After a data breach exposed my info, must the company notify me โ and how fast?
Last updated: 2026-07-12 ยท Educational content; not legal advice.
Short answer
Yes, in the serious cases. NPC Circular No. 16-03 (Personal Data Breach Management) requires a company to notify both the National Privacy Commission and the affected data subjects within 72 hours of knowing, or reasonably believing, that a notifiable breach happened. A breach is notifiable when it involves sensitive personal information or information that could be used for identity fraud, was likely acquired by an unauthorized person, and poses a real risk of serious harm. The company must also submit a full breach report to the NPC (within five days unless the NPC grants more time). If you were not notified when you should have been, that failure is itself a violation you can report.
Primary sources
Frequently asked
What must the notice tell me?
Under NPC Circular 16-03 the notice should describe the nature of the breach, the personal data likely involved, the measures taken or proposed to address it, and how you can reduce your risk (e.g., change passwords, watch for fraud). It must be given in a way that reasonably reaches you.
Does every breach have to be reported?
No. Mandatory notification is triggered when the breach involves sensitive personal information or data enabling identity fraud, was likely acquired by an unauthorized person, and creates a real risk of serious harm. Lower-risk incidents may not require individual notice, but the company must still document them.
They knew for weeks and never told me โ is that illegal?
Failing to notify within the 72-hour window for a notifiable breach, or concealing a breach, is a violation. Report it to the NPC; concealment of a security breach can carry criminal penalties under RA 10173.
Take action
Related companies
Got a similar problem?
File a complaint and we'll pre-fill BSP, SEC, DTI, and small-claims letters for you.
Contact-list scraping, unauthorized data use, and how to file with the NPC.