Unlawful Processing of Personal Information: Criminal Liabilities of Corporate Data Protection Officers (DPOs) Under the Data Privacy Act
Introduction
Companies often treat data privacy as a compliance checklist, but the Philippine Data Privacy Act of 2012 treats certain violations as criminal offenses punishable by imprisonment. For corporate officers and compliance leaders—especially Data Protection Officers (DPOs) and executives who influence data use—this means exposure not only to regulatory sanctions, but also to jail time where the mishandling of customer data is intentional and unlawful.
This article explains how unlawful (unauthorized) processing and related offenses arise under the Data Privacy Act, when consent is not enough (or is absent), and why corporate roles do not automatically shield individuals from criminal liability.
Governing Law: Data Privacy Act and Its Implementing Rules
The primary statute is R.A. No. 10173 (Data Privacy Act of 2012). Its penal provisions include criminal liability for unlawful processing and unauthorized disclosure, among others. The IRR of R.A. No. 10173 contains parallel penalty provisions and supports enforcement.
Two provisions matter most for “compliance warning” purposes where executives intentionally mishandle customer data:
- Processing personal information or sensitive personal information for unauthorized purposes (R.A. No. 10173, Section 28).
- Unauthorized disclosure of personal information or sensitive personal information (R.A. No. 10173, Section 32).
What “Processing” Covers (and Why Executives Can Be Implicated)
Under the Data Privacy Act concept, “processing” is broad and commonly covers the end-to-end data lifecycle: collection, recording, storage, updating, retrieval, use, sharing/transmission, and deletion of personal data. As a result, unlawful processing risks may arise not only from IT operations, but also from management decisions—such as instructing teams to collect excessive data, repurpose data for collections tactics, or share customer details with third parties.
In disciplinary proceedings involving a lawyer, the Supreme Court discussed the elements for liability under unauthorized processing and examined whether requesting, obtaining, and using a marriage certificate in litigation is “processing” and whether it is authorized—emphasizing the central question of authorization under the Act or existing law (Azarraga v. Jalbuna, A.C. No. 13678, 2023).
Offense 1: Processing Personal Information for Unauthorized Purposes (R.A. No. 10173, Sec. 28)
R.A. No. 10173, Section 28 penalizes the processing of personal information (and separately, sensitive personal information) for purposes not authorized by the data subject or otherwise authorized under the Act or existing laws.
Penalties Under Section 28
Section 28 sets different penalties depending on whether the data is personal information or sensitive personal information:
- Personal information for unauthorized purposes: imprisonment of 1 year and 6 months to 5 years, and a fine of Php 500,000 to Php 1,000,000 (R.A. No. 10173, Section 28).
- Sensitive personal information for unauthorized purposes: imprisonment of 2 years to 7 years, and a fine of Php 500,000 to Php 2,000,000 (R.A. No. 10173, Section 28).
Common Corporate Scenarios That Trigger Section 28 Risk
Below are typical patterns that can be argued as “unauthorized purpose” processing—especially when done intentionally:
- Collections and shaming tactics: using a borrower’s contact list or personal details to send messages to friends or coworkers to pressure payment, when that purpose was not properly disclosed and consented to.
- Repurposing customer data: using customer onboarding data (e.g., IDs, addresses, employment details) for marketing, profiling, or disclosure to affiliates beyond what the privacy notice authorizes.
- Overcollection + repurposing: gathering more data than needed, then using it for objectives not aligned with the declared purpose.
In Trimillos v. FCash Global Lending, Inc., G.R. No. 271360, 2025, the National Privacy Commission (NPC) case narrative described alleged overcollection and processing beyond the company’s stated privacy policy, including sending messages to the complainant’s contacts.
Offense 2: Unauthorized Disclosure (R.A. No. 10173, Sec. 32)
R.A. No. 10173, Section 32 punishes a personal information controller (PIC) or personal information processor (PIP), and their officials, employees, or agents, who disclose personal information or sensitive personal information to a third party without consent (when not covered by the preceding section referenced by the law).
Penalties Under Section 32
- Unauthorized disclosure of personal information: imprisonment of 1 year to 3 years and a fine of Php 500,000 to Php 1,000,000 (R.A. No. 10173, Section 32[a]).
- Unauthorized disclosure of sensitive personal information: imprisonment of 3 years to 5 years and a fine of Php 500,000 to Php 2,000,000 (R.A. No. 10173, Section 32[b]).
