Philippines: Rules on registration of DPOs and data processing systems - What you need to know
The National Privacy Commission ('NPC'), the Philippine agency tasked to implement the Data Privacy Act of 2012 (Republic Act No. 10173) ('the Act'), recently issued Circular No. 2022-04 ('the Circular') which took effect on 11 January 2023. The Circular prescribes guidelines for the registration of personal data processing systems, notification regarding automated decision-making or profiling, and designation of data protection officers ('DPOs').
In this Insight article, Mary Thel Mundin, Dwight Garvy Tan, and Maria Angelica Torio, from Gatmaytan Yap Patacsil Gutierrez & Protacio (C&G Law), discuss the Circular's provisions regarding registration requirements for DPOs, how and when to register, automated decision-making and profiling, as well as penalties.
Registration requirements
Under the Circular, entities which process personal data and operate within the Philippines are required to register their DPO and data processing systems if they:
- employ 250 or more persons;
- process sensitive personal information of 1,000 or more individuals; or
- process data that will likely pose a risk to the rights and freedoms of data subjects.
A data processing system involving automated decision-making or profiling, on the other hand, must be registered in all instances, regardless of whether it meets any of the foregoing criteria.
Entities not required to register with the NPC may either:
- register voluntarily; or
- submit a sworn declaration and undertaking for exemption to the NPC.
How to register
Entities may register through the NPC Registration System which launched on 3 February 2023. This requires the entity to create an account on the platform through its DPO, who should generally be an organic employee.
On the other hand, sworn declarations and undertakings for exemption must be submitted to the NPC via email to [email protected].
When to register
The Circular states that all entities processing personal data must register their DPO and data processing systems with the NPC within 180 days from the effectivity of the Circular, or on or before 10 July 2023.
On the other hand, for newly implemented data processing systems or inaugural DPOs, the entity concerned must undertake the registration within twenty days from the commencement of such system or the effectivity date of such appointment.
Once the registration application is successfully completed, the NPC will issue a Certificate of Registration, which shall be valid for one year from its date of issuance. The registration is required to be renewed annually (within 30 days before the expiration of the one-year validity of the Certificate of Registration).
A seal of registration will be issued simultaneously with the Certificate of Registration. The seal must be displayed at the main entrance of the registrant's place of business or office, or at the most conspicuous place, to ensure visibility to all data subjects. It must also be displayed on the registrant's main website (or at least the specific webpage pertaining to the Philippines for global websites).
Major amendments to the registration information, which refer to changes in the personal information controller's ('PIC') or personal information processor's ('PIP') name and office address, shall be made within 30 days from the date that such changes enter into effect. Updates on all other information are considered minor amendments which require the updating of the registration information within ten days from the date on which such changes enter into effect.
Notification of automated decision-making and profiling
PICs or PIPs carrying out automated decision-making or profiling are required to notify the NPC by indicating and identifying in the registration record the data processing system involved in the automated decision-making or profiling operation. Automated decision-making, which often involves profiling, refers to wholly or partially automated processing operations that can make decisions using technological means totally independent of human intervention.
Apart from identifying the data processing system, the PIC or PIP is also required to provide the following information regarding its automated decision-making or profiling operation:
- lawful basis for processing;
- retention period for the processed data;
- methods and logic used for automated processing; and
- possible decisions relating to the data subject based on the processed data, particularly if the decisions would significantly affect the data subject's rights and freedoms.
Penalties
Entities whose Certificates of Registration have been revoked or who have violated the registration requirements prescribed under the Circular may also be subject to compliance and enforcement orders, cease and desist orders, temporary or permanent bans on the processing of personal data, and payment of administrative fines. For this purpose, the registration requirements shall pertain to the provisions on mandatory registration, amendments and updates, and renewal of registration.
Given the Circular, entities processing personal data should assess their data processing systems to determine whether they are required to register with the NPC. Compliance with the Circular is necessary considering the NPC's proactive approach in implementing Philippine data privacy laws.
Mary Thel Mundin Partner
Dwight Garvy Tan Senior Associate
Maria Angelica Torio Associate
Gatmaytan Yap Patacsil Gutierrez & Protacio (C&G Law), Makati City