7 Common Data Privacy Violations in the Philippines (And How to Avoid Them)
The National Privacy Commission (NPC) has been increasingly active in investigating and penalizing data privacy violations across the Philippines. What many business owners don’t realize is that most violations are unintentional—simple oversights or outdated practices that expose the organization to significant fines and reputational damage.
Having worked with businesses across Region 8, I’ve seen the same compliance gaps repeated across industries. The good news? These violations are entirely preventable with the right knowledge and systems in place.
Here are the 7 most common data privacy violations I encounter—and how to avoid them.
1. Collecting Personal Data Without a Privacy Notice
The Violation
Many businesses collect customer information (names, contact details, addresses) without informing individuals what data is being collected, why, and how it will be used.
Real-World Examples:
- A retail store collects customer phone numbers for “follow-up” without explaining that they’ll send marketing messages
- A clinic asks for patient information without a visible privacy notice
- An online form collects email addresses without explaining the purpose
- An employment application requests sensitive information without disclosure
Why It’s a Problem
Under Section 11 of RA 10173, organizations must be transparent about data collection. Collecting data without disclosure violates the transparency principle and can result in administrative fines.
How to Fix It
Create and display a clear Privacy Notice that includes:
- What personal information you collect
- Why you collect it (purpose)
- How you will use it
- Who you might share it with
- How long you’ll keep it
- How individuals can access or correct their data
- Your contact information
Where to display it:
- On your website (footer and contact forms)
- At your physical location (front desk, waiting area)
- On paper forms that collect information
- In employment applications
Template Language:
“We collect your name, contact information, and [other data] for the purpose of [processing your order/providing services/employment]. Your information will be kept confidential and used only for this purpose. For our full Privacy Policy, visit [website] or ask our staff.”
2. No Consent for Marketing Communications
The Violation
Sending unsolicited marketing emails, text messages, or calls to customers without their explicit consent.
Real-World Examples:
- Automatically subscribing customers to a mailing list after a purchase
- Using a pre-checked “I agree to receive promotions” box on forms
- Sending SMS promotions to customers who only provided their number for delivery purposes
- Adding customers to a Facebook Messenger broadcast list without permission
Why It’s a Problem
RA 10173 defines consent as a freely given, specific, informed indication of will, evidenced by written, electronic or recorded means (Section 3(b)), and direct marketing ordinarily relies on that consent. A pre-ticked box, or a number collected "for delivery" and then used for promotions, does not meet that definition. Unsolicited marketing is a frequent source of complaints to the NPC.
How to Fix It
For Email Marketing:
- Use double opt-in (customer subscribes, then confirms via email)
- Never pre-check consent boxes—make it an active choice
- Clearly explain what they’re signing up for
- Include an easy unsubscribe option in every email
For SMS Marketing:
- Get written or electronic consent before sending promotional messages
- Clearly state the frequency of messages
- Provide a way to opt-out (e.g., “Reply STOP to unsubscribe”)
For existing customer lists:
If you’ve been sending marketing without proper consent, send a re-permission campaign:
“We want to make sure you’re happy to receive our updates. Click here to confirm you’d like to stay subscribed, otherwise you’ll be removed from our list.”
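To make the double opt-in and "Reply STOP" handling above concrete, here is an added example, not code from the original article, of a consent ledger in Python: a signed, expiring confirmation token that only the mailbox or phone owner can redeem, one record per contact and purpose that stores when and through which channel consent was given or withdrawn (the evidence Section 3(b) calls for), and a send gate that refuses anything not explicitly confirmed. The secret key, the 48-hour link lifetime and the sample addresses are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical secret: in production load it from a secrets store or environment, never from source.
SECRET_KEY = b"example-only-secret-change-me"
TOKEN_TTL_SECONDS = 48 * 3600  # assumption: a confirmation link is good for two days


def _sign(data: str) -> str:
    return hmac.new(SECRET_KEY, data.encode(), hashlib.sha256).hexdigest()


def make_confirmation_token(contact: str, purpose: str, now: float) -> str:
    """Token placed in the confirmation email/SMS link. Signed, so nobody can forge a
    'confirmation' for someone who never clicked; expiring, so old links die."""
    payload = {"c": contact, "p": purpose, "exp": int(now + TOKEN_TTL_SECONDS),
               "nonce": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, separators=(",", ":")).encode()).decode().rstrip("=")
    return f"{body}.{_sign(body)}"


def verify_confirmation_token(token: str, now: float):
    """Return the payload if the signature is valid and the token is unexpired, else None."""
    body, _, sig = token.partition(".")
    if not sig or not hmac.compare_digest(sig, _sign(body)):
        return None
    padded = body + "=" * (-len(body) % 4)
    payload = json.loads(base64.urlsafe_b64decode(padded))
    if payload["exp"] < now:
        return None
    return payload


class ConsentLedger:
    """Per-contact, per-purpose consent records. Section 3(b) of RA 10173 requires consent
    to be evidenced by written, electronic or recorded means, so every state change is
    stored with a timestamp and the channel it came through."""

    def __init__(self):
        self.records = {}  # (contact, purpose) -> dict

    def request(self, contact, purpose, now, source):
        # 'pending' never authorises a send: only an explicit confirmation does.
        self.records[(contact, purpose)] = {
            "status": "pending", "requested_at": now, "source": source}
        return make_confirmation_token(contact, purpose, now)

    def confirm(self, token, now):
        payload = verify_confirmation_token(token, now)
        if payload is None:
            return False
        rec = self.records.get((payload["c"], payload["p"]))
        if rec is None or rec["status"] != "pending":
            return False  # unknown request, or a replayed link: ignore
        rec.update(status="confirmed", confirmed_at=now)
        return True

    def withdraw(self, contact, purpose, now, channel):
        rec = self.records.get((contact, purpose))
        if rec is None:
            return False
        rec.update(status="withdrawn", withdrawn_at=now, withdrawal_channel=channel)
        return True

    def may_send(self, contact, purpose):
        rec = self.records.get((contact, purpose))
        return rec is not None and rec["status"] == "confirmed"


def handle_sms_reply(ledger, sender, text, now):
    """'Reply STOP to unsubscribe': record the withdrawal together with its channel."""
    if text.strip().upper() in {"STOP", "UNSUBSCRIBE"}:
        return ledger.withdraw(sender, "sms_promotions", now, "sms_reply")
    return False


if __name__ == "__main__":
    ledger = ConsentLedger()
    t0 = 1_700_000_000.0  # constructed timestamp
    token = ledger.request("ana@example.com", "email_newsletter", t0, "web_form")
    print("before confirm:", ledger.may_send("ana@example.com", "email_newsletter"))
    print("confirm:", ledger.confirm(token, t0 + 300))
    print("after confirm:", ledger.may_send("ana@example.com", "email_newsletter"))
```

The send gate is the part worth copying: marketing jobs call `may_send` and never read the subscription list directly, so a record that is pending, expired, tampered with or withdrawn can never produce a message.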
3. Storing Personal Data Indefinitely
The Violation
Keeping customer, employee, or client data forever “just in case” you might need it someday, without a clear business or legal reason.
Real-World Examples:
- Keeping employee files for 20 years after they resign
- Never deleting old customer accounts or purchase history
- Storing job applicant information from years ago
- Maintaining email lists of people who haven’t engaged in years
Why It’s a Problem
The proportionality principle (Section 11 of RA 10173) requires that personal data be kept only for as long as necessary for the declared purpose. Indefinite storage creates unnecessary risk—the more data you have, the more you’re exposed if there’s a breach.
How to Fix It
Create a Data Retention Schedule:
| Data Type | Retention Period | Reason |
|---|---|---|
| Employee records | 5 years after separation | Labor laws |
| Tax records | 10 years | BIR requirements |
| Customer purchase records | 5 years | Warranty/disputes |
| Job applications (not hired) | 6 months | Recruitment needs |
| Marketing consent | Until withdrawn | Active consent |
| CCTV footage | 30-60 days | Security purposes |
Implementation:
- Set calendar reminders to review and delete old data
- Use automated deletion for digital records where possible
- Securely dispose of physical documents (shredding)
- Document your deletion process
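As an added example, not from the original article, here is the retention table above encoded as a policy that a nightly job can apply in Python. The year and six-month lengths in days, the field names that start each clock and the sample records are assumptions. The three-way decision (keep, delete, or hold for a human) is the point: a record with no policy, or under legal hold, is never auto-deleted, and every decision is written to an audit line.

```python
from datetime import date, timedelta

# The article's retention schedule, encoded. Assumptions: a year is 365 days and six
# months is 183 days; "trigger" is the record field whose date starts the clock.
RETENTION_SCHEDULE = {
    "employee_record":   {"days": 5 * 365,  "trigger": "separation_date", "reason": "Labor laws"},
    "tax_record":        {"days": 10 * 365, "trigger": "created",         "reason": "BIR requirements"},
    "purchase_record":   {"days": 5 * 365,  "trigger": "created",         "reason": "Warranty/disputes"},
    "job_application":   {"days": 183,      "trigger": "created",         "reason": "Recruitment needs"},
    "marketing_consent": {"days": 0,        "trigger": "withdrawn_date",  "reason": "Until withdrawn"},
    "cctv_footage":      {"days": 30,       "trigger": "created",         "reason": "Security purposes"},
}

REVIEW_DATE = date(2025, 1, 15)  # constructed "today" for the sample run


def review_record(rec: dict, today: date) -> tuple:
    """Decide keep / delete / hold for one record and say why.
    'hold' means a human must look: never auto-delete what you cannot classify."""
    policy = RETENTION_SCHEDULE.get(rec["type"])
    if policy is None:
        return "hold", "no retention policy for this record type; refer to DPO"
    if rec.get("legal_hold"):
        return "hold", "legal hold (pending dispute, audit or NPC inquiry)"
    start = rec.get(policy["trigger"])
    if start is None:
        return "keep", f"retention clock not started ({policy['trigger']} is unset)"
    expires_on = start + timedelta(days=policy["days"])
    if today >= expires_on:
        return "delete", f"{policy['reason']}: retention ended {expires_on.isoformat()}"
    return "keep", f"{policy['reason']}: retain until {expires_on.isoformat()}"


def run_retention_review(records: list, today: date) -> dict:
    """Sort records into buckets and build the audit trail the article asks you to keep."""
    result = {"keep": [], "delete": [], "hold": [], "audit_log": []}
    for rec in records:
        decision, why = review_record(rec, today)
        result[decision].append(rec["id"])
        result["audit_log"].append(
            f"{today.isoformat()} {rec['id']} {rec['type']} {decision}: {why}")
    return result


def purge(records: list, today: date) -> list:
    """Return only the records that survive the review (what a nightly job writes back)."""
    doomed = set(run_retention_review(records, today)["delete"])
    return [r for r in records if r["id"] not in doomed]


# Constructed sample records, not real data.
SAMPLE_RECORDS = [
    {"id": "EMP-001", "type": "employee_record", "separation_date": date(2019, 1, 1)},
    {"id": "EMP-002", "type": "employee_record", "separation_date": None},  # still employed
    {"id": "TAX-2018", "type": "tax_record", "created": date(2018, 4, 1)},
    {"id": "CCTV-1201", "type": "cctv_footage", "created": date(2024, 12, 1)},
    {"id": "APP-0901", "type": "job_application", "created": date(2024, 9, 1)},
    {"id": "MKT-077", "type": "marketing_consent", "withdrawn_date": date(2024, 12, 20)},
    {"id": "MKT-078", "type": "marketing_consent", "withdrawn_date": None},  # consent active
    {"id": "PUR-2015", "type": "purchase_record", "created": date(2015, 6, 1), "legal_hold": True},
    {"id": "MISC-1", "type": "vendor_contract", "created": date(2010, 1, 1)},  # no policy yet
]

if __name__ == "__main__":
    for line in run_retention_review(SAMPLE_RECORDS, REVIEW_DATE)["audit_log"]:
        print(line)
```

Run it from the same cron job that takes backups, keep the audit lines with your other compliance records, and treat every `hold` as a ticket for the DPO rather than something to clear by hand in the database.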
4. Weak Security Measures
The Violation
Failing to implement “reasonable and appropriate” security measures to protect personal data from unauthorized access, disclosure, or breaches.
Real-World Examples:
- Employees using weak passwords like “password123”
- Multiple staff sharing the same login credentials
- Leaving customer files on an unlocked desk overnight
- No encryption for sensitive data
- Unprotected databases accessible from the internet
- No access controls—everyone can access everything
Why It’s a Problem
Section 20 of RA 10173 mandates that organizations implement security measures. A data breach caused by inadequate security can result in massive fines, criminal liability, and devastating reputational damage.
How to Fix It
Organizational Security:
- Implement password policies (minimum length, screening against common and previously breached passwords, and rotation on suspected compromise rather than on a fixed schedule; add multi-factor authentication for email and administrator accounts wherever the service supports it)
- Use unique accounts for each employee (no shared logins)
- Create access controls (employees only access data they need for their job)
- Sign confidentiality agreements with all employees
- Conduct regular privacy training
Physical Security:
- Lock filing cabinets containing personal data
- Implement visitor logs and ID checks
- Shred documents before disposal
- Secure after-hours access to data storage areas
Technical Security:
- Use antivirus software on all computers
- Enable firewalls
- Implement HTTPS on your website
- Encrypt sensitive data (especially health or financial data)
- Regular software updates and patches
- Daily or weekly backups stored securely
For small businesses in Region 8: Even basic measures like strong, unique passwords, locked cabinets, and regular backups prevent most of the breaches small businesses actually suffer.
5. Failing to Report Data Breaches Within 72 Hours
The Violation
Not reporting a personal data breach to the NPC within 72 hours of becoming aware of it, or failing to notify affected individuals.
Real-World Examples:
- A hacker gains access to your customer database but you don’t report it
- An employee accidentally emails customer data to the wrong recipient and you keep it quiet
- A laptop containing employee records is stolen and you wait weeks to investigate
- A ransomware attack encrypts customer data but you try to handle it internally
Why It’s a Problem
NPC Circular No. 16-03 requires notification of the NPC and the affected data subjects within 72 hours of knowledge (or reasonable belief) of a breach when all three of the following hold:
- The data involves sensitive personal information, or other information that could be used to enable identity fraud
- There is reason to believe the information may have been acquired by an unauthorized person
- The unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject
Breaches that fall short of this test still have to be documented internally; the same circular requires records of all security incidents and an annual summary report to the NPC.
Failure to report can result in:
- Administrative fines from the NPC (NPC Circular No. 2022-01 caps these at ₱5,000,000 per infraction)
- Criminal charges for concealment of a security breach (Section 30 of RA 10173: imprisonment plus a fine of ₱500,000 to ₱1,000,000)
- Mandatory public disclosure
- Loss of customer trust
How to Fix It
Create a Data Breach Response Plan:
1. Detection & Assessment (Hour 0-4)
- Identify what data was compromised
- Determine how many individuals are affected
- Assess the risk level
- Contain the breach immediately
2. NPC Notification (Within 72 Hours)
Report to the NPC including:
- Nature of the breach
- Personal data involved
- Number of affected individuals
- Likely consequences
- Measures taken to address the breach
3. Notify Affected Individuals
If there’s real risk of serious harm, notify affected data subjects:
- What happened
- What data was compromised
- What you’re doing about it
- What they should do (change passwords, monitor accounts)
4. Document Everything
Keep records of:
- When the breach was discovered
- What caused it
- What data was affected
- Actions taken
- Who was notified and when
Prevention is Better: Regular security audits and employee training can prevent most breaches before they happen.
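An added example, not the article's own material, that turns the response plan above into a small incident tracker in Python: it applies the three-part Circular 16-03 test, computes the 72-hour deadline from the time of discovery rather than the time of the attack, flags an overdue notification, keeps the timeline that step 4 asks for and assembles the fields for the NPC report in step 2. The two incidents are constructed, and the list of identity-fraud enablers is an assumption, since the circular does not enumerate them.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

NPC_NOTIFICATION_WINDOW = timedelta(hours=72)
PH_TZ = timezone(timedelta(hours=8))

# Sensitive personal information as enumerated in Section 3(l) of RA 10173 (short labels).
SENSITIVE_CATEGORIES = {
    "health", "government_id", "race", "ethnicity", "marital_status", "age", "religion",
    "political_affiliation", "genetic", "sexual_life", "legal_proceedings",
}
# Assumption: examples of "other information that may be used to enable identity fraud";
# the circular does not enumerate these, so tune the list to your own systems.
IDENTITY_FRAUD_ENABLERS = {"password", "bank_account", "card_number", "security_answers"}


@dataclass
class BreachIncident:
    incident_id: str
    discovered_at: datetime            # the 72 hours run from knowledge of the breach
    data_categories: set
    affected_count: int
    unauthorized_acquisition: bool     # reason to believe an unauthorized person got the data
    serious_harm_likely: bool          # outcome of your risk assessment (step 1 of the plan)
    events: list = field(default_factory=list)
    npc_notified_at: Optional[datetime] = None
    subjects_notified_at: Optional[datetime] = None

    def log(self, when: datetime, what: str) -> None:
        """Step 4: keep a timeline of every action, who was told and when."""
        self.events.append((when.isoformat(), what))


def notification_required(b: BreachIncident) -> tuple:
    """NPC Circular 16-03 test. All three conditions must hold; the returned list
    explains which data categories triggered the first one."""
    triggers = []
    spi = b.data_categories & SENSITIVE_CATEGORIES
    fraud = b.data_categories & IDENTITY_FRAUD_ENABLERS
    if spi:
        triggers.append("sensitive personal information: " + ", ".join(sorted(spi)))
    if fraud:
        triggers.append("identity-fraud enablers: " + ", ".join(sorted(fraud)))
    required = bool(triggers) and b.unauthorized_acquisition and b.serious_harm_likely
    return required, triggers


def npc_deadline(b: BreachIncident) -> datetime:
    return b.discovered_at + NPC_NOTIFICATION_WINDOW


def hours_after_discovery(b: BreachIncident, hours: float) -> datetime:
    return b.discovered_at + timedelta(hours=hours)


def hours_remaining(b: BreachIncident, now: datetime) -> float:
    return (npc_deadline(b) - now) / timedelta(hours=1)


def status(b: BreachIncident, now: datetime) -> dict:
    """What the incident lead needs on one screen."""
    required, triggers = notification_required(b)
    return {
        "incident_id": b.incident_id,
        "notification_required": required,
        "triggers": triggers,
        "npc_deadline": npc_deadline(b).isoformat(),
        "hours_remaining": round(hours_remaining(b, now), 1),
        "npc_notified": b.npc_notified_at is not None,
        "subjects_notified": b.subjects_notified_at is not None,
        "overdue": required and b.npc_notified_at is None and now > npc_deadline(b),
        # Circular 16-03 also requires records of every security incident, reportable or not.
        "document_internally": True,
    }


def npc_report(b: BreachIncident, nature: str, consequences: str, measures: list) -> dict:
    """The content the article lists for the NPC notification (step 2)."""
    return {
        "incident_id": b.incident_id,
        "nature_of_breach": nature,
        "personal_data_involved": sorted(b.data_categories),
        "affected_individuals": b.affected_count,
        "likely_consequences": consequences,
        "measures_taken": measures,
        "discovered_at": b.discovered_at.isoformat(),
    }


# Constructed incidents, not real cases.
SAMPLE_LAPTOP_THEFT = BreachIncident(
    "INC-2025-001", datetime(2025, 3, 3, 9, 0, tzinfo=PH_TZ),
    {"name", "government_id", "bank_account", "health"}, 120,
    unauthorized_acquisition=True, serious_harm_likely=True)
SAMPLE_MISDIRECTED_EMAIL = BreachIncident(
    "INC-2025-002", datetime(2025, 3, 5, 14, 30, tzinfo=PH_TZ),
    {"name", "email"}, 3, unauthorized_acquisition=True, serious_harm_likely=False)

if __name__ == "__main__":
    now = hours_after_discovery(SAMPLE_LAPTOP_THEFT, 24)
    print(status(SAMPLE_LAPTOP_THEFT, now))
    print(status(SAMPLE_MISDIRECTED_EMAIL, now))
```

Note the misdirected email of three names and addresses: it does not meet the notification test, but it still gets an incident record, because the annual report to the NPC has to list it and because a pattern of "small" misdirections is exactly what an auditor looks for.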
6. Processing Employee Data Without Proper Safeguards
The Violation
Many businesses focus exclusively on customer data privacy while neglecting employee data protection—even though employee records often contain sensitive personal information.
Real-World Examples:
- HR files stored in unlocked cabinets accessible to all staff
- Payroll data (including bank account numbers) shared carelessly
- Employee health information disclosed without consent
- Performance reviews accessible to unauthorized employees
- Biometric attendance systems without proper disclosure
Why It’s a Problem
Employee records routinely contain sensitive personal information as defined in Section 3(l) of RA 10173: health information, government-issued ID numbers (SSS, TIN, PhilHealth, Pag-IBIG), marital status, age and religion. Bank details and performance records are ordinary personal information rather than sensitive personal information, but they are still protected, and an HR file has to be handled to the stricter standard that the sensitive data in it demands: Section 13 restricts the processing of sensitive personal information, and the penalties in Sections 25 to 32 are higher when it is involved.
How to Fix It
For HR and Payroll Data:
- Restrict access to HR staff only
- Encrypt digital employee records
- Lock physical employee files
- Never email unencrypted sensitive employee data
- Use secure payroll systems with access controls
For Employee Monitoring:
If you use:
- CCTV cameras
- Biometric systems (fingerprint, facial recognition)
- Email or internet monitoring
- GPS tracking of company vehicles
You must:
- Inform employees in writing what you’re monitoring and why
- Get their consent where required
- Only use monitoring for legitimate purposes
- Secure the monitoring data
For Employee Health Data:
- Keep medical certificates and health records in separate, locked files
- Access limited to designated HR personnel only
- Never disclose health information without employee consent
- Destroy medical records securely after retention period
7. No Data Protection Officer (When Required)
The Violation
Failing to designate a Data Protection Officer (DPO) when your organization is legally required to have one.
Real-World Examples:
- A hospital with 300 employees processing patient data without a DPO
- A BPO processing customer information for international clients with no designated DPO
- A bank or financial institution without a DPO
- A company that knows it needs a DPO but hasn’t gotten around to appointing one
Why It’s a Problem
The IRR of RA 10173 (Section 26) requires every personal information controller and processor to designate an individual accountable for compliance, and NPC Advisory No. 2017-01 defines that role as the Data Protection Officer; in practice the NPC expects every organization that processes personal data to name one. The thresholds usually associated with the DPO, such as:
- Employing 250 or more people
- Processing sensitive personal information of at least 1,000 individuals
- Processing that is not occasional, or that is likely to pose a risk to data subjects
are the triggers for registering your data processing systems, and your DPO, with the NPC under NPC Circular No. 17-01 (as later updated), not the test for whether a DPO is needed at all.
Operating without a DPO is a direct violation and creates significant compliance gaps—no one is monitoring compliance, handling data subject requests, or serving as the NPC point of contact.
How to Fix It
Option 1: Appoint an Internal DPO
- Designate a qualified employee (with sufficient training in data privacy)
- Ensure they have independence (can’t be instructed on how to perform DPO duties)
- Provide necessary resources and access to senior management
- Register with the NPC
Option 2: Hire an External DPO Consultant (Recommended for SMEs)
- More cost-effective than a full-time hire
- Immediate access to specialized expertise and certification
- Can serve multiple non-competing organizations
- Maintains independence automatically
For Region 8 Businesses:
Most small and medium enterprises benefit more from an external DPO consultant who provides expert guidance at a fraction of the cost of a full-time employee.
As a TÜV Certified DPO serving Eastern Visayas, I provide DPO consulting services tailored to Region 8 businesses.
The Bottom Line: Prevention is Cheaper Than Penalties
Every violation discussed above is 100% preventable with proper systems, training, and guidance. The cost of compliance is always lower than the cost of NPC penalties, legal fees, and reputational damage from a violation.
Most businesses aren’t trying to violate the law—they simply don’t know what compliance looks like.
Compliance Quick Reference Card
| Violation | Quick Fix | Priority |
|---|---|---|
| No Privacy Notice | Display at all data collection points | HIGH |
| Unsolicited Marketing | Implement double opt-in consent | HIGH |
| Indefinite Data Storage | Create retention schedule | MEDIUM |
| Weak Security | Strong passwords + access controls | HIGH |
| Unreported Breaches | Create 72-hour response plan | CRITICAL |
| Employee Data Neglect | Apply same safeguards as customer data | MEDIUM |
| No DPO (when required) | Appoint internal or external DPO | HIGH |
Need Help Ensuring Compliance?
If you’re concerned that your business might be making any of these common mistakes, I offer free compliance assessments for Region 8 businesses.
As a TÜV Certified Data Protection Officer, I help businesses across Leyte, Samar, and Biliran:
- Identify and fix compliance gaps
- Implement Privacy Management Programs
- Train employees on data privacy
- Serve as your organization’s DPO
- Ensure you’re fully compliant with RA 10173
Request a Free Compliance Assessment →
Don’t wait for an NPC audit or data breach to discover compliance gaps. Get ahead of the curve and protect your business today.