Data Protected - Philippines
Contributed by Ocampo & Suralvo Law Offices
Last updated March 2024
General | Data Protection Laws
National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement
ePrivacy | Marketing and cookies
National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone
_____________________________________________________________________
General | Data Protection Laws
____________________________________________________________
National Legislation
General data protection laws
Republic Act No. 10173, known as the Data Privacy Act of 2012 (the “Data Privacy Act”). The Implementing Rules and Regulations of the Data Privacy Act (“IRR”) were promulgated on 24 August 2016.
Entry into force
The Data Privacy Act was signed into law on 15 August 2012 and came into effect on 8 September 2012. The IRR came into effect on 9 September 2016.
_____________________________________________________________________
National Supervisory Authority
Details of the competent national supervisory authority
The National Privacy Commission (the “Commission” or the “NPC”). The Commission is attached to the Department of Information and Communications Technology.
5th Floor, Delegation Building
PICC Complex,
Roxas Boulevard, Manila
Metro Manila
Notification or registration scheme and timing
A Personal Information Controller (“PIC”) or Personal Information Processor (“PIP”) operating in the Philippines is required to register with the NPC where it meets any of the following conditions: (i) it employs two hundred fifty (250) or more persons; (ii) it processes sensitive personal information of one thousand (1,000) or more individuals; or (iii) it processes data that will likely pose a risk to the rights and freedoms of data subjects (such a risk exists in a range of situations, such as where the information is confidential by law or the data subjects are considered vulnerable).
PICs and PIPs are considered “operating in the country” if they, “although not founded or established in the Philippines, use equipment that are located in the Philippines,” or “maintain an office, branch, or agency in the Philippines.”
The current registration framework is set forth in NPC Circular No. 2022-04 which took effect on 11 January 2023. It supersedes in its entirety NPC Circular No. 17-01.
The registration process, which covers registration of the Data Protection Officer and Data Processing Systems, is completed through the National Privacy Commission Registration System accessible through this link: https://npcregistration.privacy.gov.ph/.
PICs or PIPs which do not meet the three (3) conditions above, may register voluntarily following the same process followed for mandatory registration.
All covered PICs and PIPs were required to complete Data Protection Officer and Data Processing System registration within one hundred eighty (180) days from the effectivity of the registration Circular, i.e. by 10 July 2023. Newly implemented Data Processing Systems or first DPOs must, on the other hand, be registered within twenty (20) days from the commencement of such system or the effective date of the appointment.
The National Privacy Commission shall issue a Certificate of Registration in favor of a PIC or PIP that has successfully completed the registration process. The Certificate of Registration shall only be considered as proof of such registration and not a verification of the contents thereof. A Certificate of Registration shall be valid for one (1) year from its date of issuance unless earlier revoked.
A Seal of Registration shall be issued simultaneously with the Certificate of Registration. The Seal of Registration is also valid for one (1) year from the date of issuance and must be displayed at the main entrance of the place of business, office or at the most conspicuous place to ensure visibility to all data subjects.
Exemptions to notification
A PIC or PIP that does not fall under mandatory registration and does not undertake voluntary registration may seek exemption from the Registration of its Data Processing Systems. Under current practice, this is done by submitting to the NPC through email: (i) a sworn declaration to the NPC stating, among others, the reasons why it does not meet the registration requirements and undertaking that it will comply with the orders of the NPC; and (ii) Proof of Authority of the Data Protection Officer to sign the Sworn Declaration. The Commission through an Order may require a PIC or PIP to submit supporting documents related to this submission.
_____________________________________________________________________
Scope of Application
What is the territorial scope of application?
The Data Privacy Act and the IRR apply to Personal Information Controllers and Personal Information Processors established in the Philippines and the processing of personal data by any natural and juridical person in the government or private sector.
The Data Privacy Act also applies to entities established outside of the Philippines if certain links exist to the Philippines. For example, where: (i) the processing relates to Personal Information about a Philippine citizen or a resident; (ii) the entity has a link with the Philippines (such as a contract entered into in the Philippines or a branch or agency in the Philippines) and the entity is processing Personal Information about Philippine citizens or residents; or (iii) the entity has other links such as a business in the Philippines or where it collects and holds Personal Information in the Philippines.
Is there a concept of a controller and a processor?
The Data Privacy Act places accountability on the “Personal Information Controller” for Personal Information under its control or custody, including information that has been transferred to a third party for processing.
The Data Privacy Act also applies to “Personal Information Processors” to whom a Personal Information Controller may outsource or instruct the processing of personal data.
Under a Commission circular, “Personal Information Controller” is defined as “a natural or juridical person, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf. The term excludes: (i) a natural or juridical person, or any other body, who performs such functions as instructed by another person or organization; or (ii) a natural person who processes personal data in connection with his or her personal, family or household affairs.”
The same circular states that there is “control” if the natural or juridical person or any other body decides on what information is collected, or the purpose and extent of the processing.
Are both manual and electronic records subject to data protection legislation?
The Data Privacy Act applies to both manual and electronic records. The law and the IRR cover information whether recorded in material form or not.
Are there any national derogations?
The Data Privacy Act contains a number of exceptions. It does not apply to personal data originally collected from residents of foreign jurisdictions which is being processed in the Philippines. Other miscellaneous exemptions include the processing of personal data: (i) about government employees acting in an official capacity; (ii) about those contracting with government or obtaining government licences or benefits; (iii) for journalistic, artistic, literary or research purposes; (iv) to carry out the functions of a public authority; and (v) to comply with money laundering and other financial rules. The non-application of the rules to these cases, however, is limited only to the minimum extent of collection, access, use, disclosure or other processing necessary for the purpose, function or activity concerned.
_____________________________________________________________________
Personal Data
What is personal data?
Personal data refers to all types of Personal Information, specifically Personal Information, Sensitive Personal Information and Privileged Information.
Both the Data Privacy Act and the IRR define “Personal Information” as any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
Is information about legal entities personal data?
No.
What are the rules for processing personal data?
In general, the Data Privacy Act and the IRR allow the processing of personal data, subject to the requirement that the Personal Information Controller: (i) comply with the requirements of the Data Privacy Act and other laws allowing disclosure of information to the public; and (ii) adhere to the principles of transparency, legitimate purpose and proportionality. The IRR describe these three principles in more detail.
The general principles of the Data Privacy Act and the IRR require personal data to be: (i) collected for declared, specific and legitimate purposes and only processed in a way compatible with such purposes; (ii) processed fairly and lawfully; (iii) accurate, relevant and, where necessary, kept up to date; (iv) adequate and not excessive; (v) retained only for as long as necessary, for the fulfilment of the declared, specified and legitimate purpose or as needed for legal claims or legitimate business purposes, or as provided by law; (vi) kept in a form which permits identification of data subjects for no longer than is necessary; and (vii) disposed of securely to prevent further processing or prejudice to the interests of the data subjects.
The processing of Personal Information shall only be permitted if at least one of the following conditions exists: (i) the data subject has given consent; (ii) the processing of Personal Information is necessary for a contract with the data subject or to take steps at the request of the data subject prior to entering into a contract; (iii) the processing is necessary for compliance with a legal obligation; (iv) the processing is necessary to protect vitally important interests of the data subject, including their life and health; (v) the processing is necessary in relation to a national emergency, public order and safety, or to fulfil functions of a public authority; or (vi) the processing is necessary for the Personal Information Controller or recipient’s legitimate interests, except where overridden by the fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.
The IRR contain controls on data sharing (which does not include data sharing as part of an outsourcing). Data sharing shall be allowed: (i) when it is expressly authorised by law provided there are adequate safeguards for data privacy and security, and processing adheres to principles of transparency, legitimate purpose and proportionality; and (ii) in the private sector, if the data subject consents to it and specific conditions are complied with, including executing data sharing agreements in cases of data sharing for commercial purposes, such as direct marketing. These restrictions on data sharing expressly apply to intra-group data sharing.
Are there any formalities to obtain consent to process personal data?
