- a contract is entered in the Philippines;
- a juridical entity is unincorporated in the Philippines but has central management and control in the country; and
- an entity that has a branch, agency, office, or subsidiary in the Philippines, and the parent or affiliate of the Philippine entity has access to personal information; and
- the entity carries on business in the Philippines; and
- the personal information was collected or held by an entity in the Philippines.
2.3. Material scope
The Act applies to the processing of all types of personal information. On the other hand, the following specified information is not covered by the Act, subject to the extent indicated under the law:
- information processed for purposes of allowing public access to information that falls within matters of public concern;
- personal information processed for journalistic, artistic, or literary purposes, in order to uphold freedom of speech, expression, or the press;
- personal information that will be processed for research purposes, intended for a public benefit;
- information necessary to carry out the functions of a public authority;
- information necessary for banks, other financial institutions under the jurisdiction of the Bangko Sentral ng Pilipinas, and other bodies authorized by law to the extent necessary to comply with the Republic Act No. 9510 Establishing the Credit Information System and for Other Purposes 2008 and the Republic Act No. 9160 on Anti-Money Laundering 2001 in the Philippines, and other applicable laws; and
- personal information originally collected from the residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, which is being processed in the Philippines.
In addition, publishers, editors, or duly accredited reporters of any newspaper, magazine, or periodical of general circulation are still bound to follow the Act but are not compelled to reveal the source of any news report or information appearing in the publication if it was relayed in confidence to them.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
The NPC is the primary Government agency tasked to implement and enforce the Philippines' data privacy laws.
3.2. Main powers, duties and responsibilities
The NPC is composed of three Privacy Commissioners and has the following functions, namely, rulemaking, advisory, public education, compliance, monitoring, the duty to adjudicate on complaints, as well as investigations, enforcement, and other functions as may be necessary to fulfill its mandate under the Act.
4. Key Definitions
Data controller: PIC refers to a natural or juridical person or any other body who controls the processing of personal data or instructs another to process personal data on its behalf.
Data processor: PIP refers to any natural or juridical person or any other body to whom a PIC may outsource or instruct the processing of personal data pertaining to a data subject.
Personal data: Refers to all types of personal information, whereas 'personal information' is defined as any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
Sensitive data: Referred to as sensitive personal information under the Act, refers to personal information:
- regarding an individual's race, ethnic origin, marital status, age, color, and religious, philosophical, or political affiliations;
- regarding an individual's health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
- issued by Government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension, or revocation and tax returns; and
- specifically established by an executive order or an act of the Congress of Philippines to be kept classified.
Health data: The Act and the IRR do not specifically define 'Health Information' but classify such information as sensitive personal information. However, the Health Privacy Code Specifying the Joint A.O. No. 2016-0002, also known as the Privacy Guidelines for the Implementation of the Philippine Health Information Exchange, defines 'Health Information' as personal information and sensitive personal information that relates to an individual's past, present, or future physical or mental health condition, including demographic data, diagnosis, and management, medication history, health financing record, cost of services, and any other information related to an individual's total well-being.
Biometric data: The Act and the IRR do not specifically define 'Biometric Data.' However, the NPC, in Advisory Opinion 2017-63 Personal and Sensitive Information, citing Republic Act No.10367, defined biometrics as the quantitative analysis that provides a positive identification of an individual such as voice, photograph, fingerprint, signature, iris, and/or such other identifiable features. Biometric data may be considered both as content of the information about a particular individual as well as an element to establish a link between one piece of information and the individual. Hence, as currently defined, biometric data is considered personal information since such data may be used to identify a particular individual.
Pseudonymization: The Act and the IRR do not specifically define 'pseudonymization.' However, in NPC Advisory Opinion 2020-26, citing Article 4(5) of General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), the NPC defined 'pseudonymization' as the processing of personal data in a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Privileged information: Refers to any and all forms of data which under the Philippine Rules of Court and other pertinent laws constitute privileged communication (e.g., information between client and lawyer) and is subject to similar rules on lawful processing which are applied to sensitive personal information.
