1. BANKING LAWS:
2.4 Accountability of Transfer
of Information
2.5 Penalties for Violation Group 5
Osin, Riche
Osorio, Marian
Quiao, Stephenjon
Repolidon, Margaret
2. Questions;
1. Is there a general Accountability obligation for Data Privacy?
2. What are the 5 pillars of data privacy accountability and compliance?
3. Is a Data Protection Officer (DPA) accountable for it's compliance from the PIC or PIP on
the Data Privacy Act?
4. Does an organization always need your consent about sharing your personal data without
permission?
5. How does the data privacy Act protect individuals from violations?
6. What if the offender is a partnership, corporation, or any juridical person?
7. What are the issues of NPC regarding the Circular on Administrative Fines for data privacy
infractions of the PIC or PIP and explain?
8. What are the administrative violations of a PIC or PIP regarding data privacy?
9. What are the amount of fine if the PIC or PIP shall be subject to an administrative violation
of data privacy?
10. What will happen if a PIC or PIP that refuses to pay the administrative fine regarding the
Circular of data privacy infractions?
3. Answers;
1. Is there a general Accountability obligation for Data Privacy?
Yes, the Personal information Controllers and Personal Information Processors must implement
reasonable and appropriate organizational, physical, and technical security measures for the
protection of personal data.
2. What are the 5 pillars of data privacy accountability and compliance?
(1) Appoint a data protection officer. (2) Conduct a privacy impact assessment to identify capabilities,
threats, and risks. (3) Develop a privacy management programme. (4) Implement data privacy
governance to ensure proper execution of security measures. (5) Prepare data breach protocols.
3. Is a Data Protection Officer (DPA) accountable for it's compliance from the PIC or PIP on the
Data Privacy Act?
Yes, a Data Protection Officer shall be accountable for ensuring the compliance by the PIC or PIP
with the Data Privacy Act, its Implementing Rules and Regulations (IRR), issuances by the National
Privacy Commission (NPC), and other applicable laws and regulations relating to privacy and data
protection.
4. Answers;
4. Does an organization always need your consent about sharing your personal data
without permission?
No. Organizations don't always need your consent to use your personal data, because
anyone can use it without consent if they have a valid reason.
5. How does the data privacy Act protect individuals from violations?
The right to erasure or blocking: Under the law, you have the right to suspend, withdraw or
order the blocking, removal or destruction of your personal data.
6. What if the offender is a partnership, corporation, or any juridical person?
Answer: The law says that the penalty shall be imposed upon the responsible officers, as the
case may be, who participated in, or by their gross negligence, allowed the commission of
the crime.
5. 5
7. What are the issues of NPC regarding the Circular on Administrative Fines for data
privacy infractions of the PIC or PIP and explain?
Answer: Depending on whether the violation is grave or major, the NPC will impose
administrative fines ranging from 0.5% to 3% and 0.25% to 2%, respectively, of the annual
gross income of the PIC or PIP that committed the infraction. If a PIC or PIP has not been
operating for more than one year, the base for computing administrative fines will be the
entity’s total gross income at the time the violation was committed.
8. What are the administrative violations of a PIC or PIP regarding data privacy?
(1) failure to register the true identity or contact details of the PIC, the data processing
system, or information on automated decision making; or (2) failure to provide updated
information as to the identity or contact details of the PIC, the data processing system, or
information on automated decision making.
Answers;
6. Answers;
9.What are the amount of fine if the PIC or PIP shall be subject to an administrative
violation of data privacy?
The PIC or PIP shall be subject to an administrative fine of not less than Fifty Thousand
Pesos (Php 50,000.00) but not exceeding Two Hundred Thousand Pesos (Php 200,000.00).
10. What will happen if a PIC or PIP that refuses to pay the administrative fine
regarding the Circular of data privacy infractions?
Answer: PICs or PIPs that refuse to pay the administrative fine under the circular may be
subject to a Cease and Desist Order, other processes or reliefs as the Commission may be
authorized to initiate pursuant to Section 7 of the Data Privacy Act, and appropriate
contempt proceedings under the Rules of Court.
7. REPUBLIC ACT NO. 10173
Accountability for Transfer of Personal
Information
Section 21 Principle of Accountability
- The personal information controller is accountable for
complying with the requirements of this Act and shall use
contractual or other reasonable means to provide a
comparable level of protection while the information are
being processed by a third party.
