Category Archive: Announcement

• REMINDER ON MANDATORY DATA PROTECTION OFFICER AND DATA PROCESSING SYSTEM REGISTRATION

  July 7, 2023 3:54 pm Comments Off on REMINDER ON MANDATORY DATA PROTECTION OFFICER AND DATA PROCESSING SYSTEM REGISTRATION

  The National Privacy Commission (NPC) reminds the public that all covered personal information controllers (PICs) and personal information processors (PIPs) under Section 5 of NPC Circular No. 2022-04 dated 05 December 2022 are mandated to register their Data Protection Officer (DPO) and Data Processing Systems (DPS) within the periods provided for under Section 7 of the Circular, to wit:

  “SECTION 7. When to Register. A covered PIC or PIP shall register its newly implemented Data Processing System or inaugural DPO in the NPC’s official registration platform within twenty (20) days from the commencement of such system or the effectivity date of such appointment.

  In the event a covered PIC or PIP seeks to apply minor amendments to its existing registration information, which includes updates on an existing Data Processing System, or a change in DPO, the PIC or PIP shall update the system within ten (10) days from the system update or effectivity of the appointment of the new DPO.” (underlining supplied)

  Despite the aforestated deadlines, covered PICs and PIPS are allowed until 10 July 2023 to comply with the mandatory registration pursuant to Section 39 of the Circular as follows:

  “SECTION 39. Transitory Period. Notwithstanding the period in the first paragraph of Section 7 of this Circular; all covered PICs, and PIPs shall complete their Data Processing System and DPO registration within one hundred eighty (180) days from the effectivity of this Circular.” (underlining supplied)

  Additionally, please be clarified that the NPC Registration System (NPCRS) remains open even after 10 July 2023. However, non-compliance with Section 7 in relation to Section 39 of the Circular may constitute a violation thereof which may be subjected to enforcement action by the NPC.

  Certificates of registration with validity period until 08 March 2023 is only extended until 10 July 2023. New certificates of registration issued through the NPCRS will carry one year validity period. Certificates of registration shall remain valid until the certificate expires (e.g., issuance of certificate of registration and seal of registration is on 10 August 2023 - this shall be valid until 09 August 2024).

  Regular compliance checks of PICs and PIPs shall also continue as part of NPC’s monitoring function. Non-registration of DPO and DPS shall be considered during investigations related to

  ________________________________

  SECTION 5. Mandatory Registration. A PIC or PIP that employs two hundred fifty (250) or more persons, or those processing sensitive personal information of one thousand (1,000) or more individuals, or those processing data that will likely pose a risk to the rights and freedoms of data subjects shall register all Data Processing Systems.

  A. A Data Processing System processing personal or sensitive personal information involving automated decision-making or profiling shall, in all instances, be registered with the Commission.

  B. A PIC or PIP shall register its own Data Processing System. In instances where the PIC provides the PIP with the system, the PIC is obligated to register the same. A PIC who uses a system as a service shall register the same indicating the fact that processing is done through a service provider. A PIP who uses its own system as a service to process personal data must register with the Commission.

  C. A PIC or PIP who is an Individual Professional for mandatory registration shall register with the Commission. For this purpose, the following shall be considered: 1. An Individual Professional is self-employed and practicing his or her profession as defined under this Circular; 2. A business establishment, if registered as a PIC and operating under a different business name, partnership, firm, or other organization, shall not register separately as an Individual Professional; 3. An Individual Professional shall be considered as the de facto DPO.

  complaints, personal data breaches, and evaluations of mandatory breach notifications involving a DPS specifically for the imposition of administrative fines.

• Data privacy seminar for the insurance industry

  February 16, 2023 2:07 pm Comments Off on Data privacy seminar for the insurance industry

  In collaboration with Pru Life UK and FinTech Alliance PH, the National Privacy
  Commission invites the members of the insurance industry to join the data privacy
  seminar on February 23, 2023 from 9:00 AM to 5:00 PM at the Marquis Events Place, Bonifacio
  Global Street, Taguig City.

  In this seminar entitled “Privacy Matters in a Technological World: Privacy and Data
  Protection Seminar – Workshop for Insurers,” NPC officials will share policy updates and its key
  priorities for the coming months. Representatives from Pru Life UK, Prudential, IBM, C&G Law
  Firm, and Straits Interactive will also participate in panel sessions discussing data privacy and
  protection technologies and best practices when responding to incidents. Attendees will learn
  about the latest developments in data privacy and protection and how they can leverage
  technology to protect their customers’ personal data.

  The seminar is free-of-charge. Limited slots are available.

  Register here: Link

  

• Notice of Public Hearing

  November 14, 2022 4:40 pm Comments Off on Notice of Public Hearing

  Concerned organizations, stakeholders, and other interested parties are invited to submit their valuable inputs regarding the draft new registration circular to be adopted by the National Privacy Commission.

