On Possibility of Processing as Actual Processing
Is possibility of processing tantamount to actual processing? If someone hands you a box for safekeeping and inside the box is a handful of business cards, are you processing personal information contained in such business cards already?
According to NPC Advisory Opinion No. 2022-007, a courier handling physical media with personal information inside (such as documents or hard drives) cannot be considered as processor of such information if they have no (legal) way of obtaining knowledge of such information inside. They may be considered as processor for knowing the personal information of the sender and receiver instead. Thus, generally, they may not be liable for unlawful processing due to negligence if such physical media has been damaged or lost during their care (since they are not a processor).
Take note, however, of NPC Advisory Opinion No. 2021-09. A lessor took possession of servers abandoned by the lessee. May the lessor delete the contents of the data server which may or may not contain personal information and reuse such servers for another purpose? According to the NPC, it depends on the lease agreement and court order, since deleting is still processing, and “by having the control of and discretion in the use of personal information of individuals, they are already considered the controller. They are thus accountable for the protection of the information and for the observation of the obligations under the law.”
I believe the difference between the two advisory opinions lies on the fact that in the first situation, the courier does not own the physical media with personal information inside. On the other hand, in the second situation, the lessor has complete control over the hard drivers which were abandoned by the lessee, making them controller to the personal information kept inside such hard drives.