
Organizational Structure of The Commission

1. The NPC is the regulatory body that oversees data privacy and protection in the Philippines. It is attached to the DICT and headed by a Privacy Commissioner.
2. The NPC has broad powers to administer data privacy laws, monitor compliance, receive complaints, conduct investigations, and issue orders to data controllers.
3. The NPC's coverage includes all natural and juridical persons involved in personal data processing in the Philippines, as well as those located abroad but using Philippine infrastructure or instructing others here. Some exceptions apply for government and journalistic/research purposes.

1. The NPC

a. Organization (9, 10)

Organizational Structure of the Commission
attached to the Department of Information and Communications Technology (DICT)
headed by a Privacy Commissioner; as Chairman of the Commission
assisted by two (2) Deputy Privacy Commissioners: Data Processing Systems and one to be responsible for Policies and Planning.
appointed by the President of the Philippines for a term of three (3) years, and may be reappointed for another term of three (3) years
filled in the same manner in which the original appointment was made.

Privacy Commissioner
- be at least thirty-five (35) years; of good moral character, unquestionable integrity and known probity, recognized expert in the field of information technology and data privacy; enjoy the benefits, privileges and emoluments equivalent to the rank of Secretary.

Deputy Privacy Commissioners
- recognized experts in the field of information and communications technology and data privacy; rank of Undersecretary

not be civilly liable for acts done in good faith in the performance of their duties. be liable for willful or negligent acts done by him or her which are contrary to law, morals, public policy and good customs even if he or she acted under orders or instructions of superiors
in case a lawsuit is filed against such official on the subject of the performance of his or her duties, where such performance is lawful, he or she shall be reimbursed by the Commission for reasonable costs of litigation.

The Secretariat
Majority served for at least five (5) years in any agency of the government that is involved in the processing of personal information including, but not limited to, the following offices: Social Security System (SSS), Government Service Insurance System (GSIS), Land Transportation Office (LTO), Bureau of Internal Revenue (BIR), Philippine Health Insurance Corporation (PhilHealth), Commission on Elections (COMELEC), Department of Foreign Affairs (DFA), Department of Justice (DOJ), and Philippine Postal Corporation (Philpost).

b. Powers and function (7)
1. administer and implement the provisions of this Act
2. to monitor and ensure compliance of the country with international standards set for data protection

(a) Ensure compliance of personal information controllers with the provisions of this Act;
(b) Receive complaints, institute investigations, facilitate or enable
settlement of complaints through the use of alternative dispute resolution processes, adjudicate, award indemnity on matters affecting any personal information, prepare reports on disposition of complaints and resolution of any investigation it initiates, and, in cases it deems appropriate, publicize any such report: Provided, That in resolving any complaint or investigation (except where amicable settlement is reached by the parties), the Commission shall act as a collegial body. For this purpose, the Commission may be given access to personal information that is subject of any complaint and to collect the information necessary to perform its functions under this Act;
(c) Issue cease and desist orders, impose a temporary or permanent ban on the processing of personal information, upon finding that the processing will be detrimental to national security and public interest;
(d) Compel or petition any entity, government agency or instrumentality to abide by its orders or take action on a matter affecting data privacy;
(e) Monitor the compliance of other government agencies or instrumentalities on their security and technical measures and recommend the necessary action in order to meet minimum standards for protection of personal information pursuant to this Act;
(f) Coordinate with other government agencies and the private sector on efforts to formulate and implement plans and policies to strengthen the protection of personal information in the country;
(g) Publish on a regular basis a guide to all laws relating to data protection;
(h) Publish a compilation of agency system of records and notices, including index and other finding aids;
(i) Recommend to the Department of Justice (DOJ) the prosecution and imposition of penalties specified in Sections 25 to 29 of this Act;
(j) Review, approve, reject or require modification of privacy codes voluntarily adhered to by personal information controllers: Provided, That the privacy codes shall adhere to the underlying data privacy principles embodied in this Act: Provided, further, That such privacy codes may include private dispute resolution mechanisms for complaints against any participating personal information controller. For this purpose, the Commission shall consult with relevant regulatory agencies in the formulation and administration of privacy codes applying the standards set out in this Act, with respect to the persons, entities, business activities and business sectors that said regulatory bodies are authorized to principally regulate pursuant to the law: Provided, finally, That the Commission may review such privacy codes and require changes thereto for purposes of complying with this Act;
(k) Provide assistance on matters relating to privacy or data protection at the request of a
national or local agency, a private entity or any person;
(l) Comment on the implication on data privacy of proposed national or local statutes, regulations or procedures, issue advisory opinions and interpret the provisions of this Act and other data privacy laws;
(m) Propose legislation, amendments or modifications to Philippine laws on privacy or data protection as may be necessary;
(n) Ensure proper and effective coordination with data privacy regulators in other countries and private accountability agents, participate in international and regional initiatives for data privacy protection;
(o) Negotiate and contract with other data privacy authorities of other countries for cross-border application and implementation of respective privacy laws;
(p) Assist Philippine companies doing business abroad to respond to foreign privacy or data protection laws and regulations; and
(q) Generally perform such acts as may be necessary to facilitate cross-border enforcement of data privacy protection.

