Republic Act No. 10173 Philippines

Overview

The Philippines Republic Act No. 10173, also known as the Data Privacy Act of 2012, along with its Implementing Rules and Regulations (IRR), seeks to protect individuals' personal information in both government and private sector systems. The law aims to protect the security of personal data while promoting transparency and trust in digital systems, safeguarding privacy without compromising the free flow of information for innovation and growth. The Act establishes the National Privacy Commission (NPC) as the primary regulatory authority for overseeing its implementation and compliance.

Regulation Summary

Timeline
  • August 15, 2012: Enactment of Republic Act No. 10173.
  • September 2016: Implementing Rules and Regulations (IRR) issued.
  • March 2017: Full enforcement by the National Privacy Commission (NPC).
What Businesses Are Affected
  • All entities processing personal data within the Philippines.
  • Foreign entities processing data of individuals in the Philippines.
  • Both private and public sector organizations handling personal information.
Exemptions
  • Personal data collected for personal or household activities.
  • Information processed for journalistic, artistic, or literary purposes.
  • Data collected for national security, law enforcement, or public order purposes.
Responsibilities for Businesses
  • Obtain lawful and informed consent before collecting personal data.
  • Ensure transparency in data collection and processing.
  • Implement security measures to prevent unauthorized access and data breaches.
  • Notify the National Privacy Commission (NPC) and affected individuals of data breaches.
  • Appoint a Data Protection Officer (DPO) for entities processing significant amounts of personal data.
Specific Responsibilities for Website Owners
  • Implement cookie consent mechanisms.
  • Provide a clear and accessible privacy policy.
  • Ensure secure online forms for collecting personal data.
  • Enable users to exercise data rights through an online platform.
Additional Requirements
  • Cross-Border Data Transfers: Data transfers outside the Philippines must comply with adequacy standards or legal safeguards.
  • Privacy Impact Assessments: Required for high-risk processing activities, such as biometric data or profiling.
  • Mandatory Data Protection Officers (DPOs): Required for companies processing large-scale personal data or sensitive information.
Data Subject Rights
  • Access: Request information about personal data collected.
  • Correction: Rectify inaccurate or outdated personal information.
  • Erasure: Request deletion of personal data under specific conditions.
  • Portability: Transfer data to another service provider in a structured format.
  • Objection: Refuse processing of personal data for certain purposes.
  • Restriction: Limit how personal data is processed under certain circumstances.
Enforcement
  • Regulatory Authority: National Privacy Commission (NPC).
  • Penalties: Violations can result in fines of up to PHP 5 million (~USD 90,000) and imprisonment for up to six years.