Republic Act No. 10173
August 15, 2012
Republic of the Philippines
Congress of the Philippines
Metro Manila
Fifteenth Congress
Second Regular Session
Begun and held in Metro Manila, on Monday, the twenty-fifth day of July, two thousand eleven.
[REPUBLIC ACT NO. 10173]
AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES
Be it enacted by the Senate and House of Representatives of the Philippines in Congress assembled:
CHAPTER I
GENERAL PROVISIONS
SECTION 1. Short Title. – This Act shall be known as the "Data Privacy Act of 2012".
SEC. 2. Declaration of Policy. – It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the
vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.
SEC. 3. Definition of Terms. – (a) Commission shall refer to the National Commission created by virtue of this Act.
(b) Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.
(c) Data subject refers to an individual whose personal information is processed.
(d) Direct marketing refers to communication by whatever means of any advertising or marketing material which is directed to particular individuals.
(e) Filing system refers to any act of information relating to natural or juridical persons to the extent that, although the information is not processed by equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular person is readily accessible.
(f) Information and Communications System refers to a system for generating, sending, receiving, storing or otherwise processing electronic data messages or electronic documents and includes the computer system or other similar device by or which data is recorded, transmitted or stored and any procedure related to the recording, transmission or storage of electronic data, electronic message, or electronic document.
(g) Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
(h) Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:
(1) A person or organization who performs such functions as instructed by another person or organization; and
(2) An individual who collects, holds, processes or uses personal information in connection with the individual's personal, family or household affairs.
(i) Personal information processor refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.
(j) Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization,
storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
(k) Privileged information refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.
(l) Sensitive information:
(1) About an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
(2) About an individual's health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to be kept classified.
SEC. 4. Scope. – This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are complied with.
This Act does not apply to the following:
(a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:
(1) The fact that the individual is or was an officer or employee of the government institution;
(2) The title, business address and office telephone number of the individual;
(3) The classification, salary range and responsibilities of the position held by the individual; and
(4) The name of the individual on a document prepared by the individual in the course of employment with the government;
(b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;
(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;
(d) Personal information processed for journalistic, artistic, literary or research purposes;
(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated
functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);
(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and
(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.
SEC. 5. Protection Afforded to Journalists and Their Sources. – Nothing in this Act shall be construed as to have amended or repealed the provisions of Republic Act No. 53, which affords the publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation protection from being compelled to reveal the source of any news report or information appearing in said publication which was related in any confidence to such publisher, editor, or reporter.
SEC. 6. Extraterritorial Application. – This Act applies to an act done or practice engaged in and outside of the Philippines by an entity if:
(a) The act, practice or processing relates to personal information about a Philippine citizen or a resident;
(b) The entity has a link with the Philippines, and the entity is processing personal information in the Philippines or even
if the processing is outside the Philippines as long as it is about Philippine citizens or residents such as, but not limited to, the following:
(1) A contract is entered in the Philippines;
(2) A juridical entity unincorporated in the Philippines but has central management and control in the country; and
(3) An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information; and
(c) The entity has other links in the Philippines such as, but not limited to:
(1) The entity carries on business in the Philippines; and
(2) The personal information was collected or held by an entity in the Philippines.
CHAPTER II
THE NATIONAL PRIVACY COMMISSION
SEC. 7. Functions of the National Privacy Commission. – To administer and implement the provisions of this Act, and to monitor and ensure compliance of the country with international standards set for data protection, there is hereby created an independent body to be known as the National Privacy Commission, which shall have the following functions:
(a) Ensure compliance of personal information controllers with the provisions of this Act;
(b) Receive complaints, institute investigations, facilitate or enable settlement of complaints through the use of alternative dispute resolution processes, adjudicate, award
indemnity on matters affecting any personal information, prepare reports on disposition of complaints and resolution of any investigation it initiates, and, in cases it deems appropriate, publicize any such report: Provided, That in resolving any complaint or investigation (except where amicable settlement is reached by the parties), the Commission shall act as a collegial body. For this purpose, the Commission may be given access to personal information that is subject of any complaint and to collect the information necessary to perform its functions under this Act;
