FREQUENTLY ASKED QUESTIONS (FAQs)
FREQUENTLY ASKED QUESTIONS (FAQs)

NPC Circular No. 2022-04 - REGISTRATION OF PERSONAL DATA PROCESSING SYSTEM, NOTIFICATION REGARDING AUTOMATED DECISION-MAKING OR PROFILING, DESIGNATION OF DATA PROTECTION OFFICER, AND THE NATIONAL PRIVACY COMMISSION SEAL OF REGISTRATION NATIONAL PRIVACY COMMISSION REGISTRATION SYSTEM (“NPCRS”)

  1. WHAT IS NPC REGISTRATION SYSTEM (“NPCRS”)?

    2. The NPC Registration system is a secure and reliable web-based portal for the registration of Data Processing System and Data Protection Officers (DPO). The platform will expedite the process for registration of Data Processing Systems (DPS) in the Philippines as required by the Data Privacy Act of 2012 and its Implementing Rules and Regulations, which includes online web-based and mobile applications that process personal information and/or sensitive personal information.

  2. WHO CAN USE THE NPCRS?

    3. Personal Information Controllers (PIC) Personal Information Processor under the direct control of a PIC Individual Professionals as PIC or PIP

  3. WHO CAN CREATE AN NPCRS ACCOUNT?

    4. A Personal Information Controller and A Personal Information Processor through their designated Data Protection Officers (DPO) may create an NPCRS account.

    An Individual Professional, as DPO or through an appointed DPO may likewise create the same.

  4. WHEN IS REGISTRATION IN NPCRS REQUIRED?

    5. In compliance with NPC Circular No. 2022-04 effective 11 January 2022, all application for registration of Data Processing System and Data Protection Officer shall be through the NPCRS only.

    1. Mandatory Registration

      2. Not all entities are required to create and account with the NPCRS. Under Section 5 of NPC Circular No. 2022-04, a PIC/PIP shall be required to register under the online platform when ANY of the following are present:

      1. Personal Information Controllers (PIC) or Personal Information Processors (PIP) employing two hundred fifty (250) or more persons
      2. PIC or PIP processing sensitive personal information of one thousand (1,000) or more individuals
      3. PIC or PIP involves processing data that will likely pose a risk to the rights and freedoms of data subjects
      4. Government Agency or Instrumentality
    2. Voluntary Registration

      3. An application for registration by a Personal Information Controller (PIC) or Personal Information Processor (PIP) processing personal data who does not operate under any of the conditions set forth under Section 5 of NPC Circular No. 2022-04, the PIC or PIP may register voluntarily

    3. Exemption from Data Processing System Registration

      4. A Personal Information Controller or Personal Information Processor who will not elect voluntary registration is required to file a duly notarized sworn declaration and undertaking, this is Annex 1 of NPC Circular No. 2022-04.

  5. WHO SHOULD REGISTER DATA PROCESSING SYSTEMS?

    6. Data Protection Officers (DPO) of Personal Information Controllers (PIC) who owns the Data Processing System (DPS).

    DPOs of PICs providing Personal Information Processors (PIP) with a DPS.

    DPOs of PICs using systems as a service shall register the DPS and indicate that processing is done through a service provider.

    DPOs of PIPs using its own DPS to process personal data under the instruction of the PIC.

  6. ARE MULTIPLE DATA PROTECTION OFFICERS FOR ONE ENTITY ALLOWED?

    7. NO, only one DPO is allowed per entity. The entity may appoint as many Compliance Officers for Privacy as required to implement data protection measures.

  7. HOW ABOUT COMMON DATA POTECTION OFFICER, IS IT ALLOWED?

    8. YES, common DPO is allowed as long as registration is on a per entity basis. The DPO however is not allowed to use the same Official DPO email.

    We will follow the One Entity, One Official DPO email, One Registration Rule.

  8. WHEN SHOULD THE REGISTER USING THE NPCRS?

    9. Entities who are required to register must register a new Data Processing System within twenty (20) days from the launch of the system.

    Entities who are required to register must register the appointment or designation of a new Data Protection Officer within twenty (20) days from the designation or Appointment.

  9. WHEN TO DO MAJOR AMENDMENTS?

    10. Amendments to the Name of the Entity or the Business Address are considered major and should be through the registration system within 30 days from the effectivity of the change.

  10. WHAT ARE CONSIDERED MINOR AMENDMENTS?

    11. All other changes are considered minor, and shall be effected using the registration platform within 10 days from the change.

  11. WHAT IF MY DATA PROCESSING SYSTEM HAS CHANGES OR IS DECOMMISSIONED?

    12. The NPCRS allows you to do minor amendments to your registration information pertaining to your Data Processing System.

    DPS may be tagged as inactive through the minor amendment process.

  12. WHAT SUPPORTING DOCUMENTS SHOULD I HAVE TO SUCCESFULLY REGISTER MY ACCOUNT?

    13. An application for registration filed by a Data Protection Officer must be duly notarized and be accompanied by the following documents:

    1. For government agencies:

      2. Special or Office Order, or any similar document, designating or appointing the DPO of the PIC or PIP;

    2. For domestic private entities
      1. For Corporations:

          2. a) (1) duly notarized Secretary’s Certificate authorizing the appointment or designation of DPO, or (2) any other document demonstrating the validity of the appointment or designation of the DPO signed by the Head of the Organization with an accompanying valid document conferring authority to the Head of Organization to designate or appoint persons to positions in the organization.

          b) Securities and Exchange Commission (SEC) Certificate of Registration.

          c) certified true copy of latest General Information Sheet.

          d) valid business permit.

