In compliance with NPC Circular No. 2022-04 effective 11 January 2022, all Data Processing Systems processing personal or sensitive personal information involving automated decision-making or profiling shall, in all instances, be registered with the National Privacy Commission (“NPC”). Moreover, all covered personal information controllers (“PIC”) and personal information processors (“PIP”) shall complete the registration of all data processing systems within one hundred eighty (180) days from the effectivity date of the Circular, or until 10 July 2023, via the National Privacy Commission Registration System (“NPCRS”) (https://npcregistration.privacy.gov.ph).
Under said Circular, all applications for registration of Data Processing Systems (“DPS”) and Data Protection Officer (“DPO”) shall only be made through the NPCRS. Registration through physical submission of requirements is not allowed. Thus, PICs or PIPs who will register must create an account with the NPCRS.
Mandatory Registration
Please note that not all entities are required to create and account with the NPCRS. Only the following PICs or PIPs are mandated to register its data processing systems:
a. A PIC or PIP that employs two hundred fifty (250) or more persons; or
b. Those processing sensitive personal information of one thousand (1,000) or more individuals; or
c. Those processing data that will likely pose a risk to the rights and freedoms of data subjects shall egister all Data Processing Systems; or
d. Government Agency or Instrumentality.
In instances where the PIC provides the PIP with the system, it is the PIC who is obligated to register the same with the NPC. Further, A PIC who uses a system as a service shall register the same indicating the fact that processing is done through a service provider.
Voluntary Registration
PICs or PIPs whose Data Processing System does not operate under any of the conditions set out above may register voluntarily.
When to Register
A covered PIC or PIP shall register its newly implemented Data Processing System or inaugural DPO in the NPC’s official registration platform within twenty (20) days from the commencement of such system or the effectivity date of such appointment.
In the event a covered PIC or PIP seeks to apply minor amendments to its existing registration information, which includes updates on an existing Data Processing System, or a change in DPO, the PIC or PIP shall update the system within ten (10) days from the system update or effectivity of the appointment of the new DPO.
Registration Process
A PIC or PIP shall create an account by signing up in the NPC’s official registration platform through the NPCRS. The prescribed application form shall be accomplished and shall be uploaded together with all the supporting documents.
The NPC shall issue a Certificate of Registration in favor of a PIC or PIP that has successfully completed the registration process.
Validity
The Certificate of Registration shall be valid for one (1) year from its date of issuance.
Imposition of Administrative Fines
Finally, a PIC or PIP covered by Mandatory Registration who shall be in violation of the same, shall be subject to the corresponding fine in accordance with NPC Circular No. 2022-01 or the Guidelines on Administrative Fines.
Our team of legal professionals is well-versed in data privacy law and have completed extensive work on corporate compliance on data privacy regulations, data privacy litigation, and assistance to clients for compliance with Orders and Inspections by the NPC, among others.
In view of the nearing deadline for the mandatory registration of the company’s Data Processing Systems and Data Protection Officer on 10 July 2023, please feel free to reach out to us if you have any questions or if you would like to discuss how we can assist you on this matter. You may contact:
RAMON MANOLO A. ALCASABAS
Partner
JEROME D. CANLAS
Partner