The National Privacy Commission (NPC) reminds the public that all covered personal information controllers (PICs) and personal information processors (PIPs) under Section 5 of NPC Circular No. 2022-04 dated 05 December 2022 are mandated to register their Data Protection Officer (DPO) and Data Processing Systems (DPS) within the periods provided for under Section 7 of the Circular, to wit:

    “SECTION 7. When to Register. A covered PIC or PIP shall register its newly implemented Data Processing System or inaugural DPO in the NPC’s official registration platform within twenty (20) days from the commencement of such system or the effectivity date of such appointment.

    In the event a covered PIC or PIP seeks to apply minor amendments to its existing registration information, which includes updates on an existing Data Processing System, or a change in DPO, the PIC or PIP shall update the system within ten (10) days from the system update or effectivity of the appointment of the new DPO.” (underlining supplied)

Despite the aforestated deadlines, covered PICs and PIPs are allowed until 10 July 2023 to comply with the mandatory registration pursuant to Section 39 of the Circular as follows:

    “SECTION 39. Transitory Period. Notwithstanding the period in the first paragraph of Section 7 of this Circular; all covered PICs, and PIPs shall complete their Data Processing System and DPO registration within one hundred eighty (180) days from the effectivity of this Circular.” (underlining supplied)

Additionally, please be advised that the NPC Registration System (NPCRS) remains open even after 10 July 2023. However, non-compliance with Section 7 in relation to Section 39 of the Circular may constitute a violation thereof, which may be subject to enforcement action by the NPC.

Certificates of registration with a validity period until 08 March 2023 are extended only until 10 July 2023. New certificates of registration issued through the NPCRS will carry a one-year validity period. Certificates of registration shall remain valid until the certificate expires (e.g., a certificate of registration and seal of registration issued on 10 August 2023 shall be valid until 09 August 2024).

Regular compliance checks of PICs and PIPs shall also continue as part of NPC’s monitoring function. Non-registration of DPO and DPS shall be considered during investigations related to complaints, personal data breaches, and evaluations of mandatory breach notifications involving a DPS specifically for the imposition of administrative fines.

SECTION 5. Mandatory Registration. A PIC or PIP that employs two hundred fifty (250) or more persons, or those processing sensitive personal information of one thousand (1,000) or more individuals, or those processing data that will likely pose a risk to the rights and freedoms of data subjects shall register all Data Processing Systems.

A. A Data Processing System processing personal or sensitive personal information involving automated decision-making or profiling shall, in all instances, be registered with the Commission.

B. A PIC or PIP shall register its own Data Processing System. In instances where the PIC provides the PIP with the system, the PIC is obligated to register the same. A PIC who uses a system as a service shall register the same indicating the fact that processing is done through a service provider. A PIP who uses its own system as a service to process personal data must register with the Commission.

C. A PIC or PIP who is an Individual Professional for mandatory registration shall register with the Commission. For this purpose, the following shall be considered: 1. An Individual Professional is self-employed and practicing his or her profession as defined under this Circular; 2. A business establishment, if registered as a PIC and operating under a different business name, partnership, firm, or other organization, shall not register separately as an Individual Professional; 3. An Individual Professional shall be considered as the de facto DPO.