
FAQs About Republic Act No. 10173 (Data Privacy Act of 2012)

We are currently living in an era where data and information are considered to be our most valuable resources. Not only that, they are also known to be the most powerful tool that can be used against us or against others. Think about it – anyone who has the right piece of information could potentially bring down private corporations, government agencies, and people in power. 

What’s scary about all this is the fact that people’s abilities to acquire data and information get better and better as time passes and technology advances. As a way to counteract this fast progress, countries implement laws that try to prevent the mishandling of data. Among those who have done so are the UK, South Korea, USA, Canada, Norway, Germany, Japan, and, of course, the Philippines.

It may have taken us a long time, but we have finally reached the point where we no longer have to fear the loss or leakage of data, or at least not as much as before. The threat is still there – and we should accept that it always will be – but there are now measures to reduce it and penalties for those who attempt such unlawful actions.

All this is made possible through the issuance of Republic Act No. 10173 (Data Privacy Act of 2012). There’s a lot that needs to be known about this specific act, which is why we’ve made this extensive FAQ article. Through this, we hope to educate people about this important addition to our country’s legislation for each of our sakes!

In 2012, the State finally recognized its crucial role in data protection and its obligation to ensure that information – whether in the public or private sector – is kept secure, and therefore passed Republic Act No. 10173 in the Philippine Congress. RA 10173, or the Data Privacy Act (DPA) of 2012, was then made into a law four years later in 2016.

According to official records, the DPA aims to “protect the fundamental human right of privacy, of communication while ensuring the free flow of information to promote innovation and growth” (Republic Act. No. 10173, Ch. 1, Sec. 2). Simply put, the act aims to ensure that information flow – an aspect necessary for the growth of individuals, institutions, and countries – continues to happen while assuring parties involved that their rights to privacy are still secured.

Through the implementation of DPA, the State is hoping to protect specific forms of information and prevent their unauthorized use and processing that may or may not be detrimental to an individual.

RA 10173 also established the National Privacy Commission (NPC) – a separate body assigned to oversee the implementation and administer the provisions of the DPA. Although autonomous, the NPC is attached to the fairly new – created in 2016 – Department of Information and Communications Technology. The NPC has many functions, including:
  • Ensure and monitor compliance with the different provisions of the DPA
  • Receive, process, and resolve complaints, as well as initiate investigations, which gives it access to the personal information that is the subject of a complaint
  • Stop personal information processing operations through the issuance of cease and desist orders or through imposing temporary or permanent bans
  • Compel any and all entities to abide by its rules and orders and take appropriate actions in matters concerning data privacy
  • Propose additions or modifications to Philippine Law on data privacy and protection
  • Publish guides on a regular basis to make people aware and help them comprehend the different laws related to data protection
  • Recommend penalties to the Department of Justice (DOJ)
  • Assist private and public entities on matters regarding data privacy and protection
  • Facilitate cross-border negotiations and enforcement of privacy laws

Before we can answer more questions about the DPA, we first need to define a few terms that we are going to use throughout the rest of this article. All of these terms and definitions come from the actual RA but are simplified for easy understanding:

Data Subject

Any individual – whether a person or an entity – whose information is being or has been processed is considered a data subject.

Consent

Consent, or the lack of it, is what separates allowable acts from punishable ones, which is why it is important to define the term for the understanding of the DPA. In legal terms, consent refers to a data subject’s indication of will or agreement to the collection and processing of personal information relating to them. Evidence of consent must be presented in one of three forms – recorded, written, or electronic. In cases where the data subject is not able to give consent – for example, because of injury – it may be given by an agent who is authorized to do so.

Personal Information Controller (PIC)

As the name suggests, a personal information controller is someone or something – an organization, company, institution, or legal entity – that participates in the collecting, using, processing, and holding of personal information. Those who instruct separate bodies to perform such acts on their behalf are also included in this definition.

Excluded, however, are individuals who act only on the instructions of a separate organization and do not work for it. For example, if a company orders or coerces someone to collect data for the company’s benefit, the company is considered a PIC, but the person who does the collecting is not, since they gain nothing from the act.

Individuals who process personal information in connection with personal or family affairs are also exempted. A mother who collects personal information on her spouse for a visa application, for instance, is not a PIC.