Processing: Refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating, or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of data.
Data Subject: Refers to an individual whose personal information is processed.
5. Legal Bases
5.1. Consent
The processing of personal data may be permitted if the data subject has given their consent.
5.2. Contract with the data subject
The processing of personal information may be permitted if the processing of personal information is necessary and is related to the fulfillment of a contract with the data subject, or in order to take steps at the request of the data subject prior to entering into a contract.
5.3. Legal obligations
The processing of personal information may be permitted if the processing is necessary for compliance with a legal obligation to which the PIC is subject.
5.4. Interests of the data subject
The processing of personal data may be permitted if the processing is necessary to protect vitally important interests of the data subject, including life and health.
5.5. Public interest
The processing of personal data may be permitted if the processing is necessary in order to respond to a national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily include the processing of personal data for the fulfillment of its mandate.
5.6. Legitimate interests of the data controller
The processing of personal information may be permitted if the processing is necessary for the purposes of the legitimate interests pursued by the PIC or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Constitution.
5.7. Legal bases in other instances
For legal bases specific to the processing of sensitive data and privileged information, please see the section on special categories of personal data below.
6. Principles
The Act and the IRR provide that a PIC and PIP shall be accountable for complying with the requirements of the Act, the IRR, and NPC Issuances. Particularly, a PIC and a PIP shall adhere to the general principles of data privacy, implement reasonable and appropriate organizational, physical, and technical security measures for the protection of personal data, and uphold the rights of data subjects. These security measures should ensure the availability, integrity, and confidentiality of the personal data being processed.
In general, a PIC and PIP are mandated to adhere to the general principles of transparency, legitimate purpose, and proportionality. Flowing from these general principles are those that govern the collection, processing, and retention of personal data, such that:
- collection must be for a declared, specified, and legitimate purpose;
- personal data shall be processed fairly and lawfully;
- processing should ensure data quality;
- personal data shall not be retained longer than necessary; and
- any authorized further processing shall have adequate safeguards.
7. Controller and Processor Obligations
Data controller
The PIC shall be responsible for personal data under its control or custody, as well as personal data outsourced or transferred to a PIP or a third party for processing. Personal data is generally considered under a PIC's control or custody even when the personal data is outsourced or transferred to a PIP or third party, whether domestically or internationally. Accordingly, it must use contractual or other reasonable means to provide a level of protection to personal data comparable to the Act while the personal data is being processed by a PIP or third party. The PIC shall likewise designate an individual or individuals who shall be accountable for compliance with the aforementioned.
Processor
Similar to a PIC, the PIP shall uphold the rights of the data subject, and implement adequate organizational, physical, and technical security measures in relation to the personal data it processes.
The PIP processes personal data on behalf of a PIC and only upon the documented instructions of the PIC, therefore it cannot process the personal data for its own purposes or engage another PIP without prior instruction from the PIC. In addition, the PIP has certain obligations to the PIC under the Act.
7.1. Data processing notification
Pursuant to Sections 46 and 47 of the IRR, the PIC, and the PIP operating in the Philippines shall register their data processing systems, defined as structures and procedures by which personal data is collected and further processed in an information and communications system or relevant filing system with the NPC in the following instances:
- the PIC or PIP employs at least 250 employees;
- the processing includes sensitive personal information of at least 1,000 individuals;
- the processing is likely to pose a risk to the rights and freedoms of data subjects; or
- the processing is not occasional.
In NPC Circular 17-01, however, registration of data processing systems with the NPC was made mandatory for all Government bodies or entities, banks, and non-bank financial institutions, telecommunications networks/internet service providers/other entities providing similar services, business process outsourcing companies, schools, and training institutions, hospitals, providers of insurance undertakings, direct marketing, or networking business/companies providing reward cards and loyalty programs, pharmaceutical companies engaged in research, and PIPs processing personal data for PICs in the abovementioned areas and data processing systems involving automated decision-making.
