The topics below may be relevant to your daily activities, especially those which involve business law, labor law, and other legal areas of your business.
Business Law and Labor Law Updates
GENERAL PRINCIPLES IN COLLECTION, PROCESSING AND RETENTION OF DATA UNDER THE DATA PRIVACY ACT
Collection must be for a declared, specified, and legitimate purpose.
Personal data shall be processed fairly and lawfully.
Processing of data should ensure data quality and personal data collected shall not be retained longer than necessary.
EXEMPTION FROM NOTIFICATION REQUIREMENTS IN CASES OF DATA PRIVACY BREACH
The personal information controller must notify the National Privacy Commission (Commission) and the data subjects affected whenever there are data privacy breaches.
The different factors shall be considered in determining whether the Commission may exempt a personal information controller from notification.
In evaluating if notification is unwarranted, the Commission may take into account the compliance by the personal information controller with the law and existence of good faith in the acquisition of personal data.
PROCEDURE FOR NOTIFYING THE DATA SUBJECTS IN CASE OF DATA PRIVACY BREACH
The data subjects shall be notified within seventy-two (72) hours upon knowledge of or reasonable belief by the personal information controller or personal information processor that a personal data breach has occurred.
A personal information controller may be exempted from the notification requirement where the National Privacy Commission determines that such notification would not be in the public interest or in the interest of the affected data subjects.
The personal information controller shall take the necessary steps to ensure the proper identity of the data subject being notified, and to safeguard against further unnecessary disclosure of personal data.
PROCEDURE FOR NOTIFYING THE NATIONAL PRIVACY COMMISSION IN CASE OF DATA PRIVACY BREACH
The Commission shall be notified within seventy-two (72) hours upon knowledge of or the reasonable belief by the personal information controller or personal information processor that a personal data breach has occurred.
Notification may only be delayed to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system.
There shall be no delay in the notification if the breach involves at least one hundred (100) data subjects, or the disclosure of sensitive personal information will harm or adversely affect the data subject.