ALBURO ALBURO AND ASSOCIATES LAW OFFICES


Registration of Data Processing System and Designation of Data Protection Officer mandated by NPC Circular No. 2022-04



The following post does not create a lawyer-client relationship between Alburo Alburo and Associates Law Offices (or any of its lawyers) and the reader. It is still best for you to engage the services of a lawyer or you may directly contact and consult Alburo Alburo and Associates Law Offices to address your specific legal concerns, if there are any.

Also, the matters contained in the following were written in accordance with the law, rules, and jurisprudence prevailing at the time of writing and posting, and do not include any future developments on the subject matter under discussion.

 


AT A GLANCE:

On December 5, 2022, the National Privacy Commission (NPC) issued Memorandum Circular (MC) No. 2022-04, which sets forth the framework for the Registration of Personal Data Processing System, Notification Regarding Automated Decision-Making or Profiling, Designation of Data Protection Officer, and the National Privacy Commission Seal of Registration.


The provisions of the said Circular shall apply to any natural or juridical person in the government or private sector processing personal data and operating in the Philippines, subject to the relevant provisions of the Data Privacy Act, its Implementing Rules and Regulations, and other applicable issuances of the NPC.


 

What is a Data Protection Officer?

In the said Memorandum, a Data Protection Officer was defined as an individual designated by the head of agency or organization to ensure its compliance with the Act, its IRR, and other issuances of the Commission: Provided, that, except where allowed otherwise by law or the Commission, the individual must be an organic employee of the government agency or private entity: Provided further, that a government agency or private entity may not have more than one DPO.

 

SALIENT PROVISIONS OF MC NO. 2022-04

SECTION 5. Mandatory Registration: A Personal Information Controller (PIC) or Personal Information Processor (PIP) that employs two hundred fifty (250) or more persons, or those processing sensitive personal information of one thousand (1,000) or more individuals, or those processing data that will likely pose a risk to the rights and freedoms of data subjects shall register all Data Processing Systems.  

  1. A Data Processing System processing personal or sensitive personal information involving automated decision-making or profiling shall, in all instances, be registered with the Commission. 
  2. A PIC or PIP shall register its own Data Processing System. In instances where the PIC provides the PIP with the system, the PIC is obligated to register the same. A PIC who uses a system as a service shall register the same indicating the fact that processing is done through a service provider.  A PIP who uses its own system as a service to process personal data must register with the Commission.
  3. A PIC or PIP who is an Individual Professional for mandatory registration shall register with the Commission. For this purpose, the following shall be considered:
     1. An Individual Professional is self-employed and practicing his or her profession as defined under this Circular;
     2. A business establishment, if registered as a PIC and operating under a different business name, partnership, firm, or other organization, shall not register separately as an Individual Professional;
     3. An Individual Professional shall be considered as the de facto Data Privacy Officer (DPO).

 

SECTION 6. Voluntary Registration. An application for registration by a PIC or PIP whose Data Processing System does not operate under any of the conditions set out in the preceding Section may register voluntarily following the process outlined in this Circular. 

A PIC or PIP who does not fall under mandatory registration and does not undertake voluntary registration shall submit a sworn declaration. The Commission through an Order may require a PIC or PIP to submit supporting documents related to this submission. 

 

SECTION 7. When to Register. A covered PIC or PIP shall register its newly implemented Data Processing System or inaugural DPO in the NPC’s official registration platform within twenty (20) days from the commencement of such system or the effectivity date of such appointment.  In the event a covered PIC or PIP seeks to apply minor amendments to its existing registration information, which includes updates on an existing Data Processing System, or a change in DPO, the PIC or PIP shall update the system within ten (10) days from the system update or effectivity of the appointment of the new DPO. 

 

SECTION 8. Authority to Register. A PIC or PIP shall file its application for registration through its designated DPO. A PIC or PIP shall only be allowed to register one (1) DPO, provided that in cases where a PIC or PIP has several branches, offices, or has a wide scope of operations, the PIC or PIP may designate one (1) or more Compliance Officers for Privacy (COP) who shall then be indicated as such in the DPO registration. Approval of the Commission is not required for COP designations.  

A COP shall always be under the direct supervision of the DPO. Under no circumstance shall the registered COP be treated as a DPO unless the DPO registration is amended to reflect such changes. 

Further, in cases where a COP is designated by the PIC or PIP, the registration shall be accompanied by the list of COPs clearly indicating the branch, office, unit, or region to which they are assigned along with the official e-mail address and contact number. 

In all cases, a PIC or a PIP is required to provide its DPO’s dedicated e-mail address that should be separate and distinct from the personal and work e-mail of the personnel assigned as a DPO. The DPO’s dedicated e-mail address must be maintained at all times to ensure that the Commission is able to communicate with the PIC and PIP. In case the individual designated as DPO vacates the position, the PIC or PIP should designate an interim DPO to monitor any communications sent through the official DPO e-mail address. 

A Common DPO shall be allowed so long as entities are registered separately. The Common DPO shall register each entity individually. Approval of the Commission is not required for Common DPO appointments. 

