Receiving a Data Privacy Act complaint can feel alarming because the notice may mention privacy violations, data breaches, damages, fines, and even possible criminal referral. In the Philippines, however, a Data Privacy Act case is not automatically valid just because someone filed it. Many complaints before the National Privacy Commission (NPC) are dismissed because they are procedurally defective, unsupported by evidence, outside the scope of Republic Act No. 10173, or filed before the complainant first gave the respondent a fair chance to address the issue. The correct approach depends on where the case is pending: the NPC, the prosecutor’s office/DOJ, or a court.
First, identify what kind of “Data Privacy Act case” you are facing
A “Data Privacy Act case” in the Philippines can mean different things:
| Type of case | Where it is handled | What dismissal usually means |
|---|---|---|
| NPC administrative complaint | National Privacy Commission | Complaint dismissed outright, dismissed after investigation, settled, withdrawn, or dismissed due to lack of merit |
| Criminal complaint | Prosecutor’s office or DOJ, often after NPC referral | Complaint dismissed at preliminary investigation, or information not filed in court |
| Civil claim for damages | Regular courts, sometimes linked to NPC findings | Case dismissed under the Rules of Court or claim denied on the merits |
| Internal complaint or demand letter | Company, school, employer, platform, bank, clinic, condo admin, etc. | Matter resolved before it becomes an NPC complaint |
Most people searching “how to dismiss a Data Privacy Act case” are dealing with an NPC complaint. That is important because the NPC’s current procedural rules do not allow a regular “motion to dismiss” in the way many people expect from court practice. Under the 2021 NPC Rules of Procedure, as amended by NPC Circular No. 2024-01, motions to dismiss are prohibited pleadings; instead, a respondent raises dismissal grounds as affirmative defenses in the verified comment.
The legal basis: what the Data Privacy Act actually covers
The main law is Republic Act No. 10173, or the Data Privacy Act of 2012. It protects personal information in government and private-sector information systems and created the National Privacy Commission to administer and enforce the law.
The law applies to the processing of personal information by natural or juridical persons, including some controllers and processors not established in the Philippines if they use equipment in the Philippines or have the required Philippine link. It also has extraterritorial application when the act or processing relates to personal information about a Philippine citizen or resident, or when the entity has links with the Philippines. (National Privacy Commission)
Key terms matter:
- Personal information means information from which an individual’s identity is apparent or can be reasonably and directly ascertained.
- Sensitive personal information includes data about health, education, marital status, age, government-issued identifiers, licenses, tax returns, and similar protected information.
- Processing includes collection, recording, storage, use, disclosure, sharing, blocking, erasure, and destruction of personal data. (National Privacy Commission)
A complaint is weaker if it does not clearly identify:
- the personal data involved;
- the specific processing act complained of;
- the respondent’s role as personal information controller, processor, employee, officer, or agent;
- the DPA provision or NPC issuance allegedly violated; and
- the evidence showing harm, unauthorized processing, breach, unlawful disclosure, or another legally recognized violation.
Can a Data Privacy Act case be dismissed?
Yes. A DPA case may be dismissed for procedural defects, lack of jurisdiction, lack of evidence, prescription, prior judgment, pending related action, waiver, settlement, withdrawal, or failure to show a violation of the Data Privacy Act.
But in an NPC complaint, the practical answer is this:
Do not file a pleading titled “Motion to Dismiss” unless the NPC specifically allows it in a particular context. The usual response is a verified comment that raises all defenses, including affirmative defenses that, if accepted, justify dismissal.
Under the amended NPC Rules, the Investigating Officer may dismiss a complaint outright within 30 calendar days from receipt of the complaint on any of these grounds:
- the complaint is insufficient in form or does not comply with the required contents;
- the complainant did not give the respondent an opportunity to address the complaint, unless justified;
- the complaint does not pertain to a DPA violation or does not involve a privacy violation or data breach;
- there is insufficient information to substantiate the allegations; or
- the parties, except responsible officers of juridical persons, cannot be identified or traced despite diligence.
