Module 11 Dpa

MODULE 11

Data Privacy Act


RA 10173, Data Privacy Act
REPUBLIC ACT NO. 10173
AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION
IN INFORMATION AND COMMUNICATIONS SYSTEMS IN THE
GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR
THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR
OTHER PURPOSES
▪ Discuss definitions
▪ Discuss the scope of application
▪ Describe the data privacy principles
▪ Illustrate proper processing of data
▪ Identify the security measures for protection of personal data
▪ Determine the rights of data subject
▪ Apply data breach notification
▪ Discuss outsourcing and subcontracting agreements
▪ Determine registration and compliance requirements
What is RA 10173?

RA 10173, or the Data Privacy Act, protects individuals from unauthorized processing of personal information that is
(1) private, not publicly available; and
(2) identifiable, where the identity of the individual is apparent either through direct attribution or when put together with other available information.
Scope and Application

▪ The Data Privacy Act is broadly applicable to individuals and legal entities that process personal information.
▪ Extraterritorial in application, applying not only to businesses with offices in the Philippines, but also when equipment based in the Philippines is used for processing.
▪ The Act further applies to the processing of the personal information of Philippine citizens regardless of where they reside.
Section 2. Declaration of Policy

1. To protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.
2. To recognize the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.
Section 3. Definition of Terms

“Commission” refers to the National Privacy Commission;

“Consent of the data subject” refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged information. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful representative or an agent specifically authorized by the data subject to do so.
“Data subject” refers to an individual whose personal, sensitive personal, or privileged information is processed;

“Data processing systems” refers to the structure and procedure by which personal data is collected and further processed in an information and communications system or relevant filing system, including the purpose and intended output of the processing;
“Data sharing” is the disclosure or transfer to a third party of personal data under the custody of a personal information controller or personal information processor. In the case of the latter, such disclosure or transfer must have been upon the instructions of the personal information controller concerned. The term excludes outsourcing, or the disclosure or transfer of personal data by a personal information controller to a personal information processor;

“Direct marketing” refers to communication by whatever means of any advertising or marketing material which is directed to particular individuals;
“Filing system” refers to any set of information relating to natural or juridical persons to the extent that, although the information is not processed by equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible;
“Information and communications system” refers to a system for generating, sending, receiving, storing, or otherwise processing electronic data messages or electronic documents, and includes the computer system or other similar device by which data is recorded, transmitted, or stored, and any procedure related to the recording, transmission, or storage of electronic data, electronic message, or electronic document;
“Personal information” refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual;
“Personal information processor” refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject;
“Processing” refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system;
“Personal data” refers to all types of personal information;

“Personal data breach” refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed;
“Profiling” refers to any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;
“Privileged information” refers to any and all forms of data, which, under the Rules of Court and other pertinent laws constitute privileged communication;

“Public authority” refers to any government entity created by the Constitution or law, and vested with law enforcement or regulatory authority and functions;

“Security incident” is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity and confidentiality of personal data. It includes incidents that would result in a personal data breach, if not for safeguards that have been put in place;
Sensitive personal information refers to personal information:
1. About an individual’s race, ethnic origin, marital status, age, color,
and religious, philosophical or political affiliations;
2. About an individual’s health, education, genetic or sexual life of a
person, or to any proceeding for any offense committed or alleged to
have been committed by such individual, the disposal of such
proceedings, or the sentence of any court in such proceedings;
3. Issued by government agencies peculiar to an individual which
includes, but is not limited to, social security numbers, previous or
current health records, licenses or its denials, suspension or
revocation, and tax returns; and
4. Specifically established by an executive order or an act of Congress
to be kept classified.
Section 4. Scope

This Act applies to the
▪ processing of all types of personal information and
▪ to any natural and juridical person involved in personal information processing,
including those
▪ personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines.
Section 4. Scope, IRR Data Privacy Act
Section 4. Scope. The Act and these Rules apply to the processing of
personal data by any natural and juridical person in the government or
private sector. They apply to an act done or practice engaged in and
outside of the Philippines if:
a. The natural or juridical person involved in the processing of
personal data is found or established in the Philippines;
b. the act, practice or processing relates to personal data about a
Philippine citizen or Philippine resident;
c. The processing of personal data is being done in the Philippines; or
d. The act, practice or processing of personal data is done or engaged
in by an entity with links to the Philippines, with due consideration to
international law and comity.
Section 7. Protection Afforded to Journalists and their Sources, IRR, Data Privacy Act

