The NPC Registration system is a secure and reliable web-based portal for the registration of Data Processing System and Data Protection Officers (DPO). The platform will expedite the process for registration of Data Processing Systems (DPS) in the Philippines as required by the Data Privacy Act of 2012 and its Implementing Rules and Regulations, which includes online web-based and mobile applications that process personal information and/or sensitive personal information.
Personal Information Controllers (PIC) Personal Information Processor under the direct control of a PIC Individual Professionals as PIC or PIP
A Personal Information Controller and A Personal Information Processor through their designated Data Protection Officers (DPO) may create an NPCRS account.
An Individual Professional, as DPO or through an appointed DPO may likewise create the same.
In compliance with NPC Circular No. 2022-04 effective 11 January 2022, all application for registration of Data Processing System and Data Protection Officer shall be through the NPCRS only.
Not all entities are required to create and account with the NPCRS. Under Section 5 of NPC Circular No. 2022-04, a PIC/PIP shall be required to register under the online platform when ANY of the following are present:
An application for registration by a Personal Information Controller (PIC) or Personal Information Processor (PIP) processing personal data who does not operate under any of the conditions set forth under Section 5 of NPC Circular No. 2022-04, the PIC or PIP may register voluntarily
A Personal Information Controller or Personal Information Processor who will not elect voluntary registration is required to file a duly notarized sworn declaration and undertaking, this is Annex 1 of NPC Circular No. 2022-04.
Data Protection Officers (DPO) of Personal Information Controllers (PIC) who owns the Data Processing System (DPS).
DPOs of PICs providing Personal Information Processors (PIP) with a DPS.
DPOs of PICs using systems as a service shall register the DPS and indicate that processing is done through a service provider.
DPOs of PIPs using its own DPS to process personal data under the instruction of the PIC.
NO, only one DPO is allowed per entity. The entity may appoint as many Compliance Officers for Privacy as required to implement data protection measures.
YES, common DPO is allowed as long as registration is on a per entity basis. The DPO however is not allowed to use the same Official DPO email.
We will follow the One Entity, One Official DPO email, One Registration Rule.
Entities who are required to register must register a new Data Processing System within twenty (20) days from the launch of the system.
Entities who are required to register must register the appointment or designation of a new Data Protection Officer within twenty (20) days from the designation or Appointment.
Amendments to the Name of the Entity or the Business Address are considered major and should be through the registration system within 30 days from the effectivity of the change.
All other changes are considered minor, and shall be effected using the registration platform within 10 days from the change.
The NPCRS allows you to do minor amendments to your registration information pertaining to your Data Processing System.
DPS may be tagged as inactive through the minor amendment process.
An application for registration filed by a Data Protection Officer must be duly notarized and be accompanied by the following documents:
Special or Office Order, or any similar document, designating or appointing the DPO of the PIC or PIP;
a) (1) duly notarized Secretary’s Certificate authorizing the appointment or designation of DPO, or (2) any other document demonstrating the validity of the appointment or designation of the DPO signed by the Head of the Organization with an accompanying valid document conferring authority to the Head of Organization to designate or appoint persons to positions in the organization.
b) Securities and Exchange Commission (SEC) Certificate of Registration.
c) certified true copy of latest General Information Sheet.
d) valid business permit.
a) (1) duly notarized Secretary’s Certificate authorizing the appointment or designation of DPO, or (2) any other document that demonstrates the validity of the appointment or designation of DPO signed by the sole director of the One Person Corporation.
b) SEC Certificate of Registration
c) valid business permit.
a) duly notarized Partnership Resolution or Special Power of Attorney authorizing the appointment or designation of DPO, or any other document that demonstrates the validity of the appointment or designation.
b) SEC Certificate of Registration.
c) valid business permit
a) duly notarized document appointing the DPO and signed by the sole proprietor, in case the same should elect to appoint or designate another person as DPO.
b) DTI Certificate of Registration.
c) valid business permit.
Authenticated copy or Apostille of Secretary’s Certificate authorizing the appointment or designation of DPO, or any other document that demonstrates the appointment or designation, with an English translation thereof if in a language other than English.
Authenticated copy or Apostille of the following documents, with an English translation thereof if in a language other than English, where applicable:
a) Latest General Information Sheet or any similar document.
b) Registration Certificate (Corporation, Partnership, Sole Proprietorship) or any similar document.
c) valid business permit or any similar document
Since NPC Circular No. 2022-04 was effective last 11 January 2023, the 180 days period will end on 10 July 2023.
NO, all Certificates of Registration with effectivity date until the 8th of March 2023 will have an extended validity until the 10th of July 2023.
If the Data Protection Officer completes the registration process through the NPCRS before the lapse of the 180 days, the validity of the Certificate of Registration and the NPC Seal of Registration will be 1 year from its issuance.
NO, you must do the initial registration with the NPCRS right away.
NO, we have implemented a clean database for the NPCRS, all are required to go through with the initial registration process.
Your old registration record shall be stored and disposed of according to the Commissions’ Privacy Policy. The Commission is implementing sufficient Organizational, Technical, and Physical Security Measures to protect personal data that we process.
NO. only a notarized system generated form of the NPCRS will be accepted upon validation.
Only if it was Notarized in 2022 and used then to renew registration, provided that there are no changes in the appointed or designated DPO.
On the NPCRS landing page, you may click “Inaccessible account? Retrieve here”. Upon which, you will be required to input your specific organization together with a new DPO email address and upload of a notarized justification letter.
As a security measure, the system will prompt that multiple sessions are taking place. Organizations are required to implement organizational security measures like role based access control to secure their NPCRS accounts.
In the meantime, within the 180 days transitory period, we highly recommend that you prioritize registering your critical Data Processing Systems (DPS):
(1) Those with automated decision making and/or profiling;
(2) Client or customer facing ONLINE web based or mobile applications; and
(3) Those processing sensitive personal information.
Submit registration to acquire your certificate and seal of registration then amend your registration record by adding your other DPS.
NO.
The registration of COPs will not grant their respective region/branch/office a separate certificate and seal of registration. The Data Protection Officer (DPO) shall forward the NPC Seal of Registration to its region/branch/office for display.
A region/branch/office is not allowed to create a separate registration in the NPCRS.