• Email: adm@admprivacy.com
  • Phone +63 (02) 921-9035
  • Mobile (0917) 100 4848

  • Why register with the National Privacy Commission?

     Why register with the National Privacy Commission?   The Data Privacy Act of the Philippines (Republic Act 10173/DPA) and its Implementing Rules and Regulations (IRR) require Personal Information Controllers (PICs)  and Processors (PIPs) to register their Data Protection Officer (DPO) and Data Processing Systemwith the National Privacy Commission (NPC).   These privacy laws provide that if the PICs/PIPs fall under any of the following, they should register with the NPC:   1.        Have at least 250 employees; or 2.        Process sensitive personal information of at least 1,000 individuals; or 3.        Processing poses a risk to the rights of the data subject; or 4.        Processing of personal information is conducted in the regular course of business.   The registration of a Data Protection Officer is due last September 9, 2017, while the registration of a Data Processing System is due on March 8, 2018.   The designated DPO shall be accountable for ensuring the compliance by the PIC or PIP with the DPA, its IRR, issuances by the NPC, and other applicable laws and regulations relating to privacy and data protection.   The Data Processing System in a nutshell provides for the PIC/PIP’s purposes for processing of personal information, a general description of its privacy measures, and the policies relating to data governance, data privacy, and information security.   Registration of a DPO is required prior to the registration of the Data Processing System. Upon registration of a DPO, an access code will be given to the PIC/PIP that will allow it to register its Data Processing System. In the absence of a registered DPO, a PIP/PIC will not be able to register its Data Processing System.   In case of failure to comply with these registration requirements, the PIC/PIP will be exposing itself to the risk of committing acts which are considered violations of the privacy laws such as unauthorized processing of information and facilitating unauthorized access, among others. Acts which are considered violations of the privacy laws are punishable by imprisonment of 1 year to 6 years and a fine of P500,000.00 to P4,000,000.00. The PIC/PIP may also be prevented/restrained from processing personal information. These are on top of any damages that may be claimed by the data subject.   In response to the growing public awareness and regard for data protection, it is therefore expected that PICs/PIPs will comply with its obligations to register with the NPC. Considering that personal information has become a significant oil for commerce, compliance with the directives of the privacy laws will help PICs/PIPs to become more competitive and to gain more of its stakeholders’ trust and confidence.   Atty. Arnel D. Mateo President & CEO ADM and Partners Data Privacy and Consulting Inc. http://www.admprivacy.com    

    View this Post

  • Steps on how to Register with the NPC

    Wondering how to register with the NPC? Here are the steps!If you encounter any concern in the registration process, send us an email at compliancesupport@privacy.gov.ph     https://www.facebook.com/privacy.gov.ph/videos/2069495053333580/

    View this Post

  • NPC investigates multiple government website breach

    NPC investigates multiple government website breach April 24, 2018 | 9:57 AM PHT Last Edit: April 24, 2018 1. The National Privacy Commission (NPC) yesterday summoned the management and other responsible officials of seven schools, institutions, and local government units as it investigates data breaches they sustained following an organized attack on government and commercial organizations last April 1, 2018. 2. The privacy body earlier sent notice to top officials of Taguig City University; the Department of Education offices in Bacoor City and Calamba City; the Province of Bulacan; Philippine Carabao Center; Republic Central Colleges in Angeles City; and Laguna State Polytechnic University, to appear before it from April 23 to 24. This, to explain why they did not notify, within 72 hours of the breach, the NPC nor the affected data subjects, whose personal data were made available for download via links posted on Facebook. 3. As of yesterday, none of the affected organizations were able to issue any data breach notifications whatsoever, as part of their obligations as Personal Information Controllers (PICs) under the Data Privacy Act of 2012. “PICs are required to employ organizational, technical, and physical measures to protect personal data,” said Privacy Commissioner Raymund Enriquez Liboro. “This includes the duty to inform data subjects and this Commission if there is a serious data breach.” 4. The move comes after digital investigators from the National Privacy Commission determined that each of the exposed databases contained sensitive personal information or information that could be used to perpetuate identity fraud; that the exposed data is in the hands of unauthorized persons; and that the exposure of the data raises a real risk of serious harm to the affected data subjects. 5. In its initial estimate, the NPC said the combined number of exposed records in the breach were those of at least 2,000 individual data subjects. They include their name, address, phone number, email address, and in some instances, even passwords and school details.  

