
Privacy Act Commission Guidelines


Republic of the Philippines

NATIONAL PRIVACY COMMISSION

NPC Circular No. 2022-04

DATE : 05 December 2022

SUBJECT : REGISTRATION OF PERSONAL DATA PROCESSING SYSTEM,
NOTIFICATION REGARDING AUTOMATED DECISION-MAKING
OR PROFILING, DESIGNATION OF DATA PROTECTION OFFICER,
AND THE NATIONAL PRIVACY COMMISSION SEAL OF
REGISTRATION

WHEREAS, Article II, Section 24, of the 1987 Constitution provides that the State
recognizes the vital role of communication and information in nation-building. At the same
time, Article II, Section 11 thereof emphasizes that the State values the dignity of every human
person and guarantees full respect for human rights;

WHEREAS, Section 2 of Republic Act No. 10173, also known as the Data Privacy Act
of 2012 (DPA), provides that it is the policy of the State to protect the fundamental human
right of privacy of communication while ensuring free flow of information to promote
innovation and growth. The State also recognizes its inherent obligation to ensure that
personal information in information and communications systems in the government and in
the private sector are secure and protected;

WHEREAS, Section 16 of the DPA and Section 34 of its Implementing Rules and
Regulations (IRR) provide that data subjects shall be furnished with and given access to their
personal data that are being processed in Data Processing System, as well as the purpose,
scope, method, and manner of such processing, including the existence of automated decision-
making;

WHEREAS, pursuant to Section 7 of the DPA, the National Privacy Commission
(NPC) is charged with the administration and implementation of the provisions of the law,
which includes ensuring the compliance by a personal information controller (PIC) with the
provisions thereof, publishing a compilation of an agency’s system of records and notices, and
carrying out efforts to formulate and implement plans and policies that strengthen the
protection of personal data, in coordination with other government agencies and private
entities;

WHEREAS, Section 9 of the IRR provides that, among the NPC’s functions, is to
develop, promulgate, review, or amend rules and regulations for the effective implementation
of the DPA;

WHEREAS, Section 24 of the DPA states that, when entering into any contract that
may involve accessing or requiring sensitive personal information from at least one thousand

NPC_DIT_CRLR-V1.0,R0.0,22 June 2022

5th Floor, Philippine International Convention Center, Vicente Sotto Avenue, Pasay City, Metro Manila 1307
URL: https//www.privacy.gov.ph Email Add: info@privacy.gov.ph Tel No. 8234-2228
(1,000) individuals, a government agency shall require the contractor and its employees to
register its personal information processing system with the NPC in accordance with the DPA
and to comply with the law’s provisions. Furthermore, Section 14 of the DPA mandates that
a personal information processor (PIP) shall also comply with all requirements of the DPA
and other applicable laws;

WHEREAS, in line with Sections 46 and 47 of the IRR, a PIC or PIP that employs fewer
than two hundred fifty (250) persons shall not be required to register unless the processing it
carries out is likely to pose a risk to the rights and freedoms of data subjects, is not occasional,
or includes sensitive personal information of at least one thousand (1,000) individuals.
Moreover, Section 48 thereof declares that a PIC carrying out any automated processing
operation that is intended to serve a single or several related purposes must notify the NPC
when the operation becomes the sole basis for making decisions about a data subject, and
when such decision would significantly affect the data subject;

WHEREAS, Sections 46 and 47, Rule XI of the IRR also require the effective and
efficient monitoring of Data Processing Systems that are likely to pose a risk to the rights
and freedoms of data subjects including those that involve information likely to affect national
security, public safety, public order, or public health or information required by applicable
laws or rules to be confidential; vulnerable data subjects like minors, the mentally ill, asylum
seekers, the elderly, patients, those involving criminal offenses, or in any other case where an
imbalance exists in the relationship between a data subject and a PIC or PIP, especially those
involving automated decision-making or profiling;

WHEREFORE, in consideration of these premises, the NPC hereby issues this Circular
governing the registration of Data Processing System and Data Protection Officer, notification
regarding automated decision-making or profiling, and the NPC seal of registration:

PRELIMINARY PROVISIONS

SECTION 1. Scope. The provisions of this Circular shall apply to any natural or juridical
person in the government or private sector processing personal data and operating in the
Philippines, subject to the relevant provisions of the DPA, its IRR, and other applicable
issuances of the NPC.

