When is a personal information controller required to notify the Commission about a security breach?

When is a personal information controller required to notify the Commission about a security breach?

A personal information controller is strictly mandated to promptly notify the Commission and the affected data subjects in the event of a severe security breach. This urgent notification is required when sensitive personal information or data usable for identity fraud is reasonably believed to have been acquired by an unauthorized person. It must be executed if the controller or the Commission believes the illicit acquisition gives rise to a real risk of serious harm to any affected data subject. The strict legal protocols and conditions for breach notification are firmly established in Section 20 Data Privacy Act. “(f) The personal information controller shall promptly notify the Commission and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.” 21-May-26

About Nicolas and De Vega Law Offices

 Nicolas and De Vega Law Offices is a full-service law firm in the Philippines.  You may visit us at the 16th Flr., Suite 1607 AIC Burgundy Empire Tower, ADB Ave., Ortigas Center, 1605 Pasig City, Metro Manila, Philippines.  You may also call us at +632 84706126, +632 84706130, +632 84016392 or e-mail us at [email protected]. Visit our website https://ndvlaw.com/.

SEARCH