7.2. Data transfers
Data transfers to third parties, including transfers to an affiliate or parent company, require the consent of the data subject, and as discussed in the section on data subject rights below, the execution of a data sharing agreement or use of a contract or other reasonable means to provide a comparable level of protection while the personal data is being processed by the third party.
On the other hand, outsourcing or subcontracting generally does not require the consent of the data subject but requires the execution of an outsourcing or subcontracting agreement. In an outsourcing or subcontracting agreement, the PIC shall use contractual or other reasonable means to ensure that proper safeguards are in place, to ensure the confidentiality, integrity, and availability of the personal data processed, prevent its use for unauthorized purposes, and generally, comply with the requirements of the Act, the IRR, other applicable laws for processing of personal data and other NPC issuances.
The transfer of personal data to foreign countries is generally permitted, subject to the relevant provisions of the Act, the IRR, and other NPC issuances.
Data localization
With respect to the private sector, there are currently no data localization requirements in the Philippines specifically governing personal data, subject to the applicable provisions of the Philippines' data privacy laws including, among others, the need for consent of the data subject (as may be necessary) and data transfer requirements.
7.3. Data processing records
The IRR states that any natural or juridical person or other body involved in the processing of personal data must maintain records that sufficiently describe its data processing system, and identify the duties and responsibilities of those individuals who will have access to the personal data.
7.4. Data protection impact assessment
The requirement for the conduct of a Privacy Impact Assessment ('PIA') stems from the duty of the PIC to implement reasonable and appropriate measures intended for the protection of personal data against any accidental or unlawful destruction, alteration, and disclosure, as well as against any other unlawful processing. In determining the appropriate level of security, the PIC must take into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization, and complexity of its operations, current data privacy best practices, and the cost of security implementation.
A PIC may require a PIP to conduct a PIA. A PIA should generally be undertaken for every processing system of a PIC or PIP involving personal data.
7.5. Data protection officer appointment
The IRR states that any natural or juridical person involved in the processing of personal data must designate an individual(s) who shall function as a DPO and whose role includes ensuring compliance with the applicable laws and regulations for the protection of data privacy and security.
As an exception, and subject to the approval of the NPC, a group of related companies may, instead of appointing individual DPOs, appoint or designate the DPO of one of its members to be primarily accountable for ensuring the compliance of the entire group with all data protection policies, however, the individual members of the group must instead appoint a Compliance Officer for Privacy ('COP'), that refers to an individual(s) who will perform some of the functions of a DPO. Private entities with branches, sub-offices, and other component units may also appoint or designate a COP for each component unit.
- have an expertise in relevant privacy or data protection policies and practices;
- have sufficient understanding of the processing operations being carried out by the PIC or the PIP, including its information systems, data security, and/or data protection needs; and
- be a full-time or organic employee of the PIC or PIP.
In Circular No. 2022-04, which took effect on January 11, 2023, the NPC provided the guidelines for the designation of DPOs, registration of personal data processing systems, and notification regarding automated decision-making or profiling. Under Circular No. 2022-04, entities that process personal data and operate within the Philippines are required to register their DPO and data processing systems if:
- they employ 250 or more persons;
- they process the sensitive personal information of 1,000 or more individuals; or
- they process data that will likely pose a risk to the rights and freedoms of data subjects.
A data processing system involving automated decision-making or profiling, on the other hand, is required to be registered in all instances, regardless of whether it meets any of the foregoing criteria.
Entities not required to register with the NPC may either register voluntarily or submit a sworn declaration and undertaking for exemption to the NPC.
7.6. Data breach notification
A PIC must notify the NPC and the affected data subjects upon the knowledge that a personal data breach requiring notification has occurred.
