COMPARATIVE GUIDE
11 February 2025

Data Privacy Comparative Guide

Philippines Privacy

1 Legal and enforcement framework

1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?

Republic Act No. 10173, fully titled "An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes", otherwise known as the Data Privacy Act of 2012 ("DPA"), was enacted to protect individual personal information in information and communications systems in the government and the private sector. The National Privacy Commission ("NPC") was established under this law as the lead agency to implement its provisions, and in that capacity promulgated the Implementing Rules and Regulations ("IRR") of the DPA.

1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?

The DPA generally applies to all sectors and data types in the private sector. However, for the banking and finance sectors, Congress enacted the following special laws, which remain valid despite the enactment of the Data Privacy Act of 2012:

  1. The Secrecy of Bank Deposits Act, which states that all deposits of whatever nature with banks or banking institutions in the Philippines are considered confidential in nature and may not be examined, inquired into, or looked into by any person, government official, bureau, or office, save for certain exceptions provided in the law;
  2. The Foreign Currency Deposit Act, which declares that all foreign currency deposits are declared and considered of an absolutely confidential nature;
  3. The Credit Information System Act which provides that the Credit Information Corporation and other concerned entities shall hold the credit information under strict confidentiality and shall use the same only for the declared purpose of establishing the creditworthiness of the borrower; and
  4. The Anti-Money Laundering Act, which states that the Anti-Money Laundering Council may inquire into or examine any deposit or investment with any banking institution upon order of any competent court in cases of violation of that Act, notwithstanding the provisions of other relevant laws.

In the healthcare sector, the Philippine HIV and AIDS Policy Act provides that the confidentiality and privacy of any individual who has been tested for HIV, has been exposed to HIV, has an HIV infection or HIV- and AIDS-related illnesses, or was treated for HIV-related illnesses shall be guaranteed.

For the media sector, Republic Act No. 53 affords publishers, editors, or duly accredited reporters of any publication of general circulation protection from being compelled to reveal the source of any news report or information appearing in said publication which was related in confidence to such publisher, editor, or reporter.

1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?

The General Data Protection Regulation applies to companies based in the Philippines that are engaged in businesses involving European Union ("EU") citizens, specifically organizations that operate in the EU and/or process the personal information of EU citizens, regardless of the organization's size or location.

1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?

The NPC is an independent body responsible for enforcing data privacy legislation in the Philippines. Under Section 7 of the DPA, it is mandated to administer and implement the law, to monitor and ensure compliance of the country with international standards set for data protection, and to perform the following functions:

  1. Rulemaking – the NPC shall develop, promulgate, review, or amend rules and regulations for the effective implementation of the DPA;
  2. Advisory – the NPC shall be the advisory body on matters affecting protection of personal data;
  3. Public education – the NPC shall undertake necessary or appropriate efforts to inform and educate the public of data privacy, data protection, and fair information rights and responsibilities;
  4. Compliance and monitoring – the NPC shall perform compliance and monitoring functions to ensure effective implementation of the DPA, its IRR, and other issuances;
  5. Complaints and investigations – the NPC shall adjudicate on complaints and investigations on matters affecting personal data;
  6. Enforcement – the NPC shall perform all acts as may be necessary to effectively implement the DPA, its IRR, and its other issuances, and to enforce its Orders, Resolutions, or Decisions, including the imposition of administrative sanctions, fines, or penalties; and
  7. Other functions as may be necessary to fulfil its mandate under the DPA.

1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?

Rule III, Section 9(a)(3) of the DPA provides that current data privacy best practices are considered by the NPC in issuing guidelines for organizational, physical, and technical security measures for personal data protection.

Rule VI, Section 29 of the IRR of the DPA provides that current data privacy best practices are likewise considered by the NPC in monitoring compliance of natural or juridical persons or other bodies involved in the processing of personal data, specifically their security measures, with the guidelines provided in the IRR and subsequent issuances of the NPC.

2 Scope of application

2.1 Which entities are captured by the data privacy regime in your jurisdiction?

Section 4 of the DPA applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers ("PIC") and personal information processors ("PIP") who, although not found or established in the Philippines, use equipment located in the Philippines, or those who maintain an office, branch, or agency in the Philippines.

2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?

