The National Privacy Commission (NPC) sets forth criteria for the mandatory registration of Data Processing Systems (DPS) and a Data Protection Officer (DPO) by a business organization. This article will guide you through everything you need to know about NPC registration and how we can help you stay compliant and protect your business.
- When Do You Need to Register With NPC?
- When is the Registration of DPS and DPO of a Covered Business?
- What is an NPC Certificate of Registration and the Seal of Registration?
- Is it Mandatory to Display the NPC Seal of Registration?
- What are the Five Pillars of Compliance of the NPC?
- What We Offer
- FAQs about NPC Registration
Register Your Entity With NPC
Your business may need to be registered with the NPC if it meets the following conditions:
- It employs two hundred fifty (250) or more persons
- It processes sensitive personal information of one thousand (1,000) or more individuals
- It processes data that will likely pose a risk to the rights and freedoms of data subjects
If the business does not operate under any of the above conditions, it may register voluntarily following the process outlined for mandatory registration.
However, if the same business organization does not fall under mandatory registration and does not undertake voluntary registration, it shall submit a notarized Sworn Declaration and Undertaking for Exemption from Registration of Data Processing Systems (NPC Circular 2022-04 Annex 1) and be ready to substantiate this, as ordered by the Commission, by submitting additional documents and other relevant information.
Registration of DPS and DPO through the NPC Registration System (NPCRS)
A covered business shall register its newly implemented Data Processing System or inaugural DPO in the NPC’s official registration platform within twenty (20) days from the commencement of such system or the effectivity date of such appointment.
The NPC Certificate of Registration and the Seal of Registration
After registering the business’ data processing systems and details of its DPO on the NPC Registration System and uploading company registration documents, a DPO Form will be automatically generated, which has to be signed by the head of the organization, and duly notarized and re-uploaded onto the same platform.
The NPC shall issue a Certificate of Registration and a Seal of Registration, downloadable from the NPCRS upon successful registration.
The Seal of Registration shall be valid for one (1) year from the date of issuance, subject to renewal thereafter.
Mandatory Display of the NPC Seal of Registration
The business must display its Seal of Registration at the main entrance of the place of business or the most conspicuous place to ensure visibility to all data subjects.
They are also required to display the Seal of Registration on their main website either as:
- A clickable link leading to the privacy notice
- Displayed directly on the privacy notice page
The NPC Five Pillars of Compliance
What We Offer
If you find data privacy compliance exhausting, let InCorp Philippines assist you and perform the work for you, so you can focus on your core business operations.
- DPO and Data Processing Systems Registration. Obtain assistance in registering a DPO and Data Processing Systems via the online NPC Registration System (NPCRS). Secure the Seal of Registration and the Certificate of Registration from NPC.
- Personal Data Inventory. Identify, document, and make an inventory of active Data Processing Systems within the client organization.
- Data Privacy Compliance Framework Audit. Gain third-party assessment and recommendations about the maturity of the client’s overall Data Privacy Accountability and Compliance Framework.
- Conduct of Privacy Impact Assessment. Identify the risks of collecting, maintaining and disseminating Personally Identifiable Information. Come up with security measures to address or mitigate any potential privacy risks.
- Data Privacy Manualization. Document the organization’s internal policies, procedures, and practices related to data protection and privacy.
- Privacy Notice and Consent Form Drafting. Support the client in conveying to data subjects what, how and why personal data is being collected from them. Enable the client organization to let its data subjects consent to the collection and processing of their personal data.
- Data Sharing Agreement and Outsourcing Agreement Drafting. Enable the client to manage third-party relationships while maintaining compliance with the DPA.
- Privacy Awareness Training, Workshops, or Campaigns. Establish a culture of data protection awareness and compliance within the organization. Equip internal stakeholders with relevant knowledge and skills related to DPA compliance. Provide updates to employees on new regulations and issuances from the NPC.
- Drafting of Job Descriptions of the Internal Privacy Management Team. Let us assist in the drafting of job descriptions for your privacy management team.
- Data Breach Response Management. Establish the Breach Management policy, team, and procedures. Respond to breaches, and perform compliance reporting to the NPC following security incident and breach reporting protocols.
- Respond to Data Subject Complaints and Requests. Address data subject requests based on the rights vested upon them by the Data Privacy Act of 2012. Respond to possible complaints raised by the data subject.
- Data Privacy Consultation. Consult a Legal Counsel for the interpretation of evolving data privacy laws. Get advisory services with legal obligations like data subject requests and complaints, as well as advice on data breach response management.
Allow Us to Assist You With Your NPC Registration Compliance
If you need help with your NPC registration, reach out to us. Our experienced Data Privacy Officer is dedicated to helping you comply with the Commission.
Frequently Asked Questions
When Do You Need to Register With NPC?
Your business may need to register with the NPC if it meets any of the following conditions:
- Employs 250 or more people
- Processes sensitive personal information of 1,000 or more individuals
- Handles data that poses a risk to the rights and freedoms of data subjects
Do You Need to Display the NPC Seal of Registration?
The business must display its Seal of Registration at the main entrance or a highly visible location to ensure it is noticeable to all data subjects.
Additionally, the Seal of Registration must be displayed on the main website, either as:
- A clickable link leading to the privacy notice
- Displayed directly on the privacy notice page
How Long is the Validity of the Seal of Registration?
The Seal of Registration is valid for one year from the date of issuance and must be renewed annually.