Commercial Law

  • Rules on accountability, Data Privacy Law

    1. Accountability for Transfer of Personal Data 1) A personal information controller shall be responsible for any personal data under its control or custody, including information that have been outsourced or transferred to a personal information processor or a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation. (Section 50,…

  • Registration and compliance requirements, Data Privacy Law

    1. Enforcement of the Data Privacy Act Pursuant to the mandate of the Commission to administer and implement the Act, and to ensure the compliance of personal information controllers with its obligations under the law, the Commission requires the following: a. Registration of personal data processing systems operating in the country that involves accessing or…

  • Outsourcing and subcontracting agreements, Data Privacy Law

    1. Subcontract of Personal Data A personal information controller may subcontract or outsource the processing of personal data: Provided, that the personal information controller shall use contractual or other reasonable means to ensure that proper safeguards are in place, to ensure the confidentiality, integrity and availability of the personal data processed, prevent its use for…

  • Data Breach Notification, Data Privacy Law

    Concept “Personal data breach” refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. (IRR, Section 3[k]) Data Breach Notification Section 38. Data Breach Notification. a. The Commission and affected data subjects shall be notified by the…

  • Rights of Data Subjects, Data Privacy Law

    7 Rights of the Data Subjects The following are the 7 rights of the data subject under the Data Privacy Law: 1) Right to be Informed, 2) Right to Object, 3) Right to Access, 4) Right to Rectification, 5) Right to Erasure or Blocking 6) Right to Damages, and 7) Right to Data Portability. Figure…

  • Security of sensitive personal information in Government

    1. Responsibility of Heads of Agencies All sensitive personal information maintained by the government, its agencies, and instrumentalities shall be secured, as far as practicable, with the use of the most appropriate standard recognized by the information and communications technology industry, subject to these Rules and other issuances of the Commission. The head of each…

  • Security Measures for Protection of Personal Data, Data Privacy Law

    Responsibility of PICs and PIPs Section 25. Data Privacy and Security. Personal information controllers and personal information processors shall implement reasonable and appropriate organizational, physical, and technical security measures for the protection of personal data. The personal information controller and personal information processor shall take steps to ensure that any natural person acting under their…

  • Lawful Processing of Personal Data, Data Privacy Law

    Concepts “Personal data” refers to all types of personal information. (IRR, Section 3[j], Rule I) “Personal information” refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together…

  • Data Privacy Principles, Data Privacy Law

    General Data Privacy Principles Section 17. General Data Privacy Principles. The processing of personal data shall be allowed, subject to compliance with the requirements of the Act and other laws allowing disclosure of information to the public, and adherence to the principles of transparency, legitimate purpose, and proportionality. (IRR, Rule IV) 1) Processing of personal…

  • Scope of Application, Data Privacy Law

    Scope Section 4. Scope. The Act and these Rules apply to the processing of personal data by any natural and juridical person in the government or private sector. They apply to an act done or practice engaged in and outside of the Philippines if: a. The natural or juridical person involved in the processing of…