Under Section 4 of the DPA, its provisions do not apply to the following:

  1. Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including the fact of his/her employment, his/her title, business address and office number, classification, salary range and work responsibilities, and his/her name on a document prepared by him/her in the course of employment;
  2. Information about an individual who is or was performing service under contract for a government institution that relates to the services performed;
  3. Information relating to any discretionary benefit of a financial nature, including the name of the individual and the exact nature of the benefit;
  4. Personal information processed for journalistic, artistic, literary, or research purposes;
  5. Information necessary to carry out the functions of public authority which includes the processing of personal data for the performance of their constitutionally and statutorily mandated functions;
  6. Information necessary for banks and other financial institutions under the jurisdiction of the Bangko Sentral ng Pilipinas to comply with relevant laws; and
  7. Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions which is being processed in the Philippines.

Under Section 5, publishers, editors, or duly accredited reporters of any publication of general circulation are protected from being compelled to reveal the source of any news report or information appearing in said publication which was related in confidence to that publisher, editor, or reporter.

2.3 Does the data privacy regime have extra-territorial application?

Under Section 6 of the DPA, the law applies to an act done or practice engaged in and outside of the Philippines by an entity if:

  1. The act, practice or processing relates to personal information about a Philippine citizen or a resident;
  2. The entity has a link with the Philippines, and the entity is processing personal information in the Philippines, or the processing is outside the Philippines but concerns Philippine citizens or residents; such links include, but are not limited to, the following:
    1. A contract is entered into in the Philippines;
    2. A juridical entity not incorporated in the Philippines but having its central management and control in the country; and
    3. An entity that has a branch, agency, office, or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information; and
  3. The entity has other links in the Philippines such as, but not limited to:
    1. The entity carries on business in the Philippines; and
    2. The personal information was collected or held by an entity in the Philippines.

3 Definitions

3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.

Section 3 of the DPA defines the following terms as follows:

  1. Data processing – any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of data.
  2. Data processor – [PIP] refers to any natural or juridical person qualified to act as such under the DPA to whom a PIC may outsource the processing of personal data pertaining to a data subject.
  3. Data controller – [PIC] refers to a person or organization who controls the collection, holding, processing, or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer, or disclose personal information on his or her behalf. The term excludes:
    1. A person or organization who performs such functions as instructed by another person or organization; and
    2. An individual who collects, holds, processes, or uses personal information in connection with the individual's personal, family or household affairs.
  4. Data subject – an individual whose personal information was processed.
  5. Personal data – [personal information] refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
  6. Sensitive personal data – refers to personal information:
    1. About an individual's race, ethnic origin, marital status, age, color, and religious, philosophical, or political affiliations;
    2. About an individual's health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
    3. Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
    4. Specifically established by an executive order or an act of Congress to be kept classified.
  7. Consent – any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic, or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.

3.2 What other key terms are relevant in the data privacy context in your jurisdiction?

Section 3(k) of the DPA and Section 3(e) of the IRR of the DPA define the following terms as follows:

Privileged information – refers to all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.

Data processing systems – refers to the structure and procedure by which personal data is collected and further processed in an information and communications system or relevant filing system, including the purpose and intended output of the processing.

NPC Circular No. 2022-04 dated 05 December 2022 likewise defines Data Protection Officer as follows:

Data Protection Officer – an individual designated by the head of agency or organization to ensure its compliance with the DPA, its IRR, and other issuances of the NPC.

4 Registration

4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?

Under Section 5, NPC Circular No. 2022-04, only the following PICs or PIPs operating in the country are mandated to register their Data Processing Systems ("DPS") and Data Privacy Officer ("DPO") through the NPC Registration System ("NPCRS") (accessible at: https://npcregistration.privacy.gov.ph):

  1. Those that employ two hundred fifty (250) or more persons; or
  2. Those processing sensitive personal information of one thousand (1,000) or more individuals; or
  3. Those processing data that will likely pose a risk to the rights and freedoms of data subjects.

Further, a DPS processing personal or sensitive personal information involving automated decision-making or profiling shall, in all instances, be registered with the NPC.

A covered PIP or PIC shall file its application for registration through its designated DPO via the NPCRS.

A PIC or PIP who fails to comply with an Order of the NPC to submit documents or to register its DPO or DPS shall be liable for failure to register and failure to comply and shall be subject to the corresponding fine in accordance with the Guidelines on Administrative Fines issued by the NPC.