SECTION 2. Definition of Terms. For the purpose of this Circular, the definition of terms in
the Data Privacy Act of 2012 and its IRR are adopted, and the following terms are defined, as
follows:

A. “Automated Decision-making” refers to a wholly or partially automated processing
operation that can make decisions using technological means totally independent of
human intervention; automated decision-making often involves profiling;

B. “Common DPO” refers to an individual who is a member of a group of related
companies or an individual consultant under contract with several separate PICs and
PIPs who is appointed or designated to be primarily responsible for ensuring the
compliance of each of the concerned entities with the DPA, its IRR and all other
relevant issuances of the Commission;

C. “Compliance Officer for Privacy” or “COP” refers to an individual that performs the
functions or some of the functions of a DPO in a particular region, office, branch, or
area of authority;

D. “Data Protection Officer” or “DPO” refers to an individual designated by the head of
agency or organization to ensure its compliance with the Act, its IRR, and other
issuances of the Commission: Provided, that, except where allowed otherwise by law
or the Commission, the individual must be an organic employee of the government
agency or private entity: Provided further, that a government agency or private entity
may not have more than one DPO;

E. “Data sharing” is the sharing, disclosure, or transfer to a third party of personal data
under the custody of a personal information controller to one or more other personal
information controllers;

In the case of a personal information processor, data sharing should only be allowed
if it is carried out on behalf of and upon the instructions of the personal information
controller it is engaged with via a subcontracting agreement. Otherwise, the sharing,
transfer, or disclosure of personal data that is incidental to a subcontracting agreement
between a personal information controller and a personal information processor
should be excluded.

F. “Government Agency” refers to a government branch, body, or entity, including
national government agencies, instrumentalities, bureaus, or offices, constitutional
commissions, local government units, government-owned and controlled
corporations and subsidiaries, government financial institutions, state colleges and
universities;

G. “Head of Agency” refers to:

1. the head of the government entity or body, for national government agencies,
constitutional commissions or offices, or branches of the government;

2. the governing board or its duly authorized official for government-owned and
-controlled corporations, government financial institutions, and state colleges
and universities;

3. the local chief executive, for local government units;

H. “Head of Organization” refers to the head or decision-making body of a private entity
or organization;

For private organizations or government-owned and controlled corporations
organized as private corporations, the Head of Organization may be the President, the
Chief Executive Officer, or the Chairman of the Board of Directors or any officer of
equivalent rank in the organization.

I. “Individual Professional” refers to individuals who are self-employed and who derive
income practicing their professions, with or without license from a regulatory board
or body, not being part of a partnership, firm, or other organization, which should
otherwise be registered as a personal information controller, and which practice
includes the processing of personal data. The individual professional is the de facto
DPO;

J. “Operating in the country” refers to PICs and PIPs who, although not founded or
established in the Philippines, use equipment that are located in the Philippines, or
those who maintain an office, branch, or agency in the Philippines;

K. “Private entity” or “Private organization” refers to any natural or juridical person that
is not a unit of the government, including, but not limited to, a corporation,
partnership, company, non-profit organization, or any other legal entity;

L. “Profiling” refers to any form of automated processing of data consisting of the use of
personal data, such as an individual’s economic situation, political or religious beliefs,
behavioral or marketing activities, personal preferences, electronic communication
data, location data, and financial data, among others, in order to evaluate, analyze, or
predict his or her performance, qualities, and behavior, among others;

M. “Registration information” refers to the completed registration details as inputted by
the registrant into the NPC’s official registration platform.

SECTION 3. Purpose. This Circular establishes the following:

A. The framework for registration of Data Processing Systems in the Philippines,
including online web-based and mobile applications that process personal data;

B. The mandatory or voluntary registration of Data Protection Officers (DPO) in both the
government and private entities as hereby prescribed in the succeeding sections; and

C. The imposition of other requirements to achieve the following objectives:

1. ensure that PICs and PIPs covered by this Circular and as provided for in the
succeeding sections are able to register its DPO;

2. ensure that PICs and PIPs keep a record of their data processing activities;

3. guarantee that information about Data Processing System owned by PICs or PIP
operating in the country are made accessible to the Commission to enable a more
efficient compliance monitoring process and uphold the exercise of data subject
rights under the DPA; and

4. promote transparency and accountability in the processing of personal data.

SECTION 4. General Principles. This Circular shall be governed by the following general
principles:

A. Registration of an entity’s Data Processing System and DPO with the Commission
shall be one of the means through which a PIC or PIP demonstrates its compliance
with the DPA, its IRR, and other relevant issuances of the NPC.

