Why appoint a DPO?
Appointing a Data Protection Officer (DPO) is a legal
requirement for personal information controllers (PICs) and personal
information processors (PIPs), under the Data Privacy Act of 2012.
Apart from complying with the legal obligation, having a DPO will do
your organization a lot of good. In this information age, where
personal data serve as building blocks of any organization, assigning a
focal person to ensure the protection of your personal data collection
and processing is a must. A DPO increases your chance to remain
competitive in the dynamic global landscape of data protection. At the
same time, it improves your customer service and enhances your
responsiveness to growing public awareness and regard for personal data
protection.
Should I assign a DPO?
You should assign a DPO if you are a natural or juridical
person or any other body in the government or private sector engaged in
the processing of personal data of individuals living within and
outside the Philippines. An individual PIC or PIP shall be a de facto
DPO.
What should I look for in a DPO?
Your DPO should have expertise in relevant privacy or data
protection policies and practices. He or she should have sufficient
understanding of the processing operations being carried out by the PIC
or PIP, including the latter’s information systems, data security
and/or data protection needs. Knowledge by the DPO of the sector or
field of the PIC or PIP, and the latter’s internal structure, policies,
and processes is also useful.
What is a COP?
A Compliance Officer for Privacy (COP) is an individual or
individuals who perform some of the functions of a DPO in these cases:
- Local Government Units (LGUs). Aside
from having a DPO, a component city, municipality, or barangay can
designate a COP, as long as the COP shall be under the supervision of
the DPO.
- Government Agencies. Aside from having a
DPO, a government agency that has regional, provincial, district, city,
municipal offices, or any other similar sub-units, may designate or
appoint COP for each sub-unit. The COPs shall be under the supervision
of the DPO.
- Private Sector. Where a private entity
has branches, sub-offices, or any other component units, it may also
appoint or designate a COP for each component unit.
Subject to the approval of the NPC, a group of related companies may
appoint or designate the DPO of one of its members to be primarily
accountable for ensuring the compliance of the entire group with all
data protection policies. Where such common DPO is allowed by the NPC,
the other members of the group must still have a COP, as defined in the
Advisory.
- Other Analogous Cases. PICs or PIPs that
are under similar or analogous circumstances may also seek the approval
of the NPC for the appointment or designation of a COP, in lieu of a
DPO.
What are my obligations as PIC or PIP, relative to the DPO or
COP?
You should:
- effectively communicate to your personnel, the designation
of the DPO or COP and his or her functions;
- allow the DPO or COP to be involved from the earliest stage
possible in all issues relating to privacy and data protection;
- provide sufficient time and resources (financial,
infrastructure, equipment, training, and staff) necessary for the DPO
or COP to keep himself or herself updated with the developments in data
privacy and security and to carry out his or her tasks effectively and
efficiently;
- grant the DPO or COP appropriate access to the personal
data it is processing, including the processing systems;
- where applicable, invite the DPO or COP to participate in
meetings of senior and middle management to represent the interest of
privacy and data protection;
- promptly consult the DPO or COP in the event of a personal
data breach or security incident; and
- ensure that the DPO or COP is made a part of all relevant
working groups that deal with personal data processing activities
conducted inside the organization, or with other organizations.
Can I outsource or subcontract DPO functions, as a PIC or PIP?
Yes. You may outsource or subcontract the functions of your DPO
or COP. However, to the extent possible, the DPO or COP must oversee
the performance of his or her functions by the third-party service
provider or providers. The DPO or COP shall also remain the contact
person of the PIC or PIP vis-à-vis the NPC.
I am a DPO. What can I expect?
You must be independent in the performance of your functions,
and should be accorded a significant degree of autonomy by the PIC or
PIP. You may perform (or be assigned to perform) other tasks or assume
other functions that do not give rise to any conflict of interest.
Your PIC or PIP should not directly or indirectly penalize or
dismiss you for performing your tasks. It is not necessary that the
penalty is actually imposed or meted out. A mere threat is sufficient
if it has the effect of impeding or preventing you from performing your
tasks. However, nothing shall preclude the legitimate application of
labor, administrative, civil or criminal laws against you, based on
just or authorized grounds.
Your opinion as DPO or COP must be given due weight. In case
of disagreement, and should the PIC or PIP choose not to follow the
advice of the DPO or COP, it is recommended, as good practice, to
document the reasons for such choice.
What are my duties and responsibilities as DPO?
You shall, among others:
- monitor the PIC’s or PIP’s compliance with the DPA, its
IRR, issuances by the NPC and other applicable laws and policies. You
may:
  - collect information to identify the processing
operations, activities, measures, projects, programs, or systems of the
PIC or PIP, and maintain a record thereof;
  - analyze and check the compliance of processing
activities, including the issuance of security clearances to and
compliance by third-party service providers;
  - inform, advise, and issue recommendations to the PIC or
PIP;
  - ascertain renewal of accreditations or certifications
necessary to maintain the required standards in personal data
processing; and
  - advise the PIC or PIP as regards the necessity of
executing a Data Sharing Agreement with third parties, and ensure its
compliance with the law;
- ensure the conduct of Privacy Impact Assessments relative
to activities, measures, projects, programs, or systems of the PIC or
PIP;
- advise the PIC or PIP regarding complaints and/or the
exercise by data subjects of their rights (e.g., requests for
information, clarifications, rectification or deletion of personal
data);
- ensure proper data breach and security incident management
by the PIC or PIP, including the latter’s preparation and submission to
the NPC of reports and other documentation concerning security
incidents or data breaches within the prescribed period;
- inform and cultivate awareness on privacy and data
protection within your organization, including all relevant laws, rules
and regulations and issuances of the NPC;
- advocate for the development, review and/or revision of
policies, guidelines, projects and/or programs of the PIC or PIP
relating to privacy and data protection, by adopting a privacy by
design approach;
- serve as the contact person of the PIC or PIP vis-à-vis
data subjects, the NPC and other authorities in all matters concerning
data privacy or security issues or concerns and the PIC or PIP;
- cooperate, coordinate and seek advice of the NPC regarding
matters concerning data privacy and security; and
- perform other duties and tasks that may be assigned by the
PIC or PIP that will further the interest of data privacy and security
and uphold the rights of the data subjects.
Except for items (a) to (c), a COP shall perform all other
functions of a DPO. Where appropriate, he or she shall also assist the
supervising DPO in the performance of the latter’s functions.
You must have due regard for the risks associated with the
processing operations of the PIC or PIP, considering the nature, scope,
context and purposes of processing. Accordingly, you must
prioritize your activities and focus your efforts on issues
that present higher data protection risks.
For the full DPO Guidelines, see: NPC
Advisory No. 2017-01: Designation of Data Protection Officers