Philippines: Processing by Local Establishment

The Philippines' Data Privacy Act of 2012 (DPA) and its Implementing Rules and Regulations (IRR) use the "Processing by Local Establishment" factor to determine the law's applicability. This factor extends the scope of the law to entities with a physical presence or business operations in the Philippines.

Text of Relevant Provisions

DPA of 2012 Section 6(c): "This Act applies to an act done or practice engaged in and outside of the Philippines by an entity if: [...] (c) The entity has other links in the Philippines such as, but not limited to:(1) The entity carries on business in the Philippines; and(2) The personal information was collected or held by an entity in the Philippines."

IRR Section 4(a) and (d): "The Act and these Rules apply to the processing of personal data by any natural and juridical person in the government or private sector. They apply to an act done or practice engaged in and outside of the Philippines if:a. The natural or juridical person involved in the processing of personal data is found or established in the Philippines;[...]d. The act, practice or processing of personal data is done or engaged in by an entity with links to the Philippines, with due consideration to international law and comity, such as, but not limited to, the following:[...]4. An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal data;"

Analysis of Provisions

The "Processing by Local Establishment" factor is primarily addressed through these provisions, which extend the law's applicability based on an entity's presence or operations in the Philippines.

The DPA Section 6(c) applies the law to entities that "carry on business in the Philippines" or where "personal information was collected or held by an entity in the Philippines". This broad language captures a wide range of business activities and data processing operations within the country.

The IRR further clarifies and expands this concept. Section 4(a) applies the law to any "natural or juridical person involved in the processing of personal data" that is "found or established in the Philippines". This provision ensures that the law covers all types of entities, whether individuals or organizations, that have a physical presence in the country.

Additionally, IRR Section 4(d)(4) extends the law's reach to entities that have "a branch, agency, office or subsidiary in the Philippines" and where "the parent or affiliate of the Philippine entity has access to personal data". This provision is particularly significant as it captures multinational corporations with local operations and ensures that data transfers within corporate groups are subject to the law's requirements.

Implications

The "Processing by Local Establishment" factor has several important implications for businesses:

Local entities: Any company established or operating in the Philippines must comply with the DPA, regardless of where their data subjects are located.
Foreign companies with local presence: Multinational corporations with branches, offices, or subsidiaries in the Philippines are subject to the law, even if their main operations are elsewhere.
Data collection and storage: Entities collecting or holding personal information within the Philippines fall under the law's scope, regardless of the data subjects' location.
Corporate group data access: If a parent company or affiliate outside the Philippines has access to personal data held by a Philippine entity, the entire data processing operation may be subject to the DPA.
Broad interpretation of "business": The term "carries on business in the Philippines" may be interpreted broadly, potentially including online businesses targeting Philippine customers without a physical presence.

These provisions ensure that the DPA has a wide reach, covering both local and international entities that process personal data in connection with the Philippines. Businesses must carefully assess their operations and data flows to determine if they fall under the law's scope based on this factor.

Jurisdiction Overview

Philippines

👮🏿 Exemption for Official Information of Public Servants 🏦 Central Bank and Financial Institutions Exclusion 🏛️ Government and Public Agency Exemption 🪑 Entity's Link or Presence in Jurisdiction 🤝🏿 Applicability Based on Contract Concluded in Jurisdiction 🔗 Processing in Context of Local Establishment 🏠 Processing in jurisdiction 🛂 Applicability to Citizens and Residents' Data 📍 Processing by Local Establishment 🎯 Exemption for Specific Purposes of Processing 🛡️ Exemption for Personal Data of Foreign Origin with Adequate Protection 🚎 Public License and Permit Information Exemption 🖥️ Use of Equipment Within Jurisdiction Physical Location/Residency of Data Subject in Jurisdiction ⚖️ Sectoral Exceptions Regulated by Other Laws 💼 Doing Business in Jurisdiction