Quick answer

Any business collecting customer, employee, or other personal data must comply with Republic Act No. 10173 as a personal information controller. The law requires processing personal data only for specified, legitimate, and declared purposes; implementing reasonable organizational, physical, and technical security measures proportionate to the data's sensitivity; and promptly notifying the National Privacy Commission and affected individuals of a breach likely to cause serious harm. Unauthorized processing carries criminal penalties of 1 to 6 years imprisonment and fines of ₱500,000 to ₱4,000,000, depending on whether sensitive personal information is involved.

Who this law applies to

The Data Privacy Act applies to virtually any business that collects personal information — customer names and contact details, employee records, billing information, or any data that identifies a specific individual. A business in this role is a “personal information controller” under the law, and carries specific, affirmative compliance obligations, not merely a passive duty to avoid misuse.

The core processing principles (Section 11)

Section 11 requires that personal information processed by a business must be:

The overarching standard behind all of this is transparency, legitimate purpose, and proportionality — a business should be able to explain, clearly, why it is collecting a given piece of data, and should not be collecting more than that stated purpose actually requires.

Security measures (Section 20)

Section 20 requires a personal information controller to implement reasonable and appropriate organizational, physical, and technical measures to protect personal data against accidental or unlawful destruction, alteration, disclosure, and any other unlawful processing, taking into account the nature of the data, the risks of the processing, the size and complexity of the organization, current best practices, and the cost of implementation. Subject to Commission guidelines, the measures must include: safeguards against unauthorized network access and interference; a documented security policy for processing personal information; a process for identifying vulnerabilities and taking preventive and corrective action; and regular monitoring for security breaches.

Businesses must also ensure that third parties processing personal data on their behalf implement equivalent security measures, and employees or agents involved in processing must hold personal information in strict confidentiality — an obligation that continues even after they leave the company or transfer to another role.

Breach notification: a real, active duty

Section 20(f) requires prompt notification to the National Privacy Commission and affected data subjects when sensitive personal information, or other information that could enable identity fraud, is reasonably believed to have been acquired by an unauthorized person, and the acquisition is likely to give rise to a real risk of serious harm. The notification must describe the nature of the breach, the information possibly involved, and the measures taken to address it. Delay is permitted only to the extent necessary to determine the scope of the breach, prevent further disclosure, or restore system integrity — not as a matter of convenience.

Penalties for getting it wrong

Section 25 penalizes unauthorized processing — processing personal information without the data subject's consent or other legal authorization — at 1 to 3 years imprisonment and a fine of ₱500,000 to ₱2,000,000. Where sensitive personal information is involved, the penalty rises to 3 to 6 years imprisonment and a fine of ₱500,000 to ₱4,000,000. Other provisions of the law separately penalize negligent handling of data, improper disclosure, and malicious processing, each with its own penalty scale.

Practical compliance checklist for a Philippine business

Frequently Asked Questions

Does the Data Privacy Act apply to small businesses, not just large corporations? Yes. Any business that collects and processes personal information — customer, employee, or otherwise — is a personal information controller under RA 10173, regardless of size, though the National Privacy Commission's specific registration thresholds may vary by data volume and sensitivity.

What is the deadline for reporting a data breach in the Philippines? The law requires prompt notification to the National Privacy Commission and affected data subjects once a breach involving sensitive personal information is reasonably believed to have occurred and poses a real risk of serious harm — delay is permitted only to determine the breach's scope, prevent further disclosure, or restore system integrity.

What is the penalty for processing personal data without consent? 1 to 3 years imprisonment and a fine of ₱500,000 to ₱2,000,000 for unauthorized processing of ordinary personal information, rising to 3 to 6 years and a fine of ₱500,000 to ₱4,000,000 if sensitive personal information is involved.

Is a business responsible for how a third-party vendor handles data it shares with them? Yes. Section 20 of the Data Privacy Act requires a personal information controller to ensure that third parties processing personal data on its behalf implement the same required security measures.

This commentary is for general informational purposes only and does not constitute legal advice. For guidance specific to your situation, please consult a licensed attorney.

If you have questions about your rights or options under Philippine law, our firm is available to assist. You may reach us via Viber or WhatsApp, call us at 0995 433 5550, or send an email to vivasnobles@gmail.com. We look forward to hearing from you.