Search for:

Philippines: NPC circular on registration of Data Protection Officers and Data Processing Systems

By and 7 Mins Read

The National Privacy Commission recently issued Circular No. 2022-04, which takes effect today, 11 January 2023.

In brief

The National Privacy Commission (NPC) issued Circular No. 2022-04 on 5 December 2022 (“Circular”), which sets out the registration framework of Data Protection Officers (DPO) and Data Processing Systems (DPS).1 Under the Circular, personal information controllers (PICs) and personal information processors (PIPs) operating in the Philippines are required to register with the NPC as long as they meet any of the conditions for registration.

The Circular takes effect today, 11 January 2023. All covered PICs and PIPs shall complete their registration within 180 days from the effectivity date, or until 10 July 2023, via the NPC’s online registration system (NPCRS). At the time of writing, however, the NPCRS is not yet available to the public.

In more detail

Mandatory registration

PICs and PIPs operating in the country2 are required to register with the NPC if they meet any of the following criteria:

  • Employing at least 250 individuals
  • Processing the sensitive personal information of at least 1,000 individuals
  • Processing personal data that will likely pose a risk to the rights and freedoms of data subjects3

Covered PICs and PIPs are required to register their respective DPO and DPS with the NPC.

Voluntary registration

PICs and PIPs covered by the scope of the Circular4 but do not meet any of the foregoing criteria are not required to register with the NPC. Nevertheless, they are required to submit a sworn declaration to the NPC (see Annex 1 of the Circular) attesting to the fact that they are not covered by the registration requirement.

At the time of writing, however, please note that the NPC has not published any guidance on the process for submission of the sworn declaration. We will provide a separate update once the same has been released by the NPC.

Registration procedure

Covered PICs and PIPs are required to register their respective DPO and existing DPS within 180 days from the effectivity of the Circular, or until 10 July 2023, via the NPCRS. On the other hand, DPS that have yet to operate before said date are required to be registered within 20 days from the commencement of such system. The registration will be valid for a period of one year from the date of issuance of the certificate of registration and must be renewed 30 days before the date of expiration.

Under the Circular, the following information must be submitted via the NPCRS:

  1. Details of the PIC or PIP, head of agency or organization, and the DPO (including the documentary requirements mentioned in the Circular)
  2. Brief description of each DPS:
    • Name of the system
    • Lawful basis for the processing of personal data
    • Purpose or purposes of the processing
    • Whether processing is being performed as a PIC or PIP (if an organization uses the same system as a PIC and as a PIP, then it must register such usage separately)
    • Whether the system is outsourced or subcontracted, and if so, the name and contact details of the PIP
    • Description of the category or categories of data subjects and their personal data or categories thereof
    • Recipients or categories of recipients to whom the personal data might be disclosed
    • Description of security measures
    • General information on the data life cycle (i.e., time, manner, or mode of collection, retention period, and disposal/destruction/deletion procedure)
    • Whether personal data is transferred outside of the Philippines
    • Existence of data sharing agreements with other parties
  3. All publicly facing online mobile or web-based applications, including internal apps with PIC or PIP employees as clients
  4. Notification regarding any automated decision-making operation or profiling
    • Lawful basis for the processing of personal data
      1. Other relevant information pertaining to the specified lawful basis specifying the specific law or regulation, among others
      2. If consent is used as the basis for processing, the PIC or PIP must submit either: (a) the consent form used; or (ii) other manner of obtaining consent.
    • Retention period for the processed personal data
    • Methods and logic utilized for automated processing
    • Possible decisions relating to the data subject based on the processed data, particularly if the decisions would significantly affect the data subject’s rights and freedoms

At the time of writing, however, please note that the NPCRS is not yet available to the public. We will provide a separate update once the same has been launched by the NPC.

Seal of registration

In addition to the certificate of registration, the NPC will also issue a downloadable seal of registration. Under the Circular, PICs and PIPs who receive such seal are required to display the same at the main entrance of their place of business, office, or at the most conspicuous place to ensure visibility to all data subjects.

Moreover, the NPC requires that the seal be displayed on the PIC’s or PIP’s main website, or at least the webpage specifically pertaining to the Philippines for global websites, and only as either: (i) a clickable link leading to the privacy notice; or (ii) displayed directly on the privacy notice page.

As of writing, however, please note that the NPC has not revealed to the public the actual seal of registration. We will provide a separate update once the same has been released by the NPC.

Enforcement and penalties

The NPC may impose administrative penalties on PICs and PIPs covered by the requirements under the Circular but fail to comply with the same. Penalties include compliance and enforcement orders, cease and desist orders, temporary or permanent bans on the processing of personal data, or payment of administrative fines.

