PHILIPPINES: New development in the Philippines Data Protection Laws

The Philippine Data Protection Law of 2012, that came in force simultaneously with the European GDPR in 2016, and can be considered as one of the most data subject friendliest data protection laws in Asia, is experiencing another exacerbation.

The law is designed to ensure that the personal information of Filipinos is handled responsibly, securely and lawfully. Furthermore, it seeks to protect the rights of citizens when it comes to the use of their data. The Philippines Data Protection Law of 2012 sets out requirements and obligations that business owners should meet in order to protect and process personal information.

Under the Philippines Data Protection Law of 2012, each business or company must comply with a number of requirements and standards when it comes to processing and storing personal data. These requirements include the secure collection and storage of any personal information shared by customers. Businesses must also ensure that customers are aware of how their personal data is being processed and have the right to access and alter the information if necessary. Additionally, the law states that if a customer requests, their personal data must be deleted and businesses must take active steps to protect the security of their customers’ data.

According to a new circular from the Nation Data Protection Commission (NPC) – which came into force in January 2023 – personal information controllers (PICs) and personal information processors (PIPs) operating in the Philippines are now required to register with the NPC as long as they meet any of the conditions for registration. Registration has to be affected until 10 July 2023 via the NPC’s online registration system (NPCRS).

The circular distinguishes between mandatory and voluntary registration.

Mandatory registration is required, where

• at least 250 individuals are employed
• sensitive personal information of at least 1,000 individuals is processed
• personal data that will likely pose a risk to the rights and freedoms of data subjects is processed

PICs and PIPs covered by the scope of the Circular but which do not meet any of the foregoing criteria are not required to register with the NPC. Nevertheless, they are required to submit a sworn declaration to the NPC attesting to the fact that they are not covered by the registration requirement.

Among other details such as name of their system and the purpose of the processing, the PIPs and PICs must explain furthermore

• to which recipients or categories of recipients the personal data might be disclosed
• the security measures
• the general information on the data life cycle
• whether personal data is transferred outside of the Philippines and whether data sharing agreements with other parties exist.

If consent is used as the basis for processing, the PIC or PIP must submit either the consent form used or explain other manner of obtaining consent.

Any registration will be valid for a period of one year from the date of issuance of the certificate of registration and must be renewed 30 days before the date of expiration.

Upon submission of the registration form and approval by the NPC the certificate of registration will be issued. Furthermore, a digital seal that is awarded by the NPC shall be displayed on the PIC’s or PIP’s main website, or at least the webpage specifically pertaining to the Philippines for global websites, and only as either: a clickable link leading to the privacy notice or displayed directly on the privacy notice page.

PIPs and PICs who do not comply will face penalties include compliance and enforcement orders, cease and desist orders, temporary or permanent bans on the processing of personal data, or payment of administrative fines.

Data Processors should therefore now consider if under the data processing activities they should either register with the NPC or at least must submit a sworn declaration, that they do not need to register.

—

Your point of contact in the Philippines: Lutz Kaiser

Villanueva Gabionza & Dy Law Offices

20th/F Corporate Center
139 Valero St., Salcedo Village
Makati City 1227, Philippines

CELL: +63 995 985 4957
TEL: +63 2 8813 3351
FAX: +63 2 8816 6741

www.vgdlaw.ph
manila@adwa-law.com

Marketing Services in India for Foreign Companies are “Service Exports”

A commission agent promoted and marketed goods for foreign-based companies in India. The tax authority wanted to levy “Service Tax” (replaced in 2017 by the “Goods and Services Tax”), but the Appellate Tribunal rejected this: The recipient of the services is abroad and paid in foreign currency, hence this is an export of services, which is not taxable. This helps foreign-based companies. Hopefully, the same will apply to the new “Goods and Services Tax.”

—

Your contact person in India: Dr. Jörg Schendel

Suman Khaitan & Co.

W-13, West Wing, Greater Kailash Part-II
Delhi 110048, India

CELL: +91 97 11 08 04 03
TEL: +91 11 49 50 15 00
FAX: +91 11 49 50 15 99

www.sumankhaitanco.in
germandesk@sumankhaitanco.in
schendel@adwa-law.com

Supply chain guidelines also issued in Japan

The Japanese government issued Guidelines on Respecting Human Rights in Responsible Supply Chains in September 2022.

