Data Privacy Act Compliance for Foreign Companies in the Philippines: A Senior Attorney's Guide to RA 10173, NPC Enforcement, and the 2025–2026 Regulatory Landscape
Introduction: Why This Guide Matters Now
The Data Privacy Act of 2012 (Republic Act No. 10173, hereinafter “RA 10173” or “the DPA”) has been in force for over a decade, but the period from late 2024 through mid-2026 has produced the most significant regulatory developments since the law’s implementing rules were promulgated in 2016. The National Privacy Commission (NPC), the agency tasked with administering and enforcing RA 10173, has issued a series of circulars and advisories that have materially expanded the scope of compliance obligations — particularly for foreign companies that collect, process, or store personal data of Philippine residents.
Three developments have fundamentally changed the compliance calculus for foreign investors and their counsel. First, NPC Advisory No. 2024-04, issued on December 19, 2024, extended the DPA’s reach to artificial intelligence systems, establishing that AI training, testing, and deployment activities are subject to the same privacy principles as traditional data processing. Second, NPC Advisory No. 2026-01, issued on April 13, 2026, imposed stringent new requirements on data scraping activities — restrictions that directly affect foreign companies that rely on automated data collection from Philippine sources, including those training AI models on Philippine personal data. Third, the SEC’s new Beneficial Ownership Disclosure Rules (effective January 1, 2026), which require disclosure of ultimate natural-person beneficial owners holding at least 20% of voting rights or capital in SEC-registered entities, create a new intersection between corporate transparency obligations and data privacy compliance that foreign investors have not fully appreciated.
This guide is written for foreign investors, multinational compliance officers, and their Philippine counsel who need a precise understanding of the legal obligations — not a marketing summary. Every citation herein is drawn from verifiable primary sources: Republic Act No. 10173 (lawphil.net), the NPC’s official circulars and advisories (privacy.gov.ph), SEC Memorandum Circular No. 15, Series of 2025 and SEC Memorandum Circular No. 8, Series of 2026, and the relevant implementing rules.
The analysis proceeds in ten parts: legal framework, scope and extraterritorial application, key definitions, PIC and PIP obligations, DPO registration, breach reporting, the new AI and data scraping advisory framework, the SEC beneficial ownership intersection, penalties and enforcement, and a compliance checklist for foreign companies.
Part I: Legal Framework — The Architecture of RA 10173
1.1 The Statute and Its Purpose
Republic Act No. 10173, entitled “An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for This Purpose a National Privacy Commission, and for Other Purposes,” was signed into law on August 15, 2012, and took effect on September 8, 2012. The law was enacted in response to the Philippines’ rapidly growing business process outsourcing (BPO) sector and the increasing volume of personal data being processed by both government and private entities. Its stated policy, articulated in Section 2, is to protect the fundamental human right to privacy of individuals while ensuring the free flow of information to promote innovation and growth.
RA 10173 is structurally organized into twelve titles covering: the declaration of policy; definitions; the scope of application; the national data privacy principles; the rights of data subjects; the role of the National Privacy Commission; the obligations of personal information controllers and processors; security obligations; the data breach notification framework; penalties; miscellaneous provisions; and implementing rules.
1.2 The Implementing Rules and Regulations (IRR)
The IRR of RA 10173 was promulgated on March 11, 2016, and became enforceable on September 9, 2016 — exactly four years after the statute’s effective date. The IRR fills in the procedural and substantive details that RA 10173 left to the NPC’s rulemaking authority, including the criteria for valid consent, the standards for organizational, physical, and technical security measures, the procedures for DPO registration, and the detailed framework for data breach notification and reporting.
The IRR is the document that practitioners reference most frequently in day-to-day compliance work, and foreign companies operating in the Philippines must treat it as equally binding as the parent statute. The NPC has issued numerous circulars and advisories since 2016 that supplement or modify specific provisions of the IRR; these include NPC Circular No. 2022-04 (DPO registration), NPC Circular No. 2023-04 (consent guidelines), NPC Circular No. 2023-06 (security requirements), NPC Advisory No. 2024-04 (AI systems), and NPC Advisory No. 2026-01 (data scraping), each analyzed in detail below.
1.3 The National Privacy Commission (NPC)
The NPC is an independent government body attached to the Department of Information and Communications Technology (DICT). Its mandates under RA 10173 include: administering and implementing the DPA; monitoring compliance; instituting investigations; receiving and resolving complaints; issuing compliance orders and enforcement notices; imposing administrative fines; recommending prosecution to the Department of Justice; and negotiating international data protection agreements with foreign counterparts.
