HomeLegal Glossary › RA 10173 — Data Privacy Act of 2012
Philippine Privacy Law

RA 10173 — Data Privacy Act of 2012

Republic Act No. 10173, the Data Privacy Act of 2012, protects personal data rights of Filipinos, establishes the National Privacy Commission, and imposes obligations on employers and organisations that collect and process personal data.

Legal Definition

Republic Act No. 10173, the Data Privacy Act of 2012 (DPA), is administered by the National Privacy Commission (NPC). It grants data subjects — individuals whose personal data is processed — the following rights: the right to be informed about data collection; the right to access their personal data; the right to object to processing; the right to correct inaccurate data; the right to have their data erased or blocked; and the right to damages for violations. Personal data includes any information that can identify a person, including name, address, biometrics, and online identifiers. Organisations (called personal information controllers or processors) that collect, store, or process personal data must: register with the NPC if processing sensitive personal information of at least 1,000 individuals; appoint a Data Protection Officer; implement reasonable security measures; obtain the data subject's consent (unless another lawful basis applies); and notify the NPC and affected individuals within 72 hours of a personal data breach. Employers have specific obligations: they may only collect employee data that is necessary for the employment relationship, must keep it secure, and cannot share it with third parties without consent or legal basis. Violations of the DPA carry criminal penalties (imprisonment of one to six years) and civil liability. Complaints can be filed with the NPC online at privacy.gov.ph.

📖 Constitutional / Statutory Basis: Republic Act No. 10173 (Data Privacy Act of 2012); Article III, Section 3 of the 1987 Philippine Constitution (privacy of communication and correspondence)

Practical Example

A Philippine BPO company shares its employees' home addresses and medical records with a third-party marketing firm without consent. An employee files a complaint with the National Privacy Commission. The NPC investigates, finds a violation, and recommends criminal charges against the company's responsible officers.

Frequently Asked Questions

How do I file a complaint with the National Privacy Commission in the Philippines?
File online at privacy.gov.ph or email the NPC at complaints@privacy.gov.ph. You can also visit the NPC office in Pasay City. First, try to resolve the issue directly with the organisation. If unresolved within 15 days, file an NPC complaint with supporting documents (correspondence, evidence of the violation). Filing is free.
Can my Philippine employer share my personal data with other companies without my consent?
No. Under the Data Privacy Act, employers may only process employee data for the purpose it was collected (the employment relationship). Sharing personal data with third parties requires the employee's consent or a legitimate legal basis. Unauthorised sharing is a DPA violation and can be reported to the NPC.
What is a Data Protection Officer (DPO) in the Philippines?
Organisations covered by the DPA must appoint a Data Protection Officer responsible for ensuring DPA compliance — handling data subject requests and complaints, overseeing data security, and liaising with the NPC. Employees can approach the DPO to exercise their data rights before escalating to the NPC.

Related Terms

RA 7394 — Consumer Act of the Philippines RA 11313 — Safe Spaces Act (Bawal Bastos Law) Labor Code of the Philippines (PD 442)

Know the law. Know what to say.

The Advocate covers Filipino law and Scripture — 389 real scenarios across 7 countries with exact rebuttals and law references. Free to start.

Explore Filipino Rights — Free
or get a free checklist