Japan is thus joining the global trend of urging companies to prevent human rights violations in their supply chains. Japan is also taking the UN Guiding Principles on Business and Human Rights as a basis. However, the Japanese Guidelines are not legally binding. They do not entitle the government to impose requirements or sanctions on companies. These guidelines therefore go nowhere near as far as the German Supply Chain Act.

The avoidance and minimisation of negative impacts on human rights is nevertheless an important step to specifically address the human rights risks identified in the context of human rights due diligence. The government plans to introduce a system in April 2023 to give preferential treatment to companies that take human rights into account when tendering for public works projects, procurement of goods and other services. The guidelines aim to create a system to help companies establish strategies to fulfil their responsibilities to respect human rights and take corrective action when problems arise. The guidelines present an approach called “human rights due diligence”, according to which companies should regularly check whether human rights violations have occurred at their respective suppliers. The government therefore plans to set up a system to give better marks to companies that deal with human rights issues in government procurement projects in the areas of public works, information technology and other services.

From a lawyer’s perspective, interrelationships with other standards are of particular importance when advising on compliance with the Supply Chain Directive. In particular, when influencing suppliers, care must be taken not to violate antitrust law. In particular, caution is required with regard to horizontal conduct (conduct between competing companies). This is because the guidelines do not (at least not yet) have the same status as antitrust law in this interrelationship in Japan. The latter takes precedence as mandatory law and its principles may lead to limited compliance with the Guidelines.

—

Your point of contact in Japan: Michael Müller

Mueller Foreign Law Office

Shin-Kasumigaseki Building
3-3-2 Kasumigaseki, Chiyoda-ku
Tokyo 100-0013, Japan

TEL:       +81 3 6805 5161
FAX:       +81 3 6805 5162

www.mueller-law.jp
info@mueller-law.jp

What foreign companies are doing wrong in Korea

Korea is an economically successful democratic country, with a well-educated workforce, an export quota only comparable to Germany, and very affluent consumers. Nevertheless, companies from Germany, Austria and Switzerland regularly fail in the Korean market, or at least fall miles short of the success that would be possible if they were familiar with the market and its customs.

One of the biggest problems from Joachim Nowak’s point of view – our ADWA lawyer in Korea – is that no one in the parent company keeps track with Korean subsidiary and there is no contact person there for the Korean management to take up the Korean interests and needs and who feels responsible for the subsidiary, helps the parent company with coordination and, i.e. someone solving problems for Korea.

Koreans have their cultural characteristics, and one of them is that most Koreans never (or at least almost never, but always late) go to their supervisor with a problem. While the employees from Germany, Switzerland or Austria address problems promptly on their own, the same cannot be expected from Korean employees, including Korean management.

Therefore, Joachim Nowak often deals with the same problems, for example:

The Korean subsidiary is run by an Asian holding company (e.g., in Hong Kong or Singapore), in addition to several other Asian subsidiaries. The holding company de facto contributes nothing to sales but has the most employees of all the Asian subsidiaries. The four other Asian subsidiaries contribute 20 % of sales in Asia, while the Korean subsidiary generates 80 % of sales for Asia. The Korean subsidiary has 20 % of the employees in Asia and is not getting new employees approved or simply not finding them due to the current labor market situation. The management of the Asian holding company does not let go of the unproductive employees in the holding company and other countries, which is not well received by the extremely hard-working Korean employees and tends to promote attrition. Since Korean management is extremely reluctant to address problems directly (unfortunately, Koreans are very capable of suffering) if something went extremely wrong, the mother company will only find out when it is too late. If this happens repair is often very difficult or impossible, and in any case extremely cost-intensive.

From the point of view of many managers at the parent company or the Asia holding company, the problem lies entirely with the Korean managers on the ground. So, what should the managers from Germany, Switzerland and Austria or the holding company have done differently? Joachim Nowak’s answer:

Among other things, read the figures and reporting of the accounting and draw appropriate business conclusions and actively and regularly (preferably weekly) keep in touch with the management in Korea to be informed about all projects. But always keep in mind that it is very unusual for someone in Korea to raise problems on their own, usually by then a lawyer will already be needed to resolve them (e.g., in labor law). So, it is important to anticipate problems and always ask actively, check the relevant figures and try to draw conclusions from them. In addition, it is better to go and see directly on site and not only talk to the managing director, but also actively communicate with the Korean employees. If representatives are never there, problems cannot be brought to your attention.

