Data Protection and Privacy Act in the Philippines

As the world becomes more digitally connected, data protection and privacy matter more than ever. With so many people using social media every day, it’s important to know your options for protecting yourself online.

This article will give you an overview of how data protection works in the Philippines and how to protect your personal information from being misused by social media companies.

Data Protection and Privacy in the Philippines

Data Protection in the Philippines

Data protection refers to the laws put in place to protect the privacy and security of your personal data. The main goal of such laws is to ensure that people keep control over their own information and that it is used only for declared, legitimate purposes.

When it comes to social media in the Philippines, two pieces of legislation matter most: Republic Act No. 10175, the Cybercrime Prevention Act (CPA), and Republic Act No. 10173, the Data Privacy Act (DPA).

The Cybercrime Prevention Act

The Cybercrime Prevention Act of 2012 (Republic Act No. 10175) was approved on September 12, 2012. Its stated aim is a comprehensive approach to cybercrime: a framework and institutional mechanisms that enhance cooperation, coordination and consistency among the agencies involved in prosecuting these crimes, while preserving each agency’s independence. The law addresses legal issues concerning online interactions and internet use in the Philippines and penalizes the misuse of, or unauthorized access to, computers and computer systems to commit offenses such as fraud and hacking.

What is a computer?

The law says:

A computer is any electronic, magnetic, optical, electrochemical or other data-processing or communications device, or a grouping of such devices, capable of performing logical, arithmetic, routing or storage functions, together with any storage or communications equipment directly related to or operating in conjunction with it.

The term covers any type of computer device with data-processing capabilities, including mobile phones, smartphones, tablets, computer networks and other devices connected to the internet.

Computer data, in turn, means any representation of facts, information or concepts in a form suitable for processing in a computer system. This includes programs designed to cause a computer system to perform a function, as well as electronic documents and electronic data messages, whether stored on local systems or online.

The Act also defines “cybersecurity”, a term that features in the wider discussion the law has prompted.

The law says:

Cybersecurity is the collection of tools, policies, risk-management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and the assets of organizations and users. Separately, the Act obliges service providers to assist law enforcement authorities in preserving and disclosing computer data.

A service provider is any public or private entity that gives users of its service the ability to communicate by means of a computer system, or any other entity that processes or stores computer data on behalf of such a communication service or its users.

The Cybercrime Prevention Act requires service providers to preserve the integrity of the traffic data and subscriber information relating to the communication services they provide. Traffic data is any computer data other than the content of a communication, such as its origin, destination, route, time, date, size, duration or the type of underlying service.

The Act requires traffic data and subscriber information to be preserved for a minimum of six months from the date of the transaction. Content data must likewise be preserved for six months from the date the service provider receives a preservation order from law enforcement authorities. Law enforcement may order a one-time extension of another six months, and once preserved data is used as evidence in a case, it must be kept until the case is terminated.

The Data Privacy Act

In 2012, the Philippines enacted the Data Privacy Act (Republic Act No. 10173), designed to protect the privacy of individuals while ensuring the free flow of information to promote innovation and growth. It also established the National Privacy Commission (NPC), which oversees and enforces the law.

The Implementing Rules and Regulations (IRR) of the Act took effect on September 9, 2016, adding specificity to the Act’s provisions.

Scope and Application

The Data Privacy Act applies to the processing of all types of personal information and to any natural or juridical person involved in such processing, whether a business or an individual. It also reaches controllers and processors that are not established in the Philippines but use equipment located in the country or maintain an office, branch or agency there, and it extends to acts done outside the Philippines that relate to personal information about Philippine citizens or residents.

However, the Act carves out an exception: it does not apply to personal information originally collected from residents of foreign jurisdictions, in accordance with those jurisdictions’ laws, that is merely being processed in the Philippines. This means that cloud computing and outsourcing companies in the Philippines can process and store such foreign-collected information without bringing it under the Act.


