Compliance Requisites under the Data Privacy Act for Foreign Entities

I. Extra-territorial Application of the DPA

The Data Privacy Act (hereinafter, DPA or Act) and its Implementing Rules (hereinafter, IRR) apply to both natural and juridical persons who are involved in the collection, recording, organization, storage, updating, consultation, erasure, or destruction of personal information. The DPA is applicable even if the processing is conducted abroad, so long as it relates to personal information of Philippine citizens or residents. For instance, dating websites which handle personal information of Filipino citizens or residents are therefore covered by the Act. Match.com, which is established in Texas and operated beyond the Philippines’ territorial jurisdiction, would be covered by the Act with respect to Philippine citizens’ or residents’ personal information—hair color, eye color, relationship status, among other things.¹ The Acts’ extra-territorial application is also triggered when the entity has a link the Philippines.² These “links” may include: a contract entered within the Philippine territory or jurisdiction, or having a central management, branch, office, or subsidiary located in the Philippines.³

Entities covered by the Act may fall within two categories: 1) personal information controller, or 2) personal information processor. A “controller” is one who controls the collection, holding, processing or use of personal information. This term excludes a person who processes personal information as instructed by another and a person who processes information in connection with another’s personal, family, or household affairs. Doctors, banks, clubs, and government departments are all examples of data controllers. On the other hand, a data processor processes personal data in behalf of the controller but neither exercises responsibility for nor has control over said data.⁴ This arrangement is often seen in accountancy firms and market research companies wherein enterprises would hire accountants or researchers, either internationally or domestically, to manage the business’ bookkeeping and other business activities.⁵ In this scenario, the individual hired would be considered as the data processor.

It must be pointed out that only the personal information controller is bound by the extra-territorial provision of the Act.⁶

II. Compliance Requirements

An entity covered by the Act must observe the data privacy principles⁷, uphold the rights of the data subjects⁸, implement appropriate security measures⁹, register their processing systems¹⁰, notify the proper parties in case of breach¹¹, and submit an annual report to the National Privacy Commission (“Commission”). ¹²

To find out more about data privacy principles and rights, please visit: link of article on data privacy and rights

Security Measures

Personal information controllers and processors are required to implement organizational, physical, and technical security measures for the protection of personal data. These measures must be able to maintain the availability, integrity, and confidentiality of personal data and should likewise protect the data against any accident or unlawful processing.¹³

As for organizational security measures, entities involved in the processing of personal data are required to designate a person responsible and accountable for ensuring compliance with applicable laws for the protection of data privacy and security. They are also obliged to implement appropriate data protection policies.¹⁴

For physical security measures, entities are required to design their workstations in a matter that provides privacy to anyone processing personal data and prevents the mechanical or natural destruction of files and equipment.¹⁵ For technical security measures, it is compulsory that entities establish safeguards to protect their computer network against any unlawful or accidental interference. They must also create a process for testing and evaluating the effectiveness of the security measures, establish an encryption system of personal data during storage, and adopt other security measures that would limit control and access to said data.¹⁶

Registration

Personal information controllers and processors are not required to register their personal data processing systems if they employ less than two hundred fifty (250) persons. However, even if they employ less than the said number of employees, they must still register their personal data processing systems if the processing involves accessing sensitive personal information of at least one thousand (1,000) individuals; if the processing is not occasional; or if the processing is likely to pose a risk to the rights and freedoms of an individual.¹⁷

Notification

The IRR also requires that personal information controllers send out notifications in cases of data breach and automated processing operations. Personal information controllers performing automated processing operations must notify the Commission when such processing becomes the sole basis for making decisions about a data subject and when such decision would significantly affect said data subject.¹⁸

For more information about data breach notification, please visit: http://privacy.com.ph/feature-article/data-breach-notification-under-the-data-privacy-act/

Annual Report

Personal information controllers and processors must submit an annual report of documented security incidents and personal data breaches.¹⁹ “Personal data breach” refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed,²⁰ regardless of how the breach was committed.

The Act does not apply to each and every piece of personal information. Information originally collected from residents of another country, which is processed in the Philippines, would be excluded from the law’s ambit. In this instance, entities, whether established in the Philippines or abroad, must show that the collection was made in accordance with the laws of the country in which the data subject resides.²¹ This is accomplished by either presenting the official publication of the law or a copy attested by the officer having the custody of the law,²² and by providing concrete evidence showing that there was compliance. The copy must also be accompanied by a certification that said officer has custody.²³

Consistent with the doctrine of processual presumption, the IRR provides that if the applicable foreign law has not been proven, it will be presumed that the foreign law is the same as the Act and its IRR.²⁴

III. Consequences for Failure to Comply

In cases where a data subject files a complaint against a foreign entity for violation of his privacy rights or for any injury suffered as a result of the processing of his personal data, the Commission may award indemnity based on the applicable provisions of the New Civil Code.²⁵

In case of criminal acts , the data subject who, on the basis of substantial evidence, committed the unlawful act or omission may be subject to prosecution upon recommendation by the Commission. If the offender is a corporation, partnership, or any juridical person, the responsible officers who participated in, or whose gross negligence resulted in the commission of the crime, may be prosecuted.²⁶