The Data Privacy Act of 2012 (R.A. 10173) is landmark legislation in the Philippines that aims to protect individuals’ personal information by regulating the collection, processing, and storage of data, ensuring their security, and holding organizations accountable for compliance with privacy standards.
Under the DPA, government agencies and certain private organizations are required to register with the National Privacy Commission (NPC) based on the nature, scale, and sensitivity of the data they process. The registration requires the submission of key information about the organization’s data processing activities and the implementation of appropriate policies and measures that safeguard personal information.
What Are PICs and PIPs?
If you’re part of a company that processes personal data, whether the subjects are located within or outside the Philippines, you need Personal Information Controllers (PICs) and/or Personal Information Processors (PIPs) to oversee data collection and processing activities.
A Personal Information Controller (PIC) is an individual or organization that determines how personal information is collected, held, processed, or used. This also includes anyone who directs others to handle personal data on their behalf.
On the other hand, a Personal Information Processor (PIP) is an individual or organization that, under the DPA, is authorized to process personal data on behalf of a PIC. A PIC can outsource the processing of personal data to a PIP, but the PIP must act under the instructions of the PIC.
What Is a DPO?
Now, both PIC and PIP roles require a Data Protection Officer (DPO), who is accountable for ensuring their compliance with the DPA, its Implementing Rules and Regulations (IRR), related issuances of the NPC, and other applicable laws and regulations related to data privacy and security.
While the PIC or PIP is the de facto DPO, it is also possible to outsource or subcontract the functions of a DPO (or even the COP), who must oversee the performance of his or her functions by the third-party service provider and remain the contact person of the PIC or PIP vis-à-vis the NPC.
A Compliance Officer for Privacy (COP) can perform certain DPO functions in specific cases, such as within Local Government Units (LGUs), government agencies, private sector branches, or analogous situations, under the supervision of a DPO and with NPC approval as necessary.
What Are the Qualifications of a DPO?
A Data Protection Officer (DPO) must meet specific qualifications to effectively manage data privacy and protection responsibilities within an organization. A DPO should:
- Be a full-time or organic employee of the PIC or PIP (i.e., if the employment is based on a contract, the term should be at least two (2) years);
- Be knowledgeable on relevant privacy or data protection policies and practices;
- Have adequate knowledge and understanding of the processing operations being carried out by the PIC or PIP, including information systems, data security, and data protection needs; and
- Be given sufficient time, resources, and training to carry out his or her functions.
What Are the Responsibilities of a DPO?
To effectively fulfill the role of ensuring the organization’s compliance with the DPA and other applicable laws, a DPO has the following responsibilities:
- Monitor the PIC’s or PIP’s compliance with the DPA, its IRR, issuances by the NPC, and other applicable laws and policies;
- Ensure the conduct of Privacy Impact Assessments (PIA) relative to activities, measures, projects, programs, or systems of the PIC or PIP;
- Advise the PIC or PIP regarding complaints and/or the exercise by data subjects of their rights (e.g., requests for information, clarifications, rectification, or deletion of personal data);
- Ensure proper data breach and security incident management by the PIC or PIP, including the latter’s preparation and submission to the NPC of reports and other documentation concerning security incidents or data breaches within the prescribed period;
- Inform and cultivate awareness on privacy and data protection within the organization, including all relevant laws, rules and regulations, and issuances of the NPC;
- Advocate for the development, review, and/or revision of policies, guidelines, projects, and/or programs of the PIC or PIP relating to privacy and data protection by adopting a privacy-by-design approach;
- Serve as the contact person of the PIC or PIP vis-à-vis data subjects, the NPC, and other authorities in all matters concerning data privacy or security issues or concerns and the PIC or PIP;
- Cooperate, coordinate, and seek advice from the NPC regarding matters concerning data privacy and security; and
- Perform other duties and tasks that may be assigned by the PIC or PIP that will further the interest of data privacy and security and uphold the rights of the data subjects.
What Documents Should Contain the Contact Details of the DPO?