Personal Information Processor (PIP)

Personal information processors are those that are, under the DPA, qualified to perform personal information processing functions – by law, they are professionals. They may be employed by personal information controllers in order to legally process data related to the data subject.

Data Processing

Processing is a very broad term that may refer to any action or set of actions performed upon personal information. Some of the most basic ones include the recording, organization, storage, collection, modification, retrieval, destruction, and use of personal information. Keep in mind that the term is not limited to these actions and may extend to others that the NPC deems appropriate.

As mentioned earlier, the law only protects specific forms of data and information and they are the following:

Personal Information

Personal information is any piece of information – written, recorded, or otherwise – that may make an individual’s identity apparent or discernible to the party that is holding the information. It may be a direct link or something that, when pieced together with other information, would correctly identify an individual.

Simply put, anything that can be used to make you readily identifiable is considered personal information; prime examples include name, age, address, phone number, and sex.

Sensitive Personal Information

The only difference between personal information and sensitive personal information is that the latter has been kept classified by an executive order or through the powers of Congress.

Privileged Information

Privileged information consists of pieces of information that an individual cannot, in the eyes of the law, be made to disclose or discover. Strictly speaking, it is confidential. A good example is information shared between lawyers and their clients, which is protected by attorney-client privilege.

While the DPA aims to protect all individuals, its provisions only apply to a select few, namely the individuals and legal entities involved in the processing and controlling of personal information. What this means is that they are the only ones required to comply with the rules and provisions stated in the law.

Businesses in the Philippines are legal entities, and they are covered because they are based in the country and equipped for information processing. Foreign entities that process the personal information of Filipino citizens are also included, regardless of where they operate.

Businesses that operate in the Philippines but lawfully process and collect the personal information of residents of foreign jurisdictions are the only exemption under the DPA.

The implementation of the DPA entails three things:

Firstly, processing of personal information must only be done for specified and legitimate reasons. Data subjects must be aware of what these reasons are and must willfully agree or consent to every action to be performed upon their data. In addition, no kind of data processing may be done without the prior consent of the data subject.

Secondly, handling of said personal information must be done properly. Aside from only being used for the intended purpose, they must also be appropriately disposed of once there is no more reasonable need for them.

Third and lastly, the processing, handling, and disposal of personal information must be done in such a way that unauthorized third parties are not able to gain access to it.

These three are the main obligations of PICs, PIPs, and any other entity involved in the practice of data processing.

Every living individual can become a data subject, which is why it is important to know what rights they have under the DPA. These rights may be enforced against entities that perform data processing, such as personal information controllers and processors. Once invoked or enforced by the data subject, these entities are bound by law to respect and observe them. These rights, according to the NPC, are:

The Right to Information

As said previously, you are entitled to all information related to the processing of your personal information. Organizations must tell you things such as the identity of the processor or controller, the type of data they want, the reason behind their data processing or collection, the specific actions to be performed upon your information, the recipients (if any), where it will be stored, and how long they plan to keep it. You can also ask other questions, and they are legally required to answer them as long as the questions pertain only to your own personal data.

The Right to Refuse

After receiving information regarding the data processing, you then have the right to refuse or withhold your consent. There are also cases when the information previously given to you needs to be changed. These changes must be relayed to you, the data subject. You will then have the option to accept or object to them.

Once you withhold consent, PIPs and PICs are prohibited from collecting or using your personal information or data unless, of course, this is required by a legal obligation or is pursuant to a subpoena.

The Right to Access Upon Demand

As a data subject, you also have the right to know whether or not organizations, companies, or third parties possess any kind of data or information about you. Upon your demand, they must be able to tell you what these pieces of information are, as well as explain why they have them. Moreover, they must be able to give you this in a way that is easy to access and in language that is easy to understand, meaning no jargon or legal terms.

If you want, you may also demand access to details such as how and when they obtained your data, what they have done with it, who was responsible for the act, and so on.

The Right to Dispute Inaccuracies

Any inaccuracies or errors in your data can and must be corrected upon your request. Immediate and accurate action must be taken by PICs and PIPs to fulfill this unless your request is deemed unreasonable. Once corrections have been made, you should be notified of the changes and given access to both the new and the retracted information. Additionally, should you request it, they are required to inform third-party recipients of the change.

