Law: The Data Privacy Act of 2012 (Republic Act No. 10173) ('the Act')

Regulator: The National Privacy Commission ('NPC') 

Summary: The Act came into effect in 2012 and is the first comprehensive data privacy law in the Philippines. The NPC was established in 2016 and supplemented the Act through the Implementing Rules and Regulations of Republic Act No. 10173 ('IRR'), which provide details on the requirements under the Act as well as sanctions for non-compliance. The NPC has also released over 100 advisory opinions in response to queries on topics such as data breach management, notifications regarding automated decision-making, the designation of data protection officers, Privacy Impact Assessments, and access to personal data. In addition, the Act Defining Cybercrime, Providing for the Prevention, Investigation, Suppression and the Imposition of Penalties Therefor and for Other Purposes (Republic Act No. 10175) ('the Cybercrime Law'), which entered into effect in 2012, stipulates, among other things, requirements for service providers to maintain the security of computer data. The Philippines recently began the application process in order to participate in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules ('APEC CBPR') system.


The National Privacy Commission (NPC) issued NPC Circular No. 2024-01 (the Circular) on January 26, 2024, entitled Amendments to Certain Provisions of the 2021 Rules of Procedure of the National Privacy Commission (the 2021 NPC Rules of Procedure).

Edsel F. Tupaz, Senior Partner at Gorriceta Africa Cauton & Saavedra and Lead of the firm's Data Privacy, Cybersecurity, and AI Initiatives practice group, discusses the salient amendments under the Circular and their practical implications for Personal Information Controllers (PICs). In particular, Edsel breaks down and describes the practical import of the amended provisions found in the new procedure of the National Privacy Commission for compliance checks, alternative dispute resolutions (ADR), and decisions.

The National Privacy Commission (NPC) issued the NPC Circular No. 2023-07 (the Circular) on December 13, 2023. This Circular is entitled Guidelines on Legitimate Interest and seeks to clarify the framework within which a personal information controller (PIC) may establish legitimate interest as a basis for processing personal data. The Circular is not meant to introduce any new basis for processing personal information; rather, it seeks to clarify concepts and requirements of legitimate interest, which is a lawful basis for processing personal information under Philippine privacy laws. Edsel F. Tupaz, from Gorriceta Africa Cauton & Saavedra, walks through these guidelines and their implications for PICs.

The Circular should be read alongside part one and part two of the series on the NPC Guidelines on Consent, which comprise important tool kits for PICs and personal information processors that process the personal data of Philippine data subjects.  

Since the release of the National Privacy Commission (NPC) Circular No. 2023-04 (the Circular) and the Guidelines on Consent, privacy practitioners and businesses have scurried to review and revise their privacy notices. Part one of this series addressed the implications the Circular had on the ways in which personal information controllers (PICs) obtain the consent of data subjects. In this second part, Edsel F. Tupaz, from Gorriceta Africa Cauton & Saavedra, continues with a discussion on the Circular's rules for PICs on using continued use of service as a stand-in for written consent, the documentation of consent, obtaining consent for direct marketing, data sharing, and automated profiling systems. Edsel concludes with some strategies for webmasters and app developers to enhance their products' compliance with the Circular. 

In today's digital landscape, consent is a cornerstone of effective privacy management and a critical safeguard for the rights of data subjects. In the Philippines, the National Privacy Commission (NPC) released the NPC Circular No. 2023-04 (the Circular) on November 7, 2023, providing guidelines on the use of consent as a lawful basis for data processing, ensuring compliance thereof by affected personal information controllers (PICs), and prohibiting, among others, the use of deceptive design patterns. On the same date, the NPC issued Advisory No. 2023-01 (the Advisory), which comprises the Guidelines on Deceptive Design Patterns. Both the Circular and the Advisory make references to each other and must be read together. 

In this Insight Article, Edsel F. Tupaz, from Gorriceta Africa Cauton & Saavedra, discusses the more salient, practical implications of the Circular and the Advisory on affected PICs. He focuses on the Circular's impact on existing mechanisms for privacy notices, timing of consent, withdrawal of consent, and level of granularity, as well as underscoring the use of the 'average member of the target audience' standard, prohibitions against deceptive design patterns, and the compliance period. 

The National Privacy Commission ('NPC'), the Philippine agency tasked to implement the Data Privacy Act of 2012 (Republic Act No. 10173) ('the Act'), recently issued Circular No. 2022-04 ('the Circular') which took effect on 11 January 2023. The Circular prescribes guidelines for the registration of personal data processing systems, notification regarding automated decision-making or profiling, and designation of data protection officers ('DPOs').

In this Insight article, Mary Thel Mundin, Dwight Garvy Tan, and Maria Angelica Torio, from Gatmaytan Yap Patacsil Gutierrez & Protacio (C&G Law), discuss the Circular's provisions regarding registration requirements for DPOs, how and when to register, automated decision-making and profiling, as well as penalties.

The processing of children's personal data, from collection to destruction, generally carries with it special considerations. Indeed, the level of protection afforded to children is often higher, due in part to their capacity to understand the consequences of providing their information and the potential risks associated with their use or misuse. In part two of this series, OneTrust DataGuidance considers the rules in the APAC region which govern children's personal data, featuring perspectives from New Zealand, the Philippines, and Singapore.

For insight into handling children's personal data in Australia, China, India, and Japan, please see part one here.

For many organisations, the first step towards compliance in a jurisdiction may involve ensuring that their online presence is in line with any locally applicable rules and regulations. OneTrust DataGuidance provides an overview of online privacy in the Philippines, with a focus on relevant topics such as cookies, emarketing, and privacy policies.

Ten years after the implementation of the Data Privacy Act of 2012 (Republic Act No. 10173) ('the Act'), and six years after the creation of the National Privacy Commission ('NPC') through the Implementing Rules and Regulations of Republic Act No. 10173 ('IRRs'), the ambiguity of the Act on the treatment of foreign persons' personal data has been clarified to some extent. OneTrust DataGuidance provides an analysis of the treatment of foreign persons' personal data under the Act featuring insights from JJ Disini, Managing Partner at Disini & Disini Law Office.