(c) Issue cease and desist orders, impose a temporary or permanent ban on the processing of personal information, upon finding that the processing will be detrimental to national security and public interest;
(d) Compel or petition any entity, government agency or instrumentality to abide by its orders or take action on a matter affecting data privacy;
(e) Monitor the compliance of other government agencies or instrumentalities on their security and technical measures and recommend the necessary action in order to meet minimum standards for protection of personal information pursuant to this Act;
(f) Coordinate with other government agencies and the private sector on efforts to formulate and implement plans and policies to strengthen the protection of personal information in the country;
(g) Publish on a regular basis a guide to all laws relating to data protection;
(h) Publish a compilation of agency system of records and notices, including index and other finding aids;
(i) Recommend to the Department of Justice (DOJ) the prosecution and imposition of penalties specified in Sections 25 to 29 of this Act;
(j) Review, approve, reject or require modification of privacy codes voluntarily adhered to by personal information controllers: Provided, That the privacy codes shall adhere to the underlying data privacy principles embodied in this Act: Provided, further, That such privacy codes may include private dispute resolution mechanisms for complaints against any participating personal information controller. For this purpose, the Commission shall consult with relevant regulatory agencies in the formulation and administration of privacy codes applying the standards set out in this Act, with respect to the persons, entities, business activities and business sectors that said regulatory bodies are authorized to principally regulate pursuant to the law: Provided, finally, That the Commission may review such privacy codes and require changes thereto for purposes of complying with this Act;
(k) Provide assistance on matters relating to privacy or data protection at the request of a national or local agency, a private entity or any person;
(l) Comment on the implication on data privacy of proposed national or local statutes, regulations or procedures, issue advisory opinions and interpret the provisions of this Act and other data privacy laws;
(m) Propose legislation, amendments or modifications to Philippine laws on privacy or data protection as may be necessary;
(n) Ensure proper and effective coordination with data privacy regulators in other countries and private accountability agents, participate in international and regional initiatives for data privacy protection;
(o) Negotiate and contract with other data privacy authorities of other countries for cross-border application and implementation of respective privacy laws;
(p) Assist Philippine companies doing business abroad to respond to foreign privacy or data protection laws and regulations; and
(q) Generally perform such acts as may be necessary to facilitate cross-border enforcement of data privacy protection.
SEC. 8. Confidentiality. – The Commission shall ensure at all times the confidentiality of any personal information that comes to its knowledge and possession.
SEC. 9. Organizational Structure of the Commission. – The Commission shall be attached to the Department of Information and Communications Technology (DICT) and shall be headed by a Privacy Commissioner, who shall also act as Chairman of the Commission. The Privacy Commissioner shall be assisted by two (2) Deputy Privacy Commissioners, one to be responsible for Data Processing Systems and one to be responsible for Policies and Planning. The Privacy Commissioner and the two (2) Deputy Privacy Commissioners shall be appointed by the President of the Philippines for a term of three (3) years, and may be reappointed for another term of three (3) years. Vacancies in the Commission shall be filled in the same manner in which the original appointment was made.
The Privacy Commissioner must be at least thirty-five (35) years of age and of good moral character, unquestionable integrity and known probity, and a recognized expert in the field of information technology and data privacy. The Privacy Commissioner shall enjoy the benefits, privileges and emoluments equivalent to the rank of Secretary.
The Deputy Privacy Commissioners must be recognized experts in the field of information and communications technology and data privacy. They shall enjoy the benefits, privileges and emoluments equivalent to the rank of Undersecretary.
The Privacy Commissioner, the Deputy Commissioners, or any person acting on their behalf or under their direction, shall not be civilly liable for acts done in good faith in the performance of their duties. However, he or she shall be liable for willful or negligent acts done by him or her which are contrary to law, morals, public policy and good customs even if he or she acted under orders or instructions of superiors: Provided, That in case a lawsuit is filed against such official on the subject of the performance of his or her duties, where such performance is lawful, he or she shall be reimbursed by the Commission for reasonable costs of litigation.
SEC. 10. The Secretariat. – The Commission is hereby authorized to establish a Secretariat. Majority of the members of the Secretariat must have served for at least five (5) years in any agency of the government that is involved in the processing of personal information including, but not limited to, the following offices: Social Security System (SSS), Government Service Insurance System (GSIS), Land Transportation Office (LTO), Bureau of Internal Revenue (BIR), Philippine Health Insurance Corporation (PhilHealth), Commission on Elections (COMELEC), Department of Foreign Affairs (DFA), Department of Justice (DOJ), and Philippine Postal Corporation (Philpost).
CHAPTER III
PROCESSING OF PERSONAL INFORMATION
SEC. 11. General Data Privacy Principles. – The processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public and adherence to the
Personal information must be:
(a) Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only;
(b) Processed fairly and lawfully;
(c) Accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal information, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted;
(d) Adequate and not excessive in relation to the purposes for which they are collected and processed;