4.2 What is the process for registration?

A PIC or PIP shall first create an account by signing up via NPCRS. NPC Circular No. 2022-02 provides that the following process must be observed:

  1. Upon signing up, the PIC or PIP shall input the name and contact details of the DPO together with a unique and dedicated email address, specific to the position of DPO.
  2. During registration proper, the PIC or PIP shall encode the name and contact details of the Head of the Organization or Head of Agency.
  3. The prescribed application form shall be accomplished and shall be uploaded together with all supporting documents.
  4. The details of all DPS owned by the PIC or PIP at the time of the initial registration shall be encoded into the platform.
  5. The PIC or PIP shall identify and register all publicly facing online mobile or web-based applications.
  6. The submissions of the PIC or PIP shall undergo review and validation by the NPC. In case of any deficiency, the PIC or PIP shall be informed of the same and shall be given five (5) days to submit the necessary requirements. Once the submissions have been validated and considered complete, the PIC or PIP shall be informed that the Certificate of Registration is available for download.

An Individual Professional shall register only under his/her name and indicate his/her principal business address and contact details. Registration through physical submission of requirements is not allowed.

4.3 Is registered information publicly accessible?

No, registered information is not publicly accessible. The QR code in the NPC Seal issued after successful registration of a PIC or PIP with the NPC only contains the PIC or PIP's name, email address, and date of validity of the NPC seal.

5 Data processing

5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?

Sections 12 and 13 of the DPA provide two separate sets of criteria for the lawful processing of 1) personal information and 2) sensitive personal information and privileged information.

Processing of personal information shall be permitted only if not otherwise prohibited by law and when at least one of the following conditions exists:

  1. The data subject has given consent;
  2. The processing of personal information is necessary and is related to the fulfilment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
  3. The processing is necessary for compliance with a legal obligation to which the PIC is subject;
  4. The processing is necessary to protect vitally important interests of the data subject, including life and health;
  5. The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or
  6. The processing is necessary for the purposes of the legitimate interests pursued by the PIC or by third parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

Processing of sensitive personal information and privileged information shall be prohibited, except in the following cases:

  1. The data subject has given consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;
  2. The processing of the same is provided for by existing laws and regulations; provided, that such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information; provided, further, that the consent of the data subjects is not required by the law or regulation permitting the processing of the sensitive personal information or the privileged information;
  3. The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;
  4. The processing is necessary to achieve the lawful and non-commercial objectives of public organizations and their associations; provided, that such processing is only confined and related to the bona fide members of these organizations or their associations; provided, further, that the sensitive personal information are not transferred to third parties; provided, finally, that consent of the data subject was obtained prior to processing;
  5. The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or
  6. The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defence of legal claims, or when provided to government or public authority.

5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?

The processing of personal information shall comply with the requirements under the DPA and adherence to the principles of transparency, legitimate purpose, and proportionality.

Section 11 provides that personal information must be:

  1. Collected for specified and legitimate purposes determined and declared before, or as soon as possible after collection, and processed in a way compatible with such declared, specified and legitimate purposes only;
  2. Processed fairly and lawfully;
  3. Accurate, relevant and, where necessary, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed, or their further processing restricted;
  4. Adequate and not excessive in relation to the purposes for which they are collected and processed;
  5. Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law; and
  6. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed; provided, that personal information collected for other purposes may be processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods; provided, further, that adequate safeguards are guaranteed by said laws authorizing their processing.

The same general principles apply regardless of the type of data being processed or whether data is outsourced or not.

5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?

The following two (2) NPC issuances should also be considered when processing personal data in the Philippines:

1. NPC Circular No. 2023-07 (13 December 2023)

The Guidelines on Legitimate Interest provide guidance on the application of Section 12(f) of the DPA, i.e., processing of personal information that is necessary for the legitimate interests pursued by the PIC or a third party to whom the personal information is disclosed.

Thus, processing based on legitimate interest requires the fulfilment of the following conditions:

  1. The legitimate interest is lawful and established, and does not override fundamental rights and freedoms of data subjects; and
  2. The means to fulfil the legitimate interest is both necessary and lawful.

However, a PIC or third party cannot lawfully rely on legitimate interest when the processing undertaken overrides the data subject's fundamental rights and freedoms. Thus, the PIC or third party shall look at the effect or impact of accomplishing the legitimate interest, and consider both the purpose of the processing and how the established interest is fulfilled.

