The National Privacy Commission (NPC) announced1 that Phase 2 of the registration process, which is the registration of personal data processing systems of personal information controllers and processors operating in the Philippines, is now due on 8 March 2018. The deadline to register Data Protection Officers (DPOs) with the NPC, constituting the Phase 1 of the registration process, remains on 9 September 2017.

NPC Newsletter for DPOs

The first issue of the Data Privacy Forum, the NPC's bi-monthly newsletter for the DPO community in the Philippines, was also recently released.2 The electronic newsletter is aimed to provide the Philippine DPO community with updates on the NPC's advisory, monitoring, and enforcement activities. Geared towards providing personal information controllers and processors, particularly DPOs, of relevant information and updates on data privacy matters, the NPC newsletter is available for download from the NPC's official website, www.privacy.gov.ph, or via subscription of DPOs registered with the NPC.

Noteworthy articles in the current issue of the Data Privacy Forum include guidance and recommendations for complying with the European Union General Data Protection Regulation (GDPR) vis-à-vis the Philippine Data Privacy Act of 2012 and best practices on data privacy compliance. Updates from the NPC's Compliance and Monitoring Division include a list of government and private organizations which have registered with the NPC as of 14 August 2017. Also significant is the mention of the current efforts of the Privacy Policy Office of the NPC on the guidelines on the registration of data processing systems and on privacy impact assessments (PIAs) which are soon to be issued. Also included in the newsletter are upcoming NPC-sponsored events for data privacy awareness, such as bi-monthly DPO briefings beginning on 16 and 30 August 2017. Each organization is allowed to send a maximum of three (3) representatives to the briefing.

Actions to Consider 

For Phase 1: Clients are strongly urged to register with the NPC their duly appointed DPOs by the 9 September 2017 deadline, by submitting a notarized DPO reporting form and supporting documents. As advised by the NPC in its Advisory No. 2017-01 (Designation of Data Protection Officers), a DPO should have the following qualifications:

  1. Expertise in relevant privacy or data protection policies and practices;
  2. Sufficient understanding of their organization's processing operations, information systems, data security, and/or data protection needs;
  3. A full-time or organic employee of the personal information controller or processor, as applicable;
  4. A regular or permanent employee of the personal information controller or processor, as applicable, who should hold at least a 2-year employment contract with their organization; and
  5. Independent in the exercise of his or her functions such that the performance of their duties will not give rise to a conflict of interests.

For Phase 2: Organizations covered by the requirement to register their data processing systems with the NPC should have also commenced preparing for the 8 March 2018 deadline. In line with the requirements3 of the Implementing Rules and Regulations of the Data Privacy Act of 2012 and subject to additional requirements as may be imposed by the NPC in the imminent future, clients are advised to prepare the following information and documents for Phase 2 of the registration process:

  1. The name and address of the personal information controller or personal information processor, and of its representative, if any, including their contact details;
  2. The purpose or purposes of the processing, and whether processing is being done under an outsourcing or subcontracting agreement;
  3. A description of the category or categories of data subjects, and of the data or categories of data relating to them;
  4. The recipients or categories of recipients to whom the data might be disclosed;
  5. Proposed transfers of personal data outside the Philippines;
  6. A general description of privacy and security measures for data protection;
  7. Brief description of the data processing system;
  8. Copy of all policies relating to data governance, data privacy, and information security;
  9. Attestation to all certifications attained that are related to information and communications processing; and
  10. Name and contact details of the DPO.

The NPC is set to issue its official guidelines on Phase 2 of the registration process. Our Firm is closely monitoring developments on this important compliance matter. Clients are also encouraged to stay tuned for further updates.