After hiring a new representative director, the task of establishing successful Korean management is far from over. Rather, during the first year of the general manager’s tenure, active weekly inquiries via videoconference about the course of business and its problems, but rather visiting Korea on a quarterly basis to ensure that the new general manager truly understands what is expected, is advisable, as they are most likely different from those of a Korean supervisor or owner. Furthermore, this will give provide a better understanding from which background (legal, tax, business customs, market conditions, competition, etc.) the local general manager can and must operate.

For the tasks described above, a suitable legal framework (e.g., an appropriate Articles of Association defining the rights and obligations of all parties involved) is also important. If you want to know how to set up a company in Asia solidly from the ground up and how the DACH parent company and the Asian headquarters need to get involved, ADWA and its member law firms in China, Hong Kong, India, Japan, Korea, Malaysia, Philippines, Singapore, Taiwan, Thailand, and Vietnam will be happy to talk to you (or help you with a project).

—

Your point of contact in Korea: Joachim Nowak

DAERYOOK & AJU LLC

7 – 16F, Donghoon Tower
317, Teheran-ro, Gangnam-gu
Seoul 06151, Republik Korea

CELL:      +82 10 9001 6430
TEL:        +82 2 3016 9594
FAX:        +82 2 3016 5222

www.draju.com
nowak@draju.com

TAIWAN: The gold of the data society – Personal data protection in Taiwan

Data is considered the gold of the 21st century. Like the great gold rush in the 19th century, there are abuses to illegally exploit the gold, especially personal data of others. Even people in Taiwan are not immune to this, as the recent incidents at the Taiwan General Health Insurance Fund and car rental companies show. The following is an overview of the obligations of companies in the event of a data leak and the possible remedies available to consumers in Taiwan.

Let us assume the following case. A company in Taiwan has a data leak in which data of over 5,000 private individuals was stolen. What are the obligations of the company and what are the rights of the affected individuals?

Let’s first look at the obligations of a company. The protection of personal data in Taiwan is regulated by the Personal Data Protection Act (PDPA). The definition of “personal data” in Article 2 of the PDPA includes anything that can directly/indirectly lead to the identification of a natural person. Importantly, this can include usernames and passwords if their combination with other data makes it possible to identify individuals.

Notifications

In the event of a personal data breach, the company must notify the data subjects.

The notification must contain the facts of the breach and the measures already taken to remedy the breach.

The company must further consider which authorities need to be notified. Companies fall directly under the regulatory jurisdiction of the Taiwan Ministry of Economic Affairs (MOEA), which must be informed in the event of a personal data breach.

Other authorities that would need to be informed, depending on the facts of the case, include the Financial Supervisory Authority and, in some circumstances, authorities listed in the Cybersecurity Management Act.

Legal remedies of data subjects

Data protection is fundamentally important in Taiwan and more and more individuals are aware of their rights and are willing to assert their rights with administrative authorities and/or in court. Individuals can file a civil lawsuit and seek damages for violations of the Data Protection Act under the PDPA and the Taiwanese Civil Code. It should be noted that damages are limited to TWD 500 – 20,000 per incident per person (approximately EUR 15 to EUR 620 at the current exchange rate), with an upper limit of TWD 200,000,000 (approximately EUR 6,180,000 at the current exchange rate). On the positive side, the burden of proof is on the company to exonerate itself. It is difficult for those affected to prove that damage has occurred.

Class actions are possible in Taiwan. Charitable organisations/foundations are eligible to apply if at least 20 affected persons agree to do so. The first personal data class action in Taiwan was brought in 2018 by Consumers’ Foundation against Lion Travel Service Co, Ltd. In 2017, Lion Travel’s computer system was hacked, resulting in the disclosure of the personal data of 360,000 consumers, including names, contact numbers and information about products purchased. The consumer foundation claimed compensation of TWD 3,630,000. The case was later settled by both parties in 2020 without the settlement amount being disclosed to the public.

In case of criminal responsibility, fines of up to one million TWD (approx. 34,000 euros and imprisonment of up to 5 years are possible.

Conclusion

Taiwan’s data protection laws, especially the PDPA, oblige companies to take action in the event of data protection violations and offer affected parties the opportunity to seek compensation for damages. To what extent class actions will be increasingly used remains to be seen.

—

Your point of contact in Taiwan: Michael Werner

Eiger Law

Bldg. A, 2F, 25-2 Ren Ai Rd, Sec. 4
Taipei 10685
Taiwan

CELL:      +886 9 8726 1326
TEL:        +886 2 2771 0086
FAX:       +886 2 2771 0186

www.eiger.law
info@eiger. law