1 of 10

The Data Privacy Act of 2012

Atty. Dana Batnag

2 of 10

Data Privacy Law Milestones Timeline

DTI AO 8 2006

DTI AO 2006, was the first regulation on processing of personal data

IRR AND CREATION OF NPC (2016)

The National Privacy Commission was created in 2016

DATA PRIVACY ACT OF 2012

The Data Privacy Act was enacted into law in 2012

NPC DECISIONS AND SC JURISPRUDENCE

3 of 10

Data Privacy Principles

Data Subjects should be informed prior to or at the most practicable opportunity that their personal data will be, is being, or has been processed

Transparency

Only as much personal data as is needed to achieve the legitimate purpose must be processed

Proportionality

Processing must have a legitimate purpose and not contrary to law or public interest

Legitimate Purpose

4 of 10

Basis for Processing Personal Information

Consent

Functions of Public Authority

Legal Obligation

Contract

Vital Interests of the Data Subject

Legitimate Interest

5 of 10

Basis for Processing Sensitive Personal Information

Consent

Medical Treatment

To protect life and health

Provided by existing laws and regulations

Lawful and non-commercial objectives of public organizations

Exercise or defense of legal claims

6 of 10

Obligations of Controllers and Processors

Personal Information Controllers (PICs) and Personal Information Processors (PIPs) should ensure that the personal data is secure through organizational, technical, and physical security policies

Protect the Personal Data

PICs and PIPs should respect data subject rights

Respect Data Subject Rights

PICs and PIPs should ensure the confidentiality, integrity, and accuracy, of the personal data processed.

Ensure CIA

7 of 10

Data Subject Rights

Data subjects must be informed of the processing prior to or at the soonest possible opportunity

Right to Information

If the information is patently wrong, data subjects may demand that the personal data be corrected

Right to Correct

Data subjects have the right to know the sources and recipients of the personal data about them, and the manner of processing

Right to Access

8 of 10

Data Subject Rights

In some instances, data subjects may demand for the deletion or blocking of their personal data

Right to Delete/Block

Data subjects must be informed of their right to file complaints and be compensated for violations in the handling of their personal data

Right to Damages

If the processing is based on consent or legitimate interest, a data subjec tmay object to the processing of personal data

Right to Object

9 of 10

Jurisprudence

AYER V CAPULONG (1988)

public officials have limited privacy rights

PSE V SECRETARY OF FINANCE

Exempted processing must still observe data privacy principles

OPLE V TORRES (1998)

right to privacy is a fundamental right

FUTURE PRIVACY LAW DEVELOPMENTS

10 of 10

Thank you!