Professional Documents
Culture Documents
legislation to protect the fundamental human right of every individual to privacy while ensuring
free flow of information to promote innovation, growth and national development. National
Privacy Commission is created to administer and implement the provisions of this Act, and to
monitor and ensure compliance of the country with international standards set for data
protection. On September 9, 2016, the Implementing Rules and Regulations was put in effect
thus mandating all companies to comply.
For processing of personal information be considered as lawful, consent from data subject is
required, subject to the exceptions provided by the Act and other applicable laws. Consent is
given when the data subject agrees to the collection and processing of his or her personal,
sensitive personal or privileged information. Consent must be freely given, specific and with
informed indication of will. Consent shall be evidenced by written, electronic or recorded means.
The processing of sensitive personal and privileged information is prohibited, except in the
cases stated in the Act.
All collected and processed data shall be held under strict confidentiality and shall be used only
for the declared purpose.
The rights shall not be applicable if the processed personal data are used only for the needs of
scientific and statistical research and, on the basis of such, no activities are carried out and no
decisions are taken regarding the data subject. The rights are also not applicable to the
processing of personal data gathered for the purpose of investigations in relation to any
criminal, administrative or tax liabilities of a data subject.
Notification may be delayed only to the extent necessary to determine the scope of the breach,
to prevent further disclosures, or to restore reasonable integrity to the information and
communications system.
Penalties
Any natural or juridical person, or other body involved in the processing of personal data, who
fails to comply with the Act, the Implementing Rules and Reguations, and other issuances of the
Commission, shall be liable for such violation, and shall be subject to its corresponding
sanction, penalty, or fine, without prejudice to any civil or criminal liability, as may be applicable.
The maximum penalty in the corresponding scale of penalties provided for the preceding
offenses shall be imposed when the personal data of at least one hundred (100) persons are
harmed, affected, or involved, as the result of any of the above-mentioned offenses