The National Privacy Commission (NPC) announced1 that Phase 2 of the registration process, which is the registration of personal data processing systems of personal information controllers and processors operating in the Philippines, is now due on 8 March 2018. The deadline to register Data Protection Officers (DPOs) with the NPC, constituting the Phase 1 of the registration process, remains on 9 September 2017.
NPC Newsletter for DPOs
The first issue of the Data Privacy Forum, the NPC's bi-monthly newsletter for the DPO community in the Philippines, was also recently released.2 The electronic newsletter is aimed to provide the Philippine DPO community with updates on the NPC's advisory, monitoring, and enforcement activities. Geared towards providing personal information controllers and processors, particularly DPOs, of relevant information and updates on data privacy matters, the NPC newsletter is available for download from the NPC's official website, www.privacy.gov.ph, or via subscription of DPOs registered with the NPC.
Actions to Consider
For Phase 1: Clients are strongly urged to register with the NPC their duly appointed DPOs by the 9 September 2017 deadline, by submitting a notarized DPO reporting form and supporting documents. As advised by the NPC in its Advisory No. 2017-01 (Designation of Data Protection Officers), a DPO should have the following qualifications:
- Expertise in relevant privacy or data protection policies and practices;
- Sufficient understanding of their organization's processing operations, information systems, data security, and/or data protection needs;
- A full-time or organic employee of the personal information controller or processor, as applicable;
- A regular or permanent employee of the personal information controller or processor, as applicable, who should hold at least a 2-year employment contract with their organization; and
- Independent in the exercise of his or her functions such that the performance of their duties will not give rise to a conflict of interests.
For Phase 2: Organizations covered by the requirement to register their data processing systems with the NPC should have also commenced preparing for the 8 March 2018 deadline. In line with the requirements3 of the Implementing Rules and Regulations of the Data Privacy Act of 2012 and subject to additional requirements as may be imposed by the NPC in the imminent future, clients are advised to prepare the following information and documents for Phase 2 of the registration process:
- The name and address of the personal information controller or personal information processor, and of its representative, if any, including their contact details;
- The purpose or purposes of the processing, and whether processing is being done under an outsourcing or subcontracting agreement;
- A description of the category or categories of data subjects, and of the data or categories of data relating to them;
- The recipients or categories of recipients to whom the data might be disclosed;
- Proposed transfers of personal data outside the Philippines;
- A general description of privacy and security measures for data protection;
- Brief description of the data processing system;
- Copy of all policies relating to data governance, data privacy, and information security;
- Attestation to all certifications attained that are related to information and communications processing; and
- Name and contact details of the DPO.
The NPC is set to issue its official guidelines on Phase 2 of the registration process. Our Firm is closely monitoring developments on this important compliance matter. Clients are also encouraged to stay tuned for further updates.