NPC Circular No. 2022-04 - REGISTRATION OF PERSONAL DATA PROCESSING SYSTEM, NOTIFICATION REGARDING AUTOMATED DECISION-MAKING OR PROFILING, DESIGNATION OF DATA PROTECTION OFFICER, AND THE NATIONAL PRIVACY COMMISSION SEAL OF REGISTRATION NATIONAL PRIVACY COMMISSION REGISTRATION SYSTEM (“NPCRS”)
- WHAT IS NPC REGISTRATION SYSTEM (“NPCRS”)?
- WHO CAN USE THE NPCRS?
- WHO CAN CREATE AN NPCRS ACCOUNT?
- WHEN IS REGISTRATION IN NPCRS REQUIRED?
- Mandatory Registration
- Personal Information Controllers (PIC) or Personal Information Processors (PIP) employing two hundred fifty (250) or more persons
- PIC or PIP processing sensitive personal information of one thousand (1,000) or more individuals
- PIC or PIP involves processing data that will likely pose a risk to the rights and freedoms of data subjects
- Government Agency or Instrumentality
- Voluntary Registration
- Exemption from Data Processing System Registration
- WHO SHOULD REGISTER DATA PROCESSING SYSTEMS?
- ARE MULTIPLE DATA PROTECTION OFFICERS FOR ONE ENTITY ALLOWED?
- HOW ABOUT COMMON DATA POTECTION OFFICER, IS IT ALLOWED?
- WHEN SHOULD THE REGISTER USING THE NPCRS?
- WHEN TO DO MAJOR AMENDMENTS?
- WHAT ARE CONSIDERED MINOR AMENDMENTS?
- WHAT IF MY DATA PROCESSING SYSTEM HAS CHANGES OR IS DECOMMISSIONED?
- WHAT SUPPORTING DOCUMENTS SHOULD I HAVE TO SUCCESFULLY REGISTER MY ACCOUNT?
- For government agencies:
- For domestic private entities
- For Corporations:
- For One Person Corporation
- For Partnerships
- Sole Proprietorships
- For foreign private entities:
Authenticated copy or Apostille of Secretary’s Certificate authorizing the appointment or designation of DPO, or any other document that demonstrates the appointment or designation, with an English translation thereof if in a language other than English.
Authenticated copy or Apostille of the following documents, with an English translation thereof if in a language other than English, where applicable:
- WHEN IS THE END OF THE TRANSITORY PERIOD TO COMPLY?
- I HAVE A CERTIFICATE OF REGISTRATION STILL VALID UNTIL 08 MARCH 2023, WILL THIS BE INVALIDATED?
- I HAVE A CERTIFICATE OF REGISTRATION VALID UNTIL 08 MARCH 2022 OR EARLIER, IS THIS STILL VALID?
- WILL MY PREVIOUS REGISTRATION RECORD BE TRANSFERRED TO THE NPCRS?
- WHAT WILL HAPPEN TO MY OLD REGISTRATION RECORD?
- IS THE SIGNED/NOTARIZED PRIOR APPLICATION FORM VALID TO BE UPLOADED IN THE NPCRS?
- IS THE PREVIOUSLY SUBMITTED SECRETARY’S CERTIFICATE ON THE DESIGNATION OR APPOINTMENT OF A DPO AN ACCEPTED SUPPORTING DOCUMENT?
- IN CASE MY DPO ACCOUNT IS INACCESSIBLE, HOW DO I RETRIEVE IT?
- OUR ORGANIZATION HAS MORE THAN TWENTY (20) DATA PROCESSING SYSTEM (DPS), CAN I ACCESS THE DPO ACCOUNT SIMULTANEOUSLY WITH MULTIPLE DEVICE?
- IF WE REGISTER OUR COMPLIANCE OFFICER FOR PRIVACY (COP), WILL IT MEAN THAT THE RESPECTIVE REGION/BRANCH/OFFICE IS REGISTERED?
- WILL THEY BE ISSUED THEIR CERTIFICATES AS WELL OR SHOULD WE JUST REGISTER EACH REGION/BRANCH/OFFICE SEPARATELY?
- WHAT HAPPENS IF WE DO NOT COMPLY WITH THE REJECTION OF OUR DPO/DPS REGISTRATION
The NPC Registration system is a secure and reliable web-based portal for the registration of Data Processing System and Data Protection Officers (DPO). The platform will expedite the process for registration of Data Processing Systems (DPS) in the Philippines as required by the Data Privacy Act of 2012 and its Implementing Rules and Regulations, which includes online web-based and mobile applications that process personal information and/or sensitive personal information.
Personal Information Controllers (PIC) Personal Information Processor under the direct control of a PIC Individual Professionals as PIC or PIP
A Personal Information Controller and A Personal Information Processor through their designated Data Protection Officers (DPO) may create an NPCRS account.
An Individual Professional, as DPO or through an appointed DPO may likewise create the same.
In compliance with NPC Circular No. 2022-04 effective 11 January 2022, all application for registration of Data Processing System and Data Protection Officer shall be through the NPCRS only.
