All Things Registration: National Privacy Commission Issues New Rules on Registration of Data Processing Systems

On December 5, 2022, the National Privacy Commission (NPC), the Philippine’s privacy regulator, issued NPC Circular No. 2022-04 entitled “Registration of Personal Data Processing System, Notification Regarding Automated Decision-Making or Profiling, Designation of Data Protection Officer, and the National Privacy Commission Seal of Registration” (Registration Circular), which took effect on January 11, 2023. The Registration Circular amended the registration framework for Data Processing Systems (DPS), previously governed by NPC Circular No. 17-01. The issuance of the Registration Circular was followed by the roll-out of the NPC Registration System (NPCRS) on February 3, 2023.

Personal Information Controllers (PICs) or Personal Information Processors (PIPs), including those not having a legal presence in the Philippines but nonetheless operate DPS in the Philippines, must assess whether any of their DPS meet the conditions for mandatory registration, and if so, register their DPS by July 10, 2023. Newly implemented DPS or inaugural DPO, on the other hand, are required to be registered within 20 days from the commencement of such system or the effectivity date of such appointment.

The Registration Circular covers online web-based and mobile applications that process personal data. PICs and PIPs not covered by mandatory registration must submit a Sworn Declaration and Undertaking for Exemption from Registration of DPS.

A PIC or PIP that is determined to have violated the registration requirements may, upon notice and hearing, be subject to compliance and enforcement orders, cease and desist orders, temporary or permanent bans on the processing of personal data, or payment of administrative fines.

Key provisions

  • Mandatory Registration. PICs or PIPs operating their DPS in the Philippines that employs at least 250 individuals or processes sensitive personal information of at least 1,000 individuals, among others, are required to register their DPS with the NPC.
  • Voluntary Registration. PICs or PIPs not covered by mandatory registration may nevertheless register their DPS.
  • Certificate of Registration. Registration shall be evidenced by a Certificate of Registration, which shall be valid for one year reckoned from its issuance. This Certificate of Registration may only be renewed within 30 days before the date of expiration.

Read the latest SyCipLaw TMT and Data Bulletin here or via this link.