MGLB vs. PAYMAYA PHILIPPINES, INC. (NPC 19-653)

In this case, Respondent Paymaya Philippines, Inc. is hereby ORDERED to furnish the Complainant MGLB the name of the recipient of her personal information in compliance with Section 16 (c) (3) of the Data Privacy Act, and pay the Complainant the amount of Forty Thousand (P40,000) Pesos as nominal damages to vindicate Complainant’s right to access, which …

RLA v. PLDT Enterprise (NPC 18-010)

In this case, the recorded means that manifests the consent of the Complainant is PLDT’s Application Form and the attached PLDT Terms and Conditions that were printed on the back of the Form. We note, however, that while the Terms and Conditions discuss the contractual relations that govern the usage, grant and maintenance of the DSL services …

RTB v. East West Banking Corporation (NPC 21-086)

The Commission resolves to DISMISS the Complaint of RTB against East West Banking Corporation (EWBC). The Commission AWARDS nominal damages, in the amount of Fifteen Thousand Pesos (P15,000.00), to RTB for EWBC’s failure to fulfill its obligation as a Personal Information Controller under Section 11 (c) of the Data Privacy Act of 2012. The existence …

MSH vs. RSF & TCC (NPC 18-142)

The Commission finds that the respondent should indemnify MSH for the damages sustained due to the inaccurate and false information found in her previous TORs. Based on Section 11(c) of the DPA, and Section 19(d) of the IRR of the DPA, the respondent, being a PIC, had the obligation to ensure that MSH’s personal information …

MVC, et al vs DSL (NPC 21-010 to NPC 21-015)

NPC finds that the respondent is liable for Section 32 (Unauthorized Disclosure) of the Data Privacy Act of 2012 and recommends his prosecution for the said offense. Respondent cannot rely on compliance with a legal obligation because he disclosed Complainants’ personal information for a completely different purpose. While it is necessary to process the delinquent …

MAF v. Shopee Philippines, Inc. (NPC 21-167)

Shopee violated the general privacy principle of proportionality. Shopee’s act of taking the son’s photo as proof of delivery is disproportional to the declared and specified purpose. The act of taking the son’s photo is not necessary to the declared and specified purpose and the means is not the least intrusive means available. Shopee could …

Understanding App Permissions

Permissions are the activities that the app can perform on your phone or device. These include access to your calendar, camera, contacts, microphone, phone, and even your location. The permissions asked by apps vary depending on the purpose for which the collected data are to be used. The following are some common app permissions as described …

Mandatory Data Processing Activities during MECQ and GCQ

Since some of the establishments will be reopening under the MECQ and GCQ, processing of personal data will play a role in preventing further spread of Covid19. Under the DTI and DOLE Interim Guidelines on Workplace Prevention and Control of Covid-19, there are measures that should be implemented in all workplaces consistent with the objectives of …

Tips for DPOs when Discussing Data Privacy

One of the functions of a Data Protection Officer (DPO) is to inform and cultivate awareness on privacy and data protection within the organization of the Personal Information Controller (PIC) or Personal Information Processor (PIP), including all relevant laws, rules and regulations and issuances of the National Privacy Commission (NPC). Such task is not as …

Tips in Conducting your PIA by Asha Abdulraheem

Privacy Impact Assessment (PIA) is the second pillar of data privacy accountability and compliance. After registering your Data Protection Officer (DPO) with the National Privacy Commission (NPC), the next step is to know, evaluate, and manage the data privacy risks that are present in your operations. Here are some tips that can help you in …

Skills needed to be an effective DPO by Asha Abdulraheem

The data privacy profession is a booming career today. There is high demand, coupled with competitive salaries, for Data Protection Officers (DPO) and other privacy practitioners worldwide because of the emerging importance of and strict regulations on privacy across the globe. That being said, the expectation is huge as regards the job to be performed …

Importance of Data Privacy Compliance by Asha Abdulraheem

With the rise of technology and the vast products and services that are available to the public, it is said that the personal data of individuals is now the new oil that keeps the economy running. It is the collection or processing of personal data that makes companies and organizations alive and without such, organizations …

Conditions for Voluntary Disclosure of Information of PUM/PUI/Covid19 Patients

There is an appeal asking the persons who are PUM/PUI/Covid19+ to make voluntary disclosure of their identities. It is our opinion that this can be done considering that under the Data Privacy Act (DPA), consent is one of the criteria to lawfully process personal data. Consent is also one of the criteria where data sharing …

Privacy Rights under the Data Privacy Act

The Data Privacy Act of 2012 (DPA) or Republic Act 10173 is the law which seeks to protect personal data of individuals and imposes upon the government and the private sector the obligation to safeguard said data. The data subject refers to an individual whose personal, sensitive personal, or privileged information is processed. Under the …


NPC DECISION RE PHISHING: Ignacio v. BPI, CID No. 17-K-004

(In this Decision, one of the issues discussed by the National Privacy Commission (NPC) is phishing and the responsibility for avoiding the same. Considering that phishing activities are rampant, it is worthy to note that both the data subject and the Personal Information Controller (PIC) shall exercise all efforts not to fall victim to said …


IDENTITY DISCLOSURE OF COVID19 PATIENT WILL NOT PREVENT THE SPREAD OF VIRUS

There are people who are lobbying for the public disclosure of the name/identity of the covid19 patient/person under investigation (PUI)/person under monitoring (PUM) for the reason of public health/safety concern. In evaluating the validity of this proposition, the questions, answers, and illustrations below will help us better understand the relevance/irrelevance of the said disclosure to …

5 Activities that a DPO can do while Working From Home

On 16 March 2020, following the sharp increase in the number of confirmed Covid19 cases, the President of the Philippines declared an enhanced community quarantine and ordered the imposition of stringent distancing measures over the entire Luzon effective from 17 March 2020 (12am) to 13 April 2020 (12am). As regards work in the private sector, …


THE EFFECTS OF ADOPTING AN ALTERNATIVE WORK ARRANGEMENT

With the global pandemic brought about by covid19, the Philippine government announced several measures that may be observed in order to prevent the spread of the virus. The government has not implemented a total lockdown but has announced a community quarantine in Metro Manila such as avoidance of mass gatherings, suspension of classes and …

Privacy of Covid19 Patients

Recently, messages and social media posts have been circulating containing the alleged list and photos of some of the patients who were infected by covid19. And there were even clamors among the public to disclose all information of all those who were infected by the virus for public safety and health reasons. How shall we …

5 Privacy Tips while Working from Home

In the Philippines, Republic Act No. 11165 was enacted by Congress to institutionalize telecommuting as an alternative work arrangement for employees in the private sector. “Telecommuting” refers to work from an alternative workplace with the use of telecommunications and/or computer technologies. Said work arrangement may be offered by an employer in the private sector …