Skip to Main Content
Main Menu

Philippines’ Data Privacy Act

The Philippines’ privacy law, known as the Data Privacy Act of 2012, provides its residents with data privacy rights and data privacy obligations for organizations handling their data. It established the National Privacy Commission, an autonomous entity tasked with overseeing and enforcing compliance with the provisions outlined within this law.

Are you subject to the Philippines’ Data Privacy Act?

The Philippines’ Data Privacy Act of 2012 applies to any organizations worldwide that process the personal information of Philippine residents, irrespective of their location, and/or meet any one of the following criteria: (1) use equipment located in the Philippines and/or (2) maintain an office, branch, or agency in the Philippines.

Obligations & Rights under the Philippines’ Data Privacy Act

This data privacy and protection law requires organizations to provide control and transparency to Philippine residents on how their personal information is collected, processed, and disclosed.

CBPR – Navigating Cross-Border Data Privacy Compliance

The CBPR system is an internationally recognized framework and certification.


  • Is a Data Protection Officer (DPO) required under the Philippine’s Data Privacy Act of 2012?

    Controllers are required to appoint an individual or individuals that are responsible for compliance with the Philippines Data Privacy Act and make their identity known to an individual upon request. The duties of the appointed individual are not defined under the Act, unlike the role of a DPO under GDPR.

  • Does the Philippines’ Data Privacy Act of 2012 require the establishment of a security program?

    Organizations need to develop security program priorities and implementation plans taking into consideration the nature of the personal information to be protected, risks represented by the processing, size of the organization and complexity of its operations, current data privacy best practices, and the cost of security implementation.

  • What is personal information and sensitive personal information under the Philippines’ Data Privacy Act of 2012?

    Personal information is any information that, whether recorded in a material form or not, directly allows the individual’s identification, can directly be inferred by the entity holding the said information, or can conclusively and directly identify the individual when combined with other information.

    Sensitive information pertains to various categories, including: (a) race, ethnic origin, marital status, age, color, and religious, philosophical, or political affiliations; (b) details regarding health, education, genetics, or sexual life, or details related to legal proceedings, including allegations of offenses, their disposition, or any court-imposed sentences; (c) government-issued records specific to an individual, encompassing social security numbers, past or present health records, licenses, including denials, suspensions, or revocations, and tax returns; and (d) information designated as classified either through executive order or legislative enactment. Under the Philippines’ Data Privacy Act of 2012, the individual’s consent is required before processing their sensitive personal information.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top