The Yardstick Between Data Privacy and Tax Enforcement in Condominium Living

by: Atty. Reannah R. Reonal and Pauline S. Herrera | 24 October 2025

NPC Clarifies that Condominium Corporations May Disclose Owners’ Data to the BIR Without Consent in Certain Cases When the Bureau of Internal Revenue (BIR) sent an “Access Letter” to an upscale Taguig condominium, it bypassed individual owners and asked the Verve Residences Condominium Corporation (VRCC) for the names, unit and parking details, and TINs of owners allegedly engaged in rentals or Airbnb-type activities. VRCC hesitated, worried that sharing personal data without consent might violate the Data Privacy Act of 2012 (DPA).[1] In Advisory Opinion No. 2025-006,[2] however, the National Privacy Commission (NPC)[3] said that condominium corporations may lawfully disclose the requested data without consent, provided legal procedures are followed. The ruling has reignited debate over how far government can reach into personal data in the name of public duty.

The NPC’s opinion rests on two grounds under the DPA. First, Section 12(c) permits processing of personal information when necessary to comply with a legal obligation even without the consent of the data subject. Here, the condominium corporation’s duty to respond to the tax bureau’s information-gathering powers under the Tax Code.[4] Second, Section 13(f) allows processing of sensitive personal information when provided to a government or public authority for a mandate-driven purpose. These provisions provide the lawful basis for processing of personal data where even when consent is not first obtained from the data subject. NPC emphasized that consent may not always be the most appropriate basis for processing personal data. When a statute or regulatory duty exists, it can override the need to ask for consent.

The Commission also invoked Section 5(d) of the Implementing Rules and Regulations (IRR) on “Special Cases,” which narrows the DPA’s application where the obtained personal information is needed to carry out a constitutionally or statutorily mandated law-enforcement or regulatory function, but only to the minimum extent necessary to achieve the specific purpose, function, or activity.

Because the BIR acts pursuant to its lawful mandate to assess and collect the proper taxes by obtaining the names, unit and parking details, and TINs of condominium owners allegedly engaged in rental or Airbnb-type activities, the acquisition of such information without the owners’ consent does not constitute a violation of data privacy rights. Accordingly, the NPC concluded that the consent of condominium owners is not required, provided that applicable laws, policies, and procedures are duly observed.

This opinion underscores that a condominium corporation’s duty to comply with a lawful BIR directive prevails over individual objections based on data privacy or lack of consent. It serves as a reminder that the Data Privacy Act was never intended to serve as an absolute shield against legitimate government processes and lawful orders.

Section 4 of the DPA (Scope) and Section 5 of the IRR (Special Cases) were drafted to avoid constraining government regulators and enforcers as tax collection, anti-fraud efforts, and similar functions often require timely access to personal data. The NPC’s view is not new. Advisory Opinions 2020-015 and 2021-028 already recognized the BIR’s authority to obtain information to evaluate taxpayers’ compliance, treating such processing as falling within the DPA’s “special cases.”[5] 

The BIR’s mandate to assess and collect proper taxes does not grant it unrestricted authority to obtain personal data by any means or without observing proper procedures, nor may it do so when such data is not necessary to achieve its lawful purpose. In Advisory Opinion 2024-016, involving a Makati condominium targeted by a BIR Tax Compliance Verification Drive, the NPC criticized a verbal BIR request for being vague and potentially excessive such as when asking for contact numbers and notarized contracts without clear necessity.[6] The Commission reminded the BIR that its own rules, specifically Revenue Memorandum Order 9-2006, did not list some of the data being sought and that the DPA’s principles still apply even in special-case scenarios.

While the NPC recognized that consent is not required, it insisted on specificity, relevance, proportionality, and to collect no more than what is strictly needed for the stated purpose and cautioned that overcollection of personal data could still violate the DPA.[7]

Despite the NPC’s observation in its Advisory Opinion 2024-016 that the BIR may have exceeded its authority in obtaining taxpayers’ personal data without clear necessity, the NPC nevertheless recognizes that disclosures to regulators acting under lawful mandates are generally permissible, provided that the personal data collected is necessary and not excessive. Beyond the condominium context, Advisory Opinion 2025-001 approved the Commission on Audit’s request to access a Department of Agriculture database for audit purposes, again under the public-authority exception.[8] 

In Advisory Opinion 2025-005, involving the BIR and the Makati City Business Permits and Licensing Office, the NPC clarified that neither a data-sharing agreement nor individual consent is required when a lawful mandate supports the request.[9] Local offices cannot use privacy law to resist a properly grounded inquiry by a national regulator.

