Diaryo
4notify Philippines · Official Gazette
OFFICIAL · NPC · RA 10173 · DND list
Diaryo No
DRY-PH-005
Date
2026-05-27
Status
In force
Category
Privacy

Data Privacy Act, NPC and the do-not-disturb list: the permission framework for transactional and commercial delivery

The National Privacy Commission (NPC) enforces Republic Act 10173, the Data Privacy Act of 2012. For commercial outreach, consent is required, and sensitive personal information is given heightened protection. Additionally, the NPC and NTC operate a do-not-disturb regime — a number on the DND list cannot be solicited. 4notify pins the lawful basis to every envelope and verifies consent and the DND list at the API edge, on every send.

EmailSMSWebhook
Preamble

Whereas, pursuant to Republic Act No. 10173 (Data Privacy Act of 2012), the NPC's Implementing Rules and Regulations and the operator do-not-disturb registries, the present Diaryo is issued on the management of consent in electronic delivery.

Statutory basis
RA 10173 — Data Privacy Act of 2012

Lawful bases of processing, data-subject rights and the NPC's jurisdiction.

NPC Implementing Rules and Regulations

Registration of data-processing systems and obligations of the personal-information controller.

Operator DND registries (NTC-supervised)

Do-not-disturb opt-out registries kept by Globe, Smart and DITO and enforced by 4notify before every send.

Implementation
01

Lawful-basis pinning per envelope

Each envelope carries one of the RA 10173 lawful bases (consent, contract, legal obligation, legitimate interest); the basis is locked at template registration.

02

Commercial-consent + DND verification

On commercial messages, both consent and the DND-list state are checked at the envelope level; deliveries without permission are blocked at the API edge.

03

30-day deletion right

Erasure requests propagate within 24 hours through 4notify; the suppression list updates across the three operators and the email gateway.

04

Breach-notification webhook

Any envelope-level event raises a webhook to the personal-information controller in under one hour — matching the NPC's 72-hour upstream notification rule.

Delivery envelope
json
{
  "event": "delivery.consent_envelope",
  "controller_id": "PH-PIC-12345",
  "lawful_basis": "consent",
  "consent": {
    "record": "NPC-2026-001234",
    "consent_date": "2025-09-14",
    "opt_out_link_present": true
  },
  "dnd_state": "not_listed",
  "delivery": { "channel": "email", "template": "promo_v2" },
  "suppression_check": "approved"
}
Sample message
EmailSubject: Your marketing preference has been updated

Dear customer, Your marketing consent has been revoked. You will no longer receive promotional emails, but you will keep receiving transactional notices (order confirmations, delivery alerts). For your other rights under the Data Privacy Act: [email protected]

Compliance checklist
  • NPC registration of the data-processing system current
  • Data Protection Officer designated and reachable
  • Consent preserved per commercial envelope
  • Breach-notification webhook reachable and tested
The 4notify difference

4notify is the only A2P provider that pins the RA 10173 lawful basis on every envelope, enforces the operator DND list before each send and raises a sub-hour breach-notification webhook aligned with the NPC's 72-hour upstream rule.

Frequently asked questions
Does consent also apply to SMS?

Yes — RA 10173 covers all commercial communication that processes personal data: SMS, email, messaging. Each one needs a valid lawful basis.

What if the controller never registered with the NPC?

4notify blocks commercial delivery at the API edge until NPC registration is valid; transactional delivery (contract-basis) remains available so service messages still clear.

Issued
4notify Operations Department
2026-05-27 · DRY-PH-005

Start free

14 days, no card. English-speaking support on weekdays.

Other entries in this issue