Not all entities are required to create and account with the NPCRS. Under Section 5 of NPC Circular No. 2022-04, a PIC/PIP shall be required to register under the online platform when ANY of the following are present:
An application for registration by a Personal Information Controller (PIC) or Personal Information Processor (PIP) processing personal data who does not operate under any of the conditions set forth under Section 5 of NPC Circular No. 2022-04, the PIC or PIP may register voluntarily
A Personal Information Controller or Personal Information Processor who will not elect voluntary registration is required to file a duly notarized sworn declaration and undertaking, this is Annex 1 of NPC Circular No. 2022-04.
Data Protection Officers (DPO) of Personal Information Controllers (PIC) who owns the Data Processing System (DPS).
DPOs of PICs providing Personal Information Processors (PIP) with a DPS.
DPOs of PICs using systems as a service shall register the DPS and indicate that processing is done through a service provider.
DPOs of PIPs using its own DPS to process personal data under the instruction of the PIC.
NO, only one DPO is allowed per entity. The entity may appoint as many Compliance Officers for Privacy as required to implement data protection measures.
YES, common DPO is allowed as long as registration is on a per entity basis. The DPO however is not allowed to use the same Official DPO email.
We will follow the One Entity, One Official DPO email, One Registration Rule.
Entities who are required to register must register a new Data Processing System within twenty (20) days from the launch of the system.
Entities who are required to register must register the appointment or designation of a new Data Protection Officer within twenty (20) days from the designation or Appointment.
Amendments to the Name of the Entity or the Business Address are considered major and should be through the registration system within 30 days from the effectivity of the change.
All other changes are considered minor, and shall be effected using the registration platform within 10 days from the change.
The NPCRS allows you to do minor amendments to your registration information pertaining to your Data Processing System.
DPS may be tagged as inactive through the minor amendment process.
An application for registration filed by a Data Protection Officer must be duly notarized and be accompanied by the following documents:
Special or Office Order, or any similar document, designating or appointing the DPO of the PIC or PIP;
a) (1) duly notarized Secretary’s Certificate authorizing the appointment or designation of DPO, or (2) any other document demonstrating the validity of the appointment or designation of the DPO signed by the Head of the Organization with an accompanying valid document conferring authority to the Head of Organization to designate or appoint persons to positions in the organization.
b) Securities and Exchange Commission (SEC) Certificate of Registration.
c) certified true copy of latest General Information Sheet.
d) valid business permit.
a) (1) duly notarized Secretary’s Certificate authorizing the appointment or designation of DPO, or (2) any other document that demonstrates the validity of the appointment or designation of DPO signed by the sole director of the One Person Corporation.
b) SEC Certificate of Registration
c) valid business permit.
a) duly notarized Partnership Resolution or Special Power of Attorney authorizing the appointment or designation of DPO, or any other document that demonstrates the validity of the appointment or designation.
b) SEC Certificate of Registration.
c) valid business permit
a) duly notarized document appointing the DPO and signed by the sole proprietor, in case the same should elect to appoint or designate another person as DPO.
b) DTI Certificate of Registration.
c) valid business permit.
a) Latest General Information Sheet or any similar document.
b) Registration Certificate (Corporation, Partnership, Sole Proprietorship) or any similar document.
c) valid business permit or any similar document
Since NPC Circular No. 2022-04 was effective last 11 January 2023, the 180 days period will end on 10 July 2023.
NO, all Certificates of Registration with effectivity date until the 8th of March 2023 will have an extended validity until the 10th of July 2023.
If the Data Protection Officer completes the registration process through the NPCRS before the lapse of the 180 days, the validity of the Certificate of Registration and the NPC Seal of Registration will be 1 year from its issuance.
NO, you must do the initial registration with the NPCRS right away.
NO, we have implemented a clean database for the NPCRS, all are required to go through with the initial registration process.
NO. only a notarized system generated form of the NPCRS will be accepted upon validation.
Only if it was Notarized in 2022 and used then to renew registration, provided that there are no changes in the appointed or designated DPO.
On the NPCRS landing page, you may click “Inaccessible account? Retrieve here”. Upon which, you will be required to input your specific organization together with a new DPO email address and upload of a notarized justification letter.
As a security measure, the system will prompt that multiple sessions are taking place. Organizations are required to implement organizational security measures like role based access control to secure their NPCRS accounts.
In the meantime, within the 180 days transitory period, we highly recommend that you prioritize registering your critical Data Processing Systems (DPS):
(1) Those with automated decision making and/or profiling;
(2) Client or customer facing ONLINE web based or mobile applications; and
(3) Those processing sensitive personal information.
Submit registration to acquire your certificate and seal of registration then amend your registration record by adding your other DPS.
The registration of COPs will not grant their respective region/branch/office a separate certificate and seal of registration. The Data Protection Officer (DPO) shall forward the NPC Seal of Registration to its region/branch/office for display.
A region/branch/office is not allowed to create a separate registration in the NPCRS.
The system is designed to remove pending registration/s with "Rejected" status in 5 days. This is in line with Circular 2022-04 Section 9.F.