Compliance with the Philippine Data Privacy Act 2023 - A Guide For Employers

Share this article
Example H2
Example H3
Example H4


Most organizations in the Philippines conduct pre-employment background checks to verify the candidate’s credentials and reduce the risk of bringing in bad hires. However, it’s not enough to simply complete the checks. The Philippines, after all, has a strict law that dictates the proper way to conduct them. Is your company compliant with the law? What are the consequences of processing personal information without the right order in place? Learn more about the Philippine Data Privacy Act (DPA) and how it affects background checks for employment here.


Types Of Background Checks Businesses Commonly Run On Filipino Employees And Contractors

Before signing the employment contract or officially onboarding the candidate, companies often conduct standard background checks, including the following:

  • Criminal History. Employers usually ask candidates to present an NBI Clearance form, which shows that their criminal background check by the National Bureau of Investigation (NBI) came back clean. 
  • Employment Verification. The HR Department usually gets in touch with the candidate’s previous employers to determine details like dates of employment, roles, and achievements. 
  • Reference Checks by contacting the references provided by the applicant to gain insights into their credentials and work attitude. 
  • Educational Background. Companies often call the candidate’s previous college or university to request information, like graduation dates, courses, and honors. 

Depending on the industry and position, organizations may also conduct additional background checks, like credit scores, health checks, and social media profiles


But, Are Background Checks Legal in The Philippines?

Conducting these background checks requires the processing of personal, and sometimes, sensitive information. For it to be legal, the whole process should be in accordance with the Data Privacy Act.  Processing refers to any operation performed upon personal information, including, but not limited to, collection, storage, and destruction of data. 

Generally, pre-employment background screening is legal so long as the stipulations of the law are met. As an employer, if you process personal information illegally, you may pay fines and even face imprisonment. 

Data Privacy Act in the Philippines and How It Affects Background Checks for Employment

The Data Privacy Act in the Philippines is not designed specifically for background screening. However, its stipulations dictate how an organization can process personal, and sometimes, sensitive information. Failure to comply with these conditions has legal consequences. In the following sections, we’ll discuss DPA in connection with background checks for employment. 

What’s Considered As Personal Information?

When you conduct background checks, you need to process personal information. Personal information refers to any information that can be used to identify the candidate or employee. It also includes information that, when combined with other data, can directly or certainly identify the individual. 

General Principles of the Data Privacy Act

The processing of personal information, which employers utilize for background checks, is allowed as long as it complies with the DPA and other applicable laws. The general principles of the Philippine Data Privacy Act center on the following:

  • The information should only be processed in a way that’s compatible with a legitimate, declared, and specified purpose. Note that the purpose must not be contrary to morals, laws, or public policy. 
  • Employers must process personal information that is only necessary, relevant, adequate, and not excessive for the declared legitimate purpose. 
  • The information should be accurate and complete; inaccurate or incomplete data must be corrected, supplemented, or destroyed, or there should be restrictions in processing them further. 
  • Companies must only keep personal information for only as long as necessary for the purpose for which it was collected. 
  • The information must also be kept in a form that identifies the candidate or employee for no longer than necessary. 


What It Means For The Information To Be Processed and Retained Lawfully 

As an employer, you must know how to legally process and retain personal information. 

The processing of information is lawful when it follows the principles of DPA, is not prohibited by the law, and when at least one condition outlined in Section 12 of DPA exists. 

There are several conditions listed in Section 12. Among them, the most relevant for employers is obtaining the candidate or employee consent. They must be informed of the purpose, nature, and extent of the processing of their information. This involves the safeguards and risks involved and their rights. Note that the applicant has the right to refuse, withdraw consent or object. 

Another condition that makes the processing of information lawful is when the processing is necessary for the company to comply with a legal obligation they are subject to. 

On the other hand, the retention of personal information should only be for as long as necessary for the legitimate purpose declared. Aside from this, companies can also retain the information:

  • For the establishment, exercise, and defense of legal claims 
  • For a legitimate business purpose consistent with the standards followed by the industry or approved by the appropriate government agency 

After retaining the information per the law, it should be disposed of or discarded securely in such a way that prevents unauthorized access, further processing, or disclosure to another party or the public. 


Is Processing of Sensitive Personal Information Legal?

While conducting background checks, employers usually need to access some sensitive personal information. According to the DPA, sensitive personal information includes:

  • Age
  • Ethnic origin 
  • Race
  • Marital status
  • Color 
  • Philosophical, religious, and political affiliations
  • Education 
  • Genetics 
  • Health
  • Intimate relationships
  • Proceeding for any offense committed or alleged to have been committed by an individual
  • Government-issued IDs 
  • Those established by an executive order or an act of Congress to be kept classified.


However, the processing of sensitive personal information is prohibited. Employers can only process sensitive personal information if they satisfy certain conditions under the Data Privacy Act. One such condition is when the candidate or employee has given their consent before the processing. 

