<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=5678177&amp;fmt=gif">

Philippines Republic Act 10173

The Philippines' privacy law.

Book a Demo

What is Republic Act 10173?

The Republic Act 10173, officially known as the Data Privacy Act of 2012 (DPA), is Philippine’s data privacy law, aiming to “to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth” while also ensuring “that personal information in information and communications systems in the government and in the private sector are secured and protected.” The law became enforceable as of September 8, 2012 and the regulating authority, the NPC, was established 4 years later, in 2016. As of September 9, 2016 the NPC published ‘Implementing Rules and Regulations of Republic Act No. 10173, known as the Data Privacy Act of 2012,’ or the IRR, to help with the understanding of the requirements imposed on covered entities. 

What is Personal Information and what are other key definitions?

Under Republic Act 10173, consent is “any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her” which has to be recorded through “written, electronic or recorded means.” Consent can also be given on behalf of a data subject by someone who has been specifically authorized to do so.

Along the same lines, a ‘data subject’ is “an individual whose personal information is processed,” and ‘personal information’ means “any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.” In the case of ‘sensitive personal information’ the law defines this as personal information that includes the following: 

  • an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
  • an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
  • personal information issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
  • personal information specifically established by an executive order or an act of Congress to be kept classified.

In addition, the law defines ‘privileged information’ which is “any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.” This type of data, along with sensitive personal information, has a special regime of protection in the Philippine privacy law.

Republic Act 1017 also includes definitions for ‘data controller’ and ‘data processor’ as well as what types of entities are excluded from this definition. A data controller is “a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf” but excludes “a person or organization who performs such functions as instructed by another person or organization; and an individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.” 

A data processor is “any natural or juridical person” that is qualified to act as a processor for a data controller who would share personal information with them for this purpose.

Last but not least, according to the law, ‘processing’ means “any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.”

Who has to comply with Republic Act 10173?

The Philippines’ Republic Act 10173 applies “to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines.” 

The law also clarifies its extraterritorial application mandating that the Republic Act 10173 also applies “to an act done or practice engaged in and outside of the Philippines by an entity if the act, practice or processing relates to personal information about a Philippine citizen or a resident; or if the entity has a link with the Philippines, and the entity is processing personal information in the Philippines or even if the processing is outside the Philippines as long as it is about Philippine citizens or residents.” The act referred to here may be a contract entered in the Philippines, a juridical entity “unincorporated in the Philippines but has central management and control in the country,” or “an entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information.” Additionally, if an entity carries business in the Philippines or the personal information was “collected or held by an entity in the Philippines,” this is also covered by the country’s data protection law.

Who is excluded from Republic Act 10173 compliance? 

  • Just like with other data protection laws, Republic Act 10173 exempts certain types of data, such as: 

    • Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:
      • The fact that the individual is or was an officer or employee of the government institution;
      • The title, business address and office telephone number of the individual;
      • The classification, salary range and responsibilities of the position held by the individual; and
      • The name of the individual on a document prepared by the individual in the course of employment with the government;
    • Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;
    • Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;
    • Personal information processed for journalistic, artistic, literary or research purposes;
    • Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);
    • Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and
    • Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.


How can I keep my organization Republic Act 10173 compliant? 

Both the text of the law and the IRR document list a series of obligations for covered entities that relate to processing of personal data. 

According to the IRR, data controllers and data processors who have 250 or more employees or who process the sensitive personal information of 1,000 or more data subjects have an obligation to register their data processing systems on the NPC’s Registration System. Additionally, data controllers and processors have to notify the NPC “of automated processing operations where the processing becomes the sole basis of making decisions that would significantly affect the data subject” and to provide an “annual report of the summary of documented security incidents and personal data breaches.”

Section 11 of the law lists the general data privacy principles that apply to the processing of personal data, namely transparency, legitimate purpose, and proportionality. Section 21 adds to this the principle of accountability, according to which, controllers are “responsible for personal information under [their] control or custody, including information that has been transferred to a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation.” 

  As such, personal information must, be:

  • Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only;
  • Processed fairly and lawfully;
  • Accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal information, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted;
  • Adequate and not excessive in relation to the purposes for which they are collected and processed;
  • Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law; and
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed.