(e) Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law; and
(f) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed: Provided, That personal information collected for other purposes may be processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods: Provided, further, That adequate safeguards are guaranteed by said laws authorizing their processing.
The personal information controller must ensure implementation of personal information processing principles set out herein.
SEC. 12. Criteria for Lawful Processing of Personal Information. – The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:
(a) The data subject has given his or her consent;
(b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
(c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
(d) The processing is necessary to protect vitally important interests of the data subject, including life and health;
(e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or
(f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.
SEC. 13. Sensitive Personal Information and Privileged Information. – The processing of sensitive personal
information and privileged information shall be prohibited, except in the following cases:
(a) The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;
(b) The processing of the same is provided for by existing laws and regulations: Provided, That such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information: Provided, further, That the consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;
(c) The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;
(d) The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: Provided, That such processing is only confined and related to the bona fide members of these organizations or their associations: Provided, further, That the sensitive personal information are not transferred to third parties: Provided, finally, That consent of the data subject was obtained prior to processing;
(e) The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or
(f) The processing concerns such personal information as is necessary for the protection of lawful rights and interests of
natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.
SEC. 14. Subcontract of Personal Information. – A personal information controller may subcontract the processing of personal information: Provided, That the personal information controller shall be responsible for ensuring that proper safeguards are in place to ensure the confidentiality of the personal information processed, prevent its use for unauthorized purposes, and generally, comply with the requirements of this Act and other laws for processing of personal information. The personal information processor shall comply with all the requirements of this Act and other applicable laws.
SEC. 15. Extension of Privileged Communication. – Personal information controllers may invoke the principle of privileged communication over privileged information that they lawfully control or process. Subject to existing laws and regulations, any evidence gathered on privileged information is inadmissible.
CHAPTER IV
RIGHTS OF THE DATA SUBJECT
SEC. 16. Rights of the Data Subject. – The data subject is entitled to:
(a) Be informed whether personal information pertaining to him or her shall be, are being or have been processed;
(b) Be furnished the information indicated hereunder before the entry of his or her personal information into the processing system of the personal information controller, or at the next practical opportunity:
(1) Description of the personal information to be entered into the system;
(2) Purposes for which they are being or are to be processed;
(3) Scope and processing;
(4) The recipients or classes of recipients to whom they are or may be disclosed;
(5) Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized;
(6) The identity and contact details of the personal information controller or its representative;
(7) The period for which the information will be stored; and
(8) The existence of their rights, i.e., to access, correction, as well as the right to lodge a complaint before the Commission.
Any information supplied or declaration made to the data subject on these matters shall not be amended without prior notification of data subject: Provided, That the notification under subsection (b) shall not apply should the personal information be needed pursuant to a subpoena or when the collection and processing are for obvious purposes, including when it is necessary for the performance of or in relation to a contract or service or when necessary or desirable in the context of an employer-employee relationship, between the collector and the data subject, or when the information is being collected and processed as a result of legal obligation;
(c) Reasonable access to, upon demand, the following:
(1) Contents of his or her personal information that were processed;
(2) Sources from which personal information were obtained;
(3) Names and addresses of recipients of the personal information;
(4) Manner by which such data were processed;
(5) Reasons for the disclosure of the personal information to recipients;
(6) Information on automated processes where the data will or likely to be made as the sole basis for any decision significantly affecting or will affect the data subject;
(7) Date when his or her personal information concerning the data subject were last accessed and modified; and
(8) The designation, or name or identity and address of the personal information controller;
(d) Dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal information have been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by recipients thereof: Provided, That the third parties who have previously received such processed personal information shall be informed of its inaccuracy and its rectification upon reasonable request of the data subject;
(e) Suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller's filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected. In this case, the personal information controller may notify third parties who have previously received such processed personal information; and
(f) Be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information.
