Rules on accountability

1. Accountability for Transfer of Personal Data 1) A personal information controller shall be responsible for any personal data under its control or custody, including information that have been outsourced or transferred to a personal information processor or a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation. (Section 50, […]

Registration and compliance requirements

1. Enforcement of the Data Privacy Act Pursuant to the mandate of the Commission to administer and implement the Act, and to ensure the compliance of personal information controllers with its obligations under the law, the Commission requires the following: a. Registration of personal data processing systems operating in the country that involves accessing or […]

Outsourcing and subcontracting agreements

1. Subcontract of Personal Data A personal information controller may subcontract or outsource the processing of personal data: Provided, that the personal information controller shall use contractual or other reasonable means to ensure that proper safeguards are in place, to ensure the confidentiality, integrity and availability of the personal data processed, prevent its use for […]

Data breach notification

1. Data Breach Notification a. 72-hour notice [The NPC] and affected data subjects shall be notified by the personal information controller within seventy-two (72) hours upon knowledge of, or when there is reasonable belief by the personal information controller or personal information processor that, a personal data breach requiring notification has occurred. (Section 38[a], Rule […]

Rights of data subjects

1. Rights of the Data Subject The data subject is entitled to the following rights: a. Right to be informed 1) The data subject has a right to be informed whether personal data pertaining to him or her shall be, are being, or have been processed, including the existence of automated decision-making and profiling. (Section […]

Security of sensitive personal information in Government

1. Responsibility of Heads of Agencies All sensitive personal information maintained by the government, its agencies, and instrumentalities shall be secured, as far as practicable, with the use of the most appropriate standard recognized by the information and communications technology industry, subject to these Rules and other issuances of the Commission. The head of each […]

Security measures

1. Data Privacy and Security Personal information controllers and personal information processors shall implement reasonable and appropriate organizational, physical, and technical security measures for the protection of personal data. (Section 25, Rule VI, IRR of the Data Privacy Act) The personal information controller and personal information processor shall take steps to ensure that any natural […]

Lawful processing of personal data

1. Criteria for Lawful Processing of Personal Information. Processing of personal information is allowed, unless prohibited by law. For processing to be lawful, any of the following conditions must be complied with: 1) The data subject must have given his or her consent prior to the collection, or as soon as practicable and reasonable; 2) […]

Data privacy principles

1. General Data Privacy Principles The processing of personal data shall be allowed, subject to compliance with the requirements of the Act and other laws allowing disclosure of information to the public, and adherence to the principles of transparency, legitimate purpose, and proportionality. (Section 17, Rule IV, IRR of the Data Privacy Act) The processing […]

Terms & Scope

1. Terms “Commission” – refers to the National Privacy Commission. (Section 3[a], Rule I, IRR of the Data Privacy Act) “Consent of the data subject” – refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged […]