OBLIGATION

ART. 1156
A juridical necessity to give, to do or not to do.

4 Elements
- Active and Passive Subject
- Juridical Tie or Vinculum Juris
- Prestation / Object
SOURCES OF OBLIGATION
ART. 1157
1. LAW
2. CONTRACTS
3. QUASI-CONTRACTS
4. ACTS OR OMISSIONS PUNISHED BY LAW
5. QUASI-DELICTS
 Data Privacy Act Awareness
R.A. No. 10173 of 2012

“Personal Data is the New Currency,

Keep Yours Safe and Secured.”
 Overview of the Data Privacy Act
“Sec. 2 Art 3 of the Constitution. “The right of the
people to be secure in their persons, houses,
papers, and effects against unreasonable searches
and seizures of whatever nature and for any purpose
shall be inviolable.”
“Sec. 3. (1) The privacy of communication and correspondence shall be
inviolable except upon lawful order of the court, or when public safety
or order requires otherwise as prescribed by law.”
Overview of the Data Privacy Act
WHY IS IT IMPORTANT?
What is the purpose of the Data Privacy Law?

• Safeguard the fundamental

human right to privacy.

• Ensure that personal data in

information and communications
systems in the government and in
the private sector are secured and
protected.
Under RA No. 10173,
organizations who deal with your
personal details, whereabouts,
and preferences are dutybound to
observe and respect your data
privacy rights.
Penalties for Violation

• Imprisonment of 1 year to 6 years

• Fine of P500,000.00 to P5,000,000.00

Is a school required to disclose or share information
on disciplinary case of their students?
• Schools receive, process, and resolve complaints involving
its students, faculty members and administrative personnel.
• In the course of such proceedings and up until their
conclusion, various parties would attempt to obtain – in
some cases, demand – access to some or all information
relating to such proceedings.
• Is the school required to disclose or share information
(including personal data) about a particular disciplinary
case of its student?
• A: The disclosure or sharing of personal and sensitive
personal information (collectively, personal data) is
considered as processing under the DPA.
• Hence, the same should be based on any of the lawful
criteria for processing under Sections 12 and 13 of the
law, depending on the nature of personal data being
disclosed or shared.
• Generally, the processing of sensitive personal
information is prohibited, except in certain instances, i.e.
when the processing is provided for by existing laws and
regulations or necessary for establishment, exercise or
defense of legal claims.
• NOTE:
• For cases falling under The Safe Spaces Act (SSA) – RA
No. 11313 (2019), the law requires confidentiality at any
stage of the investigation, prosecution and trial of an
offense, where the rights of the victim and the accused
who is a minor shall be recognized.
• Section 22 (8) of the SSA provides that the institution
shall guarantee confidentiality to the greatest extent
possible and Section 26 of the same law states that the
rights of a minor, who may either be the victim or
accused, shall be recognized in all stages of the
proceedings.
Know Your
Data Privacy Rights
Know Your
Data Privacy Rights
 Transparency and
Right to be Informed
• Staff took a picture of her Credit Card and Company ID and sent it to the
OIC via messenger
• Staff explained claimed company’s procedure and limited access
• Respondent: acts are not part of company’s standard practice
• Incident was caused by their staff’s lack of knowledge on processing credit
card transactions,
• Only to seek guidance from the OIC and not to commit any malicious act
• Acknowledged that taking photos of credit card and ID and sending those
via messenger are risky processes that may cause serious inconvenience
and potential damage to their customers.
 Transparency and
Right to be Informed

• The principle of transparency: data subjects must be aware of the nature, purpose,
and extent of the processing of his or her personal data.
• Right: “the data subject shall be notified and furnished with information indicated
hereunder before the entry of his or her personal data into the processing system of
the personal information controller, or at the next practical opportunity.
• Respondent failed to provide the purpose and justification as to the need of
processing the Complainant’s personal information through taking pictures.
• It took the Complainant four (4) inquiries before getting a substantial answer from the
staff
 Transparency and
Right to be Informed
 Privacy Notice and Consent

According to Answer of Respondent, the user is required to click

“Agree” to the Privacy Policy during sign up in the application. Upon
making a loan, the borrower is also required to click “Agree” to the Credit
Agreement…
The mere posting of a PIC’s privacy policy or notice and requiring the
consumers to agree thereon via the online platform does not equate to
obtaining the consent of the data subject for purposes of processing his or
her personal information as required under the law.
 CONSENT, Characteristics thereof:

“To determine whether the consent given by the data subject is proper, an
examination must be made whether such consent was freely given, specific,
informed, and an indication of will. Respondent points to the fact that it was
Complainant himself who provided his personal information to XXX as proof
of consent. While this may show that there was a positive act showing an
indication of will on the part of the Complainant and that such act was freely
given, it is not enough to show that the given consent was specific or informed.
Know Your
Data Privacy Rights
Know Your
Data Privacy Rights
Know Your
Data Privacy Rights
Know Your
Data Privacy Rights
 NPC Decisions

• Bank erroneously tagged C’s loan account as past due despite PDC
and endorsed the account to 3rd party collector agency;
• Error was caused by bank personnel to deposit PDC;
• Alleged unauthorized processing; unauthorized disclosure of
personal info to 3rd party agents;

Deputization of Plantilla Lawyers in CID

 PI: accurate, relevant and up to date

• NO unauthorized processing
• Basis: Sec 12(b) - The processing of personal information is necessary
and is related to the fulfilment of a contract with the data subject
• BUT failed to observe Sec 11(c) (Principles), in relation to Sec 16(f)
• Bank was ordered to pay Nominal Damages for unnecessary
disclosure of personal data to 3rd party agents

(f) Be indemnified for any damages sustained due to such

inaccurate, incomplete, outdated, false, unlawfully
obtained or unauthorized use of personal information;
Know Your
Data Privacy Rights
Know Your
Data Privacy Rights
https://www.privacy.gov.ph/complaints-main/
Know Your
Data Privacy Rights
Acts Considered Violations
• Unauthorized processing of information (no consent)
• Facilitating unauthorized access (negligence);
• Improper disposal of data (public area/trash bin);
• Processing for unauthorized purposes;
• Unauthorized access or intentional breach (break-in);
• Concealment of security breaches;
• Malicious disclosure of false data;
• Unauthorized disclosure.
 AI and Data-
driven Algorithmic
Discrimination Liabilities and
Data-driven
Justice

Misinformation Data Privacy and

RA 10173 and Security Digital Ownership and
Data Privacy Law Disinformation Control

RA 10175
Anti-Cybercrime Law
Data Poverty Data Quality
 Data Privacy Act Awareness
R.A. No. 10173 of 2012
"Cyberspace has made possible all that we can
gain through information, communication and
finance. Conversely, it has also made possible
all that we can lose."
 Data Privacy Act Awareness of
2012 / R.A. No. 10173
“In this digital era, information is the
currency of power – valuable, coveted,
but at a very high risk”.
Senator Edgardo Angara