Consent must be a freely given, specific, informed indication of the data subject’s will. It must be evidenced by written, electronic or recorded means.
NPC Circular No. 2023-04 (the “Guidelines on Consent”) requires that when consent is obtained, the following information should be provided in a concise statement or privacy notice: (i) a description of the personal data to be processed; (ii) the purpose, nature, extent, duration and scope of processing for which consent is used as basis; (iii) the identity of the Personal Information Controller; (iv) the existence of the rights of the data subject; and (v) how these rights can be exercised.
The Guidelines on Consent clarify that the requirement of having a privacy statement and notice is separate and distinct from obtaining the consent of the data subject in an appropriate consent form. Consent forms should contain all the information required in a privacy statement and notice and indicate that consent is the lawful criterion for processing relied upon.
When a consent form already provides the essential information relating to the specific processing activity that enables the data subject to make an informed decision, a separate privacy notice on that specific processing is no longer necessary.
Are there any special rules when processing personal data about children?
Minors (i.e. those below 18 years old) are considered vulnerable data subjects. The processing of their information is considered likely to pose a risk to their rights and freedoms. Consequently, Personal Information Controllers and Personal Information Processors that process minors’ personal data are subject to mandatory registration.
Are there any special rules when processing personal data about employees?
The collection and processing of personal data of employees of private entities are governed by the same rules as other data subjects. Personal data about government employees that relate to their position or functions form an exemption under the Data Privacy Act.
The Commission has recently issued NPC Circular No. 2023-03 (the “Guidelines on Identification Cards”), which applies to the processing of personal data of employees who are issued identification cards. The Guidelines provide that only necessary personal data should be indicated, and this must relate to the primary purpose of identifying the data subject. If the identification cards have additional functionalities, all other personal data included should be reasonable and necessary for the specified and declared purposes of the identification card.
_____________________________________________________________________
Sensitive Personal Data
What is sensitive personal data?
The Data Privacy Act and the IRR define “Sensitive Personal Information” as Personal Information: (i) about an individual’s race, ethnic origin, marital status, age, colour, religious, philosophical or political affiliations, health, education, genes or sexual life, or offences or alleged offences relating to that individual; and (ii) issued by government agencies peculiar to an individual which includes social security numbers, health records, licences and tax returns.
Specific protection is also given to “Privileged Information”, being information that is subject to legal privilege.
Further classes of Sensitive Personal Information can be identified by an executive order or an act of Congress.
Are there additional rules for processing sensitive personal data?
In general, the processing of Sensitive Personal Information and Privileged Information is prohibited except where: (i) the data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of Privileged Information, all parties to the exchange have given their consent prior to processing; (ii) the processing is provided for by existing laws and regulations; (iii) the processing is necessary to protect the life and health of the data subject or another person, and the data subject is not able to give consent; (iv) the processing is carried out for limited non-commercial purposes by public organisations and their associations; (v) the processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of Personal Information is ensured; or (vi) the processing is necessary for court proceedings or legal claims, or is provided to the government or a public authority.
Are there additional rules for processing information about criminal offences?
The rules for processing information about criminal offences are the same as for Sensitive Personal Information.
In addition, the processing of Personal Information involving criminal offences is considered likely to pose a risk to a data subject’s rights and freedoms. Hence, Personal Information Controllers and Personal Information Processors that process such personal data are subject to mandatory registration.
Are there any formalities to obtain consent to process sensitive personal data?
The same formalities as those required for the processing of Personal Information apply. However, consent must be specific to the purpose and given by the data subject prior to the processing of the Sensitive Personal Information. In the case of Privileged Information, the consent must come from all the parties to the exchange of Privileged Information.
_____________________________________________________________________
Data Protection Officers
When must a data protection officer be appointed?
The Personal Information Controller must designate an individual or individuals who are accountable for the organisation’s compliance with the Data Privacy Act. The identity of the individual(s) so designated must be made known to any data subject upon request.
