
Mapping the Philippine Data Privacy Act and GDPR:

A White Paper from the EITSC

About EITSC: The European Innovation, Technology, and Science Center Foundation (EITSC) is an initiative of several European
and Philippine development-oriented organizations. Creating European-Philippine partnerships, the EITSC is the bridge for
Philippine companies into the European market and for European firms to build strategic partnerships with Philippine business in
innovation, technology, and science, and to set up beachheads in the country. As part of its commitment to increasing
understanding in Philippine-European relations, EITSC commissioned Mr. Mapa to author this paper.

About the author: Damian “Dondi” Mapa is an expert in information and communications technology and public policy. In 2004,
he was appointed to the Commission on ICT (CICT) by President Gloria Macapagal-Arroyo. In 2016, he was appointed to the
National Privacy Commission (NPC) by President Benigno S. Aquino III. He is a co-author and signatory of the Implementing Rules
and Regulations of the Data Privacy Act of 2012 as well as various NPC circulars and advisories. He is a Certified Information
Privacy Manager (CIPM) and a past member of EITSC’s Board of Trustees.

European Innovation, Technology, and Science Center Foundation, Inc. (EITSC)


19/F Phil AXA Life Centre Sen. Gil Puyat Ave. cor. Tindalo St., Makati City 1200
Tel: (63 2) 759 2247
Email: info@eitsc.com • Website: www.eitsc.com
Mapping the DPA and GDPR

During my term as CICT Commissioner, I was tasked by President Arroyo in 2004 to grow the Philippine
BPO industry and make it more competitive. One of the strategies we pursued was “data protection as a
competitive differentiator for business process outsourcing”. To this end, we invited several EU
consultants in 2005-2006 to give their comments on DTI Administrative Order No. 8-2006, Guidelines for
the Protection of Personal Data, which eventually evolved into Republic Act 10173, the Data Privacy Act
of 2012. Our leader in this undertaking was the late Senator Edgardo J. Angara, then the Chairman of the
Congressional Commission on Science Technology and Engineering (COMSTE).

Thus, it should not come as a surprise to anyone that the Data Privacy Act (DPA) is closely patterned after
the European Union’s General Data Protection Regulation (GDPR). In fact, I would assert that any
Philippine company that is fully compliant with the DPA and related issuances is already 90% compliant
with the GDPR. A corollary to this would be that Filipino Data Protection Officers (DPOs) would naturally
be highly proficient in performing GDPR-compliance roles.

To prove this assertion, I have compiled a point-by-point comparison in the sections below. Please note
that my thesis is not that the DPA is the Philippine version of the GDPR, but rather that the DPA may be
viewed as a Philippine implementation of the GDPR – in alignment with Recital 8 of the GDPR: “States
may, as far as necessary for coherence and for making the national provisions comprehensible to the
persons to whom they apply, incorporate elements of this Regulation into their national law.”

In reading my comments below, please note that when I refer to the “DPA”, I also include the related
issuances of the National Privacy Commission (NPC): namely, the Act’s Implementing Rules and
Regulations (IRR) as well as related circulars and advisories:

• NPC Circular 16-01, Security of Personal Data in Government Agencies,
• NPC Circular 16-02, Data Sharing Agreements involving Government Agencies,
• NPC Circular 16-03, Personal Data Breach Management,
• NPC Circular 17-01, Registration of Data Processing Systems,
• NPC Advisory 17-01, Designation of Data Protection Officers, and
• NPC Advisory 17-03, Guidelines on Privacy Impact Assessments.

1. What is the purpose of these laws/regulations?

GDPR: To protect fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data (Article 1)
DPA: To safeguard the fundamental human right of every individual to privacy (IRR Section 2)

GDPR: To enable the free movement of personal data within the Union (Article 1)
DPA: To ensure the free flow of information for innovation, growth, and national development (IRR Section 2)

There is substantial alignment.

© 2018 by Damian Domingo O. Mapa, all rights reserved.



