Common Problems

  • What is the Data Privacy Act of the Philippines? What does it regulate?

    The Data Privacy Act (DPA) of the Philippines came into effect on August 15, 2012 with the approval of the President of the Philippines. It aims to protect the personal data of Philippine residents and regulate the processing and transfers of personal data at home and abroad.

    The DPA of the Philippines applies to the processing of personal data using equipment located in the Philippines or through offices, branches, or agencies in the Philippines, or the processing activities carried out outside the Philippines on the personal data of Philippine residents or citizens.

  • What are the Implementing Rules and Regulations of the Data Privacy Act of 2012? What do they regulate?

    The Implementing Rules and Regulations of the Data Privacy Act of 2012 were issued by the Philippine National Privacy Council (NPC) on August 24, 2016. They interpret general principles for personal data protection and aim to regulate and ensure the implementation of the provisions in the Data Privacy Act of the Philippines.

    The Implementing Rules and Regulations of the Data Privacy Act of 2012 and the Data Privacy Act of the Philippines have the same regulatory scope.

  • What is NPC Circular No. 16-03 – Personal Data Breach Management? What does it regulate?

    NPC Circular No. 16-03 – Personal Data Breach Management was issued by the National Privacy Council on December 15, 2016. The circular provides framework guidelines for personal data breach management, as well as guidelines for prevention of personal data breaches, response procedures, and notification requirements.

    NPC Circular No. 16-03 – Personal Data Breach Management applies to any natural or legal person in the government or private sector who processes personal data in or outside the Philippines. Personal data processing activities shall comply with this circular and the relevant provisions stated in the Data Privacy Act of the Philippines and the Implementing Rules and Regulations of the Data Privacy Act of 2012.

  • What is NPC Circular No. 20-03 – Data Sharing Agreements? What does it regulate?

    NPC Circular No. 20-03 – Data Sharing Agreements was issued by the National Privacy Council on December 23, 2020. The circular provides the policies and requirements related to data sharing agreements.

    The circular applies to personal data that is controlled or kept by a personal data controller (PIC) in the Philippines and is shared, disclosed, or transferred to another PIC, and to personal data of Philippine residents or citizens that is shared, disclosed, or transferred outside the Philippines.

  • What is NPC Circular No. 23-04 – Guidelines on Consent? What does it regulate?

    NPC Circular No. 23-04 – Guidelines on Consent was issued by the National Privacy Council on 7 November 2023. This circular provides guidance on the use of consent as a lawful basis for the processing of personal data.

    The circular applies to all PICs in the Philippines who have obtained the consent of data subjects to engage in the processing of personal data.

  • What roles and obligations are stipulated in the Philippines' privacy protection laws?

    The privacy protection laws of the Philippines define three roles: personal data subject, personal data controller, and personal data processor.


    A personal data subject has the right to know and obtain their personal data; the right to object to the processing of their personal data; the right to update or rectify their personal data; the right to delete their personal data; the right to withdraw their consent; and the right to claim compensation for failure to protect their personal data.


    Basic obligations of personal data processors: a personal data processor shall process personal data as required or agreed by data controllers; ensure personal data confidentiality; record personal data processing activities; implement appropriate measures to ensure the security of personal data in accordance with applicable privacy laws and regulations; assist the personal data controller in responding to data subjects' requests for rights; cooperate with the personal data controller and other authorized audit organizations to conduct audits; and report violations.


    Compared with personal data processors, personal data controllers shall comply with more specific obligations, including notifications, consents, purpose restriction, responses to data subjects' rights, personal data accuracy protection, personal data protection, personal data retention and cross-border transfer restriction, notifications of personal data breaches, DPO assignment, personal data protection policy development, and personal data subcontracting restriction.


    For details about each obligation, see Huawei Cloud Compliance with Philippine's Privacy Protection Regulations.