2. NPC Circular No. 2023-04 (07 November 2023)

The Guidelines on Consent provide guidance on what constitutes valid consent, and on how it shall be obtained and managed in compliance with the DPA and its IRR.

Accordingly, the elements of consent are:

  1. Freely given;
  2. Specific;
  3. Informed;
  4. An indication of will; and
  5. Evidenced by written, electronic, or recorded means.

6 Data transfers

6.1 What requirements and restrictions apply to the transfer of data to third parties?

Under Rule IV, Section 20 of the IRR of the DPA, data sharing shall be allowed under certain conditions such as:

  1. When it is expressly authorized by law;
  2. Data sharing shall be allowed in the private sector if consent is obtained, and the following conditions are present:
    1. Consent for data sharing shall be required even when the data is to be shared with an affiliate or mother company, or similar relationships;
    2. Data sharing for commercial purposes, including direct marketing, shall be covered by a data sharing agreement;
    3. The data subject shall be provided with the following information prior to collection or before data is shared:
      1. Identity of the PIC/PIPs that will be given access to the personal data;
      2. Purpose of data sharing;
      3. Categories of personal data;
      4. Intended recipients of the personal data;
      5. Existence of the rights of data subjects;
      6. Other information that would sufficiently notify the data subject of the nature and extent of data sharing and the manner of processing.
    4. Further processing of shared data shall adhere to the data privacy principles laid down in the DPA, its IRR, and other issuances of the NPC.
  3. Data collected from parties other than the data subject for purpose of research shall be allowed when the personal data is publicly available or has the consent of the data subject for purpose of research; provided, that adequate safeguards are in place, and no decision directly affecting the data subject shall be made based on the data collected or processed. The rights of the data subject shall be upheld without compromising research integrity.
  4. Data sharing between government agencies for the purpose of a public function or provision of a public service shall be covered by a data sharing agreement.
    1. Any or all government agencies party to the agreement shall comply with the DPA, its IRR, and all other issuances of the NPC, including putting in place adequate safeguards for data privacy and security.
    2. The data sharing agreement shall be subject to review of the NPC, on its own initiative or upon complaint of the data subject.

However, despite the wording above, it is worth noting that NPC Circular No. 2020-03 does not mandate the execution of a Data Sharing Agreement. This was further clarified by the NPC in several of its subsequent Advisory Opinions, including Advisory Opinion No. 2023-014 (21 June 2023), wherein the NPC stated that the execution of a Data Sharing Agreement is no longer mandatory, and the parties may resort to other contractual schemes containing the terms and conditions of the sharing arrangement. Nevertheless, the execution of a DSA is considered a best practice and a demonstration of accountability by the personal information controllers.

Further, in Advisory Opinion No. 2021-043 (16 December 2021), the NPC stated that the data sharing may be based on any of the criteria for lawful processing of personal data in Sections 12 and 13 of the DPA and may also be allowed pursuant to Section 4 of the DPA which specifies special cases.

6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?

Rule XII, Section 50, IRR of the DPA provides that for transfers of data abroad, a PIC shall be responsible for any personal data under its control or custody, including information that has been outsourced or transferred to a PIP or a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation.

6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?

Under Rule XII, Section 50, IRR of the DPA:

  1. A PIC shall be accountable for complying with the requirements of the DPA, its IRR, and other issuances of the NPC. It shall use contractual or other reasonable means to provide a comparable level of protection to the personal data while it is being processed by a PIP or third party.
  2. A PIC shall designate an individual or individuals who are accountable for its compliance with the DPA. The identity of the individual or individuals so designated shall be made known to a data subject upon request.

7 Rights of data subjects

7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?

Under Rule VIII, Sections 34, 36, & 37, IRR of the DPA the data subject is entitled to the following rights:

  1. Right to be informed
  2. Right to object
  3. Right to access
  4. Right to correct
  5. Right to rectification, erasure or blocking
  6. Right to data portability
  7. Right to damages
  8. Right to file a complaint

However, the abovementioned rights are not applicable to personal information that is not within the scope of the DPA as discussed in Section 2.2. Further, the abovementioned rights are likewise not applicable if the processed personal data are used only for the needs of scientific and statistical research and, based on such, no activities are carried out and no decisions are taken regarding the data subject; provided, that the personal data shall be held under strict confidentiality and shall be used only for the declared purpose. The above are also not applicable to the processing of personal data gathered for the purpose of investigations in relation to any criminal, administrative, or tax liabilities of a data subject. Any limitations on the rights of the data subject shall only be to the minimum extent necessary to achieve the purpose of said research or investigation.

