
In our digital age, companies collect, store, and process vast amounts of personal data — from names and phone numbers to IP addresses and payment details. In the Philippines, the Data Privacy Act of 2012 (Republic Act No. 10173) protects individuals by setting rules on how personal information should be handled. But what does that mean in practice for businesses — and for ordinary people whose data is being processed?
This article breaks down the essentials: the rights you have as a data subject, the limits on what companies can do with your information, practical compliance steps for businesses, and what to do if your data is compromised.
What is “personal data” under the law?
Personal data is any information that identifies you or can be used to identify you: obvious items (name, address, birthdate) and less-obvious identifiers (email, device IDs, IP addresses, and even customer transaction histories). The law sets apart a stricter category, sensitive personal information, which covers things like health and medical records, race, ethnicity, religious or political affiliation, and government-issued identifiers (such as a TIN, SSS or passport number). Sensitive personal information may only be processed on narrower grounds and attracts heavier penalties when mishandled.
Your Rights as a Data Subject
Under the Data Privacy Act, individuals have enforceable rights. Key rights include:
- Right to be informed — You must be told why your data is being collected and how it will be used.
- Right to access — You can request a copy of personal data a company holds about you.
- Right to rectification — You can ask for inaccurate or incomplete data to be corrected.
- Right to erasure/blocking — In certain circumstances you can request deletion or blocking of your data.
- Right to object — You may object to processing on legitimate grounds (e.g., direct marketing).
- Right to data portability — Where your data is processed electronically, you can request a copy in a structured, commonly used format so you can move it to another provider.
- Right to damages — You can seek compensation for damages suffered due to unlawful processing.
(These rights are subject to legal limits and exceptions, especially where other laws, public interest, or contractual obligations apply.)
What Companies ARE Allowed To Do (If They Comply With the Law)
Companies can collect and process personal data when they have a lawful basis. Examples of lawful bases include:
- Consent — The data subject has given clear, informed consent.
- Contractual necessity — Processing is necessary to perform a contract with the person.
- Legal obligation — Processing is required to comply with the law (e.g., tax reporting).
- Protecting life/health — Necessary for vital interests of the data subject.
- Legitimate interests — Where the company’s interests don’t override the rights of the individual (subject to safeguards). Note that this basis is available only for ordinary personal information; sensitive personal information may be processed only on the narrower grounds the law lists for it (for example consent, a specific legal requirement, or protection of life and health).
When lawful, companies may:
- Send transactional emails (order confirmations, shipping notices).
- Process payments and billing information.
- Use data for customer service and to fulfill contracts.
- Keep records as required by law (BIR, regulatory bodies), subject to retention limits.
But: companies must collect only what is necessary, be transparent, and apply appropriate security measures.
What Companies CANNOT Do (or Must Not Do Without Safeguards)
Even when companies have access to data, there are clear limits:
- No undisclosed purposes — Companies can’t repurpose your data for a new use without informing you and, where required, obtaining consent.
- No selling or sharing your data without notice/consent — Third-party sharing requires clear disclosure and, in many cases, consent or a lawful basis.
- No retaining data longer than necessary — Data must be deleted or anonymized when the purpose is fulfilled and legal retention periods expire.
- No insecure processing — Companies must protect data with reasonable organizational, physical, and technical measures proportionate to the sensitivity of the data and the risk involved; negligence can lead to liability.
- No ignoring data subject requests — Requests for access, correction, or deletion must be honored within legal timelines (subject to valid exceptions).
Mandatory Corporate Duties (Practical Checklist)
Companies operating in the Philippines should implement the following compliance measures:
- Designate a Data Protection Officer (DPO). Every organization that controls or processes personal data must designate someone accountable for compliance; NPC guidance calls this person the DPO, and the role is not optional for larger organizations or those handling sensitive personal information.
- Register with the National Privacy Commission (NPC) when you meet its registration thresholds (these turn on headcount, the volume of sensitive personal information processed, and sector), and follow NPC circulars and advisories.
- Publish a clear Privacy Notice explaining what data you collect, why, how long you keep it, and how users can exercise rights.