Other cases where the processing of sensitive personal information is legal is when it is:

  • Necessary to achieve the lawful and noncommercial objectives of public organizations and their associations, provided that the information stays within the bona fide members of the concerned organization or associations, is not transferred to third parties, and provided that the individual has given their consent before the processing. 
  • Provided for by existing laws and regulations, provided that the said laws and regulations do not require the individual’s consent and guarantee the protection of personal data. 
  • Necessary to protect the health and life of the individual or another person, and the concerned cannot physically or legally provide their consent before the processing.  
  • Necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise, or defense of legal claims, or when provided to government or public authority.
  • It is necessary for medical treatment, provided that it is carried out by a medical practitioner or institution and that measures were taken to protect the information. 

The Rights of Candidates According to the Data Privacy Act

Before the processing of their personal information, an applicant or employee must be informed that their personal information will be processed. As employers, you must inform them of the following before entering their personal data into your system:

  • The description of the personal information to be entered into the system
  • The reason why they are being or will be processed
  • The scope and method of the personal information processing
  • The recipients or classes of recipients to whom the information is or may be disclosed
  • The methods used for automated access, if allowed by the candidate or employee, and the extent to which such access is permitted
  • The identity and contact details of the ones processing the information
  • The existence of the employee's or candidate’s rights

The individual also has the right to demand reasonable access to their information, including the content and sources from which the data was obtained. 

Likewise, the candidate or employee has the right to dispute incomplete or inaccurate information and ask the company to correct it. The third parties who have received the previous information must also be informed of its inaccuracies and rectifications upon the request of the applicant or employee. 

If there is proof that the personal information is inaccurate, outdated, incomplete, illegally obtained, used for unauthorized purposes, or are no longer necessary for the purposes for which they were collected, the individual has the right to order the blocking, removal, or destruction of the information from the company’s system. 

Finally, should there be damages due to inaccurate, outdated, incomplete, illegally obtained and used information, the individual has the right to be protected from legal consequences. 


Penalties For Failing To Comply

The Philippine Data Privacy Act has a long list of penalties should the data process controller, which in this case, is the company, fails to comply with the stipulations. Below is a table showing the type of violation and and their corresponding penalties: 

Violation Imprisonment Fine
Personal Information Sensitive Personal Information Personal Information Sensitive Personal Information
Unauthorized Processing 1 – 3 years 3 – 6 years P500,000 – P2,000,000 P500,000 – P4,000,000
Accessing Due to Negligence 1 – 3 years 3 – 6 years P500,000 – P2,000,000 P500,000 – P4,000,000
Improper Disposal 6 months – 2 years 1 – 3 years P100,000 – P500,000 P100,000 – P1,000,000
Processing for Unauthorized Purposes 1 year and 6 months – 5 years 2 – 7 years P500,000 – P1,000,000 P500,000 – P2,000,000
Unauthorized Disclosure 1 – 3 years 3 – 5 years P500,000 – P1,000,000 P1,000,000 – P5,000,000
Concealment of Security Breaches 1 year and 6 months – 5 years P500,000 – P1,000,000
Unauthorized Access or Intentional Breach 1 – 3 years P500,000 – P2,000,000
Malicious Disclosure 1 year and 6 months – 5 years P500,000 – P1,000,000
Combination or Series of Acts 3 – 6 years P1,000,000 – P5,000,000

Proposed Changes to the Data Privacy Act

In 2022, two House Bills - 892 and 898 - were filed, seeking to make some amendments to the current Data Privacy Act. Should amendments from House Bill 892 be approved, employers can expect the following changes:

  • Increased penalties both for fines and period of imprisonment for violating DPA
  • Perpetual and absolute disqualification for a public official or employee who violates DPA

Meanwhile, some of the amendments House Bill 898 seeks include:

  • Defining biometric and genetic data
  • Including biometric and genetic data, and labor affiliation, under sensitive information
  • Including the performance of a contract as a new criterion of the lawful basis for processing sensitive personal information.

Background Check Mistakes to Avoid in the Philippines

Considering the stipulations under the Data Privacy Act, below are some of the common mistakes employers make when conducting background checks:

  • Not having a strong policy in place to process, store, and discard personal information securely. This opens your company to errors that may have legal consequences. 
  • Not obtaining formal written consent. Many private companies in the Philippines simply ask candidates to provide documents, such as Annual Physical Exam results and Transcripts of Records from their colleges and universities. However, they usually do not obtain formal written consent specifically explaining how they are going to process and store these documents. Education and health information are sensitive personal information and processing them without consent is illegal. Learn more about verifying application documents here.
  • Collecting more information than necessary. Some companies feel that it’s better to collect more information in case they need it later. However, having more information also means the company is more vulnerable to legal violations. 
  • Electing to ignore the law altogether thinking that mistakes made by small companies go undetected. 


Many startups or small businesses also make the huge mistake of skipping background checks. Background checks verify if the credentials a candidate presents are authentic, helping you choose the talent that has the knowledge and skills to take on the role. Furthermore, some background checks, like criminal history checks, help promote workplace safety, preventing you from hiring someone who might be a threat to the company and the public. Hence, it’s a huge mistake to not conduct background checks at all. Learn more about Background Checks for Small Businesses here.

