The Data Privacy Act of 2012, or Republic Act No. 10173, is landmark legislation that protects all forms of private, personal, and sensitive information shared or transmitted by individuals and legal entities on digital platforms.
The law sets the ground rules for the processing of personal information. “Processing” refers to the collection, organization, storage, updating, retrieval, consultation, consolidation, blocking, or destruction of data.
The general privacy principles governing the processing of data
Under the Data Privacy Act, personal information must be:
- Collected for specified and legitimate purposes only.
- Processed fairly and lawfully. Data processing must satisfy at least one of the following conditions:
  - The owner of the personal information, also referred to as the data subject, has willingly expressed specific and informed consent through written, electronic, or recorded means. When obtaining consent, owners of the information must be told about the extent and purpose of the personal information being gathered.
  - Processing is required to fulfill a contract with the owner, or is a requisite step prior to entering into a contract.
  - Data processing is necessary for compliance with a legal obligation to which the “personal information controller” is subject. A personal information controller is a “person or organization who controls the collection, holding, processing or use of personal information.”
  - Data processing is needed to protect the vital interests of the data subject, such as his/her life and health.
  - Data processing is required in order to respond to a national emergency, to comply with public order and safety standards, or to fulfill functions of public authority.
  - Data processing is necessary for the legitimate interests pursued by the personal information controller or by a third party to whom the data is disclosed.
- Accurate, relevant, and kept up to date. Inaccuracies must be addressed before the data can be processed.
- Adequate and not excessive for the purposes justifying the collection and processing.
- Kept only for as long as necessary to fulfill the purpose of the processing.
- Kept in a form which allows the identification of the data subject only for as long as it is needed. Exceptions to this condition apply when personal information is used for historical, statistical, or scientific purposes. Such information may be stored for longer periods provided that there are legal bases that authorize their processing and there are adequate safeguards to protect them.
The rights of the data owner
The Data Privacy Act protects the interests of data owners through two sets of rights.
- Substantive rights entitle data owners to know how their personal information is being used and to pursue corrective actions. These rights include the:
  - Right to be informed
  - Right of access
  - Right to correction
  - Right to suspend, withdraw, or order the removal of personal information from the controller’s filing system
  - Right to indemnity
  - Right to “data portability,” which means data subjects can obtain and reuse their personal information for their own purposes for different services, and have the ability to transfer their data safely without affecting its usability.
- Auxiliary rights enable data owners to hold those who control or process their personal information liable in cases of willful or negligent acts. Data owners have the right to lodge a complaint before the National Privacy Commission, as well as the right to know the identity of accountable individuals.