The NPC’s enforcement powers are broad. It can issue cease and desist orders, impose temporary or permanent bans on personal data processing, award indemnity to data subjects who suffer injury due to privacy violations, and recommend criminal prosecution for DPA violations. For foreign companies subject to Philippine jurisdiction, the NPC is the primary regulatory interlocutor — and its enforcement activity has increased measurably since 2022.
Part II: Scope and Extraterritorial Application — Does RA 10173 Apply to Your Company?
2.1 Who Must Comply: The Basic Rule
RA 10173 applies to “personal information controllers” (PICs) and “personal information processors” (PIPs) who are:
- Entities incorporated or organized under Philippine law;
- Individuals or juridical entities unincorporated in the Philippines but carrying on activities in the Philippines;
- Entities not incorporated in the Philippines but using equipment located in the Philippines for processing personal data; or
- Entities not incorporated in the Philippines that have a link to the Philippines through contracts, branches, agencies, offices, or subsidiaries within Philippine territory.
The critical question for foreign investors is what constitutes a “link” to the Philippines sufficient to trigger DPA compliance. The IRR specifies that a link exists when the entity:
- Entered into a contract within Philippine territory;
- Maintains a branch, agency, office, or subsidiary in the Philippines;
- Uses equipment located in the Philippines for processing personal data;
- Is a juridical entity unincorporated in the Philippines but having central management and control in the country;
- Carries on business in the Philippines; or
- Collects or holds personal data in the Philippines.
For a foreign company that has incorporated a Philippine subsidiary, the subsidiary is a separate juridical entity that is unquestionably subject to RA 10173. But the foreign parent company itself may also be subject to the DPA if it processes personal data of Philippine residents — for example, if it receives HR data from its Philippine subsidiary, operates a customer-facing platform accessible in the Philippines, or uses cloud infrastructure physically located in the Philippines to process Philippine personal data.
2.2 The Extraterritorial Reach: Section 6 of RA 10173
Section 6 of RA 10173 is the provision that most directly concerns foreign companies that do not have a physical Philippine presence but nonetheless process data of Philippine residents. The section provides that the DPA applies to the processing of personal data of Philippine citizens or residents, regardless of where the data subject is located or where the data is processed, if the processing is done by:
- An entity organized under Philippine law;
- An entity not organized under Philippine law but engaged in the processing of personal data in the Philippines or using means in the Philippines; or
- An entity not organized under Philippine law but that processes personal data of Philippine residents where the processing is related to the entity’s activities in the Philippines.
This language is broad enough to capture a foreign e-commerce company whose platform is accessed by Philippine residents, a foreign SaaS provider whose servers process data submitted by Philippine users, or a foreign employer whose Philippine-based employees submit personal data to a global HR system hosted outside the Philippines. In each case, the extraterritorial application depends on whether the processing relates to the entity’s activities in the Philippines — a factual determination that requires careful legal analysis.
2.3 The BPO Exception: Processing Data of Foreign Nationals
The DPA contains an important exception for data collected from residents of foreign jurisdictions and processed in the Philippines — for example, call center data processed on behalf of US or UK clients. Under Section 4(c) of the IRR, the DPA does not apply to personal data originally collected from residents of foreign jurisdictions that is being processed in the Philippines, provided that the collection was made in accordance with the data privacy laws of the data subject’s country of residence.
This exception is critical for the BPO sector and for foreign companies that have established Philippine operations for data processing services. However, the exception does not apply if the processing involves personal data of Philippine residents, even if the client is a foreign entity. The exception is narrowly construed and requires affirmative proof that the data subject’s home jurisdiction’s data privacy laws were followed at the point of collection.
Part III: Key Definitions — PICs, PIPs, Personal Information, and Sensitive Personal Information
3.1 Personal Information Controller (PIC)
A Personal Information Controller (PIC) is defined under Section 3(g) of RA 10173 as a natural or juridical person, or any other body, who controls the collection, holding, processing, or use of personal information, or who instructs another entity to do so on their behalf. A PIC has direct accountability for the personal information under its control and bears the primary compliance obligations under the DPA.
For a foreign company that has established a Philippine subsidiary, the subsidiary is the PIC for personal data collected in the Philippines. However, if the foreign parent company instructs the subsidiary to process personal data in a particular way, the parent may also be treated as indirectly controlling the processing — and may thus bear parallel obligations.
3.2 Personal Information Processor (PIP)
A Personal Information Processor (PIP) is defined as a natural or juridical person, or any other body, to whom a PIC entrusts the processing of personal information. PIPs have independent compliance obligations under the DPA, particularly with respect to security measures and breach reporting. The PIP is accountable to the PIC under their data processing agreement, but the NPC can direct enforcement actions against the PIP directly.