The Philippines’ Data Privacy Act requires that the processing of personal data be carried out in line with the principles of transparency, proportionality, and legitimate purpose.

Collection, processing, and consent

The Act requires that the purpose for collecting personal data be declared and specified, and that consent be obtained before processing begins unless another lawful basis applies.

The data subject must be informed about the purpose and extent of the processing of their personal data, including any automated processing and any processing for direct marketing or profiling.

The Act defines consent as a freely given, specific and informed indication of will by which the data subject agrees to the collection and processing of personal information about them; it must be evidenced by written, electronic or recorded means. Consent is not the only lawful basis for processing, however.

Consent is not required when the processing is necessary to fulfil a contract to which the data subject is a party, or to take steps at the data subject’s request before entering into one. Other lawful bases include compliance with a legal obligation of the controller, protection of the data subject’s life and health (vital interests), and response to a national emergency or to public-order and safety requirements.

Finally, personal information may be processed without consent where this is necessary for the legitimate interests pursued by the controller or a third party, provided those interests are not overridden by the fundamental rights and freedoms of the data subject.

Required agreements

When personal data is shared with third parties, the law requires that the data be protected and that sharing for commercial purposes, such as direct marketing, be covered by a data sharing agreement, which the National Privacy Commission may review on its own initiative or upon complaint.

Sensitive Personal and Privileged Information

The law defines sensitive personal information as being:

  • Information about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
  • Information about an individual’s health, education, genetic or sexual life, or about any proceeding for any offense committed or alleged to have been committed by that person, the disposal of such proceedings, or the sentence of any court;
  • Information issued by government agencies that is “peculiar” (unique) to an individual, such as social security numbers, health records, licenses and tax returns;
  • Information specifically established by executive order or act of Congress to be kept classified.

The processing of sensitive personal information and privileged information is prohibited except in specific circumstances. These exceptions include:

  • Consent of the data subject, given before the processing and specific to its purpose;
  • Processing provided for by existing laws and regulations that do not require consent and that guarantee protection of the information;
  • Processing necessary to protect the life and health of the data subject or another person, where the data subject is not legally or physically able to consent beforehand;
  • Processing necessary for medical treatment, carried out by a medical practitioner or institution with an adequate level of protection;
  • Processing necessary to protect the lawful rights and interests of persons in court proceedings, to establish, exercise or defend legal claims, or when provided to government or a public authority.


Interestingly, the Human Security Act of 2007 (Republic Act No. 9372), the anti-terrorism law that governed surveillance at the time, had to be applied in a manner consistent with the Privacy Act. That law has since been repealed by the Anti-Terrorism Act of 2020 (Republic Act No. 11479).

Privacy program required

The Data Privacy Act of 2012 requires organizations that process or store personal data to establish and implement procedures designed to protect the privacy of the information they collect. These procedures must limit processing to declared, specified purposes and give data subjects access to their data. Beyond a privacy program, the Act also requires reasonable and appropriate organizational, physical and technical security measures to protect personal information against accidental or unlawful destruction, alteration and disclosure, and against any other unlawful processing.

Data subjects’ rights

The Act grants data subjects, the individuals whose personal information is collected and used, a set of rights. These include the right to access and control that information, the right to object to processing, including processing for direct marketing, and the right to suspend, withdraw or order the blocking, removal or destruction of their data.

Philippine law also provides a form of the right to be forgotten: the right to erasure or blocking, which allows an individual to ask the personal information controller to remove or block their personal data from its filing system. This right is limited, however. The burden is on the data subject to substantiate the grounds (for example, that the data is incomplete, outdated, false, unlawfully obtained or no longer necessary), and continued publication may be justified by other rights recognized in law.

A private right of action is available to individuals who believe their personal data has been wrongfully obtained or used, against the backdrop of an increasing number of complaints about the misuse of private information.

