Salient Features of the Implementing Rules and Regulations of R.A.10173 or the Data Privacy Act of 2012

The Data Privacy Act of 2012 was enacted and signed into law by the late President Benigno Aquino Jr. It is in accordance with the policy of the State to protect the fundamental human right of privacy of communication while ensuring the free flow of information to promote innovation and growth.

However, it was only after four (4) years of effectivity of the aforesaid Act that the National Privacy Commission (NPC), pursuant to its mandate under the same, promulgated the Implementing Rules and Regulations (IRR). The IRR was also promulgated to provide guidelines for monitoring the compliance of the Philippines with international standards of data protection.

The IRR provides several features for the implementation and enforcement of the Act. Here are the salient features of the IRR:


Under the IRR, “Data subject” refers to an individual whose personal, sensitive personal, or privileged information is processed. Per the IRR, Data Subjects are entitled to the following rights, to wit:

  1. Right to be informed.
  2. Right to object.
  3. Right to Access. 
  4. Right to Rectification. 
  5. Right to Erasure or Blocking. 
  6. Right to damages. 


Under the IRR and NPC Advisory No. 2017-01, the Act ensures that the appointment of a Data Protection Officer (DPO) or Compliance Officer for Privacy (COP) is mandatory in an organization, to wit:

  1. Local Government Units (LGUs). 
  2. Government Agencies; and
  3. Private Sector. 

The Data Protection Officer or the Compliance Officer for Privacy shall be accountable for ensuring compliance with the appropriate data protection laws and regulations.


For the enforcement of the Act, the Commission requires all organizations to comply with the following:

  1. Registration of personal data processing systems operating in the Philippines that involve accessing or requiring sensitive personal information of at least one thousand (1,000) individuals, including the personal data processing systems of contractors, and their personnel, entering into contracts with government agencies;
  2. Notification of automated processing operations where the processing becomes the sole basis of making decisions that would significantly affect the data subject;
  3. Annual report of the summary of documented security incidents and personal data breaches; and
  4. Compliance with other requirements that may be provided in other issuances of the NPC.

Personal Information Controllers (PIC) or Personal Information Providers (PIP) that employ fewer than two hundred fifty (250) persons shall not be required to register unless the processing they carry out is likely to pose a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes sensitive personal information of at least one thousand (1,000) individuals.

The Data Privacy Act takes the approach that “The processing of personal data shall be allowed subject to adherence to the principles of transparency, legitimate purpose, and proportionality.” Truly, the Act is a 21st-century measure by the Government to address and solve 21st-century crimes and concerns.

Written by: Jaime Jurado II
