Privacy Policy for Website Fill out the template

How does it work?

1. Choose this template

Start by clicking on "Fill out the template"

1 / Choose this template

2. Complete the document

Answer a few questions and your document is created automatically.

2 / Complete the document

3. Save - Print

Your document is ready! You will receive it in Word and PDF formats. You will be able to modify it.

3 / Save - Print

Privacy Policy for Website

Last revision Last revision 07/06/2024
Formats FormatsWord and PDF
Size Size8 to 12 pages
Fill out the template

Last revisionLast revision: 07/06/2024

FormatsAvailable formats: Word and PDF

SizeSize: 8 to 12 pages

Fill out the template

What is a Privacy Policy?

A Privacy Policy can be used by any person or organization in the Philippines that owns a website (also referred to as the Personal Information Controller or PIC) to lay down the manner by which the collection or handling of data or information of the website's users is done. These users are known as the "data subjects".

A website that collects and handles data or information (also known as personal information) should have this document to enable the users to know how their data or information is collected and processed.


What is the difference between a Privacy Policy and Terms and Conditions for a Website?

While it is encouraged that both documents are used by the website and posted thereon, Terms and Conditions are different from a Privacy Policy. If the document requires the terms and conditions concerning the privacy rights of its users, this Privacy Policy should be used. On the other hand, if the document requires the terms and conditions concerning the general usage of the website, then Terms and Conditions for a Website should be used.


Is it mandatory to have Terms and Conditions for a Website?

If the owner of a website processes or takes data from users and uses them to render services or sell products under a website then a Privacy Policy is mandatory. On the other hand, if the owner of the website does not take data from users (e.g. posting content only on the website such as articles without any interaction from the users), then a Privacy Policy is not mandatory.

Note that processing may mean any activity done to data or information pertaining to users such as collection, organization, usage, combination, deletion, etc.

Further, a Privacy Policy is necessary to set up the expectations for the user with respect to the data that they share on the website.


What are the different kinds of user information under a Privacy Policy?

  • Personal Information. This refers to information about the user whether alone or combined with other pieces of information which tend to ascertain their identity. This can be directly ascertained (e.g. the full name of the user) or indirectly by a combination of pieces of information (e.g. the date of birth of the user, address, and contact information).
  • Sensitive Personal. This kind of user information is:
    • Information about the user's race, ethnic origin, marital status, age, color, religious, philosophical or political affiliations, health, education, genetic information, sexual life,
    • Information regarding a proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings,
    • Information issued by government agencies related to the user which includes, but is not limited to, social security numbers, previous or current health records, licenses or their denials, suspension or revocation, tax returns, and
    • Information that is specifically established by law or regulation to be kept classified.
  • Privileged Information. This refers to any and all forms of data or information, which cannot be disclosed due to its confidential nature. An example of privileged information is the communication between a lawyer and a client, a doctor and a patient, and a bank and a client.


When can personal information be processed?

For the processing of Personal Information to be lawful, any of the following conditions must be complied with:

  • The user must have given his or her consent prior to the collection, or as soon as possible (i.e. through a button when the user first visits the website),
  • The processing involves the personal information of the user who is a party to a contractual agreement, in order to fulfill obligations under the contract or to take steps at the request of the user prior to entering the said agreement,
  • The processing is necessary for compliance with a legal obligation to which the owner of the website (Personal Information Controller) is subject,
  • The processing is necessary to protect the vitally important interests of the user, including his or her life and health,
  • The processing of personal information is necessary to respond to national emergencies or to comply with the requirements of public order and safety, as prescribed by law,
  • The processing of personal information is necessary for the fulfillment of the constitutional or statutory mandate of a public authority, or
  • The processing is necessary to pursue the legitimate interests of the owner of the website (Personal Information Controller), or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the user.

Other specific types of personal information are Sensitive Personal Information and Privileged Information, for which stricter rules apply due to the sensitive nature of the data. Sensitive Personal Information and Privileged Information can only be processed when this is justified i.e. with the consent of the user, if allowed by existing laws and regulations, if necessary for lawful, non-commercial objectives of certain organizations, if necessary for the user's medical treatment, and if necessary for legal claims or defense of lawful rights and interests of persons. The National Privacy Commission's website should be checked to determine in detail the conditions to validly process Sensitive and Privileged Information.


What must a Privacy Policy contain?

A Privacy Policy contains the following information:

  • Description of the data or information to be entered into the website's system;
  • Purposes for which they are being or will be processed;
  • Criteria or Basis of processing, when processing is not based on the consent of the user;
  • Scope and method of the processing;
  • The recipients or classes of recipients to whom the personal data are or may be disclosed such as third parties;
  • Methods utilized for automated access, if the same is allowed by the user, and the extent to which such access is authorized;
  • The identity and contact details of the personal information controller or its personal information processor;
  • The identity and contact details of the Data Privacy Officer if one is appointed;
  • The period for which the information will be stored; and
  • The existence of their rights as data subjects.


Who is involved in the Privacy Policy?

The parties in this document are the owner of the website and the website user. The owner of the website is also called the "Personal Information Controller or PIC" who will lay down the manner by which the collection or handling of data or information of the website's users is done. The website users are also known as the "data subjects".

While it should be agreed upon by both parties, it usually cannot be changed by the user so that if the user uses the website, they agree to accept the Privacy Policy of the website. However, if they don't agree to the Privacy Policy, then they should not use the website.


What has to be done once the Privacy Policy is ready?

After completing all the information required for the Privacy Policy, the owner of the website should review the same.

Once the document is complete and reviewed, it should be published on the website in order for the users of the website to have access to it. It should be posted on its own separate page on a website which is ideally linked and can be accessed from the home page under the phrase "Privacy Policy".

It is the choice of the website owner if he wants any of the following:

  • To show the Privacy Policy at the first instance the user visits the website, and to place a button or link by which the user can click to agree to the Privacy Policy. If the user does not agree to the Privacy Policy, the user's access to the website will be blocked.
  • To post the Privacy Policy on a page within the website, and the user will simply have to discontinue using the website if he does not agree with the posted Privacy Policy without blocking him from the website without blocking the user's access to the website.


What are the costs involved in the finalization of the Privacy Policy?

No costs or fees need to be paid for the Privacy Policy, as it only requires postage of the same to a web page in the Website itself.


Which laws are applicable to the Privacy Policy?

This document is governed by the Provisions of R.A. 10173 or the Data Privacy Act of 2012 and its rules and regulations.


How to modify the template?

You fill out a form. The document is created before your eyes as you respond to the questions.

At the end, you receive it in Word and PDF formats. You can modify it and reuse it.

Fill out the template