Data Privacy Act
Data Privacy Act
Data Privacy Act
a. the PIC or PIP employs at least two hundred fifty (250) employees;
b. the processing includes sensitive personal information of at least one thousand (1,000)
individuals;
c. the processing is likely to pose a risk to the rights and freedoms of data subjects. Processing
operations that pose a risk to data subjects include those that involve:
i. Information that would likely affect national security, public safety, public order, or public
health;
ii. Information required by applicable laws or rules to be confidential;
iii. Vulnerable data subjects like minors, the mentally ill, asylum seekers, the elderly,
patients, those involving criminal offenses, or in any other case where an imbalance
exists in the relationship between a data subject and a PIC or PIP;
iv. Automated decision-making; or
v. Profiling;
d. the processing is not occasional: Provided, that processing shall be considered occasional if it is
only incidental to the mandate or function of the PIC or PIP, or, it only occurs under specific
circumstances and is not regularly performed. Processing that constitutes a core activity of a PIC
or PIP, or is integral thereto, will not be considered occasional:
In determining the existence of the foregoing conditions, relevant factors, such as the number of
employees, or the records of individuals whose sensitive personal information are being
processed, shall only be considered if they are physically located in the Philippines.
HOW TO REGISTER
A PIC or PIP shall register through the Commission’s official website in two (2) phases:
A. Phase I. A PIC or PIP, through its DPO, shall accomplish the prescribed application form, and
submit the same to the Commission together with all supporting documents. Upon review and
validation of the submission, the Commission shall provide the PIC or PIP via email an access
code, which shall allow it to proceed to Phase II of the registration process
B. Phase II. Using the access code provided by the Commission, a PIC or PIP shall proceed to the
online registration platform and provide all relevant information regarding its data processing
systems. The Commission shall notify the PIC or PIP via email to confirm the latter’s successful
completion of the registration process:
As per IRR of Data Privacy Act 2012 Sec. 47, the contents of registration shall include:
1. The name and address of the personal information controller or personal information processor,
and of its representative, if any, including their contact details;
2. The purpose or purposes of the processing, and whether processing is being done under an
outsourcing or subcontracting agreement;
3. A description of the category or categories of data subjects, and of the data or categories of data
relating to them;
4. The recipients or categories of recipients to whom the data might be disclosed;
5. Proposed transfers of personal data outside the Philippines;
6. A general description of privacy and security measures for data protection;
7. Brief description of the data processing system;
8. Copy of all policies relating to data governance, data privacy, and information security;
9. Attestation to all certifications attained that are related to information and communications
processing; and
Name and contact details of the compliance or data protection officer, which shall immediately be
updated in case of changes.
SUPPORTING DOCUMENTS
Source: https://register.privacy.gov.ph/Home/About
DATA PRIVACY OFFICER
Source: https://register.privacy.gov.ph/Home/About