The distinction between PIC and PIP matters because the compliance obligations flow differently. The PIC is primarily responsible for ensuring that processing is lawful, for establishing the lawful basis for processing, and for maintaining the data subject’s rights. The PIP must comply with the PIC’s instructions and implement security measures appropriate to the risk, but it does not bear the primary accountability for the lawfulness of the processing itself.
3.3 Personal Information vs. Sensitive Personal Information
RA 10173 draws a critical distinction between personal information and sensitive personal information (SPI). This distinction determines which processing activities require heightened consent, which security standards apply, and what penalties attach to unauthorized processing.
Personal information is defined under Section 3(j) of RA 10173 as any information from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual. This is a broad definition that captures names, addresses, contact information, employee numbers, financial data, and many other categories of information.
Sensitive personal information (SPI) is defined under Section 3(l) of RA 10173 as personal information:
- About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical, or political affiliations;
- About an individual’s health, education, genetic or sexual life, or any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
- Issued by government agencies peculiar to an individual, such as social security numbers, previous or current health records, licenses (including denials, suspension, or revocation), and tax returns;
- Specifically declared by an executive order or an act of Congress as classified.
SPI is afforded heightened protection under the DPA. Processing of SPI is generally prohibited unless one of the enumerated exceptions applies — including the data subject’s consent, necessity for medical treatment, protection of public health or safety, or compliance with a legal obligation. For foreign companies with Philippine employees, SPI includes health records (which implicate HMO and PhilHealth data), biometric data used for timekeeping or access control, and — critically for certain industries — any data related to labor union membership (though proposed amendments to include labor affiliation as SPI under HB 898 have not yet been enacted as of May 2026).
Part IV: The National Data Privacy Principles
4.1 The Seven Principles
RA 10173 codifies seven data privacy principles that govern all personal data processing by PICs and PIPs operating in or affecting Philippine data subjects:
- General Data Privacy Principle (Section 11): Personal information must be processed lawfully, fairly, and in a non-discriminatory manner. Processing must be with the consent of the data subject, subject to certain exceptions enumerated in the law.
- Purpose Limitation Principle (Section 11): Personal information must be collected for a specified, legitimate, and declared purpose. It may not be processed for purposes incompatible with the declared purpose.
- Transparency Principle (Section 11): The data subject must be aware of the nature, purpose, and extent of processing. PICs must publish a privacy notice that clearly articulates what data is collected, why it is collected, how it is used, and with whom it is shared.
- Data Minimization Principle (Section 11): Only personal information that is necessary and compatible with the declared purpose should be collected and processed. Collection must be adequate, sufficient, and not excessive.
- Legitimate Purpose and Proportionality Principle (Section 11): The processing operation must be proportionate to the declared purpose. The means used must be necessary and not disproportionate to the processing goal.
- Data Retention Principle (Section 11): Personal information must not be retained indefinitely. It must be retained only for as long as necessary for the declared purpose, after which it must be disposed of securely.
- Accountability Principle (Section 11): The PIC is accountable for complying with these principles. It must be able to demonstrate compliance to the NPC upon request.
4.2 Lawful Basis for Processing
The IRR of RA 10173 (specifically Rule 9) identifies the lawful bases for processing personal information. For most commercial contexts involving foreign companies and Philippine data subjects, the relevant lawful bases are:
- Consent: The data subject voluntarily agrees to the processing after being informed of the purpose. Consent must be: specific (granular to the processing purpose), informed (the data subject knows what they are agreeing to), freely given (not coerced or unduly pressured), and documented. Under NPC Circular No. 2023-04, consent must be an affirmative action — pre-ticked boxes or implied consent are not sufficient.
- Contract: Processing is necessary to perform obligations under a contract to which the data subject is a party — for example, processing employee payroll data under an employment contract.
- Legal Obligation: Processing is necessary to comply with a legal obligation — for example, reporting taxable income to the BIR.
- Legitimate Interests: Processing is necessary for the PIC’s legitimate interests, provided those interests are not overridden by the data subject’s fundamental rights and freedoms. This basis is narrowly construed and requires a balancing test.
For SPI, the lawful bases are more restricted. Consent must be explicit, and certain categories of SPI (health, genetic, sexual life) have additional requirements.
Part V: Data Protection Officer (DPO) Registration — Who Must Register and How
5.1 Mandatory Registration Criteria
Under NPC Circular No. 2022-04 (effective January 11, 2023), Personal Information Controllers and Personal Information Processors must register their Data Protection Officer (DPO) and Data Processing Systems (DPS) with the NPC if they meet any of the following criteria:
- The organization employs at least 250 individuals;
- The organization processes the sensitive personal information of at least 1,000 individuals; or
- The processing of personal data is likely to pose a risk to the rights and freedoms of data subjects.
