DPA TLDR #1: Is your business covered by the Data Privacy Act?

If you are processing personal data, you are covered. There are no ifs or buts about that. And this is true whether your business is conducted in or out of the Philippines.

Just what exactly is “processing personal data”? The Implementing Rules (the “Rules”) define it as any operation or set of operations performed on personal data. Here are some examples: collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction. As you can see, this covers virtually anything that you can think of doing to personal data.

Moreover, if you are thinking that “processing” requires the use of computers or other information technology devices, you are wrong. The Rules apply in both the digital and the analog world. You are processing data even if you’re writing them on pieces of paper and stuffing these papers in brown envelopes.

Just to be sure though, you can use these guide questions to know if your business is covered:

  1. Is your business found or set up in the Philippines?
  2. Is the personal data processed that of a Philippine citizen or Philippine resident?
  3. Is the processing being done in the Philippines?
  4. Is the processing done by an entity with links to the Philippines?

“Links”, in this case, means any of the following:

  • equipment for processing data is located in the Philippines
  • maintains an office, branch, or agency in the Philippines for processing personal data
  • contract is entered into in the Philippines
  • central management or control is in the Philippines
  • has a branch, agency, office, or subsidiary in the Philippines and the parent/affiliate to personal data
  • carries on business in the Philippines
  • collects or holds personal data in the Philippines

If the answer to ANY of these questions is YES, you are definitely covered.