    View this Post

  • Summary of the Philippine Identification System Act

      Philippine Identification System Act (Republic Act 11055) Summary written by Atty. Arnel D. Mateo, President and CEO of ADM and Partners Data Privacy and Consulting Inc.   I.                    Purposes and Objectives of the law. The purpose of the law is to establish a single national identification system (PhilSys) for all citizens and residents of the Philippines.   It aims to achieve the following:   1.       to promote seamless delivery of services, 2.       to improve the efficiency, transparency, and targeted delivery of public and social services; 3.       to enhance administrative governance; 4.       to reduce corruption and curtail bureaucratic red tape; 5.       to avert fraudulent transactions and misrepresentations; 6.       to strengthen financial inclusion; 7.       to promote the ease of doing business.   The objective of the law is to establish a valid proof of identity as a means of simplifying public and private transactions. It seeks to eliminate the need to present other forms of identification when transacting with the government and the private sector. The PhilID shall be honoured and accepted, subject to authentication, in all transactions requiring proof or verification of citizens or residents aliens identity.   II.                  To whom shall the PhilID be issued. Under the law, a PhilID shall be issued to all citizens or residents aliens registered under the PhilSys.   III.                Contents of the PhilID. The PhilID will contain the following:   1.       PhilSys Number (PSN) 2.       Full name 3.       Sex 4.       Blood type 5.       Marital status (optional) 6.       Place of birth 7.       Front facing photograph 8.       Date of Birth 9.       Address 10.   QR Code which contains fingerprint information Mobile and email information are optional.   IV.                Fees. The issuance and renewal of PhilID for citizens shall be free of charge.   V.                  Registration is required. Every citizen or resident alien shall register personally with the registration centers enumerated under the law and other government agencies as may be assigned by the Philippine Statistics Authority (PSA).   VI.                Unlawful disclosure of information. Disclosure of information of persons registered with the PhilSys is prohibited. It can only be disclosed under the following circumstances:   1.       Consent is given by the registered person specific to the purpose prior to processing; 2.       Compelling interest of public health or safety so requires upon order of a competent court; 3.       When authorized or required by law.   VII.              Implementation of Security measures. The PSA shall implement reasonable and appropriate organizational, technical, and physical security measures to ensure that the information gathered for the PhilSys, including information stored in the PhilSys Registry, is protected from unauthorized access, use, disclosure and against accidental or intentional loss, destruction or damage.   VIII.            Violations and Penalties:   Violation Penalty Refusal to accept, recognize/acknowledge PhilID or PSN Fine of P500,000.00 Unlawful utilization of PhilID or PSN or use to commit fraudulent act Imprisonment   of    6months   to 2years or a fine of P50,000.00 to P500,000.00 Wilful submission of causing to be submitted a fictitious name or false information in the application, renewal, or updating in the PhilSys by any person         Imprisonment of 3years to 6years and a fine of P1,000,000.00 to P3,000,000.00 Unauthorized printing, preparation, or issuance of a PhilID by any person Wilful falsification, mutilation, alteration or tampering of the PhilID by any person Unauthorized possession of a PhilID or possession of a fake, falsified or altered PhilID Wilful transfer of the PhilID or the PSN to any other person Collection or use of personal data in violation of Section 12 (requirements for authentication)     Imprisonment of 6years to 10years imprisonment and a fine of P3,000,000.00 to P5,000,000.00 Use or disclosure of data in violation of Section 17 (unlawful disclosure) Unauthorized access of PhilSys or unauthorized processing   of data   Malicious disclosure of data or information by officials, employees or agents who have custody or responsibility of maintaining the PhilSys Imprisonment    of    10years   to 15years and fine of P5,000,000.00 to P10,000,000.00 Negligence of officials, employees or agents who have custody or responsibility of maintaining the PhilSys thereby facilitating unauthorized access. Imprisonment of 3years to 6years and   fine   of   P1,000,000.00    to P3,000,000.00  

    View this Post


          ADM & PARTNERS AT THE PHILIPPINE INTERNATIONAL CYBERSECURITY CONFERENCE 2018 By: Jayson M. Martinez   ADM and Partners Data Privacy & Consulting Services,Inc. participated in the recently conducted Philippine International Cybersecurity Conference held on October 25 and 26, 2018 at The Grand Regal Hotel in the heart of Davao City. The conference was a 2-day event which tackled topics involving the Philippines’ Road to resiliency, commitment in strengthening the country’s Cybersecurity, as well as possible threats that may pose serious risks in nation-building. The conference was attended by more than 400 delegates from different field and industries, local and international, and was welcomed with parade of colors and well defined exhibits. DICT Assistant Secretary in Cyber security, Asec. Allan S. Cabanlong discussed the mission and vision of the DICT and its National Security Strategy in pursuit of Philippine Development Plan 2017-2022 and the National Security Policy 2017-2022. Some of the key salient topics of the conference which cover some points pertaining to Data Privacy are: The Philippine Cyber Threat Landscape & National Cybersecurity Strategy by Engr. George Tardio, The Digital Certificate for the National ID System by Usec. Lisa Grace S. Bernales, and The Digital Consumer Protection by ASec. Carlos Mayorico E.Caliwara. Engr. George Tardio asserted that the possibility of making the Philippines a cyber resilient nation would be possible by crafting a National Security Strategy Policy and Plans and establish NCERT or the National Computer Emergency Response Team to counter the threats and possibilities of data breach. The Digital Certificate for the National ID System, on the other hand, was met with approval but still with uncertainty. The idea of having a mobile I.D. installed in mobile phones and electronic gadgets for public and private identification purposes really expedites the processing of applications of all citizens and resident aliens, but some are still hesitant to do so because of privacy concerns. The PSA assured that the personal data in their system will not be compromised as it will only be released upon sufficient consent and authorization from the data subject. Citizens and resident alien, meanwhile, would still have to wait as this Mobile I.D. proposition will still need proof of concept with Phil Post which will start on December. Moving on to a more economic approach, Asec. Carlos Mayorico Caliwara from Legal Affairs DICT discussed about the Digital Consumer Protection, online scam in the online market and Redress Mechanism. He addressed the significance and establishment of effective Digital Consumer Protection to prevent data breaches as personal information were always provided by the consumers to online stores to avail warranty. As we progress and subject our industrial and economic sectors to the cyber space, the more we are getting prone to cyber attacks, such assault may not only affect a single department but may inflict huge serious damage involving  the processing of personal data in wide array of private and national services. In this modern age, keen adherence and strong partnership with the international and local sectors will be the key to fortify our defenses against these threats.

