Skip to Main Content
Main Menu
Search Opener
Search Close
Contact us
Regulation

Philippines’ Data Privacy Act

The Philippines’ privacy law, known as the Data Privacy Act of 2012, provides its residents with data privacy rights and data privacy obligations for organizations handling their data. It established the National Privacy Commission, an autonomous entity tasked with overseeing and enforcing compliance with the provisions outlined within this law.

Are you subject to the Philippines’ Data Privacy Act?

The Philippines’ Data Privacy Act of 2012 applies to any organizations worldwide that process the personal information of Philippine residents, irrespective of their location, and/or meet any one of the following criteria: (1) use equipment located in the Philippines and/or (2) maintain an office, branch, or agency in the Philippines.

Obligations & Rights under the Philippines’ Data Privacy Act

This data privacy and protection law requires organizations to provide control and transparency to Philippine residents on how their personal information is collected, processed, and disclosed.
  • Consent & Opt-out

    Prior consent is mandatory before processing an individual’s information. Individuals have the right to suspend or withdraw consent to processing if they discover and substantiate that their data is incomplete, outdated, false, unlawfully obtained, utilized for unauthorized purposes, or no longer necessary for the original purposes of collection.

  • Notice to Individuals

    Individuals must be notified whether their personal information is being or has been processed. Notice must be provided before personal information enters the processing system or at the earliest possible opportunity thereafter. Any information provided to individuals regarding their personal information cannot be changed unless individuals are provided prior notification.

  • Individual Rights

    Individuals have the right to be informed, access, correct, suspend, withdraw, and delete their personal information, alongside the ability to exercise data portability rights. They are also entitled to indemnification for any damages incurred as a result of inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of their personal information.

  • Vendor Management

    Controllers must employ contractual or other reasonable measures to ensure a comparable level of protection when personal information is processed by a third party vendor regardless of the vendor’s location.

Webinar

CBPR – Navigating Cross-Border Data Privacy Compliance

The CBPR system is an internationally recognized framework and certification.

Achieve compliance

FAQs

  • Is a Data Protection Officer (DPO) required under the Philippine’s Data Privacy Act of 2012?

    Controllers are required to appoint an individual or individuals that are responsible for compliance with the Philippines Data Privacy Act and make their identity known to an individual upon request. The duties of the appointed individual are not defined under the Act, unlike the role of a DPO under GDPR.

  • Does the Philippines’ Data Privacy Act of 2012 require the establishment of a security program?

    Organizations need to develop security program priorities and implementation plans taking into consideration the nature of the personal information to be protected, risks represented by the processing, size of the organization and complexity of its operations, current data privacy best practices, and the cost of security implementation.

  • What is personal information and sensitive personal information under the Philippines’ Data Privacy Act of 2012?

    Personal information is any information that, whether recorded in a material form or not, directly allows the individual’s identification, can directly be inferred by the entity holding the said information, or can conclusively and directly identify the individual when combined with other information.

    Sensitive information pertains to various categories, including: (a) race, ethnic origin, marital status, age, color, and religious, philosophical, or political affiliations; (b) details regarding health, education, genetics, or sexual life, or details related to legal proceedings, including allegations of offenses, their disposition, or any court-imposed sentences; (c) government-issued records specific to an individual, encompassing social security numbers, past or present health records, licenses, including denials, suspensions, or revocations, and tax returns; and (d) information designated as classified either through executive order or legislative enactment. Under the Philippines’ Data Privacy Act of 2012, the individual’s consent is required before processing their sensitive personal information.

Related Resources

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top