7.2 How can data subjects seek to exercise their rights in your jurisdiction?

The data subjects may exercise the following rights as follows:

  1. Right to be informed – the data subject may get this information by checking the PIC's or PIP's privacy notice;
  2. Right to damages and right to file a complaint – the data subject may file a complaint with the NPC, in accordance with its Rules of Procedure governing all complaints filed before the NPC;
  3. Right to object, right to access, right to correct, right to rectification, erasure or blocking – the data subject may exercise these rights accordingly, through direct communication with the PIC or PIP's appointed data privacy officer; and
  4. Right to data portability – the data subject may obtain from the PIC a copy of the data subject's personal data and/or have the same transmitted from one PIC to another, in an electronic or structured format that is commonly used.

7.3 What remedies are available to data subjects in case of breach of their rights?

Under Rule II, Sections 1-2, 2021 NPC Rules of Procedure, as amended by NPC Circular 2024-01 (26 January 2024), data subjects who are affected by a privacy violation or personal data breach may file complaints for violations of the DPA. Prior to filing a complaint, the data subject must have first informed the PIC, PIP, or concerned entity in writing of the privacy violation or personal data breach to allow for appropriate action on the same.

8 Compliance

8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?

Yes, according to the NPC's Brochure on "Appointing a Data Protection Officer" found on the NPC website (accessible at: https://privacy.gov.ph/appointing-a-data-protection-officer/), the appointment of a DPO is a legal requirement for PICs or PIPs under the DPA.

It must be noted, however, that the appointment of a DPO and the registration of the same with the NPC are two separate matters. Under the NPC Circular No. 2022-04 (05 December 2022), the registration with the NPC of the appointed DPO may be mandatory or voluntary, depending on whether the thresholds for mandatory registration of the DPO by the PIC or PIP are met.

On the other hand, a PIC or PIP that is not mandated to register and does not undertake voluntary registration shall submit a Sworn Declaration and Undertaking for Exemption From Registration of DPS to the NPC. However, the DPA, its IRR, and NPC issuances are silent on the consequences of the failure of a PIC or PIP to appoint a DPO if the said PIC or PIP is not mandated to register.

8.2 What qualifications or other criteria must the data protection officer meet?

Pursuant to NPC Circular No. 2022-04 (05 December 2022), the DPO must be an organic employee of the government agency or private entity.

Moreover, pursuant to the NPC's Brochure on "Appointing a Data Protection Officer" (cited in 8.1 above), the general qualifications of a DPO are:

  1. Expertise in relevant privacy or data protection policies and practices;
  2. Sufficient understanding of the processing operations carried out by the PIC or PIP, including its information systems and its data security and/or data protection needs; and
  3. Knowledge of the sector or field in which the PIC or PIP operates, and of its internal structure, policies, and processes, which the NPC also regards as useful.

8.3 What are the key responsibilities of the data protection officer?

Pursuant to the NPC's Brochure on "Appointing a Data Protection Officer" (cited in 8.1 above), the key responsibilities of a DPO are:

  1. Monitor the PIC's or PIP's compliance with the DPA, its IRR, issuances of the NPC, and other applicable laws and policies;
  2. Ensure the conduct of Privacy Impact Assessments ("PIA") on the activities, measures, projects, programs, or systems of the PIC or PIP;
  3. Advise the PIC or PIP regarding complaints and/or the exercise by data subjects of their rights;
  4. Ensure proper data breach and security incident management by the PIC or PIP;
  5. Inform and cultivate awareness of privacy and data protection within the organization of the PIC or PIP;
  6. Advocate for the development, review, and/or revision of the PIC's or PIP's policies, guidelines, projects, and/or programs relating to privacy and data protection, adopting a privacy-by-design approach;
  7. Cooperate and coordinate with, and seek the advice of, the NPC on matters concerning data privacy and security; and
  8. Perform other duties and tasks assigned by the PIC or PIP that further the interest of data privacy and security and uphold the rights of data subjects.

