Published 29 December 2023, The Daily Tribune

While we have expounded on legal remedies for end-users or data subjects in case of a breach of their personal information, we shall also discuss the registration and compliance duties of corporations and organizations as personal information controllers under Republic Act 10173 or the Data Privacy Act of 2012.

As defined under the Data Privacy Act, PIC refers to those persons or entities who control the collection, holding, processing, or use of personal information, including those entities to which they outsource such activities on their behalf. The term, however, excludes those who perform such functions as instructed by another person or organization and those who perform such functions relevant to their own personal, family, or household affairs.

To start, PICs are required to designate their own data privacy officer, or DPO. Such appointment is also mandated under the National Privacy Commission, or NPC, Advisory No. 2017-01 dated 14 March 2017.

The DPO shall be accountable for ensuring compliance with the provisions of the Data Privacy Act, its Implementing Rules and Regulations, issuances of the NPC, and other applicable laws and regulations relating to privacy and data protection.

Under NPC Advisory No. 2017-01, the DPO must possess specialized knowledge necessary for such duties and responsibilities, preferably expertise in privacy or data protection practices and an understanding of data security systems.

The designation must be reported to the NPC by submitting a registration form and other relevant documents.

In addition, the companies or organizations must produce a Privacy Manual to inform and guide their personnel of its measures and to ensure compliance with the law and other issuances of NPC.

To monitor such measures, a thorough checking of the system is essential. Under NPC Advisory No. 2017-03, dated 31 July 2017, a privacy impact assessment aids corporations or organizations in navigating the processing of the personal data flowing into its system, identifying the various privacy risks, and seeking measures to address such issues.

In conducting this privacy impact assessment, which may be done on the recommendation of the DPO, a guide was provided by the NPC on its official website. It is within the discretion of the PIC to allow the DPO to actively participate in the assessment or to simply consult them based on the assessment results.

Lastly, in case of a security incident that may affect or compromise the integrity or confidentiality of data or may result in a personal data breach, this must be recorded and submitted to NPC through the Annual Security Incident Report.

The summary of security incidents and personal data breaches are to be documented, indicating the particular calendar year. The same must also be categorized by the type of security incident, or by the application of breach notification obligations, i.e., mandatory and voluntary notification, as classified in NPC Circular 16-03. The reports must be submitted through the Data Breach Notification Management System launched in 2022. The PICs must have an account with this system.

For more of Dean Nilo Divina’s legal tidbits, please visit For comments and questions, please send an email to