Data Privacy Complaints in the Philippines: How to Report a Violation

Data privacy complaints usually start when someone believes personal information was collected, shared, or exposed without proper basis. People often want to know whether the issue is a privacy breach, a cybercrime matter, or both.

This page is a practical starting point for understanding the topic in plain English.

What a data privacy complaint may involve

Unauthorized sharing of personal information
Improper collection or use of data
Exposure of sensitive records
Possible misuse of online accounts or digital records

What to save first

Screenshots
Messages and emails
Names, dates, and timelines
Copies of posts or notices
Any proof of consent or lack of consent

Why evidence matters

Privacy complaints often depend on details. The exact remedy may depend on who shared the data, how it was shared, and whether the act also overlaps with a cybercrime issue.

If the problem happened online, you may also want to review the related cyber libel guide and the main Cyber & Data Privacy Law in the Philippines page.

Where a complaint may begin

Depending on the facts, a complaint may begin with internal reporting, a regulator, a law-enforcement body, or legal counsel. The best path depends on the specific violation and the evidence available.

Frequently asked questions

Is every privacy issue a crime?

No. Some situations may be civil, administrative, or criminal depending on the facts.

Should I report before deleting evidence?

No. Save the evidence first so you do not lose important details.

Can online posts create a privacy issue?

Yes, depending on what was posted, who posted it, and whether the content included personal or sensitive information.

Request a private review

If you need help sorting out a possible privacy violation, you may use the legal consultation page or the private contact page.

This article is for general information only and is not legal advice. Reading it does not create an attorney-client relationship.

What Is a Data Privacy Violation?

A data privacy violation occurs when personal information is collected, processed, stored, or shared in a way that violates the Data Privacy Act of 2012 (Republic Act No. 10173). Common violations include unauthorized disclosure of personal data, processing without consent, data breaches, inadequate security measures, and failure to comply with data subject rights requests.

Who Can File a Complaint?

Any person whose personal information has been misused, improperly disclosed, or inadequately protected may file a complaint with the National Privacy Commission (NPC). This includes:

Individuals whose personal data was accessed without authorization.
Victims of data breaches where sensitive information was exposed.
People whose data was used for purposes beyond what they consented to.
Complaints against both government agencies and private companies.

The NPC Complaint Process

Prepare the complaint — Write a complaint-affidavit or formal letter describing the violation, the personal data involved, the respondent, and the harm suffered. Attach all relevant evidence such as screenshots, emails, notifications, and correspondence.
File with the NPC — Submit the complaint to the National Privacy Commission. The NPC accepts complaints through their online portal, email, or physical filing at their office.
Evaluation by the NPC — The NPC evaluates whether the complaint falls within its jurisdiction and whether there is a prima facie case. If the complaint is dismissed, the NPC will state the reasons.
Mediation or investigation — If accepted, the NPC may offer mediation between the parties or proceed with a formal investigation. Mediation is encouraged for less serious complaints.
Resolution and order — After investigation, the NPC may issue a resolution ordering the respondent to cease the violation, pay damages, implement corrective measures, or take other appropriate action.
Appeal — Either party may appeal the NPC’s decision to the Court of Appeals within the prescribed period.

What Evidence Is Useful?

Screenshots or printouts of unauthorized disclosures or communications.
Copies of consent forms or privacy notices (or their absence).
Notifications about data breaches from companies or agencies.
Correspondence with the data processor or controller.
Proof of damages or harm suffered (financial, reputational, or emotional).
Any relevant contracts, terms of service, or privacy policies.

Remedies and Penalties

The NPC can impose fines of up to PHP 5,000,000 depending on the severity of the violation. The Data Privacy Act also provides for criminal penalties, including imprisonment, for unauthorized processing or malicious disclosure of personal information. In addition to NPC action, victims may pursue civil damages for any harm suffered due to the violation.

Last reviewed: June 2026

Legal Disclaimer

The information on this page is for general legal information only and does not create an attorney-client relationship. Laws, rules, fees, procedures, and office requirements may change. For advice specific to your situation, consult a qualified Philippine lawyer. AttyKalibre Legal Center provides free legal information and general legal guidance. Reading this page does not constitute legal advice or establish a lawyer-client relationship.