The following conditions determine when a personal data breach requires notification:
- the personal data involves sensitive personal information or any other information that may be used to enable identity fraud;
- there is reason to believe that the information may have been acquired by an unauthorized person; and
- the PIC or the NPC believes that the unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.
Furthermore, the notification must be subject to the following procedures:
- the PIC is generally required to notify the NPC and the affected data subject(s), within 72 hours from the knowledge of, or when there is reasonable belief by the PIC or PIP that, a personal data breach requiring notification has occurred;
- the notification must describe, among others, the nature of the breach, the personal data likely to be involved, and measures taken by the entity to address the breach; and
- the notification must be submitted to the NPC through written or electronic form and must include, among others, the name and contact details of the DPO and a designated representative of the PIC.
Annual Security Incident Reportorial Requirement
To ensure compliance with data privacy laws and to strengthen the monitoring of threats and vulnerabilities that may affect personal data protection, the NPC requires the PICs and the PIPs to submit an Annual Security Incident Report (ASIR), which is an annual report summarizing all security incidents and personal data breaches. The ASIR should contain all security incidents and personal data breaches of a PIC and a PIP from January 1 to December 31 of the preceding year. In addition, it should include a summary of every breach incident and the aggregate number of non-breach incidents.
Notification and filing of the ASIR are done through the Data Breach Notification Management System, which is an online, standardized, and automated system launched by the NPC for faster and easier data breach notification management and reporting.
7.7. Data retention
Personal data shall not be retained in perpetuity in contemplation of a possible future use yet to be determined. Retention of personal data shall only be for as long as necessary:
- for the fulfillment of the declared, specified, and legitimate purpose, or when processing for the purpose has been terminated;
- for the establishment, exercise, or defense of legal claims; or
- for legitimate business purposes, which must be consistent with standards followed by the applicable industry or approved by the appropriate Government agency.
Nonetheless, retention of personal data shall be allowed in cases provided by law.
7.8. Children's data
The NPC has stated that children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences, and safeguards concerned and their rights in relation to the processing of personal data. In NPC Advisory Opinion No. 2017-49: Teachers right to search a minor students cellular phone and NPC Advisory Opinion No. 2019-46: Inter-agency council against trafficking (IACAT) request for information with the Philippine Statistics Authority (PSA), the NPC explained that a minor cannot validly provide the consent needed under the Act. Hence, before the personal data of minors may be lawfully processed, the consent of their parents or legal guardians should first be obtained. In the absence of such consent, the processing of a minor's personal data must have a lawful basis under existing laws, rules, or regulations.
7.9. Special categories of personal data
The processing of sensitive data and privileged information is prohibited, except in the following cases:
- the data subject has given their consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;
- the processing of the same is provided for by existing laws and regulations provided that such regulatory enactments guarantee the protection of sensitive personal information and privileged information, and provide further, that the consent of the data subjects is not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;
- the processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;
- the processing is necessary to achieve the lawful and non-commercial objectives of public organizations and their associations provided that such processing is only confined and related to the bona fide members of these organizations or their associations, provided further, that the sensitive personal information is not transferred to third parties, and provided finally, that consent of the data subject was obtained prior to processing;
- the processing is necessary for the purposes of medical treatment and is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal data is ensured; or
- the processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise, or defense of legal claims, or when provided to the Government or a public authority.
7.10. Controller and processor contracts
Agreements for the processing of personal data may be in the form of data sharing arrangements, outsourcing, or subcontracting arrangements.
Data sharing refers to disclosures or transfers of personal data by the PICs or the PIPs to third parties. If such disclosure is made by a PIP, it must be upon the instruction of the PIC concerned. In contrast, outsourcing or subcontracting refers to disclosures or transfers of personal data by the PICs to the PIPs, in order for the latter to process the data according to the instructions of the PICs.
