Eleveted, night view of Makati, the business district of Metro Manila.

In brief

On 8 July 2020, the National Privacy Commission (NPC) released NPC PHE Bulletin No. 15 to guide establishments on the proper handling and protection of personal data collected from customers and visitors of barbershops, salons, restaurants, and fast-food businesses, in relation to the guidelines covering such establishments issued by the Department of Trade and Industry (DTI).


    1. Collect only what is necessary. Collection of personal data should be limited to only such information as required under existing government issuances and the processing of such should be proportional to the purpose of contact tracing. Establishments may adopt sample health checklist forms issued by government agencies.
    2. Be transparent. Establishments should inform their customers and visitors of the collection of their personal data and the reasons for such collection. This can be done by posting a privacy notice which is readily visible within the establishment’s premises or, if electronic means is used, posted in the platform prior to collection. The privacy notice should be easy to access and understandable, and must use clear and plain language.
    3. Use information only for the declared purpose. Repurposing the use of personal data collected for purposes other than contact tracing and storing data for speculative use is not allowed. Establishments are responsible for reminding their employees and third-party service providers, such as security personnel, that doing is punishable under the Data Privacy Act of 2012 (DPA).
    4. Implement security measures. Establishments have the obligation to implement reasonable and appropriate safeguards (organizational, physical, and/or technical security measures) to protect the personal data of their customers and visitors against any accidental or unlawful processing, alteration, disclosure, and destruction.
    5. Keep the data only for a limited period. All personal data collected for the purpose of contact tracing shall be retained only for a period allowed by existing government issuances. After which, all personal data should be disposed of in a secure manner.

Actions to consider

Clients who are part of the covered establishments are advised to strictly comply with the guidelines to prevent any data privacy and security issues from arising. The bulletin is also a helpful guide for clients who may not be engaged in the aforementioned industries, but have reopened their establishments or are planning to reopen in the near future. Clients are advised to review their current data privacy and security measures and protocols to ensure that these are up-to-date.

1. DTI Memorandum Circular No. 20-37

2. DTI Memorandum Circular No. 20-28

*In cooperation with Quisumbing Torres, a member firm of Baker & McKenzie International, a Swiss Verein. Please contact QTInfoDesk@quisumbingtorres.com for inquiries

Previous articleSouth Africa: The de-globalizing pandemic – FDI and preparing for the post-COVID reality
Next articleChina: CBIRC to conduct follow-up checks on banking and insurance sector to ensure industry problems are being addressed