Data Privacy Notice And Consent Form Template for the Philippines

What is a Data Privacy Notice And Consent Form?

The Data Privacy Notice And Consent Form is a crucial document required under Philippine data protection law, specifically the Data Privacy Act of 2012 (RA 10173). Organizations must provide this document whenever they collect personal information from individuals (data subjects). The document serves dual purposes: it ensures transparency by informing individuals about how their personal data will be handled, and it obtains their explicit consent for such processing activities. This form should be used at the point of data collection, whether during employee onboarding, customer registration, or any other instance where personal information is gathered. It must contain specific disclosures required by law, including the types of data collected, purposes of processing, data subject rights, and security measures implemented. Regular updates may be necessary to reflect changes in data processing activities or regulatory requirements.

Frequently Asked Questions

Is a Data Privacy Notice and Consent Form legally required in the Philippines?

Yes, under the Data Privacy Act of 2012 (RA 10173), organizations must provide a privacy notice and obtain consent when collecting personal information. The National Privacy Commission can impose penalties ranging from PHP 500,000 to PHP 5,000,000 for non-compliance. This requirement applies to all entities processing personal data of Filipino citizens or residents.

Can my business be fined if our Data Privacy Notice is incomplete or missing?

Yes, the National Privacy Commission can impose administrative fines from PHP 500,000 to PHP 5,000,000 for violations of the Data Privacy Act. Incomplete notices that fail to disclose processing purposes, data retention periods, or third-party sharing can result in penalties. Criminal liability may also apply for malicious disclosure or unauthorized processing.

How long should personal data be retained according to Philippine privacy law?

Under RA 10173, personal data must only be retained as long as necessary for the declared purpose or as required by law. Your Data Privacy Notice must specify the exact retention period for each type of data collected. The National Privacy Commission requires organizations to have clear data disposal procedures once the retention period expires.

How is a Data Privacy Notice different from a Data Processing Agreement in the Philippines?

A Data Privacy Notice informs data subjects about how their personal information will be processed and obtains their consent. A Data Processing Agreement is a contract between a data controller and processor that governs how personal data is handled on behalf of the controller. Both are required under different circumstances under RA 10173.

How long does it typically take to prepare a compliant Data Privacy Notice in the Philippines?

Creating a compliant Data Privacy Notice usually takes 2-4 weeks depending on your organization's complexity and data processing activities. This includes reviewing your data flows, consulting with legal counsel or a DPO, drafting the notice according to NPC guidelines, and conducting internal reviews. Rush implementations may take 1-2 weeks but increase compliance risks.

Can I use generic consent language in my Data Privacy Notice for Philippines compliance?

No, the National Privacy Commission requires consent to be specific, informed, and freely given. Generic or blanket consent statements violate RA 10173 requirements. Your notice must clearly specify each processing purpose, type of data collected, retention periods, and third-party sharing arrangements. Consent must be obtained separately for each distinct purpose.

Must my Data Privacy Notice include contact information for data subject rights in the Philippines?

Yes, under RA 10173, your notice must include clear instructions on how data subjects can exercise their rights to access, correct, delete, or port their data. You must provide specific contact details for your Data Protection Officer or designated privacy contact. The notice should also explain the process and timeframes for handling data subject requests as required by the National Privacy Commission.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

Philippines

Publisher

GenieAI

Sector

Business

Cost

Free to use

Last updated

About the Data Privacy Notice And Consent Form

A Data Privacy Notice And Consent Form is your organization's legal shield and transparency tool under Philippine data protection law. This document serves the dual purpose of informing individuals about your data processing activities while obtaining their explicit consent, as required by Republic Act No. 10173, the Data Privacy Act of 2012.

When do you need this document?

You must provide this form whenever you collect personal information from individuals in the Philippines. This includes situations such as employee recruitment and onboarding, customer registration for services, membership applications, event registrations, and online account creation. The form is also required when collecting sensitive personal information like health records, financial data, or government-issued IDs. Any business operating in the Philippines, whether local or international, must use this document when processing Filipino citizens' personal data. Additionally, you need updated forms when changing your data processing activities or adding new purposes for data collection.

Key legal considerations

Your form must clearly identify your organization as the data controller and specify the legal basis for processing under the Data Privacy Act. Include comprehensive details about the types of personal data you collect, from basic contact information to sensitive categories like biometric data. Clearly state all purposes for data processing, whether for service delivery, marketing, legal compliance, or employee management. The form must outline data retention periods, storage locations, and security measures you've implemented. Crucially, include information about data subject rights, such as the right to access, correct, delete, or port their personal data. You must also disclose any third-party processors or international data transfers, along with the safeguards in place. Include your Data Protection Officer's contact details and procedures for filing complaints with the National Privacy Commission.

Legal requirements in the Philippines

Under the Data Privacy Act of 2012 and its Implementing Rules and Regulations, your consent form must meet specific standards. The consent must be freely given, specific, informed, and unambiguous, with clear opt-in mechanisms rather than pre-ticked boxes. For sensitive personal information, you need explicit written consent with additional safeguards. The National Privacy Commission requires that privacy notices be written in plain language that ordinary individuals can understand. You must provide the form in Filipino or the local language if your data subjects primarily speak these languages. The document should include breach notification procedures as outlined in NPC Circular No. 2020-03. For organizations processing large volumes of personal data, consider appointing a Data Protection Officer as recommended by the National Privacy Commission. Remember that consent can be withdrawn at any time, and you must provide easy mechanisms for individuals to exercise this right without penalty.

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it