


Law: The Data Privacy Act of 2012 (Republic Act No. 10173) ('the Act')

Regulator: The National Privacy Commission ('NPC') 

Summary: The Act came into effect in 2012 and is the first comprehensive data privacy law in the Philippines. The NPC was established in 2016 and supplemented the Act through the Implementing Rules and Regulations of Republic Act No. 10173 ('IRR'), which provide details on the requirements under the Act as well as sanctions for non-compliance. The NPC has also released over 100 advisory opinions in response to queries on topics such as data breach management, notifications regarding automated decision-making, the designation of data protection officers, Privacy Impact Assessments, and access to personal data. In addition, the Act Defining Cybercrime, Providing for the Prevention, Investigation, Suppression and the Imposition of Penalties Therefor and for Other Purposes (Republic Act No. 10175) ('the Cybercrime Law'), which entered into effect in 2012, stipulates, among other things, requirements for service providers to maintain the security of computer data. The Philippines recently began the application process to participate in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules ('APEC CBPR') system.


The National Privacy Commission ('NPC'), the Philippine agency tasked to implement the Data Privacy Act of 2012 (Republic Act No. 10173) ('the Act'), recently issued Circular No. 2022-04 ('the Circular') which took effect on 11 January 2023. The Circular prescribes guidelines for the registration of personal data processing systems, notification regarding automated decision-making or profiling, and designation of data protection officers ('DPOs').

In this Insight article, Mary Thel Mundin, Dwight Garvy Tan, and Maria Angelica Torio, from Gatmaytan Yap Patacsil Gutierrez & Protacio (C&G Law), discuss the Circular's provisions regarding registration requirements for DPOs, how and when to register, automated decision-making and profiling, as well as penalties.

The processing of children's personal data, from collection to destruction, generally carries with it special considerations. Indeed, the level of protection afforded to children is often higher, due in part to their capacity to understand the consequences of providing their information and the potential risks associated with its use or misuse. In part two of this series, OneTrust DataGuidance considers the rules in the APAC region which govern children's personal data, featuring perspectives from New Zealand, the Philippines, and Singapore.

For insight into handling children's personal data in Australia, China, India, and Japan, please see part one here.

For many organisations, the first step towards compliance in a jurisdiction may involve ensuring that their online presence is in line with any locally applicable rules and regulations. OneTrust DataGuidance provides an overview of online privacy in the Philippines, with a focus on relevant topics such as cookies, emarketing, and privacy policies.

Ten years after the implementation of the Data Privacy Act of 2012 (Republic Act No. 10173) ('the Act'), and six years after the creation of the National Privacy Commission ('NPC') through the Implementing Rules and Regulations of Republic Act No. 10173 ('IRRs'), the ambiguity of the Act on the treatment of foreign persons' personal data has been clarified to some extent. OneTrust DataGuidance provides an analysis of the treatment of foreign persons' personal data under the Act, featuring insights from JJ Disini, Managing Partner at Disini & Disini Law Office.