The Philippines Data Privacy Act (PDPA): What Businesses Must Know to Comply

Sameer Ahirrao -

On September 8, 2012, the Philippines enacted the Data Privacy Act (Republic Act No. 10173), marking the country's first comprehensive law dedicated to data protection. This legislation was established to safeguard personal information and ensure organizations take responsibility by enforcing stringent security protocols.

This law created the National Privacy Commission (NPC), which is tasked with enforcing and overseeing the Data Privacy Act. The NPC has the authority to create, review, and amend regulations to ensure the effective implementation of the Act, as outlined in Rule 3. The enforcement of this law was vital in protecting the fundamental rights of Filipinos by establishing a legal framework to safeguard their personal information (PI).

Scope and Objectives of the Philippines Data Privacy Act:

The PDPA applies to the processing of personal information by both government and private organizations, whether they operate inside or outside the Philippines, as long as they have a presence, engage in data processing, or have connections to the country. It sets out specific requirements for data controllers and processors related to the collection, use, disclosure, and storage of personal data. The law also enforces strict guidelines on obtaining consent, ensuring data accuracy, managing data storage, and implementing security measures to handle data responsibly and ethically.

The primary goals of the PDPA (Philippines Data Privacy Act) can be outlined as:

  • Protecting Privacy Rights and Empowering Individuals: The PDPA provides a framework that ensures personal information is processed lawfully and fairly, allowing individuals to control and give consent regarding the handling of their sensitive data. It ensures that data subjects are informed about the purposes, methods, and extent of data processing.
  • Promoting Security Measures: The law requires organizations to implement safeguards that match the sensitivity of the data they handle. This reduces the risk of data breaches, unauthorized access, alteration, or disclosure.
  • Ensuring Transparency and Accountability: The PDPA mandates that organizations adopt privacy policies, enforce data protection measures, and appoint a data protection officer to ensure compliance with the law.
  • Enabling Secure Cross-Border Data Transfers: The PDPA sets standards and mechanisms for the legal transfer of personal information outside the Philippines, aligning with international data protection standards to protect personal data during cross-border transactions.

Why is the PDPA important for businesses?

For global businesses, understanding and complying with the PDPA Philippines Act is crucial for operating securely and avoiding data breaches. Here’s why it matters:

  • Essential for Global Data Protection: Compliance with the PDPA is necessary for participating in the global landscape of data protection.
  • Builds Customer Trust: Adhering to the PDPA fosters customer trust, which enhances loyalty and strengthens an organization's reputation, both within and outside the Philippines.
  • Prevents Financial and Legal Issues: PDPA compliance helps businesses avoid costly financial penalties and legal complications.

General Principles of the Data Privacy Act

The processing of personal information for background checks by employers is permitted as long as it adheres to the DPA and relevant laws. The key principles of the Philippine Data Privacy Act include the following:

  • Purpose Limitation: Personal information should only be processed for a legitimate, declared, and specific purpose, which must not conflict with morals, laws, or public policy.
  • Data Minimization: Employers should process only the personal information that is necessary, relevant, adequate, and not excessive for the stated legitimate purpose.
  • Accuracy and Integrity: The information needs to be accurate and complete. Any data that is incorrect or incomplete should be corrected, supplemented, destroyed, or have its further processing limited.
  • Retention Limitation: Personal information should only be retained for as long as it is needed for the purpose for which it was collected.
  • Identifiability: The information should be kept in a form that identifies the candidate or employee for no longer than necessary.

