Startup Guide: Data Privacy

3 years ago

Data Privacy has become a very big deal in recent years.

In the Philippines, the governing law is the Data Privacy Act. Contrary to popular belief, Philippine startups only have to comply with the General Data Protection Regulation (GDPR) if they collect data from users in the European Union. Other laws to be aware of are the California Consumer Privacy Act and the California Privacy Rights Act, which may apply if you intend to operate in California, United States.

The first thing to remember is that if you are a startup with a website that collects Philippine user data, you are considered a personal information controller. You may have gotten this personal information through data voluntarily submitted to you through user signups or through user actions taken on your platform.

On the other hand, your website users are called data subjects.

Your primary job under the law is to protect the rights of these data subjects. These include the right to be informed of when his/her data is being processed.

That is why your website’s Privacy Policy is essential. Here, the data subject is made aware of the nature, purpose, extent, remedies, and safeguards involved in the processing of his/her data. The data subject must give his/her consent before his/her data is processed.

For the startup, that means it should always ask the data subject for their consent to process their data. This could mean something as simple as putting a checkbox for the data subject to click after the data privacy policy has been shown to them.

Remember, you cannot collect all types of data. The data must be necessary for your declared legitimate purpose. There is also a category of information called sensitive personal information, which is especially protected. Such information includes information on the race, ethnicity, age, marital status and religion of the data subjects.

Merely asking for consent is not enough to comply with our Data Privacy Law.

You are required to designate Data Protection Officers (DPOs), who must be regular employees of the company or, if contractual, must stay at least 2 years. The DPOs should ideally have expertise in both data protection regulations and the startup’s data processing operations. More details on DPOs can be found here.

Some of the other requirements are as follows:

  • Implementation of appropriate data protection and processing policies
  • Description of data processing system with records
  • Selection and supervision of employees who have access to personal data

Lastly, if you process the sensitive personal information of at least 1,000 individuals or employ at least 250 persons, you are required to register with the National Privacy Commission.

By complying with Data Privacy regulations, you will not only protect yourself from legal risk but also build trust with the users of your platform.

Atty. Raymond Rodis is one of the many lawyers you can find on Digest. Post your legal concern here on Digest and we will find you a lawyer that fits your budget and issue.