- The personal information controller shall designate an
individual or individuals who are accountable for the
organization’s compliance with this Act. The identity of the
individual(s) so designated shall be made known to any
data subject upon request..
DATA PRIVACY ACT
- It is the policy of the State to
protect the fundamental
human right of privacy, of
communication while ensuring
free flow of information to
promote innovation and
growth.
8. Accountability for violation of the Act, the
Rules and Other Issuances of the
Commission
A.) Any natural or juridical person, or other body involved in the
processing of personal data, who fails to comply with Act, the Rules,
and other issuances of the commission, shall be liable for such
violation, and shall be subject to its corresponding sanction, penalty,
or fine, without prejudice to any civil or criminal liability, as may be
applicable.
9. B.) In cases where a data subject files a complaint for violation of his
or her rights as data subjects, and for any injury suffered as a result
of the processing of his or her personal data, the Commission may
award indemnity on the basis of the applicable provisions of the New
Civil Code.
C.) In case of criminal acts and their corresponding personal
penalties, the person who committed the unlawful act or omission
shall be recommended for prosecution by the commission based on
substantial evidence.
9
Accountability for violation of the Act, the Rules
and Other Issuances of the Commission (Cont.)
10. DATA BREACH NOTIFICATION
A.) The Commission and affected data subjects shall be notified by the
personal information controller within 72 hours upon knowledge of, or when
there is reasonable belief by the personal information controller or personal
information processor that, a personal data breach requiring notification has
occurred.
B.) Notification of personal data breach shall be required when sensitive
personal information or any other information that may, under the
circumstances, be used to enable identity fraud are reasonably believed to
have been acquired by an unauthorized person, and the personal information
controller or the Commission believes that such unauthorized acquisition is
likely to give rise to a real risk of serious harm to any affected data subject.
11. DATA BREACH NOTIFICATION(Cont.)
C.) Depending on the nature of the incident, or if there is delay or
failure to notify, the Commission may investigate the circumstances
surrounding the personal data breach. Investigation may include on-
site examination of systems and procedures.
12. Contents of Notification
The notification shall at least describe the nature of the breach, the
personal data possibly involved, and the measures taken by the entity
to address the breach. The notification shall also include measures
taken to reduce the harm or negative consequences of the breach, the
representatives of the personal information controller, including their
contact details, from whom the data subject can obtain additional
information about the breach, and any assistance to be provided to the
affected data subjects.
13. Delay of Notification
- Notification may be delayed only to the extent necessary to
determine the scope of the breach. To prevent further disclosures,
or to restore reasonable integrity to the information and
communications system.
- In evaluating if notification is unwarranted, the Commission may
take into account compliance by the personal information controller
with this section and existence of good faith in the acquisition of
personal data.
14. - The Commission may exempt a personal information
controller from notification where, in its reasonable
judgment, such notification would not be in the public
interest, or in the interest of the affected data subjects.
- The Commission may authorize postponement of
notification where it may hinder the progress of a criminal
investigation related to a serious breach.
14
Delay of Notification
15. Breach Report
- The personal information controller shall notify the Commission by
submitting a report, whether written or electronic, containing the
required contents of notification. The report shall also include the
name of a designated representative of the personal information
controller, and his or her contact details.
- All security incidents and personal data breaches shall be
documented through written reports, including those not covered by
the notification requirements.
16. Enforcement of the Data Privacy Act
- Pursuant to the mandate of the Commission to administer and
implement the Act, and to ensure the compliance of personal
information controllers with its obligations under the law, the
Commission requires the following:
A.) Registration of personal data processing systems operating in
the country that involves accessing or requiring sensitive
personal information.
17. B.) Notification of automated processing operations where the
processing becomes the sole basis of making decisions.
C.) Annual report of the summary of documented security
incidents and personal data breaches.
D.) Compliance with other requirements that may be provided
in other issuances of the Commission.
17
Enforcement of the Data Privacy Act (Cont.)
18. Registration of Personal Data Processing
Systems
A.) The contents of registration shall include:
1. The name and address of the personal information controller or personal
information processor
2. The purpose or purposes of the processing, and whether processing is
being done under an outsourcing or subcontracting agreement;
3. A description of the category or categories of data subjects, and of the
data or categories of data relating to them;
4. The recipients or categories of recipients to whom the data might be
disclosed;
5. Proposed transfers of personal data outside the Philippines;
19. Registration of Personal Data Processing
Systems(Cont.)
