PHILIPPINES Law and Practice Contributed by: Francis L. Fragante and Jennifer Marie G. Castro, Cruz Marcelo & Tenefrancia
• appointing a Data Privacy Officer (DPO);
• registering the data processing system;
• conducting a Privacy Impact Assessment (PIA) within the organisation;
• creating a privacy manual or programme;
• implementing measures for privacy and data protection; and
• regular exercise of breach reporting procedures.

The DPA provides that processing of personal information is allowed, unless prohibited by law. On the other hand, processing of sensitive personal information and privileged information is prohibited, except in cases enumerated under the DPA IRR.

In case of data breach, the National Privacy Commission (NPC) and affected data subjects must be notified by the personal information controller within 72 hours upon knowledge of the incident. Notification of personal data breaches shall be required when sensitive personal information or any other information that may be used to enable identity fraud are reasonably believed to have been acquired by an unauthorised person, and the personal information controller or the NPC believes that such unauthorised acquisition is likely to give rise to a real risk of serious harm to any affected data subject.

Any natural or juridical person, or other body involved in the processing of personal data, who fails to comply with the DPA, the DPA IRR and other issuances of the NPC, shall be liable for such violation, and shall be subject to its corresponding sanction, penalty or fine, without prejudice to any civil or criminal liability.