The data protection officer must: (i) possess specialised knowledge and demonstrate reliability necessary for the performance of his or her duties and responsibilities; (ii) have expertise in relevant privacy or data protection policies and practices; (iii) have sufficient understanding of the processing operations being carried out by the Personal Information Controller/Personal Information Processor, including its internal structure, policies and processes, information systems, data security and/or data protection needs; and (iv) be a full-time or organic employee of the Personal Information Controller/Personal Information Processor and ideally be a regular or permanent employee.
If the data protection officer’s employment is based on a contract, the term or duration of the contract should be at least two years to ensure stability. Consultants and project, seasonal, probationary or casual employees should not be designated as a data protection officer.
The data protection officer may hold other positions in the organisation only if it does not give rise to any “conflict of interest” which arises where tasks, duties and responsibilities may be opposed to or could affect the performance of the data protection officer. This includes, inter alia, holding a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data.
The first data protection officer of an organisation must be registered in the NPCRS within 20 days of appointment. In the event of a change in data protection officer, the Personal Information Controller or Personal Information Processor must update the system within 10 days from the appointment of the new data protection officer.
What are the duties of a data protection officer?
The data protection officer is responsible for, among others, the following activities: (i) monitoring compliance with relevant applicable legislation and policies; (ii) conducting privacy impact assessments; (iii) advising the Personal Information Controller/Personal Information Processor regarding complaints and/or the exercise by data subjects of their rights; (iv) ensuring proper data breach and security incident management; (v) informing and cultivating awareness on privacy and data protection within the organisation and advocating for the development, review and/or revision of policies, guidelines, projects and/or programmes relating to privacy and data protection; (vi) serving as the contact person vis-à-vis data subjects, the Commission and other authorities in all matters concerning data privacy or security issues of concern and the company; (vii) cooperating, coordinating and seeking advice of the Commission regarding matters concerning data privacy and security; and (viii) performing other duties and tasks that may be assigned by the Personal Information Controller/Personal Information Processor that will further the interests of data privacy and security and uphold the rights of the data subjects.
The data protection officer must have due regard for the risks associated with the processing operations of the Personal Information Controller/Personal Information Processor, taking into account the nature, scope, content and purposes of processing. This means that he or she must prioritise his or her data protection officer activities and focus efforts on addressing any issues that present higher data protection risks.
It is also possible to appoint a “compliance officer for privacy”. This is an individual that performs the functions or some of the functions of a data protection officer in a particular region, office, branch or area of authority. A Personal Information Controller or Personal Information Processor may only register one data protection officer, but in case it has several branches, offices or has a wide scope of operations, it may designate one or more compliance officers for privacy. The compliance officer for privacy must always be under the direct supervision of the data protection officer.
_____________________________________________________________________
Accountability and Privacy Impact Assessments
Is there a general accountability obligation?
Personal Information Controllers and Personal Information Processors must implement reasonable and appropriate organisational, physical and technical security measures for the protection of personal data.
Organisational measures include the: (i) appointment of a data protection officer, who shall also be accountable for ensuring compliance with the laws; (ii) implementation of data protection policies; (iii) keeping of data processing records; and (iv) management of employees who have access to personal data (e.g. conduct of capacity building, orientation or training programmes for such employees regarding privacy or security policies).
Physical and technical security measures include: (i) monitoring and limiting of access to personal data; and (ii) implementation of policies for the protection of data, such as procedures for the removal, disposal and transfer of personal data.
Are privacy impact assessments mandatory?
Under Commission guidelines, in general, a privacy impact assessment must be undertaken for each processing system of a Personal Information Controller or Personal Information Processor. A privacy impact assessment will be required for both new and existing systems, programmes, projects, procedures, measures or technology products that involve or impact processing personal data. For new processing systems, the assessment should be undertaken prior to their adoption, use or implementation.
A Personal Information Controller or Personal Information Processor may forego the conduct of a privacy impact assessment only if it determines that the processing involves minimal risks to the rights and freedoms of individuals, taking into account recommendations from the data protection officer. In making this determination, the size and sensitivity of the personal data being processed, the duration and extent of processing, the likely impact of the processing to the life of the data subject and possible harm in case of a personal data breach should be considered. In 2021, the Commission issued an advisory on the adoption of ISO/IEC 29184 in conducting privacy impact assessments.
