External Privacy Notice Template for the Philippines
What is an External Privacy Notice?
An External Privacy Notice is a mandatory document required under the Philippines Data Privacy Act of 2012 for organizations that collect and process personal information. This document must be provided to data subjects (such as customers, users, or website visitors) before or at the time of data collection. The notice should be written in clear, simple language and must include specific information required by law, such as the types of personal data collected, purposes of processing, data sharing practices, security measures, and data subject rights. The External Privacy Notice serves both as a compliance tool and a trust-building mechanism, demonstrating the organization's commitment to data protection and transparency. It must be regularly reviewed and updated to reflect changes in data processing activities or legal requirements, and should be easily accessible to all data subjects, typically through the organization's website or physical locations.
Frequently Asked Questions
Is an External Privacy Notice legally required under Philippine law?
Yes, an External Privacy Notice is mandatory under Republic Act No. 10173 (Data Privacy Act of 2012) in the Philippines. Organizations must provide this notice to data subjects before or at the time of collecting personal information. Failure to comply can result in penalties from the National Privacy Commission ranging from PHP 500,000 to PHP 5,000,000.
Can I be fined if my External Privacy Notice is missing or incomplete in the Philippines?
Yes, the National Privacy Commission can impose significant fines for missing or incomplete External Privacy Notices. Penalties range from PHP 500,000 to PHP 5,000,000 for violations of the Data Privacy Act. Additionally, affected individuals may file complaints that could result in further legal action and reputational damage.
How does an External Privacy Notice differ from an Internal Privacy Policy in the Philippines?
An External Privacy Notice is provided to customers and data subjects to inform them about data collection practices, while an Internal Privacy Policy governs how employees handle personal data within your organization. The External Notice is required under the Data Privacy Act for transparency, whereas the Internal Policy is part of your compliance framework with the National Privacy Commission.
How long does it typically take to prepare an External Privacy Notice for Philippine compliance?
Creating a compliant External Privacy Notice typically takes 1-3 weeks depending on your organization's complexity. This includes reviewing your data collection practices, ensuring compliance with Republic Act No. 10173 requirements, and having legal review. Larger organizations with multiple data processing activities may require additional time for comprehensive coverage.
Which specific information must be included in an External Privacy Notice under Philippine law?
Under the Data Privacy Act, your External Privacy Notice must include the identity of the data controller, purposes of processing, categories of personal data collected, recipients of data, retention periods, and data subject rights. You must also specify the legal basis for processing and provide contact information for data protection inquiries as required by the National Privacy Commission.
What are common mistakes businesses make when drafting External Privacy Notices in the Philippines?
Common mistakes include using generic templates not tailored to Philippine law, failing to specify the legal basis for data processing, omitting required contact information for the Data Protection Officer, and not updating the notice when business practices change. Many also forget to provide the notice in Filipino or the local language as required by the National Privacy Commission guidelines.
Can I use the same External Privacy Notice for online and offline data collection in the Philippines?
While you can use one comprehensive External Privacy Notice, it must address both online and offline data collection methods as required under the Data Privacy Act. The notice should specify different collection methods, data types collected through each channel, and ensure accessibility requirements are met for both digital and physical distribution to comply with National Privacy Commission standards.
About the External Privacy Notice
An External Privacy Notice is a critical legal document that every organization collecting personal data in the Philippines must provide to data subjects. Under the Data Privacy Act of 2012, you are legally required to inform individuals about how their personal information will be collected, used, stored, and shared before processing begins.
When do you need this document?
You need an External Privacy Notice whenever your organization collects personal information from customers, website visitors, mobile app users, or any other individuals. This includes e-commerce websites collecting customer details, mobile applications requesting user permissions, marketing campaigns gathering contact information, and physical businesses collecting customer data through forms or transactions. The notice must be provided at the point of collection, whether through your website's privacy policy page, mobile app disclosure screens, or physical forms at your business premises.
Key legal considerations
Your External Privacy Notice must include specific mandatory elements under Philippine law. You must clearly identify yourself as the data controller, specify the types of personal data you collect and their sources, explain the legal basis for processing, and detail how the information will be used. The notice must also disclose any third parties who will receive the data, describe your security measures, explain data retention periods, and inform individuals of their rights including access, correction, and deletion. The language must be clear and understandable, avoiding complex legal jargon that could confuse data subjects. You must also provide contact information for your Data Protection Officer if applicable, and explain how individuals can exercise their rights or file complaints with the National Privacy Commission.
Legal requirements in the Philippines
Republic Act No. 10173 and its Implementing Rules and Regulations establish strict requirements for External Privacy Notices in the Philippines. The notice must be provided before or at the time of data collection, and you cannot proceed with processing without proper notification. NPC Circular No. 16-01 provides additional guidance on security disclosures that must be included. Your notice must comply with the constitutional right to privacy under Article III, Section 3 of the 1987 Constitution. For digital businesses, Republic Act No. 8792 (E-Commerce Act) may impose additional disclosure requirements. The National Privacy Commission has enforcement authority and can impose penalties for non-compliance, including fines and cessation orders. Regular updates are required whenever you change your data processing activities, introduce new purposes, or modify security measures.
GOVERNING LAW
Applicable law
This External Privacy Notice is drafted to comply with Philippine law. Key legislation includes:
Genie's Security Promise
Genie is the safest place to draft. Here's how we prioritise your privacy and security.
Your data is private:
We do not train on your data; Genie's AI improves independently
All data stored on Genie is private to your organisation
Your documents are protected:
Your documents are protected by ultra-secure 256-bit encryption
We are ISO27001 certified, so your data is secure
Organizational security:
You retain IP ownership of your documents and their information
You have full control over your data and who gets to see it