Organizations that do not meet these thresholds are not required to register but must submit a sworn declaration to the NPC attesting to their non-applicability.
5.2 DPO Requirements and Qualifications
The DPO is the individual designated by the PIC or PIP as the primary point of contact for NPC compliance and data subject rights matters. Under NPC Circular No. 2022-04, the DPO must:
- Possess specialized knowledge in data privacy — typically demonstrated through formal training or certification in data protection;
- Be formally appointed via a Board Resolution or Secretary’s Certificate, which serves as the legal basis for the DPO’s authority within the organization;
- Be an organic employee of the corporation (though external DPOs are permissible under certain conditions, subject to contractual requirements — no exclusivity, minimum two-year contract term);
- Hold a position that allows independent judgment without a conflict of interest;
- Have their designation, postal address, dedicated telephone number, and email address published on the company’s website, privacy notice, privacy policy, and privacy manual.
The DPO’s independence requirement is critical. The NPC has found that designating a DPO who reports to a superior whose activities are subject to the DPO’s review creates an unacceptable conflict. In practice, many Philippine companies designate their Chief Privacy Officer or Head of Legal/Compliance as DPO, provided those individuals have the requisite specialized knowledge.
5.3 DPO Registration Process
The registration process is conducted through the NPC Registration System (NPCRS) and proceeds as follows:
- Account Creation: The DPO or authorized representative creates an NPCRS account, providing the DPO’s name, contact details, and a unique, dedicated official DPO email address (e.g., dataprotection@company.com.ph — personal email addresses are not accepted).
- Registration Proper: The organization encodes its details, including the name and contact of the Head of Organization, and details of all Data Processing Systems.
- Document Upload and Notarization: Prescribed supporting documents are uploaded. The NPCRS automatically generates a DPO Form (PDF), which must be printed, signed by both the DPO and the Head of Organization, notarized, scanned, and re-uploaded.
- NPC Review and Validation: The NPC reviews the submission. If deficiencies are found, the organization has a five-day window to rectify them.
- Payment and Certificate Issuance: Once validated, the status changes to “For Payment.” After payment of the registration fee, the Certificate of Registration and NPC Seal of Registration can be downloaded.
Critical timing rule: The DPO must be registered with the NPC within 20 days of appointment. The registration is valid for one year and must be renewed 30 days before expiration.
5.4 DPO Registration for Foreign Companies
Foreign companies that have incorporated Philippine subsidiaries must treat DPO registration as a mandatory compliance obligation if the subsidiary meets the registration thresholds. For foreign companies that do not have a Philippine subsidiary but whose activities create a “link” to the Philippines under RA 10173 Section 6 and the IRR, the question of DPO registration depends on whether the NPC would regard the entity as a PIC subject to Philippine jurisdiction. In practice, the NPC expects foreign companies that actively target the Philippine market (through a website, app, or commercial activity directed at Philippine residents) to designate a DPO and register with the NPC.
The NPC has confirmed that foreign, external third-party DPOs are permissible under Philippine law. A foreign company can appoint a third-party DPO (a professional services firm, a specialized DPO-as-a-service provider, or an individual contractor) provided: (1) the contract has a minimum term of two years; (2) the contract does not contain an exclusivity clause that would prevent the PIC from engaging other DPOs if needed; and (3) the DPO has a dedicated Philippine contact number and postal address.
Part VI: The Data Breach Notification Framework — 72 Hours and Counting
6.1 What Constitutes a Reportable Data Breach
Under RA 10173 and its IRR, a personal data breach is a security incident in which sensitive personal information or other information that could enable identity fraud has been acquired by an unauthorized person, and there is a reasonable belief that it may cause serious harm to the data subjects. The breach notification obligation is triggered not by the mere occurrence of a security incident, but by a breach that meets these criteria.
A security incident (such as a system intrusion or unauthorized access attempt) that does not result in the acquisition of sensitive personal information or identity-enabling data may not constitute a reportable data breach — but it must still be documented in the organization’s Annual Security Incident Report (ASIR). This distinction is important: the ASIR covers all security incidents, while the 72-hour breach notification obligation covers only qualifying breaches.
6.2 The 72-Hour Notification Rule
The core breach reporting obligation under RA 10173 requires PICs and PIPs to notify the NPC and affected data subjects within 72 hours upon knowledge or reasonable belief that a reportable data breach has occurred. This is one of the most demanding compliance timelines in Philippine data protection law — and one that has proven operationally challenging for organizations that do not have robust incident detection and response procedures.
