Philippines - National Privacy Commission Extends Registration Validity To 8 March 2020; Issues Revised Registration Guidelines.
Legal News & Analysis - Asia Pacific - Philippines - Regulatory & Compliance
26 February, 2019
Personal information controllers and processors who have successfully registered their respective Data Protection Officers (DPO) with the National Privacy Commission (NPC) need not renew the registration when it is set to expire on 8 March 2019. The NPC, through its official website and Facebook page, announced that the validity of existing DPO registrations is extended until 8 March 2020. DPO registrants may also now secure from the NPC a digital certificate of registration by sending an email request to DPO Registration using the DPO’s email address, as registered with the NPC.
The NPC’s requirement for the registration of data processing systems (DPS), or "Phase 2" registration, is currently suspended. Companies which previously completed their DPS registration are presently not required to update the registration information in their respective NPC online accounts. The Commission announced that a personal information controller or processor whose DPO registration has been validated by the NPC is already deemed compliant with the registration requirement.
The NPC requires all organizations, which are covered by the registration requirement, to register their respective DPOs with the NPC. Failure to comply with the registration requirement will be considered as an "aggravating circumstance" by the NPC in the conduct of compliance checks or in case of an investigation of a security incident. Registration of a DPO is initiated by submitting electronic copies of a notarized DPO form and supporting documents to the NPC. Upon the NPC’s finding of sufficiency of the submitted documents, the registered DPO may then request for a digital registration certificate.
Clients are urged to evaluate their personal information processing activities in the Philippines in order to determine whether they are subject to the mandatory registration with the NPC. Those required to register must do so as soon as possible or at most, within two (2) months from the start of operations. Organizations that are currently registered are also mandated to amend or update their DPO registration information within two (2) months from the effective date of the change. All persons and organizations, whether required to register with the NPC or otherwise, should also create and maintain records of their processing activities in order to fully and effectively comply with the Data Privacy Act, its Implementing Rules and Regulations, and the requirements of the NPC.
For further information, please contact:
Bienvenido Marquez, Partner, Quisumbing Torres
 A personal information controller (PIC) or personal information processor (PIP) shall register with the NPC if it is processing personal data and operating in the country under any of the following conditions:
- the PIC or PIP employs at least two hundred fifty (250) employees;
- the processing includes sensitive personal information of at least one thousand (1,000) individuals; or
- it belongs to any of the business sectors identified by the NPC as covered by the registration requirement.
 Implementing Rules and Regulations of the Data Privacy Act of 2012, Rule VI, Section 26(c):
Records of Processing Activities. Any natural or juridical person or other body involved in the processing of personal data shall maintain records that sufficiently describe its data processing system, and identify the duties and responsibilities of those individuals who will have access to personal data. Records should include:
- Information about the purpose of the processing of personal data, including any intended future processing or data sharing;
- A description of all categories of data subjects, personal data, and recipients of such personal data that will be involved in the processing;
- General information about the data flow within the organization, from the time of collection, processing, and retention, including the time limits for disposal or erasure of personal data;
- A general description of the organizational, physical, and technical security measures in place;
- The name and contact details of the personal information controller and, where applicable, the joint controller, the its representative, and the compliance officer or Data Protection Officer, or any other individual or individuals accountable for ensuring compliance with the applicable laws and regulations for the protection of data privacy and security.