The NPC has yet to issue formal guidelines regarding the eRehistro system and announce its official launch. In the meantime, we continue to encourage personal information controllers (PICs) and personal information processors (PIPs) to begin preparing, reviewing and updating their compliance and registration information. Specific to Phase 2: DPS registration, clients are advised to commence preparing the pieces of information required for the registration process, as discussed below.
We also recommend that clients keep themselves updated of further developments from the NPC, either through the commission's website or its social media channels, regarding the eRehistro system. Our firm is also closely monitoring this compliance matter and we will provide more updates as they arise.
In more detail
NPC registration requirement
Registration with the NPC is required for PICs and PIPs processing personal data and operating in the Philippines under any of the following conditions:
- processing the sensitive personal information of at least 1,000 individuals
- employing at least 250 individuals
- belonging to a business/industry sector identified by the NPC (NPC Circular No. 17-01) as subject to mandatory registration
According to the NPC, both new and existing PICs and PIPs that fall within the foregoing registration criteria are required to create an eRehistro account and register their DPS with the NPC.
eRehistro account creation process
In order to create an eRehistro account, PICs and PIPs are required to fill out the eRehistro application form, which will require the following information:
- For organizations: Name of its head, email address and contact number of the organization
- For individuals: Name, email address, contact number and government-issued ID number
- Name, email address, contact number, and gender of the DPO
Once the foregoing information have been encoded, the completed eRehistro application form must be printed, signed and notarized.
Aside from the information listed above, the following documents must also be uploaded unto the eRehistro system during the account creation process:
- board resolution or secretary’s certificate regarding the appointment of the DPO
- Securities and Exchange Commission (SEC) or Department of Trade and Industry (DTI) or other related document proving the existence of the organization
- notarized eRehistro application form
The following information must be encoded in the eRehistro system for DPS registration purposes:
- name of the DPS
- type of DPS (i.e., paper-based, manual, electronic/automatic, or both)
- purpose(s) of the DPS
- whether the person is a PIC or PIP
- whether the DPS involves automated decision-making
- whether data processing is outsourced or subcontracted
- categories of the data subject and personal data involved
- number of staff in the PIC or PIP’s data protection office
- number of recipients to whom the personal data will be or may be disclosed
- whether personal data will be transferred outside the Philippines
Effects of non-registration
Failure of the PIC or PIP to register all of its DPS with the NPC will result in the non-issuance of its certificate of registration. The NPC will consider an organization's failure to completely register its DPS when it conducts compliance checks or investigations in connection with privacy complaints or security incidents.
*Authored by Quisumbing Torres, a member firm of Baker & McKenzie International, a Swiss Verein. Please contact QTInfoDesk@quisumbingtorres.com for inquiries.