Why register with the National Privacy Commission?

The Data Privacy Act of the Philippines (Republic Act 10173/DPA) and its Implementing Rules and Regulations (IRR) require Personal Information Controllers (PICs)  and Processors (PIPs) to register their Data Protection Officer (DPO) and Data Processing Systemwith the National Privacy Commission (NPC).

These privacy laws provide that if the PICs/PIPs fall under any of the following, they should register with the NPC:

1.        Have at least 250 employees; or

2.        Process sensitive personal information of at least 1,000 individuals; or

3.        Processing poses a risk to the rights of the data subject; or

4.        Processing of personal information is conducted in the regular course of business.

The registration of a Data Protection Officer is due last September 9, 2017, while the registration of a Data Processing System is due on March 8, 2018.

The designated DPO shall be accountable for ensuring the compliance by the PIC or PIP with the DPA, its IRR, issuances by the NPC, and other applicable laws and regulations relating to privacy and data protection.

The Data Processing System in a nutshell provides for the PIC/PIP’s purposes for processing of personal information, a general description of its privacy measures, and the policies relating to data governance, data privacy, and information security.

Registration of a DPO is required prior to the registration of the Data Processing System. Upon registration of a DPO, an access code will be given to the PIC/PIP that will allow it to register its Data Processing System. In the absence of a registered DPO, a PIP/PIC will not be able to register its Data Processing System.

In case of failure to comply with these registration requirements, the PIC/PIP will be exposing itself to the risk of committing acts which are considered violations of the privacy laws such as unauthorized processing of information and facilitating unauthorized access, among others. Acts which are considered violations of the privacy laws are punishable by imprisonment of 1 year to 6 years and a fine of P500,000.00 to P4,000,000.00. The PIC/PIP may also be prevented/restrained from processing personal information. These are on top of any damages that may be claimed by the data subject.

In response to the growing public awareness and regard for data protection, it is therefore expected that PICs/PIPs will comply with its obligations to register with the NPC. Considering that personal information has become a significant oil for commerce, compliance with the directives of the privacy laws will help PICs/PIPs to become more competitive and to gain more of its stakeholders’ trust and confidence.

Atty. Arnel D. Mateo

President & CEO

ADM and Partners

Data Privacy and Consulting Inc.

http://www.admprivacy.com