Philippines

Phase II Registration with National Privacy Commission

By: Franchette M. Acosta, Senior Partner, Villaraza & Angangco
E: fm.acosta@thefirmva.com l http://www.thefirmva.com

Pursuant to the Data Privacy Act of 2012, covered Personal Information Controllers (PICs) and Personal Information Processors (PIPs) complied with Phase I registration with the National Privacy Commission (NPC) by 8 September 2017 or within 2 months from commencement of their data processing systems. Registration of the PICs or PIPs under Phase I was accomplished through the designated Data Protection Officer (“DPO”).

cyber_privacy_1_small_1920The regulations of the National Privacy Commission state that Phase II of the registration requirement will be triggered by an NPC notice providing an access code for online registration. Regulations provide that through the online registration, the PIC or the PIP should provide the following information:

  • name and contact details of the PIC or PIP and DPO;

  • purpose of the entity;

  • information on privacy and security measures for data protection, including policies relating to data governance, data privacy, and information security;

  • data processing certifications secured by the PIC or PIP or personnel;

  • description of the data processing system, including name of the system, purpose of processing, whether processing is done as PIC, PIP or both and whether processing is outsourced or subcontracted;

  • notification regarding automated decision-making operation;

  • categories of data subjects;

  • recipients or categories of recipients to whom the personal data might be disclosed; and

  • whether any of the personal data will be transferred outside the Philippines.

However, the NPC appears to have simplified the process and requires the disclosure of the name and contact details of the PIC, PIP and DPO, the purpose of the entity and the name of the data processing system and its purpose.

The NPC will issue a Certificate of Registration upon completion of registration. Unless revoked by the NPC, a certificate of registration is valid up to 8 March of the following year. If there are any significant changes in registration information and data processing system, amendments should be reported within a period of 2 months from the date of change. Significant changes include changes in the purpose of processing, categories of data subjects and recipients of personal data. New data processing systems or automated decision-making processes will also have to be disclosed. The NPC is mandated to verify registration information provided by a PIC or PIP through on-site examination of its data processing system.

Deadline for Phase II registration is 8 March 2018. The NPC has started notifying DPOs regarding Phase II registration. PICs who have not received an e-mail from NPC may contact the NPC directly.

This summary of relevant NPC circulars is for information purposes only and is not intended to constitute legal advice.Franchette M. Acosta

E: fm.acosta@thefirmva.com
W: http://www.thefirmva.com

Related Articles by Firm
Law passed promoting ease of doing business in the Philippines
A law promoting the ease of doing business and efficient delivery of government services took effect this June 2018.
Non-bank credit card issuers subject to new Bangko Sentral Regulations
To ensure that credit card issuers have the capacity to deliver services efficiently and securely, management must implement appropriate risk management and control systems.
Joint Venture Guidelines of the Philippine Reclamation Authority
The Guidelines govern all JVAs formed for the development and disposition of PRA’s existing properties and projects.
The Philippine Anti-Money Laundering Commission extends compliance requirement
Jewellery dealers, dealers in precious metals and dealers in precious stones are now deemed covered persons.
Philippines: Bureau of Internal Revenue Clarifies Taxes on Offshore Gaming
The Bureau of Internal Revenue (BIR) issued Revenue Circular No. 102-2017 clarifying the tax imposed on entities engaged in Philippine offshore gaming operations ...
Law Passed Strengthening Consumer Protection in the Philippines
On December 19, 2017, the Gift Check Act of 2017 (Republic Act No. 10962) was signed into law ...
Casino Covered by Philippine Anti-Money Laundering Laws
The Philippine government has expanded anti-money laundering laws to include casinos, including internet and ship-based casinos ...
Philippine rules on merger procedure
The Philippine Competition Commission issued the Rules on Merger Procedure which explain the timing for the filing of a notice for covered transactions, the procedure for notification, Phase 1 and Phase 2 review and other matters, including confidentiality claims ...
Philippines: Timing for Notification under the PCC Rules on Merger Procedure
The Philippine Competition Commission published its Rules on Merger Procedure ...
Joint Venture Agreements with Philippine Local Government Units as Public-Private Partnership Modality
The Duterte Administration is poised to fund its aggressive infrastructure program internally and through official development assistance ...
Update on Data Privacy Law Compliance in the Philippines
Automated Decision-Making Operations, Institutions Likely to Pose Threats to Data Subjects and Phase 1 and Phase 2 of Registration with the NPC ...
Philippine Competition Commission Merger Review Guidelines
On 23 March 2017 the The Philippine Competition Commission (PCC) released the Merger Review Guidelines ...
Related Articles
Related Articles by Jurisdiction
Implementation of the data privacy act in Philippines now in full swing
Since 2012, the Philippines has had a comprehensive law governing personal data privacy. However, full implementation ...
Cyber bullying in the Philippines
The pen is mightier than the sword or so the adage goes. When this was once said, it was to highlight the power of thoughts and ideas over brute force and violence as a way to effect change. Today, the ...
Latest Articles