RADAR Blog

IAPP Matchup: The Philippines' Data Privacy Act and the General Data Protection Regulation

This article By Alex Wall, CIPP/E, CIPP/US, CIPM, was originally published in the IAPP Privacy Tracker.


In the IAPP Privacy Tracker series, industry expers look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help determine how much duplication of operational effort you might avoid as you move toward GDPR compliance and help you focus your efforts. In this installment, RADAR Global Privacy Officer and Senior Counsel Alex Wall compares the Philippines’ Data Privacy Act of 2012, as supplemented by the Implementing Rules and Regulations, with the principles expressed by the GDPR.

Below is an excerpt from the matchup – click here to view the full comparison

Philippines data breach laws vs GDPR

Definition of Personal Data 

Philippines Personal Data Protection Act and Implementing Rules and Regulations: Personal information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information or when put together with other information would directly and certainly identify an individual. Sensitive personal data is personal data:

  • About an individual’s race, ethnic origin, marital status, age, color and religious, philosophical or political affiliations;
  • About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings or the sentence of any court in such proceedings;
  • Issued by government agencies peculiar to an individual, which includes but not limited to social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and 
  • Specifically established by an executive order or an act of Congress to be kept classified.

EU General Data Protection Regulation (GDPR): Personal data means any information relating to an identified or identifiable natural person. Special categories of data that are considered particularly sensitive are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

GDPR Readiness

Definition of Breach

Philippines Personal Data Protection Act and Implementing Rules and Regulations: A notifiable breach occurs when sensitive personal information or any other information, whether recorded in a material form or not, that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.

EU General Data Protection Regulation (GDPR): Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed.

Breach Notification Requirements

Philippines Personal Data Protection Act and Implementing Rules and Regulations: The National Privacy Commission and affected data subjects shall be notified by the personal information controller within 72 hours upon knowledge of or when there is a reasonable belief by that an unauthorized acquisition of sensitive personal information is likely to give rise to a real risk of serious harm to any affected data subject. A real risk of serious harm includes whether any information may, under the circumstances, be used to enable identity fraud.

EU General Data Protection Regulation (GDPR): The GDPR requires assessment of data incidents and prompt notification of the breach to data subjects when there is a high risk to the rights and freedoms of natural persons and, with respect to supervisory authorities, notification when the breach is likely to result in a risk to the rights and freedoms of natural persons.

View the full matchup in the IAPP Privacy Tracker.


Related Reading: 

Topics: Press, GDPR