Strong grounds to seek dismissal of an NPC Data Privacy Act complaint
1. The complainant did not first exhaust remedies
Before an NPC complaint is given due course, the complainant must generally prove that he or she first informed the personal information controller, personal information processor, or concerned entity in writing about the alleged privacy violation or personal data breach, and that the respondent failed to take timely or appropriate action or failed to respond within 15 calendar days from receipt.
This is one of the most practical dismissal grounds.
Examples:
- A customer immediately files with the NPC without first emailing the bank’s data protection officer.
- An employee complains to the NPC but never sent a written privacy request or complaint to the employer.
- A tenant files against a condominium corporation but did not first ask the condo admin to address the CCTV or ID-processing issue.
- A borrower files against an online lending app but attaches no proof that the app was first informed in writing.
A respondent should attach proof such as:
- the absence of any prior written complaint in company records;
- screenshots or email logs showing no prior notice;
- DPO or customer-support records;
- proof that the complainant’s concern was already addressed within the 15-day period; or
- a written response explaining the lawful basis for processing.
The NPC may waive exhaustion in serious cases, such as where urgent NPC action is needed to prevent grave and irreparable damage, but the complainant must properly allege and prove the basis for waiver.
2. The complaint is not really a Data Privacy Act issue
Not every conflict involving information is a DPA case. A complaint may be dismissible if the real issue is:
- unpaid debt;
- employment discipline;
- defamation or cyberlibel;
- harassment unrelated to data processing;
- a consumer refund dispute;
- a school disciplinary issue;
- a family or relationship dispute;
- an internal corporate fight;
- a purely contractual disagreement; or
- a complaint about information that is not personal data.
For example, a customer who is angry because a company refused a refund may mention “privacy” but fail to identify any unlawful processing of personal information. A former employee may object to an employer keeping HR records, but retention may be lawful if needed for labor, tax, audit, or legal-claim purposes.
A good defense explains the actual nature of the dispute and shows why it falls outside the DPA.
3. There is a lawful basis for processing
A respondent does not always need consent. Under Section 12 of RA 10173, personal information may be processed when at least one lawful basis exists, such as consent, contract, legal obligation, vital interests, public authority, or legitimate interests that are not overridden by the data subject’s fundamental rights and freedoms. (National Privacy Commission)
For sensitive personal information, the rules are stricter, but processing may still be allowed in situations such as specific consent, existing law or regulation, medical treatment, protection of life and health, legal claims, court proceedings, or submission to a government/public authority. (National Privacy Commission)
Common lawful-basis defenses include:
- an employer processed employee records for payroll, benefits, tax, discipline, or DOLE compliance;
- a bank processed customer information for KYC, anti-money laundering, fraud prevention, or BSP-regulated obligations;
- a hospital processed health information for treatment and billing;
- a school processed student data for enrollment, grades, discipline, or statutory reporting;
- a landlord or condominium processed IDs for security and visitor management;
- a business retained transaction records for accounting, tax, audit, legal claims, or fraud prevention.
The defense should identify the specific lawful basis and connect it to the actual facts.
4. The complaint lacks evidence
NPC complaints must include a narration of material facts and supporting testimonial or documentary evidence showing the alleged DPA violation, privacy violation, or personal data breach. The complaint must also attach relevant correspondence and supporting documents, including witness affidavits when necessary. Failure to comply may lead to outright dismissal.
Weak complaints often rely only on statements like:
- “They violated my privacy.”
- “They used my data without permission.”
- “They leaked my information.”
- “They embarrassed me online.”
- “They refused to delete my record.”
Those statements are not enough by themselves. The complainant should normally show what data was processed, who processed it, when, how, why it was unlawful, and what evidence supports the claim.
As respondent, you should point out missing links in the complaint:
- no proof that the alleged disclosure came from you;
- no screenshot, email header, access log, recording, or document trail;
- no evidence that the complainant’s data was included in a breach;
- no proof that your officer or employee participated;
- no proof of damage;
- no proof that the data was inaccurate, unlawfully obtained, or used for an unauthorized purpose.
