National Privacy Commission Advisories for Compliance with Philippine Data Privacy Laws


Personal data protection in the Philippines is governed by the Data Privacy Act of 2012 (“DPA”), and is implemented by rules, regulations and advisories issued by the National Privacy Commission (“NPC”). The NPC, formed in 2016, has the primary focus of ensuring that rights of Philippine data subjects are protected through strict enforcement of Philippine data privacy laws to ensure compliance of public and private entities alike.

For the purpose of enforcing Philippine data privacy laws, the NPC requires registration of entities, which are deemed to be Personal Information Controller (“PICs”) or Personal Information Processors (“PIPs”).

An entity is deemed to have control of personal information, and will be referred to as a PIC, if it decides on what information is collected, or the purpose or extent of its processing. On the other hand, a person which processes personal data, but does not have control, is referred to as a PIP.

Processing refers to any operation or set of operations performed upon personal information, such as but not limited to collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. A PIC or PIP is required to disclose to its data subjects the specified and legitimate purpose for data collection, which should be processed in a manner that is adequate, relevant, suitable, necessary and not excessive in relation to the purpose of collection.

Sections 46 and 47 of the Implementing Rules and Regulations (“IRR”) of the DPA require a PIC or PIP to register its Data Processing System with the NPC, if:

  • it employs at least 250 people;
  • the processing includes sensitive personal information of at least 1,000 individuals;
  • the processing is likely to pose a risk to the rights and freedoms of individuals; or
  • the processing is not occasional.

The registration process involves the designation of a Data Protection Officer (“DPO”) (Phase I) and registration of Data Processing Systems (Phase II).The NPC earlier divided the registration process into 2 phases and extended the deadline for the more rigorous second phase to 8 March 2018. The first phase, however, already lapsed on 9 September 2017.

Nonetheless, the NPC will continue to accept DPO registration papers from information controllers and processors even after the deadline of Phase I but they will be considered late registrants, and included in the list of priority organizations for a compliance check. In this light, covered clients are urged to register with the NPC their duly appointed DPOs, whose qualifications are provided under NPC Advisory No. 2017-01 (Designation of Data Protection Officers), among which include:

  • possession of specialized knowledge and reliability necessary for the performance of his or her duties and responsibilities, which entails expertise in relevant data protection or privacy policies and practices;
  • having sufficient understanding of the processing operations being carried out by the PIC or PIP, including the latter’s information systems and/or data protection needs;
  • being a full-time or organic employee of the PIC or PIP with a regular position;
  • where the employment of the DPO is based on a contract, the term or duration thereof should at least be 2 years to ensure stability; and
  • possession of independence in the performance of his or her functions to avoid conflict of interest, and should be accorded a significant degree of autonomy by the PIC or PIP.

With regard to Phase II, covered entities should be made aware of the impending deadline on 8 March 2018 in order to ensure compliance. Subject to changes and additions that may be imposed by the NPC through subsequent advisories, the IRR of the DPA provides the following information and documents necessary for registration for Phase II:

  • the name and address of the PIC or PIP, and of its representative, if any, including their contact details;
  • the purpose or purposes of the processing, and whether processing is being done under an outsourcing or subcontracting agreement;
  • a description of the category or categories of data subjects, and of the data or categories of data relating to them;
  • the recipients or categories of recipients to whom the data might be disclosed;
  • proposed transfers of personal data outside the Philippines;
  • a general description of privacy and security measures for data protection;
  • a brief description of the data processing system;
  • copy of all policies relating to data governance, data privacy, and information security;
  • attestation to all certifications attained that are related to information and communications processing; and
  • name and contact details of the compliance or data protection officer, which shall immediately be updated in case of changes.

Aside from the registration of Data Processing Systems, PICs are reminded to submit their 2017 Annual Security Incident Report on or before 31 March 2018.The law does not distinguish as to whether or not the PIC is registered; thus, all PICs must comply with this requirement. PICs must document security incidents (including personal data breaches), which are adverse events that have an impact on the availability, integrity, or confidentiality of personal data, even if these adverse events prove unsuccessful. More particularly under NPC Circular No. 16-03 on Personal Data Breach Management, the Annual Report should contain general information on the number of incidents and breaches encountered, classified according to their impact on the availability, integrity, or confidentiality of personal data. Currently, there is no prescribed format by the NPC regarding this document. To submit this 2017 annual report, a PIC may send the Annual Report on or before the deadline via email to .

Companies that do not comply with the deadlines may be subject to compliance checks or ultimately, civil or even criminal liability. However, aggressive enforcement is yet to be seen as the NPC cannot prosecute violators of the law for which criminal penalties can be imposed. Under the law, all the NPC can do is to recommend to the Department of Justice (DOJ) the prosecution of crimes and imposition of penalties.

Data privacy is a relatively new regulation in the Philippines, which is why compliance and enforcement of data privacy laws are not yet manifest in the country. Given the global trend to enforce data privacy laws, data privacy compliance gives businesses in the Philippines a competitive edge. According to NPC Commissioner Raymund Liboro, “With ASEAN integration coming up soon, companies in the Philippines need to implement their data protection and data privacy obligations not only to keep their existing clients, but also to assure future growth.”

If you have any questions or require any additional information, please contact Felix Sy or Lorybeth Baldrias Serrano or the ZICO Law partner you usually deal with.

This alert is for general information only and is not a substitute for legal advice.