▪ Publishers, editors, or duly accredited reporters of any newspaper, magazine or periodical of general circulation shall not be compelled to reveal the source of any news report or information appearing in said publication if it was related in any confidence to such publisher, editor, or reporter.
▪ Publishers, editors, or duly accredited reporters who are likewise personal information controllers or personal information processors within the meaning of the law are still bound to follow the Data Privacy Act and related issuances with regard to the processing of personal data, upholding rights of their data subjects and maintaining compliance with other provisions that are not incompatible with the protection provided by Republic Act No. 53.
National Privacy Commission

Functions
1. Rule Making
2. Advisory
3. Public Education
4. Compliance and Monitoring
5. Complaints and Investigations
6. Enforcement
7. Other functions
Section 8. Confidentiality. – The Commission shall ensure at all times the confidentiality of any personal information that comes to its knowledge and possession.
Section 9. Organizational Structure of the Commission

The Commission shall be attached to the Department of Information and Communications Technology (DICT) and shall be:
▪ headed by a Privacy Commissioner, who shall also act as Chairman of the Commission.
▪ The Privacy Commissioner shall be assisted by two (2) Deputy Privacy Commissioners, one to be responsible for Data Processing Systems and one to be responsible for Policies and Planning.
▪ The Privacy Commissioner and the two (2) Deputy Privacy Commissioners shall be appointed by the President of the Philippines for a term of three (3) years, and may be reappointed for another term of three (3) years. Vacancies in the Commission shall be filled in the same manner in which the original appointment was made.
Qualifications

The Privacy Commissioner must be:
▪ at least thirty-five (35) years of age,
▪ of good moral character,
▪ unquestionable integrity and known probity, and
▪ a recognized expert in the field of information technology and data privacy.

The Privacy Commissioner shall enjoy the benefits, privileges and emoluments equivalent to the rank of Secretary.

The Deputy Privacy Commissioners must be:
▪ recognized experts in the field of information and communications technology and data privacy.

They shall enjoy the benefits, privileges and emoluments equivalent to the rank of Undersecretary.
Effect of Lawful Performance of Duty

The Privacy Commissioner, the Deputy Commissioners, or any person acting on their behalf or under their direction,
▪ shall not be civilly liable for acts done in good faith in the performance of their duties.
▪ He or she shall be liable for willful or negligent acts.
▪ Provided, That in case a lawsuit is filed against such official on the subject of the performance of his or her duties, where such performance is lawful, he or she shall be reimbursed by the Commission for reasonable costs of litigation.
Section 10. The Secretariat.
Majority of the members of the Secretariat must have served for at least five (5)
years in any agency of the government that is involved in the processing of personal
information including, but not limited to, the following offices:
1. Social Security System (SSS),
2. Government Service Insurance System (GSIS),
3. Land Transportation Office (LTO),
4. Bureau of Internal Revenue (BIR),
5. Philippine Health Insurance Corporation (PhilHealth),
6. Commission on Elections (COMELEC),
7. Department of Foreign Affairs (DFA),
8. Department of Justice (DOJ), and
9. Philippine Postal Corporation (Philpost).
CHAPTER III
PROCESSING OF PERSONAL
INFORMATION
General Data Privacy Principles

The processing of personal data shall be allowed, subject to compliance with the requirements of the Act and other laws allowing disclosure of information to the public, and adherence to the principles of
▪ transparency,
▪ legitimate purpose, and
▪ proportionality.
IRR Rule IV. Data Privacy Principles, Section 17.

Transparency

The data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including
▪ the risks and safeguards involved,
▪ the identity of the personal information controller,
▪ his or her rights as a data subject, and
▪ how these can be exercised.
Legitimate purpose

▪ The processing of information shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.

