G3 THC 213 Chapter 3 HM21 - 20231107 - 173027 - 0000

This document discusses data privacy and security requirements for the hospitality industry according to the Data Privacy Act of 2012. It outlines how hotels collect large amounts of personal guest information, making them vulnerable to cybercrime. The act requires hotels to safely protect guest privacy and inform them of any data breaches. Key provisions of the act establish principles for lawful and fair processing of personal information, and specify its application to entities processing Philippine citizen and resident data.


CHAPTER 3
RISK MANAGEMENT FOR HOSPITALITY INDUSTRY

Data security is a primary concern of most industries, and of the hospitality sector in particular, considering the trust that guests place in hotel management from the time of check-in up to check-out. Guests hand their personal information to the front desk officer, to the extent of giving their debit or credit cards to pay for whatever they consume during the entire duration of their stay in the hotel.

Hotels and similar businesses are prone to hackers and cyber criminals because of the bulk of information they collect from guests before the accommodation itself, to assure payment for damages and sometimes as a means to introduce their own rewards programs. A single breach of data protection by hotel management could compromise the guests' personal information (addresses, government-issued IDs, account details, and others). Hence, hotel management is duty-bound to safeguard the privacy of the guests.

Hotel management is expected to make sure that all information gathered from guests is protected, because a breach of security could cause them damage. It should be the responsibility of management to inform present and previous guests if their data have been compromised, even if doing so means expense on the part of management.
Some important provisions of RA 10173
-- Data Privacy Act of 2012

SEC. 2. Declaration of Policy. - It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring the free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.

SEC. 4. Scope. - This Act applies to the processing of all types of personal
information and to any natural and juridical person involved in personal information
processing including those personal information controllers and processors who,
although not found or established in the Philippines, use equipment that are located
in the Philippines, or those who maintain an office, branch or agency in the
Philippines subject to the immediately succeeding paragraph: Provided, That the
requirements of Section 5 are complied with.

This Act does not apply to the following:

(a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:
1. The fact that the individual is or was an officer or employee of the government institution;
2. The title, business address and office telephone number of the individual;
3. The classification, salary range and responsibilities of the position held by the individual; and
4. The name of the individual on a document prepared by the individual in the course of employment with the government;

(b) Information about an individual who is or was performing service under contract for a
government institution that relates to the services performed, including the terms of the
contract, and the name of the individual given in the course of the performance of those
services;

(c) Information relating to any discretionary benefit of a financial nature such as the granting
of a license or permit given by the government to an individual, including the name of the
individual and the exact nature of the benefit;
(d) Personal information processed for journalistic, artistic, literary or research purposes;

(e) Information necessary to carry out the functions of public authority which include the
processing of personal data for the performance by the independent, central monetary
authority and law enforcement and regulatory agencies of their constitutionally and statutorily
mandated functions. Nothing in this Act shall be construed as to have amended or repealed
Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No.
6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510,
otherwise known as the Credit Information System Act (CISA);
(f) Information necessary for banks and other financial institutions under the jurisdiction of the
independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act
No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering
Act and other applicable laws; and (g) Personal information originally collected from residents of
foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any
applicable data privacy laws, which is being processed in the Philippines.

SEC. 5. Protection Afforded to Journalists and Their Sources. - Nothing in this Act shall be construed
as to have amended or repealed the provisions of Republic Act No. 53, which affords the publishers,
editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation
protection from being compelled to reveal the source of any news report or information appearing
in said publication which was related in any confidence to such publisher, editor, or reporter.

SEC. 6. Extraterritorial Application. - This Act applies to an act done or practice engaged in and
outside of the Philippines by an entity if:

(a) The act, practice or processing relates to personal information about a Philippine citizen or a
resident;

(b) The entity has a link with the Philippines, and the entity is processing personal information in
the Philippines or even if the processing is outside the Philippines as long as it is about Philippine
citizens or residents such as, but not limited to, the following:
(1) A contract is entered in the Philippines;
(2) A juridical entity unincorporated in the Philippines but has central management and control in
the country; and
(3) An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or
affiliate of the Philippine entity has access to personal information; and

(c) The entity has other links in the Philippines such as, but not limited to:

