Philippines Data Privacy Act: A Complete Guide to Your Rights Under RA 10173

Every time you fill out a form at a clinic, register a SIM card, apply for a credit card, or sign up for a rewards program, you hand over personal information. In the Philippines, the Data Privacy Act of 2012 (Republic Act No. 10173) governs how organizations collect, store, process, and protect that information.

Most Filipinos know the law exists but are unclear about what it actually means for them. This guide explains your rights in plain language.

What Is the Data Privacy Act?

The Data Privacy Act (DPA) is the Philippines' comprehensive data protection law. It was signed into law in 2012 and is enforced by the National Privacy Commission (NPC). It applies to:

• All Philippine government agencies
• Private companies operating in the Philippines
• Foreign organizations processing data of Filipino citizens
• Individuals who process personal data for commercial purposes

The law covers all forms of personal information — digital files, paper documents, and any other medium.

Your 8 Rights Under the DPA

1. Right to Be Informed

You have the right to know that your personal data is being collected, the purpose of collection, how it will be processed, and who will have access to it. Organizations must tell you this before or at the time of collection.

2. Right to Object

You can refuse to have your personal data processed. You can also withdraw consent that you previously gave. If you object, the organization must stop processing your data unless they have a legal basis to continue.

3. Right to Access

You can request a copy of all personal information an organization holds about you. They must provide it within a reasonable timeframe.

4. Right to Rectification

If your personal data is inaccurate, incomplete, or outdated, you can demand that the organization correct it.

5. Right to Erasure or Blocking

You can request that your personal data be deleted or blocked from further processing when it is no longer necessary for the purpose it was collected, when you withdraw consent, or when it was unlawfully obtained.

6. Right to Damages

If you suffer damage due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of your personal data, you have the right to claim compensation.

7. Right to Data Portability

You can obtain your personal data in an electronic or structured format and transfer it to another organization.

8. Right to File a Complaint

If you believe your data privacy rights have been violated, you can file a complaint directly with the National Privacy Commission.

How to Exercise Your Rights

Action	How to Do It	Where
Request access to your data	Written request to the organization's Data Protection Officer (DPO)	The organization that holds your data
Object to processing	Written notice to the organization	The organization's DPO
Request deletion	Written request citing the legal basis	The organization's DPO
File a complaint	Online complaint form	npc.gov.ph
Report a data breach	Online report or email	complaints@privacy.gov.ph

Common Violations You Should Know About

1. Excessive Data Collection

A restaurant asks for your full name, birthday, address, and phone number just to use their WiFi. This violates the proportionality principle — they are collecting more data than necessary for the service.

2. Sharing Data Without Consent

A bank shares your contact information with an insurance company without your explicit consent. You start receiving calls about products you never asked about.

3. Failure to Secure Data

A company stores customer records including government IDs on an unsecured server. The data gets leaked. The company is liable under the DPA for failing to implement reasonable security measures.

4. No Privacy Notice

A website collects your email, name, and phone number without displaying a privacy notice explaining how the data will be used.

5. Unauthorized CCTV

A private establishment records you on CCTV without any notice and shares the footage with third parties for non-security purposes.

Penalties for Violations

The DPA imposes serious penalties:

• Unauthorized processing of personal data: 1 to 3 years imprisonment and PHP 500,000 to PHP 2,000,000 fine
• Negligence leading to unauthorized access: 1 to 3 years and PHP 500,000 to PHP 2,000,000
• Improper disposal of personal data: 6 months to 2 years and PHP 100,000 to PHP 500,000
• Unauthorized disclosure: 1 to 3 years and PHP 500,000 to PHP 1,000,000

Organizations that suffer data breaches must notify the NPC and affected individuals within 72 hours.

Practical Tips for Protecting Your Data

1. Read privacy notices before signing up for services — yes, actually read them
2. Ask why when businesses request personal information. If it is not necessary for the service, you can refuse
3. Minimize the data you share — use initials instead of full names when possible
4. Request deletion of your data when you stop using a service
5. Do not give photocopies of IDs unless absolutely necessary. Ask if showing the original is sufficient
6. Report violations to the NPC — your complaint can lead to real consequences
7. Check organizations' privacy policies on their websites before sharing data

Protecting Your Data in Daily Digital Life

Beyond formal complaints and legal rights, practical protection matters. When you need to share sensitive personal information online — government IDs, tax documents, medical records — sending them through Messenger or email creates permanent copies that are vulnerable to hacking.

LOCK.PUB lets you create password-protected, self-expiring links for sharing sensitive documents. The recipient enters a password to view the information, and it disappears after the set expiration. This is especially useful when sharing documents for job applications, apartment rentals, or bank transactions.

Key NPC Resources

• NPC Website: npc.gov.ph
• Complaints: complaints@privacy.gov.ph
• Hotline: (02) 8234-2228
• Data Breach Notification: npc.gov.ph/breach-notification

Conclusion

The Data Privacy Act gives every Filipino powerful rights over their personal information. But rights only matter if you exercise them. The next time a business collects more data than necessary, shares your information without permission, or fails to protect your records, you have the legal tools to hold them accountable.

For everyday protection of sensitive information you need to share, visit LOCK.PUB to create free encrypted links that keep your data in your control.