2. Coverage (4, 3g-l)

applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph:

does not apply to the following:
(a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:
(1) The fact that the individual is or was an officer or employee of the government institution;
(2) The title, business address and office telephone number of the individual;
(3) The classification, salary range and responsibilities of the position held by the individual; and
(4) The name of the individual on a document prepared by the individual in the course of employment with the government;
(b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;
(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;
(d) Personal information processed for journalistic, artistic, literary or research purposes;
(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);
(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and
(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

Section 3
(g) Personal information - any information from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information / put together with other information would directly and certainly identify an individual.
(h) Personal information controller - person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:
(1) A person or organization who performs such functions as instructed by another person or organization; and
(2) An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.
(i) Personal information processor - natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.
(j) Processing - operation or set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
(k) Privileged information - any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.
(l) Sensitive personal information - personal information:
(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to be kept classified.

3. Processing of personal information (11-15)

processing of personal information, allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality

personal information must be:
(a) Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only;
(b) Processed fairly and lawfully;
(c) Accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal information, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted;
(d) Adequate and not excessive in relation to the purposes for which they are collected and processed;
(e) Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law; and
(f) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed: Provided, That personal information collected for other purposes may be processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods: Provided, further, That adequate safeguards are guaranteed by said laws authorizing their processing.
The personal information controller must ensure implementation of personal information processing principles set out herein.

processing of personal information shall be permitted only if not otherwise prohibited by law at least one of the following conditions exists:
(a) The data subject has given his or her consent;
(b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
(c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
(d) The processing is necessary to protect vitally important interests of the data subject, including life and health;
(e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or
(f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

Sensitive Personal Information and Privileged Information - prohibited, except in the following cases:
(a) given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;
(b) The processing of the same is provided for by existing laws and regulations: Provided, That such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information: Provided, further, That the consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;
(c) The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;
(d) The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: Provided, That such processing is only confined and related to the bona fide members of these organizations or their associations: Provided, further, That the sensitive personal information are not transferred to third parties: Provided, finally, That consent of the data subject was obtained prior to processing;
(e) The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or
(f) The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.

SEC. 14. Subcontract of Personal Information. – A personal information controller may subcontract the processing of personal information: Provided,
ensure that proper safeguards are in place to ensure the confidentiality of the personal information processed, prevent its use for unauthorized purposes, and generally, comply with the requirements of this Act and other laws for processing of personal information. The personal information processor shall comply with all the requirements of this Act and other applicable laws.

SEC. 15. Extension of Privileged Communication. PIC may invoke the principle of privileged communication over privileged information that they lawfully control or process. Subject to existing laws and regulations, any evidence gathered on privileged information is inadmissible.

