What is the mandatory time frame for officially reporting a personal data breach to the Commission?
A personal information controller is strictly required by law to formally notify both the Commission and the heavily affected data subjects within an urgent operational time frame. The specific legal deadline is exactly seventy-two hours upon gaining confirmed and verified knowledge of the breach. This rule also fully applies when there is a reasonable belief by the active controller or processor that a serious data breach requiring formal notification has unfortunately occurred. This crucial temporal requirement for breach reporting is mandated in Section 38 IRR. “a. The Commission and affected data subjects shall be notified by the personal information controller within seventy-two (72) hours upon knowledge of, or when there is reasonable belief by the personal information controller or personal information processor that, a personal data breach requiring notification has occurred.” 20-May-26About Nicolas and De Vega Law Offices
Nicolas and De Vega Law Offices is a full-service law firm in the Philippines. You may visit us at the 16th Flr., Suite 1607 AIC Burgundy Empire Tower, ADB Ave., Ortigas Center, 1605 Pasig City, Metro Manila, Philippines. You may also call us at +632 84706126, +632 84706130, +632 84016392 or e-mail us at [email protected]. Visit our website https://ndvlaw.com/.