Proportionality

▪ The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose.
▪ Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
GENERAL PRINCIPLES IN COLLECTION,
PROCESSING AND RETENTION
a. Collection must be for a declared, specified, and legitimate purpose.
1. Consent is required prior to the collection and processing of personal data,
subject to exemptions provided by the Act and other applicable laws and
regulations. Consent given may be withdrawn.
2. The data subject must be provided specific information regarding the purpose
and extent of processing.
3. Purpose should be determined and declared before, or as soon as reasonably
practicable, after collection.
4. Only personal data that is necessary and compatible with declared, specified,
and legitimate purpose shall be collected.
b. Personal data shall be processed fairly and lawfully.
1. Processing shall uphold the rights of the data subject, including the right to
refuse, withdraw consent, or object.
2. Information provided to a data subject must always be in clear and plain
language.
3. Processing must be in a manner compatible with declared, specified, and
legitimate purpose.
4. Processed personal data should be adequate, relevant, and limited to what is
necessary in relation to the purposes for which they are processed.
5. Processing shall be undertaken in a manner that ensures appropriate privacy
and security safeguards.
c. Processing should ensure data quality.
1. Personal data should be accurate and where necessary for
declared, specified and legitimate purpose, kept up to date.
2. Inaccurate or incomplete data must be rectified,
supplemented, destroyed or their further processing
restricted.
d. Personal Data shall not be retained longer than
necessary.
1. Retention of personal data shall only be for as long as necessary.
2. Retention of personal data shall be allowed in cases
provided by law.
3. Personal data shall be disposed or discarded in a secure
manner.
e. Any authorized further processing shall have adequate
safeguards.
1. Personal data originally collected for a declared, specified,
or legitimate purpose may be processed further for historical,
statistical, or scientific purposes, and, may be stored for longer
periods, subject to implementation of the appropriate
organizational, physical, and technical security measures.
2. Personal data which is aggregated or kept in a form which
does not permit identification of data subjects may be kept
longer than necessary for the declared, specified, and
legitimate purpose.
3. Personal data shall not be retained in perpetuity in
contemplation of a possible future use yet to be determined.
CRITERIA FOR LAWFUL PROCESSING OF PERSONAL INFORMATION
▪ The data subject has given his or her consent;
▪ The processing of personal information is necessary and is related to the fulfillment of a contract;
▪ The processing is necessary for compliance with a legal obligation;
▪ The processing is necessary to protect vitally important interests of the data subject, including life and health;
▪ The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority;
▪ The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed.
RIGHTS OF THE DATA SUBJECT

1. Right to be informed
2. Right to object
3. Right to Access
4. Right to rectification
5. Right to Erasure or Blocking
6. Right to damages
Transmissibility of Rights of the Data Subject
▪ The lawful heirs and assigns of the data subject may invoke the rights of the data subject for which he or she is an heir or assignee at any time after the death of the data subject,
or
▪ when the data subject is incapacitated or incapable of exercising the rights as enumerated in the immediately preceding section.
Section 18. Right to Data Portability

▪ The data subject shall have the right, where personal information is processed by electronic means and in a structured and commonly used format, to obtain from the personal information controller a copy of data undergoing processing in an electronic or structured format, which is commonly used and allows for further use by the data subject.
ACCOUNTABILITY FOR TRANSFER OF PERSONAL INFORMATION

Section 21. Principle of Accountability. – Each personal information controller is responsible for personal information under its control or custody, including information that have been transferred to a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation.

▪ A personal information controller shall be accountable for complying with the requirements of the Act, these Rules, and other issuances of the Commission. It shall use contractual or other reasonable means to provide a comparable level of protection to the personal data while it is being processed by a personal information processor or third party.
▪ A personal information controller shall designate an individual or individuals who are accountable for its compliance with the Act. The identity of the individual or individuals so designated shall be made known to a data subject upon request.
SECURITY OF SENSITIVE PERSONAL INFORMATION IN GOVERNMENT

Section 22. Responsibility of Heads of Agencies. – All sensitive personal information maintained by the government, its agencies and instrumentalities shall be secured, as far as practicable, with the use of the most appropriate standard recognized by the information and communications technology industry, and as recommended by the Commission.

The head of each government agency or instrumentality shall be responsible for complying with the security requirements mentioned herein while the Commission shall monitor the compliance and may recommend the necessary action in order to satisfy the minimum standards.
Section 23. Requirements Relating to Access by Agency Personnel to
Sensitive Personal Information. –
(a) On-site and Online Access –
No employee of the government shall have access to sensitive personal
information on government property or through online facilities unless
the employee has received a security clearance from the head of the
source agency.
(b) Off-site Access –
Sensitive personal information maintained by an agency may not be
transported or accessed from a location off government property unless a
request for such transportation or access is submitted and approved by
the head of the agency.
Rule IX. Data Breach Notification, IRR

Section 38. Data Breach Notification.

a. The Commission and affected data subjects shall be notified by the personal information controller within seventy-two (72) hours upon knowledge of, or when there is reasonable belief by the personal information controller or personal information processor that, a personal data breach requiring notification has occurred.
xxx

b. Notification of personal data breach shall be required when sensitive personal information or any other information that may, under the circumstances, be used to enable identity fraud
▪ are reasonably believed to have been acquired by an unauthorized person, and
▪ the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.
c. Depending on the nature of the incident, or if there is delay or failure to notify, the Commission may investigate the circumstances surrounding the personal data breach. Investigations may include on-site examination of systems and procedures.
Section 39. Contents of Notification.

