Data & Privacy · Philippines

Comprehensive law: Republic Act No. 10173, the Data Privacy Act of 2012 (DPA), with its 2016 Implementing Rules and Regulations, enforced by the National Privacy Commission (NPC).

The Philippines has a comprehensive, GDPR-style data-protection regime under the Data Privacy Act of 2012 (RA 10173), which applies to personal information processing in both the public and private sectors and has extraterritorial reach. It is administered and enforced by the National Privacy Commission, an independent body attached to the Department of Information and Communications Technology, which issues regulations, registers data processing systems, investigates complaints, and imposes penalties. The law took effect in 2012, its Implementing Rules and Regulations were issued in 2016, and full NPC enforcement began in 2017.

Governing law

RA 10173 (Data Privacy Act of 2012) is the comprehensive statute protecting personal information in government and private-sector systems; it was enacted on 15 August 2012, with Implementing Rules and Regulations issued in 2016 and full enforcement from March 2017.

Supervisory authority

The National Privacy Commission (NPC) is the independent regulator created by the DPA, attached to the Department of Information and Communications Technology and headed by the Privacy Commissioner; it administers the Act, issues advisories/circulars, investigates, and enforces compliance.

Data subject rights

Individuals hold rights to be informed, to access, to object, to rectification, to erasure or blocking, to data portability, and to damages for misuse of personal data — closely mirroring GDPR-style rights.

Controller obligations

Personal data may only be processed under a lawful basis (consent or other recognized grounds); controllers must provide transparency, appoint a Data Protection Officer, implement organizational/physical/technical security measures, and register certain data processing systems with the NPC.

Breach notification

Under NPC Circular 16-03, controllers must notify the NPC and affected data subjects within 72 hours of knowledge of a personal data breach that may give rise to a real risk of serious harm.

Cross-border transfers & recent guidance

In 2024 the NPC issued Advisory No. 2024-01 on model contractual clauses for cross-border transfers and Advisory No. 2024-04 applying the DPA across the AI lifecycle; the controller remains accountable for data transferred abroad.

Penalties

Violations carry criminal penalties including imprisonment and fines up to PHP 5 million, plus NPC administrative fines (up to 3% of annual gross income, capped at PHP 5 million per violation).

Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.