4. Rights of data subject (16-19)

(a) Be informed whether personal information pertaining to him or her shall be, are being or have been processed;
(b) Be furnished the information before the entry into the processing system of the personal information controller, or at the next practical opportunity:
(1) Description of the personal information
(2) Purposes;
(3) Scope and method;
(4) The recipients or classes of recipients
(5) Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized;
(6) The identity and contact details of the personal information controller or its representative;
(7) The period will be stored; and
(8) rights to access, correction, as well as the right to lodge a complaint before the Commission.
Any information supplied or declaration shall not be amended without prior notification of data subject: Provided, That the notification under subsection (b) shall not apply should the personal information be needed pursuant to a subpoena or when the collection and processing are for obvious purposes, including when it is necessary for the performance of or in relation to a contract or service or when necessary or desirable in the context of an employer-employee relationship, between the collector and the data subject, or when the information is being collected and processed as a result of legal obligation;
(c) Reasonable access to, upon demand, the following:
(1) Contents of his or her personal information that were processed;
(2) Sources from which personal information were obtained;
(3) Names and addresses of recipients of the personal information;
(4) Manner by which such data were processed;
(5) Reasons for the disclosure of the personal information to recipients;
(6) Information on automated processes where the data will or likely to be made as the sole basis for any decision significantly affecting or will affect the data subject;
(7) Date when his or her personal information concerning the data
subject were last accessed and modified; and
(8) The designation, or name or identity and address of the personal information controller;
(d) Dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal information have been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by recipients thereof: Provided, That the third parties who have previously received such processed personal information shall be informed of its inaccuracy and its rectification upon reasonable request of the data subject;
(e) Suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected. In this case, the personal information controller may notify third parties who have previously received such processed personal information; and
(f) Be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information.

SEC. 17. Transmissibility of Rights. – The lawful heirs and assigns of the data subject may invoke the rights of the data subject for which he or she is an heir or assignee at any time after the death, incapacitated or incapable of exercising the rights

SEC. 18. Right to Data Portability. – personal information is processed by electronic means and in a structured and commonly used format, to obtain from the personal information controller a copy of data undergoing processing in an electronic or structured format, which is commonly used and allows for further use by the data subject. The Commission may specify the electronic format referred to above, as well as the technical standards, modalities and procedures for their transfer.

SEC. 19. Non-Applicability. – The immediately preceding sections are not applicable if the processed personal information are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, That the personal information shall be held under strict confidentiality and shall be used only for the declared purpose. Likewise, the immediately preceding sections are not applicable to processing of personal information gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a
data subject.

5. Security of personal information (20)

SEC. 20. Security of Personal Information. –
(a) PIC implement reasonable and appropriate organizational, physical and technical measures for protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.
(b) implement reasonable and appropriate measures to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.
(c) The determination of the appropriate level of security must take into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices and the cost of security implementation. Subject to guidelines as the Commission may issue from time to time, the measures implemented must include:
(1) Safeguards to protect its computer network against accidental, unlawful or unauthorized usage or interference with or hindering of their functioning or availability;
(2) A security policy with respect to the processing of personal information;
(3) A process for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach; and
(4) Regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach.
(d) PIC must further ensure that third parties processing personal information on its behalf shall implement the security measures required by this provision.
(e) The employees, agents or representatives of a personal information controller who are involved in the processing of personal information shall operate and hold personal information under strict confidentiality if the personal information are not intended for public disclosure. This obligation shall continue even after leaving the public service, transfer to another position or upon termination of employment or contractual relations.
(f) PIC shall promptly notify the Commission and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious
harm to any affected data subject. The notification shall at least describe the nature of the breach, the sensitive personal information possibly involved, and the measures taken by the entity to address the breach. Notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system.
(1) In evaluating if notification is unwarranted, the Commission may take into account compliance by the personal information controller with this section and existence of good faith in the acquisition of personal information.
(2) The Commission may exempt a personal information controller from notification where, in its reasonable judgment, such notification would not be in the public interest or in the interests of the affected data subjects.
(3) The Commission may authorize postponement of notification where it may hinder the progress of a criminal investigation related to a serious breach.

a. Accountability for transfer of personal information (21)

SEC. 21. Principle of Accountability. PIC responsible for personal information under its control or custody, including information that have been transferred to a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation.
(a) complying with the requirements of this Act and use contractual or other reasonable means to provide a comparable level of protection while the information are being processed by a third party.
(b) designate an individual or individuals who are accountable for the organization’s compliance with this Act. The identity of the individual(s) so designated shall be made known to any data subject upon request.