The notification to the NPC must include:
- The nature of the breach — what happened, how it occurred (to the extent known);
- The categories and approximate number of data subjects affected;
- The categories and approximate volume of personal data compromised;
- The likely consequences of the breach; and
- The measures taken or proposed to address the breach and mitigate its effects.
The notification to affected data subjects must inform them of:
- The nature of the breach and what data was affected;
- The likely consequences; and
- The corrective measures being implemented.
No delay is permitted when the breach involves at least 100 data subjects or involves sensitive personal information likely to cause harm. However, an extension may be requested from the NPC if necessary to determine the scope of the breach, prevent further unauthorized disclosures, or restore system integrity.
6.3 Full Report — Within Five Days
A full report must be submitted to the NPC within five days from the initial notification, unless the NPC grants an extension. The full report provides the detailed technical analysis of the breach, including the root cause, the systems affected, the data exfiltrated, and the remediation measures implemented. Organizations should not treat the five-day deadline as a target — it is a hard deadline, and failure to submit a timely full report exposes the organization to enforcement action even if the initial 72-hour notification was complete.
6.4 Annual Security Incident Report (ASIR)
The ASIR is a comprehensive report of all security incidents and personal data breaches — including those that did not rise to the level of reportable data breaches — that occurred during the covered period. The 2025 ASIR was due on March 31, 2026. Critically, failure to submit the ASIR creates a presumption that no security incident or personal data breach occurred during the covered period — a presumption that could be damaging if the NPC later discovers evidence of an unreported breach.
The ASIR must be submitted by all registered PICs and PIPs, as well as by organizations that are not required to register but that have experienced security incidents during the year. The submission is made through the NPCRS.
Part VII: The 2025–2026 Regulatory Developments — AI Systems and Data Scraping
7.1 NPC Advisory No. 2024-04: AI Systems and the DPA
On December 19, 2024, the NPC issued Advisory No. 2024-04, titled “Guidelines on the Adoption of Artificial Intelligence (AI) Systems for the Protection of Personal Data in the Philippines.” This advisory, the first of its kind from the NPC, clarifies that the DPA and its IRR apply to AI systems throughout their entire lifecycle — including training, testing, and deployment.
For foreign companies operating AI-powered platforms or services in the Philippines, this advisory has several significant implications:
Privacy Principles Apply to AI: AI systems must comply with the same data privacy principles — transparency, accountability, fairness, accuracy, data minimization — as traditional data processing operations. This means that deploying an AI system that makes decisions about Philippine residents (hiring, lending, service denial) requires the same lawful basis, transparency disclosure, and accountability framework as any other processing operation.
Transparency Obligations for AI: PICs must clearly inform data subjects about:
- The purpose, scope, nature, and scale of AI processing;
- The potential risks and expected outputs of the AI system;
- The mechanisms available to challenge AI decisions; and
- The identity and contact details of the AI system’s operator.
Data Subject Rights Apply to AI: Data subjects retain their rights — including the right to object, correct, or erase their personal data — even when that data has been incorporated into AI training datasets. Organizations must implement effective mechanisms for data subjects to exercise these rights in the AI context.
Fairness and Bias Mitigation: PICs must implement measures to identify, monitor, and limit systemic, human, and statistical biases in AI systems to ensure fair outputs. The NPC explicitly warns against “AI Washing” — the practice of falsely claiming AI capabilities or compliance that do not exist.
Human Oversight for High-Impact Decisions: Automated decisions that significantly impact individuals — such as AI-driven recruitment screening, credit scoring, or service denial — must be reviewable by a human before taking effect. A purely automated decision with no human review pathway is likely non-compliant.
Privacy Impact Assessments (PIAs) for AI: The advisory strongly encourages — and in practice requires for high-risk AI applications — the conduct of a Privacy Impact Assessment (PIA) specifically for AI systems. NPC Circular No. 2023-06 (discussed below) mandates PIAs for every processing system and is the regulatory basis for this requirement.
7.2 NPC Advisory No. 2026-01: Data Scraping and Publicly Available Personal Data
On April 13, 2026, the NPC issued Advisory No. 2026-01, providing guidelines on the scraping of publicly available personal data. The advisory’s core message is unambiguous: the public availability of personal data does not equate to blanket consent for its use, and data scraping is a form of personal data processing under the DPA.
For foreign companies engaged in market research, talent acquisition, competitive intelligence, or AI training that involves scraping data from Philippine sources (websites, public databases, social media), this advisory creates immediate compliance obligations:
Lawful Basis Required: Organizations scraping publicly available personal data must establish a valid lawful basis for the processing. Public availability alone is not sufficient.
