LabanPH

My personal data was leaked or breached โ€” what are my rights?

Last updated: 2026-07-11 ยท Educational content; not legal advice.

Short answer

Under the Data Privacy Act (RA 10173), a company that suffers a breach of sensitive personal information that is likely to cause serious harm must promptly notify both the National Privacy Commission and the affected data subjects (ยง20(f)). As a data subject you have the right to be informed, to access your data, to correct it, to block or erase it, and to be indemnified for damages you suffered from the unlawful or unauthorized processing (ยง16). If a company hid a breach or was negligent, you can complain to the NPC, which can investigate, fine, and refer the matter for prosecution.

Primary sources

Frequently asked

When must a company tell me about a breach?

RA 10173 ยง20(f) and NPC Circular 16-03 require notification within 72 hours of knowledge of a breach of sensitive personal information that is likely, under the circumstances, to give rise to a real risk of serious harm to affected data subjects. Notice goes to both the NPC and to you.

Can I claim money for a breach?

RA 10173 ยง16(f) gives a right to be indemnified for damages sustained due to inaccurate, unlawfully obtained, or unauthorized use of your data. Damages are pursued through the NPC process and, ultimately, the courts; keep proof of the loss or harm you suffered.

What if the company covered it up?

Concealing a breach that must be reported is itself an offense under RA 10173. File with the NPC โ€” it can investigate, impose administrative fines, and refer intentional concealment for criminal prosecution.

Take action

Related issues

Got a similar problem?

File a complaint and we'll pre-fill BSP, SEC, DTI, and small-claims letters for you.

More on Data Privacy โ†’

Contact-list scraping, unauthorized data use, and how to file with the NPC.

Other questions

๐Ÿ’ฌ