      2. For One Person Corporation

          3. a) (1) duly notarized Secretary’s Certificate authorizing the appointment or designation of DPO, or (2) any other document that demonstrates the validity of the appointment or designation of DPO signed by the sole director of the One Person Corporation.

          b) SEC Certificate of Registration

          c) valid business permit.

      3. For Partnerships

          4. a) duly notarized Partnership Resolution or Special Power of Attorney authorizing the appointment or designation of DPO, or any other document that demonstrates the validity of the appointment or designation.

          b) SEC Certificate of Registration.

          c) valid business permit

      4. Sole Proprietorships

          5. a) duly notarized document appointing the DPO and signed by the sole proprietor, in case the same should elect to appoint or designate another person as DPO.

          b) DTI Certificate of Registration.

          c) valid business permit.

    3. For foreign private entities:

      1. Authenticated copy or Apostille of Secretary’s Certificate authorizing the appointment or designation of DPO, or any other document that demonstrates the appointment or designation, with an English translation thereof if in a language other than English.

      2. Authenticated copy or Apostille of the following documents, with an English translation thereof if in a language other than English, where applicable:

          3. a) Latest General Information Sheet or any similar document.

          b) Registration Certificate (Corporation, Partnership, Sole Proprietorship) or any similar document.

          c) valid business permit or any similar document

  13. WHEN IS THE END OF THE TRANSITORY PERIOD TO COMPLY?

    14. Since NPC Circular No. 2022-04 was effective last 11 January 2023, the 180 days period will end on 10 July 2023.

  14. I HAVE A CERTIFICATE OF REGISTRATION STILL VALID UNTIL 08 MARCH 2023, WILL THIS BE INVALIDATED?

    15. NO, all Certificates of Registration with effectivity date until the 8th of March 2023 will have an extended validity until the 10th of July 2023.

    If the Data Protection Officer completes the registration process through the NPCRS before the lapse of the 180 days, the validity of the Certificate of Registration and the NPC Seal of Registration will be 1 year from its issuance.

  15. I HAVE A CERTIFICATE OF REGISTRATION VALID UNTIL 08 MARCH 2022 OR EARLIER, IS THIS STILL VALID?

    16. NO, you must do the initial registration with the NPCRS right away.

  16. WILL MY PREVIOUS REGISTRATION RECORD BE TRANSFERRED TO THE NPCRS?

    17. NO, we have implemented a clean database for the NPCRS, all are required to go through with the initial registration process.

  17. WHAT WILL HAPPEN TO MY OLD REGISTRATION RECORD?

    18. Your old registration record shall be stored and disposed of according to the Commissions’ Privacy Policy. The Commission is implementing sufficient Organizational, Technical, and Physical Security Measures to protect personal data that we process.

  18. IS THE SIGNED/NOTARIZED PRIOR APPLICATION FORM VALID TO BE UPLOADED IN THE NPCRS?

    19. NO. only a notarized system generated form of the NPCRS will be accepted upon validation.

  19. IS THE PREVIOUSLY SUBMITTED SECRETARY’S CERTIFICATE ON THE DESIGNATION OR APPOINTMENT OF A DPO AN ACCEPTED SUPPORTING DOCUMENT?

    20. Only if it was Notarized in 2022 and used then to renew registration, provided that there are no changes in the appointed or designated DPO.

  20. IN CASE MY DPO ACCOUNT IS INACCESSIBLE, HOW DO I RETRIEVE IT?

    21. On the NPCRS landing page, you may click “Inaccessible account? Retrieve here”. Upon which, you will be required to input your specific organization together with a new DPO email address and upload of a notarized justification letter.

  21. OUR ORGANIZATION HAS MORE THAN TWENTY (20) DATA PROCESSING SYSTEM (DPS), CAN I ACCESS THE DPO ACCOUNT SIMULTANEOUSLY WITH MULTIPLE DEVICE?

    22. As a security measure, the system will prompt that multiple sessions are taking place. Organizations are required to implement organizational security measures like role based access control to secure their NPCRS accounts.

    In the meantime, within the 180 days transitory period, we highly recommend that you prioritize registering your critical Data Processing Systems (DPS):

    (1) Those with automated decision making and/or profiling;

    (2) Client or customer facing ONLINE web based or mobile applications; and

    (3) Those processing sensitive personal information.

    Submit registration to acquire your certificate and seal of registration then amend your registration record by adding your other DPS.

  22. IF WE REGISTER OUR COMPLIANCE OFFICER FOR PRIVACY (COP), WILL IT MEAN THAT THE RESPECTIVE REGION/BRANCH/OFFICE IS REGISTERED?

    23. NO.

  23. WILL THEY BE ISSUED THEIR CERTIFICATES AS WELL OR SHOULD WE JUST REGISTER EACH REGION/BRANCH/OFFICE SEPARATELY?

    24. The registration of COPs will not grant their respective region/branch/office a separate certificate and seal of registration. The Data Protection Officer (DPO) shall forward the NPC Seal of Registration to its region/branch/office for display.

    A region/branch/office is not allowed to create a separate registration in the NPCRS.

  24. WHAT HAPPENS IF WE DO NOT COMPLY WITH THE REJECTION OF OUR DPO/DPS REGISTRATION

    25. The system is designed to remove pending registration/s with "Rejected" status in 5 days. This is in line with Circular 2022-04 Section 9.F.

REPUBLIC OF THE PHILIPPINES

All content is in the public domain unless otherwise stated.

ABOUT GOVPH

Learn more about the Philippine government, its structure, how government works and the officials behind it.

GOV.PH
Open Data Portal
Official Gazette
GOVERNMENT LINKS
Department of Information and Communications Technology
Office of the President
Office of the Vice President
Senate of the Philippines
House of Representatives
Supreme Court
Court of Appeals
Sandiganbayan
NPC PRIVACY NOTICE
CONTACT US

+632 5322 1322

[email protected]