Purpose Limitation: Scraped data may only be used for the specific, legitimate purpose declared at the time of collection. Using scraped data for secondary purposes — for example, training a commercial AI model beyond the declared research purpose — requires separate consent or another valid lawful basis.
Transparency and Notice: PICs who scrape publicly available personal data must inform data subjects about the scraping activity — either beforehand or at the earliest practical opportunity. This obligation is particularly acute for organizations that scrape social media or other platforms where data subjects have a reasonable expectation that their publicly posted information may be accessed.
Data Minimization: Scraped data collection must be proportionate and not excessive. Only data strictly necessary for the declared purpose should be collected.
PIA Requirement: PICs conducting data scraping must conduct a Privacy Impact Assessment covering the scraping activity.
Sensitive Personal Information: Scraping sensitive personal information — including health data, biometric data, financial data, or any of the SPI categories under RA 10173 Section 3(l) — is generally prohibited under the advisory, unless strict conditions are met (valid lawful basis, enhanced security measures, and compelling justification).
Heightened Scrutiny for Vulnerable Populations: Scraping data involving minors, elderly persons, or persons with disabilities receives heightened scrutiny and is subject to additional safeguards.
Unauthorized Practices: The advisory explicitly states that bypassing website safeguards, using deceptive techniques, or violating platform terms of service constitutes unauthorized processing and may lead to civil, criminal, or administrative liability. The NPC’s position is that terms of service restrictions on scraping are legally relevant to the lawfulness of the scraping activity.
For foreign AI companies that have been training models on data scraped from Philippine websites or databases, this advisory is a significant compliance wake-up call. The NPC has drawn a clear line: scraping publicly available data is processing under the DPA, requires a lawful basis, and must comply with all applicable data privacy principles.
7.3 NPC Circular No. 2023-06: Minimum Security Requirements
NPC Circular No. 2023-06, which had a compliance deadline of March 30, 2025, updated the minimum security requirements for personal data in both government and private sectors. The circular mandates:
- Privacy Impact Assessments (PIAs): Required for every processing system — including new AI systems, data scraping operations, and HR data processing platforms.
- Data Protection Control Framework: PICs must implement an organizational, physical, and technical control framework consistent with internationally recognized standards (ISO 27001 is the reference standard most commonly cited).
- Privacy by Design: Privacy considerations must be embedded into system design and development from the earliest stage — not retrofitted after a system is deployed.
For foreign companies with Philippine operations, the March 30, 2025 deadline for Circular No. 2023-06 compliance means that any organization not yet compliant is operating in violation of an NPC directive. The NPC has been progressively increasing enforcement activity on security standards, and non-compliance with Circular No. 2023-06 is a significant regulatory risk.
Part VIII: The SEC Beneficial Ownership Disclosure Rules — A New Intersection with RA 10173
8.1 SEC Memorandum Circular No. 15, Series of 2025 and No. 8, Series of 2026
Effective January 1, 2026, the Securities and Exchange Commission (SEC) of the Philippines implemented new Beneficial Ownership Disclosure Rules under SEC Memorandum Circular No. 15, Series of 2025, further elaborated by SEC Memorandum Circular No. 8, Series of 2026 (Rules of Procedure). These rules require all SEC-registered corporations — including foreign corporations licensed to do business in the Philippines — to disclose their beneficial owners to the SEC through the Hierarchical and Applicable Relations and Beneficial Ownership Registry (HARBOR), the SEC’s new web-based registry.
Key requirements for foreign companies:
- A beneficial owner is defined as any natural person who directly or indirectly owns at least 20% of the voting rights, shares, or capital of the reporting entity.
- If no natural person meets the 20% ownership threshold, any natural person exercising effective control at any level of the ownership chain must be identified.
- The disclosure must include: full legal name, any former or alias names, nationality, residential address, date of birth, government-issued identification number (TIN, passport number), nature and extent of beneficial interest, date beneficial ownership was acquired, and whether the person is a politically exposed person (PEP).
- Any change in beneficial ownership must be reported to the SEC within seven calendar days of such change.
8.2 The Intersection with RA 10173
For foreign companies that are also PICs under RA 10173, the beneficial ownership disclosure requirements create a new compliance consideration: the personal data collected for HARBOR filings — names, birthdates, addresses, government ID numbers — is itself personal data that must be processed in compliance with the DPA.
The SEC’s new rules require companies to ensure their data processing agreements, privacy notices, and internal data retention policies cover the collection and storage of beneficial ownership information. The personal data of beneficial owners (who are often foreign nationals themselves) will be stored in a government registry and may be accessed by regulatory authorities — which raises questions about whether consent is the appropriate lawful basis for this processing, or whether the legal obligation exception applies.