Mandatory personal information breach notification

The law distinguishes a “security incident” from a “personal data breach”, and the two should not be confused. A security incident is any event or occurrence that affects, or tends to affect, data protection, or that may compromise the availability, integrity or confidentiality of personal data; it includes incidents that would have resulted in a breach had safeguards not been in place. A personal data breach is a subset of security incidents: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.

Requirement to notify 

Not every personal data breach must be notified. Section 38 of the IRR sets out the conditions under which notification is mandatory; all of the following must hold:

  • The breached information is sensitive personal information, or other information that could be used to enable identity fraud; and
  • There is a reasonable belief that the information has been acquired by an unauthorized person; and
  • The personal information controller or the Commission believes that the risk to the data subject is real; and
  • The potential harm to the data subject is serious.

The law allows the Commission to exempt a personal information controller from notification where, in the Commission’s reasonable judgment, notification would not be in the public interest or in the interest of the affected data subjects.

Notification timeline and recipients

The law requires that the National Privacy Commission and the affected individuals be notified within 72 hours of the personal information controller’s knowledge of, or reasonable belief that, a personal data breach requiring notification has occurred.

The Commission may also authorize a postponement of notification where immediate notification would hinder the progress of a criminal investigation related to a serious breach.

Notification contents

The notification must at least:

  • Describe the nature of the breach;
  • Identify the personal data possibly involved;
  • State the measures taken by the entity to address the breach;
  • State the measures taken to reduce the harm or negative consequences of the breach;
  • Name the representatives of the personal information controller, including their contact details;
  • Describe any assistance to be provided to the affected data subjects.


Violations of the law carry penalties that include imprisonment and fines. The Act defines separate offenses for, among others, unauthorized processing, processing for unauthorized purposes, negligent access, improper disposal, unauthorized access or intentional breach, concealment of security breaches, and malicious or unauthorized disclosure of personal and sensitive personal information.

A combination or series of these acts exposes the offender to imprisonment of three (3) to six (6) years and a fine of PHP 1,000,000 to PHP 5,000,000 (roughly USD 20,000 to USD 100,000).

Besides these, victims of a data breach have private rights of action, including the right to recover damages.

Penalties for failure to notify

A person who, after having knowledge of a security breach involving sensitive personal information and of the obligation to notify the Commission, intentionally or by omission conceals the fact of the breach faces imprisonment of one (1) year and six (6) months to five (5) years and a fine of PHP 500,000 to PHP 1,000,000 (roughly USD 10,000 to USD 20,000).

Where the offender is a corporation, partnership or other juridical person, the penalty is imposed on the responsible officers who participated in the offense or, by their gross negligence, allowed it to be committed.

Implementing Rules and Regulations of the Data Privacy Act of 2012

To understand the Act fully, read it together with its Implementing Rules and Regulations, which the National Privacy Commission publishes on its website.

Frequently Asked Questions

1. What is a DPO?

Appointing a Data Protection Officer (DPO) is a requirement under the Data Privacy Act of 2012. The DPO is accountable for ensuring that the organization’s collection and use of personal information complies with the Act, its IRR and the issuances of the National Privacy Commission.

2. When must an organization register its DPO?

Registration with the National Privacy Commission is mandatory for personal information controllers and processors that have at least 250 employees, that process the sensitive personal information of at least 1,000 individuals, or whose processing is likely to pose a risk to the rights and freedoms of data subjects. The DPO completes and submits the registration form, along with supporting documents, to the National Privacy Commission (NPC).

3. What is a PIP?

A personal information processor (PIP) is any natural or juridical person qualified under the Act to whom a personal information controller (PIC) may outsource the processing of personal data. A PIP must also designate a data protection officer to oversee the protection of the personal data it processes.

4. What is the purpose of PIA?

A Privacy Impact Assessment (PIA) is a process for evaluating a program, project, process, system or technology that involves personal data, identifying its privacy risks and the measures needed to manage them, so that the organization processes data in accordance with the DPA.

