Philippines: eRehistro updates from the National Privacy Commission

In brief

On 6 March 2021, the Philippine National Privacy Commission (NPC) posted on its official Facebook page its answers to some frequently asked questions involving eRehistro -- NPC’s newly announced online registration and renewal platform for both Phase 1: Data Protection Officer (DPO) and Phase 2: Data Processing System (DPS) registrations. Learn more about the eRehistro system from our earlier client alert here.


Contents

Recommended actions

The NPC has yet to issue formal guidelines regarding the eRehistro system and announce its official launch. In the meantime, we continue to encourage personal information controllers (PICs) and personal information processors (PIPs) to begin preparing, reviewing and updating their compliance and registration information. Specific to Phase 2: DPS registration, clients are advised to commence preparing the pieces of information required for the registration process, as discussed below.

We also recommend that clients keep themselves updated of further developments from the NPC, either through the commission's website or its social media channels, regarding the eRehistro system. Our firm is also closely monitoring this compliance matter and we will provide more updates as they arise.

In more detail

NPC registration requirement

Registration with the NPC is required for PICs and PIPs processing personal data and operating in the Philippines under any of the following conditions:

  • processing the sensitive personal information of at least 1,000 individuals
  • employing at least 250 individuals
  • belonging to a business/industry sector identified by the NPC (NPC Circular No. 17-01) as subject to mandatory registration

According to the NPC, both new and existing PICs and PIPs that fall within the foregoing registration criteria are required to create an eRehistro account and register their DPS with the NPC.

eRehistro account creation process

In order to create an eRehistro account, PICs and PIPs are required to fill out the eRehistro application form, which will require the following information:

  • For organizations: Name of its head, email address and contact number of the organization
  • For individuals: Name, email address, contact number and government-issued ID number
  • Name, email address, contact number, and gender of the DPO
  • Signature

Once the foregoing information have been encoded, the completed eRehistro application form must be printed, signed and notarized.

Documentary requirements

Aside from the information listed above, the following documents must also be uploaded unto the eRehistro system during the account creation process:

  • board resolution or secretary’s certificate regarding the appointment of the DPO
  • Securities and Exchange Commission (SEC) or Department of Trade and Industry (DTI) or other related document proving the existence of the organization
  • notarized eRehistro application form

DPS registration

The following information must be encoded in the eRehistro system for DPS registration purposes:

  • name of the DPS
  • type of DPS (i.e., paper-based, manual, electronic/automatic, or both)
  • purpose(s) of the DPS
  • whether the person is a PIC or PIP
  • whether the DPS involves automated decision-making
  • whether data processing is outsourced or subcontracted
  • categories of the data subject and personal data involved
  • number of staff in the PIC or PIP’s data protection office
  • number of recipients to whom the personal data will be or may be disclosed
  • whether personal data will be transferred outside the Philippines

Effects of non-registration

Failure of the PIC or PIP to register all of its DPS with the NPC will result in the non-issuance of its certificate of registration. The NPC will consider an organization's failure to completely register its DPS when it conducts compliance checks or investigations in connection with privacy complaints or security incidents.

LOGO Philippines_QuisumbingTorres_Manila

*Authored by Quisumbing Torres, a member firm of Baker & McKenzie International, a Swiss Verein. Please contact QTInfoDesk@quisumbingtorres.com for inquiries.

Contact Information

© 2021 Baker & McKenzie. Ownership: This site (Site) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms, including Baker & McKenzie LLP). Use of this site does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All information on this Site is of general comment and for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulation and practice are subject to change. The information on this Site is not offered as legal or any other advice on any particular matter, whether it be legal, procedural or otherwise. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any information provided in this Site. Baker McKenzie, the editors and the contributing authors do not guarantee the accuracy of the contents and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the contents of this Site. Attorney Advertising: This Site may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Site may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. All rights reserved. The content of the this Site is protected under international copyright conventions. Reproduction of the content of this Site without express written authorization is strictly prohibited.