The designation, postal address, dedicated telephone number, and email address of the DPO should be included and published on the company website, privacy notice, privacy policy, and privacy manual.
While the name(s) of the DPO need not be published, they should be made available upon request by a data subject or the NPC. Additionally, when registering data processing systems, the name and contact information of the DPO must also be provided.
How to Appoint a DPO in the Philippines
Appointing a Data Protection Officer (DPO) in the Philippines involves a structured process to ensure compliance with the DPA and safeguard personal data within organizations.
1. Identify the Need for a DPO.
The first step is determining whether your organization or company needs a DPO. If you process personal data regularly or on a large scale, or if you are a public authority or body, then the appointment of a DPO is required under the DPA.
2. Select a Qualified Candidate.
Once the need for a DPO is established, proceed to selecting a qualified candidate, who should have expertise in privacy laws and data protection practices and a clear understanding of your organization’s data processing activities. Refer to the qualifications discussed above for more information.
3. Formalize the Appointment.
After selecting the most suitable candidate, formalize the appointment by issuing an official contract or letter of appointment. The document should outline the DPO’s responsibilities, including overseeing compliance with the DPA, managing data protection risks, and serving as a point of contact for the NPC and data subjects.
4. Register the DPO with the NPC.
Your organization is then required to notify the National Privacy Commission (NPC) of the appointment. This can be done by submitting the necessary documentation and information, such as the DPO’s contact details, through the NPC’s online portal or through manual registration.
5. Provide Ongoing Support and Training.
After the DPO is appointed and registered, your organization must provide continuous support and training to ensure the DPO is equipped to effectively manage data protection responsibilities. Regular updates on changes to data protection laws and best practices, as well as adequate resources, should be provided to maintain a strong data privacy framework.
How to Register a DPO with the National Privacy Commission (NPC)
The registration of a Data Protection Officer (DPO) can be done either manually or online, giving organizations flexibility and convenience in meeting the data protection requirements.
Manual DPO Registration
You may manually process the DPO registration with NPC by following these steps:
[1] Download and accomplish the DPO Registration Form from the NPC official website and have it signed by your Head of Agency and the DPO.
[2] Notarize the form and attach supporting documents, such as the Special/Office Order/Secretary’s Certificate appointing the DPO and CTC of Business Registration (e.g., SEC Certificate, DTI Certification of Business Name, etc.).
[3] Submit the registration documents to the NPC at the 5th Floor Delegation Building, PICC Complex, Roxas Boulevard, Pasay City, Metro Manila, Philippines.
[4] Pay the necessary registration fees and secure the DPO Certificate of Registration.
Online DPO Registration
You may also process the DPO registration online via the NPC official website by following these steps:
[1] Visit the NPC official website and access the National Privacy Commission Registration System (NPCRS).
[2] Sign up and provide the name and contact details of the DPO.
[3] Select the Type of DPO/DPS Registration.
[4] Encode additional details, such as the name and contact details of your Head of Organization/Agency, data processing details, etc.
[5] Upload the prescribed supporting documents and save the registration.
[6] Export the DPO Form (PDF) automatically generated by the system.
[7] Print, sign, and notarize the form.
[8] Scan, upload, and submit.
[9] Pay the registration fees as instructed.
[10] Download the DPO Certificate of Registration.
Appointing and registering a Data Protection Officer (DPO) with the National Privacy Commission (NPC) is important to ensure that your organization complies with the Data Privacy Act (DPA) and upholds the highest standards of data protection. Your DPO plays a vital role in safeguarding personal information, managing risks, and ensuring that your data processing activities align with standards and legal requirements.
By registering with the NPC, your organization not only fulfills its regulatory obligations but also demonstrates its commitment to protecting the privacy rights of individuals. This proactive approach helps you build trust with clients and stakeholders, mitigates potential legal risks, and promotes a culture of privacy and security.
… and you might just need our assistance.
Ready to register your Data Protection Officer (DPO)? Set up a consultation with FilePino today! Call us at (02) 8478-5826 (landline) and 0917 892 2337 (mobile) or send an email to info@filepino.com.