Why DPOs and Executives Face Personal Exposure
From a risk perspective, DPOs and executives become vulnerable where they are alleged to have personally participated in the unlawful processing/disclosure, directed it, or knowingly allowed it as part of policy or operations. The statute expressly reaches “officials, employees, or agents” for unauthorized disclosure (R.A. No. 10173, Section 32), so the fact that an act happened within a corporation does not, by itself, end individual exposure.
In compliance terms, the danger zone is when the internal position is treated as a mere title—while actual decisions and approvals show intentional acts (or approval of acts) that contradict privacy notices, exceed declared purposes, or disregard required authorizations.
Consent Is Not a Universal Shield
Operationally, many violations happen because companies assume “we have consent” ends the analysis. Section 28 is triggered when processing is for a purpose not authorized by the data subject (or by the Act or existing laws) (R.A. No. 10173, Section 28). If consent was vague, bundled, forced, or inconsistent with the actual use, it may not protect the processing—especially where the real use is materially different from what was disclosed.
When Processing Can Be Authorized Without Consent
Philippine privacy law recognizes situations where processing may be allowed under the Act or existing laws even without consent. In Azarraga v. Jalbuna, A.C. No. 13678, 2023, the Supreme Court evaluated the act of obtaining and using a marriage certificate in relation to litigation and treated the question as whether the processing is lawful and authorized under the Data Privacy Act and related rules, in context (Azarraga v. Jalbuna, A.C. No. 13678, 2023).
For corporate settings, “authorized under law” issues often arise in regulated industries (banking, lending, insurance, telecoms) and in compelled disclosures (e.g., lawful orders). These require careful legal review because the scope is not unlimited, and “industry practice” is not the same as a legal basis.
Summary Table: Criminal Penalties Most Relevant to Intentional Mishandling
| Offense | Data Covered | Imprisonment | Fine | Legal Basis |
|---|---|---|---|---|
| Processing for unauthorized purposes | Personal information | 1 year and 6 months to 5 years | Php 500,000 to Php 1,000,000 | R.A. No. 10173, Section 28 |
| Processing for unauthorized purposes | Sensitive personal information | 2 years to 7 years | Php 500,000 to Php 2,000,000 | R.A. No. 10173, Section 28 |
| Unauthorized disclosure to a third party | Personal information | 1 year to 3 years | Php 500,000 to Php 1,000,000 | R.A. No. 10173, Section 32(a) |
| Unauthorized disclosure to a third party | Sensitive personal information | 3 years to 5 years | Php 500,000 to Php 2,000,000 | R.A. No. 10173, Section 32(b) |
Compliance Notes for DPOs and Executives
The compliance objective is to prevent business-driven “workarounds” from becoming evidence of intentional unlawful processing. The following controls are commonly expected in mature programs:
- Purpose limitation discipline: lock data uses to specific, documented purposes; treat new use cases as a formal change requiring legal review and updated notices/consents where needed.
- Collections governance: prohibit harassment/shaming workflows that rely on contact scraping or third-party disclosures; ensure collections vendors follow the same rules.
- Role-based access and audit trails: restrict who can export/share customer data and keep logs that can prove legitimate use.
- Vendor controls: require contractual restrictions on processors, including limits on sub-processing and sharing.
- Incident response that preserves evidence: where questionable processing is discovered, stop the activity, document remedial steps, and obtain counsel for exposure assessment.
Final Observations
The Data Privacy Act treats intentional misuse of customer information as a criminal matter in defined situations, particularly where data is processed for an unauthorized purpose or disclosed without consent. For DPOs and corporate decision-makers, risk is highest when internal policies, directives, or tolerated practices show that the organization knowingly used personal or sensitive personal information in ways not permitted by the data subject’s authorization or by law (R.A. No. 10173, Sections 28 and 32).
A defensible program is one where declared purposes match actual processing, third-party disclosures are controlled, and escalation occurs before “business-as-usual” becomes a criminal exposure issue.
About Nicolas and De Vega Law Offices
Nicolas and de Vega Law Offices is a full-service law firm in the Philippines. You may visit us at the 16th Flr., Suite 1607 AIC Burgundy Empire Tower, ADB Ave., Ortigas Center, 1605 Pasig City, Metro Manila, Philippines. You may also call us at +632 84706126, +632 84706130, +632 84016392 or e-mail us at [email protected]. Visit our website https://ndvlaw.com.

