Definition of Terms
- PIP → outsourced by PIC
- PIC → controls the processing, EXCLUDES
(1) instructed by others
(2) for personal / family affairs
Scope or Applicability
- processing of all types of personal information
- XPN : relates to government, public authority
- XPN : banks, foreign residents
- XPN : discretionary benefit of financial nature (e.g. list of passers)
- XPN : JAR-L purposes → journalistic, artistic, research, literary
Journalists → protected from being compelled to reveal sources
Extraterritorial Application
- if related to PH citizen or resident
- if with link to PH (e.g. PH branch of MCDO, call centers)
Principles of Data Privacy
1. Legitimate Purpose
2. Proportionality
3. Transparency
Yes
Types of Personal Data
1. Personal Information → related to identity (apparent or directly ascertained)
2. Sensitive Personal Information → MARE CPR SHE
3. Privileged Information
(1) attorney-client
(2) doctor-patient
(3) priest-confessor
Extension of Privileged Information → e.g. hospital
May be subcontracted by PIC → PIC is still the one liable
MARE CPR SHE
- Marital Status, Age
- Race, Ethnicity, Color
- Philosophical or Religious affiliation
- Sexual life, Health, Education
- issued by gov’t → e.g. SSS, ITR
PROCESSING OF PERSONAL INFORMATION
Allowed if
- with waiver
- necessary and related to
(1) fulfillment of contract
(2) compliance with laws
(3) vitally important interests, legitimate interests
(4) national emergency, public order, and safety
Yes
PROCESSING OF SENSITIVE / PRIVILEGED INFORMATION
General Rule : Prohibited
XPN : Allowed if
- with waiver
- necessary and related to
(1) lawful objectives of public org
(2) compliance with laws
(3) lawful rights and interests
(4) medical emergency or treatment
Yes
Rights of a Data Subject
- Informed Consent
- Withhold Consent → in case of changes (XPN : subpoena, law, contract)
- Access
- Erasure → notify 3rd parties
- Object
- Correct
- Damages
- Data Portability → electronic means, standardized format
These rights are transmissible to heirs and assigns
These rights are not applicable in case of
- scientific or statistical research
- investigation
Notification to Commission
- if with data breach → within ? from knowledge
(1) no delay → if involves at least ? data subjects
(2) adversely affects the data subject
within ? → provide full report to the commission
5 days