For foreign companies whose beneficial owners include non-Filipino nationals, additional cross-border transfer considerations arise under the DPA: transferring beneficial ownership personal data from the Philippine company to a foreign parent or holding company requires a valid lawful basis for the cross-border transfer, and the Philippine company must ensure the foreign recipient maintains a comparable level of data protection.
8.3 Penalties for Non-Compliance
The SEC beneficial ownership rules impose significant penalties for non-compliance, false declarations, and failure to exercise due diligence:
- Fines of up to PHP 2 million;
- Possible dissolution of the company;
- Disqualification of responsible directors and officers for up to five years; and
- Liability for resident agents and country/regional heads of foreign corporations for failing to exercise due diligence in verifying beneficial ownership information.
For foreign corporations, the resident agent — a Philippine individual or entity mandated under the Revised Corporation Code to accept legal documents on the foreign corporation’s behalf — is directly exposed to liability for failing to exercise due diligence. Foreign investors should ensure their resident agents are properly briefed on the beneficial ownership disclosure obligations and have systems in place to collect and verify the required information from ultimate beneficial owners.
Part IX: Penalties and Enforcement — What Is at Stake
9.1 Administrative Fines
The NPC imposes administrative fines calculated on the basis of the offending entity’s annual gross income from the immediately preceding year when the infraction occurred. The fine structure is tiered:
- Grave infractions (affecting more than 1,000 data subjects; serious violations of privacy principles or data subject rights): 0.5% to 3% of annual gross income.
- Major infractions (affecting 1,000 data subjects or fewer): 0.25% to 2% of annual gross income.
- Other infractions (failing to register true identity or contact details): up to PHP 200,000 per violation.
- Maximum cap: Regardless of the percentage-based calculation, the total administrative fine for a single act or omission is capped at PHP 5 million (approximately USD 100,000).
For a foreign company with significant Philippine revenues, the percentage-based fines can be substantial. A company with PHP 1 billion in annual Philippine gross income that commits a grave infraction affecting more than 1,000 data subjects faces a potential fine of PHP 5 million to PHP 30 million — even before the PHP 5 million cap is applied.
9.2 Criminal Penalties
Certain DPA violations carry criminal penalties, prosecuted by the Department of Justice upon NPC recommendation:
- Failure to notify the NPC or affected data subjects of a personal data breach: Imprisonment of one year and six months to five years and fines of PHP 500,000 to PHP 1,000,000.
- Unauthorized access to personal information: Imprisonment of one to three years and fines of PHP 500,000 to PHP 2,000,000.
- Unauthorized access to sensitive personal information: Imprisonment of three to six years and fines of PHP 500,000 to PHP 4,000,000.
If a criminal act is committed by a corporation, partnership, or any juridical person, the responsible officers whose gross negligence resulted in the crime may be personally prosecuted. For foreign companies with Philippine subsidiaries, this means that the President, Compliance Officer, or DPO who was grossly negligent in allowing a data breach to occur or in failing to notify the NPC can face personal criminal liability — not just the corporate entity.
9.3 Discretionary Penalties and Enforcement Trends
Beyond fines and criminal penalties, the NPC can issue:
- Cease and desist orders prohibiting specific data processing activities;
- Temporary or permanent bans on personal data processing deemed detrimental to national security, public interest, or data subjects’ rights;
- Indemnity awards to data subjects who suffer injury due to privacy violations.
The NPC’s enforcement activity has increased significantly from 2022 through 2026. As of May 2026, the Commission has handled a growing volume of complaints, conducted market studies on high-risk sectors (digital markets, logistics, pharmaceuticals), and initiated suo motu investigations of companies suspected of non-compliance. Foreign companies operating in the Philippines can no longer treat RA 10173 compliance as a peripheral concern — it is a core legal and regulatory obligation with real enforcement consequences.
Part X: Compliance Checklist for Foreign Companies
Foreign companies operating or investing in the Philippines should work through the following compliance checklist, prioritized by urgency:
Immediate (within 30 days):
- Determine whether your Philippine activities create a “link” to the Philippines sufficient to trigger DPA obligations as a PIC or PIP.
- Identify all personal data and SPI in your Philippine operations — employee records, customer data, beneficial ownership data, HR data, payment data, biometric access data.
- Confirm whether your company meets the DPO registration thresholds (250+ employees, SPI of 1,000+ individuals, or likely risk to data subject rights).
- If you have not yet registered your DPO and DPS with the NPC, engage Philippine data privacy counsel and begin the registration process immediately — the 20-day registration deadline runs from the date of the DPO’s appointment.
