ZCC. Data Privacy Act

1. CONCEPT

“Consent of the data subject” – refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged information. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful representative or an agent specifically authorized by the data subject to do so. (Section 3[c], Rule I, Implementing Rules and Regulations of Data Privacy Act of 2012)

“Personal data” – refers to all types of personal information. (Section 3[j], Ibid.)

“Personal data breach” – refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. (Section 3[k], Ibid.)

“Personal information” – refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual. (Section 3[l], Ibid.)

“Personal information controller” – refers to a natural or juridical person, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf. The term excludes:

1) A natural or juridical person, or any other body, who performs such functions as instructed by another person or organization; or

2) A natural person who processes personal data in connection with his or her personal, family, or household affairs;

There is control if the natural or juridical person or any other body decides on what information is collected, or the purpose or extent of its processing. (Section 3[m], Ibid.)

“Personal information processor” – refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject. (Section 3[n], Ibid.)

“Processing” – refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system. (Section 3[o], Ibid.)

“Sensitive personal information” – refers to personal information:

1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;

3) Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and

4) Specifically established by an executive order or an act of Congress to be kept classified. (Section 3[t], Ibid.)

2. CRIMES

a. Unauthorized Processing of Personal Information and Sensitive Personal Information

Modes

1) UNAUTHORIZED PROCESSING OF PERSONAL INFORMATION: The unauthorized processing of personal information shall be penalized by imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who process personal information without the consent of the data subject, or without being authorized under this Act or any existing law. (Section 25[a], R.A. 10173)

2) UNAUTHORIZED PROCESSING OF SENSITIVE PERSONAL INFORMATION: The unauthorized processing of personal sensitive information shall be penalized by imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00) shall be imposed on persons who process personal information without the consent of the data subject, or without being authorized under this Act or any existing law. (Section 25[b], Ibid.)

b. Accessing Personal Information and Sensitive Personal Information Due to Negligence

Modes

1) ACCESSING PERSONAL INFORMATION DUE TO NEGLIGENCE: Accessing personal information due to negligence shall be penalized by imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who, due to negligence, provided access to personal information without being authorized under this Act or any existing law. (Section 26[a], Ibid.)

2) ACCESSING SENSITIVE PERSONAL INFORMATION DUE TO NEGLIGENCE: Accessing sensitive personal information due to negligence shall be penalized by imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00) shall be imposed on persons who, due to negligence, provided access to personal information without being authorized under this Act or any existing law. (Section 26[b], Ibid.)

c. Improper Disposal of Personal Information and Sensitive Personal Information

Modes

1) IMPROPER DISPOSAL OF PERSONAL INFORMATION: The improper disposal of personal information shall be penalized by imprisonment ranging from six (6) months to two (2) years and a fine of not less than One hundred thousand pesos (Php100,000.00) but not more than Five hundred thousand pesos (Php500,000.00) shall be imposed on persons who knowingly or negligently dispose, discard or abandon the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection. (Section 27[a], Ibid.)

2) IMPROPER DISPOSAL OF SENSITIVE PERSONAL INFORMATION: The improper disposal of sensitive personal information shall be penalized by imprisonment ranging from one (1) year to three (3) years and a fine of not less than One hundred thousand pesos (Php100,000.00) but not more than One million pesos (Php1,000,000.00) shall be imposed on persons who knowingly or negligently dispose, discard or abandon the personal information of an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its container for trash collection. (Section 27[b], Ibid.)

d. Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes

Modes

1) PROCESSING OF PERSONAL INFORMATION FOR UNAUTHORIZED PURPOSES: The processing of personal information for unauthorized purposes shall be penalized by imprisonment ranging from one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00) shall be imposed on persons processing personal information for purposes not authorized by the data subject, or otherwise authorized under this Act or under existing laws. (Section 28, Ibid.)

2) PROCESSING OF SENSITIVE PERSONAL INFORMATION FOR UNAUTHORIZED PURPOSES: The processing of sensitive personal information for unauthorized purposes shall be penalized by imprisonment ranging from two (2) years to seven (7) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons processing sensitive personal information for purposes not authorized by the data subject, or otherwise authorized under this Act or under existing laws. (Paragraph 2, Section 28, Ibid.)

e. Unauthorized Access or Intentional Breach

The penalty of imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on persons who knowingly and unlawfully, or violating data confidentiality and security data systems, breaks in any way into any system where personal and sensitive personal information is stored. (Section 29, Ibid.)

f. Concealment of Security Breaches Involving Sensitive Personal Information

The penalty of imprisonment of one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00) shall be imposed on persons who, after having knowledge of a security breach and of the obligation to notify the Commission pursuant to Section 20(f), intentionally or by omission conceals the fact of such security breach. (Section 30, Ibid.)

g. Malicious Disclosure

Any personal information controller or personal information processor or any of its officials, employees or agents, who, with malice or in bad faith, discloses unwarranted or false information relative to any personal information or personal sensitive information obtained by him or her, shall be subject to imprisonment ranging from one (1) year and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00). (Section 31, Ibid.)

h. Unauthorized Disclosure

Modes

1) UNAUTHORIZED DISCLOSURE OF PERSONAL INFORMATION: Any personal information controller or personal information processor or any of its officials, employees or agents, who discloses to a third party personal information not covered by the immediately preceding section without the consent of the data subject, shall be subject to imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00). (Section 32[a], Ibid.)

2) UNAUTHORIZED DISCLOSURE OF SENSITIVE PERSONAL INFORMATION: Any personal information controller or personal information processor or any of its officials, employees or agents, who discloses to a third party sensitive personal information not covered by the immediately preceding section without the consent of the data subject, shall be subject to imprisonment ranging from three (3) years to five (5) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00). (Section 32[b], Ibid.)

i. Combination or Series of Acts

Any combination or series of acts as defined in Sections 25 to 32 shall make the person subject to imprisonment ranging from three (3) years to six (6) years and a fine of not less than One million pesos (Php1,000,000.00) but not more than Five million pesos (Php5,000,000.00). (Section 33, Ibid.)

3. EXTENT OF LIABILITY

JURIDICAL PERSON: If the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission of the crime. If the offender is a juridical person, the court may suspend or revoke any of its rights under this Act. If the offender is an alien, he or she shall, in addition to the penalties herein prescribed, be deported without further proceedings after serving the penalties prescribed. If the offender is a public official or employee and he or she is found guilty of acts penalized under Sections 27 and 28 of this Act, he or she shall, in addition to the penalties prescribed herein, suffer perpetual or temporary absolute disqualification from office, as the case may be. (Section 34, Ibid.)

LARGE-SCALE: The maximum penalty in the scale of penalties respectively provided for the preceding offenses shall be imposed when the personal information of at least one hundred (100) persons is harmed, affected or involved as the result of the above mentioned actions. (Section 35, Ibid.)

OFFENSE COMMITTED BY PUBLIC OFFICER: When the offender or the person responsible for the offense is a public officer as defined in the Administrative Code of the Philippines in the exercise of his or her duties, an accessory penalty consisting in the disqualification to occupy public office for a term double the term of criminal penalty imposed shall be applied. (Section 36, Ibid.)

RESTITUTION: Restitution for any aggrieved party shall be governed by the provisions of the New Civil Code. (Section 37, Ibid.)
