PHILIPPINES Law and Practice Contributed by: Kerwin K. Tan, Veronica S. Balbin and Jose Maria B. Buenagua, Tan Hassani and Counsels
data subject or in order to take steps at the request of the data subject prior to entering into a contract;
• when the processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
• when the processing is necessary to protect vitally important interests of the data subject, including life and health;
• when processing is necessary in order to respond to a national emergency, to comply with the requirements of public order and safety, or to fulfil functions of public authority that necessarily include the processing of personal data for the fulfilment of its mandate; or
• when the processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

It also provides for the criteria for the lawful processing of sensitive personal information:
• when the data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;
• when the processing of the same is provided for by existing laws and regulations, as long as such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information and that the consent of the data subjects is not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;
• when the processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;
• when the processing is necessary to achieve the lawful and non-commercial objectives of public organisations and their associations, as long as such processing is only confined and related to the bona fide members of these organisations or their associations, that the sensitive personal information is not transferred to third parties, and that consent of the data subject was obtained prior to processing;
• when the processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or
• when the processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defence of legal claims, or when provided to a government or public authority.

The DPA allows the cross-border transfer of personal information from the Philippines to another jurisdiction. Recently, the National Privacy Commission (NPC) of the Philippines released several advisories and guidelines on the following:
• advisory on model contractual clauses for cross-border transfer of personal data (however, the adoption of these clauses is only recommended rather than mandatory);
• guidelines for obtaining consent from data subjects and guidelines on the legitimate interest (these guidelines, while not specifically for technology transactions and outsourcing, will serve as helpful guidelines for various industries when it comes to processing personal information of clients, employees, suppliers, and other people that they transact with);
• requirements for the security of personal data processed by personal information controllers (PICs) or personal information processors (PIPs) (these guidelines cover, inter alia, transfer of and access to personal information, usage of authorised devices, disposal and destruction of personal data, business continuity plans, and removable or portable storage media for processing of personal information); and
• requirements for a data sharing agreement.

Where outsourcing involves personal data, the DPA and its implementing rules apply, and the data controller retains ultimate responsibility for compliance