The notification shall at least describe the
▪ nature of the breach,
▪ the personal data possibly involved, and
▪ the measures taken by the entity to address the breach.
The notification shall also include measures taken to reduce the harm or negative consequences of the breach, the representatives of the personal information controller, including their contact details, from whom the data subject can obtain additional information about the breach, and any assistance to be provided to the affected data subjects.
Section 40. Delay of Notification.

Notification may be delayed only to the extent necessary
▪ to determine the scope of the breach,
▪ to prevent further disclosures, or
▪ to restore reasonable integrity to the information and communications system.
Section 41. Breach Report.

a. The personal information controller shall notify the Commission by submitting a report, whether written or electronic, containing the required contents of notification. The report shall also include the name of a designated representative of the personal information controller, and his or her contact details.
b. All security incidents and personal data breaches shall be documented through written reports, including those not covered by the notification requirements. In the case of personal data breaches, a report shall include the facts surrounding an incident, the effects of such incident, and the remedial actions taken by the personal information controller.
▪ In other security incidents not involving personal data, a report containing aggregated data shall constitute sufficient documentation. These reports shall be made available when requested by the Commission. A general summary of the reports shall be submitted to the Commission annually.
Rule X. Outsourcing and Subcontracting Agreements, IRR

Section 43. Subcontract of Personal Data.
▪ A personal information controller may subcontract or outsource the processing of personal data: Provided, that the personal information controller shall use contractual or other reasonable means to ensure that proper safeguards are in place, to ensure the confidentiality, integrity and availability of the personal data processed, prevent its use for unauthorized purposes, and generally, comply with the requirements of the Act, these Rules, other applicable laws for processing of personal data, and other issuances of the Commission.
Section 44. Agreements for Outsourcing.
▪ Processing by a personal information processor shall be governed by a contract or other legal act that binds the personal information processor to the personal information controller.
Rule XI. Registration and Compliance Requirements, IRR

Section 46. Enforcement of the Data Privacy Act. Pursuant to the mandate of the Commission to administer and implement the Act, and to ensure the compliance of personal information controllers with its obligations under the law, the Commission requires the following:
a. Registration of personal data processing systems operating in the country that involves accessing or requiring sensitive personal information of at least one thousand (1,000) individuals, including the personal data processing system of contractors, and their personnel, entering into contracts with government agencies;
b. Notification of automated processing operations where the processing becomes the sole basis of making decisions that would significantly affect the data subject;
c. Annual report of the summary of documented security incidents and personal data breaches;
d. Compliance with other requirements that may be provided in other issuances of the Commission.
Section 47. Registration of Personal Data Processing Systems, IRR
▪ The personal information controller or personal information processor that employs fewer than two hundred fifty (250) persons shall not be required to register unless the processing it carries out is likely
▪ to pose a risk to the rights and freedoms of data subjects,
▪ the processing is not occasional, or
▪ the processing includes sensitive personal information of at least one thousand (1,000) individuals.
Penalties