B. Registration information submitted by a PIC or PIP to the NPC are presumed to
contain all required information on its Data Processing System that are active or
existing during the validity of such registration. Any information excluded therefrom
are deemed nonexistent.

C. Registration information submitted by a PIC or PIP to the NPC on the identity and
official contact details of the designated DPO shall remain effective unless otherwise
amended or updated in accordance with the process in this Circular.

D. Unless otherwise provided in this Circular, any information, file, or document
submitted by a PIC or PIP to the NPC shall be kept confidential.

E. Any doubt in the interpretation of the provisions of this Circular shall be liberally
interpreted in a manner that would uphold the rights and interests of data subjects.

REGISTRATION OF DATA PROCESSING SYSTEM
AND DATA PROTECTION OFFICER

SECTION 5. Mandatory Registration. A PIC or PIP that employs two hundred fifty (250) or
more persons, or those processing sensitive personal information of one thousand (1,000) or
more individuals, or those processing data that will likely pose a risk to the rights and
freedoms of data subjects shall register all Data Processing Systems.

A. A Data Processing System processing personal or sensitive personal information
involving automated decision-making or profiling shall, in all instances, be registered
with the Commission.

B. A PIC or PIP shall register its own Data Processing System. In instances where the PIC
provides the PIP with the system, the PIC is obligated to register the same. A PIC who
uses a system as a service shall register the same indicating the fact that processing is
done through a service provider. A PIP who uses its own system as a service to process
personal data must register with the Commission.

C. A PIC or PIP who is an Individual Professional for mandatory registration shall
register with the Commission. For this purpose, the following shall be considered:

1. An Individual Professional is self-employed and practicing his or her profession
as defined under this Circular;

2. A business establishment, if registered as a PIC and operating under a different
business name, partnership, firm, or other organization, shall not register
separately as an Individual Professional;

3. An Individual Professional shall be considered as the de facto DPO.

SECTION 6. Voluntary Registration. An application for registration by a PIC or PIP whose
Data Processing System does not operate under any of the conditions set out in the preceding
Section may register voluntarily following the process outlined in this Circular.

A PIC or PIP who does not fall under mandatory registration and does not undertake
voluntary registration shall submit a sworn declaration (see Annex 1). The Commission
through an Order may require a PIC or PIP to submit supporting documents related to this
submission.

SECTION 7. When to Register. A covered PIC or PIP shall register its newly implemented
Data Processing System or inaugural DPO in the NPC’s official registration platform within
twenty (20) days from the commencement of such system or the effectivity date of such
appointment.

In the event a covered PIC or PIP seeks to apply minor amendments to its existing registration
information, which includes updates on an existing Data Processing System, or a change in
DPO, the PIC or PIP shall update the system within ten (10) days from the system update or
effectivity of the appointment of the new DPO.

SECTION 8. Authority to Register. A PIC or PIP shall file its application for registration
through its designated DPO. A PIC or PIP shall only be allowed to register one (1) DPO,
provided that in cases where a PIC or PIP has several branches, offices, or has a wide scope of
operations, the PIC or PIP may designate one (1) or more Compliance Officers for Privacy
(COP) who shall then be indicated as such in the DPO registration. Approval of the
Commission is not required for COP designations.

A COP shall always be under the direct supervision of the DPO. Under no circumstance shall
the registered COP be treated as a DPO unless the DPO registration is amended to reflect such
changes.

Further, in cases where a COP is designated by the PIC or PIP, the registration shall be
accompanied by the list of COPs clearly indicating the branch, office, unit, or region to which
they are assigned along with the official e-mail address and contact number.

In all cases, a PIC or a PIP is required to provide its DPO’s dedicated e-mail address that
should be separate and distinct from the personal and work e-mail of the personnel assigned
as a DPO. The DPO’s dedicated e-mail address must be maintained at all times to ensure that
the Commission is able to communicate with the PIC and PIP. In case the individual
designated as DPO vacates the position, the PIC or PIP should designate an interim DPO to
monitor any communications sent through the official DPO e-mail address.

A Common DPO shall be allowed so long as entities are registered separately. The Common
DPO shall register each entity individually. Approval of the Commission is not required for
Common DPO appointments.