The Rights of Data Subjects:

The PDPA strongly emphasizes protecting individuals' rights regarding the processing of their personal data. Some key rights granted to data subjects under the PDPA include:

  • Right to Be Informed: Individuals have the right to know about the collection, processing, purpose, and scope of their personal data. For example, a healthcare provider must inform patients about the types of data collected, its use in medical treatment, and any third parties involved.
  • Right to Consent: Individuals have the right to give or withhold consent for the processing of their personal data.
  • Right to Damages: If personal data is inaccurate, incomplete, outdated, false, unlawfully obtained, or used without authorization, individuals have the right to seek compensation for any resulting damages.
  • Right to File a Complaint: If individuals believe their data privacy rights have been violated, or their data misused, disclosed without consent, or improperly disposed of, they can file a complaint with the NPC.
  • Right to Access: Individuals can request confirmation and access to their personal data held by organizations. For instance, someone can request a copy of their credit report to review the information stored about their financial history.
  • Right to Rectify: Individuals can request the correction or amendment of any inaccurate or incomplete personal data.
  • Right to Erasure or Blocking: Individuals can request the deletion, destruction, or blocking of personal data that is unlawfully processed, outdated, or no longer necessary. For example, a person can ask a social media platform to delete their account and associated data if they no longer wish to use the platform.
  • Right to Data Portability: Under certain conditions, individuals can request a copy of their personal data in a structured, commonly used, and machine-readable format to transfer it to another platform. For instance, a user can download their photos and other data from a cloud service to move it elsewhere.
  • Right to Object: Individuals have the right to oppose the processing of their personal data if they have valid reasons.

Obligations of Data Controllers and Processors:

The PDPA sets forth various responsibilities for data controllers (DCs) and data processors (DPs) to ensure the responsible and lawful handling of personal data.

  • Transparency and Accountability: DCs and DPs must be transparent about their data handling practices. They are required to have clear privacy policies, appoint a Data Protection Officer (DPO), and take responsibility for their data processing activities.
  • Lawful and Fair Processing: Personal data must be processed legally and fairly. Sensitive personal information (PI) should only be processed with the consent of the data subject or when required by law. DCs and DPs should collect only the necessary data and not retain it longer than needed.
  • Purpose Limitation: Data should be collected only for specific, declared purposes and not used in ways that are inconsistent with those purposes. Organizations should retain data only as long as it is needed for the stated purpose. Section 19(a) of Rule 4 emphasizes that data collection must be for a declared, specified, and legitimate purpose, with consent required for collection and processing unless exempted by law.
  • Security Measures: Strong security measures must be in place to protect data from unauthorized access, changes, or leaks. Organizations are required to implement appropriate organizational, physical, and technical safeguards, aligning with the CIA triad (Confidentiality, Integrity, and Accountability) to ensure data protection. Section 25 of Rule 6 mandates reasonable and appropriate security measures to protect personal data.
  • Data Breach Management: Organizations must have a plan to handle data breaches effectively. Section 38a of Rule 9 requires organizations to notify the National Privacy Commission (NPC) and affected individuals within 72 hours of becoming aware of a breach if it poses a risk to their rights and privacy. The NPC may investigate the breach to determine its cause and examine the systems involved.
  • Cross-Border Data Transfer: When transferring data outside the Philippines, organizations must ensure that the receiving country has adequate data protection measures. They should use safeguards such as contracts or binding rules to protect the data during transfer.

Enforcements and Penalties

Cause of Breach Penalty for Non-Compliance under the Philippine DPA
Unauthorized handling of Personal Information (PI) and Sensitive PI.
  • Imprisonment (1-3 years)
  • Fine: Php2,000,000.00 ≥ Penalty ≥ Php500,000.00
Negligently accessing Personal Information (PI) and Sensitive PI.
  • Imprisonment (1-3 years)
  • Fine: Php2,000,000.00 ≥ Penalty ≥ Php500,000.00
Improperly discarding Personal Information (PI) and Sensitive PI.
  • Imprisonment (6 months- 2 years)
  • Fine: Php500,000.00 ≥ Penalty ≥ Php100,000.00
Using Personal Information (PI) and Sensitive PI for unauthorized purposes.
  • Imprisonment (1 year 6 months- 5 years)
  • Fine: Php1,000,000.00 ≥ Penalty ≥ Php500,000.00
Deliberate breach or unauthorized access.
  • Imprisonment (1- 3 years)
  • Fine: Php2,000,000.00 ≥ Penalty ≥ Php500,000.00

How to Comply with the Philippines Data Protection Act (DPA)

1) Appoint a Data Protection Officer (DPO): The DPO acts as the primary contact for data privacy issues, both for data subjects and the National Privacy Commission (NPC). They are responsible for overseeing the organization’s compliance with the DPA, implementing data protection policies, conducting privacy impact assessments, and coordinating with other departments to address privacy concerns. Organizations must provide the DPO with the necessary support, resources, and training to effectively fulfill their role.

