Guidelines on Exemption From Registration

GUIDELINES TO EXEMPTION

 

In line with our commitment to providing a more efficient and streamlined process, we have implemented a new system for exemptions from the mandatory registration, as required by Section 5 of NPC Circular No. 2022-04.

The steps below will guide you through the process of submitting your application for exemption.


Step 1: LOG IN USING YOUR CREDENTIALS

Access the NPCRS using your username and password

SELECT APPLICABLE DPS/DPO REGISTRATION

Once logged in, navigate to the registration page and select the appropriate tab based on the type of DPS/DPO registration that applies to your organization.

CONFIRM SELECTED REGISTRATION TYPE

After selecting your registration type, a confirmation window will appear, Check the box you are Applying For Exemption from Data Processing System Registration click “Yes, Continue” to proceed to be directed to the form download page


Step 2: FILL OUT THE DOWNLOADED FORM

Complete the form Sworn Declaration and Undertaking (SDAU) with the necessary information, print the form, and have it notarized.


Step 3: UPLOAD NOTARIZED DOCUMENT

Once the document is notarized, upload the notarized form in your NPCRS account.

EMAIL CONFIRMATION

After successfully uploading the document, you will receive a confirmation email acknowledging receipt of your submission of your SDAU.

 

IMPORTANT REMINDERS:

  • Your SDAU is a legally binding document, you may use the same in lieu of a Certificate of Registration and NPC Seal of Registration only issued to those who completed a mandatory or voluntary Data Processing System Registration.
  • To be eligible for exemption, organizations must first evaluate if they are exempted from the mandatory registration pursuant to Sec. 5 of the NPC Circular No. 2022-04. To be exempted, the PIC/PIP must answer “YES” to all the questions below:
      1. Does the PIC/PIP employ less than two hundred fifty (250) persons?;
      2. Does the processing by PIC/PIP not include sensitive personal information of at least one thousand (1,000) individuals?;
      3. Does the PIC/PIP not process any information likely to pose a risk to the rights and freedoms of data subjects including those that involve information likely to affect national security, public safety, public order, or public health or information required by applicable laws or rules to be confidential; vulnerable data subjects like minors, the mentally ill, asylum seekers, the elderly, patients, those involving criminal offenses, or in any other case where an imbalance exists in the relationship between a data subject and a PIC or PIP, especially those involving automated decision-making or profiling?; and
      4. The PIC/PIP is not a government agency or instrumentality?
     
  • Even if an organization has submitted its application for exemption, they remain subject to compliance checks by the Compliance and Monitoring Division (CMD). All organizations must still adhere to the mandates of the DPA and other relevant issuances of the National Privacy Commission.