Within Section 12 covered entities can find the criteria for lawful processing of personal information, such as:

  • consent given by the data subject; 
  • the necessity of processing for any of the following:
    • the fulfillment of a contract;
    • for compliance with a legal obligation;
    • to protect vitally important interests of the data subject, including life and health;
    • in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or
    • for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed.

As regards the processing of sensitive personal information, Section 13 states that  the processing of sensitive personal information and privileged information shall be prohibited, except certain cases apply, such as when:

  • the data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;
  • the processing is provided for by existing laws and regulations where such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information and the consent of the data subjects is not required by law or regulation, thus permitting the processing of the sensitive personal information or the privileged information;
  • the processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;
  • the processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations, where the processing is restricted to the bona fide members of these organizations or their associations, no sensitive personal information is transmitted to any third party, and consent has been obtained prior to processing;
  • the processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or
  • the processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.

Republic Act 10173 mandates in Section 20 that controllers have an obligation to ensure the security of personal information through “reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing, [...] natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.” The appropriate level of security will have to take into account “the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices and the cost of security implementation.” 

According to Section 20 (f) in the event of a data breach, “the personal information controller shall promptly notify the Commission and affected data subjects when sensitive personal information or other information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.” The IRR clarifies this further by stating that “the Commission and affected data subjects shall be notified by the personal information controller within seventy-two (72) hours upon knowledge of the data breach.” However, the law grants that “notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system.”

The notification will have to contain several details such as:

  • the nature of the breach, 
  • the sensitive personal information possibly involved, and
  • the measures taken by the entity to address the breach. 

Republic Act 10173 compliant website with Clym

Book a Demo

What data access rights does Republic Act 10173 grant? 

According to the official text, and as clarified by the IRR, data subjects have the following access rights: 

  • Right to be informed
  • Right to object to the processing of his or her personal data, including processing for direct marketing, automated processing or profiling 
  • Right to Access
  • Right to Rectification (Right to Correct)
  • Right to Erasure or Blocking (Right to Delete)
  • Right to Data Portability - where a data subject’s personal data is processed by electronic means and in a structured and commonly used format, the data subject has the right to obtain from the personal information controller a copy of such data in an electronic or structured format that is commonly used and allows for further use by the data subject.
  • Right to damages - where the data subject stood to suffer due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, taking into account any violation of his or her rights and freedoms as data subject.
  • Right to transmit data subject rights - where one data subject is nominated as heir or is what the law calls an ‘assignee,’ on behalf of another data subject, they can invoke the rights of the individual “at any time after the death of the data subject or when the data subject is incapacitated or incapable of exercising the rights.”

How should organizations address data subject access requests under Republic Act 10173?

Neither the Republic Act 10173, nor the IRR offer any guideline on how data subject requests should be answered and what the deadline for these requests is. The only mention is in relation to the Right to Correct, where controllers have to “correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable.”

Enforcement and penalties

The enforcing authority is the National Privacy Commission (NPC) whose duties include: ensuring compliance, handling complaints, recommending penalties to the Department of Justice. Regarding penalties, Sections 25 through 36 list the various types of violations and the associated penalties which consist of both criminal and financial sanctions. Imprisonment can be between 6 months and 7 years, coupled with a financial sanction ranging between Php100,000.00 (approx. $ 1765) and Php4,000,000.00 (approx. $ 70,500). Any combination of violations listed in Sections 25 through 36 can result in a sanction consisting of imprisonment for a period between  3 and 6 years and a fine between Php100,000.00 (approx. $ 17650) and Php5,000,000.00 (approx. $ 88,000). 

Data Subject Rights - GDPR vs. Republic Act 10173


How can Clym help?

Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:

  • All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
  • Seamless integration into your website;
  • Adaptability to your users’ location and applicable regulation;
  • Customizable branding;
  • ReadyCompliance™: Covering 30+ data privacy regulations;
  • Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.

You can convince yourself and see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.

illustration of means of contact


If you would like to learn more, our compliance experts are happy to support you.

Leave us a Message
+1 980 446 8535 +1 866 275 2596