  Please see attached NPC Circular for reference. Click here

  Please see attached Regulatory Impact Statement. Click here

  This Circular aims to replace NPC Circular 17-01, which, together with the new NPC Registration System (NPCRS), shall make it easy for personal information controllers, personal information processors, and individual professionals comply with the registration requirement of the Data Privacy Act of 2012.

  Please send your valuable inputs to [email protected] not later than 19 November 2022.

  The Commission will conduct a second virtual public hearing on 21 November 2022 from 2:00-3:00 PM. Interested participants who wish to join may send an email to the address provided above on or before 18 November 2021

  Thank you.

• Guidelines on the Lawful Processing of Personal and/or Sensitive Personal Information Based on Consent, Contract and/or Legitimate Interests

  September 9, 2022 9:53 am Comments Off on Guidelines on the Lawful Processing of Personal and/or Sensitive Personal Information Based on Consent, Contract and/or Legitimate Interests

  The Data Privacy Act of 2012 (DPA) mandates the National Privacy Commission (NPC) to monitor the country’s compliance with international standards for data protection.

  Pursuant to this mandate, the NPC is currently crafting guidelines for the processing of personal and sensitive personal information based on Consent, Contract, and Legitimate Interests (Guidelines).

  NPC wants to hear from you.

  To aid us in drafting a more responsive regulation, the NPC requests your input on specific issues and concerns you have encountered in using Consent, Contract and/or Legitimate Interests as bases for personal data processing. The submission of concrete examples and use cases detailing these issues will be greatly appreciated.

  Your contributions will truly help in the creation of sound policies in the furtherance of the right to data privacy in the country.

  You may submit your comments, recommendations, and papers to [email protected] with the subject: “Call for Public Input - Guidelines on Consent, Contract and Legitimate Interests” until 8 April 2022.

  We look forward to your responses. Thank you.

• Announcement regarding validity of existing Certificate of Registration, revised process on new application, renewal, and amendment of registration, and guidelines on common Data Protection Officers

  9:47 am Comments Off on Announcement regarding validity of existing Certificate of Registration, revised process on new application, renewal, and amendment of registration, and guidelines on common Data Protection Officers

  A. DURATION OF THE VALIDITY OF CERTIFICATES OF REGISTRATION

  The Commission is extending the validity of ALL EXISTING Certificates of Registration (CORs) issued in the year 2021 from 08 March 2022 to 08 March 2023.

  For Certificates of Registration issued before 2021, PICs and PIPs are directed to RENEW their registration with the Commission.

  B. GUIDELINES FOR PROCESSING NEW REGISTRATION, RENEWAL, AND AMENDMENTS

  1. For both REGISTRATIONS AND RENEWAL, strictly follow the set guidelines herein provided as follows:

  a. PICs and PIPs are required to use a generic DPO email address which is not personally identified with the person (the appointed DPO) but with the position (i.e. [email protected]).

  b. DPO Forms may be submitted through [email protected] or [email protected] along with the supporting documents. Please use the subject:

  New_Registration_(Name of PIC/PIP/Individual Professional)

  Renew_Registration_(Name of PIC/PIP/Individual Professional)

  a. Government and Private Institutions

  b. Individual - Professional

  Upon completion, a new Certificate of Registration to the PIC/PIP/Individual Professional shall be issued.

  2. For AMENDMENTS covering 2021 and 2022 registrants:

  a. Submit the updated DPO Forms to [email protected] or [email protected] along with the supporting documents:

  i. The amendment cover letter

  ii. Updated Data Protection Officer form; and

  iii. The copy of the Certificate of Registration issued by the NPC in lieu of the following:

  - Certificate of Registration (SEC, DTI, or any similar Document); and

  - Franchise, license to operate or any similar document.

  b. In emailing the required submissions, please use the subject: Amendment_(Name of PIC/PIP/Individual Professional/)

  Upon completion, an amended Certificate of Registration to the PIC/PIP/Individual Professional shall be issued.

  C. ON COMMON DPOs

  1. All previously filed applications for Common DPO are now deemed APPROVED by the Commission. Furthermore, application for such will no longer be required and need not be reviewed by the NPC; and

  2. Common DPOs shall be registered individually and separately per entity. The Compliance and Monitoring Division shall only accept unique email address per entity.

  For questions and other concerns regarding registration and compliance, please email [email protected] .

   

  Approved by:

  ATTY. RAINIER ANTHONY M. MILANES

  OIC - Director IV, DaSCO / Chief, CMD

• eRehistro: NPC’s new registration and renewal platform

  March 1, 2021 10:36 am Comments Off on eRehistro: NPC’s new registration and renewal platform

  We’re making this registration season easier for you with the launch of NPC’s new registration and renewal platform!

