Your address will show here +12 34 56 78
Data Privacy Act - Common Misconceptions Clarified

Since the passage of Republic Act No. 10173, or the Philippines’ Data Privacy Act in 2012 (the “DPA”), followed by the promulgation of its implementing rules and regulations in 2016, the National Privacy Commission has been aggressively monitoring and ensuring data privacy compliance by persons and organizations in the country. Nevertheless, data privacy compliance remains to be a relatively novel concept in the Philippines. As such, and considering the severity of legal and financial exposure in case of non-compliance with the DPA, certain key principles under the law which are commonly misconstrued must be clarified, for a better understanding of its scope, extent, and application.

Q. What constitutes Personal Information which is protected under the DPA?

A. This refers to any information from which the identity of an individual can be reasonably and directly ascertained by another, or when combined with other information, would directly and certainly identify an individual.
As such, personal information is not limited to an individual’s name, address, phone number, and other information commonly regarded as personal data. In fact, under NPC Advisory Opinion No. 2017-63, even a person’s username, password, IP address, MAC address, and location, when combined with other pieces of information which would allow an individual to be identified, may constitute personal information. In the same manner, under Advisory Opinion No. 2019-023, where a CCTV footage or image is of sufficient quality, as would enable a person with the necessary knowledge to reasonably ascertain the identity of an individual captured therein, such image/footage would, as a general rule, be considered personal information.

Q. Is the processing (such as, but not limited to, the collection, recording, storage, use, and destruction) of personal information absolutely prohibited under the DPA?

A. No. Under the DPA, the processing of personal information shall be allowed, subject to i) compliance with certain conditions under the said law (which may vary depending on the nature of the personal information involved); and, ii) adherence to the principles of transparency, legitimate purpose and proportionality.

Q. What is the difference between a Personal Information Controller and a Personal Information Processor, and why is it necessary to distinguish between the two?

A. On the one hand, a Personal Information Controller generally refers to a person or organization who controls the collection, holding, processing or use of personal information, including one who instructs another to do so on his behalf. On the other hand, a Personal Information Processor refers to any person to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.
Under the Principle of Accountability as embodied under the DPA, each Personal Information Controller is responsible for personal information under its control or custody, even if it shall have transferred the information to a third party for processing.

Q. What is the extent of application of the DPA?

A. The DPA is not limited to data processing which is done within the Philippines, and to information relating to Philippine citizens. It may also apply to acts performed outside of the country, where:
A. The processing relates to personal information about a Philippine citizen, or a resident;
B. The entity has a link with the Philippines (such as contractual relations, a branch, or agency), and the entity is processing personal information in the Philippines, or even if the processing is outside the Philippines, as long as it is about Philippine citizens or residents; and,
C. The entity has other links in the Philippines, such as when i.) the entity carries on business in the Philippines; and ii.) the personal information was collected or held by an entity in the Philippines.