
RA 10173 Data Privacy Act: Handling Obligations for Enterprise Software

Republic Act No. 10173, the Data Privacy Act of 2012, imposes specific obligations on enterprise software vendors and their clients as Personal Information Controllers. This brief summarizes data subject rights, PIC duties, security baseline requirements, and NPC registration obligations relevant to Philippine enterprise deployments.

March 15, 2026 · 3 min read · Pending CPA review

Overview

Republic Act No. 10173, known as the Data Privacy Act of 2012, establishes the legal framework governing the collection, processing, storage, and disclosure of personal information by public and private entities in the Philippines. Enterprise software deployments — particularly systems handling employee records, customer data, and financial transactions — create specific obligations for both the software vendor and the client organization as Personal Information Controllers (PICs) and, where applicable, Personal Information Processors (PIPs).

This brief provides a factual summary based on publicly available guidance from the National Privacy Commission (NPC).

Scope and Applicability

RA 10173 applies to the processing of personal information by any natural or juridical person whose principal place of business is in the Philippines, or who uses equipment located in the Philippines. Enterprise software clients who collect and process employee or customer personal data are typically classified as Personal Information Controllers. Software vendors who process data on behalf of clients may be classified as Personal Information Processors.

Data Subject Rights

Under RA 10173, individuals whose personal data is processed retain the following rights:

  • Right to be informed of the purpose, scope, and method of data collection
  • Right to access personal data held by the PIC upon written request
  • Right to rectify inaccurate or incomplete personal data
  • Right to erasure or blocking of data processed in violation of RA 10173
  • Right to data portability for structured, commonly used formats where technically feasible
  • Right to object to processing for direct marketing or profiling without consent

PIC Obligations for Enterprise Deployments

Organizations deploying enterprise software must:

  • Implement organizational, physical, and technical security measures appropriate to the nature of the personal data processed
  • Execute Data Sharing Agreements with third-party vendors processing data on their behalf
  • Designate a Data Protection Officer (DPO) if the organization regularly and systematically monitors data subjects or processes sensitive personal information at scale
  • Report personal data breaches to the NPC within 72 hours of discovery, and to affected data subjects without undue delay

NPC Registration

Certain PICs are required to register their data processing systems with the National Privacy Commission. Covered entities should assess registration obligations based on the volume and sensitivity of personal data processed. NPC registration is typically completed through the NPC's online portal.

Last updated: Pending CPA review. This brief is prepared for informational purposes based on publicly available NPC and BIR guidance. Consult a qualified legal or compliance professional for advice specific to your organization.