Philippines: Company Compliance With The Philippines' Data Privacy Act

Last Updated: 11 September 2017
Article by Joyce Ilagan

Applicable companies in the Philippines that missed the 8 September deadline to register their personal information controller and processor systems with the authorities should do so as soon as possible.

In line with the Philippines' Data Privacy Act 2012, personal information controllers (PICs) and personal information processors (PIPs) are expected to appoint a Data Protection Officer (DPO), who must be a full-time or organic employee of the PICs or PIPs. The one-year grace period for this action ended on Friday, 8 September 2017.

Need help to complete this process? Get in touch with the TMF Philippines team today.


In 2012 the Philippines passed the Data Privacy Act (Republic Act No. 10173), an act protecting individual personal data in information and communications systems in both the government and the private sector. This comprehensive privacy law also established the National Privacy Commission (NPC), which is tasked with implementing the provisions of the Act.

On 9 September 2016, the implementing rules and regulations (IRRs) came into force. The law is intended to bring the Philippines to the next level and ensure compliance with international standards of data protection.


Under the implementing rules and regulations (IRR), the PICs and the PIPs are mandated to register their personal data processing systems with the NPC under the following conditions:

  • If sensitive personal information of at least 1,000 individuals is processed
  • If the personal information controller or processor employs at least 250 persons
  • If fewer than 250 persons are employed but the processing is not occasional
  • If fewer than 250 persons are employed but the processing of the information might pose a risk to the rights and freedoms of the data subject.

The IRR sets the required security measures for the protection of personal data:

  • assign someone to function as data protection officer, compliance officer or any other officer accountable for ensuring compliance with applicable laws and regulations on data privacy and security
  • implement appropriate data protection policies that provide for organisational, physical, and technical security measures
  • maintain records that sufficiently describe their data processing system and identify the duties and responsibilities of those individuals who will have access to personal data
  • select, train and supervise employees, agents, or representatives who will have access to personal data
  • develop, implement and review policies and procedures for the collection and processing of personal data, for data subjects to exercise their rights under the DPA, access management, system monitoring, protocols for security incidents or technical problems, and data retention
  • ensure through appropriate contractual agreements that their personal information processors shall also implement the security measures required by the law and the IRR
  • comply, where appropriate, with physical security guidelines set forth in the IRR, and
  • adopt and establish technical security measures such as, but not limited to, a security policy for the processing of personal data; safeguards to protect their computer network; periodic evaluation of security measures' effectiveness; and personal data encryption.

To monitor the compliance of PICs and PIPs with the law, summaries of documented security incidents and personal data breaches have to be reported by the PICs and PIPs to the NPC. In case of any data breach, the NPC and the affected data subject should be notified by the concerned PIC or PIP within 72 hours from the discovery of the personal data breach.


The Act and these rules apply to the processing of personal data by any natural and juridical person in the government or private sector. They apply to an act done or practice engaged in and outside of the Philippines if:

  1. the natural or juridical person involved in the processing of personal data is found or established in the Philippines
  2. the act, practice or processing relates to personal data about a Philippine citizen or Philippine resident
  3. the processing of personal data is being done in the Philippines, or
  4. the act, practice or processing of personal data is done or engaged in by an entity with links to the Philippines, with due consideration to international law and comity, such as, but not limited to, the following:

    1. the entity uses equipment located in the country, or maintains an office, branch or agency in the Philippines for processing of personal data
    2. a contract is entered in the Philippines
    3. a juridical entity unincorporated in the Philippines that has central management and control in the country
    4. an entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal data.

Impact on businesses – local or foreign

The NPC has initially determined the business sectors or institutions processing personal data and operating in the Philippines as PICs and PIPs. To ensure compliance, business entities should conduct an assessment and evaluation of their respective organisations.


Rule XIII of the IRR specifies the penalties for violations pertaining to personal information and sensitive personal information that include unauthorised processing, access due to negligence, improper disposal, processing for unauthorised purposes, unauthorised access or intentional breach, concealment of security breaches, malicious disclosure, and unauthorised disclosure.

There are corresponding fines and periods of imprisonment for each of these violations, ranging from P100,000 to P5,000,000 and six months to seven years imprisonment.


The IRRs allowed for a one-year period (ending on 8 September 2017) within which PICs and PIPs had to appoint a Data Protection Officer. This is done by submitting a notarised DPO reporting form with supporting documents. Under NPC Advisory No. 2017-01 (Designation of Data Protection Officers), a DPO should have the following qualifications:

  1. Expertise in relevant privacy or data protection policies and practices
  2. Sufficient understanding of their organisation's processing operations, information systems, data security, and/or data protection needs
  3. A full-time or organic employee of the personal information controller or processor, as applicable
  4. A regular or permanent employee of the personal information controller or processor, as applicable, who should hold at least a 2-year employment contract with his or her organisation, and
  5. Independent in the exercise of his or her functions such that the performance of his or her duties will not give rise to a conflict of interest.

Organisations covered by the requirement to register their data processing systems with the NPC should also prepare for the 8 March 2018 deadline for phase two of the registration process. In line with the requirements of the IRR of the Data Privacy Act of 2012, and subject to additional requirements as may be imposed by the NPC, covered entities should prepare the following information and documents:

  1. The name and address of the personal information controller or personal information processor, and of its representative, if any, including their contact details
  2. The purpose or purposes of the processing, and whether processing is being done under an outsourcing or subcontracting agreement
  3. A description of the category or categories of data subjects, and of the data or categories of data relating to them
  4. The recipients or categories of recipients to whom the data might be disclosed
  5. Proposed transfers of personal data outside the Philippines
  6. A general description of privacy and security measures for data protection
  7. Brief description of the data processing system
  8. Copy of all policies relating to data governance, data privacy, and information security
  9. Attestation to all certifications attained that are related to information and communications processing, and
  10. Name and contact details of the DPO.

Any automated processing operation, where processing is the sole basis of making decisions that would significantly affect the data subject, must also be notified.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