Unauthorized Processing of Personal Information and Sensitive Personal Information.
a. A penalty of imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who process personal information without the consent of the data subject, or without being authorized under the Act or any existing law.
b. A penalty of imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00) shall be imposed on persons who process sensitive personal information without the consent of the data subject, or without being authorized under the Act or any existing law.
Accessing Personal Information and Sensitive Personal Information Due to Negligence.
a. A penalty of imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who, due to negligence, provided access to personal information without being authorized under the Act or any existing law.
b. A penalty of imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00) shall be imposed on persons who, due to negligence, provided access to sensitive personal information without being authorized under the Act or any existing law.
Improper Disposal of Personal Information and Sensitive Personal Information.
a. A penalty of imprisonment ranging from six (6) months to two (2) years
and a fine of not less than One hundred thousand pesos (Php100,000.00) but not
more than Five hundred thousand pesos (Php500,000.00) shall be imposed on
persons who knowingly or negligently dispose, discard, or abandon the personal
information of an individual in an area accessible to the public or has otherwise
placed the personal information of an individual in its container for trash
collection.
b. A penalty of imprisonment ranging from one (1) year to three (3) years
and a fine of not less than One hundred thousand pesos (Php100,000.00) but not
more than One million pesos (Php1,000,000.00) shall be imposed on persons who
knowingly or negligently dispose, discard or abandon the sensitive personal
information of an individual in an area accessible to the public or has otherwise
placed the sensitive personal information of an individual in its container for
trash collection.
Processing of Personal Information and Sensitive Personal Information for
Unauthorized Purposes.
a. A penalty of imprisonment ranging from one (1) year and six (6) months to
five (5) years and a fine of not less than Five hundred thousand pesos
(Php500,000.00) but not more than One million pesos (Php1,000,000.00)
shall be imposed on persons processing personal information for purposes not
authorized by the data subject, or otherwise authorized under the Act or
under existing laws.
b. A penalty of imprisonment ranging from two (2) years to seven (7) years
and a fine of not less than Five hundred thousand pesos (Php500,000.00) but
not more than Two million pesos (Php2,000,000.00) shall be imposed on
persons processing sensitive personal information for purposes not
authorized by the data subject, or otherwise authorized under the Act or
under existing laws.
Unauthorized Access or Intentional Breach.
A penalty of imprisonment ranging from one (1) year to three (3)
years and a fine of not less than Five hundred thousand pesos
(Php500,000.00) but not more than Two million pesos
(Php2,000,000.00) shall be imposed on persons who knowingly and
unlawfully, or violating data confidentiality and security data
systems, break in any way into any system where personal and
sensitive personal information are stored.
Concealment of Security Breaches Involving Sensitive Personal Information.
A penalty of imprisonment ranging from one (1) year and six (6) months to
five (5) years and a fine of not less than Five hundred thousand pesos
(Php500,000.00) but not more than One million pesos (Php1,000,000.00)
shall be imposed on persons who, after having knowledge of a security
breach and of the obligation to notify the Commission pursuant to Section
20(f) of the Act, intentionally or by omission conceals the fact of such
security breach.
Malicious Disclosure.
Any personal information controller or personal information processor, or any
of its officials, employees or agents, who, with malice or in bad faith,
discloses unwarranted or false information relative to any personal
information or sensitive personal information obtained by him or her, shall be
subject to imprisonment ranging from one (1) year and six (6) months to five
(5) years and a fine of not less than Five hundred thousand pesos
(Php500,000.00) but not more than One million pesos (Php1,000,000.00).
Unauthorized Disclosure.
a. Any personal information controller or personal information processor,
or any of its officials, employees, or agents, who discloses to a third party
personal information not covered by the immediately preceding section without
the consent of the data subject, shall be subject to imprisonment ranging from
one (1) year to three (3) years and a fine of not less than Five hundred thousand
pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00).
b. Any personal information controller or personal information processor,
or any of its officials, employees or agents, who discloses to a third party
sensitive personal information not covered by the immediately preceding section
without the consent of the data subject, shall be subject to imprisonment
ranging from three (3) years to five (5) years and a fine of not less than Five
hundred thousand pesos (Php500,000.00) but not more than Two million pesos
(Php2,000,000.00).
Combination or Series of Acts.
Any combination or series of acts shall make the person subject
to imprisonment ranging from three (3) years to six (6) years and
a fine of not less than One million pesos (Php1,000,000.00) but
not more than Five million pesos (Php5,000,000.00).
Extent of Liability.
▪ If the offender is a corporation, partnership or any juridical person, the
penalty shall be imposed upon the responsible officers, as the case may be,
who participated in, or by their gross negligence, allowed the commission of
the crime. Where applicable, the court may also suspend or revoke any of its
rights under this Act.
▪ If the offender is an alien, he or she shall, in addition to the penalties herein
prescribed, be deported without further proceedings after serving the
penalties prescribed.
▪ If the offender is a public official or employee and he or she is found guilty of
acts penalized under Sections 54 and 55 of these Rules, he or she shall, in
addition to the penalties prescribed herein, suffer perpetual or temporary
absolute disqualification from office, as the case may be.
Large-Scale.
The maximum penalty in the corresponding scale of penalties
provided for the preceding offenses shall be imposed when the
personal data of at least one hundred (100) persons are harmed,
affected, or involved, as the result of any of the above-mentioned
offenses.
END