Support Centre

Philippines

Summary

Law: The Data Privacy Act of 2012 (Republic Act No. 10173) ('the Act')

Regulator: The National Privacy Commission ('NPC') 

Summary: The Act came into effect in 2012 and is the first comprehensive data privacy law in the Philippines. The NPC was established in 2016 and supplemented the Act through the Implementing Rules and Regulations of Republic Act No. 10173 ('IRR'), which provides details on the requirements under the Act as well as sanctions for non-compliance. The NPC has also released over 100 advisory opinions in response to queries on topics such as data breach management, notifications regarding automated decision-making, the designation of data protection officers, Privacy Impact Assessments, and access to personal data. In addition, the Act Defining Cybercrime, Providing for the Prevention, Investigation, Suppression and the Imposition of Penalties therefore and for Other Purposes (Republic Act No. 10175) ('the Cybercrime Law'), which entered into effect in 2012, stipulates, among other things, requirements for service providers to maintain the security of computer data. The Philippines recently began the application process in order to participate in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules ('APEC CBPR') system.

News

Insights

March 2024

Philippines: The NPC's Guidelines on Legitimate Interest

The National Privacy Commission (NPC) issued the NPC Circular No. 2023-07 (the Circular) on December 13, 2023. This Circular is entitled Guidelines on Legitimate Interest and seeks to clarify the framework within which a personal information controller (PIC) may establish legitimate interest as a basis for processing personal data. The Circular is not meant to introduce any new basis for processing personal information, rather, it seeks to clarify concepts and requirements of legitimate interest, which is a lawful basis for processing personal information under Philippine privacy laws. Edsel F. Tupaz, from Gorriceta Africa Cauton & Saavedra, walks through these guidelines and their implications for PICs.  

The Circular should be read alongside part one and part two of the series on the NPC Guidelines on Consent, which comprise important tool kits for PICs and personal information processors that process the personal data of Philippine data subjects.  

February 2024

Philippines: The NPC releases Guidelines on Consent - part two

Since the release of the National Privacy Commission (NPC) Circular No. 2023-04 (the Circular) and the Guidelines on Consent, privacy practitioners and businesses have scurried to review and revise their privacy notices. Part one of this series addressed the implications the Circular had on the ways in which personal information controllers (PICs) obtain the consent of data subjects. In this second part, Edsel F. Tupaz, from Gorriceta Africa Cauton & Saavedra, continues with a discussion on the Circular's rules for PICs on using continued use of service as a stand-in for written consent, the documentation of consent, obtaining consent for direct marketing, data sharing, and automated profiling systems. Edsel concludes with some strategies for webmasters and app developers to enhance their products' compliance with the Circular. 

January 2024

Philippines: The NPC releases Guidelines on Consent - part one

In today's digital landscape, consent is a cornerstone of effective privacy management and a critical safeguard for the rights of data subjects. In the Philippines, the National Privacy Commission (NPC) released the NPC Circular No. 2023-04 (the Circular) on November 7, 2023, providing guidelines on the use of consent as a lawful basis for data processing, ensuring compliance thereof by affected personal information controllers (PICs), and prohibiting, among others, the use of deceptive design patterns. On the same date, the NPC issued Advisory No. 2023-01 (the Advisory), which comprises the Guidelines on Deceptive Design Patterns. Both the Circular and the Advisory make references to each other and must be read together. 

In this Insight Article, Edsel F. Tupaz, from Gorriceta Africa Cauton & Saavedra, discusses the more salient, practical implications of the Circular and the Advisory on affected PICs. He focuses on the Circular's impact on existing mechanisms for privacy notices, timing of consent, withdrawal of consent, and level of granularity, as well as underscoring the use of the 'average member of the target audience' standard, prohibitions against deceptive design patterns, and the compliance period. 

April 2023

Philippines: Rules on registration of DPOs and data processing systems - What you need to know

The National Privacy Commission ('NPC'), the Philippine agency tasked to implement the Data Privacy Act of 2012 (Republic Act No. 10173) ('the Act'), recently issued Circular No. 2022-04 ('the Circular') which took effect on 11 January 2023. The Circular prescribes guidelines for the registration of personal data processing systems, notification regarding automated decision-making or profiling, and designation of data protection officers ('DPOs').

In this Insight article, Mary Thel Mundin, Dwight Garvy Tan, and Maria Angelica Torio, from Gatmaytan Yap Patacsil Gutierrez & Protacio (C&G Law), discuss the Circular's provisions regarding registration requirements for DPOs, how and when to register, automated decision-making and profiling, as well as penalties.

June 2022

Philippines: Data Protection in the Financial Sector

May 2022

Philippines: Cybersecurity

March 2022

International: Handling children's personal data in the APAC region – Part two

The processing of children's personal data, from collection to destruction, generally carries with it special considerations. Indeed, the level of protection afforded to children is often higher, due to in part their capacity to understand the consequences of providing their information and the potential risks associated with their use or misuse. In part two of this series, OneTrust DataGuidance considers the rules in the APAC region which govern children's personal data, featuring perspectives from New Zealand, the Philippines, and Singapore.

For insight into handling children's personal data in Australia, China, India, and Japan, please see part one here.

March 2022

Philippines: Online privacy

For many organisations, the first step towards compliance in a jurisdiction may involve ensuring that their online presence is in line with any locally applicable rules and regulations. OneTrust DataGuidance provides an overview of online privacy in the Philippines, with a focus on relevant topics such as cookies, emarketing, and privacy policies.

January 2022

Philippines: Data Privacy Act of 2012 – Understanding the treatment of foreign persons personal data

Ten years after the implementation of the Data Privacy Act of 2012 (Republic Act No. 10173) ('the Act'), and six years after the creation of the National Privacy Commission ('NPC') through the Implementing Rules and Regulations of Republic Act No. 10173 ('IRRs'), the ambiguity of the Act on the treatment of foreign persons personal data has been clarified to some extent. OneTrust DataGuidance provides an analysis of the treatment of foreign persons personal data under the Act featuring insights from JJ Disini, Managing Partner at Disini & Disini Law Office.

October 2021

Philippines: An overview of Vendor Privacy Contracts

March 2021

Philippines: NPC Toolkit

Company

Our Policies

Your Rights

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
© OneTrust, LLC. All Rights Reserved.
The materials herein are for informational purposes only and do not constitute legal advice.
Feedback