An Individual Professional shall register himself or herself as the DPO. In cases where the
Individual Professional contracts another person to act as DPO he or she shall indicate such
fact and provide the required contact details of such person in the registration record. The
Commission through an Order may require a PIC or PIP to submit supporting documents
related to this submission.

SECTION 9. Registration Process. A PIC or PIP shall create an account by signing up in the
NPC’s official registration platform where it shall provide details about the entity.

A. Upon signing up, the PIC or PIP shall input the name and contact details of the DPO
together with a unique and dedicated email address, specific to the position of DPO
pursuant to the provisions of the fourth paragraph of Section 8.

B. During registration proper, the PIC or PIP shall encode the name and contact details
of the Head of the Organization or Head of Agency.

C. The prescribed application form shall be accomplished and shall be uploaded together
with all supporting documents as provided under Section 11.

D. The details of all Data Processing System owned by the PIC or PIP shall be encoded
into the platform. All Data Processing System of the PIC or PIP at the time of initial
registration must be encoded into the system.

E. The PIC or PIP shall identify and register all publicly facing online mobile or web-
based applications in accordance with Section 3(A).

F. The submissions of the PIC or PIP shall undergo review and validation by the
Commission. In case of any deficiency, the PIC or PIP shall be informed of the same
and shall be given five (5) days to submit the necessary requirements. Once the
submissions have been validated and considered complete, the PIC or PIP shall be
informed that the Certificate of Registration is available for download.

An Individual Professional shall register only under his or her name, and indicate his or her
principal business address and contact details.

Registration through physical submission of requirements is not allowed.

SECTION 10. Mandatory Appointment of DPO in the Government. A Government Agency
is required to designate and register a DPO with a rank not lower than an Assistant Secretary
or Executive Director IV in case the highest ranking official is a Department Secretary or a
position of equivalent rank; at least Director IV level in case the highest ranking official is an
Undersecretary or a position of equivalent rank; at least Director II level in case the highest
ranking official is an Assistant Secretary or a position of equivalent rank; and at least a
Division Chief in case the highest ranking official is a Regional Director or a position of
equivalent rank.

For Local Government Units (LGUs), the Provincial, City and Municipal levels shall designate
and register a DPO with a rank not lower than Department Head.

Cities and Municipalities can designate a COP at the Barangay level, provided that the COP
shall be under the supervision of the DPO of the corresponding City, or Municipality that the
Barangay is part of.

SECTION 11. Application Form. An application for registration filed by a PIC or PIP must be
duly notarized and be accompanied by the following documents:

A. For government agencies:

Special or Office Order, or any similar document, designating or
appointing the DPO of the PIC or PIP;

B. For domestic private entities:

1. For Corporations:

a) (1) duly notarized Secretary’s Certificate authorizing the
appointment or designation of DPO, or (2) any other document
demonstrating the validity of the appointment or designation of the
DPO signed by the Head of the Organization with an
accompanying valid document conferring authority to the Head of
Organization to designate or appoint persons to positions in the
organization.

b) Securities and Exchange Commission (SEC) Certificate of
Registration.

c) certified true copy of latest General Information Sheet.

d) valid business permit.

2. For One Person Corporation

a) (1) duly notarized Secretary’s Certificate authorizing the
appointment or designation of DPO, or (2) any other document that
demonstrates the validity of the appointment or designation of
DPO signed by the sole director of the One Person Corporation.

b) SEC Certificate of Registration

c) valid business permit.

3. For Partnerships

a) duly notarized Partnership Resolution or Special Power of
Attorney authorizing the appointment or designation of DPO, or
any other document that demonstrates the validity of the
appointment or designation.

b) SEC Certificate of Registration.

c) valid business permit.

4. Sole Proprietorships:

a) duly notarized document appointing the DPO and signed by the
sole proprietor, in case the same should elect to appoint or
designate another person as DPO.

b) DTI Certificate of Registration.

c) valid business permit.

C. For foreign private entities:

1. Authenticated copy or Apostille of Secretary’s Certificate authorizing
the appointment or designation of DPO, or any other document that
demonstrates the appointment or designation, with an English translation
thereof if in a language other than English.

2. Authenticated copy or Apostille of the following documents, with an
English translation thereof if in a language other than English, where
applicable:

a) Latest General Information Sheet or any similar document.

b) Registration Certificate (Corporation, Partnership, Sole
Proprietorship) or any similar document.

c) valid business permit or any similar document.

