Privacy Policy (Philippines)

PRIVACY POLICY

Data Privacy Act of 2012 (Republic Act 10173) | NPC Implementing Rules and Regulations

Effective Date: [Effective Date]

Website: [Website URL]

[Organization Name] ("Organization," "we," "us," or "our"), with principal office at [Organization Address], registration number [Registration Number], is committed to protecting the personal data of our customers, employees, and other data subjects in accordance with the Data Privacy Act of 2012 (Republic Act 10173, "DPA") and the implementing rules and regulations issued by the National Privacy Commission (NPC) at privacy.gov.ph. This Privacy Policy describes how we collect, use, store, share, and protect personal data, and the rights available to data subjects under RA 10173.

1. PERSONAL DATA WE COLLECT

1.1 We collect the following categories of personal data: [Data Types Collected]

1.2 Where applicable, we may also collect the following sensitive personal information as defined under Section 3(l) of RA 10173: [Sensitive Data Types]

1.3 Personal data is collected directly from data subjects (through registration forms, transactions, and communications), automatically (through cookies, log data, and device identifiers), and from third-party sources (such as public registries, social media platforms, and business partners) where lawfully permitted.

2. PURPOSES AND LAWFUL BASIS FOR PROCESSING

2.1 We process personal data for the following purposes: [Processing Purposes]

2.2 The lawful bases for processing under Section 12 of RA 10173 include: consent of the data subject; performance of a contract to which the data subject is a party; compliance with a legal obligation applicable to the Organization; protection of the vital interests of the data subject; performance of a task carried out in the public interest; and the legitimate interests of the Organization, except where overridden by the fundamental rights of the data subject.

3. DATA RETENTION

3.1 We retain personal data for [Retention Period], or for such longer period as may be required by applicable Philippine law — including the National Internal Revenue Code (NIRC), the General Banking Law (RA 8791), and applicable SEC or BIR record-keeping requirements. After the applicable retention period, personal data is securely deleted or anonymized.

3.2 Where personal data is the subject of a legal dispute, NPC investigation, or pending legal obligation, retention is extended for the duration of such proceedings.

4. DATA SHARING AND TRANSFERS

4.1 We may share personal data with the following categories of recipients: [Third Party Recipients]. All third-party processors are bound by Data Processing Agreements compliant with Section 14 of RA 10173.

4.2 Where personal data is transferred outside the Philippines to the following countries: [Cross Border Transfer Countries], we ensure that appropriate safeguards are in place as required under Section 21(c) of RA 10173, including contractual clauses imposing RA 10173-equivalent protections on the foreign recipient.

4.3 We do not sell personal data to third parties. We may disclose personal data to government agencies — including the Bureau of Internal Revenue (BIR), Securities and Exchange Commission (SEC), Anti-Money Laundering Council (AMLC), and courts of competent jurisdiction — where required by law or court order.

5. RIGHTS OF DATA SUBJECTS

5.1 Under Sections 16 to 20 of RA 10173, data subjects have the following rights: (a) Right to be Informed — the right to be notified of the processing of personal data; (b) Right to Access — the right to request access to personal data held by the Organization; (c) Right to Object — the right to object to the processing of personal data; (d) Right to Erasure or Blocking — the right to suspend, withdraw, or order the blocking or removal of personal data from the Organization's filing system; (e) Right to Damages — the right to be indemnified for damages sustained as a result of inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal data; (f) Right to File a Complaint — the right to file a complaint before the NPC at privacy.gov.ph; (g) Right to Rectify — the right to dispute inaccurate or erroneous data; (h) Right to Data Portability — the right to obtain a copy of personal data in an electronic or structured format.

5.2 To exercise any of the above rights, contact our Data Protection Officer: [DPO Name], [DPO Email].

6. DATA SECURITY

6.1 We implement appropriate organizational, physical, and technical security measures under Section 20 of RA 10173 to protect personal data against unauthorized access, disclosure, alteration, or destruction, including encryption, access controls, regular security assessments, and staff data privacy training.

