Professional Documents
Culture Documents
Under the implementing rules and regulations (IRR), the Personal Information Controllers (PICs) and
the Personal Information Processors (PIPs) are mandated to register their personal data processing
systems with the NPC under the following conditions:
Registration
A PIC or PIP shall register through the Commission’s official website (https://privacy.gov.ph/) in
two (2) phases:
A. Phase I.
e. Independent in the exercise of his or her functions such that the performance
of his or her duties will not give rise to a conflict of interest.
Upon review and validation of the submission, the Commission shall provide the PIC
or PIP via email an access code, which shall allow it to proceed to Phase II of the
registration process
* Initial registration has already ended on September 11, 2017. But PICs and PIPs are
still allowed to register but will be considered as late registrants and will be a priority
in the NPC’s audit.
B. Phase II. Using the access code provided by the Commission, a PIC or PIP shall proceed to
the online registration platform and provide all relevant information regarding its data
processing systems. The Commission shall notify the PIC or PIP via email to confirm the
latter’s successful completion of the registration process.
Subject to additional requirements as may be imposed by the NPC, covered entities should
prepare the following information and documents:
1. The name and address of the personal information controller or personal information
processor, and of its representative, if any, including their contact details
2. The purpose or purposes of the processing, and whether processing is being done
under an outsourcing or subcontracting agreement
3. A description of the category or categories of data subjects, and of the data or
categories of data relating to them
4. The recipients or categories of recipients to whom the data might be disclosed
5. Proposed transfers of personal data outside the Philippines
6. A general description of privacy and security measures for data protection
7. Brief description of the data processing system
8. Copy of all policies relating to data governance, data privacy, and information
security
9. Attestation to all certifications attained that are related to information and
communications processing, and
10. Name and contact details of the DPO.
PICs and PIPs are also encouraged to fill out the Privacy Impact Assessment because though this is
supposed to be merely an internal matter, the NPC usually asks for this. A template is provided for in
this website: https://privacy.gov.ph/wp-content/uploads/NPC-PIA-Template-v2.pdf