SEC. 17. Transmissibility of Rights of the Data Subject. – The lawful heirs and assigns of the data subject may invoke the rights of the data subject for which he or she is an heir or assignee at any time after the death of the data subject or when the data subject is incapacitated or incapable of exercising the rights as enumerated in the immediately preceding section.
SEC. 18. Right to Data Portability. – The data subject shall have the right, where personal information is processed by electronic means and in a structured and commonly used format, to obtain from the personal information controller a copy of data undergoing processing in an electronic or structured format, which is commonly used and allows for further use by the data subject. The Commission may specify the electronic format referred to above, as well as the technical standards, modalities and procedures for their transfer.
SEC. 19. Non-Applicability. – The immediately preceding sections are not applicable if the processed personal information are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the
data subject: Provided, That the personal information shall be held under strict confidentiality and shall be used only for the declared purpose. Likewise, the immediately preceding sections are not applicable to processing of personal information gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject.
SEC. 20. Security of Personal Information. – (a) The personal information controller must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.
(b) The personal information controller shall implement reasonable and appropriate measures to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.
(c) The determination of the appropriate level of security under this section must take into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices and the cost of security implementation. Subject to guidelines as the Commission may issue from time to time, the measures implemented must include:
(1) Safeguards to protect its computer network against accidental, unlawful or unauthorized usage or interference with or hindering of their functioning or availability;
(2) A security policy with respect to the processing of personal information;
(3) A process for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach; and
(4) Regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach.
(d) The personal information controller must further ensure that third parties processing personal information on its behalf shall implement the security measures required by this provision.
(e) The employees, agents or representatives of a personal information controller who are involved in the processing of personal information shall operate and hold personal information under strict confidentiality if the personal information are not intended for public disclosure. This obligation shall continue even after leaving the public service, transfer to another position or upon termination of employment or contractual relations.
(f) The personal information controller shall promptly notify the Commission and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject. The notification shall at least describe the nature of the breach, the sensitive personal information possibly involved, and the measures taken by the entity to address the breach. Notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system.
(1) In evaluating if notification is unwarranted, the Commission may take into account compliance by the personal information controller with this section and existence of good faith in the acquisition of personal information.
(2) The Commission may exempt a personal information controller from notification where, in its reasonable judgment, such notification would not be in the public interest or in the interests of the affected data subjects.
(3) The Commission may authorize postponement of notification where it may hinder the progress of a criminal investigation related to a serious breach.
CHAPTER VI
ACCOUNTABILITY FOR TRANSFER OF PERSONAL INFORMATION
SEC. 21. Principle of Accountability. – Each personal information controller is responsible for personal information under its control or custody, including information that have been transferred to a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation.
(a) The personal information controller is accountable for complying with the requirements of this Act and shall use contractual or other reasonable means to provide a comparable level of protection while the information are being processed by a third party.
(b) The personal information controller shall designate an individual or individuals who are accountable for the organization's compliance with this Act. The identity of the individual(s) so designated shall be made known to any data subject upon request.
!& 22. Responsibility of Heads of 'gencies. ; All sensitive 7ersonal inor8ation 8aintained y the govern8ent, its agenies and instru8entalities shall e seured, as ar as 7ratiale, with the use o the 8ost a77ro7riate standard reogni:ed y the inor8ation and o88uniations tehnology industry, and as reo88ended y the &o88ission. 'he head o eah govern8ent ageny or instru8entality shall e res7onsile or o87lying with the seurity reCuire8ents 8entioned herein while the &o88ission shall 8onitor the o87liane and 8ay reo88end the neessary ation in order to satisy the 8ini8u8 standards. !&. 2+. Re3uirements Relating to 'ccess by 'gency Personnel to Sensitive Personal &nformation. >a? )n-site and )nline Aess ; !e7t as 8ay e allowed through guidelines to e issued y the &o88ission, no e87loyee o the govern8ent shall have aess to sensitive 7ersonal inor8ation on govern8ent 7ro7erty or through online ailities unless the e87loyee has reeived a seurity learane ro8 the head o the soure ageny. >? )F-site Aess ; #nless otherwise 7rovided in guidelines to e issued y the &o88ission, sensitive 7ersonal inor8ation 8aintained y an ageny 8ay not e trans7orted or aessed ro8 a loation oF govern8ent 7ro7erty unless a reCuest or suh trans7ortation or aess is su8itted and a77roved y the head o the ageny in aordane with the ollowing guidelines=
(1) Deadline for Approval or Disapproval – In the case of any request submitted to the head of an agency, such head of the agency shall approve or disapprove the request within two (2) business days after the date of submission of the request. In case there is no action by the head of the agency, then such request is considered disapproved;