_____________________________________________________________________
Rights of Data Subjects
Privacy notices
Data subjects should be provided with the following information prior to their personal data being added to a processing system or at the next practical opportunity: (i) a description of the personal data to be entered into the system; (ii) the purposes of processing; (iii) the basis of processing, when the processing is not based on the consent of the data subject; (iv) the scope and method of the personal data processing; (v) the recipients or classes of recipients to whom the personal data may be disclosed; (vi) automatic means to access the personal data; (vii) the identity and contact details of the Personal Information Controller or its representative; (viii) the period for which the information will be stored; and (ix) the existence of their rights as a data subject.
The data sharing principles require that the data subject is provided with certain information prior to collection or before data is shared, including the identity of the Personal Information Controllers or Processors that will be given access to the personal data, the purpose of data sharing and other related information.
Rights to access information
The data subject has the right to obtain confirmation on whether or not data relating to them is being processed, as well as information about any of the following: (i) the contents of the Personal Information and categories of data that was processed; (ii) the sources of the Personal Information if the data was not collected from the data subject; (iii) the purposes of processing; (iv) the manner by which the Personal Information was processed; (v) information on automated decision processes; (vi) names and addresses of recipients; (vii) reasons for the disclosure of the Personal Information to recipients; (viii) the date when the Personal Information concerning the data subject was last accessed and modified; (ix) the period for which particular categories of information will be stored; and (x) the designation, name or identity and address of the Personal Information Controller’s Data Protection Officer.
Rights to data portability
A data subject has the right to obtain a copy of their personal data from the Personal Information Controller and/or have their data transmitted from one Personal Information Controller to another.
Data portability must be limited to the personal data concerning the data subject, and which they have provided to the Personal Information Controller. This includes: (i) data actively and knowingly provided by the data subject, i.e. name, address, age, username, etc.; and (ii) observed data provided by the data subject by virtue of the use of the service or the device, i.e. access logs, transaction history and location data.
Right to be forgotten
Under the Data Privacy Act and the IRR, data subjects have the right to erasure and blocking. A data subject has the right to suspend, withdraw and order the blocking, removal or destruction of his or her Personal Information from a Personal Information Controller’s filing system.
This right may be exercised upon discovery and substantial proof of any of the following: (i) the personal data is incomplete, outdated, false or unlawfully obtained; (ii) the personal data is being used for unauthorised purposes; (iii) the personal data is no longer necessary for the purposes for which it was collected; (iv) the data subject withdraws consent or objects to the processing, and there is no other legal ground or overriding legitimate interest for the processing; (v) the personal data concerns private information that is prejudicial to the data subject, unless justified by freedom of speech, of expression, or of the press or otherwise authorised; (vi) the processing is unlawful; or (vii) the Personal Information Controller or Personal Information Processor violated the rights of the data subject.
Objection to direct marketing
The IRR provides that the data subject shall have the right to object to the processing of his or her personal data including processing for direct marketing, automated processing or profiling. NPC Advisory No. 2021-01 clarifies that the data subject shall have the right to object “where such processing is based on consent or legitimate interest.”
Other rights
The data subject has the right to rectification. This right involves the ability of the data subject to dispute the accuracy of or error in their personal data and have the Personal Information Controller correct this information within a reasonable period of time.
Data subjects have the right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorised use of their personal data, taking into account any violation of their rights and freedoms as data subject. Data subjects are able to file a complaint with the NPC if they believe that their rights have been infringed.
The rights of the data subject are transmissible to their heirs and assigns at any time after the death of the data subject or when the data subject is incapacitated or incapable of exercising his or her rights.
_____________________________________________________________________
Security
Security requirements in order to protect personal data
The Personal Information Controller must implement reasonable and appropriate organisational, physical and technical measures intended for the protection of Personal Information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing. This should protect against natural dangers and human dangers.