How Veremark Can Help

While most companies are aware that the country has a Data Privacy Act, many may not have adequate knowledge of how its principles affect their business. It’s also possible that they understand its conditions but don’t have the resources and experience to ensure compliance. As a result, they may unintentionally process candidate and employee data illegally while conducting background checks. 

Veremark has the processes, technology, and compliance framework to safeguard personal information. Trusted by the world’s best workplaces, including countless Filipino business in the Tech, IT, Outsourcing and Staffing and Professional Services sectors, Veremark conducts background checks in accordance with the Data Privacy Act and other relevant laws, significantly reducing the risk of legal consequences. We guarantee an accurate and straightforward presentation of screening results so you can make informed hiring decisions and ensure total compliance throughout.


It’s a best practice to conduct background checks on candidates to verify their credentials and gain insights into their personality. However, it’s not enough to simply complete the necessary checks. If your company processes personal information and sensitive data without the right order in place, you risk paying at least hundreds of thousands of pesos and facing several years in prison. It is for this reason that many organizations choose to partner with expert third parties like Veremark, a background screening provider capable of conducting multiple checks while staying compliant with the Data Privacy Act and other applicable rules and regulations. 

Share this article

Popular Packages



No items found.


What background check do I need?

This depends on the industry and type of role you are recruiting for. To determine whether you need reference checks, identity checks, bankruptcy checks, civil background checks, credit checks for employment or any of the other background checks we offer, chat to our team of dedicated account managers.

Why should employers check the background of potential employees?

Many industries have compliance-related employment check requirements. And even if your industry doesn’t, remember that your staff have access to assets and data that must be protected. When you employ a new staff member you need to be certain that they have the best interests of your business at heart. Carrying out comprehensive background checking helps mitigate risk and ensures a safer hiring decision.

How long do background checks take?

Again, this depends on the type of checks you need. Simple identity checks can be carried out in as little as a few hours but a worldwide criminal background check for instance might take several weeks. A simple pre-employment check package takes around a week. Our account managers are specialists and can provide detailed information into which checks you need and how long they will take.

Can you do a background check online?

All Veremark checks are carried out online and digitally. This eliminates the need to collect, store and manage paper documents and information making the process faster, more efficient and ensures complete safety of candidate data and documents.

What are the benefits of a background check?

In a competitive marketplace, making the right hiring decisions is key to the success of your company. Employment background checks enables you to understand more about your candidates before making crucial decisions which can have either beneficial or catastrophic effects on your business.

What does a background check show?

Background checks not only provide useful insights into a candidate’s work history, skills and education, but they can also offer richer detail into someone’s personality and character traits. This gives you a huge advantage when considering who to hire. Background checking also ensures that candidates are legally allowed to carry out certain roles, failed criminal and credit checks could prevent them from working with vulnerable people or in a financial function.

Transform your hiring process

Request a discovery session with one of our background screening experts today.

10 Biggest Problems Recruiters Face and How to Overcome Them

What are the ten biggest problems recruiters face?

Recruitment is one of the most challenging processes a company faces, but if done well, it can pay off well in the long run. As the resignation wave rises, the competition for top talent will only intensify in the future.

In such a competitive recruitment landscape, the talent acquisition teams face many challenges in their hiring processes.

A recruiter plays a vital role in the entire recruitment process and is key to ensuring a good candidate experience. Moreover, he deals with each phase of the recruitment process, from attracting the most suitable candidates to screening, interview scheduling, final selection, and onboarding. Even though the most critical success criteria for a recruiter is to fill the open position within a minimum time, they also must ensure cordial relationships with candidates who have not been successful in enhancing the employer brand value of the company. A good recruiter can handle rejection gracefully and convert the denial into a fruitful relationship.

The recruiter has to give equal focus and effort to each stage of the recruitment process and move along with successful candidates until the onboarding stage. Moreover, they must confront challenges along the recruitment process, and the ten most significant problems they face are covered in this paper.

In this report, we discuss:

- Attracting the right talent

- Hiring efficiently

- Engaging quickly and warmly with qualified candidates

- Getting selected candidates on-boarding on time

- Recruiting accurately and fairly

- Ensuring diversity in hiring

- Meeting client briefs

- Value creation for the client

- Data-driven recruitment

- Create an efficient recruiting process

- Methods to overcome problems

- Creating a talent pipeline

- Upskilling and Reskilling Internal candidates

- Ensuring a good candidate experience for enhanced employer brand value

- Multiple tests to improve hiring accuracy

- Leverage multiple sourcing channels to diversify your candidate base

- Human Resource (HR) Technology Implementation

- Application Tracking System (ATS)

- Artificial Intelligence and Automation in Hiring

- Conversational AI for improved candidate experience

- Digital reference check and background verification

- Video Interviews

- Blockchain in hiring

The future of work is still in progress and it will continue to evolve as organisations adopt newer workplace models to meet emoloyee expectations. The remote work model, along with the great resignation wave, has made recruiter tasks challenging, as they have a limited talent pool from which to fill open positions.

The challenges will continue to persist as organisations must reimagine the future of work to overcome the challenge of this great resignation wave, and other changes in demand for improved candidate and employee experiences.

Get your own copy!