(2) Limitation to One thousand (1,000) Records – If a request is approved, the head of the agency shall limit the access to not more than one thousand (1,000) records at a time; and

(3) Encryption – Any technology used to store, transport or access sensitive personal information for purposes of off-site access approved under this subsection shall be secured by the use of the most secure encryption standard recognized by the Commission.

The requirements of this subsection shall be implemented not later than six (6) months after the date of the enactment of this Act.

SEC. 24. Applicability to Government Contractors. – In entering into any contract that may involve accessing or requiring sensitive personal information from one thousand (1,000) or more individuals, an agency shall require a contractor and its employees to register their personal information processing system with the Commission in accordance with this Act and to comply with the other provisions of this Act including the immediately preceding section, in the same manner as agencies and government employees comply with such requirements.

CHAPTER VIII PENALTIES

SEC. 25. Unauthorized Processing of Personal Information and Sensitive Personal Information.

(a) The unauthorized processing of personal information shall be penalized by
imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who process personal information without the consent of the data subject, or without being authorized under this Act or any existing law.

(b) The unauthorized processing of personal sensitive information shall be penalized by imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00) shall be imposed on persons who process personal information without the consent of the data subject, or without being authorized under this Act or any existing law.

SEC. 26. Accessing Personal Information and Sensitive Personal Information Due to Negligence. –

(a) Accessing personal information due to negligence shall be penalized by imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who, due to negligence, provided access to personal information without being authorized under this Act or any existing law.

(b) Accessing sensitive personal information due to negligence shall be penalized by imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00) shall be imposed on persons who, due to negligence, provided access to personal information without being authorized under this Act or any existing law.

SEC. 27. Improper Disposal of Personal Information and Sensitive Personal Information.

(a) The improper disposal of personal information shall be penalized by imprisonment
ranging from six (6) months to two (2) years and a fine of not less than One hundred thousand pesos (Php100,000.00) but not more than Five hundred thousand pesos (Php500,000.00) shall be imposed on persons who knowingly or negligently dispose, discard or abandon the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection.

(b) The improper disposal of sensitive personal information shall be penalized by imprisonment ranging from one (1) year to three (3) years and a fine of not less than One hundred thousand pesos (Php100,000.00) but not more than One million pesos (Php1,000,000.00) shall be imposed on persons who knowingly or negligently dispose, discard or abandon the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection.

SEC. 28. Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes. The processing of personal information for unauthorized purposes shall be penalized by imprisonment ranging from one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00) shall be imposed on persons processing personal information for purposes not authorized by the data subject, or otherwise authorized under this Act or under existing laws.

The processing of sensitive personal information for unauthorized purposes shall be penalized by imprisonment ranging from two (2) years to seven (7) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons processing sensitive personal information for purposes not authorized by the data subject,
or otherwise authorized under this Act or under existing laws.

SEC. 29. Unauthorized Access or Intentional Breach. The penalty of imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who knowingly and unlawfully, or violating data confidentiality and security data systems, breaks in any way into any system where personal and sensitive personal information is stored.