  Narito ang ilang mga paunang detalye tungkol sa eRehistro:

  1. What is eRehistro?
     Ang eRehistro ay ang EC online registration system ng National Privacy Commission.Easy-to-use dahil sa simpleng interface at Convenient dahil maliban sa maaari kang magregister, amend at renew ng iyong registration, magkasama na rin sa eRehistro ang Phase 1: Data Protection Officer (DPO) at Phase 2: Data Processing System (DPS) Registration!
  2. Ano ang epekto ng eRehistro sa March 7 renewal of registration?
     Dahil sa paglaunch ng eRehistro, ang validity ng existing registrations ay extended hanggang June 30, 2021. Ito ay upang bigyang sapat na panahon ang lahat na makapaghanda sa account creation process dahil parehong DPO at DPS ang dapat i-register sa eRehistro.
  3. May mga kailangan bang ihandang dokumento para sa eRehistro?
     Mayroon pa rin! Abangan ang mga susunod na announcement ng NPC para sa listahan ng mga documentary requirements na kailangang i-upload sa eRehistro at para masagot ang iba pang mga katanungan.

• Notice of Public Consultation for the Rules on the Issuance of Cease and Desist Order

  August 5, 2020 12:20 am Comments Off on Notice of Public Consultation for the Rules on the Issuance of Cease and Desist Order

  Concerned organizations, stakeholders, and other interested parties are invited to submit their comments/suggestions/opinions and other valuable inputs regarding the Draft Rules on the Issuance of Cease and Desist Orders to be adopted by the National Privacy Commission.

  Download the Draft Rules on Issuance of Cease and Desist Order here.

  These Rules aim to outline the rules of procedure governing the application, and the subsequent issuance of a Cease and Desist Order as provided for in Section 7(c) of R.A. 10173 or the Data Privacy Act of 2012.

  Please send your comments/suggestions/opinions and other valuable inputs to [email protected] not later than 19 August 2020.

  The Commission will conduct an online public consultation on the Draft Rules on the Issuance of Cease and Desist Orders on 19 August 2020 from 10:00-11:00 a.m. Interested participants may send an email to the address provided above on or before 14 August 2020.

• NPC Extends Validity of Registration Until March 2021

  June 30, 2020 12:04 am Comments Off on NPC Extends Validity of Registration Until March 2021

  The National Privacy Commission (NPC) is continuously making improvements in its online registration system. In light of the exigencies brought about by the COVID-19 pandemic, the NPC Registration System will be available on 4 January 2021.

  In this regard, the NPC is extending the validity of existing registrations of Personal Information Controllers (PICs) and Personal Information Processors (PIPs) until 7 March 2021.

  For queries, DPOs may reach NPC via email at [email protected]

• Suspension of Hearing Until Further Notice

  March 12, 2020 9:48 pm Comments Off on Suspension of Hearing Until Further Notice

  

• Order: Violations of the Data Privacy Act by Several Companies Operating Online Lending Applications

  October 23, 2019 1:45 pm Comments Off on Order: Violations of the Data Privacy Act by Several Companies Operating Online Lending Applications

  Order to Stop Personal Data Processing in re: Violations of the Data Privacy Act by Several Companies Operating Online Lending Applications

  As published in The Philippine Star, The Daily Tribune and Philippine Daily Inquirer on 21 October 2019.

  

  

  
  

• Violations of the Data Privacy Act of Several Companies Operating Online Lending Applications

  October 8, 2019 4:03 pm Comments Off on Violations of the Data Privacy Act of Several Companies Operating Online Lending Applications

  Order for Summary Hearing on 15 October 2019 re Violations of the Data Privacy of Several Companies Operating Online Lending Applications

  As published in The Philippine Star, The Daily Tribune and Philippine Daily Inquirer on 04 October 2019

  

  

  
  

• NOTICE TO THE PUBLIC: Beware of fakers pretending to represent the NPC

  September 4, 2019 2:56 pm Comments Off on NOTICE TO THE PUBLIC: Beware of fakers pretending to represent the NPC

  This is to warn the public about scammers pretending to be employees of the National Privacy Commission (NPC).

  The NPC has received several reports that the administrator/s of a Facebook page named “Anti-Loan Shark Philippines” are claiming to be employed or connected with us. Worse, they pretend to be authorized to collect fees for individuals who have decided to file complaints against online lending applications. Said Facebook page is also posting the Commission’s orders and proceedings, as well as pleadings and agreements of involved parties.

  These documents and recordings are confidential in nature. The Commission does not post or share any information about its internal proceedings and keeps the confidentiality of these information, as provided in NPC Circular 16-04.

  The public is further informed that the Commission does not collect docket fees nor has authorized any entity to do so. Likewise, the posts on the Facebook page are not statements or releases from the Commission.

  The Commission has an official Facebook page, website, email addresses and official numbers where it may be reached. Any form of communication from the Commission is coursed through these official channels.

  If you find yourself contacted by any person purporting to act for or on behalf of the National Privacy Commission, report the incident immediately through the following official communication channels:

  1. https://facebook.com/privacy.gov.ph
  2. https://twitter.com/PrivacyPH
  3. https://www.privacy.gov.ph
  4. [email protected]
  5. NPC Trunkline No: 234-22-28
     Local Numbers:
     • For registration & compliance concerns – 118
     • For complaints – 114
     • For advisory opinions – 110