Most small business owners in the Philippines think the Data Privacy Act is a "big company problem." It is not. In the last two years the National Privacy Commission (NPC) has investigated clinics, schools, lending apps, BPO support shops, and even single-branch retailers — and the fines have been real.

This guide walks through the actual financial and criminal exposure your business faces under Republic Act 10173 and NPC Circular 2022-01, written by a certified Data Protection Officer. No legal scare tactics. Just the numbers.

There Are TWO Tracks of Penalties — Most Business Owners Only Know About One

Every NPC violation can hit your business on two separate tracks at the same time:

  1. Criminal penalties under RA 10173 — fines plus prison time, prosecuted in regular courts
  2. Administrative fines under NPC Circular 2022-01 — issued directly by the NPC, calculated as a percentage of your annual gross income

And on top of those, affected data subjects can sue you separately for civil damages under the same law. One violation, three bills.

Track 1 — Criminal Penalties Under RA 10173

Here are the nine specific offenses written into the Data Privacy Act, with the actual fines and prison time:

Unauthorized Processing of Personal Information
  Fine: ₱500,000 to ₱2,000,000
  Prison: 1 to 3 years
  What triggers it: Collecting or using customer data without consent and without a lawful basis. Example: sharing your customer list with another business.

Accessing Personal Data Due to Negligence
  Fine: ₱500,000 to ₱2,000,000
  Prison: 1 to 3 years
  What triggers it: Leaving an employee laptop unlocked, emailing client data to the wrong recipient, or failing to install basic security on a system holding personal data.

Improper Disposal of Personal Information
  Fine: ₱100,000 to ₱500,000
  Prison: 6 months to 2 years
  What triggers it: Throwing client documents in the trash without shredding. Selling old computers without wiping them. This is the most common violation small businesses commit without realizing it.

Processing for Unauthorized Purposes
  Fine: ₱500,000 to ₱2,000,000
  Prison: 1 year and 6 months to 7 years
  What triggers it: Using customer contact info collected for one purpose (delivery confirmation) for a different purpose (marketing blasts) without separate consent.

Unauthorized Access or Intentional Breach
  Fine: ₱500,000 to ₱2,000,000
  Prison: 1 to 3 years
  What triggers it: An employee accessing data they have no business reason to see. Looking up a celebrity client's records out of curiosity. Snooping on a colleague.

Concealment of Security Breaches
  Fine: ₱500,000 to ₱1,000,000
  Prison: 1 year and 6 months to 5 years
  What triggers it: A breach happens and you do not report it to the NPC within 72 hours, or you do not notify affected data subjects when required. This penalty often hits harder than the original breach.

Malicious Disclosure
  Fine: ₱500,000 to ₱1,000,000
  Prison: 1 year and 6 months to 5 years
  What triggers it: A DPO, employee, or officer disclosing personal data with malicious intent — for example, posting a customer's private complaint on social media.

Unauthorized Disclosure
  Fine: ₱500,000 to ₱1,000,000
  Prison: 1 to 3 years
  What triggers it: Sharing personal data with anyone who is not authorized to receive it, even without malicious intent. A casual mention to a friend about a customer counts.

Combination of Acts (the worst case)
  Fine: ₱1,000,000 to ₱5,000,000
  Prison: 3 to 6 years
  What triggers it: When two or more of the above offenses are committed together — typical in actual breach cases.

Important: When a company commits a violation, the responsible officers and the DPO can be held personally liable. The fine and the prison time can attach to a named individual, not just the business.

Track 2 — Administrative Fines Under NPC Circular 2022-01

Separately from the criminal track, the NPC can impose administrative fines directly on your business — no court case required. The fines are tiered by severity and calculated as a percentage of your annual gross income:

Grave Infractions
  Rate: 0.5% to 3% of annual gross income
  Cap: ₱5,000,000 per related violation
  Examples: Failure to register a data processing system; processing without lawful basis; unauthorized disclosure of sensitive personal information.

Major Infractions
  Rate: 0.25% to 2% of annual gross income
  Cap: ₱4,000,000 per related violation
  Examples: Failure to implement reasonable security measures; failure to notify the NPC of a breach on time; failure to respond to a data subject's request.

