Eye on Compliance for Philippine Data Privacy Act


After the National Privacy Commission (NPC) issued the implementing rules and regulations of the Data Privacy Act of 2012, which took effect on 9 September 2016, the stage is now set for controllers and processors of personal information of data subjects to check and ensure their respective compliance with the requirements of the law.

The rules mirror the general principles and requirements of the Data Privacy Act of 2012 (DPA) on the processing of personal information in the government and the private sectors, and the penalties for violations. They reiterate, clarify and enforce the general policy of the DPA to protect the fundamental right of individuals to data privacy while at the same time ensuring the free flow of information for national development.

The rules also promote the general principles of transparency, legitimacy of purpose, and proportionality in processing personal information, by particularising the requirements of the DPA imposed on both personal information controllers (PICs) and personal information processors (PIPs) who: (1) process personal information belonging to Philippine citizens or residents; (2) are established or located in the Philippines; or (3) have commercial links to the Philippines by contract or business presence.

The rules impose several registration and compliance obligations on covered PICs and PIPs, including:

  • Registration of personal data processing systems. Personal data processing systems operating in the Philippines that involve the processing of personal information belonging to at least 1,000 individuals must be registered with the NPC on or before 9 September 2017. PICs and PIPs that employ at least 250 persons are also covered by the registration requirement.
  • Reportorial requirements. PICs are required to notify the NPC and affected data subjects of a data breach within 72 hours of the discovery. In addition, covered entities must also annually report to the NPC a summary of documented security incidents and data breaches, and notify the commission of automated processing operations.
  • Nature of consent of data subjects. The rules clarify that the data subject’s consent to personal information processing should be time-bound in relation to the purpose of the processing.
  • Minimum security requirements; contents of data transfer agreements between controllers and processors. The rules enumerate the specific minimum organizational, physical, and technical requirements which PICs and PIPs are required to implement while processing personal information. The rules also contain the minimum requirements for compliance provisions to be included in any data processing agreement between PICs and PIPs.
  • The commission of any of the offences punishable under the DPA and the rules must be meted out with penalties of imprisonment of up to six years and/or fines of up to 5 million pesos (about US$99,000). The NPC is also vested with quasi-judicial powers to adjudicate privacy complaints and award civil damages to private complainants, and of regulatory powers to impose compliance and enforcement orders, cease and desist orders, bans on personal information processing, or payment of administrative fines.

The NPC also issued NPC advisory No. 2017-01 on the Designation of Data Protection Officers, which sets out guidelines on the mandatory appointment by all PICs and PIPs of a data protection officer (DPO). The relevant guidelines have only been recently issued, but compliance should be immediate, based on the NPC ruling that the period for complying with the Data Privacy Act of 2012 expired on 8 September 2013.

Each PIC or PIP is required to appoint a DPO who will be accountable for ensuring their organization’s compliance with the DPA, the Rules, NPC issuances, and other laws on privacy and data protection.

An individual PIC or PIP is automatically the DPO. A PIC or PIP, which is a juridical entity, is required to appoint one DPO for its entire organization. It may also appoint a compliance officer for privacy (COP) for each of its branches, sub-offices or other component units.

Subject to the approval of the NPC, a group of related companies may appoint a common DPO for ensuring compliance by the entire group, provided that each member company shall have a COP who will be under the direct supervision of the DPO.

Actions to consider

Businesses are advised to evaluate the applicability and impact of the rules to their organizations. Once it is confirmed that a business is covered by the Data Privacy Act, specifically with regard to the registration and compliance requirements, entities should proceed to assess their current security measures vis-à-vis the minimum security standards imposed by the rules.

PICs and PIPs doing business in the Philippines are also urged to immediately appoint a DPO who meets the qualifications prescribed by the NPC. PICs and PIPs who are required to register their data processing systems with the NPC by the 9 September 2017 deadline are required to commence the registration process by submitting to the NPC information regarding their respective DPOs and COPs, together with copies of their appointment papers.

The NPC is presently preparing for the imminent launch of the online registration portal, which is now on beta testing at the NPC website. The launch of the online registration tool is expected to be preceded by, or simultaneous with, the issuance by the NPC of the official registration guidelines.

Under the Data Privacy Act of 2012, compliance by covered entities to the law’s requirements should have been completed by 8 September 2013.

However, considering the absence of an implementing agency and the lack of implementing rules and regulations before September 2016, businesses were at a loss on how to comply with the law. Now that the NPC has been established and the IRRs are in place, it appears that businesses are still in need of guidance, considering the seemingly strict compliance requirements imposed by the IRRs. In order to better pave the road to compliance, it would be best for businesses to map out a clear timetable for accomplishing the individual requirements, starting off with the appointment of a DPO or COP, and after that completing the registration requirements for the submission on or before the 9 September 2017 deadline.

Business Law Digest is compiled with the assistance of Baker McKenzie. Readers should not act on this information without seeking professional legal advice. You can contact Baker McKenzie by emailing: Danian Zhang at danian.zhang@bakermckenzie.com, or for general enquiries contact Anand Ramaswamy at anand.ramaswamy@bakermckenzie.com