Philippines: Entry into force of Implementing Rules and Regulation of the Data Privacy Act of 2012 including data protection regulation

On 9 September 2016, the Implementing Rules and Regulations of the Data Privacy Act of 2012 entered into force, including data protection regulation. The Rules are applicable to any processing of personal data of Philippine citizens. The Rules specify the data privacy principles as prescribed by the Act. Additionally, the Rules provide details on how to ensure transparency, legitimate purpose and proportionality during data processing, principles related to the collection and retention of data as well as for data sharing. The Rules further lay out the legal bases necessary for the processing of regular data and sensitive data. Beyond that, the Rules specify the rights of data subjects and how data controllers must adhere to and respond to them. The rights of data subjects include the right to information, objection, access, ratification, erasure or blocking, damages and data portability. Lastly, the Rules specify how a data breach must be handled and what a notification of a data breach must contain, such as the data affected and the measures taken. The Rules stipulate the penalties for any breaches of the regulations.