The exemption to the general rule of obtaining consent is not unrestricted. The NPC repeatedly underscores two guardrails: (1) collect and use only the minimum necessary data for the specific mandate, and (2) comply with due process and formal procedures. The government agency must uphold the DPA’s core principles of transparency, legitimate purpose, and proportionality, and implement security measures and retention limits. Agencies that overreach can still face complaints and enforcement actions.

Impact on Condominium Corporations and Condominium Unit Owners

For data subjects, the immediate impact of the NPC’s Opinion can feel jarring. Personal information given to a condominium corporation for property management may be repurposed for tax enforcement without consent. The NPC recommends updating privacy notices to inform condominium unit owners that disclosures of their personal data to authorities may occur under lawful mandates.

When a government authority requests the disclosure of personal data, condominium corporations must proceed with caution and due diligence. The first step is to verify the lawful basis and scope of the request. As far as practicable, it should require a formal, specific written request clearly identifying the statutory provisions invoked and the personal data being sought. Where the intended purpose can be achieved with fewer personal data disclosures, corporations should advocate for such. Strict data protection measures must also be implemented. Only the information explicitly requested should be shared, and it must be transmitted through secure channels. Corporations should keep a clear record of who accessed the data, what was disclosed, when the disclosure occurred, and for what purpose.

Condominium corporations should update their privacy notices to reflect such disclosures to inform affected data subjects and maintain a log of all legitimate personal data disclosures made to government agency in case individuals invoke their data privacy rights or file complaints.

For individuals, awareness is key. Even if your personal data is lawfully shared with a government agency, you still have the right to expect transparency, security, and purpose limitation. Transparency means you should be informed why your data is being collected, how it will be used, and under what authority it is being disclosed. Security ensures that once shared, your data is handled with proper safeguards such as encryption, restricted access, and safe storage to prevent leaks or misuse. Purpose limitation means your information can only be used for the specific, lawful purpose that justified its collection or disclosure, and not for unrelated or broader purposes. These principles ensure that even when consent is not required, government agencies and organizations remain accountable for how they handle your personal information

Ultimately, Advisory Opinion No. 2025-006 clarifies that data privacy is not absolute when the State wields a demonstrable, legally grounded need for data.

[1] Republic Act No. 10173 or the “Data Privacy Act of 2012”.

[2] NPC Advisory Opinion No. 2025-006.

[3] Commission.

[4] Gasapo, N. (January 26, 2023). MT&F: The BIR’s power to obtain information. Retrieved from https://mtfcounsel.com/2023/01/26/bir-power-obtain-ninformation/#:~:text=For%20the%20exemption%20to%20apply%2C,the%20scope%20of%20the%20DPA

[5] NPC Advisory Opinions No. 2020-015 and 2021-028.

[6] NPC Advisory Opinion No. 2024-016.

[7] Bilyonaryo. (January 2025). Makati condo residents’ privacy at risk? NPC raises red flags over BIR’s data requests. Retrieved from https://bilyonaryo.com/2025/01/06/makati-condo-residents-privacy- at-risk-npc-raises-red-flags-over-birs-data-requests/business/#:~:text=Tabaquin%20IV%20in%20Privacy%20Policy,016

[8] NPC Advisory Opinion No. 2025-001.

[9] NPC Advisory Opinion No. 2025-005. Disclaimer: The views and opinions expressed in this article are those of the authors and do not necessarily reflect the views and opinions of the Firm or any of its partners. This article shall not be construed as official legal advice from the Firm.  Atty. Reannah R. Reonal is a lawyer who earned both her Juris Doctor and her Bachelor of Arts in Political Science (Honorable Mention) from De La Salle University.

Pauline S. Herrera is a paralegal who earned her Bachelor of Science in Legal Management from San Beda University, where she is also currently pursuing her Juris Doctor degree.

For further inquiries, please contact counsel@dargonlawfirm.com or call (02) 8426-1837.