Data Privacy Act of 2012
Data Privacy Act of 2012
Data Privacy Act of 2012
It is the policy of the State to protect the fundamental human right of privacy, of communication while
ensuring free flow of information to promote innovation and growth.
What is protected is data from natural persons. It does not include juridical persons since the
title provided “INDIVIDUAL PERSONAL INFORMATION”.
It requires that when obtaining consent, the data subject be informed about the extent and
purpose of processing, and it specifically mentions the “automated processing of his or her
personal data for profiling, or processing for direct marketing, and data sharing.” Consent is
further required for sharing information with affiliates or even mother companies.
PROCESS
Registration of personal data processing systems operating in the country that involves
accessing or requiring sensitive personal information of at least one thousand (1,000)
individuals, including the personal data processing system of contractors, and their personnel,
entering into contracts with government agencies;
1. The name and address of the personal information controller or personal information
processor, and of its representative, if any, including their contact details;
2. The purpose or purposes of the processing, and whether processing is being done under an
outsourcing or subcontracting agreement;
3. A description of the category or categories of data subjects, and of the data or categories of
data relating to them;
8. Copy of all policies relating to data governance, data privacy, and information security;
9. Attestation to all certifications attained that are related to information and communications
processing; and
10. Name and contact details of the compliance or data protection officer, which shall
immediately be updated in case of changes.
11. The procedure for registration shall be in accordance with these Rules and other issuances
of the Commission.