4 June 2026
The National Privacy Commission (NPC) has issued Advisory No. 2026-02 (“Advisory”), prescribing additional guidelines on the submission of personal data breach notifications through the Data Breach Notification Management System (DBNMS).
In particular, the Advisory clarifies the rules applicable to requests for postponement, exemption, or alternative means of notifying affected data subjects, as well as requests for extension in the submission of required documents under NPC Circular No. 16‑03 on Personal Data Breach Management.
Organizations that have experienced, or may experience, a personal data breach should review their breach response procedures against these clarifications to avoid business disruption, administrative penalties, and potential liabilities under Philippine data privacy regulations.
Key takeaways
The Advisory introduces the following procedural clarifications:
- A personal information controller (PIC) may not simultaneously file: (1) a request for exemption to notify affected data subjects and a request for postponement of such notification; or (2) a request for exemption and a request for alternative means of notification, for the same breach incident. Filing mutually exclusive requests may result in the denial of one or all such requests.
- A request for postponement and a request for alternative means of notification may, however, be filed concurrently.
- A personal data breach is treated as a single incident where it involves the same affected data subjects, personal data, and nature of breach. Changes in circumstances must be reflected in the full breach report.
- PICs must clearly state the grounds for each request and submit supporting documents.
- Submitting a request through the DBNMS does not suspend a PIC’s obligations under NPC Circular No. 16-03. Unless such request is acted upon, the full breach report must be submitted within five (5) days from the date of discovery to admindbnms@privacy.gov.ph.
- NPC inaction does not constitute approval. All approvals must be expressly issued in writing by the Commission.
In more detail
The Advisory provides structured guidance across the following areas:
- Mutually exclusive requests. A PIC may not simultaneously file a request for exemption alongside either a request for postponement or a request for alternative means of notification for the same breach. These are mutually exclusive requests since an exemption presupposes that notification is not owed, while the other two presuppose that it is. Invoking incompatible requests may result in the denial of one or all of them.
- Single incident rule. A personal data breach is treated as a single incident where it involves the same affected data subjects, personal data, and nature of breach. Any change in circumstances, including a change in the number of affected data subjects or the data elements involved, must be included in the full breach report.
- Grounds and documentation. PICs must determine and clearly state the most appropriate grounds for each request, supported by corresponding documentation. With respect to requests for alternative means of notification, nothing prevents the PIC from advising stakeholders of the fact of the breach pending approval of such request.
- Continuing compliance obligations. Submission of a request through the DBNMS does not relieve the PIC of its obligations under NPC Circular No. 16-03. Unless the request is acted upon, the full breach report must be submitted within five (5) days from the date of discovery to admindbnms@privacy.gov.ph with the subject line FBR_NameofPIC_NameofDPO. Compliance-related queries (except those pertaining to DBNMS requests) may be directed to compliancesupport@privacy.gov.ph.
- No implied approval and sanctions for non-compliance. All approvals must be expressly issued in writing. NPC inaction shall not be construed as approval, implied consent, or automatic grant of any request, nor may it serve as a justification for noncompliance. Violations of the foregoing rules may result in administrative fines under NPC Circular No. 2022-01 on Guidelines on Administrative Fines.
How this affects your business
Organizations should review their breach response playbooks to reflect the mutually exclusive nature of certain DBNMS requests, ensure that full breach reports are filed within the mandatory five-day window regardless of any pending request, and document the grounds and supporting materials for any request submitted to the NPC. If you have questions about how the Advisory applies to your organization, or if you would like to update or review your data breach response protocols and procedures, our team in Quisumbing Torres is well-equipped to assist.