5. The respondent is wrongly named
A complaint may be defective if it names the wrong party.
Examples:
- The complainant sues the employee personally, but the actual controller is the corporation.
- The complainant sues a platform user, but the platform is only a processor or intermediary.
- A branch employee is named, but the complaint does not allege that the employee personally participated or acted with gross negligence.
- A foreign affiliate is named, but the Philippine entity had no access to the complained-of data.
- A service provider is sued, but it processed data only under the controller’s documented instructions.
For corporations and other juridical entities, responsible officers may be included if they participated in, or through gross negligence allowed, the alleged DPA violation. The defense should clarify corporate roles, contracts, data flows, and authority.
6. The action has prescribed or is otherwise barred
The amended NPC Rules allow respondents to raise prescription as an affirmative defense. The Rules also state that the NPC adopts the prescriptive periods for violations penalized by special laws under Act No. 3326 for penal DPA provisions.
Prescription can be fact-heavy. It depends on the specific violation alleged, when the complainant discovered it, whether the case is administrative or penal, and whether later acts are being treated as separate violations or continuing consequences.
Other bar defenses include:
- prior final judgment;
- another pending action between the same parties for the same cause;
- waiver;
- abandonment;
- settlement;
- payment or satisfaction of claim; or
- bad-faith, frivolous, or vexatious filing.
The NPC Rules specifically list these types of affirmative defenses that may be raised in the comment instead of a motion to dismiss.
Step-by-step: how to seek dismissal before the NPC
1. Read the NPC order carefully
Check:
- the date you received it;
- the deadline to file a verified comment;
- whether the case is still in pre-investigation;
- whether the NPC already gave the complaint due course;
- whether there is a request for temporary ban on processing;
- the email or physical address for filing;
- whether service on the complainant is required.
If the respondent is ordered to comment, the usual period is 15 calendar days from receipt of the order.
2. Calendar the deadline immediately
Use calendar days, not working days, unless the order clearly says otherwise. Missing the deadline can cause the complaint to be submitted for resolution based on the available record.
Administrative due process in the Philippines focuses on a fair opportunity to be heard. The Supreme Court has repeatedly stated that a party who is given the chance to explain and submit evidence but chooses not to use it generally cannot later complain of denial of due process. (Supreme Court E-Library)
3. Prepare a verified comment, not a motion to dismiss
Your verified comment should:
- answer each material allegation;
- raise all affirmative defenses;
- explain why the complaint should be dismissed;
- attach supporting evidence;
- include authority documents if filing for a company;
- include an affidavit of service if required; and
- comply with the NPC’s filing instructions.
A verified pleading means the party swears that the allegations are true based on personal knowledge or authentic records.
4. Raise affirmative defenses clearly
A practical structure is:
- Lack of jurisdiction / outside DPA scope
- Failure to exhaust remedies
- No privacy violation or personal data breach
- Lawful basis for processing
- Insufficient evidence
- Wrong party / no participation / no gross negligence
- Prescription
- Prior action, settlement, waiver, or abandonment
- Bad faith or vexatious filing, if supported by facts
Avoid merely saying “the complaint is baseless.” Explain the facts and attach documents.
5. Attach the right evidence
Useful evidence may include:
| Defense | Helpful documents |
|---|---|
| Failure to exhaust remedies | DPO records, customer-service logs, email inbox search results, proof of no prior complaint, or proof of timely response |
| Lawful processing | Privacy notice, consent form, contract, employment document, KYC record, statutory basis, retention policy |
| No breach | System logs, incident report, access controls, audit trail, cybersecurity report |
| Wrong respondent | Corporate documents, data processing agreement, outsourcing contract, organizational chart |
| Lack of evidence | Comparison chart showing missing elements in the complaint |
| Settlement or waiver | settlement agreement, quitclaim, affidavit of desistance, release |
| Foreign/corporate authority | board resolution, secretary’s certificate, special power of attorney, apostilled or consularized document when applicable |
6. File and serve properly
NPC pleadings may be filed personally, by registered mail, by courier, or by electronic mail when authorized by the Commission. The NPC’s complaint page also notes that a formal complaint must be in a specific format, notarized, and submitted through available modes such as in person, courier, or email.