(1) The entity carries on business in the Philippines; and


(2) The personal information was collected or held by an entity in the Philippines.
Chapter III - Processing of Personal Information
SEC. 11. General Data Privacy Principles. - The processing of personal information
shall be allowed, subject to compliance with the requirements of this Act and other
laws allowing disclosure of information to the public and adherence to the
principles of transparency, legitimate purpose, and proportionality.
Personal information must be:
(a) Collected for specified and legitimate purposes;
(b) Processed fairly and lawfully;
(c) Accurate, relevant and kept up to date; inaccurate or incomplete data must be rectified, destroyed or their further processing restricted;
(d) Adequate and not excessive;
(e) Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law; and
(f) Retained in a form that allows identification of data subjects only for the duration necessary for the original collection and processing purposes. However, personal information collected for other reasons can be processed for historical, statistical, or scientific purposes, and in cases specified by law it may be stored for extended periods, provided that the laws allowing such storage ensure adequate safeguards.
The personal information controller must ensure implementation of personal
information processing principles set out herein.

SEC. 12. Criteria for Lawful Processing of Personal Information. - The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:
(a) The data subject has given his or her consent;
(b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
(c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
(d) The processing is necessary to protect vitally important interests of the data subject, including life and health;
(e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; and
(f) Processing involves personal information necessary for safeguarding the lawful rights and interests of individuals or legal entities in legal proceedings, the execution or defense of legal claims, or when shared with government or public authorities.
SEC. 13. Sensitive Personal Information.

Sensitive Personal Information
Sensitive personal information is a type of personal information. If revealed, it can leave an individual vulnerable to discrimination or harassment.

1. Information pertaining to an individual's race, ethnic origin, marital status, age, color, affiliations (religious, philosophical, or political), health, education, genetic characteristics, or sexual life.
2. Details related to any legal proceedings involving an individual, including allegations or convictions of offenses, as well as court sentences.
3. Personal records issued by government agencies that are unique to an individual, such as social security numbers, past or present health records, licenses (including denials, suspensions, or revocations), tax returns, and more.
4. Information that is categorized as sensitive based on classification criteria established by an Executive Order or a law enacted by Congress.

Privileged Information
Privileged information, as defined in the Philippine Rules of Court and other applicable laws, includes:

1. Confidential communications between husband and wife.
2. Communications or advice exchanged between an attorney and a client.
3. Information, advice, or treatment provided by a doctor to a patient.
4. Confessions made by an individual to a minister or priest, as well as any advice subsequently offered by the religious figure.
5. Communications made to a public officer in an official capacity and under the assurance of confidentiality.

SEC. 14. Subcontract of Personal Information

DATA CONTROLLER VS DATA PROCESSOR
A data controller controls the procedures and purpose of data usage, while a data processor processes any data that the data controller gives them.

A personal information controller can delegate personal information processing but is responsible for ensuring safeguards, confidentiality, and legal compliance. The personal information processor must also adhere to this Act and related laws.

SEC. 15. Extension of Privileged Communication

What Is Privileged Communication?
Privileged communication is an interaction between two parties in which the law recognizes a private, protected relationship. Whatever is communicated between the two parties must remain confidential, and the law cannot force its disclosure.

Common examples of privileged communication include:
1. Attorney-Client Privilege: Communications between an attorney and their client are typically protected by attorney-client privilege. This means that clients can speak freely with their lawyers, knowing that their discussions are confidential and cannot be used against them in court.
2. Doctor-Patient Privilege: Conversations and medical records shared between a patient and their healthcare provider are often protected by doctor-patient privilege. This helps ensure that patients can openly discuss their health concerns without fear of disclosure.
3. Spousal Privilege: In many jurisdictions, communications between spouses are considered privileged and generally cannot be compelled to be disclosed in court, with certain exceptions.
4. Clergy-Penitent Privilege: Certain religious communications, such as confessions made to a priest or minister, may be protected under clergy-penitent privilege.