    View this Post

CONGRATULATIONS ADM & PARTNERS DATA PRIVACY AND CONSULTING INC for achieving eight recognitions (out of 11) during the NADPOP'S 1ST DATOS Privados. Congratulations to all other awardees such as PLDT, Microsoft, Unionbank, Quisumbing Torres, Accenture, etc. 


1. INSTITUTIONAL: SOLUTIONS PROVIDERS — Data Privacy Solutions Firm: ADM (Sole Awardee) 
2. INSTITUTIONAL: SOLUTIONS PROVIDERS — Empowerment & Enablement: ADM (Next to TUV) 


1. INSTITUTIONAL: FIVE PILLARS (Corporate Governance) — ADM and Partners Data Privacy and Consulting Inc. (ADM)
2. INDIVIDUAL: FIVE PILLARS (Corporate Governance) — Arnel D. Mateo
3. INSTITUTIONAL: SOLUTIONS PROVIDERS — Data Privacy Law Firm: ADM (Tied with Quisumbing Torres) 
4. CAMPAIGNS & EVENTS — DATA PRIVACY AWARENESS: 7 Privacy Tips for Data Subjects - ADM (Next to Microsoft) 



_ _ _


Thank you NADPOP! Having ADM & Partners and Atty. Arnel Mateo as finalists in 8 categories out of 11 is in itself a recognition already. This will keep us going and inspired in continuing our privacy work. Thanks to everyone for your support. Awarding will happen on March 20, 2019 7pm-930pm at Shangrila Makati! Congratulations to all the finalists.




_ _ _

ADM & Partners Data Privacy Consulting Inc, will be having two upcoming seminars for the month of April, see you there! ?????‍??????‍????

April 12, 2019 (SUBIC Bay Peninsular Hotel) - YOUR JOURNEY TO COMPLIANCE



For inquiries, leave us a message.



Click Here To Register For April 25, 2019!

_ _ _


_ _ _


This 2019, phishing attacks remain rampant and expected to be more persistent.


Be informed with these simple reminders:



_ _ _



A proud member of the Philippine Chamber of Commerce and Industry - Quezon City



_ _ _





ADM & Partner Data Privacy and Consulting Inc is a STOP. THINK. CONNECT.™  international partner!

STOP. THINK. CONNECT.™ is the global online safety education and awareness campaign to help all digital citizens stay safer and more secure online.


© STOP. THINK. CONNECT. Messaging Convention Inc. Used under license. All rights reserved.

2010 STOP. THINK. CONNECT. is a trademark of the Messaging Convention and may only be used in accordance with the license provided at https://stopthinkconnect.org.






-Assist in the registration of the Data Privacy Officer with the National Privacy Commission;

-Conduct compliance training on data privacy; and

-Review contracts, forms, and policies.


-Identification, analysis and evaluation of privacy threats, program and system; and

-Inventory of personal data processed by the company.


-Create, write and disseminate within the organization privacy policies, agreements, notices an manuals (HR, Marketing, Operations); and

-Register data processing system with the National Privacy Commission.



-Monitor and audit implementation of reasonable and appropriate organizational, physical and technical measures; and

-Conduct data privacy drills


-Supervise the creation of data breach response team; 

-Write incident response procedure; and

-Conduct breach drills.


-Provide opinion and advisories on data protection.



- Gain 1 year access to privacy templates such as Data Sharing Agreements, Privacy Policies, Consent Forms, and Request Forms.

- View materials, presentations, and training resources on several data privacy topics.

- Comply independently with the privacy requirements.


- SSL, 256-bit encryption

- Penetration Test