8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?

Yes. According to the NPC's Brochure on "Appointing a Data Protection Officer" (cited in 8.1 above), a PIC or PIP may outsource or subcontract the functions of its DPO. However, to the extent possible, the DPO or Compliance Officer for Privacy ("COP") must oversee the performance of those functions by the third-party service provider or providers.

8.5 What record-keeping and documentation requirements apply in the data privacy context?

Under NPC Circular 2023-06 (01 December 2023), the general obligations of PICs and PIPs include the preparation and regular updating of the following:

  1. PIAs on the processing of personal data; and
  2. Privacy Management Program.

8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?

Pursuant to NPC Circular 2023-06 (01 December 2023), the following requirements, restrictions, and best practices should be considered from a compliance perspective:

  1. Register the PIC's or PIP's data processing systems ("DPS") with the NPC through the NPC Registration System ("NPCRS");
  2. Maintain an inventory of all DPS and processing activities, taking into account Section 26 (c) and (e) of the IRR;
  3. Keep PIAs updated;
  4. Periodically train employees, agents, personnel, or representatives on privacy and data protection policies;
  5. Comply with the NPC's orders when the privacy and data protection policies of the PIC and its PIPs are subject to review and assessment; and
  6. Comply with the updated security requirements on access, usage, storage, retention, and deletion of personal data under the same Circular.

9 Data security and data breaches

9.1 What obligations apply to data controllers and processors to preserve the security of personal data?

Under NPC Circular No. 16-03 (15 December 2016), PICs and PIPs are obliged to implement policies and procedures for managing security incidents, including personal data breaches. This is called the Security Incident Management Policy. Additionally, PICs and PIPs must have a Data Breach Response Team, at least one (1) member of which must have the authority to make immediate decisions regarding critical action.

9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

Yes, under Section 15 of NPC Circular No. 16-03 (15 December 2016), the PIC shall notify the NPC upon knowledge of, or when there is reasonable belief that a personal data breach has occurred.

Moreover, under Section 11 of the Circular, notification of data breaches to the NPC is mandatory, when all three (3) elements are present:

  1. The personal data involves sensitive personal information or any other information that may be used to enable identity fraud;
  2. There is reason to believe that the information may have been acquired by an unauthorized person; and
  3. The PIC or the NPC believes that the unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.

The NPC shall be notified within seventy-two (72) hours from the PIC's or PIP's knowledge of, or reasonable belief that, a personal data breach has occurred. The breach is reported through the NPC's Data Breach Notification Management System.

A full report on the personal data breach must then be submitted within five (5) days from the initial notification.

Further, the following are the required contents of the notification requirement to the NPC:

  1. Nature of the Breach;
  2. Personal Data Possibly Involved; and
  3. Measures Taken to Address the Breach.

Finally, there is no set rule on voluntary data breach notification to the NPC.

9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

Yes, under Section 15 of NPC Circular No. 16-03 (15 December 2016), the PIC shall notify the affected data subjects upon knowledge of, or when there is reasonable belief that a personal data breach has occurred.

As with notification to the NPC, notification of data breaches to the affected data subjects is mandatory when all three (3) elements are present:

  1. The personal data involves sensitive personal information or any other information that may be used to enable identity fraud;
  2. There is reason to believe that the information may have been acquired by an unauthorized person; and
  3. The PIC or the NPC believes that the unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.

Accordingly, the affected data subjects shall be individually notified within seventy-two (72) hours from the PIC's or PIP's knowledge of, or reasonable belief that, a personal data breach has occurred. The prescribed contents of the notification to data subjects are:

  1. nature of the breach;
  2. personal data possibly involved;
  3. measures taken to address the breach;
  4. measures taken to reduce the harm or negative consequences of the breach;
  5. representative of the PIC, including his or her contact details, from whom the data subject can obtain additional information regarding the breach; and
  6. any assistance to be provided to the affected data subjects.

Finally, like the discussion above, there is no set rule on voluntary data breach notification to the data subjects under the DPA and its relevant rules and regulations.

9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?

NPC Circular No. 16-03 (15 December 2016) provides best practices for the prevention of personal data breach and incident response policy and procedure.

Under Section 6 of the said Circular, a security incident management policy shall include measures intended to prevent or minimize the occurrence of a personal data breach.