The Right to Order Disposal

Withdrawal, suspension, removal, destruction, and disposal of personal information are also part of data processing, and you have the right to each and every one of them, provided that you have found evidence that your information is or was:
  • Outdated, false, and/or incomplete
  • Illegally or unlawfully obtained and processed
  • Used without your authorization
  • Used for purposes not divulged to you
  • Detrimental to you (unless authorized by a court of law)
Additionally, you may withdraw your personal information if you find out the PIC or PIP has, in any way, violated your rights and freedoms as a subject.

The Right to Compensation for Damages

In the event that you suffer damages due to the unlawful and unauthorized collection and use of your data, or due to your data being inaccurate, false, outdated, or incomplete, you have the right to demand compensation from the PIC or PIP that caused the damage.

However, do take note that the NPC does not have the power to deal with compensation claims – this is between the PIC or PIP and data subject.

The Right to File Complaints

The NPC may not be able to ensure that you receive proper compensation, but it does have the power to penalize parties that misuse and mishandle your personal information and violate DPA provisions. If you feel that this has been done to you, all you have to do is file a complaint and the NPC will take care of the rest.

The Right to Transmissibility

Lawful and assigned heirs have the right to invoke the right of the data subject in the event of death or inability to exercise his/her own rights.

The Right to Portability

The right to portability is given to data subjects to assure them that they remain in full control of their own personal data. In essence, data portability allows you to securely obtain, move, transfer, and manage your data however you see fit. With this, the flow of personal information across different channels – for example, the internet – is kept safe and continuous.

The rights to transmissibility and portability are revoked if and when the processed data is intended to be used for scientific and statistical research. There is also no assurance of privacy, confidentiality, or limitation to the declared purpose. These rights also do not apply when personal information is going to be, or is being, processed for investigations relating to administrative, tax, or criminal liabilities. In order to achieve the goals of the research or investigation, any and all rights a data subject has are kept to a minimum.

In short, any information you may have given for the sake of scientific and/or statistical research, or that was obtained for the sake of juridical investigations, is basically open to all unless otherwise stated.

Consent is a huge part of data processing, but it is not always a necessity. There are instances when consent does not have to be given, or simply cannot be given by the data subject, yet the processing is still considered legal under the DPA. Such instances are enumerated in the following sections.

The three information types defined earlier are treated differently. Personal information is available for data processing, given that the personal information processor has complied with the requirements of the DPA. On the other hand, processing of the other two types – sensitive personal information and privileged information – is generally prohibited and only allowed in specific cases.

Note also that information which was made accessible to the public prior to the enactment of the act is not under any kind of protection and continues to stay public.

As you already know, the DPA prohibits the processing of sensitive personal information and privileged information unless:

  • Consent to the act has been given by the data subject, in which case processing must be limited to what the data subject has been told.
  • It is a matter of life and death for the data subject or other individuals yet the data subject is incapable of giving consent and no lawful or assigned heirs are present.
  • It is needed for the achievement of lawful and non-commercial objectives of government branches, public organizations, and other associations.
  • It is necessary for medical treatment. In such cases, processing must be done by medical practitioners or institutions, and they should still be able to provide adequate levels of protection.
  • Processing is needed to protect lawful rights and persons of interest in court and legal proceedings.

Data processing is permitted and considered lawful if and when it meets at least one of the following criteria:
  • The data subject or his/her authorized heirs have given consent.
  • The data subject has entered into a contract with third parties and processing is necessary to fulfill such a contract.
  • Legal obligations necessitate the processing of information.
  • Vital interests of the data subject are on the line – cases of life or death.
  • It is necessary to perform public, statutory, and governmental functions such as administering order and responding to a national emergency – commonly applies to those in positions of power.
  • Processing is done in pursuit of the legitimate interests of the business, or of a third party to whom the personal information has been disclosed.
As you can see, meeting just one of these six conditions is enough for data processing to be considered lawful. What this means is – as we mentioned before – consent is not always necessary before data processing can be done.

Any type of data processing that violates the rights of a data subject can and will be penalized by the NPC. Such acts include:
  • Processing without consent or authorization
  • Giving others access to personal information without authorization – mostly due to negligence
  • Negligent disposal or abandonment of personal information leading to public access and availability
  • Use of personal information for purposes that are different from what was told to the subject or that are unauthorized by the DPA
  • Intentionally and knowingly gaining unauthorized access to systems holding personal information (also called intentional breach)
  • Failure to notify the NPC of or intentionally concealing security breaches
  • Disclosing processed information to separate parties with malice or in bad faith
  • Disclosing information to third parties without consent or knowledge of the data subject
  • Any combination of the acts above.