The determination of the appropriate level of security must take into account: (i) the nature of the Personal Data to be protected; (ii) the risks represented by the processing; (iii) the size of the organisation and complexity of its operations; (iv) current data privacy best practices; and (v) the cost of security implementation.
The IRR set out specific security requirements in three areas: (i) organisational measures, including the appointment of compliance officers, adoption of suitable policies and use of suitable contracts with Personal Information Processors; (ii) physical measures, including physical access controls, building design and destruction policies; and (iii) technical security measures, including encryption and intrusion detection.
Specific rules governing processing by third party agents (processors)
The Personal Information Controller must ensure that third parties processing Personal Information on its behalf shall also implement these security measures.
The IRR require a contract or other legal act to be in place that requires the Personal Information Processor to: (i) only process personal data on the instructions of the Personal Information Controller; (ii) ensure those accessing personal data keep it confidential; (iii) implement appropriate security measures; (iv) not engage another Processor without the Personal Information Controller’s prior instruction; (v) assist the Personal Information Controller when data subjects exercise their rights; (vi) assist the Personal Information Controller to comply with the Data Privacy Act and the IRR; (vii) at the choice of the Personal Information Controller, return or destroy personal data at the end of the contract; (viii) demonstrate compliance with the Personal Information Controller and submit to audits; and (ix) inform the Personal Information Controller if their instructions conflict with the Data Privacy Act and the IRR.
The employees, agents or representatives of a Personal Information Controller who are involved in the processing of Personal Information must keep it confidential unless it is intended for public disclosure.
The Commission has issued guidance recommending the use of the following standards: (i) ISO/IEC 29151 as a guide in implementing controls for data protection; (ii) the ISO/IEC 24760 series for Personal Information Controllers and Processors that carry out management of identity information in management systems; and (iii) ISO/IEC 29100 in implementing the privacy framework in any information and communication technology systems or services where privacy controls are required for personal data processing.
Notice of breach laws
Under the Data Privacy Act and its IRR, the Commission and affected data subjects must be notified of a personal data breach where: (i) it is reasonably believed that an unauthorised person has acquired Sensitive Personal Information or any other information that enables identity fraud; and (ii) the unauthorised acquisition is likely to give rise to a real risk of serious harm to any affected data subject.
The notification must be made within 72 hours. Notification may be delayed where necessary to determine the scope of the breach, prevent further data breaches and secure the underlying system. The Commission may also authorise the postponement of notification where it may hinder criminal investigations related to a serious breach. The Commission may exempt the Personal Information Controller from notifying data subjects where: (i) it would not be in the public interest or in the interests of data subjects; or (ii) the Controller has complied with the security requirements and acquired the Personal Information in good faith.
The notification shall describe the nature of the breach, the personal data possibly involved and the measures taken by the entity to address the breach.
Depending on the nature of the incident, or if there is delay or failure to notify, the Commission may investigate the circumstances surrounding the personal data breach. Investigations may include on-site examination of systems and procedures.
Under the IRR, a report summarising documented security incidents and personal data breaches shall be provided to the Commission annually.
For this purpose, the Commission launched the Data Breach Notification Management System (https://dbnms.privacy.gov.ph/login). Personal Data Breach Notifications and Annual Security Incident Reports are required to be submitted only through this online platform.
_____________________________________________________________________
Transfer of Personal Data to Third Countries
Restrictions on transfers to third countries
Transfers to third countries are permissible under the Data Privacy Act.
However, each Personal Information Controller is responsible for Personal Information under its control or custody, including information that has been transferred to a third party for processing overseas. The Personal Information Controller must use contractual or other reasonable means to provide a comparable level of protection for Personal Information processed by a third party.
Notification and approval of national regulator (including notification of use of Model Contracts)
A Personal Information Controller or Personal Information Processor required to register its data processing systems must, as part of that registration, provide certain details about its data processing system(s), including whether the personal data it processes would be transferred outside of the Philippines.
Use of binding corporate rules
The Data Privacy Act does not contain the concept of binding corporate rules.
