

The Firm provides the following services for persons who wish to comply with the Data Privacy Law:

  1. Introduction to Data Privacy Law and Compliance Talks
  2. Privacy Risk Assessment
  3. Preparation of the Privacy Manual and Privacy Policy Management Program
  4. Implementation of the privacy programs
  5. Breach Monitoring and Reporting


What is the Data Privacy Law?

Republic Act No. 10173, the Data Privacy Act of 2012, is a law that seeks to protect individual personal information in information and communications systems of the government and the private sector.

What is the scope of the law?

It applies to the processing of all types of personal information and to any natural or juridical person involved in personal information processing, including personal information controllers and processors who, although not found in the Philippines, use equipment located in the Philippines or maintain an office, branch or agency in the Philippines.

What are the general principles provided under the law?

The law allows the processing of personal information subject to compliance with its requirements and with other laws allowing disclosure of information to the public, and subject to adherence to the principles of transparency, legitimate purpose and proportionality.

Personal information must be:

(a) Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only;

(b) Processed fairly and lawfully;

(c) Accurate, relevant and, where necessary for the purposes for which it is to be used, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted;

(d) Adequate and not excessive in relation to the purposes for which they are collected and processed;

(e) Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law; and

(f) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed: Provided, That personal information collected for other purposes may be processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods: Provided, further, That adequate safeguards are guaranteed by said laws authorizing their processing.

The personal information controller must ensure the implementation of the personal information processing principles set out above.

What are the rights of a data subject?

  • Right to be informed
  • Right to object
  • Right to access
  • Right to rectification
  • Right to erasure or blocking
  • Right to damages
  • Right to data portability
  • Right to file a complaint with the National Privacy Commission

What is “personal information”?

Any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or which, when put together with other information, would directly and certainly identify an individual.

What is “sensitive personal information”?

Personal information:

  • About an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
  • About an individual's health, education, genetic or sexual life, or about any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
  • Issued by government agencies peculiar to an individual, including social security numbers, previous or current health records, licenses or their denial, suspension or revocation, and tax returns; and
  • Specifically established by an executive order or an act of Congress to be kept classified.

How do you comply?

The National Privacy Commission provides for five (5) pillars of compliance with the law.

1. Appoint a Data Protection Officer

2. Conduct a Privacy Impact Assessment

3. Create your Privacy Management Program

4. Implement your privacy and data protection measures

5. Regularly exercise your Breach Reporting Procedures

What are the penalties provided under the law?

Among the acts punished under the law are the following. Where a range is given, the lower end applies to personal information and the higher end to sensitive personal information:

  • Processing of personal/sensitive personal information for an unauthorized purpose: imprisonment of 1 year 6 months to 7 years, and a fine of P500,000 to P2,000,000
  • Accessing personal/sensitive personal information due to negligence: imprisonment of 1 to 6 years, and a fine of P500,000 to P4,000,000
  • Concealment of a security breach: imprisonment of 1 year 6 months to 5 years, and a fine of P500,000 to P1,000,000
  • Improper disposal: imprisonment of 6 months to 3 years, and a fine of P100,000 to P1,000,000

Can we outsource a Data Protection Officer?

The law requires that all organisations appoint a Data Protection Officer (“DPO”) who shall be accountable for ensuring compliance with data protection laws and regulations. The DPO must be an organic, full-time member of the organisation. The functions of the DPO, however, may be outsourced.


  • Unit 2201 Atlanta Center, Annapolis Street
    Greenhills, City of San Juan, Metro Manila
  • Phone: +632 8571 4886
  • Email: info@mblawofficesph.com