6.2 In the event of a personal data breach, we will notify the NPC and affected data subjects within 72 hours of discovery, as required under NPC Circular 2016-03.

7. CONTACT AND UPDATES

7.1 For questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, contact our Data Protection Officer: [DPO Name], [DPO Email], [Organization Address].

7.2 We may update this Privacy Policy from time to time. The updated Policy will be posted at [Website URL] with a revised effective date. Continued use of our services after the effective date constitutes acceptance of the updated Policy.

Data Protection Officer / Authorized Representative

________________

Signature

Maintained by Vladislav Sergienko, Founder

What Is a Privacy Policy (Philippines)?

A Privacy Policy in the Philippines is a formal document that informs individuals — referred to as data subjects — about how an organization collects, uses, stores, transfers, and disposes of their personal data. In the Philippines, Privacy Policies are legally mandated by the Data Privacy Act of 2012 (Republic Act 10173, RA 10173) and its Implementing Rules and Regulations (IRR), enforced by the National Privacy Commission (NPC) established under Section 7 of RA 10173 with its official website at privacy.gov.ph.

RA 10173 applies to any natural or juridical person in the Philippines — whether a sole proprietor registered with the DTI, a corporation registered under the Revised Corporation Code (RA 11232, 2019) with the SEC, or a government agency — that processes personal information as a personal information controller (PIC) or personal information processor (PIP). The law also has extraterritorial effect: it applies to foreign entities that process personal data of Philippine residents, process data using equipment located in the Philippines, or have a link to the Philippines as determined under Section 6 of RA 10173.

The NPC has issued numerous advisory opinions, circulars, and orders clarifying the requirements for Privacy Policies. NPC Circular 2016-01 sets out the registration requirements for personal information controllers, and NPC Advisory Opinion 2020-026 clarifies the requirements for valid consent under RA 10173. The Privacy Policy must be written in clear and plain language accessible to the data subjects and must be made available prior to or at the time of data collection.

A Philippine Privacy Policy differs from a general Terms and Conditions agreement in that it specifically addresses the data subject's rights under Sections 16 to 20 of RA 10173 — namely the right to be informed, right to access, right to object, right to erasure and blocking, right to damages, right to file a complaint, right to rectify, and right to data portability. The Privacy Policy is also distinct from a Data Processing Agreement (DPA), which is a contract between a personal information controller and a personal information processor under Section 14 of RA 10173.

The legal framework governing a Privacy Policy in the Philippines draws on several key statutes and regulatory bodies. Under Philippine law, the Civil Code of the Philippines (Republic Act No. 386) governs contractual obligations. The Revised Corporation Code (Republic Act No. 11232) regulates corporate entities through the Securities and Exchange Commission (SEC). The Labor Code of the Philippines (Presidential Decree No. 442) and the Department of Labor and Employment (DOLE) govern employment matters. The Data Privacy Act of 2012 (Republic Act No. 10173) and the National Privacy Commission (NPC) protect personal data. The Bureau of Internal Revenue (BIR) administers tax obligations under the National Internal Revenue Code. Parties executing a Privacy Policy in the Philippines should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Data Privacy Act (RA 10173) sets the foundational requirements.

When Do You Need a Privacy Policy (Philippines)?

A Privacy Policy is required under Philippine law for any organization that collects, records, organizes, stores, updates, retrieves, discloses, or destroys personal information of Philippine residents.

Any website, mobile application, or e-commerce platform that collects user registration details, purchase histories, IP addresses, device identifiers, or behavioral data from Philippine users requires a Privacy Policy published on the platform prior to data collection, as mandated by Section 13 of RA 10173 and the NPC's Advisory Opinions on online data collection.

Any employer — whether a corporation registered with the SEC or a business registered with the DTI — that collects and processes employee personal data, including biometric data for time and attendance, SSS numbers, PhilHealth IDs, Pag-IBIG/HDMF membership numbers, TINs, and medical records, must have an internal Privacy Policy and inform employees of their data rights under RA 10173.