SECTION 12. Details of Registration. In the NPC’s online registration platform, a PIC or PIP
shall provide the following registration information:

A. details of the PIC or PIP, the Head of Agency or Organization, and the Data
Protection Officer.

1.) name and contact details of the PIC or PIP, Head of Agency or
Organization, and DPO as well as the designated COP, if any, with
supporting documents.

2.) a unique and official email address specific to the position of DPO of the
PIC or PIP, and not with the person who is the DPO.

3.) primary purpose of the private entity or the constitutional or statutory
mandate of the government agency;

B. brief description per Data Processing System:


1.) name of the system;

2.) basis for the processing of information;

3.) purpose or purposes of the processing;

4.) whether processing is being performed as a PIC or PIP, if an
organization uses the same system as a PIC and as a PIP, then the
organization shall register such usage separately;

5.) whether the system is outsourced or subcontracted, and if so, the
name and contact details of the PIP;

6.) description of the category or categories of data subjects, and their
personal data or categories thereof;

7.) recipients or categories of recipients to whom the personal data might
be disclosed;

8.) description of security measures (Organizational, Physical, and
Technical)

9.) general information on the Data Life Cycle (Time, Manner, or Mode of
Collection, Retention Period, and Disposal/Destruction/Deletion
Method/Procedure)

10.) whether personal data is transferred outside of the Philippines; and

11.) the existence of Data Sharing Agreements with other parties;

C. Identify all publicly facing online mobile or web-based applications, including
internal apps with PIC or PIP employees as clients.

D. Notification regarding any automated decision-making operation or
profiling.

SECTION 13. Certificate of Registration. The Commission shall issue a Certificate of
Registration in favor of a PIC or PIP, that has successfully completed the registration process.
The Certificate of Registration shall only be considered as proof of such registration and not a
verification of the contents thereof.

Any party may request, in writing, an authenticated copy of the Certificate of Registration of
a PIC or PIP, subject to payment of reasonable fees covered by a separate issuance for this
specific purpose.

SECTION 14. Validity. A Certificate of Registration shall be valid for one (1) year from its
date of issuance; provided, that the certificate may be revoked by the Commission on any of
the grounds provided for under Section 35 of this Circular and upon service of a Notice of
Revocation to the PIC or PIP.

SECTION 15. Verification. The Commission may, at any time, verify any or all registration
information provided by a PIC or PIP through its compliance check function. Through a
privacy sweep of publicly available information, notices of document submission or during
on-site examination of the Data Processing System, all relevant documents shall be made
available to the Commission.

SECTION 16. Amendments or Updates. Subject to reasonable fees that may be prescribed by
the Commission, major amendments to registration information shall be made within thirty
(30) days from the date such changes take into effect. Major amendments are the changes to
the following:

(a) Name of the PIC or PIP; and

(b) the Office Address of the PIC or PIP.

Minor updates shall be made within ten (10) days from the date such changes take into effect.
Updates shall include all other information other than those covered as a major amendment.

The PIC or PIP shall fill-up the necessary form and submit accompanying supporting
documents when required.

SECTION 17. Non-Registration. A PIC or PIP shall be considered as unregistered under the
following circumstances:

A. failure to register with the Commission in accordance with Section 7 of this Circular;

B. expiration and non-renewal of Certificate of Registration;

C. non-submission of any deficiency in supporting documents within five (5) days from
notice;

D. rejection or disapproval of an application for registration, or an application for renewal
of registration; or

E. revocation of the Certificate of Registration.

SECTION 18. Renewal. A PIC or PIP may only renew its registration thirty (30) days before
the expiration of the one-year validity of its Certificate of Registration.

SECTION 19. Reasonable Fees. To recover administrative costs, the Commission may require
the payment of reasonable fees for registration, renewal, and other purposes in accordance
with a schedule that shall be provided in a separate issuance.

SECTION 20. Imposition of Administrative Fines. A PIC or PIP covered by Mandatory
Registration who shall be in violation of the same, shall be subject to the corresponding fine
in accordance with the Guidelines on Administrative Fines.

A PIC or PIP who failed to comply with an Order of the Commission to submit documents in
relation to Section 5(A) and the last paragraph of Section 8 shall be liable for failure to register
and failure to comply with an Order of the Commission.