2. What “rights” are being granted by these laws and regulations?

GDPR: Right to be informed (Articles 13 and 14)
DPA: Right to be informed (IRR Section 34.a)

GDPR: Right to lodge a complaint (Articles 15.1.f and 77)
DPA: Right to lodge a complaint (IRR Section 34.a.2.i)

GDPR: Right to restriction of processing, to object (Articles 18, 19, 21 and 22)
DPA: Right to object (to withhold consent to processing) (IRR Section 34.b)

GDPR: Right to access (Article 15)
DPA: Right to access (IRR Section 34.c)

GDPR: Right to rectification (to correct) (Articles 16 and 19)
DPA: Right to rectification (to correct) (IRR Section 34.d)

GDPR: Right to erasure (to be forgotten) (Articles 17 and 19)
DPA: Right to erasure or blocking (IRR Section 34.e)

GDPR: Right to data portability (Article 20)
DPA: Right to data portability (IRR Section 36)

GDPR: Right to compensation and liability (Article 82)
DPA: Right to be indemnified (IRR Section 34.f)

There is substantial alignment.

3. Who are these rights granted to?

GDPR: Natural persons, whatever their nationality or place of residence, whose personal data is being processed in the Union; and data subjects who are in the Union whose personal data is being processed outside the Union for the purpose of offering goods/services, or monitoring of behavior within the Union (Recitals 1, 2, 14, Article 3)
DPA: Philippine citizens, Philippine residents, and any natural persons whose personal data is being processed in the Philippines (IRR Section 4)

GDPR: no corresponding provision
DPA: Transmissibility of rights to lawful heirs and assigns (IRR Section 35)

The GDPR aspires to cover all data subjects, regardless of nationality or place of residence, whereas the
DPA covers Philippine citizens primarily, whether they are in the Philippines or travelling abroad. One
way of simplifying this scope is to state: “If you are in the EU, expect to be covered by the GDPR, and if
you are in the Philippines, expect to be covered by the DPA.” Given the 100% alignment seen in paragraph
2 above, this is tantamount to saying that all 8 rights mentioned above are expected to be upheld in
both the Philippines and the Union.


There is one substantial difference under the DPA: the addition of “transmissibility of rights”, which gives
the lawful heirs and assigns of a data subject the ability to invoke the rights of a data subject who has
passed away or been incapacitated. This means that data controllers and processors must be prepared to
uphold these rights, even in the absence of the data subject.

There is also a substantial difference under the GDPR: for those outside the Union, if you are processing
data of subjects who are in the Union for the purpose of offering goods/services, or for monitoring their
behavior within the Union, then you must also comply with GDPR.

4. Who must comply with these obligations?

GDPR: Data controllers and data processors (Articles 24 to 31)
DPA: Personal information controllers and personal information processors (IRR Sections 3.m, 3.n, 43 to 45, 50 to 51)

There is substantial alignment.

5. What type of data is covered?

GDPR: Personal data (Article 4.1)
DPA: Personal information (IRR Section 3.l)

GDPR: Special categories of personal data (Articles 9.1 and 87)
DPA: Sensitive personal information and privileged information (IRR Sections 3.q and 3.t)

There is very close alignment in this area, with personal information referring to information that will
allow one to be identified, and sensitive (or “special”) data referring to information that falls under
specifically enumerated categories. Under the DPA, this enumeration includes government-issued
identification numbers, as well as privileged information.

Another distinction to be aware of is that, under the IRR and related issuances, “personal data” is used as
a catch-all phrase that includes personal information, sensitive personal information, and privileged
information.


6. What are the conditions under which personal information may be processed?

GDPR: Consent, contractual agreement, legal obligation, protection of vital interests, public interest/exercise of official authority, legitimate interests (Recitals 39-52, Article 6)
DPA: Consent, contractual agreement, legal obligation, protection of vital interests, public interest/exercise of public authority, legitimate interests (IRR Sections 21 and 37)

There is substantial alignment.

7. What are the conditions under which sensitive personal information (or special categories of
personal data) may be processed?

