CHAPTER I Data Privacy Act
GENERAL PROVISIONS
SECTION 1. Short Title. – This Act shall be known as the “Data Privacy Act of 2012”.
SEC. 2. Declaration of Policy. – It is the policy of the State to protect the fundamental human right of
privacy, of communication while ensuring free flow of information to promote innovation and growth.
The State recognizes the vital role of information and communications technology in nation-building and
its inherent obligation to ensure that personal information in information and communications systems
in the government and in the private sector are secured and protected.
SEC. 3. Definition of Terms. – Whenever used in this Act, the following terms shall have the respective
meanings hereafter set forth:
(a) Commission shall refer to the National Privacy Commission created by virtue of this Act.
(b) Consent of the data subject refers to any freely given, specific, informed indication of will, whereby
the data subject agrees to the collection and processing of personal information about and/or relating to
him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on
behalf of the data subject by an agent specifically authorized by the data subject to do so.
(d) Direct marketing refers to communication by whatever means of any advertising or marketing
material which is directed to particular individuals.
(e) Filing system refers to any act of information relating to natural or juridical persons to the extent that,
although the information is not processed by equipment operating automatically in response to
instructions given for that purpose, the set is structured, either by reference to individuals or by
reference to criteria relating to individuals, in such a way that specific information relating to a particular
person is readily accessible.
(f) Information and Communications System refers to a system for generating, sending, receiving, storing
or otherwise processing electronic data messages or electronic documents and includes the computer
system or other similar device by or which data is recorded, transmitted or stored and any procedure
related to the recording, transmission or storage of electronic data, electronic message, or electronic
document.
(g) Personal information refers to any information whether recorded in a material form or not, from
which the identity of an individual is apparent or can be reasonably and directly ascertained by the
entity holding the information, or when put together with other information would directly and certainly
identify an individual.
(h) Personal information controller refers to a person or organization who controls the collection,
holding, processing or use of personal information, including a person or organization who instructs
another person or organization to collect, hold, process, use, transfer or disclose personal information on
his or her behalf. The term excludes:
(1) A person or organization who performs such functions as instructed by another person or
organization; and
(2) An individual who collects, holds, processes or uses personal information in connection with the
individual’s personal, family or household affairs.
(i) Personal information processor refers to any natural or juridical person qualified to act as such under
this Act to whom a personal information controller may outsource the processing of personal data
pertaining to a data subject.
(j) Processing refers to any operation or any set of operations performed upon personal information
including, but not limited to, the collection, recording, organization, storage, updating or modification,
retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
(k) Privileged information refers to any and all forms of data which under the Rules of Court and other
pertinent laws constitute privileged communication.
(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or
political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for
any offense committed or alleged to have been committed by such person, the disposal of such
proceedings, or the sentence of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social
security numbers, previous or current health records, licenses or its denials, suspension or revocation,
and tax returns; and
SEC. 4. Scope. – This Act applies to the processing of all types of personal information and to any natural
and juridical person involved in personal information processing including those personal information
controllers and processors who, although not found or established in the Philippines, use equipment
that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines
subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are
complied with.
(a) Information about any individual who is or was an officer or employee of a government institution
that relates to the position or functions of the individual, including:
(1) The fact that the individual is or was an officer or employee of the government institution;
(2) The title, business address and office telephone number of the individual;
(3) The classification, salary range and responsibilities of the position held by the individual; and
(4) The name of the individual on a document prepared by the individual in the course of employment
with the government;
(b) Information about an individual who is or was performing service under contract for a government
institution that relates to the services performed, including the terms of the contract, and the name of
the individual given in the course of the performance of those services;
(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license
or permit given by the government to an individual, including the name of the individual and the exact
nature of the benefit;
(d) Personal information processed for journalistic, artistic, literary or research purposes;
(e) Information necessary in order to carry out the functions of public authority which includes the
processing of personal data for the performance by the independent, central monetary authority and
law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions.
Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise
known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign
Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act
(CISA);
(f) Information necessary for banks and other financial institutions under the jurisdiction of the
independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No.
9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and
other applicable laws; and
(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the
laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in
the Philippines.
SEC. 5. Protection Afforded to Journalists and Their Sources. – Nothing in this Act shall be construed as to
have amended or repealed the provisions of Republic Act No. 53, which affords the publishers, editors or
duly accredited reporters of any newspaper, magazine or periodical of general circulation protection
from being compelled to reveal the source of any news report or information appearing in said
publication which was related in any confidence to such publisher, editor, or reporter.
SEC. 6. Extraterritorial Application. – This Act applies to an act done or practice engaged in and outside of
the Philippines by an entity if:
(a) The act, practice or processing relates to personal information about a Philippine citizen or a resident;
(b) The entity has a link with the Philippines, and the entity is processing personal information in the
Philippines or even if the processing is outside the Philippines as long as it is about Philippine citizens or
residents such as, but not limited to, the following:
(2) A juridical entity unincorporated in the Philippines but has central management and control in the
country; and
(3) An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate
of the Philippine entity has access to personal information; and
(c) The entity has other links in the Philippines such as, but not limited to:
(1) The entity carries on business in the Philippines; and
(2) The personal information was collected or held by an entity in the Philippines.