Personal information controllers have the right to invoke the principle of privileged
communication over privileged information that they legally control or process.
However, it's essential to note that, subject to existing laws and regulations, any
evidence obtained from privileged information is generally considered inadmissible in
legal proceedings. This protection is in place to preserve the confidentiality and
privacy of privileged information.
Chapter IV - Rights of the Data Subject
SEC. 16. Rights of the Data Subject. - The data subject is entitled to:
(a) Be informed whether personal information pertaining to him or her shall be, are being or have
been processed.
(b) Be furnished the information indicated hereunder before the entry of his or her personal
information into the processing system of the personal information controller, or at the next
practical opportunity:
(1) Description of the personal information to be entered into the system;
(2) Purposes for which they are being or are to be processed;
(3) Scope and method of the personal information processing;
(4) The recipients or classes of recipients to whom they are or may be disclosed;
(5) Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized;
(6) The identity and contact details of the personal information controller or its representative;
(7) The period for which the information will be stored; and
(8) The existence of their rights, i.e., to access, correction, as well as the right to lodge a complaint before the Commission.
Any information supplied or declaration made to the data subject on these matters
shall not be amended without prior notification of data subject: Provided, That the
notification under subsection (b) shall not apply should the personal information be
needed pursuant to a subpoena or when the collection and processing are for obvious
purposes, including when it is necessary for the performance of or in relation to a
contract or service or when necessary or desirable in the context of an employer-
employee relationship, between the collector and the data subject, or when the
information is being collected and processed as a result of legal obligation;

(c) Reasonable access to, upon demand, the following:
(1) Contents of his or her personal information that were processed;
(2) Sources from which personal information were obtained;
(3) Names and addresses of recipients of the personal information;
(4) Manner by which such data were processed;
(5) Reasons for the disclosure of the personal information to recipients;
(6) Information on automated processes where the data will or likely to be made as the sole basis for any decision significantly affecting or will affect the data subject;
(7) Date when his or her personal information concerning the data subject were last accessed and modified; and
(8) The designation, or name or identity and address of the personal information controller;
(d) Dispute the inaccuracy or error in the personal information and have the personal information
controller correct it immediately and accordingly, unless the request is vexatious or otherwise
unreasonable. If the personal information has been corrected, the personal information
controller shall ensure the accessibility of both the new and the retracted information and the
simultaneous receipt of the new and the retracted information by recipients thereof: Provided,
That the third parties who have previously received such processed personal information shall be
informed of its inaccuracy and its rectification upon reasonable request of the data subject;

(e) Suspend, withdraw or order the blocking, removal or destruction of his or her personal
information from the personal information controller's filing system upon discovery and
substantial proof that the personal information are incomplete, outdated, false, unlawfully
obtained, used for unauthorized purposes or are no longer necessary for the purposes for which
they were collected. In this case, the personal information controller may notify third parties
who have previously received such processed personal information; and
(f) Be indemnified for any damages sustained due to such inaccurate, incomplete, outdated,
false, unlawfully obtained or unauthorized use of personal information.

SEC. 17. Transmissibility of Rights of the Data Subject. - The lawful heirs and assigns of the data
subject may invoke the rights of the data subject for, which he or she is an heir or assignee at
any time after the death of the data subject or when the data subject is incapacitated or
incapable of exercising the rights as enumerated in the immediately preceding section.

SEC. 18. Right to Data Portability. - The data subject shall have the right, where personal
information is processed by electronic means and in a structured and commonly used format, to
obtain from the personal information controller a copy of data undergoing processing in an
electronic or structured format, which is commonly used and allows for further use by the data
subject. The Commission may specify the electronic format referred to above, as well as the
technical standards, modalities, and procedures for their transfer.
SEC. 19. Non-Applicability. - The immediately preceding sections are not applicable if the
processed personal information is used only for the needs of scientific and statistical research
and, on the basis of such, no activities are carried out, and no decisions are taken regarding the
data subject: Provided, That the personal information shall be held under strict confidentiality
and shall be used only for the declared purpose. Likewise, the immediately preceding sections
are not applicable to the processing of personal information gathered for investigations about
any criminal, administrative or tax liabilities of a data subject.
Chapter V - Security of Personal Information
SEC. 20. Security of Personal Information.
(a) The personal information controller must implement reasonable and appropriate
organizational, physical and technical measures intended for the protection of personal
information against any accidental or unlawful destruction, alteration and disclosure, as well as
against any other unlawful processing.

(b) The personal information controller shall implement reasonable and appropriate measures to
protect personal information against natural dangers such as accidental loss or destruction, and
human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and
contamination.
(c) The determination of the appropriate level of security under this section must take into
account the nature of the personal information to be protected, the risks represented by the
processing, the size of the organization and complexity of its operations, current data privacy
best practices and the cost of security implementation. Subject to guidelines as the Commission
may issue from time to time, the measures implemented must include:
(1) Safeguards to protect its computer network against accidental, unlawful or unauthorized usage or interference with or hindering of their functioning or availability;
(2) A security policy with respect to the processing of personal information;
(3) A process for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach; and
(4) Regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach.
(d) The personal information controller must further ensure that third parties processing
personal information on its behalf shall implement the security measures required by this
provision.