On the other hand, Section 8 of the Circular provides that the PIC or PIP shall implement policies and procedures for guidance of its data breach response team and other personnel in the event of a security incident.

Additionally, Section 9 of the said Circular provides that all actions taken by a PIC or PIP in response to a security incident shall be properly documented. Reports should include:

  1. Description of the personal data breach, its root cause and circumstances regarding its discovery;
  2. Actions and decisions of the incident response team;
  3. Outcome of the breach management, and difficulties encountered; and
  4. Compliance with notification requirements and assistance provided to affected data subjects.

A procedure for post-breach review must be established for the purpose of improving the personal data breach management policies and procedures of the PIC or PIP.

10 Employment issues

10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?

There are no special requirements and restrictions that apply specifically to the personal data of employees in the Philippines. Instead, the DPA, its IRR, and relevant issuances of the NPC equally apply to the personal data of employees.

10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?

The surveillance of employees is permitted under the DPA, but not without limits. Pursuant to NPC Advisory Opinion No. 2023-010 (15 February 2023), the DPA gives data subjects a reasonable expectation of privacy over their data. While employees have a reduced expectation of privacy with respect to work devices, email accounts, and internet browsing activities, employers are, with the DPA in place, expected to be more mindful of the privacy rights of their employees. Accordingly, employees must be made aware of the nature, purpose, and extent of the processing of their personal data in the workplace. The processing of employees' personal information must also be compatible with a declared and specified purpose that is not contrary to law, morals, or public policy. Lastly, such processing must be adequate, relevant, suitable, necessary, and not excessive in relation to that declared and specified purpose.

For example, in NPC Advisory Opinion Nos. 2018-084 (28 November 2018) and 2024-003 (02 April 2024), the NPC found that the monitoring of an employee's activities may be allowed under the DPA when the employee is using an office-issued computer and the processing falls under any of the criteria for lawful processing of personal data under Sections 12 and/or 13 of the law. For remote workers using office-issued devices, the employee must still be informed of the purpose, nature, extent, and scope of the processing of his or her data, and consent must be obtained where sensitive personal information is involved.

10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?

Pursuant to NPC Advisory Opinion No. 2024-003 (02 April 2024), it is advisable to include in the employment contract specific provisions allowing the installation of monitoring equipment or software in furtherance of the employment, so that the monitoring of employee activities can be justified under Section 12 (b) of the DPA, i.e., processing necessary for the fulfilment of a contract with the data subject.

11 Online issues

11.1 What requirements and restrictions apply to the use of cookies in your jurisdiction?

There is no specific rule governing the use of cookies in the Philippines, and neither the DPA nor its IRR defines the term "cookies".

On the question of whether a website must still inform users of its use of cookies in a pop-up format when this is already stated in the privacy policy, the NPC held in Advisory Opinion No. 2017-47 that the law does not prescribe a specific format or approach for the PIC or PIP to adopt. The NPC opined that it is within the discretion of the PIC or PIP to decide whether an additional means of informing data subjects, such as a pop-up on the website, would be beneficial in complying with the DPA and upholding data subjects' rights.

However, according to NPC Advisory Opinion No. 2017-63, cookies combined with other pieces of information, e.g., username, password, IP address, MAC address, location, and birthday, may allow an individual to be distinguished from others and may therefore constitute personal information. In that case, the requirements and restrictions on the processing of personal information under the DPA, its IRR, and other relevant NPC issuances must be complied with.

11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?

Cloud computing service providers may be considered PIPs under Section 3 (i) of the DPA. PIPs include any natural or juridical person to whom a PIC may outsource the processing of data subjects' personal data. This includes PIPs which, although not established in the Philippines, use equipment located in the Philippines, or which maintain an office, branch, or agency in the Philippines.

In this regard, PICs remain responsible for ensuring that proper safeguards are in place to preserve the confidentiality of personal data processed through the cloud computing service, to prevent its use for unauthorized purposes, and, generally, to comply with the requirements of the DPA, its IRR, and other relevant issuances of the NPC.

11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?