SECTION 21. Inaccessible DPO Accounts. In case a DPO account was not properly
transferred, or in cases of inaccessibility to the registration platform due to lost credentials, or
upon failure of a prior DPO to properly turn over the accountability to the registration
platform, the PIC or PIP shall submit a notarized letter of explanation or any similar document
as justification as to why the DPO account was lost or not properly transferred without
prejudice to any administrative finding of failure to register or to update registration.

Subject to reasonable fees that may be prescribed by the Commission, the Head of Agency or
Head of Organization may request the retrieval of the account.

SECTION 22. Withdrawal of Registration. Withdrawal of registration of information due to
cessation of business, or in cases when personal data processing is no longer done or for other
similar reasons, shall be made in writing and accompanied by supporting documents such as
certified photocopy of SEC Certificates of Dissolution of corporation, or board resolutions,
within two (2) months from the date such cessation takes effect which shall be submitted
electronically via email. It shall be presumed that the PIC or PIP is still processing personal
information or is still operating its business in the absence of an application for the withdrawal
of registration. Verily, a PIC or PIP may still be a subject of a compliance check absent any
showing that such withdrawal has been applied for.

In case of death of an Individual Professional registrant, withdrawal may be done by the next
of kin through written notification with a copy of the death certificate attached as proof which
shall be submitted electronically via email.

REGISTRY OF DATA PROCESSING SYSTEM

SECTION 23. Maintenance of Registry. The Commission shall maintain a registry of PICs
and PIPs, and of the Data Processing Systems, and designated or appointed Data Protection
Officers in electronic format.

SECTION 24. Removal from Registry. The registration information of a PIC or PIP may be
removed from the registry, upon prior notice by the Commission, on any of the following
grounds:

A. Incomplete registration;

B. Expiration and non-renewal of registration;

C. Revocation of Certificate of Registration;

D. Expired and void registration; or

E. Withdrawal of registration by the PIC due to cessation of business, cessation of
personal data processing, or death of the Individual Professional registrant.

Except for Section 24(E), the PIC or PIP is given fifteen (15) days from notice to answer and
explain why its removal should not be effected.

SECTION 25. Non-inclusion of Confidential Information. Information classified by the
Constitution or any statute as confidential shall not be included in the registry.

NOTIFICATION REGARDING
AUTOMATED DECISION-MAKING OR PROFILING

SECTION 26. Notification of Automated Decision-Making or Profiling. A PIC or PIP that
carries out any automated decision-making operation or profiling shall indicate in its
registration record and identify the Data Processing System involved in the automated
decision-making or profiling operation.

The PIC or PIP shall also include information on the following:

A. lawful basis for processing personal data;

1. Other relevant information pertaining to the specified lawful basis specifying the
specific law or regulation among others.

If consent is used as the basis for processing, submission of the following:

i. consent form used; or

ii. other manner of obtaining consent.

B. retention period for the processed data;

C. methods and logic utilized for automated processing; and

D. possible decisions relating to the data subject based on the processed data, particularly
if the decisions would significantly affect the data subject’s rights and freedoms.

SECTION 27. When to Notify. Notification regarding automated decision-making and
profiling shall be included in the registration information that will be provided by a PIC or
PIP, as indicated in Section 12 of this Circular, or through amendments or updates to such
registration information, as per Section 16 of this Circular, within the prescribed periods.

SECTION 28. Availability of Additional Information. Upon request by the Commission, a
PIC or PIP shall make available additional information and supporting documents pertaining
to its automated decision-making or profiling operation.

NATIONAL PRIVACY COMMISSION
SEAL OF REGISTRATION

SECTION 29. Issuance of Seal of Registration. The Seal of Registration shall be issued
simultaneously with the Certificate of Registration which will also be available for download.

SECTION 30. Standard Information. The Seal of Registration shall contain the following
information:

A. The word “Registered” indicating that the PIC or PIP has registered its DPS and DPO
with the Commission;

B. The validity period of the registration;

C. A unique QR code for easy verification of registration indicating the following:

1. Name of the PIC or PIP;

2. Registered DPO email; and

3. Validity of registration.

SECTION 31. Validity. The Seal of Registration shall be valid for one (1) year from the date
of issuance thereof.

SECTION 32. Mandatory Display of Seal of Registration. The Seal of Registration must be
displayed at the main entrance of the place of business, office or at the most conspicuous place
to ensure visibility to all data subjects.

A PIC or PIP is also required to display the Seal of Registration in its main website, or at least
the webpage specifically pertaining to the Philippines for global websites, and only as either:

(1) a clickable link leading to the privacy notice; or

(2) displayed directly on the privacy notice page.