GDPR: Consent, legal obligation, protection of vital interests, legitimate activities of non-profits, public data, court proceedings, substantial public interest, medical diagnosis or treatment, archiving for scientific or historical research or statistical purposes (Recitals 53 and 54, Article 9)
DPA: Consent, legal obligation, protection of vital interests, medical treatment, lawful and non-commercial objectives of public organizations, court proceedings, exercise of public authority, scientific and statistical research (IRR Sections 22 and 37)

The DPA is slightly more restrictive when it comes to processing of sensitive personal information, as it
does not explicitly allow for processing of “data which are manifestly made public by the data subject”.
In addition, data processed for scientific and statistical research shall be held under strict confidentiality
and shall be used only for the declared purpose (IRR Section 37).

8. What are the privacy principles that must be observed when processing personal information/data?

GDPR: Lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, accountability (Article 5)
DPA: Transparency, legitimate purpose, proportionality, purpose limitation, lawfulness, fairness, confidentiality, accuracy, storage limitation, accountability (IRR Sections 17 to 20, 50 to 51)

There is very close alignment in this area, with DPA adding the principle of “proportionality”, which is
somewhat similar to the “data minimization” principle under the GDPR.


9. How is consent defined?

GDPR: Freely given, specific, informed, unambiguous, may be withdrawn, respects age of data subject (Articles 7 and 8)
DPA: Freely given, specific, informed, written or recorded or electronically evidenced, time-bound, may be withdrawn (IRR Sections 3.c and 19.a.1)

While there is close alignment in this area, there are some slight differences. The GDPR has introduced
the concept of “granularity” in Article 7.2, whereas the DPA has introduced the concept of “time-bound”
consent in Section 19.a.1 of the IRR.

Also, while the GDPR allows parents to provide consent on behalf of children below the age of 16 (an age that
may go as low as 13), the DPA is silent with regard to the age of the data subject, though it should be noted that in
the Philippines, the age of majority is defined as 18 years old by Republic Act 6809.

10. What are the obligations around appointing a Data Protection Officer (DPO)?

GDPR: Controllers and processors should designate a data protection officer (or, for controllers and processors not established in the Union, a data protection “representative in the Union”) (Articles 27, and 37 to 39)
DPA: All controllers and processors should designate an individual/s accountable for compliance (IRR Section 50.b, Advisory 17-01)

There is close alignment in this area. Whereas the GDPR lists down the 3 situations where a DPO is needed,
the DPA requires all controllers and processors to designate a DPO, and this is most likely the case as well
in EU countries that have passed local laws to implement the GDPR.

However, one notable difference in the GDPR is the requirement to designate “data protection
representatives” for controllers and processors who do not have an established presence in the Union,
but who process data of subjects who are in the Union for the purpose of offering goods/services, or for
monitoring their behavior within the Union.

One notable difference in the DPA is that the DPO must be an employee of the company, or if employed
by contract, the contracted period should be a minimum of two years. In addition, while the functions of
a DPO may be outsourced, the DPO should always have the role of being contact person for the NPC.


11. What are the obligations around the conduct of a privacy impact assessment?

GDPR: Controller should carry out an assessment of the impact of processing operations on the protection of personal data (Articles 35 and 36)
DPA: A privacy impact assessment should be carried out for every processing system that involves personal data (Advisory 17-03, IRR Section 29)

Other than the title of the document (DPIA or Data Protection Impact Assessment in GDPR, PIA or Privacy
Impact Assessment in DPA), there is very close alignment in this area.

In addition, NPC Advisory 17-03 specifically mentions ISO/IEC 29134 as an acceptable methodology for
the conduct of a privacy impact assessment. Under this methodology, there is the possibility of conducting
a “pre-assessment”, otherwise known as a threshold analysis.

12. What are the obligations around reporting breaches of personal data?

GDPR: Notification of the supervisory authority within 72 hours; notification of the data subject without undue delay (Articles 33 and 34)
DPA: Notification of the NPC and affected data subjects within 72 hours (IRR Sections 38 to 42, Circular 16-03)

The DPA defines security incident as “an event or occurrence that affects or tends to affect data
protection, or may compromise the availability, integrity and confidentiality of personal data”, and under
GDPR, there is a similar definition: “a breach of security leading to the accidental or unlawful destruction,
loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise
processed.”