(e) The employees, agents or representatives of a personal information controller who are
involved in the processing of personal information shall operate and hold personal information
under strict confidentiality if the personal information are not intended for public disclosure. This
obligation shall continue even after leaving the public service, transfer to another position or
upon termination of employment or contractual relations.
(f) The personal information controller shall promptly notify the Commission and affected data
subjects when sensitive personal information or other information that may, under the
circumstances, be used to enable identity fraud are reasonably believed to have been acquired
by an unauthorized person, and the personal information controller or the Commission believes
that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any
affected data subject. The notification shall at least describe the nature of the breach, the
sensitive personal information possibly involved, and the measures taken by the entity to
address the breach. Notification may be delayed only to the extent necessary to determine the
scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the
information and communications system.
In evaluating if notification is unwarranted, the Commission may take into account
compliance by the personal information controller with this section and existence of good
faith in the acquisition of personal information.
The Commission may exempt a personal information controller from notification where, in
its reasonable judgment, such notification would not be in the public interest or in the
interests of the affected data subjects.
The Commission may authorize postponement of notification where it may hinder the
progress of a criminal investigation related to a serious breach.

Chapter VI - Accountability for Transfer of Personal Information


SEC. 21. Principle of Accountability. - Each personal information controller is responsible for
personal information under its control or custody, including information that has been
transferred to a third party for processing, whether domestically or internationally, subject to
cross-border arrangement and cooperation.
The personal information controller is accountable for complying with the requirements of
this Act and shall use contractual or other reasonable means to provide a comparable level
of protection while the information are being processed by a third party.
The personal information controller shall designate an individual or individuals who are
accountable for the organization's compliance with this Act. The identity of the individual(s)
so designated shall be made known to any data subject upon request.
Chapter VII - Security of Sensitive Personal Information in Government

SEC. 22. Responsibility of Heads of Agencies. - All sensitive personal information maintained by
the government, its agencies and instrumentalities shall be secured, as far as practicable, with
the use of the most appropriate standard recognized by the information and communications
technology industry, and as recommended by the Commission. The head of each government
agency or instrumentality shall be responsible for complying with the security requirements
mentioned herein while the Commission shall monitor the compliance and may recommend the
necessary action in order to satisfy the minimum standards.

SEC. 23. Requirements Relating to Access by Agency Personnel to Sensitive Personal Information.
(a) On-site and Online Access - Except as may be allowed through guidelines to be issued by the
Commission, no employee of the government shall have access to sensitive personal information
on government property or through online facilities unless the employee has received a security
clearance from the head of the source agency.
(b) Off-site Access - Unless otherwise provided in guidelines to be issued by the Commission,
sensitive personal information maintained by an agency may not be transported or accessed
from a location off government property unless a request for such transportation or access is
submitted and approved by the head of the agency in accordance with the following guidelines:
(1) Deadline for Approval or Disapproval - In the case of any request submitted to the head of an agency, such head of the agency shall approve or disapprove the request within two business days after the date of submission of the request. In case there is no action by the head of the agency, then such request is considered disapproved;
(2) Limitation to One thousand (1,000) Records - If a request is approved, the head of the agency shall limit the access to not more than one thousand (1,000) records at a time; and
(3) Encryption - Any technology used to store, transport or access sensitive personal information for purposes of off-site access approved under this subsection shall be secured by the use of the most secure encryption standard recognized by the Commission.
The requirements of this subsection shall be implemented not later than six months after the date of the enactment of this Act.

SEC. 24. Applicability to Government Contractors. - In entering into any contract that may involve
accessing or requiring sensitive personal information from one thousand (1,000) or more
individuals, an agency shall require a contractor and its employees to register their personal
information processing system with the Commission in accordance with this Act and to comply
with the other provisions of this Act including the immediately preceding section, in the same
manner as agencies and government employees comply with such requirements.
Chapter VIII - Penalties
SEC. 25. Unauthorized Processing of Personal Information and Sensitive Personal Information.
– (a) The unauthorized processing of personal information shall be penalized by imprisonment
ranging from one (1) year to three (3) years and a fine of not less than Five hundred thousand
pesos (Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed
on persons who process personal information without the consent of the data subject, or without
being authorized under this Act or any existing law.