Minor Infractions
  Rate: 0.1% to 1% of annual gross income
  Cap: ₱3,000,000 per related violation
  Examples: Missing or incomplete privacy notice; failure to update NPC registration; minor record-keeping lapses.

This means a business with ₱20,000,000 annual revenue can be fined up to ₱600,000 (3% of gross income) for a single grave infraction — entirely separate from any criminal case running in parallel.

Track 3 — Civil Damages From Affected Data Subjects

Section 16 of the Data Privacy Act gives every data subject the right to be indemnified for any damages sustained. A single breach affecting 500 customers can trigger 500 separate civil claims — each with its own legal fees, lost productivity, and reputational cost. In recent NPC adjudications, awards have ranged from ₱10,000 to over ₱500,000 per individual depending on the harm proven.

What Actually Triggers an NPC Investigation?

In our experience as DPO consultants, investigations almost always start from one of these five sources:

  1. A complaint from a customer or former employee — by far the most common trigger
  2. A reported data breach that you submitted (yes, your own report can become the investigation)
  3. A media leak or viral social-media post about your handling of data
  4. A whistleblower inside your organization
  5. NPC's own sweep audits of specific industries — lending, healthcare, schools, BPOs have all been targeted in recent years

The takeaway: you do not need to be a big company to be investigated. You just need one upset customer who knows their rights.

The 5 Things Every Philippine Business Should Have Today

If you have not done these five things, you are already exposed:

  1. A registered DPO (Data Protection Officer) — required for almost every business that processes personal data. The NPC publishes the registration form on their website.
  2. A current Privacy Notice on every channel that collects data — your website, your enrollment forms, your patient intake sheets, your booking system.
  3. A documented Data Processing Inventory — what data you collect, why, where it lives, who has access, and how long you keep it.
  4. A Breach Response Plan — written, rehearsed, and dated. The 72-hour notification clock starts the moment you discover a breach, not when you confirm it.
  5. NPC Registration — if you process the data of 250 or more individuals, or process sensitive personal information, you must register your data processing systems with the NPC.

If any of those five items are missing or out of date, the next customer complaint can become a multi-track penalty.

Frequently Asked Questions

Does the Data Privacy Act apply to small businesses with only a few customers?

Yes. The law applies to anyone who processes personal data in the Philippines — there is no minimum size threshold. The only "exemption" relates to purely personal or household processing (your own family contacts), which does not cover business activity.

Can I just appoint myself as DPO?

For very small businesses, yes — but you must meet the qualifications, be officially designated in writing, register your appointment with the NPC, and complete DPO training. Many owner-DPOs run into trouble because they never complete the registration step, which itself is a violation.

What is the difference between RA 10173 fines and NPC administrative fines?

RA 10173 penalties are criminal — prosecuted in regular courts, with prison time attached. NPC administrative fines are issued by the NPC itself, do not require a court case, and are based on a percentage of your revenue. Both can apply to the same violation.

How long does an NPC investigation take?

Typical investigations run six months to two years from initial complaint to adjudication, depending on complexity. The clock starts when the complaint is filed — not when you find out about it.

Are penalties retroactive?

Yes, for any violations committed after the law took effect in 2012. The NPC Circular 2022-01 administrative fines apply prospectively from January 2022 onward.

Don't Wait for a Complaint to Find Out You Are Exposed

Most Philippine businesses we onboard for DPO services discover, within the first audit, that they are out of compliance on at least three of the five items above. That gap is fixable — but only before a complaint is filed.

At RDahunan I.T. Services we provide certified DPO services for small and medium Philippine businesses — registration, privacy notice drafting, data inventory, breach response planning, and ongoing compliance support.

Want to know exactly where your business stands? Send us a message for a free 30-minute DPO consultation. We will give you a clear, honest read on your exposure — no scare tactics, no contract pressure.

This article is general information from a certified Data Protection Officer in the Philippines. It is not legal advice. For specific cases, consult a Philippine lawyer or contact the NPC directly.