04/07/2023
When should a Personal Information Controller notify the NPC of a personal data breach?
Notification shall be required upon knowledge of or when there is reasonable belief by the personal information controller or personal information processor that a personal data breach requiring notification has occurred, under the following conditions:
(a) The personal data involves sensitive personal information or any other information that may be used to enable identity fraud. For this purpose, "other information" shall include, but not be limited to: data about the financial or economic situation of the data subject; usernames, passwords and other login data; biometric data; copies of identification documents, licenses or unique identifiers like PhilHealth, SSS, GSIS, TIN number; or other similar information, which may be made the basis of decisions concerning the data subject, including the grant of rights or benefits.
(b) There is reason to believe that the information may have been acquired by an unauthorized person; and
(c) The personal information controller or the Commission believes that the unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.