Data sharing may be covered by a data sharing agreement or a similar document containing the terms and conditions of the sharing arrangement. The data sharing agreement must establish adequate safeguards for data privacy and security in order to uphold the rights of the data subjects. Outsourcing or subcontracting arrangements must likewise be governed by a contract or other legal act that binds the PIP to the PIC and must set out, among others, the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the obligations and rights of the PIP, and the geographic location of the processing under the subcontracting agreement.
8. Data Subject Rights
8.1. Right to be informed
Data subjects have the right to be informed when personal data pertaining to them is being processed.
8.2. Right to access
Data subjects have the right to reasonably access matters relating to the processing of their personal data such as, among others, the identity of the PICs or the PIPs that will be given access to their personal data.
8.3. Right to rectification
Data subjects have the right to rectification or the right to dispute the inaccuracy or error in their personal data and have the PIC correct it, within a reasonable period of time.
8.4. Right to erasure
Data subjects have the right to suspend, withdraw, or order the blocking, removal, or destruction of their personal data from the PIC's filing system.
8.5. Right to object/opt-out
Data subjects have the right to object to the processing of their personal data, including processing for direct marketing, automated processing, or profiling.
8.6. Right to data portability
Data subjects have the right to obtain from the PIC a copy of their personal data in an electronic or structured format that is commonly used and allows for further use by the data subject.
8.7. Right not to be subject to automated decision-making
Data subjects have the right to object to the processing of their personal data, including automated processing.
8.8. Other rights
Data subjects have the right to be indemnified for damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal data. In addition, individuals have the right to lodge a complaint before the NPC.
9. Penalties
Any natural or juridical person, or other body involved in the processing of personal data who fails to comply with the Act, the IRR, or other issuances of the NPC and is found to have committed a violation of the Act and the IRR may be subject to administrative, civil, and criminal liabilities.
The criminal penalties provided in the Act and the IRR range from six months to seven years of imprisonment, together with fines ranging from PHP 100,000 (approx. $1,709) to PHP 5 million (approx. $85,470) based on whether personal information or sensitive personal information is involved. Moreover, additional penalties may apply depending on the identity of the offender and the number of affected data subjects.
If the offender is a corporation, partnership, or any other juridical person, the penalty will be imposed upon the responsible officers who participated in, or by their gross negligence, allowed the commission of the crime. If the offender is an alien, they will be deported without further proceedings after serving the penalties prescribed.
In addition, under Circular No. 2022-01, administrative fines may also be imposed for each infraction. Infractions are classified as:
- grave infractions, where the fines are 0.5% to 3% of the annual gross income of the immediately preceding year when the infraction occurred;
- major infractions, where the fines are 0.25% to 2% of the annual gross income of the immediately preceding year when the infraction occurred; and
- other infractions, where the imposable fine shall be not less than PHP 50,000 (approx. $855) but not exceeding PHP 200,000 (approx. $3,419). In any case, the total imposable fine for a single act of a PIC or a PIP, whether resulting in single or multiple infractions, shall not exceed PHP 5 million (approx. $85,470).
9.1 Enforcement decisions
Pursuant to its authority to compel any entity to abide by its orders on a matter of data privacy, the NPC has issued decisions, resolutions, and orders to various entities, which are published on its website. We discuss some of these enforcement decisions below.
