Data Privacy Act

Who are covered:

Under the implementing rules and regulations (IRR), the Personal Information Controllers (PICs) and
the Personal Information Processors (PIPs) are mandated to register their personal data processing
systems with the NPC under the following conditions:

• If sensitive personal information of at least 1,000 individuals is processed;
   o Sensitive personal information refers to personal information:
      - About an individual’s race, ethnic origin, marital status, age, color, and
        religious, philosophical or political affiliations;
      - About an individual’s health, education, genetic or sexual life of a person, or
        to any proceeding for any offense committed or alleged to have been
        committed by such individual, the disposal of such proceedings, or the
        sentence of any court in such proceedings;
      - Issued by government agencies peculiar to an individual which includes, but
        is not limited to, social security numbers, previous or current health records,
        licenses or its denials, suspension or revocation, and tax returns; and
      - Specifically established by an executive order or an act of Congress to be
        kept classified.
• If the personal information controller or processor employs at least 250 persons;
• If less than 250 persons are employed but the processing is not occasional; or
• If less than 250 persons are employed but the processing of the information might pose a
risk to the rights and freedoms of the data subject.

Registration

A PIC or PIP shall register through the Commission’s official website (https://privacy.gov.ph/) in
two (2) phases:

A. Phase I.

i. Appoint a Data Protection Officer (DPO), who has:

   a. Expertise in relevant privacy or data protection policies and practices
   b. Sufficient understanding of their organisation's processing operations,
      information systems, data security, and/or data protection needs
   c. A full-time or organic employee of the personal information controller or
      processor, as applicable
   d. A regular or permanent employee of the personal information controller or
      processor, as applicable, who should hold at least a 2-year employment
      contract with his or her organisation, and
   e. Independent in the exercise of his or her functions such that the performance
      of his or her duties will not give rise to a conflict of interest.

   o By submitting Duly-notarized Secretary’s Certificate authorizing the appointment
     or designation of DPO, or any other document that demonstrates the validity of the
     appointment or designation.
ii. A PIC or PIP, through its DPO, shall accomplish the prescribed application form,
have it notarized and submit the same to the Commission together with all supporting
documents such as:

   a. Certified true copy of any of the following documents, where applicable:
      a) Certificate of Registration (SEC Certificate, DTI Certification of
         Business Name or Sole Proprietorship) or any similar document;
         and/or
      b) Franchise, license to operate, or any similar document.

Upon review and validation of the submission, the Commission shall provide the PIC
or PIP via email an access code, which shall allow it to proceed to Phase II of the
registration process.

* Initial registration ended on September 11, 2017. PICs and PIPs may still
register, but they will be considered late registrants and will be a priority
in the NPC’s audit.

B. Phase II. Using the access code provided by the Commission, a PIC or PIP shall proceed to
the online registration platform and provide all relevant information regarding its data
processing systems. The Commission shall notify the PIC or PIP via email to confirm the
latter’s successful completion of the registration process.

Subject to additional requirements as may be imposed by the NPC, covered entities should
prepare the following information and documents:

1. The name and address of the personal information controller or personal information
processor, and of its representative, if any, including their contact details
2. The purpose or purposes of the processing, and whether processing is being done
under an outsourcing or subcontracting agreement
3. A description of the category or categories of data subjects, and of the data or
categories of data relating to them
4. The recipients or categories of recipients to whom the data might be disclosed
5. Proposed transfers of personal data outside the Philippines
6. A general description of privacy and security measures for data protection
7. Brief description of the data processing system
8. Copy of all policies relating to data governance, data privacy, and information
security
9. Attestation to all certifications attained that are related to information and
communications processing, and
10. Name and contact details of the DPO.

The deadline for compliance with Phase II is March 8, 2018.

PICs and PIPs are also encouraged to fill out the Privacy Impact Assessment: although it is
supposed to be merely an internal matter, the NPC usually asks for it. A template is available at:
https://privacy.gov.ph/wp-content/uploads/NPC-PIA-Template-v2.pdf
