Frequently Asked Questions


Basic Concepts and Principles



What is personal data?
Personal data is the collective term used to refer to personal information, sensitive personal information, and privileged information.


What are personal information?
Personal information is one or more data point from which the identity of an individual is obvious or can be reasonably and directly determined by the entity holding it.


What are sensitive personal information?
Sensitive personal information are those personal information that:

1. refer to an individual’s: race, ethnic origin, marital status, age, color, affiliations (religious, philosophical, or political), health, education, genetic or sexual life;
2. refer to any proceeding for any offense allegedly or actually committed by an individual, including the disposal of or the court’s sentence in such proceeding;
3. are issued by government agencies peculiar to an individual (e.g., social security number, previous or current health records, licenses [including its denials, suspension, or revocation], tax returns, etc.);
4. are classified, as established by an Executive Order or a law enacted by Congress.


What are privileged information?
Privileged information refers to all data classified under the (Philippine) Rules of Court and other laws as “privileged communication”. Under the Rules of Court, in particular, they refer to:

1. any communication shared in confidence between husband and wife;
2. any communication or advice between an attorney and a client
3. any advice or treatment given, or any information acquired by a doctor from a patient
4. any confession made by a person to a minister or priest, as well as any advice subsequently given by the latter to that person
5. communication made to a public officer in official confidence


What is a data subject?
The data subject is the individual whose personal data is the subject of processing. The personal data pertains to him or her.

Can an organization or a group be a data subject?
NO. Only a natural person can be a data subject. A company or an organization is not a data subject.

What is a personal information controller?
A personal information controller or “PIC” is the person or organization who controls the processing of personal data. Even if a person or organization decides to outsource or instruct another to perform the processing on its behalf, it shall remain as the PIC.

The term excludes individual who processes personal data in connection with his or her personal, family, or household affairs. Nevertheless, he or she is still responsible for the personal data he or she processes.

What is a personal information processor?
A personal information processor or “PIP” is a person or organization who processes personal data on behalf of a personal information controller. The PIP must be separate and distinct from the PIC. This means, under ordinary circumstances, an officer, employee, or agent of a company or organization is not the latter’s PIP.

Can a person or organization be both a personal information controller and personal information processor?
YES. If a person or organization qualifies under the definitions of both PIC and PIP, it can assume both roles. This means an organization can be processing some personal data for its own purposes, while at the same time, processing other personal data on behalf of 1 or more other persons or organizations.

Is there an agency in charge of implementing the DPA?
YES. The National Privacy Commission is primarily tasked to administer and implement the provisions of the DPA. It also has the responsibility of monitoring and ensuring the compliance of the Philippines with international data protection standards.

University Data Protection Office

Room 200, Manila Observatory,
Ateneo de Manila University Loyola Heights campus,
Katipunan Avenue, Loyola Heights,
Quezon City 1108

+63 2 426-6001 local 4801

Email (Inquiries) (Complaints)

Contact Form [doc] [pdf]
Use this form to submit or file inquiries, concerns, complaints, or to report a security incident or data breach.

Incident Report Form [doc] [pdf]
For University Personnel, use this form to report a security incident or data breach.