Both the GDPR and the DPA lay down clear criteria on when notification is required; these are spelled out
in the sections referred to above. There is very close alignment in this area, with the DPA adding the
“affected data subjects” to those who must be notified within 72 hours. Nevertheless, the NPC allows
delay in notification under the conditions listed in Section 40 of the IRR.

13. What other obligations are aligned between GDPR and DPA?

GDPR: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Article 32)
DPA: Implement reasonable and appropriate organizational, physical, and technical security measures for the protection of personal data (IRR Section 25, Circular 16-01)

GDPR: Maintain records of processing activities (Article 30)
DPA: Maintain records of processing activities (IRR Section 26.c)

GDPR: Ensure that processors meet the requirements of this Regulation and ensure the protection of the rights of the data subject (Articles 28 and 29)
DPA: Processor shall comply with the requirements of the Act, these Rules, other applicable laws, and other issuances of the Commission, in addition to obligations provided in a contract, or other legal act with a personal information controller (IRR Sections 43 to 45)

GDPR: Comply with arrangement for joint controllers (Article 26)
DPA: Comply with the principles for data sharing (IRR Section 20, Circular 16-02)

14. Are there any obligations with regard to transferring personal data across borders?

GDPR: Transfers may only take place when there is (1) an adequacy decision, or (2) appropriate safeguards such as standard clauses or certification, or (3) binding corporate rules, or (4) specific derogations listed in Article 50 (Articles 44 to 50)
DPA: There are no restrictions in the DPA with regard to transfers. However, the geographic location of the processing must be set out in the subcontracting agreement (IRR Section 44.a)

With regard to certification, GDPR lays down the conditions for having one such common certification,
the European Data Protection Seal, in Articles 42 and 43.

While the DPA and related issuances do not place any restrictions on data residency, there may be sectoral
regulations in place, such as those imposed by the Philippine Central Bank (BSP) on banks and other
financial institutions.

15. What are the consequences of not complying with these laws/regulations?

GDPR: Payment of damages and/or fines, and penalties (laid down by Member States) (Articles 82 to 84)
DPA: Compliance order, cease and desist order, payment of damages (restitution), ban on processing, and criminal prosecution (IRR Sections 52 to 65)


The GDPR famously lays down fines of up to 20 million EUR (or up to 4% of the previous year’s turnover). In
addition, further civil, administrative, and criminal penalties may still be defined by the EU Member States.

In the Philippines, violations of the DPA and related issuances can result in the serving of a compliance
order, cease and desist order (ban on processing), payment of damages, and criminal prosecution which
could result in jail terms (up to 7 years) and fines (up to 5 million PHP). The maximum penalties are
imposed when at least 100 data subjects have been affected. If the offense is committed by a public
officer, there is an accessory penalty of disqualification from public office for double the term of the
criminal penalty.

16. Are there any reporting or registration requirements?

Other than breach notifications, the GDPR does not spell out any other reporting or registration
requirements, but rather leaves this up to the EU Member States to specify.

In the Philippines, the requirements include annual registration, and an annual Security Incident Report
(IRR Sections 46 to 48, Circular 16-03, and Circular 17-01).

17. What are the exemptions, if any?

The GDPR lists down several situations where data protection obligations may be relaxed, namely: data
relating to criminal convictions and offences (Article 10), de-identified data (Article 11), restrictions to the
rights and obligations (Article 23) and journalistic, academic, artistic, or literary purposes (Article 85).

The DPA has similar provisions, namely: matters of public concern or “FOI” (IRR Section 5.a), journalistic,
artistic, or literary purposes (IRR Section 5.b), research intended for a public benefit (IRR Section 5.c), and
information collected from residents of foreign jurisdictions (IRR Section 5.f). There is also a limitation on
the rights of data subjects for reasons enumerated in IRR Section 37.

Please note however, that these exemptions are not “blanket” exemptions, and care must therefore be
exercised to ascertain which of the obligations are being waived, if at all.

###