For respondents, make sure scanned documents are readable, complete, signed, and in PDF format where required. Illegible or malfunctioning electronic submissions may not be considered.
7. Attend preliminary conference or mediation if ordered
Dismissal can still happen later even if the complaint is not dismissed outright. During preliminary conference, the NPC may simplify issues, explore admissions, determine whether discovery is needed, and assess mediation.
A mediated settlement confirmed by the NPC has the effect of a decision or judgment on the complaint but is without prejudice to Rule X, meaning the NPC may still act on broader public-interest or compliance concerns where warranted.
8. Address any temporary ban request immediately
A complainant may ask the NPC to temporarily ban the respondent’s processing of personal data. This can be disruptive for businesses, schools, clinics, employers, platforms, and associations.
A temporary ban requires, among others, facts showing entitlement to relief, necessity to preserve rights or protect public interest, a bond unless exempted, and a summary hearing. The complaint proceedings are suspended while the temporary-ban application is resolved.
Documents, fees, and timelines
| Item | Practical point |
|---|---|
| Verified comment | Main pleading where respondent raises defenses and asks for dismissal |
| Board resolution / secretary’s certificate | Needed when a corporation or juridical entity authorizes a representative |
| Special power of attorney | Needed when a representative acts for an individual data subject or authorized party |
| Evidence attachments | Emails, notices, logs, policies, contracts, affidavits, screenshots, incident reports |
| Filing fee for complaints | NPC Circular No. 2023-01 lists a ₱500 filing fee for complaints |
| Motion for reconsideration fee | NPC fee schedule lists ₱500 for motion for reconsideration |
| Temporary ban bond | Computed under the NPC fee schedule and capped at ₱50,000 |
| Outright dismissal review | Investigating Officer may act within 30 calendar days from receipt of complaint |
| Comment period | Respondent is generally given 15 calendar days from receipt of order to file verified comment |
| Finality of NPC decision | Commission decision becomes final and executory 15 calendar days from notice unless an MR or appeal is filed |
NPC Circular No. 2023-01 also provides exemptions for indigent litigants and government entities in specified situations.
Special issues for foreigners, OFWs, and foreign companies
Non-resident Filipino complainants
The amended NPC Rules expressly allow a non-resident citizen who has no authorized representative in the Philippines, or cannot appoint one, to submit a complaint if it is notarized by a Philippine Embassy or Consulate or accompanied by an apostille certificate from the country of origin.
As respondent, check whether the overseas complaint is properly verified, authenticated, and complete.
Foreign respondents
A foreign company may still be covered if the processing has the required Philippine link, such as processing data about Philippine citizens or residents, carrying on business in the Philippines, having a Philippine branch or subsidiary, or collecting or holding personal information in the Philippines.
A common defense for foreign entities is that the named respondent has no Philippine link, no control over the processing, no access to the personal data, or is not the correct controller or processor.
Overseas evidence
Documents executed abroad may need apostille or consular notarization depending on how they will be used. For corporate respondents, equivalent foreign corporate authority documents should clearly show who may represent the company and sign pleadings.
Common mistakes that weaken a dismissal strategy
Ignoring the NPC notice
Silence is risky. If the respondent fails to file a comment on time, the NPC may proceed based on available records.
Filing the wrong pleading
A motion to dismiss is generally prohibited in NPC complaint proceedings. Put dismissal grounds in the verified comment as affirmative defenses.
Treating consent as the only lawful basis
Many valid data-processing activities do not depend solely on consent. Contract, law, legitimate interest, legal claims, public authority, and vital interests may be relevant depending on the facts.
Over-collecting evidence from the complainant
Do not respond to a privacy complaint by unnecessarily exposing more of the complainant’s data. Use only what is relevant and proportionate.