Heavy fines and determinate prison sentences await those who break the DPA or commit any of the acts listed in the previous section. Fines do not drop below ₱100,000 and never exceed ₱5,000,000. As for prison sentences, they range from six months to six years. Naturally, the penalty depends on the gravity of the crime or act.

If, however, at least 100 people were harmed or affected by any of the mentioned actions, the maximum penalty is given to the offender. In this case, that is a ₱5,000,000 fine on top of six years of prison time. Special penalties are also given to public officers in the form of disqualification from public office for a term that is double the jail time imposed. For example, a public official who was sentenced to a year of imprisonment is not allowed to run for or enter a public office for 2 terms.

For starters, businesses and companies that have at least 250 employees, or that have access to personal information relating to at least 1,000 unique individuals, are required to register their operations with the NPC. After that, they must abide by five rules, which are:

Assign a Data Protection Officer (DPO)

Every company must have at least one Data Protection Officer (DPO) in its ranks. Knowledge of the DPA, data security, and data processing activities is necessary for a DPO, because their primary role is to monitor and ensure that their company stays in compliance with the law. They should also be able to work independently and should be well equipped to perform functions such as privacy impact assessments, security incident management, and stakeholder relationship maintenance – the NPC included.

Regularly Conduct Privacy Impact Assessments

A privacy impact assessment is undertaken in order to evaluate the impact of programs, projects, systems, products, devices, processes, and measures on data privacy. Through this assessment – often headed or overseen by the DPO – companies can ascertain whether the data in their possession is protected, whether data flow is unrestricted, and whether there are risks to privacy and security.

Put simply, a privacy impact assessment helps organizations come up with and implement the latest and best data privacy practices, lessening the risk of violations and breaches for the sake of their business and their clients.

Create a Privacy Management Program

Top management and DPOs are not the only ones responsible for ensuring data privacy. Every single person in the company or organization is required to adhere to these laws, especially if they are considered PICs or PIPs, meaning they collect and process data on a daily basis.

As such, it is a must for organizations to create a privacy management program or framework that can guide every employee on how to handle personal information and data. The goal of this program is to align everyone within the organization and ensure that each individual is operating in compliance with the DPA.

Implement Privacy and Data Protection Policies

It is not enough to inform your employees about the provisions of the DPA and the punishments that await those who go against them. Theoretical knowledge alone will not save you from data breaches and leaks. You, as an organization separate from the NPC, must create and implement your own privacy and data protection policies that your employees must follow.

These policies and measures that you come up with must also be reviewed and revised whenever necessary. Employee training must also be conducted on a regular basis to further ensure compliance.

Generate a Breach Reporting Procedure

Aside from policies for compliance, you should also lay out a procedure that you and your employees must follow in the discovery or suspicion of a security incident or data breach. Similar to risk management procedures, you should conduct an investigation of the data breach, assess and mitigate its impact, and finally, notify data subjects and the NPC.

All of these must be done within 72 hours of the discovery of the breach, most especially the notification of all the parties involved.

In order to protect yourself from the liabilities caused by violation of the Data Privacy Act, the best thing you can do is comply with the provisions set out by the National Privacy Commission. You can do this independently or with the help of third-party organizations who are experts in the subject of data processing and data security.

We have not mentioned it yet, but you can outsource your DPO from organizations that are authorized to provide one. That way, you will not have to choose someone from your own ranks who is likely to be far less knowledgeable about the Data Privacy Act. Additionally, they will be able to help you conduct privacy impact assessments, create a privacy management program, write up privacy and data protection policies – implementation is, of course, up to you – and generate breach reporting procedures.

Admittedly, understanding the Data Privacy Act is a daunting task, not only because it is relatively new but also because there are a lot of complexities within it – as with any law. So, in order to lighten your load, why not work hand in hand with expert organizations that can guarantee your compliance and protect you from liability under these laws?

If you are looking for the best of the best in the Philippines with regard to such matters, then you will not have to look far, because Data Protect PH is the one. Want your company protected from any liabilities under the Data Privacy Act? Contact us today!