The Philippine National Privacy Commission just issued its latest guidelines concerning the renewal of existing Data Protection Officer (DPO) registrations, as well as the revised process for new applications, renewal applications, requests for amendment and registration of common DPOs.
In an announcement made on 4 March 2022, the Philippine National Privacy Commission (NPC) officially extended the validity of all existing Certificates of Registration issued in 2021 from 8 March 2022 to 8 March 2023.
For Certificates of Registration issued in 2020 or earlier, which are expiring this 8 March 2022, the NPC is directing all affected personal information controllers (PICs) and personal information processors (PIPs)1 to renew their registration with the Commission.
The announcement also provides the NPC’s latest guidelines for processing new applications, renewal applications, requests for amendments, and registration of common Data Protection Officers (DPOs).
Clients are advised to immediately review their Certificate of Registration and determine when the same was issued by the NPC. In case said certificate was issued in 2020 or earlier, the same must be renewed with the NPC as soon as possible.
Additionally, for those PICs and PIPs who intend to appoint and register a common DPO, please be advised that the NPC no longer requires the review of such application; provided, that the application for registration is filed separately on a per entity basis and that there should be a unique email address per entity.
Please feel free to reach out to Quisumbing Torres’ Intellectual Property, Data and Technology Practice Group for assistance on these data privacy compliance matters.
In more detail
Validity of Certificates of Registration
The NPC officially extended the validity of all existing Certificates of Registration issued in 2021 or later, from 8 March 2022 to 8 March 2023.
However, for those PICs and PIPs whose Certificates of Registration were issued in 2020 or earlier, they are required to renew their existing registration with the NPC.
Guidelines for Processing New Registration, Renewal, and Amendments
The NPC has laid down its revised guidelines on the processing of new applications, renewal applications, and requests for amendments of DPO registration, as follows:
A. For both new and renewal applications
1. PICs and PIPs are required to use a generic DPO email address, which is not personally identified with the DPO (e.g., email@example.com).
a. For new applications: New_Registration_(Name of PIC/PIP/Individual Professional)
b. For renewal applications: Renew_Registration_(Name of PIC/PIP/Individual Professional)
B. For requests for amendment covering PICs and PIPs who registered with the NPC in 2021 and 2022
1. Complete requests must be submitted either through firstname.lastname@example.org or email@example.com. The NPC requires the use of the following subject line in the emails:
Amendment_(Name of PIC/PIP/Individual Professional)
Upon completion of the process, the NPC will issue a new or amended Certificate of Registration, depending on the type of application/request filed.
Guidelines for Common DPOs
For PICs and PIPs who have previously filed a request for approval of the appointment of a common DPO with the NPC, the Commission has announced that all such pending requests are hereby deemed approved.
Additionally, the NPC has announced that it will no longer review such requests, moving forward.
Nevertheless, for those PICs and PIPs who intend to register a common DPO with the NPC, the Commission requires that the applications be filed separately on a per entity basis. Moreover, the NPC will only accept a unique email address per entity. Thus, if an individual will be registered as the common DPO of two entities which form part of a group of companies, said individual should have two unique email addresses corresponding to each entity, as required by the Commission.
1 Registration with the NPC is required for PICs and PIPs processing personal data and operating within the Philippines under any of the following conditions:
• Processing the sensitive personal information of at least 1,000 individuals
• Employing at least 250 individuals
• Belonging to a business/industry sector identified by the NPC (NPC Circular No. 17-01) as subject to mandatory registration.
Please contact QTInfoDesk@quisumbingtorres.com for inquiries.