SECTION 33. Use of Seal of Registration. The Seal of Registration shall be exclusively used
by the registered PIC or PIP.

The use of the Seal of Registration by any person other than the PIC or PIP for whatever
purpose is prohibited.

SECTION 34. Automatic Revocation or Withdrawal. In all instances wherein the Certificate
of Registration has been revoked, or the registration of the PIC or PIP has been validly
withdrawn, the Seal of Registration shall automatically be revoked or otherwise invalidated.

SANCTIONS AND PENALTIES

SECTION 35. Revocation of Certificate of Registration. The Commission may revoke the
registration of a PIC or PIP on any of the following grounds:

A. failure to comply with any of the provisions of the DPA, its IRR, or any relevant issuances
of the Commission;

B. motu proprio revocation upon failure to comply with any order, condition, or restriction
imposed by the Commission;

C. loss of authority to operate or conduct business, due to the revocation of its license, permit,
franchise, or any other similar requirement provided by law;

D. cessation of operations or of personal data processing;

E. lack of capacity or inability to securely process personal data in accordance with the DPA
as determined by the Commission thru its compliance check function;

F. issuance by the Commission of a temporary or permanent ban on data processing against
the PIC or PIP: Provided, that in the case of a temporary ban, such prohibition is still in effect
at the time of filing of the application for renewal of registration;

G. motu proprio revocation for providing false information in the registration or
misrepresenting material information in the registration.

Provided, that, prior to revocation, the Commission shall give the PIC or PIP an opportunity
to explain why its Certificate of Registration should not be revoked.

In cases of motu proprio revocation in Sections B or G, it shall be operative upon the
administrative finding of liability for the infraction.

SECTION 36. Notice of Revocation. Where the registration of a PIC or PIP is revoked, the
Commission shall issue a Notice of Revocation of Registration, which shall be served upon
the PIC or PIP.

SECTION 37. Penalties and Fines. A PIC or PIP whose Certificate of Registration has been
revoked or that is determined to have violated the registration requirements provided in this
Circular may, upon notice and hearing, be subject to compliance and enforcement orders,
cease and desist orders, temporary or permanent bans on the processing of personal data, or
payment of administrative fines. For this purpose, the registration requirements shall pertain
to the provisions on mandatory registration, amendments and updates, and renewal of
registration.

SECTION 38. Cease and Desist Order. When the Commission, upon notice and hearing, has
determined that a PIC or PIP violated this Circular, such as the failure to disclose its
automated decision-making or profiling operation through the appropriate notification
processes set out in this Circular and noncompliance on the mandatory display of the seal of
registration, the Commission may cause upon the PIC or PIP the service of a Cease and Desist
Order on the processing of personal data: Provided, that this is without prejudice to other
processes or reliefs as the Commission may be authorized to initiate pursuant to Section 7 of
the DPA and any other administrative, civil, or criminal penalties that the PIC or PIP may
incur under the DPA and other applicable laws.

MISCELLANEOUS PROVISIONS

SECTION 39. Transitory Period. Notwithstanding the period in the first paragraph of Section
7 of this Circular, all covered PICs and PIPs shall complete their Data Processing System and
DPO registration within one hundred eighty (180) days from the effectivity of this Circular.

SECTION 40. Repealing Clause. This Circular supersedes in its entirety NPC Circular No. 17-
01. The provisions of the IRR and all other issuances contrary to or inconsistent with the
provisions of this Circular are deemed repealed or modified accordingly.

SECTION 41. Separability Clause. If any portion or provision of this Circular is declared null
and void, or unconstitutional, the other provisions not affected thereby shall continue to be in
force and effect.

SECTION 42. Publication and Effectivity. This Circular shall take effect fifteen (15) days after
its publication in the Official Gazette or two newspapers of general circulation and the
submission of a copy hereof to the Office of the National Administrative Register of the
University of the Philippines.

Approved:

Sgd.
JOHN HENRY D. NAGA
Privacy Commissioner

Sgd.
LEANDRO ANGELO Y. AGUIRRE
Deputy Privacy Commissioner

NPC_DIT_CRLR-V1.0,R0.0,22 June 2022

5th Floor, Philippine International Convention Center, Vicente Sotto Avenue, Pasay City, Metro Manila 1307
URL: https://www.privacy.gov.ph Email Add: info@privacy.gov.ph Tel No. 8234-2228