6. A general description of privacy and security measures for data protection;
7. Brief description of the data processing system;
8. Copy of all policies relating to data governance, data privacy, and
information security;
9. Attestation to all certifications attained that are related to information and
communications processing; and
10. Name and contact details of the compliance or data protection officer,
which shall immediately be updated in case of changes.
B.) The procedure for registration shall be in accordance with the rules and
other issuances of the commission.
20. Notification of Automated Processing
Operations
The notification shall include the following information:
1. Purpose of processing;
2. Categories of personal data to undergo processing;
3. Category or categories of data subject;
4. Consent forms or manner of obtaining consent;
5. The recipients or categories of recipients to whom the data are to be
disclosed;
21. 6. The length of time the data are to be stored;
7. Methods and logic utilized for automated processing;
8. Decisions relating to the data subject that would be made on the basis
of processed data;
9. Names and contract details of the compliance or data protection officer.
No decision with legal effects concerning a data subject shall be made
solely on the basis of automated processing without the consent of the
data subject.
21
Notification of Automated Processing
Operations (Cont.)
22. Violations, Jurisdiction, Penalties, and
Immunity
Any person who performs or cause the performance of the following
acts shall be liable:
- Refusal to accept application or request with complete requirements
being submitted by an applicant or requesting party without due cause;
- Imposition of additional requirements other than those listed in the
Citizen’s Charter;"(c) Imposition of additional costs not reflected in the
Citizen’s Charter;
- Failure to give the applicant or requesting party a written notice on the
disapproval of an application or request;
23. Violations, Jurisdiction, Penalties, and
Immunity(Cont.)
- Failure to render government services within the prescribed processing
time on any application or request without due cause;
- Failure to attend to applicants or requesting parties who are within the
premises of the office or agency concerned prior to the end of official
working hours and during lunch break.
- Failure or refusal to issue official receipts; and
- Fixing and/or collusion with fixers in consideration of economic and/or
other gain or advantage.
24. Penalties and Liabilities.
Any violations of the preceding actions will warrant the following
penalties and liabilities.
• Criminal liability - shall also be incurred through the commission of
bribery, extortion, or when the violation was done deliberately and
maliciously to solicit favor in cash or in kind. In such cases, the pertinent
provisions of the Revised Penal Code and other special laws shall apply.
• Civil and Criminal Liability - Not Barred. The finding of administrative
liability under this Act shall not be a bar to the filing of criminal, civil or
other related charges under existing laws arising from the same act or
omission as herein enumerated.
25. • Administrative Jurisdiction. - The administrative
jurisdiction on any violation of the provisions of this Act
shall be vested in either the CSC, or the Office of the
Ombudsman as determined by appropriate laws and
issuances."
25
Penalties and Liabilities. (Cont.)
26. Immunity, Discharge of Co-
Respondent/Accused to be a Witness.
Any public official or employee or any person having been charged
with another offense under this Act and who voluntarily gives
information pertaining to an investigation or who willingly testifies
therefore, shall be exempt from prosecution in the case/s where
his/her information and testimony are given. The discharge may be
granted and directed by the investigating body or court upon the
application or petition of any of the respondent/accused-informant and
before the termination of the investigation:
27. Immunity, Discharge of Co-
Respondent/Accused to be a Witness.(Cont.)
Provided, That:
A.) There is absolute necessity for the testimony of the respondent/accused-
informant whose discharge is requested;
B.) There is no other direct evidence available for the proper prosecution of
the offense committed, except the testimony of said respondent/accused-
informant;"
C.) The testimony of said respondent can be substantially corroborated in its
material points;"
28. D.) The respondent/accused-informant has not been previously
convicted of a crime involving moral turpitude; and the said
respondent/accused-informant does not appear to be the most guilty.
Evidence adduced in support of the discharge shall automatically
form part of the records of the investigation. Should the investigating
body or court deny the motion or request for discharge as a witness,
his/her sworn statement shall be inadmissible as evidence.
28
Immunity, Discharge of Co-
Respondent/Accused to be a Witness.(Cont.)