CHAPTER II
SEC. 7. Functions of the National Privacy Commission. – To administer and implement the provisions of
this Act, and to monitor and ensure compliance of the country with international standards set for data
protection, there is hereby created an independent body to be known as the National Privacy
Commission, which shall have the following functions:
(a) Ensure compliance of personal information controllers with the provisions of this Act;
(b) Receive complaints, institute investigations, facilitate or enable settlement of complaints through the
use of alternative dispute resolution processes, adjudicate, award indemnity on matters affecting any
personal information, prepare reports on disposition of complaints and resolution of any investigation it
initiates, and, in cases it deems appropriate, publicize any such report: Provided, That in resolving any
complaint or investigation (except where amicable settlement is reached by the parties), the Commission
shall act as a collegial body. For this purpose, the Commission may be given access to personal
information that is subject of any complaint and to collect the information necessary to perform its
functions under this Act;
(c) Issue cease and desist orders, impose a temporary or permanent ban on the processing of personal
information, upon finding that the processing will be detrimental to national security and public interest;
(d) Compel or petition any entity, government agency or instrumentality to abide by its orders or take
action on a matter affecting data privacy;
(e) Monitor the compliance of other government agencies or instrumentalities on their security and
technical measures and recommend the necessary action in order to meet minimum standards for
protection of personal information pursuant to this Act;
(f) Coordinate with other government agencies and the private sector on efforts to formulate and
implement plans and policies to strengthen the protection of personal information in the country;
(g) Publish on a regular basis a guide to all laws relating to data protection;
(h) Publish a compilation of agency system of records and notices, including index and other finding aids;
(i) Recommend to the Department of Justice (DOJ) the prosecution and imposition of penalties specified
in Sections 25 to 29 of this Act;
(j) Review, approve, reject or require modification of privacy codes voluntarily adhered to by personal
information controllers: Provided, That the privacy codes shall adhere to the underlying data privacy
principles embodied in this Act: Provided, further, That such privacy codes may include private dispute
resolution mechanisms for complaints against any participating personal information controller. For this
purpose, the Commission shall consult with relevant regulatory agencies in the formulation and
administration of privacy codes applying the standards set out in this Act, with respect to the persons,
entities, business activities and business sectors that said regulatory bodies are authorized to principally
regulate pursuant to the law: Provided, finally, That the Commission may review such privacy codes and
require changes thereto for purposes of complying with this Act;
(k) Provide assistance on matters relating to privacy or data protection at the request of a national or
local agency, a private entity or any person;
(l) Comment on the implication on data privacy of proposed national or local statutes, regulations or
procedures, issue advisory opinions and interpret the provisions of this Act and other data privacy laws;
(m) Propose legislation, amendments or modifications to Philippine laws on privacy or data protection as
may be necessary;
(n) Ensure proper and effective coordination with data privacy regulators in other countries and private
accountability agents, participate in international and regional initiatives for data privacy protection;
(o) Negotiate and contract with other data privacy authorities of other countries for cross-border
application and implementation of respective privacy laws;
(p) Assist Philippine companies doing business abroad to respond to foreign privacy or data protection
laws and regulations; and
(q) Generally perform such acts as may be necessary to facilitate cross-border enforcement of data
privacy protection.
SEC. 8. Confidentiality. – The Commission shall ensure at all times the confidentiality of any personal
information that comes to its knowledge and possession.
SEC. 9. Organizational Structure of the Commission. – The Commission shall be attached to the
Department of Information and Communications Technology (DICT) and shall be headed by a Privacy
Commissioner, who shall also act as Chairman of the Commission. The Privacy Commissioner shall be
assisted by two (2) Deputy Privacy Commissioners, one to be responsible for Data Processing Systems
and one to be responsible for Policies and Planning. The Privacy Commissioner and the two (2) Deputy
Privacy Commissioners shall be appointed by the President of the Philippines for a term of three (3)
years, and may be reappointed for another term of three (3) years. Vacancies in the Commission shall be
filled in the same manner in which the original appointment was made.
The Privacy Commissioner must be at least thirty-five (35) years of age and of good moral character,
unquestionable integrity and known probity, and a recognized expert in the field of information
technology and data privacy. The Privacy Commissioner shall enjoy the benefits, privileges and
emoluments equivalent to the rank of Secretary.
The Deputy Privacy Commissioners must be recognized experts in the field of information and
communications technology and data privacy. They shall enjoy the benefits, privileges and emoluments
equivalent to the rank of Undersecretary.
The Privacy Commissioner, the Deputy Commissioners, or any person acting on their behalf or under
their direction, shall not be civilly liable for acts done in good faith in the performance of their duties.
However, he or she shall be liable for willful or negligent acts done by him or her which are contrary to
law, morals, public policy and good customs even if he or she acted under orders or instructions of
superiors: Provided, That in case a lawsuit is filed against such official on the subject of the performance
of his or her duties, where such performance is lawful, he or she shall be reimbursed by the Commission
for reasonable costs of litigation.
SEC. 10. The Secretariat. – The Commission is hereby authorized to establish a Secretariat. Majority of
the members of the Secretariat must have served for at least five (5) years in any agency of the
government that is involved in the processing of personal information including, but not limited to, the
following offices: Social Security System (SSS), Government Service Insurance System (GSIS), Land
Transportation Office (LTO), Bureau of Internal Revenue (BIR), Philippine Health Insurance Corporation
(PhilHealth), Commission on Elections (COMELEC), Department of Foreign Affairs (DFA), Department of
Justice (DOJ), and Philippine Postal Corporation (Philpost).