5. When are security incident reports due?

Organizations must submit an annual summary report of security incidents, covering the preceding year, to the NPC by March 31. For organizations that had already registered with the NPC, the first such deadline was March 31, 2018, and the requirement continues to apply each year.

6. What is the importance of data privacy law?

These rules give effect to the provisions of the Data Privacy Act and provide a framework for protecting the privacy of individuals’ personal information, while ensuring that the free flow of information is not restricted.

7. What is the purpose of the National Privacy Commission?

The NPC was created by the Data Privacy Act of 2012 to administer and implement the law, monitor compliance, and protect the personal information held in the information and communications systems of the government and the private sector.

8. What are the principles of data privacy?

The processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality.

9. What is data sharing agreement?

A data sharing agreement is required when personal data is shared between organizations for commercial purposes, such as direct marketing. It must ensure that the information is protected from unauthorized access and use, and it must uphold the rights of the data subjects.

Video: Know Your Data Privacy Rights!

Did you know that you have a right to privacy? Yes, you do! The law protects your personal information from being accessed and used by others without your consent. It gives you the right to know what information is collected about you, how it is used and shared with third parties. By understanding your rights, you can take steps to protect your privacy. The following are some of your rights:

Right to be Informed

The data subject has the right to be informed whether personal information about him or her is being, or has been, processed, and to be given the details required by the Data Privacy Act and its IRR before the information is collected, or at the next practical opportunity. Before the information is used or disclosed to third parties, the data subject must be given the necessary information.

Right to Object

The data subject has the right to object to the processing of his or her personal information, including processing for direct marketing, automated processing or profiling, and to object to any change to the information supplied. However, processing may still be carried out despite the objection in certain cases, for example where it is needed to perform a contract with the data subject or is required by law or a subpoena.

Right to Access

The data subject also has the right to reasonable access, upon demand, to details about the personal information collected about him or her. These include the contents of the data, the sources from which it was obtained, the names and addresses of its recipients, the manner in which it was processed, the reasons for any disclosure, information on automated decision-making, the date it was last accessed or modified, and the name and address of the personal information controller.

Right to Rectification

The data subject has the right to dispute any inaccuracy or error in his or her personal information and to have the personal information controller correct it promptly, unless the request is vexatious or otherwise unreasonable.

Right to Erasure or Blocking

If the data subject can substantiate that his or her personal information is incomplete, outdated, false or unlawfully obtained, is being used for unauthorized purposes, or is no longer necessary for the purposes for which it was collected, he or she has the right to have the controller suspend, withdraw or order the blocking, removal or destruction of that data from its filing system.

Right to Damages

The data subject may be indemnified for damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of his or her personal data. The damages awarded depend on the extent to which the violation of his or her rights caused harm.

Right to Data Portability

Where personal data is processed by electronic means, the data subject has the right to obtain a copy of it in an electronic or structured, commonly used format that allows further use, for example to move it to another provider.

These rights aim to protect the data subject’s privacy and data integrity. They also aim to give him or her control over his or her personal data by allowing them to take their data with them when they switch providers.

Final Thoughts

Data privacy and protection are important in today’s world, where data is everywhere. It is vital for both individuals and organizations to understand their rights and obligations under the Data Privacy Act so that personal data stays secure in the Philippines. The Data Privacy Act and the Cybercrime Prevention Act were enacted to protect individuals and organizations from cybercrimes, including identity theft and data breaches. The NPC is also a good resource for both individuals and organizations that want to know their rights and obligations under Philippine law.

We hope that you’ve gained a better understanding of the Data Privacy Act and how the NPC protects you. If you have any questions or comments, please feel free to leave them in the comment section below.

DISCLAIMER: This post is intended for educational purposes only. It is not intended to be a substitute for professional legal advice. You should not rely on the information contained in this post to make decisions about your legal rights, duties or obligations.