Recommended actions

Clients are advised to evaluate their current data processing activities to determine whether they are covered by the requirement to register or to submit a sworn declaration with the NPC. Clients covered by the registration requirement are strongly encouraged to prepare for the registration of their respective DPO and DPS by preparing the information and documents listed above while waiting for the launch of the NPCRS. On the other hand, clients covered by the Circular but are not subject to the mandatory registration requirement are advised to further monitor developments to be issued by the NPC about the submission of the required sworn declaration.

Clients are likewise encouraged to stay tuned to further updates from the NPC on its implementation of the Circular. Our Firm is closely monitoring developments on this important compliance matter and will provide more updates as soon as they arise.

1 “Data processing systems” refers to the structure and procedure by which personal data is collected and further processed in an information and communications system or relevant filing system, including the purpose and intended output of the processing.
2 “Operating in the country” refers to PICs and PIPs who, although not founded or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines.
3 This includes processing operations that involve the following: (i) information that would likely affect national security, public safety, public order or public health; (ii) information required by applicable laws or rules to be confidential; (iii) vulnerable data subjects like minors, the mentally ill, asylum seekers, the elderly, patients, those involving criminal offenses, or in any other case where an imbalance exists in the relationship between a data subject and a PIC or PIP; or (iv) those involving automated decision-making or profiling.
4 Section 1 of the Circular states, “The provisions of this Circular shall apply to any natural or juridical person in the government or private sector processing personal data and operating in the Philippines, subject to the relevant provisions of the DPA, its IRR, and other applicable issuances of the NPC.”

LOGO Philippines_QuisumbingTorres_Manila

Please contact QTInfoDesk@quisumbingtorres.com for inquiries.

VISIT QUISUMBING TORRES SITE

Categories:
Author

Bienvenido Marquez III is a partner in Quisumbing Torres' Intellectual Property, Data and Technology Practice Group. He also co-heads the Consumer Goods & Retail Industry Group and is a member of the Technology, Media & Telecommunications Group. He participates in initiatives of Baker & McKenzie International of which Quisumbing Torres is a member firm. He is a member of Baker McKenzie's Asia Pacific Intellectual Property Business Unit for Brand Enforcement. He is immediate Past President of the Philippine Chapter of the Licensing Executives Society International (2019-2021), and is currently co-chair of the LESI Asia Pacific. He is also a member of the Anti-Counterfeiting Committee of the International Trademarks Association (INTA). He has been appointed as member of the INTA Asia Global Advisory Council (GAC) for 2022 to 2023, making him the only Philippine representative on the council.

Bien has vast experience in handling IP enforcement litigation, trademark and patent prosecution and maintenance, copyright, data privacy, information security, IT, telecommunications, e-commerce, electronic transactions, cyber security and cybercrime. He has been consistently ranked as a leading individual for Intellectual Property and TMT in Legal 500 Asia Pacific, Chambers Asia Pacific, asialaw Leading Lawyers, Managing IP Stars, Asia IP, and World Trademark Review. He was also recognized as a Volunteer Service Awardee by INTA in 2018.

Author

Divina Ilas-Panganiban, CIPM is a partner and the head of Quisumbing Torres’ Intellectual Property, Data and Technology Practice Group and co-heads the Technology, Media & Telecommunications (TMT) Industry Group. She participates in initiatives of Baker & McKenzie International of which Quisumbing Torres is a member firm. She is a member of Baker & McKenzie International's Asia Pacific TMT, and the Asia Pacific Intellectual Property Steering Committees.
Divina is a Certified Information Privacy Manager by the International Association of Privacy Professionals (IAPP). She currently serves as the Vice-President and Director of the Philippine Chapter of the Licensing Executives Society International, the Regional Vice-chair of the LESI's Education Committee, the Co-chairperson of the Committee on Intellectual Property Rights of The American Chamber of Commerce of the Philippines, and the Chairperson of the IAPP KnowledgeNet Chapter for the Philippines.
Divina was recently appointed to be a member of the Advisory Council for Intellectual Property (ACIP) of the Intellectual Property Office of the Philippines (IPOPHL). The ACIP is an advisory board composed of a select group of people from different sector to which IP is of great value. She was recently recognized in the Hall of Fame for Best External Lecturers by the IP Academy of the IPOPHL.
Divina just finished her stint as the chair the Unreal Campaign of the International Trademarks Association (INTA) for East Asia and the Pacific and continues to organize anti-counterfeiting activities in schools and universities around the country, educating the youth about the importance of intellectual property protection.
Divina is a multi-awarded lawyer with a stellar track record in the IP, data and technology fields. She has garnered numerous awards and accolades, including the Woman Lawyer of the Year by the ALB Philippine Law Awards 2023. She has been cited as leading lawyer for intellectual Property and TMT by The Legal 500 Asia Pacific, Chambers Asia Pacific, Managing IP, World Trademark, Asialaw and IAM Patent 1000, among others. Known for her exceptional legal expertise and unwavering commitment to her clients, Divina has established herself as a leader in her profession.

Related Posts

Write A Comment