Philippines Data Privacy Act

Philippines

19 domains

36 controls

Philippines Data Privacy Act of 2012 (RA 10173) + IRR 2016 + NPC circulars.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (19)

Breach

2 controls

Controls in the Breach domain of Philippines Data Privacy Act — 2 controls
Code	Title	Description
NPC-16-03-BMT	Breach Management Team and Procedures	PICs must establish a Data Breach Response Team responsible for managing security incidents and personal data breaches,...
NPC-16-03-BREACH	Personal Data Breach Notification	The PIC must notify the NPC and affected data subjects within 72 hours upon knowledge of, or reasonable belief that, a p...

Cross-border Transfers

1 controls

Controls in the Cross-border Transfers domain of Philippines Data Privacy Act — 1 controls
Code	Title	Description
RA10173-S21	Principle of Accountability for Cross-Border Transfers	The PIC remains responsible for personal information transferred to third parties or processed across borders. The PIC m...

DPIA

1 controls

Controls in the DPIA domain of Philippines Data Privacy Act — 1 controls
Code	Title	Description
NPC-18-02-PIA	Privacy Impact Assessment	PICs must conduct a Privacy Impact Assessment for any program, process, or system that involves personal data processing...

Data Subject Rights

8 controls

Controls in the Data Subject Rights domain of Philippines Data Privacy Act — 8 controls
Code	Title	Description
NPC-18-01-RIGHTS	Exercise of Data Subject Rights Procedure	PICs must establish procedures and reasonable response timelines for data subjects to exercise their rights, including i...
RA10173-S16-A	Right to be Informed	Data subjects must be informed before their personal data enters the processing system or before any change in policy, o...
RA10173-S16-B	Right to Access	Data subjects have the right to reasonable access upon demand to contents of their personal data, sources, recipients, p...
RA10173-S16-C	Right to Object	Data subjects may object to processing, including for direct marketing, automated processing, or profiling. When objecti...
RA10173-S16-D	Right to Erasure or Blocking	Data subjects may order the blocking, removal, or destruction of their personal data from the PIC filing system upon dis...
RA10173-S16-E	Right to Damages	Data subjects are entitled to be indemnified for damages sustained due to inaccurate, incomplete, outdated, false, unlaw...
RA10173-S18	Right to Data Portability	Where personal data is processed by electronic means and in a structured and commonly used format, the data subject has...
RA10173-S19	Non-Applicability and Filing of Complaints	Data subjects may file complaints with the NPC for violations. Rights of access and objection do not apply where process...

Enforcement

2 controls

Controls in the Enforcement domain of Philippines Data Privacy Act — 2 controls
Code	Title	Description
RA10173-S22-25	Penalties: Unauthorized Processing and Access	Unauthorized processing, access due to negligence, improper disposal, processing for unauthorized purposes, unauthorized...
RA10173-S34-LARGE	Large-Scale or Sensitive Information Aggravated Penalties	Maximum penalties apply when the offense involves the personal information of at least one hundred persons or sensitive...

Exemptions

1 controls

Controls in the Exemptions domain of Philippines Data Privacy Act — 1 controls
Code	Title	Description
NPC-RESEARCH	Research Exemption Conditions	Processing for research purposes is permitted subject to safeguards including ethics review, anonymisation where feasibl...

Governance

2 controls

Controls in the Governance domain of Philippines Data Privacy Act — 2 controls
Code	Title	Description
IRR-S26-PRIVACY-MANUAL	Privacy Management Program and Manual	The PIC must develop, document, implement, and maintain a Privacy Management Program and Privacy Manual covering all per...
NPC-16-01-DPO	Mandatory Designation of Data Protection Officer	Every PIC and PIP must designate a Data Protection Officer. A Compliance Officer for Privacy may be designated only by b...

HR

1 controls

Controls in the HR domain of Philippines Data Privacy Act — 1 controls
Code	Title	Description
NPC-EMPLOYEE	Employee Personal Data Processing	Employers must inform employees of data processing related to employment, payroll, benefits, performance, and monitoring...

Lawful Basis

2 controls

Controls in the Lawful Basis domain of Philippines Data Privacy Act — 2 controls
Code	Title	Description
RA10173-S12	Criteria for Lawful Processing of Personal Information	Processing of personal information is permitted only when consent is obtained or one of five other statutory bases appli...
RA10173-S13	Sensitive Personal Information and Privileged Information	Processing of sensitive personal information (race, ethnic origin, health, education, genetic, sexual life, offenses, go...