6. Security of sensitive personal information in the government (22-24)

SEC. 22. Responsibility of Heads of Agencies. – All sensitive personal information maintained by the government, its agencies and instrumentalities shall be secured, as far as practicable, with the use of the most appropriate standard recognized by the information and communications technology industry, and as recommended by the Commission.
The head of each government agency or instrumentality - responsible for complying with the security requirements mentioned herein
Commission - monitor the compliance and may recommend the necessary action in order to satisfy the minimum standards.

SEC. 23. Requirements Relating to Access by Agency Personnel to Sensitive Personal Information. –
(a) On-site and Online Access – Except as may be allowed through guidelines to be issued by the Commission, no employee of the government shall have access to
sensitive personal information on government property or through online facilities unless the employee has received a security clearance from the head of the source agency.
(b) Off-site Access – Unless otherwise provided in guidelines to be issued by the Commission, sensitive personal information maintained by an agency may not be transported or accessed from a location off government property unless a request for such transportation or access is submitted and approved by the head of the agency in accordance with the following guidelines:
(1) Deadline for Approval or Disapproval - shall approve or disapprove the request within two (2) business days after the date of submission of the request. no action by the head of the agency, considered disapproved;
(2) Limitation to One thousand (1,000) Records – the head limit the access to not more than one thousand (1,000) records at a time; and
(3) Encryption – Any technology used to store, transport or access sensitive personal information for purposes of off-site access approved under this subsection shall be secured by the use of the most secure encryption standard recognized by the Commission.
The requirements of this subsection shall be implemented not later than six (6) months after the date of the enactment of this Act.

SEC. 24. Applicability to Government Contractors. – In entering into any contract that may involve accessing or requiring sensitive personal information from one thousand (1,000) or more individuals, an agency shall require a contractor and its employees to register their personal information processing system with the Commission in accordance with this Act and to comply with the other provisions of this Act including the immediately preceding section, in the same manner as agencies and government employees comply with such requirements.

7. Penalties for violation (25-37)

SEC. 25. Unauthorized Processing of:
Personal information
imprisonment ranging from one (1) year to three (3) years
and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00)
shall be imposed on persons who process personal information without the consent of the data subject, or without being authorized under this Act or any existing law.
Sensitive information
imprisonment ranging from three (3) years to six (6) years
and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00)
without the consent of the data subject, or without being authorized under this Act or any existing law.

