Data Protection in the Philippines

Breach notification in the Philippines

The personal information controller (PIC) is required to notify both the regulator, the National Privacy Commission (NPC), and the affected data subjects within seventy-two (72) hours of the PIC or its personal information processor (PIP) acquiring knowledge of, or forming a reasonable belief that, a personal data breach requiring notification has occurred.

A security incident is treated as a reportable personal data breach if Sensitive Personal Information, or any other information, has been (or is reasonably believed to have been) acquired by an unauthorized person, and both of the following hold:

  • such Personal Information may, under the circumstances, be used to enable identity fraud; and
  • the PIC or the NPC believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.

The notification shall at least describe the nature of the breach, the Sensitive Personal Information possibly involved, and the measures taken by the entity to address the breach. The notification shall also include the measures taken to reduce the harm or negative consequences of the breach, the name and contact details of the PIC's representatives from whom the data subject can obtain additional information about the breach, and any assistance to be provided to the affected data subjects.

Notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system. The NPC may also authorize postponement of notification where such notification may hinder the progress of a criminal investigation related to a serious breach.

There can be no delay in the notification if the breach involves at least one hundred (100) data subjects, or the disclosure of Sensitive Personal Information will harm or adversely affect the data subject. In either case, the Commission must be notified within the 72-hour period based on available information.

The full report of the personal data breach must be submitted within five (5) days of the initial notification, unless the PIC is granted additional time by the Commission to comply.

Notification is not required if the NPC determines:

  • that notification is unwarranted after taking into account compliance by the PIC with the Act and the existence of good faith in the acquisition of Personal Information; or
  • in the reasonable judgment of the NPC, such notification would not be in the public interest or in the interests of the affected data subjects.

In April 2022, the NPC launched the Data Breach Notification Management System (DBNMS), an interface that facilitates tracking and submission of personal data breach notifications and annual security incident reports.