- Review your data breach response plan. Confirm that your incident detection capabilities can identify a qualifying data breach within a timeframe that allows you to meet the 72-hour NPC notification deadline.
Short-term (within 90 days):
- Audit all AI systems deployed in or affecting Philippine operations for DPA compliance: lawful basis, transparency disclosures, human review for high-impact decisions, bias mitigation measures, PIA completion.
- Audit all data scraping activities for NPC Advisory No. 2026-01 compliance: establish lawful basis, review purpose limitation, implement transparency notices, confirm data minimization, conduct PIA.
- Update privacy notices and policies to reflect the expanded DPA obligations, including the AI and data scraping requirements.
- Ensure data processing agreements with third-party PIPs (cloud providers, payroll processors, IT vendors) include adequate data protection clauses and breach notification obligations.
- Submit the ASIR if not yet filed (the 2025 ASIR was due March 31, 2026 — file immediately with an explanation for late filing if applicable).
Ongoing:
- Monitor proposed amendments to RA 10173 (House Bill Nos. 892 and 898), which if enacted will expand the definition of sensitive personal information to include biometric and genetic data and labor affiliation, and will increase criminal penalties. Track NPC circulars and advisories for new guidance.
- Review SEC beneficial ownership disclosure compliance — confirm HARBOR registration, update within 7 days of any change in beneficial ownership, ensure the personal data processing for beneficial ownership disclosure is covered by your privacy policy.
- Conduct annual DPO registration renewal and update DPS registrations when new data processing systems are deployed.
Conclusion: Privacy as a Strategic Investment, Not a Compliance Burden
For foreign investors and their Philippine counsel, the central message of this guide is straightforward: the Data Privacy Act of 2012 is no longer a peripheral compliance concern to be addressed after establishing operations. It is a fundamental legal framework that shapes how foreign companies collect, process, store, and transfer personal data in the Philippines — and the penalties for getting it wrong are real and escalating.
The regulatory trajectory is clear. The NPC has issued a series of significant advisories in 2024 and 2026 that reflect a maturing regulatory posture — one that is expanding its reach into AI systems and data scraping, tightening the requirements for DPO registration, and imposing increasingly specific obligations on how personal data must be secured and how breaches must be reported. The SEC’s beneficial ownership disclosure rules create an additional layer of compliance that intersects with data privacy obligations in ways that many foreign companies have not yet fully addressed.
The foreign companies that will navigate this environment successfully are those that treat data privacy as a strategic investment — one that protects their Philippine operations from enforcement risk, builds trust with Philippine customers and employees, and positions them as responsible corporate citizens in a regulatory environment that rewards compliance and penalizes negligence. The foreign companies that treat it as a box-checking exercise — the bare minimum required to avoid penalty — will find themselves repeatedly behind the regulatory curve, responding to new circulars and advisories after the compliance deadlines have passed.
The lawyers at Tungol & Tan are available to advise foreign companies on DPO registration, data breach response planning, AI system privacy compliance, data scraping risk assessments, and the full range of data privacy matters affecting foreign investors in the Philippines.
This article is for general informational purposes only and does not constitute legal advice. The Data Privacy Act of 2012 (Republic Act No. 10173), its Implementing Rules and Regulations, and the NPC circulars and advisories referenced herein are subject to change. Foreign companies operating or considering investment in the Philippines should consult a qualified Philippine-licensed attorney with expertise in data privacy law for advice tailored to their specific circumstances.
Primary Sources Referenced:
- Republic Act No. 10173 (Data Privacy Act of 2012) — lawphil.net/statutes/repacts/ra2012/ra_10173_2012.html
- IRR of RA 10173 — privacy.gov.ph
- NPC Circular No. 2022-04 (DPO Registration) — privacy.gov.ph
- NPC Circular No. 2023-04 (Consent Guidelines) — privacy.gov.ph
- NPC Circular No. 2023-06 (Minimum Security Requirements) — privacy.gov.ph
- NPC Advisory No. 2024-04 (AI Systems) — privacy.gov.ph/wp-content/uploads/2025/02/Advisory-2024.12.19-Guidelines-on-Artificial-Intelligence-w-SGD.pdf
- NPC Advisory No. 2026-01 (Data Scraping) — privacy.gov.ph/wp-content/uploads/2026/04/SGD_A_1.pdf
- SEC Memorandum Circular No. 15, Series of 2025 (Beneficial Ownership Disclosure Rules) — sec.gov.ph
- SEC Memorandum Circular No. 8, Series of 2026 (Rules of Procedure for Beneficial Ownership) — sec.gov.ph
- NPC Annual Security Incident Report requirements — privacy.gov.ph