FREQUENTLY ASKED QUESTIONS
TELECOMMUNICATION COMPANIES AND INTERNET SERVICE PROVIDERS
Scope of the DPA
The law applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing. As long as the entity processes personal data in its operations, both internal and external, it is covered by the law, its Implementing Rules and Regulations, and issuances of the National Privacy Commission (NPC).
Personal information controllers and processors that are not found or established in the Philippines are still covered by the law when they use equipment that is located in the Philippines, or when they maintain an office, branch or agency in the Philippines.
Moreover, Section 6 of the DPA provides for the extraterritorial application of the law. It still applies to an act done or practice engaged in and outside of the Philippines by an entity if:
According to Section 3(b) of the DPA, consent refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal or privileged information. It may also be given on behalf of a data subject by a lawful representative or an agent specifically authorized by the data subject to do so.
Implied consent is not permissible under the DPA. The law explicitly states that consent shall be evidenced by written, electronic or recorded means. The data subject must willingly indicate and express his or her approval and permission to the processing of his or her personal data.
Consent is only one of the several conditions that will justify the processing of personal information.
Section 12 of the DPA provides that processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:
Data Subjects and Personal Information
Data subjects are those whose personal information is processed. In this sector, the data subjects are the customers and subscribers.
Personal information, as defined in Section 3(g) of the DPA, refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
The name, billing address, contact number and email address of the customers are considered as personal information.
The mobile number of a subscriber is considered as personal information. This is particularly true of post-paid subscribers, since telecommunication companies assign a distinct and specific mobile number to every post-paid subscriber. It then becomes their customer identification number with regard to all transactions with the company.
Similarly, with prepaid subscribers, the identity of the subscriber may be ascertained when the mobile number is combined with other identifiers.
Recital 30 of the European Union’s General Data Protection Regulation (GDPR) states that natural persons may be associated with online identifiers, including a data subject’s Internet Protocol (IP) address and cookie identifiers, among others, considering that these may be combined with other unique identifiers generated by servers, which may then be linked to particular individuals.
Personal information controller, personal information processor and personal data processing
A personal information controller is a person or an organization who controls the collection, holding, processing or use of personal information, including a person or an organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. However, it excludes:
Hence, the company is the personal information controller. The offices, divisions or departments within the company who process personal data are considered as process owners under the personal information controller.
A personal information processor is any natural or juridical person qualified to act as such under the law to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.
The outsourcing or subcontracting agreement with the personal information processor shall be in accordance with Rule X of the Implementing Rules and Regulations of the DPA.
These foreign cloud service providers are considered as personal information processors under the law, since the personal information controller outsources the storage of personal data to them and there is no prohibition on outsourcing such activity. However, they are likewise required to comply with the law, the IRR and relevant issuances.
It is incumbent upon the personal information controller to ensure that the foreign cloud service providers are compliant.
Every personal information controller must take steps to ensure that those engaged by the company are compliant with the DPA. Moreover, the duties and obligations of the personal information processors under the law must be incorporated in the outsourcing contract.
Processing covers any activity or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
The definition of processing covers the storage of personal data, whether for current use or for documentation and reportorial requirements.
There is no fixed or imposed period of retention of personal data. However, personal data shall be retained only for as long as necessary:
The company has to determine a specific period of time it deems necessary and sufficient to protect both the rights of the customers and the company.
Upon expiration of the retention period, the personal information controller and personal information processor shall safely and securely dispose or discard personal data in a manner that would prevent further processing, unauthorized access, or disclosure to any other party or the public, or prejudice the interests of the data subjects.
A privacy notice is a statement made to data subjects that describes how the organization or entity collects, uses, retains and discloses personal information. It enumerates the exact information gathered, the purpose of collection and the recipients in case the information is shared or transferred to another entity.
The privacy notice should be revised when there is a change in any of the contents of a notice. If there is a new process, purpose or use of personal information collected, the privacy notice should be revised and the data subjects must be informed of these changes.
Appointment of a Data Protection Officer
According to NPC Advisory 2017-01, all natural and juridical persons engaged in the processing of personal data within and outside of the Philippines are required to appoint or designate an individual or individuals who shall function as DPO, regardless of the size of their business.
The DPO shall be accountable for ensuring the compliance by the personal information controller or personal information processor with the DPA, its IRR, NPC issuances, and other applicable laws and regulations relating to privacy and data protection.
Subject to the approval of the NPC, a group of related companies may appoint or designate the DPO of one of its members to be primarily accountable for ensuring the compliance of the entire group with all data protection policies. Where such common DPO is allowed by the NPC, the other members of the group must still have a compliance officer for privacy (COP).
The company may outsource or subcontract the functions of its DPO or COP. However, the DPO or COP must be a full-time or organic employee of the personal information controller or personal information processor given that he or she will be the contact person of the entity vis-à-vis the NPC.
Registration of data processing system
It refers to a structure and procedure by which personal data is collected and further processed in an information and communications system or relevant filing system, including the purpose and intended output of the processing.
Pursuant to NPC Circular 2017-01, a personal information controller or personal information processor shall register its data processing systems if it is processing personal data and operating in the country under any of the following conditions:
Furthermore, Appendix 1 of the same circular mandates the listed sectors to register. Telecommunications networks, internet service providers and other entities or organizations providing similar services are among those enumerated, since their processing of personal data is likely to pose a risk to the rights and freedoms of data subjects.
Data Breach and Notification
As stated in NPC Advisory 2018-01, it refers to an event or occurrence that affects or tends to affect data protection or may compromise the availability, integrity and confidentiality of personal data. It includes incidents that would have resulted in a personal data breach if not for safeguards that have been put in place.
It refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. A personal data breach may be in the nature of:
Each and every data subject must be notified by the personal information controller because the nature of information, extent and effect of the breach may vary from one data subject to another.
The NPC does not impose or require investment in sophisticated technologies, certifications or accreditations to demonstrate compliance with the law, the IRR and NPC issuances. The NPC directs telcos and ISPs to conduct a privacy impact assessment (PIA) to determine the information collected, the risks associated with processing such personal data, and the measures currently being implemented. After which, the organization is directed to administer and enforce sufficient organizational, physical and technical measures to address the threats, risks and harms present.
The Credit Information Corporation is statutorily mandated to comply with the directives of the CIC, when applicable (e.g. post-paid subscribers).
Marketing messages in relation to the current services rendered to or availed of by the subscriber are permitted. However, sending promotional materials for services and products completely unrelated to the current services availed of by a particular subscriber requires his or her consent.