The NPC Public Advisory dated 13 November 2023 provides that PICs operating websites that collect personal data must ensure that their Privacy Notice is displayed on the website. Pursuant to Sections 11 (a) and 16 (b) of the DPA and Sections 18 (a) and 34 (a) of the IRR, the Privacy Notice must include:

  1. The personal data processed, and the purpose and legal basis for the processing of such personal data;
  2. The primary and secondary uses of the data;
  3. The manner of storage of the data collected;
  4. Whether data is disclosed or shared to other parties, the identity of these recipients, the extent of the transfer, and the purpose therefor;
  5. How data is securely disposed;
  6. The risks involved at any stage of the processing;
  7. Whether protection measures are in place to address the risks and what these measures are;
  8. The methods utilized for automated access, if any;
  9. The contact details of the DPO; and
  10. The rights of a data subject recognized under the DPA and how they can exercise them.

Additionally, according to the NPC Public Advisory dated 13 November 2023, the NPC requires that the NPC Seal be made visible to website visitors. This can be done by either embedding it as a link within the PIC's Privacy Notice or prominently displaying it on the PIC's webpage.

12 Disputes

12.1 In which forums are data privacy disputes typically heard in your jurisdiction?

Pursuant to NPC Circular 2024-01 (26 January 2024), the following are the forums that hear data privacy disputes in the Philippines:

  1. The NPC has jurisdiction over complaints filed for violations of the DPA; and
  2. Appeals to the decisions of the NPC may be filed with the proper courts.

12.2 What issues do such disputes typically involve? How are they typically resolved?

Disputes typically involve alleged violations of the DPA, such as personal data breaches or other privacy violations affecting data subjects. Rule II, Section 1 of the 2021 NPC Rules of Procedure, as amended by NPC Circular 2024-01 (26 January 2024), provides that data subjects who are affected by a privacy violation or data breach may file complaints for violations of the DPA. These disputes are typically resolved by the NPC.

12.3 Have there been any recent cases of note?

There are no recent data privacy cases of note, since the Supreme Court has not yet rendered a decision concerning data privacy. At the administrative level, Spouses MCD, JJD v. Victorias Milling Company, et al., NPC 19-758 and 19-1846 (30 June 2023) is the latest decision rendered by the NPC, which considered whether the processing of the contents of employee disclosure statements violates the DPA. The NPC found that the processing was justified under Section 12 (f) of the DPA, i.e., processing necessary for the purposes of the legitimate interests pursued by the PIC.

13 Trends and predictions

13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

Since the start of 2024, the NPC has issued several relevant issuances. For example, NPC Circular 2024-01 (26 January 2024) amended certain provisions of the 2021 NPC Rules of Procedure. Key changes include:

  1. Clarifying the criteria for filing a complaint, introducing specific provisions for minors, individuals alleged to be incompetent, and non-resident citizens;
  2. Allowing for multiple parties to join or be joined as either complainants or respondents in one complaint; and
  3. New rules on Compliance Checks conducted by the NPC.

Accordingly, the NPC, through its Compliance Monitoring Division, has conducted several Privacy Sweeps of publicly available data found on websites, as well as on-the-spot Privacy Sweeps in malls.

Additionally, NPC Circular No. 2023-06 (01 December 2023), which took effect on 30 March 2024, provides updated requirements for the security of personal data processed by PICs and PIPs. It requires PICs to comply with the Circular within twelve (12) months from its effectivity, i.e., by March 2025.

While there are no specific anticipated developments in Philippine data privacy law in the next twelve (12) months, the rate at which the NPC has been releasing new issuances suggests that further developments can be expected.

14 Tips and traps

14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?

Tips for effective data privacy protection in the Philippines include:

  1. Appoint a DPO, if not yet appointed;
  2. Register the DPO and DPS with the NPC, if not yet done;
  3. Evaluate and mitigate privacy risks in data processing activities through the regular conduct of PIAs;
  4. Ensure training of employees/staff on data privacy laws, data protection principles, and best practices;
  5. Create a clear and concise Privacy Policy which outlines how personal data is collected, used, stored, and shared, which should be easily accessible to the public;
  6. Create a clear and concise Privacy Manual which outlines how personal data should be processed by employees, and the different physical, organizational, and technical measures for data protection, which should be easily accessible to all employees of the organization/PIC;
  7. Regularly update security protocols to address emerging threats;
  8. Develop a culture of privacy within the organization;
  9. Comply with data security recommendations of the NPC; and
  10. Stay updated with new issuances of the NPC and changes in data protection laws.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
