In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you move toward GDPR compliance and help you focus your efforts. In this installment, Radar Global Privacy Officer and Senior Counsel Alex Wall, CIPP/E, CIPP/US, CIPM, compares the Philippines’ Data Privacy Act of 2012, as supplemented by the Implementing Rules and Regulations, with the principles expressed by the GDPR.
| Philippines Personal Data Protection Act and Implementing Rules and Regulations | GDPR | |
|---|---|---|
| Purpose | To protect the fundamental human right of privacy while ensuring the free flow of information to promote innovation and growth. | To enable the free movement of personal data within the Union while protecting fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data. |
| Material Scope | The law applies to the processing of all types of personal information and to any natural person or legal entity involved in personal information processing. | Applies to the processing of personal data wholly or partly by automated means, within the scope of Union law. |
| Territorial Scope | Applies to data controllers and processors who are located in the Philippines, use equipment that is located in the Philippines or who maintain an office, branch or agency in the Philippines. Also applies to actions outside of the territory of the Philippines where the act, practice or processing relates to personal data about a Philippine citizen or resident, or where the entity carries on business in the Philippines and information is collected or held by an entity. | Applies to processing that takes place in the Union or by a processor who has an establishment in the Union within the context of activities in the Union or to processing activities that are related to the offering of goods and services to (or behavioral monitoring of) data subjects in the Union. |
| Personal Data | Personal information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information or when put together with other information would directly and certainly identify an individual. | Personal data means any information relating to an identified or identifiable natural person. |
| Sensitive Personal Data | Sensitive personal data is personal data: · About an individual’s race, ethnic origin, marital status, age, color and religious, philosophical or political affiliations; · About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings or the sentence of any court in such proceedings; · Issued by government agencies peculiar to an individual, which includes but not limited to social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and · Specifically established by an executive order or an act of Congress to be kept classified. | Special categories of data that are considered particularly sensitive are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. |
| Data Controller | Refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. | Means the natural or legal person, public authority, agency or other body, which, alone or jointly with others, determines the purposes and means of the processing of personal data. |
| Data Processors | Refers to any natural or juridical person qualified to act as such under this act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject. | Means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller. |
| Publicly Available Information | The act excludes from scope information necessary in order to carry out the functions of public authority, which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. | The processing of publicly available information may be permitted for certain archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as providing notice is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases, the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available. |
| Preventing Harm Principle | The requirement to notify affected data subjects of a breach is predicated upon an assessment of whether the unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject. | Protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. |
| Lawfulness, Fairness and Transparency | Personal data shall be processed fairly and lawfully. | Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. |
| Purpose Limitation | Personal data should be collected for specified and legitimate purposes determined and declared before or as soon as reasonably practicable after collection and later processed in a way compatible with such declared, specified and legitimate purposes only. | Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. |
| Data Minimization | Personal data shall be adequate and not excessive in relation to the purposes for which they are collected and processed. | Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. |
| Accuracy | Personal data should be accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal information, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted. | Personal data should be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, is erased or rectified without delay. Personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. |
| Storage Limitation | Personal data shall be retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes or as provided by law. | Personal data shall be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by this regulation in order to safeguard the rights and freedoms of the data subject. |
| Notice and Choice | The data subject is entitled to be informed whether personal information pertaining to him or her shall be, are being or have been processed. Before the entry of his or her personal information into the processing system of the personal information controller or at the next practical opportunity, the data subject should be informed as to the information to be entered, the purposes for which it will be processed, the scope and method of the processing, the recipients or classes of recipients to whom personal data will be disclosed, methods for automated access to the data, the identity and contact details for the data controller, and the period for which the personal data will be stored, as well as the existence of their rights (i.e., to access and correction, and to lodge a complaint before the Commission or its representative). | Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. If the data subject’s consent is given in the context of a written declaration that also concerns other matters, the request for consent shall be presented in a manner that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. The processing of publicly available information may be permitted for certain archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as providing notice is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases, the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available. |
| Integrity and Confidentiality | The controller must implement reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing. | Personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. |
| Accountability | The controller is accountable for complying with the requirements of this act and shall use contractual or other reasonable means to provide a comparable level of protection while the information is being processed by a third party. The controller shall designate an individual or individuals who are accountable for the organization’s compliance with this act. The identity of the individual(s) so designated shall be made known to any data subject upon request. | The controller shall be responsible for and be able to demonstrate compliance with the principles of the processing of personal data under the GDPR. The controller and the processor shall designate a data protection officer where processing requires regular and systematic monitoring of data subjects on a large scale or the core activities of the controller or the processor consist of processing on a large scale of special (sensitive) categories of data or personal data relating to criminal convictions and offenses. |
| Access and Correction | The data subject has the right to dispute the inaccuracy or error in the personal data and have the personal data controller correct it immediately and accordingly unless the request is vexatious or otherwise unreasonable. | The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and to access the personal data and information about the processing, including what categories of data are processed, the recipients of the data, and rights to erasure and rectification of the personal data, the right to lodge a complaint with a DPA, the source of the data, whether the data was subject to automated profiling (and if so, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject). |
| Data Portability | The data subject shall have the right, where personal information is processed by electronic means and in a structured and commonly used format, to obtain from the personal information controller a copy of data undergoing processing in an electronic or structured format, which is commonly used and allows for further use by the data subject. | The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. |
| Transfer of Personal Data to Another Person or country | The controller shall use contractual or other reasonable means to provide a comparable level of protection while the information is being processed by a third party. The Philippines data protection rules do not categorically prohibit the transfer of personal data to foreign countries. | When a controller sends data to another party to be processed, they are a processor and therefore must be bound by contract with the controller to protect the personal data. Personal data may only be transferred to third countries where the EU has considered the laws to provide adequate protection or where protected by binding corporate rules, approved model clauses, binding agreements combined with an approved code of conduct or approved certification. |
| Breach Definition | A notifiable breach occurs when sensitive personal information or any other information, whether recorded in a material form or not, that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject. | Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed. |
| Breach Notification | The National Privacy Commission and affected data subjects shall be notified by the personal information controller within 72 hours upon knowledge of or when there is a reasonable belief by that an unauthorized acquisition of sensitive personal information is likely to give rise to a real risk of serious harm to any affected data subject. A real risk of serious harm includes whether any information may, under the circumstances, be used to enable identity fraud. | The GDPR requires assessment of data incidents and prompt notification of the breach to data subjects when there is a high risk to the rights and freedoms of natural persons and, with respect to supervisory authorities, notification when the breach is likely to result in a risk to the rights and freedoms of natural persons. |
| Breach Mitigation | The National Privacy Commission may determine that notification to data subjects is not required after taking into account compliance by the personal information controller with the Privacy Act and the existence of good faith in the acquisition of personal information, or where notification is not in the public interest or in the interests of affected data subjects. | Notification to data subjects is not required if: · The controller has implemented appropriate technical and organizational protection measures, and that those measures were applied to the data affected by the personal data breach, in particular, those that render the data unintelligible to any person who is not authorized to access it, such as encryption; or · The controller has taken subsequent measures that ensure that the high risk for the rights and freedoms of data subjects is no longer likely to materialize; or · It would involve a disproportionate effort. In such case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner. |
photo credit: facts.co
