Philippines: Processing in Context of Local Establishment
The Philippines Data Privacy Act of 2012 (DPA) incorporates the factor of processing in the context of local establishment as a criterion for determining the law's applicability to entities outside the Philippines.
Text of Relevant Provisions
DPA of 2012 Sec. 6(b3):
"This Act applies to an act done or practice engaged in and outside of the Philippines by an entity if: (b) The entity has a link with the Philippines, and the entity is processing personal information in the Philippines or even if the processing is outside the Philippines as long as it is about Philippine citizens or residents such as, but not limited to, the following: (3) An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information; and"
Analysis of Provisions
The DPA extends its applicability to entities outside the Philippines based on their connection to the country through local establishments. Specifically, Section 6(b3) states that the Act applies to entities that have "a branch, agency, office or subsidiary in the Philippines" if "the parent or affiliate of the Philippine entity has access to personal information."
This provision captures a broad range of organizational structures, including branches, agencies, offices, and subsidiaries. The key element is access to personal information by the parent or affiliate of the Philippine entity. This means that even if the actual processing occurs outside the Philippines, the law still applies if there is a local presence and data access.
The phrase "processing personal information in the Philippines or even if the processing is outside the Philippines" further emphasizes that the location of processing is not the sole determining factor. Instead, the law focuses on the entity's connection to the Philippines and its access to personal data of Philippine citizens or residents.
Implications
This provision has significant implications for multinational companies and foreign entities operating in the Philippines:
- Local presence triggers applicability: Any foreign company with a branch, agency, office, or subsidiary in the Philippines must comply with the DPA if it processes personal data of Philippine citizens or residents, regardless of where the actual processing occurs.
- Data access is key: The law applies not only to the local entity but also to its parent company or affiliates if they have access to the personal information.
- Extraterritorial reach: The provision extends the law's reach beyond Philippine borders, capturing data processing activities that occur outside the country but involve Philippine citizens' or residents' data.
- Broad interpretation of "link": The law uses the term "link with the Philippines," which allows for a potentially broad interpretation of what constitutes a sufficient connection to trigger the law's applicability.
- Compliance obligations: Foreign entities with any form of establishment in the Philippines must carefully assess their data processing activities and ensure compliance with the DPA, even if the actual processing occurs in other jurisdictions.