The Philippine Data Privacy Act: Personal information controller vs. personal information processor

The Data Privacy Act of 2012, or Republic Act No. 10173, features clear and distinguishing definitions for personal information controller and personal information processor.


What is a personal information controller?


According to Privacy.gov, the Philippine Data Privacy Act defines “personal information controller” as any “person or organization who controls the collection, holding, processing or use of personal information.”


Personal information controllers have a say on the overall purpose of the processing of personal information, as well as the means for doing so. They can also outsource, authorize, or instruct another person or organization to process personal data.


Persons or entities that collect, process, or use personal data for their own or their family’s use are not considered personal information controllers.


The main responsibilities of a personal information controller include:


  • Compliance with all provisions specified in the Data Privacy Act
  • Ensuring the lawful implementation of all personal information processing as guided by the general privacy principles stated in the Data Privacy Act
  • Establishing safeguards to ensure the confidentiality and proper use of the personal data processed by a subcontractor
  • Implementing reasonable and appropriate security measures to protect personal information against accidental or unlawful disclosure, alteration, or destruction


How does a personal information processor differ from a controller?


A personal information processor is any individual or legal entity subcontracted by the controller to process personal data.


Personal information processors are technical partners that are assigned to carry out specific tasks related to the purposes of the controller’s data processing. While they may possess the methods and technologies to carry out the work, they have no control over the data or the purpose and means of its processing.


Why is it important to distinguish between the controller and processor roles?


The Data Privacy Act establishes a clear delineation between the data controller and processor roles so that involved parties are clearly informed of their roles. The data controller and the data processor each have distinct responsibilities, obligations, and limitations when it comes to handling personal information.


The clear delineation of roles protects all involved parties from liability in problematic situations, such as a data breach. Individuals and companies that strictly adhere to their roles as stipulated in the Data Privacy Act will encounter no legal repercussions.


In the Philippines, where business process outsourcing (BPO) and health information technology enterprises thrive, the processing of personal information is a crucial function. It is therefore important for individuals and organizations involved in this line of work to understand their roles.


As a business owner in the Philippines, you need to know and understand where your organization falls between these two roles. Doing so ensures that your business operations and processes are conducted within the national standards of data protection.


Read this blog post to learn more about how the Data Privacy Act applies to your business.


For other expert advice and insights in establishing, launching, and growing a business in the Philippines, contact FilePino. Our team is ready to attend to your questions and concerns at +1.806.553.6552 (USA) or +63.917.8922337 (Philippines). You may also send your inquiries here.