Decisions
The NPC has issued decisions on complaints of privacy violations, directing, advising, or warning the concerned PIC to:
- revise its daily time record system and PIA to reflect and address compliance gaps brought about by actual, current practices, and as identified in the letter-complaint (NPC CID Case No. 17-K-003);
- submit the designation of the DPOs/compliance officers, a copy of its Security Incident Management Policy, including documents demonstrating the creation of its Breach Response Team as well as the dissemination of the Security Incident Management Policy, and the complete Post-Breach Report on the management of a Personal Data Breach (NPC CID Case No. 17-002);
- act on a request for correction of a data subject's account, which had not been addressed, and provide assistance to the affected data subject to ensure that they are able to exercise their rights in accordance with the law (CID No. 17-K-004);
- furnish, among others, proof of its onboarding a data privacy consultant, proof of registration with the NPC, a copy of its Data Privacy Manuals, and Privacy Notice, and proof of its conduct of data privacy awareness, and training for its employees (NPC 18-103);
- submit a complete report on the measures it has undertaken or will undertake to address the issue of delayed response to its customers' request in relation to their rights as data subjects (CID 17-K-004);
- furnish the complainant with the name of the recipient of their personal information in compliance with Section 16(c)(3) of the Act, and pay nominal damages for the violation of the complainant's right to access (NPC 19-653);
- pay nominal damages for failure to fulfill its obligation as a PIC to ensure that the information of the data subject is kept up to date, resulting in the processing of inaccurate information (NPC 21-086); for failure to comply with the principle of proportionality when the PIC allowed the taking of the photo of a minor as proof of delivery of a parcel (NPC 21-167); and for recognition and vindication of data subjects' right to expect that their personal information is being protected (NPC 19-1273); and
- ensure that proper safeguards are in place when banks refer unpaid accounts to collection agents; that the processing of personal information is accurate and up to date; and that PIPs ensure compliance with the Act and related laws (NPC 21-122).
Additionally, the NPC has also issued decisions recommending the prosecution of a PIC for:
- unauthorized disclosure of personal data or sensitive personal data where there was no lawful basis for processing (NPC 21-010 to NPC 21-015 and NPC 20-026); and
- unauthorized access or intentional breach (NPC SS 22-001 and NPC SS 22-008).
Resolutions
The NPC has issued resolutions confirming or advising that:
- the PICs and the PIPs that practice larger-scale and higher-risk types of processing are expected to provide data subjects with clear, concise, intelligible, and easy-to-understand information to guide and provide the data subjects with a clear picture and genuine choice about the use of their personal data to comply with the principle of transparency (NPC Case No. 17-001);
- the on-site examination in the Rules of Procedure of the NPC is not mandatory, and is discretionary to the investigating officer (NPC Case No. 17-003);
- the technical security measures employed by a PIC telecommunication company are sufficient to prevent, correct, and mitigate security incidents that can lead to a personal data breach, however, it should hold its personnel accountable when there is a delay in the deactivation and replacement of SIM cards to ensure strict compliance with its privacy policies and procedures and prevent similar incidents in the future (NPC Case No. 17-K-001);
- the duty of the PICs is to implement adequate safeguards to prevent or minimize occurrences of personal data breaches or security incidents, specifically, the Department of Foreign Affairs (DFA) as a PIC, has the responsibility to regularly monitor for security breaches and conduct vulnerability scans of its computer network and the DFA passport system (NPC SS 19-001);
- the PIA and security measures undertaken by a PIC to address the personal data breach were sufficient to comply with the NPC's order to submit an updated report containing the required information (e.g., nature of the breach, description of how the breach occurred, and the vulnerability of the data processing system that allowed the breach, among others) and submit proof and details of measures taken to address the breach (NPC BN 18-037);
- SQL injection attempts are considered security incidents where there is no personal data that was compromised and not considered a personal data breach subject to mandatory breach notification (NPC BN No. 18-045);
- once the complainant has proven that there was indeed a processing that occurred, it is incumbent upon the PIC, that processed the personal data, to prove that it is either exempt from the scope of the Act or that the processing was based on lawful criteria under Sections 12 or 13 of the Act (NPC 21-010 to 21-015);