An Individual Professional shall register himself or herself as the DPO. In cases where the Individual Professional contracts another person to act as DPO he or she shall indicate such fact and provide the required contact details of such person in the registration record. The Commission through an Order may require a PIC or PIP to submit supporting documents related to this submission. 

 

SECTION 9. Registration Process. A PIC or PIP shall create an account by signing up in the NPC’s official registration platform where it shall provide details about the entity. 

  1. Upon signing up, the PIC or PIP shall input the name and contact details of the DPO together with a unique and dedicated email address, specific to the position of DPO pursuant to the provisions of the fourth paragraph of Section 8.
  2. During registration proper, the PIC or PIP shall encode the name and contact details of the Head of the Organization or Head of Agency.
  3. The prescribed application form shall be accomplished and shall be uploaded together with all supporting documents as provided under Section 11.
  4. The details of all Data Processing System owned by the PIC or PIP shall be encoded into the platform. All Data Processing System of the PIC or PIP at the time of initial registration must be encoded into the system. 
  5. The PIC or PIP shall identify and register all publicly facing online mobile or web based applications.
  6. The submissions of the PIC or PIP shall undergo review and validation by the Commission. In case of any deficiency, the PIC or PIP shall be informed of the same and shall be given five (5) days to submit the necessary requirements. Once the submissions have been validated and considered complete, the PIC or PIP shall be informed that the Certificate of Registration is available for download.  

An Individual Professional shall register only under his or her name, and indicate his or her principal business address and contact details.  

Registration through physical submission of requirements is not allowed. 

 

SECTION 10. Mandatory Appointment of DPO in the Government. A Government Agency is required to designate and register a DPO with a rank not lower than an Assistant Secretary or Executive Director IV in case the highest ranking official is a Department Secretary or a position of equivalent rank; at least Director IV level in case the highest ranking official is an Undersecretary or a position of equivalent rank; at least Director II level in case the highest ranking official is an Assistant Secretary or a position of equivalent rank; and at least a Division Chief in case the highest ranking official is a Regional Director or a position of equivalent rank.  For Local Government Units (LGUs), the Provincial, City and Municipal levels shall designate and register a DPO with a rank not lower than Department Head.  

Cities and Municipalities can designate a COP at the Barangay level, provided that the COP shall be under the supervision of the DPO of the corresponding City, or Municipality that the Barangay is part of. 

 

SECTION 11. Application Form. An application for registration filed by a PIC or PIP must be duly notarized and be accompanied by the following documents:  

A. For government agencies:  Special or Office Order, or any similar document, designating or appointing the DPO of the PIC or PIP; 

B. For domestic private entities: 

1. For Corporations:   

  1. (1) duly notarized Secretary’s Certificate authorizing the appointment or designation of DPO, or (2) any other document demonstrating the validity of the appointment or designation of the DPO signed by the Head of the Organization with an accompanying valid document conferring authority to the Head of Organization to designate or appoint persons to positions in the organization.
  2. Securities and Exchange Commission (SEC) Certificate of Registration.
  3. certified true copy of latest General Information Sheet.
  4. valid business permit.

2. For One Person Corporation 

  1. (1) duly notarized Secretary’s Certificate authorizing the appointment or designation of DPO, or (2) any other document that demonstrates the validity of the appointment or designation of DPO signed by the sole director of the One Person Corporation. 
  2. SEC Certificate of Registration 
  3. valid business permit.

3. For Partnerships 

  1. duly notarized Partnership Resolution or Special Power of Attorney authorizing the appointment or designation of DPO, or any other document that demonstrates the validity of the appointment or designation. 
  2. SEC Certificate of Registration. 
  3. valid business permit. 

4. Sole Proprietorships:  

  1. duly notarized document appointing the DPO and signed by the sole proprietor, in case the same should elect to appoint or designate another person as DPO. 
  2. DTI Certificate of Registration. 
  3. valid business permit. 

 

C. For foreign private entities:

  1. Authenticated copy or Apostille of Secretary’s Certificate authorizing the appointment or designation of DPO, or any other document that demonstrates the appointment or designation, with an English translation thereof if in a language other than English.
  2. Authenticated copy or Apostille of the following documents, with an English translation thereof if in a language other than English, where applicable:
     1. Latest General Information Sheet or any similar document.
     2. Registration Certificate (Corporation, Partnership, Proprietorship) or any similar document.
     3. valid business permit or any similar document.

