Philippines - NPC Registration Guidelines For Data Processing Systems Takes Effect.
Legal News & Analysis - Asia Pacific - Philippines - Regulatory & Compliance
11 September, 2017
It is mandatory for all natural and juridical persons operating in the Philippines and processing personal information, to register with the National Privacy Commission (NPC) their data processing systems on or before 8 March 2018.1
The NPC Circular 17-01 on the Registration of Data Processing Systems and Notification Regarding Automated Decision- Making ("DPS Registration Circular") shall take effect on 9 September 2017, fifteen (15) days after its publication on 25 August 2017.2 It defines a "Data Processing System" as a structure and procedure by which personal data is collected and further processed in an information and communications system or relevant filing system, including the purpose and intended output of the processing.3
Registration is required if entities meet any of the following criteria:
(a) the personal information controller (PIC) or personal information processor (PIP) employs at least two hundred fifty (250) employees;
(b) the processing includes sensitive personal information of at least one thousand (1,000) individuals;
(c) the processing is likely to pose a risk to the rights and freedoms of data subjects; or
(d) the processing is not occasional.
The NPC also released, together with the DPS Registration Circular, the initial list of sectors or institutions which meet criteria (c) and/or (d) above for mandatory registration of data processing systems.4 The list includes government agencies, banks and financial institutions, telecommunications networks, BPOs, the academe, hospitals, insurance companies and brokers, direct marketers and networkers, providers of reward cards and loyalty programs, pharmaceutical companies engaged in research, PIPs of the foregoing PICs, and operators of data processing systems involving automated decision-making.5
The initial deadline for mandatory registration of existing data processing systems, constituting Phase 26 of the registration process, is 8 March 2018. On the other hand, systems which have yet to operate before said date are required to be registered within two (2) months from start of operations.7 The registration should be renewed annually or within two (2) months preceding March 8 of every year.8
The NPC intends to set up an online registration platform for the registration of data processing systems. If a PIC or PIP did not comply with Phase 1 of the registration process, which is the appointment and registration of Data Protection Officers (DPOs), it will unlikely be able to proceed with said online registration process.9
PICs or PIPs must submit the following information and documents to the NPC:10
- name and contact details of the PIC or PIP, head of agency or organization, and DPO;
- purpose or mandate of the government agency or private entity;
- identification of all existing policies relating to data governance, data privacy, and information security, and other documents that provide a general description of privacy and security measures for data protection;
- attestation regarding certifications attained by the PIC or PIP, including its relevant personnel, that are related to personal data processing;
- brief description of data processing system or systems, as follows:
5.1. name of the system;
5.2. purpose or purposes of the processing;
5.3. whether processing is being done as a PIC, PIP, or both;
5.4. whether the system is outsourced or subcontracted, and if so, the name and contact details of the PIP;
5.5. description of the category or categories of data subjects, and their personal data or categories thereof;
5.6. recipients or categories of recipients to whom the personal data might be disclosed; and
5.7. whether personal data is transferred outside of the Philippines;
6. notification regarding any automated decision-making operation.
Enforcement and Penalties
Registration of data processing systems is one of the ways by which a PIC or PIP shows compliance with the Data Privacy Act of 2012 (DPA).11 Accordingly, the NPC, in the exercise of its authority to enforce the DPA, may check the compliance by PICs and PIPs, through verification of their submitted registration information, onsite examination of data processing systems, and review of policies, documents, and additional information which may be required by the NPC.12
The NPC may impose administrative penalties on PICs and PIPs who fail to register their data processing systems, or those with incomplete, revoked, or expired registration. Penalties include compliance and enforcement orders, cease and desist orders, temporary or permanent bans on the processing of personal data, or payment of fines.13 The NPC may also issue cease-and-desist orders on PICs or PIPs which fail to notify the commission of automated decision-making processes.14
Actions to Consider
Clients are advised to evaluate their current data processing activities to determine whether they are covered by the requirement to register with the NPC. Covered PICs and PIPs should have already appointed their respective DPOs. Under NPC Advisory No. 2017-01 on the Designation of Data Protection Officers, the registration of the appointed DPOs with the NPC must be completed by 9 September 2017.
Additionally, clients are also strongly urged to prepare for the 8 March 2018 deadline for the registration of their respective data processing systems by preparing the information and documents listed above. Compliance with the DPA and its Implementing Rules and Regulations should be manifest in the PIC or PIP's processes and policies. Clients should therefore ensure that their data processing operations include the required consents, privacy notices, privacy manuals or policies, data transfer agreements, outsourcing/subcontracting agreements, and data breach management policies.
A thorough evaluation of, and alignment by, each organization's data processing operations vis-à-vis the requirements of the DPA, the Implementing Rules and Regulations, and issuances of the NPC, should be given paramount priority and urgent importance to avoid any future compliance issues which may result in the organization being ordered by the NPC to cease from any personal data processing activity.
- Section 31, DPS Registration Circular.
- Section 34, DPS Registration Circular.
- Section 3(F), DPS Registration Circular.
- Appendix 1, DPS Registration Circular.
- Section 3(b), DPS Registration Circular. "Automated Decision-making" refers to a wholly or partially automated processing operation that
- serves as the sole basis for making decisions that would significantly affect a data subject. It includes the process of profiling based on an
- individual’s economic situation, political or religious beliefs, behavioral or marketing activities, electronic communication data, location data,
- and financial data, among others.
- Phase 1 of the mandatory registration process, which covers the registration of Data Protection Officers, is due on 9 September 2017. Section 7, DPS Registration Circular.
- Section 17, DPS Registration Circular.
- Per Section 9 of the DPS Registration Circular, a PIC or PIP may only proceed with online registration by using the access code provided by the NPC upon completion of Phase 1 registration. The same section, however, also states that manual registration before the NPC may be done if online access is not available.
- 10 11 12 13 14
- Contact us
- Bienvenido Marquez III
- Partner and Head
- Information, Technology & Communications Industry Group bienvenido.marquez @quisumbingtorres.com
- Section 11, DPS Registration Circular. Section 4(A), DPS Registration Circular. Sections 14 & 26, DPS Registration Circular. Section 29, DPS Registration Circular. Section 30, DPS Registration Circular.
For further information, please contact:
Bienvenido Marquez, Partner, Quisumbing Torres