2) Conduct a Privacy Impact Assessment (PIA): A Privacy Impact Assessment (PIA) is crucial for identifying and mitigating risks associated with the processing of personal data. The PIA helps organizations evaluate how their data processing activities might affect individuals' privacy rights and ensures that adequate safeguards are in place. During the PIA, organizations should consider factors such as the type of data processed, the purpose of processing, potential harm to data subjects, and legal obligations. The assessment should also review existing security measures to protect personal data from unauthorized access, loss, or disclosure.

3) Create a Privacy Management Program: Developing a Privacy Management Program is vital for establishing a structured approach to data protection. This program should include:

  • Privacy Policy: A comprehensive privacy policy that outlines the organization’s commitment to data protection, detailing how personal data is collected, used, stored, shared, and the rights of data subjects.
  • Data Mapping: A thorough data mapping exercise to track all personal data collected, processed, and stored. This helps identify data flows, potential vulnerabilities, and necessary control measures.
  • Data Protection Measures: Implementation of strong security measures such as encryption, access controls, and regular monitoring to protect personal data from breaches or unauthorized access.
  • Data Breach Response Plan: A plan to address any incidents of unauthorized access or disclosure of personal data, including steps for notifying affected individuals and relevant authorities.

4) Implement Data Privacy and Security Measures: Organizations must implement robust data privacy and security measures to comply with the DPA. This includes setting up strong access controls to prevent unauthorized access to personal data, using multi-factor authentication, and regularly reviewing access privileges. By limiting access to authorized personnel only, organizations can minimize the risk of data breaches and ensure that personal data is handled securely throughout its lifecycle.

5) Regularly Exercise Breach Reporting Procedures: Having and regularly exercising breach reporting procedures is key to an effective response to data breaches. Organizations should conduct mock drills or simulated scenarios to practice their breach response, helping staff members become familiar with the steps needed to address a breach. This preparation helps identify gaps in the response plan and ensures timely action in case of an actual breach. The DPA requires organizations to notify affected individuals and the NPC within 72 hours of becoming aware of a breach, unless the breach is unlikely to cause harm. Regular practice ensures organizations can meet this reporting deadline.

How Ardent Privacy helps to comply with the Philippines Data Privacy Act?

Ardent Privacy assists organizations in complying with the Philippines Data Privacy Act (PDPA) through a variety of tools and services designed to protect personal data and ensure adherence to regulatory requirements. Here’s how they help:

  • Data Discovery and Classification: Ardent Privacy helps organizations identify and classify personal data across their systems. This is essential for knowing where personal data is stored and ensuring its protection in line with PDPA guidelines.
  • Data Protection Impact Assessment (DPIA): Ardent Privacy supports the conduct of DPIAs, which are necessary under the PDPA for assessing and mitigating risks associated with the processing of personal data.
  • Data Minimization: Their solutions focus on data minimization by identifying and eliminating unnecessary or redundant personal data, which aligns with PDPA’s principle of limiting data collection to what is necessary for specific purposes.
  • Data Risk Management: Ardent Privacy provides risk assessment tools that help organizations evaluate potential risks to personal data and implement appropriate security measures to mitigate these risks.
  • Automated Data Rights Management: They offer tools that automate the management of data subject rights, such as the right to access, correct, and delete personal data. This ensures organizations can respond promptly and accurately to data subjects' requests, a key requirement under the PDPA.
  • Data Retention and Disposal: Ardent Privacy assists with setting up proper data retention schedules and ensures secure data disposal when it is no longer needed, in compliance with the PDPA’s guidelines on data retention.

By leveraging these features, Ardent Privacy aids organizations in meeting the compliance requirements of the Philippines Data Privacy Act and enhancing their overall data protection practices.