It must be noted that in 2021, the Commission issued an advisory promoting the use of the ASEAN Model Contract Clauses (“ASEAN MCCs”) and the ASEAN Data Management Framework (“ASEAN DMF”). The Commission stated in the advisory that the ASEAN MCCs and the ASEAN DMF are developed for voluntary adoption and do not create additional rights or obligations under domestic or international law; therefore, the Commission does not obligate entities to adopt them. The advisory further emphasised that the ASEAN MCCs and the ASEAN DMF do not amend the Data Privacy Act, its implementing rules and regulations and other issuances of the Commission.
_____________________________________________________________________
Enforcement
Fines
Breach of the law is also punishable by fines ranging from 100,000 to five million Pesos (approximately EUR 1,700 to EUR 84,000). Any breach of personal data involving, harming or affecting at least 100 people will be subject to the maximum penalty.
The Commission can also issue administrative fines (see Circular No. 2022-01 or the Guidelines on Administrative Fines dated August 2022). These administrative fines apply to: (i) grave infractions, which can result in an administrative fine of 0.5% to 3% of the annual gross income of the immediately preceding year; (ii) major infractions, which can result in the imposition of administrative fines of 0.25% to 2% of the annual gross income of the immediately preceding year; and (iii) other infractions, which can result in a fine of 50,000 to 200,000 Pesos (approximately EUR 850 to EUR 3,500). The total administrative fine for a single act of a Personal Information Controller or Personal Information Processor, whether resulting in single or multiple infractions, shall not exceed five million Pesos (approximately EUR 84,000).
Imprisonment
Offenders shall be liable to imprisonment ranging from six months to seven years. If the offender is a legal person, the penalty shall also be imposed upon its responsible officers if the breach results from their participation or gross negligence.
Compensation
Data subjects are entitled to an indemnity for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorised use of personal data. Pursuant to the exercise of its quasi-judicial functions, the Commission shall award an indemnity to an aggrieved party on the basis of the provisions of the Philippine Civil Code.
Other powers
If the offender is an alien, he or she shall be deported without further proceedings after serving the penalties prescribed.
The Commission has the authority to perform all acts necessary to enforce its orders, resolutions or decisions, including the imposition of administrative sanctions, fines or penalties.
The Commission may: (i) issue compliance or enforcement orders; (ii) award indemnity on matters affecting any personal data or rights of data subjects; (iii) issue cease and desist orders or impose a temporary or permanent ban on the processing of personal data upon finding that the processing will be detrimental to national security or public interest, or if it is necessary to preserve and protect the rights of data subjects; (iv) recommend to the Department of Justice the prosecution of crimes and imposition of penalties; (v) compel or petition any entity, government agency or instrumentality to abide by its orders or take action on a matter affecting data privacy; and (vi) impose administrative fines for violations of the Data Privacy Act, the IRR and its other issuances.
Practice
In previous years, the Commission has issued compliance orders directing entities to implement corrective measures to comply with the law.
The Commission also conducts privacy compliance checks to evaluate the existing governance, organisational, physical and technical measures of Personal Information Controllers and Personal Information Processors, with the aim of preventing or mitigating similar incidents in the future.
In 2022, the Commission handled 279 new complaints and resolved a total of 1,404 complaints. The Commission’s Legal and Enforcement Office also managed 3,175 concerns while its Adjudication Division issued 35 Decisions, 60 Resolutions and 45 Orders for cases adjudicated during the same year.
_____________________________________________________________________
ePrivacy | Marketing and cookies
_____________________________________________________________
National Legislation
ePrivacy laws
Online privacy is dealt with mainly by Republic Act No. 10175, known as the Cybercrime Prevention Act of 2012 (“Cybercrime Prevention Act”). The Cybercrime Prevention Act protects computer data and systems, including prohibiting violations of an individual’s rights to online privacy.
