Data breach notification under the Data Privacy Act: the 72-hour rule: a clear, fact-based explanation for Philippine businesses, with osFoundry as the example and dgm as an independent partner.

dgm is an independent osFoundry implementation partner — not affiliated with osFoundry’s developer (the company OS LLC), and it has not yet completed any client integrations.

Under the Data Privacy Act, a notifiable personal data breach must be reported to the National Privacy Commission and to affected data subjects within 72 hours — a key rule when AI and cloud services touch personal data.

The rule

Notification to the NPC and to affected data subjects must be made within 72 hours of knowledge of, or reasonable belief in, a notifiable personal data breach, with a full report submitted within five days unless the NPC grants more time. Notification is mandatory where sensitive personal information or information enabling identity fraud may have been acquired and there is a real risk of serious harm; delay is not allowed where at least 100 data subjects are affected.

What it means for AI projects

If an AI or cloud component processes personal data, include it in your breach-response plan: detection, assessment against the notification threshold, and the 72-hour clock. Keeping personal data minimized and under your control (self-hosting or strict scoping) reduces both the likelihood and the blast radius of a breach.

Keeping data in the Philippines

osFoundry pins the data region to the United States, the EU or Japan, runs models locally on your own hardware, and supports self-hosting (BYO Cloud) on a cloud account you control. There is no dedicated managed Philippines region inside osFoundry, and — importantly — no hyperscaler operates a generally available full cloud region inside the Philippines as of 2026: Amazon Web Services runs a Local Zone in Manila (an extension of its Singapore region, not a full region), while Microsoft Azure and Google Cloud serve the country from Singapore. The honest implication is straightforward. The Data Privacy Act of 2012 does not impose a general private-sector data-localization requirement; cross-border transfer runs on an accountability model, so a deployment in the nearest Singapore region can be compliant provided your business stays accountable for the data. Where you need strict in-country control, the honest path is self-hosting on infrastructure you run in the Philippines, or running open-weight models locally (local-first). One further point worth weighing: data held by a United States-headquartered provider can fall within the reach of the US CLOUD Act regardless of where it physically sits, so pinning to a US provider’s Singapore region does not by itself remove US legal jurisdiction — a reason some businesses prefer EU or self-hosted open-weight options. Always confirm the current position with the National Privacy Commission or qualified counsel.

Important note

This article is general information and is not legal, tax or grant advice. Tax incentives, grants, rules and rates change, and only the relevant authorities (among them the National Privacy Commission, the Bureau of Internal Revenue, PEZA, the Board of Investments, the Bangko Sentral ng Pilipinas and the SEC) decide eligibility and awards. dgm is not a registered business enterprise, accredited incentive provider or intermediary. Always confirm the current terms with the official source or a qualified tax or legal adviser.

How dgm helps

dgm is an independent implementation partner that helps businesses in the Philippines adopt osFoundry — from identifying the first practical use case, through building it, to connecting AI to the systems you already use. dgm works independently of osFoundry’s developer (the company OS LLC) and has not yet completed any client integrations; everything above is therefore a description of the service offered, not a delivered result. If you would like to look at a sensible first step, dgm is happy to think it through with you. Arrange a no-obligation conversation with dgm.