Registration of Data Processing Systems (NPC Circular 17-01)

The National Privacy Commission recently issued NPC Circular 17-01 on the registration of data processing systems and notifications regarding automated decision-making.

Under the Circular, covered Personal Information Controllers and Personal Infromation Processors should complete Phase 1 of the process for the registration of data processing systems by September 9, 2017 and Phase 2 by March 8, 2018.

A copy of the circular can be downloaded here.

FAQ on the NPC Rules of Procedure

Who may file a complaint?

1. The person claiming to be the subject of the privacy breach/violation;
2. His or her authorized representative; or
3. the National Privacy Commission (NPC), on its own initiative
(Sec. 3, NPC Rules)
Can someone not personally affected, and likewise not an authorized representative, file a complaint?

No. However, he or she may opt for either of the following:
1. Request for an advisory opinion; or
2. Inform the NPC on the data privacy concern
(Sec. 3, NPC Rules)
Will filing a complaint or requesting an advisory opinion require the payment of fees?
Yes. Otherwise, it will not be entertained. (Sec. 5, NPC Rules)
Is the rule on filing fees absolute?
No. The following instances are the exceptions to the rule on filing fees:
1. The complainant is the government, or any agency or instrumentality thereof, including government-owned and controlled corporations (excluding, however, GOCCS incorporated under the Corporation Code);
2. The complainant is an indigent or pauper litigant under the Rules of Court, i.e. one who has no money or property sufficient and available for food, shelter, and basic necessities for himself and his family (Sec. 21, Rule 3, Rules of Court); or one whose gross income and that of his immediate family do not exceed an amount double the monthly minimum wage of an employee (Sec. 19, Rule 141, Rules of Court) and do not own real property with fair market value exceeding PhP 300,000.00.
3. NPC waives the requirement for good cause shown.
Where should the complaint be filed?
The complaint can be filed with any office of the NPC (Sec. 7, NPC Rules). Note that the Rules are permissive as to which office the same can be filed and does not limit the filing of the same to the
office located in the same locality/region as that of the residence of the complainant. Note, also, that while “any office” is mentioned, at present, the NPC has only one existing office, located in Quezon City. Nonetheless, electronic filing is allowed via e-mail to, with a copy furnished to all other parties to the complaint (Sec. 8, NPC Rules).
What shall be the form and contents of the complaint?
It shall be in writing, verified and under oath, or contained in a sworn affidavit. The Efficient Use of Paper Rule must be complied with. In addition, the following shall be included:
* a brief narration of the material facts;
* supporting documents (original or certified true copy) and testimonial evidence;
* specific violation of the Data Privacy Act or related issuances;
* particular acts or omissions amounting to the alleged data privacy violations; and
* any and all correspondence with the respondent on the matter complained of, including a statement of the action taken by the latter to address
the matter, if any. 
(Sec. 10, NPC Rules)
What will happen next upon filing the complaint?
The case will be assigned by the NPC to an investigating officer for evaluation. Said officer will then recommend any of the following:
1. outright dismissal,
2. referral to the respondent for comment,
3. further monitoring,
4. that the complaint be treated as a request for an advisory opinion, or
5. indorsement to the proper government agency.
(Sec. 11, NPC Rules)
If the allegations are deemed to be sufficient, the investigating officer shall issue an Order to Confer for Discovery within 10 days from receipt of said Order. Whatever is agreed upon during such conference shall then be reduced into a Discovery Conference Report to be submitted to the NPC within five days from conclusion of the conference. (Sec. 13, NPC Rules)
Thereafter, the respondent/s will be directed, via an Order, to submit a Comment to the Complaint within 10 days from receipt of said Order. (Sec. 15, NPC Rules)
If the investigating officer deems it necessary, he or she may then require the complainant to file a Reply within 10 days, and the respondent, a Rejoinder, also within 10 days. (Sec. 15, NPC Rules)
The investigating officer will then proceed to investigate the circumstances surrounding the alleged privacy violation (Sec. 16, NPC Rules) and, thereafter, submit a fact-finding report, with corresponding recommendations, to the Office of the Commissioner (Sec. 18, NPC Rules).
The NPC will review the evidence presented, together with the fact-finding report. It may either:
1. promulgate a Decision; or
2. order the conduct of a clarificatory hearing.
The Decision may include enforcement orders. (Sec. 21 & 22, NPC Rules)
Is the Decision of the NPC appealable?
Yes. The party adversely affected may file an appeal within 15 days from receipt of a copy of the Decision. Otherwise, the same will become final and executory. (Sec. 30, NPC Rules)

Data Privacy in the Time of Leaks and Hackers

#Comeleak became a trending topic early in 2016 when hackers exposed the data of over 55 million registered voters. The wealth of information leaked included crucial data that could enable identity theft – including full names, birthdays, addresses, height, weight, and passport details, among others.
Roughly a year after, the National Privacy Commission (NPC) released a press statement singling out Chairman Andres Bautista of the Commission on Elections (COMELEC) as the lone officio personally liable for the leak. The NPC posits that Bautista is liable under the Data Privacy Act of 2012 for failing to put data privacy policies in place. Specifically, NPC recommends the filing of criminal charges against Bautista based on Section 26, which provides for a penalty of imprisonment for one to three years and a fine ranging from Php500,000 to Php2,000,000.00 for accessing of personal information due to negligence, and a penalty of imprisonment for three to six years and a fine ranging from Php500,000 to Php4,000,000.00 for accessing sensitive personal information due to negligence.
COMELEC, for its part, issued a statement maintaining that data breach is not a new phenomenon, and that it has been following generally accepted standards and international best practices regarding technology-related activities. In his personal Facebook page, Bautista shared a December 2016 news article pertaining to Yahoo! data security issues, wherein the international tech-giant admitted that over one billion user accounts have been hacked. Indeed, “Comeleak” is just one of the many “leaks” surfacing in the political arena – with a number of otherwise privileged information/communication being exposed via “WikiLeaks”, among others.
At present, there is yet no landmark Supreme Court decision tackling the Data Privacy Act. To what extent can individuals be protected? What measures are expected to be taken? If even tech giants are vulnerable to hackers, is anyone really safe? Where do we draw the line in establishing liability? It would be interesting to monitor the jurisprudential development of data privacy laws as this case progresses.


After years of languishing in Congress without any progress, President Rodrigo Duterte breathes life to Freedom of Information (FOI) by issuing Executive Order No. 2, which mandates disclosure of information of all offices under the executive branch. 


Contact Us

Betita Cabilao Casuela Sarmiento
Suite 1104, Page One Building
1215 Acacia Avenue
Madrigal Business Park, Ayala Alabang
Muntinlupa City 1780
Metro Manila, Philippines

Tel No. +63 2 555 1750