A healthcare provider, hospital, or clinic processing sensitive personal information — defined under Section 3(l) of RA 10173 to include medical records, health data, and genetic information — must comply with the heightened requirements for sensitive personal information under Section 13 of RA 10173 and the NPC's sector-specific guidelines on health data.

Any organization that collects data from children below 13 years of age must obtain verifiable parental consent under NPC Advisory Opinion 2017-049 before collecting personal data, making a specific Privacy Policy addressing minors' data essential.

A personal information controller employing 250 or more persons, or whose core activities involve large-scale processing of sensitive personal information, must register its data processing systems with the NPC under NPC Circular 2017-01 — and a compliant Privacy Policy is a prerequisite for that registration.

Parties in the Philippines should prepare a Privacy Policy proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.

What to Include in Your Privacy Policy (Philippines)

A compliant Philippine Privacy Policy under RA 10173 must include the following essential elements.

Identity and Contact Details of the Personal Information Controller: Full legal name, address, and contact information of the organization, plus the name and contact details of the Data Protection Officer (DPO), who is required under Section 21 of RA 10173 for organizations with 250 or more employees or those processing sensitive personal information at scale.

Types of Personal Data Collected: A clear list of personal data categories collected — distinguishing between ordinary personal information (names, addresses, contact details) and sensitive personal information (health data, government ID numbers, biometric data, financial information) under Section 3(l) of RA 10173.

Purpose and Lawful Basis for Processing: Statement of the specific purpose for each category of data collected and the applicable lawful basis under Section 12 of RA 10173 — consent, contract performance, compliance with legal obligation, vital interests, legitimate interests, or public task.

Data Retention Period: How long personal data is retained and the criteria used to determine retention periods, as required by NPC Advisory Opinion 2018-031 on data retention.

Data Subject Rights: Enumeration of the eight rights under Sections 16 to 20 of RA 10173 — right to be informed, access, object, erasure/blocking, damages, file complaint with NPC, rectify, and data portability — and how data subjects may exercise them.

Cross-Border Data Transfers: Where personal data is transferred outside the Philippines, disclosure of the safeguards in place as required under Section 21(c) of RA 10173 and the NPC's guidelines on cross-border data flows.

Data Breach Notification: Statement of the organization's obligation to notify the NPC and affected data subjects within 72 hours of discovery of a personal data breach under NPC Circular 2016-03.

Additional compliance elements for a Privacy Policy used in the Philippines include the following. Under Philippine law, the Civil Code of the Philippines (Republic Act No. 386) governs contractual obligations. The Revised Corporation Code (Republic Act No. 11232) regulates corporate entities through the Securities and Exchange Commission (SEC). The Labor Code of the Philippines (Presidential Decree No. 442) and the Department of Labor and Employment (DOLE) govern employment matters. The Data Privacy Act of 2012 (Republic Act No. 10173) and the National Privacy Commission (NPC) protect personal data. The Bureau of Internal Revenue (BIR) administers tax obligations under the National Internal Revenue Code. Forms-legal.com provides this template as a starting point for Philippines-compliant documentation.

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Privacy Policy (Philippines) (Philippines) [Legal document template]. Forms Legal. https://forms-legal.com/philippines/business/contracts/privacy-policy-philippines

MLA

"Privacy Policy (Philippines) (Philippines)." Forms Legal, 2026, https://forms-legal.com/philippines/business/contracts/privacy-policy-philippines.

BibTeX
@misc{formslegal-privacy-policy-philippines,
  author       = {{Forms Legal}},
  title        = {Privacy Policy (Philippines) (Philippines)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/philippines/business/contracts/privacy-policy-philippines}},
  note         = {Free legal document template. Based on Data Privacy Act (RA 10173)}
}

Based on Data Privacy Act (RA 10173) — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.