A stricter regime for profiling07 June 2016
Philippine Data Privacy Law is Signed into Law
The Act applies to “the processing of all types of personal information” and to any person, including both government and private-sector entities, “involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines.” The term “Personal Information” is defined as any information “from which the identity of an individual is apparent or can be reasonably and directly ascertained” or that “when put together with other information would directly and certainly identify an individual.”
The Act contains provisions that govern the processing of personal information, the rights of data subjects (e.g., notice, access, and data portability), and the security of personal information (which includes a breach notification requirement). In addition, the Act creates the National Privacy Commission, which is tasked with administering and implementing the provisions of the Act and monitoring and ensuring compliance with international standards for data protection.
The law sets forth a detailed schedule of penalties for violations of Act, which include both imprisonment and fines. For example, the unauthorized processing of personal information is penalized by imprisonment of one to three years and a fine of not less than 500,000 pesos (approximately $11,850 USD) but not more than two million pesos (approximately $47,390 USD). If the unauthorized processing involves sensitive personal information, the penalties increase to imprisonment of three to six years and a fine of up to four million pesos (approximately $94,780 USD). In addition, the Act also penalizes – by imprisonment and fine – the improper disposal of personal information, the processing of personal information for unauthorized purposes, the concealment of a security breach, and the malicious and unauthorized disclosure of personal information.
The Regulation aims to strengthen the rights of individuals. It does so by retaining rights that already exist under the Data Protection Directive and introducing the new rights of data...06 June 2016
Grounds for processing03 June 2016