NPC Privacy Complaint Form (Philippines)

A NPC Privacy Complaint Form in the Philippines records the grievance and the facts relied on, initiating the process before the relevant tribunal or office.

The Data Privacy Act (RA 10173) and its Implementing Rules and Regulations (IRR, NPC Circular No. 16-04) protect three categories of personal information: personal information (any information that identifies or can identify an individual), sensitive personal information (race, ethnic origin, marital status, age, color, religious, philosophical or political affiliation, health, education, genetic or sexual life, proceedings for offenses, government-issued IDs), and privileged information. Processing of these categories requires compliance with the eight data privacy principles: transparency, legitimate purpose, and proportionality under Section 11 of RA 10173.

The NPC has jurisdiction over complaints involving: unauthorized processing of personal data without consent or lawful basis under Section 25 of RA 10173; processing of personal data in violation of data privacy principles under Section 26; negligent handling of data leading to unauthorized disclosure under Section 27; improper disposal of personal data under Section 28; processing of personal data for unauthorized purposes under Section 29; data security breaches notified under Section 20; and violation of data subject rights under Sections 16-19 (right to be informed, access, rectification, erasure, and object).

NPC complaints may result in administrative fines of PHP 500,000 to PHP 5,000,000 under the NPC Rules of Procedure for data privacy cases (NPC Circular No. 2020-01), criminal prosecution under Sections 25-33 of RA 10173 (imprisonment of 1 to 6 years), and orders to comply with data privacy obligations.

The legal framework governing the NPC Privacy Complaint Form (Philippines) in Philippines draws on several key statutes and regulatory bodies. Under Philippine law, the Civil Code of the Philippines (Republic Act No. 386) governs contractual obligations. The Revised Corporation Code (Republic Act No. 11232) regulates corporate entities through the Securities and Exchange Commission (SEC). The Labor Code of the Philippines (Presidential Decree No. 442) and Department of Labor and Employment (DOLE) govern employment matters. The Data Privacy Act of 2012 (Republic Act No. 10173) and the National Privacy Commission (NPC) protect personal data. The Bureau of Internal Revenue (BIR) administers tax obligations under the National Internal Revenue Code. Parties executing a NPC Privacy Complaint Form (Philippines) in Philippines should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Local Government Code (RA 7160) sets the foundational requirements.

An NPC Privacy Complaint in the Philippines is needed when a data subject believes their personal information rights under the Data Privacy Act (RA 10173) have been violated.

An NPC Privacy Complaint is needed when a person's personal information — name, address, ID numbers, financial data, or sensitive personal information — was collected, used, or disclosed without their consent and without a lawful basis under Section 13 of RA 10173, such as unauthorized sharing of customer data by a bank, telecoms company, or e-commerce platform.

An NPC Privacy Complaint is filed when a company experiences a personal data breach — unauthorized access, disclosure, or theft of personal information — and fails to notify the NPC within 72 hours or the affected data subjects within a reasonable period as required by Section 20 of RA 10173 and NPC Circular No. 16-03.

An NPC Privacy Complaint is needed when a data subject exercises their right to erasure or blocking under Section 17 of RA 10173 — requesting that a company delete their personal data that is no longer necessary for the purpose for which it was collected — and the company refuses or fails to comply within the required period.

An NPC Privacy Complaint is filed when an employer or former employer continues to process an employee's personal data (including sharing with background check agencies) after the employment relationship has ended and without the employee's consent, violating Section 11(c) of RA 10173 (data must not be kept longer than necessary).

An NPC Privacy Complaint is needed when a person receives unsolicited marketing messages after withdrawing consent for data processing under Section 16(d) of RA 10173, or when their contact information obtained in one context is used for an entirely different purpose without consent.

A complete NPC Privacy Complaint Form for the Philippines must include the following information to be processed by the National Privacy Commission under NPC Circular No. 2020-01.

Complainant's Identity: Full name, address, contact number, and email address of the data subject (complainant). Where the complainant is filing on behalf of another data subject (e.g., parent filing for a minor), state the representative's name and the legal basis for representation.

Respondent's Identity: The name and contact details of the Personal Information Controller (PIC) or Personal Information Processor (PIP) being complained against — typically a company, government agency, or individual that processes personal data. NPC-registered PICs have registration numbers. Include the respondent's registered address and, if known, the name of their Data Protection Officer (DPO).

Personal Data Involved: A description of the specific personal information or sensitive personal information affected — the category of data (e.g., financial records, health information, government IDs, biometric data), the volume affected (number of records), and how the complainant became aware that their data was involved.

Nature of the Violation: A specific description of the act or omission constituting the Data Privacy Act violation, citing the applicable section of RA 10173: unauthorized processing (Section 25); processing in violation of principles (Section 26); negligent disclosure (Section 27); improper disposal (Section 28); processing for unauthorized purpose (Section 29); or violation of data subject rights (Sections 16-19). State the date(s) the violation occurred.

Evidence: Supporting documents — copies of consent forms, data collection notices, privacy policy, correspondence with the respondent's DPO, screenshots of unauthorized data use, and any other evidence demonstrating the violation.

Prior Complaint to Respondent: Documentation showing that the complainant first raised the privacy concern with the respondent's DPO under Section 21 of RA 10173 before filing with the NPC — NPC Circular No. 2020-01 requires complainants to demonstrate prior exhaustion of internal remedies unless the respondent has no DPO or failed to respond within 15 days.

Relief Sought: The specific remedy requested — order to stop processing, deletion of data, notification to affected parties, administrative fine, or referral to DOJ for criminal prosecution under Sections 25-33 of RA 10173.

Additional compliance elements for a NPC Privacy Complaint Form (Philippines) used in Philippines include: Under Philippine law, the Civil Code of the Philippines (Republic Act No. 386) governs contractual obligations. The Revised Corporation Code (Republic Act No. 11232) regulates corporate entities through the Securities and Exchange Commission (SEC). The Labor Code of the Philippines (Presidential Decree No. 442) and Department of Labor and Employment (DOLE) govern employment matters. The Data Privacy Act of 2012 (Republic Act No. 10173) and the National Privacy Commission (NPC) protect personal data. The Bureau of Internal Revenue (BIR) administers tax obligations under the National Internal Revenue Code. Forms-legal.com provides this template as a starting point for Philippines-compliant documentation.