NPC clarifies rules on exemption, postponement of data breach notifications

On May 11, the National Privacy Commission (NPC) issued NPC Advisory No. 2026-02, titled “Clarification on the Submission of Personal Data Breach Notification Through Data Breach Notification Management System,” as reported by BusinessWorld . The advisory addresses how personal information controllers (PICs) may request exemption, postponement, or use alternative means of notification for data breach incidents.

Under Section 20(f) of Republic Act No. 10173, or the Data Privacy Act, PICs are required to promptly notify the NPC and affected data subjects in the event of a personal data breach. The new advisory clarifies the process for submitting such notifications through the Data Breach Notification Management System, including when exemptions or postponements may be granted.

The NPC emphasized that requests for alternative notification methods must be justified and submitted in accordance with the advisory’s guidelines. This move aims to streamline compliance while ensuring that data subjects are adequately informed of breaches that may compromise their personal information.

Related stories

ICTSI acquires 100% stake in Brazil firm

US eyes new tariffs on Philippines, 59 other countries

Customs posts record P11.3 billion surplus as of June 2