Marketing

1 controls

Controls in the Marketing domain of Philippines Data Privacy Act — 1 controls
Code	Title	Description
NPC-DIRECT-MARKETING	Direct Marketing Restrictions	Direct marketing requires lawful basis (typically consent or legitimate interests with opt-out), respect for objections,...

Online

1 controls

Controls in the Online domain of Philippines Data Privacy Act — 1 controls
Code	Title	Description
NPC-COOKIES	Cookies and Online Tracking	Where cookies and similar tracking technologies process personal data, PICs must provide a clear cookie notice, obtain c...

Principles

1 controls

Controls in the Principles domain of Philippines Data Privacy Act — 1 controls
Code	Title	Description
RA10173-S11	General Data Privacy Principles	Personal data must be processed in adherence to the principles of transparency, legitimate purpose, and proportionality.

Registration

1 controls

Controls in the Registration domain of Philippines Data Privacy Act — 1 controls
Code	Title	Description
NPC-17-01-DPS	Registration of Data Processing Systems with NPC	PICs and PIPs meeting threshold criteria (250+ employees, or processing sensitive personal information of 1,000+ individ...

Regulator

1 controls

Controls in the Regulator domain of Philippines Data Privacy Act — 1 controls
Code	Title	Description
RA10173-S7-NPC	National Privacy Commission Authority	The NPC monitors and ensures compliance, receives complaints, conducts investigations, issues cease-and-desist orders, r...

Retention

1 controls

Controls in the Retention domain of Philippines Data Privacy Act — 1 controls
Code	Title	Description
IRR-S37-RETENTION	Data Retention and Disposal	Personal data must be retained only as long as necessary for the declared, specified, and legitimate purpose or as requi...

Sector Specific

3 controls

Controls in the Sector Specific domain of Philippines Data Privacy Act — 3 controls
Code	Title	Description
NPC-BPO-SECTOR	BPO and KPO Sector Compliance	BPO and KPO entities acting as PIPs for foreign principals must comply with the DPA regardless of the principal jurisdic...
NPC-GOV-AGENCIES	Government Agencies Specific Obligations	Government agencies acting as PICs must designate accountable officers, implement strict access controls, and follow add...
NPC-HEALTH-SECTOR	Health Sector Personal Data Protections	Hospitals, clinics, and health-related entities processing health information must adopt enhanced protections including...

Security

4 controls

Controls in the Security domain of Philippines Data Privacy Act — 4 controls
Code	Title	Description
IRR-S38-ACCESS-LOGS	Access and Activity Logging	PICs must maintain records that sufficiently describe its data processing system, identification of access controls, log...
RA10173-S20-A	Security of Personal Information: Organizational Measures	The PIC must implement organizational security measures including designation of a Data Protection Officer or Compliance...
RA10173-S20-B	Security of Personal Information: Physical Measures	Physical security measures must protect against natural disasters, power disturbances, external access, and other simila...
RA10173-S20-C	Security of Personal Information: Technical Measures	Technical security measures include encryption, access controls, security incident management, vulnerability monitoring,...

Special Categories

1 controls

Controls in the Special Categories domain of Philippines Data Privacy Act — 1 controls
Code	Title	Description
IRR-S25-CHILDREN	Processing of Personal Information of Minors	Processing personal information of minors requires consent of parents or legal guardians. Marketing to children and proc...

Third Parties

2 controls

Controls in the Third Parties domain of Philippines Data Privacy Act — 2 controls
Code	Title	Description
IRR-S26-PROCESSORS	Personal Information Processors Contracts	PICs must enter into written contracts with PIPs ensuring processing only on documented instructions, confidentiality, s...
NPC-OUTSOURCING	Outsourcing and Subcontracting Agreements	Outsourcing arrangements must include specified contractual provisions covering geographic locations, security measures,...

Frequently Asked Questions

What is Philippines Data Privacy Act?

Philippines Data Privacy Act is a compliance framework from Philippines with 19 domains and 36 controls. Philippines Data Privacy Act of 2012 (RA 10173) + IRR 2016 + NPC circulars. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does Philippines Data Privacy Act have?

Philippines Data Privacy Act has 36 controls organised across 19 domains. The largest domains are Data Subject Rights (8 controls), Security (4 controls), Sector Specific (3 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does Philippines Data Privacy Act map to?

Philippines Data Privacy Act does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with Philippines Data Privacy Act compliance?

Start your Philippines Data Privacy Act compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Philippines Data Privacy Act requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 36 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required