Phase II Registration with National Privacy Commission
By: Franchette M. Acosta, Senior Partner, Villaraza & Angangco
E: fm.acosta@thefirmva.com l http://www.thefirmva.com
Pursuant to the Data Privacy Act of 2012, covered Personal Information Controllers (PICs) and Personal Information Processors (PIPs) complied with Phase I registration with the National Privacy Commission (NPC) by 8 September 2017 or within 2 months from commencement of their data processing systems. Registration of the PICs or PIPs under Phase I was accomplished through the designated Data Protection Officer (“DPO”).
The regulations of the National Privacy Commission state that Phase II of the registration requirement will be triggered by an NPC notice providing an access code for online registration. Regulations provide that through the online registration, the PIC or the PIP should provide the following information:
-
name and contact details of the PIC or PIP and DPO;
-
purpose of the entity;
-
information on privacy and security measures for data protection, including policies relating to data governance, data privacy, and information security;
-
data processing certifications secured by the PIC or PIP or personnel;
-
description of the data processing system, including name of the system, purpose of processing, whether processing is done as PIC, PIP or both and whether processing is outsourced or subcontracted;
-
notification regarding automated decision-making operation;
-
categories of data subjects;
-
recipients or categories of recipients to whom the personal data might be disclosed; and
-
whether any of the personal data will be transferred outside the Philippines.
However, the NPC appears to have simplified the process and requires the disclosure of the name and contact details of the PIC, PIP and DPO, the purpose of the entity and the name of the data processing system and its purpose.
The NPC will issue a Certificate of Registration upon completion of registration. Unless revoked by the NPC, a certificate of registration is valid up to 8 March of the following year. If there are any significant changes in registration information and data processing system, amendments should be reported within a period of 2 months from the date of change. Significant changes include changes in the purpose of processing, categories of data subjects and recipients of personal data. New data processing systems or automated decision-making processes will also have to be disclosed. The NPC is mandated to verify registration information provided by a PIC or PIP through on-site examination of its data processing system.
Deadline for Phase II registration is 8 March 2018. The NPC has started notifying DPOs regarding Phase II registration. PICs who have not received an e-mail from NPC may contact the NPC directly.
This summary of relevant NPC circulars is for information purposes only and is not intended to constitute legal advice.