(b) The unauthorized processing of personal sensitive information shall be penalized by imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00) shall be imposed on persons who process personal information without the consent of the data subject, or without being authorized under this Act or any existing law.
SEC. 26. Accessing Personal Information and Sensitive Personal Information Due to Negligence. –
(a) Accessing personal information due to negligence shall be penalized by imprisonment ranging
from one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos
(Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on
persons who, due to negligence, provided access to personal information without being
authorized under this Act or any existing law.

(b) Accessing sensitive personal information due to negligence shall be penalized by imprisonment ranging from three (3) years to six (6) years and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than Four million pesos (Php4,000,000.00) shall be imposed on persons who, due to negligence, provided access to personal information without being authorized under this Act or any existing law.
SEC. 27. Improper Disposal of Personal Information and Sensitive Personal Information. – (a) The
improper disposal of personal information shall be penalized by imprisonment ranging from six (6)
months to two (2) years and a fine of not less than One hundred thousand pesos (Php100,000.00)
but not more than Five hundred thousand pesos (Php500,000.00) shall be imposed on persons
who knowingly or negligently dispose, discard or abandon the personal information of an
individual in an area accessible to the public or has otherwise placed the personal information of
an individual in its container for trash collection.

(b) The improper disposal of sensitive personal information shall be penalized by imprisonment
ranging from one (1) year to three (3) years and a fine of not less than One hundred thousand
pesos (Php100,000.00) but not more than One million pesos (Php1,000,000.00) shall be imposed
on persons who knowingly or negligently dispose, discard or abandon the personal information of
an individual in an area accessible to the public or has otherwise placed the personal information
of an individual in its container for trash collection.
SEC. 28. Processing of Personal Information and Sensitive Personal Information for Unauthorized
Purposes. – The processing of personal information for unauthorized purposes shall be penalized
by imprisonment ranging from one (1) year and six (6) months to five (5) years and a fine of not
less than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos
(Php1,000,000.00) shall be imposed on persons processing personal information for purposes not
authorized by the data subject, or otherwise authorized under this Act or under existing laws.

The processing of sensitive personal information for unauthorized purposes shall be penalized by
imprisonment ranging from two (2) years to seven (7) years and a fine of not less than Five
hundred thousand pesos (Php500,000.00) but not more than Two million pesos
(Php2,000,000.00) shall be imposed on persons processing sensitive personal information for
purposes not authorized by the data subject, or otherwise authorized under this Act or under
existing laws.
SEC. 29. Unauthorized Access or Intentional Breach. – The penalty of imprisonment ranging from
one (1) year to three (3) years and a fine of not less than Five hundred thousand pesos
(Php500,000.00) but not more than Two million pesos (Php2,000,000.00) shall be imposed on
persons who knowingly and unlawfully, or violating data confidentiality and security data
systems, breaks in any way into any system where personal and sensitive personal information is
stored.

SEC. 30. Concealment of Security Breaches Involving Sensitive Personal Information. – The
penalty of imprisonment of one (1) year and six (6) months to five (5) years and a fine of not less
than Five hundred thousand pesos (Php500,000.00) but not more than One million pesos
(Php1,000,000.00) shall be imposed on persons who, after having knowledge of a security breach
and of the obligation to notify the Commission pursuant to Section 20(f), intentionally or by
omission conceals the fact of such security breach.
SEC. 31. Malicious Disclosure. – Any personal information controller or personal information
processor or any of its officials, employees or agents, who, with malice or in bad faith, discloses
unwarranted or false information relative to any personal information or personal sensitive
information obtained by him or her, shall be subject to imprisonment ranging from one (1) year
and six (6) months to five (5) years and a fine of not less than Five hundred thousand pesos
(Php500,000.00) but not more than One million pesos (Php1,000,000.00).

SEC. 32. Unauthorized Disclosure. – (a) Any personal information controller or personal
information processor or any of its officials, employees or agents, who discloses to a third party
personal information not covered by the immediately preceding section without the consent of
the data subject, shall be subject to imprisonment ranging from one (1) year to three (3) years
and a fine of not less than Five hundred thousand pesos (Php500,000.00) but not more than One
million pesos (Php1,000,000.00).
(b) Any personal information controller or personal information processor or any of its officials,
employees or agents, who discloses to a third party sensitive personal information not covered
by the immediately preceding section without the consent of the data subject, shall be subject
to imprisonment ranging from three (3) years to five (5) years and a fine of not less than Five
hundred thousand pesos (Php500,000.00) but not more than Two million pesos
(Php2,000,000.00).