- Obtain valid consent mechanisms (clear opt-in; no pre-checked boxes) for non-contractual processing such as marketing.
- Limit data collection (collect only what you need).
- Use Data Processing Agreements (DPAs) when sharing data with third-party processors (cloud providers, payment gateways).
- Implement reasonable security measures: encrypt personal data at rest and in transit, restrict access on a least-privilege basis and require multi-factor authentication for administrative access, keep logs so you can tell what was accessed during an incident, maintain tested backups, and enforce strong password and patching policies.
- Adopt a Data Breach Response Plan: designate incident responders, define who decides whether a breach is reportable, and set out the notification procedure and timeline so the decision is not made for the first time during an incident.
- Conduct Privacy Impact Assessments (PIAs) or DPIAs for high-risk processing.
- Train staff regularly on privacy and data handling.
Breach Notification: What Companies Must Do
If a personal data breach occurs, companies must act quickly:
- Contain and assess the breach immediately, and keep a record of what happened, what data was affected, and what was done in response.
- Notify the National Privacy Commission (NPC) and affected data subjects within 72 hours of learning of the breach (or of having reasonable grounds to believe one occurred). Notification is mandatory where sensitive personal information, or information that could be used for identity fraud, has been or is likely to have been acquired by an unauthorized person and the breach poses a real risk of serious harm to the individuals involved.
- Provide meaningful information to victims: the nature of the breach, the personal data involved, the measures taken to address it, and the steps they should take to protect themselves (password resets, credit monitoring, watching for phishing that uses the leaked data, etc.).
Failing to notify, or concealing a breach involving sensitive personal information, is itself a criminal offense under the Act, and failing to implement reasonable safeguards can lead to administrative fines and possible criminal liability.
Practical Steps for Individuals (How to Protect Your Data)
If you’re a consumer or user, follow these practical tips:
- Read privacy notices before giving personal data.
- Limit sharing of sensitive information online (e.g., ID numbers, bank details) unless necessary and secure.
- Use strong, unique passwords (a password manager helps) and enable two-factor authentication (2FA) whenever possible, preferring an authenticator app or hardware security key over SMS codes where the service offers them.
- Keep records of transactions (receipts, confirmation emails) and screenshots of consent forms.
- Exercise your rights — request access or correction if your data seems wrong.
- Report breaches to the company first; if unresolved, file a complaint with the NPC.
- Be cautious with third-party apps and social logins — check what data they request.
Common Questions (Quick Answers)
Q: Can companies sell my data to marketers?
A: Not without a valid legal basis and usually not without explicit consent and clear disclosure.
Q: Can I ask a company to delete my data?
A: Yes, in many circumstances — but there are exceptions (e.g., legal retention requirements, ongoing investigations).
Q: What if a company refuses my access request?
A: Ask for a written explanation. If unsatisfied, you can file a complaint with the NPC and seek remedy.
Example: What a Simple Privacy Notice Should Say
A short privacy notice for a website might include:
- Who we are (company name & contact)
- What personal data we collect (name, email, payment info)
- Why we collect it (to process orders, provide services)
- Legal basis (consent, contractual necessity, legal obligation)
- How long we keep it (e.g., “for the duration of the customer relationship and as required by law”)
- How to exercise rights (email DPO@example.com)
- Third-party processors (payment gateway, analytics) with links to their privacy policies
Enforcement and Penalties
The Data Privacy Act empowers the National Privacy Commission to investigate complaints, issue corrective orders, impose administrative fines, and refer criminal cases. Penalties for serious violations may include administrative fines and criminal liability. Companies should treat compliance as a legal and reputational priority.
How VCMP Law Can Help
Data privacy law is technical and enforcement is active. If your business needs help with:
- Drafting privacy policies and consent forms
- Registering with the NPC and preparing DPIAs
- Drafting Data Processing Agreements and vendor contracts
- Responding to data breaches and regulatory inquiries
- Handling data subject requests and defending against complaints
VCMP Law Offices can guide you through compliance and represent you if disputes or investigations arise.
👉 Book a legal consultation: Contact Us / Book Now
Disclaimer: This article provides general information only and does not constitute legal advice. For advice tailored to your situation, consult a licensed attorney.
