Learn more about Data Privacy

Running late? The National Privacy Commission will continue to accept Phase 1 registrants beyond 11 September 2017. However, these submissions will be considered as "late registrants".

The DPA provides Philippine residents with control over their personal data through a set of “data subject rights.” This includes the right to:

  • Right to be informed
  • Right to object
  • Right to access
  • Right to correct
  • Right to rectification, erasure or blocking

Noncompliance of businesses to the Data Privacy Act can lead to the following consequences:

  • Being issued an order to stop processing
  • Being ordered to pay damages to data subjects whose rights were violated
  • Jail time for accountable officers


  1. Appoint a Data Protection Officer (DPO). To be appointed by a personal information controller, DPOs will be accountable for ensuring compliance with applicable laws and regulations relating to data protection and privacy.
  2. Conduct a Privacy Impact Assessment to evaluate and manage the impact of the company’s program, process, and/ore measure on data privacy.
  3. Create your Privacy Management Program to align everyone in the organization in the same direction, to facilitate compliance with the Data Privacy Act and issuances of the NPC, and to help your organization in mitigating the impact of a breach.
  4. Implement your Privacy and Data Protection measures which must continuously be assessed, reviewed, and revised as necessary, while training must be regularly conducted.
  5. Regularly exercise your Breach Reporting Procedures. The NPC and affected data subjects shall be notified by the personal information controller within 72 hours upon knowledge of, or when there is reasonable belief by the personal information controller or personal information processor that, a personal data breach requiring notification has occurred. The personal information controller shall notify the NPC by submitting a report, whether written or electronic, containing the required contents of notification.  The report shall also include the name of a designated representative of the personal information controller, and his or her contact details.