SEC. 26. Accessing
(a) Accessing personal information due to negligence
imprisonment ranging from one (1) imprisonment ranging from one (1)
year to three (3) years year to three (3) years
and a fine of not less than Five and a fine of not less than One
hundred thousand pesos hundred thousand pesos
(Php500,000.00) but not more than (Php100,000.00) but not more than
Two million pesos One million pesos
(Php2,000,000.00) (Php1,000,000.00)
shall be imposed on persons who, shall be imposed on persons who
due to negligence, provided access knowingly or negligently dispose,
to personal information without discard or abandon the personal
being authorized under this Act or information of an individual in an
any existing law. area accessible to the public or has
sensitive personal information otherwise placed the personal
imprisonment ranging from three information of an individual in its
(3) years to six (6) years container for trash collection.
and a fine of not less than Five SEC. 28. Processing of Personal
hundred thousand pesos Information and Sensitive Personal
(Php500,000.00) but not more than Information for Unauthorized
Four million pesos Purposes. –
(Php4,000,000.00) The processing of personal
shall be imposed on persons who, information for unauthorized
due to negligence, provided access purposes
to personal information without imprisonment ranging from one (1)
being authorized under this Act or year and six (6) months to five (5)
any existing law. years
SEC. 27 and a fine of not less than Five
The improper disposal of personal hundred thousand pesos
information (Php500,000.00) but not more than
imprisonment ranging from six (6) One million pesos
months to two (2) years (Php1,000,000.00)
and a fine of not less than One shall be imposed on persons
hundred thousand pesos processing personal information for
(Php100,000.00) but not more than purposes not authorized by the
Five hundred thousand pesos data subject, or otherwise
(Php500,000.00) authorized under this Act or under
shall be imposed on persons who existing laws.
knowingly or negligently dispose, The processing of sensitive
discard or abandon the personal personal information for
information of an individual in an unauthorized purposes shall be
area accessible to the public or has penalized by
otherwise placed the personal imprisonment ranging from two (2)
information of an individual in its years to seven (7) years
container for trash collection. and a fine of not less than Five
(b) The improper disposal of hundred thousand pesos
sensitive personal information (Php500,000.00) but not more than
Two million pesos agents, who, with malice or in bad
(Php2,000,000.00) faith, discloses unwarranted or
shall be imposed on persons false information relative to any
processing sensitive personal personal information or personal
information for purposes not sensitive information obtained by
authorized by the data subject, or him or her, imprisonment ranging
otherwise authorized under this Act from one (1) year and six (6)
or under existing laws. months to five (5) years and a fine
SEC. 29. Unauthorized Access or of not less than Five hundred
Intentional Breach. – thousand pesos (Php500,000.00)
imprisonment ranging from one (1) but not more than One million
year to three (3) years pesos (Php1,000,000.00).
and a fine of not less than Five SEC. 32. Unauthorized Disclosure.
hundred thousand pesos – (a) Any personal information
(Php500,000.00) but not more than controller or personal information
Two million pesos processor or any of its officials,
(Php2,000,000.00) employees or agents, who
shall be imposed on persons who discloses to a third party personal
knowingly and unlawfully, or information not covered by the
violating data confidentiality and immediately preceding section
security data systems, breaks in without the consent of the data
any way into any system where subject, shall he subject to
personal and sensitive personal imprisonment ranging from one (1)
information is stored. year to three (3) years and a fine of
SEC. 30. Concealment of Security not less than Five hundred
Breaches Involving Sensitive thousand pesos (Php500,000.00)
Personal Information. – but not more than One million
imprisonment of one (1) year and pesos (Php1,000,000.00).
six (6) months to five (5) years (b) discloses to a third party
and a fine of not less than Five sensitive personal information not
hundred thousand pesos covered by the immediately
(Php500,000.00) but not more than preceding section without the
One million pesos consent of the data subject, shall
(Php1,000,000.00) be subject to
shall be imposed on persons who, imprisonment ranging from three
after having knowledge of a (3) years to five (5) years
security breach and of the and a fine of not less than Five
obligation to notify the Commission hundred thousand pesos
pursuant to Section 20(f), (Php500,000.00) but not more than
intentionally or by omission Two million pesos
conceals the fact of such security (Php2,000,000.00).
breach. SEC. 33. Combination or Series of
SEC. 31. Malicious Disclosure. – Any Acts. – Any combination or series of
personal information controller or acts as defined in Sections 25 to 32
personal information processor or shall make the person subject to
any of its officials, employees or imprisonment ranging from
three (3) years to six (6) years and office for a term double the term of
a fine of not less than One million criminal penalty imposed shall he
pesos (Php1,000,000.00) but not applied.
more than Five million pesos SEC. 37. Restitution. – Restitution
(Php5,000,000.00). for any aggrieved party shall be
SEC. 34. Extent of Liability. – governed by the provisions of the
corporation, partnership or any New Civil Code
juridical person, the penalty shall
be imposed upon the responsible
officers, as the case may be, who
participated in, or by their gross
negligence, allowed the
commission of the crime.
juridical person, the court may
suspend or revoke any of its rights
under this Act.
Alien- addition to the penalties
herein prescribed, be deported
without further proceedings after
serving the penalties prescribed.
public official or employee and lie
or she is found guilty of acts
penalized under Sections 27 and 28
of this Act, he or she shall, in
addition to the penalties prescribed
herein, suffer perpetual or
temporary absolute disqualification
from office, as the case may be.
SEC. 35. Large-Scale. – The
maximum penalty in the scale of
penalties respectively provided for
the preceding offenses shall be
imposed when the personal
information of at least one hundred
(100) persons is harmed, affected
or involved as the result of the
above mentioned actions.
SEC. 36. Offense Committed by
Public Officer. – When the offender
or the person responsible for the
offense is a public officer as
defined in the Administrative Code
of the Philippines in the exercise of
his or her duties, an accessory
penalty consisting in the
disqualification to occupy public