SEC. 33. Combination or Series of Acts. – Any combination or series of acts as defined in Sections
25 to 32 shall make the person subject to imprisonment ranging from three (3) years to six (6)
years and a fine of not less than One million pesos (Php1,000,000.00) but not more than Five
million pesos (Php5,000,000.00).
SEC. 34. Extent of Liability. – If the offender is a corporation, partnership or any juridical person,
the penalty shall be imposed upon the responsible officers, as the case may be, who participated
in, or by their gross negligence, allowed the commission of the crime. If the offender is a juridical
person, the court may suspend or revoke any of its rights under this Act. If the offender is an
alien, he or she shall, in addition to the penalties herein prescribed, be deported without further
proceedings after serving the penalties prescribed. If the offender is a public official or employee
and he or she is found guilty of acts penalized under Sections 27 and 28 of this Act, he or she
shall, in addition to the penalties prescribed herein, suffer perpetual or temporary absolute
disqualification from office, as the case may be.

SEC. 35. Large-Scale. – The maximum penalty in the scale of penalties respectively provided for
the preceding offenses shall be imposed when the personal information of at least one hundred
(100) persons is harmed, affected or involved as the result of the above mentioned actions.
SEC. 36. Offense Committed by Public Officer. – When the offender or the person responsible for
the offense is a public officer as defined in the Administrative Code of the Philippines in the
exercise of his or her duties, an accessory penalty consisting in the disqualification to occupy
public office for a term double the term of criminal penalty imposed shall be applied.

End of Data Privacy Act of 2012
Steven Tan
Guest Behavior
Guests may be considered the lifeblood of the hotel industry. Without happy and
contented guests patronizing the services of the hotel, the industry could barely survive.
There are, however, instances in which guests become a source of threat to the
profitability of the hotel instead of being its source of profit.

An example of this is the Resorts World Manila incident, where management decided to lock
down the hotel following reports of gunfire from unidentified men. The CCTV footage showed
that a lone gunman entered the establishment, torched the gaming tables, fired warning shots,
and locked himself up in a room. Losses and damages in this case, however, cannot be
attributed solely to the behavior of the guest, considering the security lapses in the hotel
found by the investigation.

Suits arising from people who are injured or prejudiced in the guestrooms can also be considered
as a risk to the hotel management, both with regards to their profitability and branding.
Best Practice for Hotel Customer Service Recovery
On the FSC website, the following best practices for hotel customer service recovery are
enumerated:

1. Deal with guests' complaints the very moment they arise;
2. Ensure the complaints can reach the right person;
3. Build a full picture of guest preferences;
4. Keep tabs on recovery service costs;
5. In-depth analysis of service recovery efficiency.

The guest in a hotel must be treated with utmost hospitality, to the extent that they feel
that they are at home. Guest complaints must be attended to at the soonest possible time to
ensure total customer satisfaction. Friendly dashboards can help hotel staff access the details
of the information that needs urgent attention, so that hotel management can save time,
analyze current hotel performance, and make data-driven decisions.
Liability of Hotel in a Personal Injury Claim
The hotel may be held liable in a lawsuit due to the negligence or carelessness of hotel employees.
Liability arises if it can be proved that the hotel management acted negligently. The
negligence must take the form of a breach by the hotel of a duty it owed to the guest who was injured
on the premises.

Duties of the Hotel to the Guests (2 parts)

Specifically, the hotel is expected to do, but is not limited to, the following:

1. Inspect the hotel grounds and maintain the property in a reasonably safe condition. This
includes the repair of dangerous conditions and taking affirmative steps to protect
guests from known or reasonably discoverable conditions.
Management Dashboard
A management dashboard is a collection of critical hotel data in a usable format, needed by the hotel to analyze past
and current hotel performance, predict the future, and formulate strategies. This means that the
key performance indicators of a hotel can be tracked from a single dashboard without having
to collect reports from multiple sources and compile them.

Staff
Staffing is another risk that the hospitality industry usually faces, as the quality of service
that the clientele desire can only be delivered through the proper conduct of staff in any
given situation, place and time. The hospitality industry should look for reliable, skilled, and
friendly people (housekeepers, among others) who can be relied on by guests and potential
guests. - Palermo (1985)