 

SECTION 12. Details of Registration. In the NPC’s online registration platform, a PIC or PIP shall provide the following registration information:  

A. Details of the PIC or PIP, the Head of Agency or Organization, and the Data Protection Officer. 

  1.  name and contact details of the PIC or PIP, Head of Agency or Organization, and DPO as well as the designated COP, if any, with supporting documents. 
  2.  a unique and official email address specific to the position of DPO of the PIC or PIP, and not with the person who is the DPO. 
  3.  primary purpose of the private entity or the constitutional or statutory mandate of the government agency; 

B. Brief description per Data Processing System: 

  1.  name of the system;  
  2.  basis for the processing of information; 
  3.  purpose or purposes of the processing; 
  4.  whether processing is being performed as a PIC or PIP, if an organization uses the same system as a PIC and as a PIP, then the organization shall register such usage separately; 
  5.  whether the system is outsourced or subcontracted, and if so, the name and contact details of the PIP;  
  6.  description of the category or categories of data subjects, and their personal data or categories thereof;  
  7.  recipients or categories of recipients to whom the personal data might be disclosed;  
  8.  description of security measures (Organizational, Physical, and Technical) 
  9.  general information on the Data Life Cycle (Time, Manner, or Mode of Collection, Retention Period, and Disposal/Destruction/Deletion Method/Procedure) 
  10.  whether personal data is transferred outside of the Philippines; and 
  11.  the existence of Data Sharing Agreements with other parties; 

C. Identify all publicly facing online mobile or web-based applications, including internal apps with PIC or PIP employees as clients.

D. Notification regarding any automated decision-making operation or profiling.  

 

SECTION 13. Certificate of Registration. The Commission shall issue a Certificate of Registration in favor of a PIC or PIP, that has successfully completed the registration process. The Certificate of Registration shall only be considered as proof of such registration and not a verification of the contents thereof. 

Any party may request, in writing, an authenticated copy of the Certificate of Registration of a PIC or PIP, subject to payment of reasonable fees covered by a separate issuance for this specific purpose. 

 

SECTION 14. Validity. A Certificate of Registration shall be valid for one (1) year from its date of issuance; provided, that the certificate may be revoked by the Commission on any of the grounds provided for under this Circular and upon service of a Notice of Revocation to the PIC or PIP.  

 

SECTION 15. Verification. The Commission may, at any time, verify any or all registration information provided by a PIC or PIP through its compliance check function. Through a privacy sweep of publicly available information, notices of document submission or during on-site examination of the Data Processing System, all relevant documents shall be made available to the Commission.  

 

SECTION 16. Amendments or Updates. Subject to reasonable fees that may be prescribed by the Commission, major amendments to registration information shall be made within thirty (30) days from the date such changes take into effect. Major amendments are the changes to the following:  

  1.  Name of the PIC or PIP; and  
  2.  the Office Address of the PIC or PIP.  

Minor updates shall be made within ten (10) days from the date such changes take into effect. Updates shall include all other information other than those covered as a major amendment.  

The PIC or PIP shall fill-up the necessary form and submit accompanying supporting documents when required.  

 

SECTION 17. Non-Registration. A PIC or PIP shall be considered as unregistered under the following circumstances: 

  1. failure to register with the Commission in accordance with Section 7 of this Circular;
  2. expiration and non-renewal of Certificate of Registration; 
  3. non-submission of any deficiency in supporting documents within five (5) days from notice;
  4. rejection or disapproval of an application for registration, or an application for renewal of registration; or 
  5. revocation of the Certificate of Registration.   

 

SECTION 18. Renewal. A PIC or PIP may only renew its registration thirty (30) days before the expiration of the one-year validity of its Certificate of Registration.   

 

SECTION 19. Reasonable Fees. To recover administrative costs, the Commission may require the payment of reasonable fees for registration, renewal, and other purposes in accordance with a schedule that shall be provided in a separate issuance. 

 

SECTION 20. Imposition of Administrative Fines. A PIC or PIP covered by Mandatory Registration who shall be in violation of the same, shall be subject to the corresponding fine in accordance with the Guidelines on Administrative Fines.  

A PIC or PIP who failed to comply with an Order of the Commission to submit documents in relation to Section 5(A) and the last paragraph of Section 8 shall be liable for failure to register and failure to comply with an Order of the Commission. 

 

SECTION 21. Inaccessible DPO Accounts. In case a DPO account was not properly transferred, or in cases of inaccessibility to the registration platform due to lost credentials, or upon failure of a prior DPO to properly turn over the accountability to the registration platform, the PIC or PIP shall submit a notarized letter of explanation or any similar document as justification as to why the DPO account was lost or not properly transferred without prejudice to any administrative finding of failure to register or to update registration. 

Subject to reasonable fees that may be prescribed by the Commission, the Head of Agency or Head of Organization may request the retrieval of the account.  

 

SECTION 22. Withdrawal of Registration. Withdrawal of registration of information due to cessation of business, or in cases when personal data processing is no longer done or for other similar reasons, shall be made in writing and accompanied by supporting documents such as certified photocopy of SEC Certificates of Dissolution of corporation, or board resolutions, within two (2) months from the date such cessation takes effect which shall be submitted electronically via email. It shall be presumed that the PIC or PIP is still processing personal information or is still operating its business in the absence of an application for the withdrawal of registration. Verily, a PIC or PIP may still be a subject of a compliance check absent any showing that such withdrawal has been applied for. 

In case of death of an Individual Professional registrant, withdrawal may be done by the next of kin through written notification with a copy of the death certificate attached as proof which shall be submitted electronically via email.

 