Certain administrative rules also cover electronic privacy issues, particularly direct marketing and cookies. These include: (i) the Insurance Commission Circular Letter No. 2014-47 of the 2014 Guidelines on Electronic Commerce of Insurance Products (“Insurance E-Commerce Guidelines”); (ii) NTC Memorandum Circular No. 03-03-2005A, as amended by Memorandum Circular No. 04-07-2009 (“Broadcast Messaging Service Rules”); and (iii) the “Consumer Act” and the Department of Trade and Industry Administrative Order No. 2-93 of Rules and Regulations Implementing Republic Act No. 7394 on the Consumer Act (“Consumer Act Rules”).
_____________________________________________________________________
Cookies
Conditions for use of cookies
The Cybercrime Prevention Act and the Data Privacy Act do not specifically regulate the use of cookies.
Specific rules apply to insurance providers under the Insurance E-Commerce Guidelines who must include their privacy policy on their website. The privacy policy must include details of: (i) when the website uses cookies; (ii) how and why they are used; and (iii) the consequences, if any, of consumers’ refusal to accept a cookie.
Regulatory guidance on the use of cookies
None.
_____________________________________________________________________
Marketing by E-mail
Conditions for direct marketing by e-mail to individual subscribers
The Commission’s Guidelines on Consent are instructive in determining what legal basis can be used for marketing.
The Guidelines state that processing for direct marketing purposes may require consent in certain instances. A Personal Information Controller must obtain the consent of the data subject for direct marketing in cases where the nature of the processing would significantly affect the rights and freedoms of the data subject. In other cases, direct marketing can be considered a legitimate interest under the Data Privacy Act. The Personal Information Controller must conduct an assessment as to whether direct marketing falls under its legitimate interest. If the result of the assessment is that a legitimate interest cannot be relied upon, the processing may be based on consent.
In addition, under the Insurance E-Commerce Guidelines, insurance providers shall not transmit marketing e-mails to consumers without their consent, except when insurance providers have an existing relationship with them. An existing relationship is not established by consumers simply visiting the insurance providers' website. Any marketing e-mail messages that insurance providers send shall prominently display a return e-mail address and shall provide in plain language a simple procedure by which consumers can notify insurance providers that they do not wish to receive such messages.
The Broadcast Messaging Service Rules cover commercial and promotional advertisements, surveys and other messages sent via broadcast/push messaging service. Under the Broadcast Messaging Service Rules, content and/or information service providers are not allowed to send and/or initiate push messages unless the subscriber asks for them by communicating with the provider through written correspondence, text messaging, internet or other similar means of communication. Moreover, commercial and promotional advertisements, surveys and other broadcast messages shall be allowed only upon prior written consent by the subscribers.
Conditions for direct marketing by e-mail to corporate subscribers
The Insurance E-Commerce Guidelines protect consumers, which they define as individuals or legal persons engaged in commercial activity. The Broadcast Messaging Service Rules apply to both individual and corporate subscribers.
Exemptions and other issues
The Consumer Act Rules contain specific rules on the contents of any direct marketing, including requiring the disclosure of details of the seller, relevant terms and conditions and payment information. These rules only apply when dealing with consumers who are natural persons.
The Cybercrime Prevention Act used to make unsolicited commercial electronic marketing communications a cybercrime. However, in 2014, the Philippine Supreme Court struck those provisions down as unconstitutional as they violated the right to freedom of expression.
_____________________________________________________________________
Marketing by Telephone
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
The Guidelines on Consent issued by the Commission apply equally to direct marketing by telephone to individual subscribers.
The Consumer Act also deals with home solicitation sales which include solicitation by telephone.
Business entities conducting home solicitation sales of any consumer product or service must obtain a permit from the Department of Trade and Industry. In addition: (i) home solicitation sales may be conducted only between 9am and 7pm unless otherwise agreed; (ii) home solicitation sales shall only be conducted by a person who has the proper identification and authority from his principal; (iii) sales generated from home solicitation sales shall be properly receipted; and (iv) there must be no misrepresentation, for example that the consumer has been specially selected or that the purpose of the call is for a survey or research.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
These conditions do not apply to corporate subscribers.
Exemptions and other issues
The Consumer Act Rules contain specific rules on the contents of any direct marketing (see above).
_____________________________________________________________________