Attacking the complainant personally
Focus on legal elements: data, processing, lawful basis, jurisdiction, evidence, exhaustion, and procedure. Personal attacks rarely help and may create new issues.
Deleting records after receiving the complaint
Deleting emails, logs, chat messages, CCTV files, or access records after notice can look suspicious and may damage credibility. Preserve relevant records under a litigation or investigation hold.
Frequently Asked Questions
Can I file a motion to dismiss an NPC Data Privacy Act complaint?
Usually, no. In NPC complaint proceedings, motions to dismiss are listed as prohibited pleadings. The respondent should raise dismissal grounds as affirmative defenses in the verified comment.
What is the strongest ground to dismiss a Data Privacy Act complaint?
The strongest ground depends on the facts, but common strong grounds are failure to exhaust remedies, lack of DPA violation, insufficient evidence, lawful basis for processing, wrong respondent, prescription, or prior settlement.
What does “failure to exhaust remedies” mean in an NPC case?
It means the complainant should generally have first informed the respondent in writing about the alleged privacy violation or data breach and allowed the respondent to act. If there is no timely or appropriate action, or no response within 15 calendar days, the complainant may proceed to the NPC.
Can a company or its officers be protected from liability if an employee caused the issue?
A company may still be responsible as controller, but individual officers should not be included automatically. Responsible officers may be named if they participated in, or through gross negligence allowed, the alleged DPA violation. Evidence of roles, authority, supervision, and safeguards is important.
Does lack of consent automatically mean a Data Privacy Act violation?
No. Consent is only one lawful basis. Processing may also be lawful because of contract, legal obligation, vital interests, public authority, legitimate interests, medical treatment, legal claims, or another basis recognized by RA 10173.
Can an NPC complaint be dismissed without prejudice?
Yes. Outright dismissal under the NPC Rules is generally without prejudice, meaning the complainant may be able to refile if the defect can be corrected. Dismissal based on affidavit of desistance, however, may have different consequences under the Rules.
What happens if the NPC dismisses the complaint outright?
The Legal and Enforcement Office Director may issue a decision dismissing the case outright or remand it for investigation. If dismissed outright, the complainant may refile or file a motion for reconsideration within the allowed period.
Can the NPC still investigate even if the complainant withdraws?
Yes. Before submission of the Fact-Finding Report, the complainant may withdraw only with approval. The Investigating Officer may recommend dismissal with or without prejudice, or recommend that the Commission initiate a sua sponte investigation if broader privacy issues remain.
Can an NPC case lead to criminal charges?
Yes. If the NPC finds that criminal prosecution is warranted, it may recommend prosecution to the Department of Justice. RA 10173 penalizes acts such as unauthorized processing, negligent access, improper disposal, unauthorized purposes, intentional breach, concealment of security breaches, malicious disclosure, and unauthorized disclosure. (National Privacy Commission)
Can I settle a Data Privacy Act complaint?
Yes, settlement or mediation may be available. A confirmed mediated settlement can resolve the complaint, but the NPC may still act on matters involving broader compliance or public-interest concerns when allowed by its rules.
Key Takeaways
- A Data Privacy Act complaint is not automatically valid just because it was filed.
- In NPC proceedings, do not rely on a standard motion to dismiss; raise dismissal grounds as affirmative defenses in the verified comment.
- The most common dismissal grounds are failure to exhaust remedies, no DPA violation, insufficient evidence, lawful processing, wrong respondent, prescription, prior judgment, pending related action, waiver, settlement, or bad faith.
- The complainant must usually show prior written notice to the respondent and lack of timely or appropriate action within 15 calendar days.
- Respondents should preserve evidence, calendar deadlines, file a verified comment on time, and attach documents that directly support each defense.
- Foreigners, OFWs, and foreign companies should pay close attention to Philippine links, representative authority, apostille or consular notarization, and proper identification of the actual controller or processor.
- A dismissal before the NPC may be without prejudice, so the stronger goal is not only technical dismissal but a clear record showing no privacy violation, no breach, no unlawful processing, or no liability under RA 10173.