2 March 2026
Through recent announcements issued via its official communication channels, including its website and social media pages, the Philippine National Privacy Commission (NPC) reminded all personal information controllers (PICs) and personal information processors (PIPs) subject to Republic Act No. 10173, or the Data Privacy Act of 2012 (DPA), to submit their 2025 annual security incident report (ASIR) by 31 March 2026. The NPC emphasized in its announcement that the obligation to file the ASIR applies regardless of an organization’s registration classification under NPC Circular No. 2022‑04.
The NPC also reminded covered PICs and PIPs that ASIRs must be submitted only through the Data Breach Notification Management System (DBNMS) online platform. Submissions made through other means will not be accepted.
Once an ASIR has been filed, it cannot be amended or modified. Thus, to avoid any errors, the NPC advises PICs and PIPs to make use of the “Save as Draft” function within the DBNMS while completing the report, particularly where information is still being validated or finalized.
If a submitted ASIR contains inaccuracies, the reporting organization may request the removal of the erroneous filing by contacting admindbnms@privacy.gov.ph. After the deletion is confirmed, the PIC or PIP may prepare and submit a replacement report.
Failure to submit an ASIR constitutes noncompliance with the NPC requirements and may result in the issuance of a compliance order directing the organization to file the required report. Continued noncompliance with such an order may lead to the imposition of an administrative penalty of up to PHP 50,000 (approximately USD 900).
Recommended Action
Organizations covered by the DPA are encouraged to begin internal preparations to ensure timely and accurate submission of their 2025 ASIR ahead of the 31 March 2026 deadline.
Quisumbing Torres is prepared to assist organizations by reviewing draft ASIRs, clarifying submission requirements under NPC regulations, and advising on practical measures to minimize filing errors.
For further information or assistance with data privacy and security compliance matters, please contact Quisumbing Torres’ Intellectual Property, Data and Technology Practice Group.