- the determination of whether a PIC telecommunication company's acts or omissions contributed to the breach or gave rise to other violations of the Act are beyond the scope of Circular 16-03 and the matters currently before the NPC (NPC BN 18-179);
- in determining the applicability of the lawful criteria provided in Section 12(f) of the Act (in this case, legitimate interest), the NPC examines how the PIC processed personal information and does not look at its juridical personality or registrations, as the Act does not require that the PIC be a juridical entity registered with the Securities and Exchange Commission or the Department of Trade and Industry (NPC 22-180 and 22-181);
- there is nothing in the Act that requires the PIC to present a specific order before lawfully processing sensitive personal information for the protection of lawful rights and interests of persons in court proceedings, or the establishment, exercise, or defense of a legal claim (NPC 22-012);
- notification to the affected data subjects is required especially in breach cases that involve sensitive personal information or other information that may be used to enable identity fraud and are reasonably believed to have been acquired by an unauthorized person, which may likely give rise to real risk of serious harm to the affected data subjects (NPC BN 18-229);
- a confidentiality breach within the organization, where data subjects’ home phone numbers were visible to the entire organization, does not involve sensitive personal information and is not likely to give real risk of serious harm requiring mandatory breach notification to the NPC (NPC BN 18-200);
- in determining whether the unauthorized acquisition is likely to give rise to real risk of serious harm, a PIC or the Commission may consider several factors, such as the nature and amount of information involved in the breach, the period of time that has elapsed since the breach, objective of the unauthorized acquisition, security measures implemented on the information, and extent of potential misuse and exposure of the information (NPC BN 18-213; NPC BN 18-033 and NPC BN 18-076;NPC 17-028 and NPC BN 18-180);
- breach pertaining to information on juridical entities does not require notification to these affected entities since information of this nature does not constitute personal data (NPC BN 18-046);
- the PIC sufficiently addressed the breach and adopted measures to prevent its recurrence e.g., changing and revising its customer survey forms by removing the collection of personal information of the data subjects, including adopting a Data Privacy Manual to ensure the safety and security of processing of all personal data of its data subjects, etc., (NPC BN 18-120);
- as part of a PIC’s data breach management, it should implement policies and procedures for managing security incidents, including data breaches, following Section 4 of Circular 16-03. This includes ensuring the implementation of organizational, physical, and technical security measures and data privacy policies intended to prevent or minimize the occurrence of a data breach and assure the timely discovery of a security incident (NPC BN 18-222);
- NPC’s Rules of Procedure does not provide that a party’s non-appearance in proceedings despite due notice is a ground for dismissal of a case (NPC Case No. 19-258); and
- an incident where no personal data is compromised is a 'security incident' that is not subject to mandatory notification (NPC BN 23-015).
Orders
The NPC has issued orders directing the concerned PIC to:
- notify all data subjects of an unauthorized online publication of the PIC's website database and explain why further action should not be taken against the PIC for failure to notify the data subjects of the occurrence of a data breach within the required 72-hour period (NPC Case No. 18-058 on Wendy’s Restaurant, Inc (PRO) Data Breach (available on page 344 of the 2018 Compendium of NPC Issuances));
- suspend the PIC's food delivery website and submit a security plan to address data privacy concerns discovered during a vulnerability assessment conducted by the NPC (Commission-Issued Order CIDBN No. 17-043 on Jollibee Foods Corporation ((available on page 346 of the 2018 Compendium of NPC Issuances));
- submit a comprehensive data breach notification report and notify affected data subjects, in accordance with Circular 16-03, and establish a help desk for Filipino users on data privacy matters (Commission-Issued Order CIDBN No. 18-J-162 on Facebook Forced Logout);
- cease and desist from implementing the PIC's pilot test and plans to roll out three new data processing systems because of deficiencies in the systems' risk assessment and mitigation, insufficient PIA, and privacy notice, and the unclear purpose behind the data processing (NPC CC 20-001 In re: Grab Philippines);
- cease and desist from the processing of personal data in its possession until the NPC issues a decision on its comment (In Re: Lisensya.info); and
- cease and desist from the processing of personal data in its database until the NPC issues a decision on its comment (Commission-Issued CID-CDO-21-003 on PiliPinas2022.ph).
