The Data Privacy Act of 2012
Atty. Dana Batnag
Data Privacy Law Milestones Timeline
DTI AO 8 2006
DTI AO 2006, was the first regulation on processing of personal data
IRR AND CREATION OF NPC (2016)
The National Privacy Commission was created in 2016
DATA PRIVACY ACT OF 2012
The Data Privacy Act was enacted into law in 2012
NPC DECISIONS AND SC JURISPRUDENCE
Data Privacy Principles
Data Subjects should be informed prior to or at the most practicable opportunity that their personal data will be, is being, or has been processed
Transparency
Only as much personal data as is needed to achieve the legitimate purpose must be processed
Proportionality
Processing must have a legitimate purpose and not contrary to law or public interest
Legitimate Purpose
Basis for Processing Personal Information
Consent
Functions of Public Authority
Legal Obligation
Contract
Vital Interests of the Data Subject
Legitimate Interest
Basis for Processing Sensitive Personal Information
Consent
Medical Treatment
To protect life and health
Provided by existing laws and regulations
Lawful and non-commercial objectives of public organizations
Exercise or defense of legal claims
Obligations of Controllers and Processors
Personal Information Controllers (PICs) and Personal Information Processors (PIPs) should ensure that the personal data is secure through organizational, technical, and physical security policies
Protect the Personal Data
PICs and PIPs should respect data subject rights
Respect Data Subject Rights
PICs and PIPs should ensure the confidentiality, integrity, and accuracy, of the personal data processed.
Ensure CIA
Data Subject Rights
Data subjects must be informed of the processing prior to or at the soonest possible opportunity
Right to Information
If the information is patently wrong, data subjects may demand that the personal data be corrected
Right to Correct
Data subjects have the right to know the sources and recipients of the personal data about them, and the manner of processing
Right to Access
Data Subject Rights
In some instances, data subjects may demand for the deletion or blocking of their personal data
Right to Delete/Block
Data subjects must be informed of their right to file complaints and be compensated for violations in the handling of their personal data
Right to Damages
If the processing is based on consent or legitimate interest, a data subjec tmay object to the processing of personal data
Right to Object
Jurisprudence
AYER V CAPULONG (1988)
public officials have limited privacy rights
PSE V SECRETARY OF FINANCE
Exempted processing must still observe data privacy principles
OPLE V TORRES (1998)
right to privacy is a fundamental right
FUTURE PRIVACY LAW DEVELOPMENTS
Thank you!