Preliminary Provisions, Data Privacy Law
Concept
What is data privacy?
Data privacy is not defined in R.A. 10161 or the Data Privacy Act of 2012, neither in the Implementing Rules and Regulations (IRR), or current NPC issuances.
Instead, we will use the following definition from IBM writers:
“Data privacy” or “information privacy” – refers to “the principle that a person should have control over their personal data, including the ability to decide how organizations collect, store and use their data.” (Kosinski & Forest, 2023)
Stakeholders

Figure 1. Stakeholders in Data Privacy
Data Subject
“Data subject” refers to an individual whose personal, sensitive personal, or privileged information is processed. (IRR, Section 3[d], Rule I)
1) A data subject is an individual, i.e., a human being.
2) A data subject cannot be an organization, corporation, or entity.
Personal Information Controllers (PIC
“Personal information controller” refers to a natural or juridical person, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf. The term excludes:
1. A natural or juridical person, or any other body, who performs such functions as instructed by another person or organization; or
2. A natural person who processes personal data in connection with his or her personal, family, or household affairs;
There is control if the natural or juridical person or any other body decides on what information is collected, or the purpose or extent of its processing. (IRR, Section 3[m], Rule I)
Who is a PIC
1) A Personal Information Controller or PIC may be either be:
a) a natural person, i.e., an individual; or
b) a juridical person, i.e., partnership, corporation, cooperative, etc.; or
c) any other body, i.e., an entity. (IRR, Section 3[m])
What does a PIC do
1) A PIC –
a) Controls processing of personal data; or
b) Instructs another (such as a Personal information Processor or PIP) to process personal data on its behalf. (IRR, Section 3[m]k Rule I)
2) Control – refers to the power to decide “on what information is collected, or the purposes or extent of its processing.” (IRR, Section 3[m], Rule I)
Who is not a PIC
1) A PIC is not one of the following:
a) A natural or juridical person, or any other body, who perform such functions as instructed by another person or organization; or
b) A natural person who processes personal data in connection with his or her personal, family or household affairs.
Personal Information Processors (PIP)
“Personal information processor” refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject. (IRR, Section 3[n], Rule I)
Who is a PIP
1) A Personal Information Processor or PIP may be either be:
a) a natural person, i.e., an individual; or
b) a juridical person, i.e., partnership, corporation, cooperative, etc.; or
c) any other body, i.e., an entity. (IRR, Section 3[n])
What does a PIP do
A PIP – refers to one “to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject.” (IRR, Section 3[n])
National Privacy Commission
“NPC” or “Commission” refers to the National Privacy Commission. (Implementing Rules and regulations of R.A. 10173 or the “IRR”, Section 3[b], Rule I)
Who is the NPC
The National Privacy Commission or NPC – is “an independent body mandated to administer and implement the Act, and to monitor and ensure compliance of the country with international standards set for personal data protection.” (National Privacy Commission or NPC, n.d.b.)
Why learn data privacy law?
Organizations
To avoid, if not prevent:
1) financial loss,
2) reputational harm,
3) interruption to business operations,
4) loss of critical data,
5) lawsuits or damages, and
6) penalties.
Individuals
To avoid, if not prevent:
1) loss of control,
2) identity theft or fraud,
3) financial loss, including loss of employment or business,
4) reputational harm, including embarrassment or humiliation,
5) discrimination,
6) unauthorized disclosure of pseudonyms,
7) emotional distress and anxiety,
8) physical harm and intimidation, including family violence,
9) unwanted marketing collaterals, including spam/junk emails,
10) inability to access Government services. (See OVIC, n.d.)
REFERENCES
Kosinski, M., & Forrest, A. (2023, December 19). What is data privacy? IBM. https://www.ibm.com/topics/data-privacy
National Privacy Commission or NPC. (n.d.a) Implementing Rules and Regulations or Republic Act No. 10173, also known as the “Data Privacy Act of 2012”. https://privacy.gov.ph/implementing-rules-regulations-data-privacy-act-2012/
National Privacy Commission or NPC. (n.d.b). Powers & Functions. https://privacy.gov.ph/powers-functions/
Office of the Victorian Commission or OVIC. (n.d.) Managing the Privacy Impacts of a Data Breach. https://ovic.vic.gov.au/privacy/resources-for-organisations/managing-the-privacy-impacts-of-a-data-breach/
Republic Act No. 10173. (2012). Data Privacy Act of 2012. https://privacy.gov.ph/data-privacy-act/
EXTRA RESOURCES
National Privacy Commission. (2017, May 20). Handle Personal Info With Care [Video]. YouTube. https://www.youtube.com/watch?v=MIY3H63dUC0
National Privacy Commission. (2017, May 20). Ano ng aba ang #DataPrivacy? [Video]. YouTube. https://www.youtube.com/watch?v=6jfn8XDrYxM