SEC. 30. Concealment of Security Breaches Involving Sensitive Personal Information. The penalty of imprisonment of one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00) shall be imposed on persons who, after having knowledge of a security breach and of the obligation to notify the Commission pursuant to Section 20(f), intentionally or by omission conceals the fact of such security breach.

SEC. 31. Malicious Disclosure. Any personal information controller or personal information processor or any of its officials, employees or agents, who, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or personal sensitive information obtained by him or her, shall be subject to imprisonment ranging from one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00).

SEC. 32. Unauthorized Disclosure.

(a) Any personal information controller or personal information processor or any of its officials, employees or agents, who discloses to a third party personal information not covered by the
immediately preceding section without the consent of the data subject, shall be subject to imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00).

(b) Any personal information controller or personal information processor or any of its officials, employees or agents, who discloses to a third party sensitive personal information not covered by the immediately preceding section without the consent of the data subject, shall be subject to imprisonment ranging from three (3) years to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00).

SEC. 33. Combination or Series of Acts. Any combination or series of acts as defined in Sections 25 to 32 shall make the person subject to imprisonment ranging from three (3) years to six (6) years and a fine of not less than One million pesos (Php1,000,000.00) but not more than Five million pesos (Php5,000,000.00).

SEC. 34. Extent of Liability. – If the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime. If the offender is a juridical person, the court may suspend or revoke any of its rights under this Act. If the offender is an alien, he or she shall, in addition to the penalties herein prescribed, be deported without further proceedings after serving the penalties prescribed. If the offender is a public official or employee and he or she is found guilty of acts penalized under Sections 27 and 28 of this Act, he or she shall, in addition to the penalties prescribed herein, suffer perpetual or temporary absolute disqualification from office, as the case may be.

SEC. 35. Large-Scale. The maximum penalty in the scale of penalties respectively provided for the preceding offenses shall be imposed when the personal information of at least one hundred (100) persons is harmed, affected or involved as the result of the above mentioned actions.

SEC. 36. Offense Committed by Public Officer.
SEC. 37. Restitution. Restitution for any aggrieved party shall be governed by the provisions of the New Civil Code.

CHAPTER IX MISCELLANEOUS PROVISIONS

SEC. 38. Interpretation. Any doubt in the interpretation of any provision of this Act shall be liberally interpreted in a manner mindful of the rights and interests of the individual about whom personal information is processed.

SEC. 39. Implementing Rules and Regulations (IRR). – Within ninety (90) days from the effectivity of this Act, the Commission shall promulgate the rules and regulations to effectively implement the provisions of this Act.

SEC. 40. Reports and Information. – The Commission shall annually report to the President and Congress on its activities in carrying out the provisions of this Act. The Commission shall undertake whatever efforts it may determine to be necessary or appropriate to inform and educate the public of data privacy, data protection and fair information rights and responsibilities.
SEC. 41. Appropriations Clause. The Commission shall be provided with an initial appropriation of Twenty million pesos (Php20,000,000.00) to be drawn from the national government. Appropriations for the succeeding years shall be included in the General Appropriations Act. It shall likewise receive Ten million pesos (Php10,000,000.00) per year for five (5) years upon implementation of this Act drawn from the national government.

SEC. 42. Transitory Provision. – Existing industries, businesses and offices affected by the implementation of this Act shall be given one (1) year transitory period from the effectivity of the IRR or such other period as may be determined by the Commission, to comply with the requirements of this Act. In case that the DICT has not yet been created by the time the law takes full force and effect, the National Privacy Commission shall be attached to the Office of the President.
SEC. 43. Separability Clause. If any provision or part hereof is held invalid or unconstitutional, the remainder of the law or the provision not otherwise affected shall remain valid and subsisting.

SEC. 44. Repealing Clause. The provision of Section 7 of Republic Act No. 9372, otherwise known as the "Human Security Act of 2007", is hereby amended. Except as otherwise expressly provided in this Act, all other laws, decrees, executive orders, proclamations and administrative regulations or parts thereof inconsistent herewith are hereby repealed or modified accordingly.

SEC. 45. Effectivity Clause. This Act shall take effect fifteen (15) days after its publication in at least two (2) national newspapers of general circulation.