
The Data Privacy Act of 2012 (DPA) imposes specific registration and internal review requirements on entities that process personal data. Failure to comply with those requirements may result in imprisonment, a fine, or both. The significant responsibilities of personal data processors are discussed below.

Registration of Data Processing Systems

A Personal Information Controller (PIC) is a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. A Personal Information Processor (PIP) is any natural or juridical person qualified to act as such under the DPA to whom a PIC may outsource the processing of personal data pertaining to a data subject. A PIC or PIP shall register with the National Privacy Commission (NPC) if it is processing personal data and operating in the country under any of the following conditions:

  1. the PIC or PIP employs at least two hundred fifty (250) employees;
  2. the processing includes sensitive personal information of at least one thousand (1,000) individuals;
  3. the processing is likely to pose a risk to the rights and freedoms of data subjects. Processing operations that pose a risk to data subjects include those that involve:
    1. Information that would likely affect national security, public safety, public order, or public health; 
    2. Information required by applicable laws or rules to be confidential; 
    3. Vulnerable data subjects like minors, the mentally ill, asylum seekers, the elderly, patients, those involving criminal offenses, or in any other case where an imbalance exists in the relationship between a data subject and a PIC or PIP; 
    4. Automated decision-making; or
    5. Profiling;
  4. the processing is not occasional and constitutes a core activity of a PIC or PIP, or is integral thereto.

Data processing systems that involve automated decision-making shall, in all instances, be registered with the NPC.

Appointment of Data Protection Officer

The regulations provide that any natural or juridical person or other body involved in the processing of personal data shall designate an individual or individuals who shall function as data protection officer (DPO), compliance officer, or shall otherwise be accountable for ensuring compliance with applicable laws and regulations for the protection of data privacy and security.

Notification of Automated Processing Operations

A PIC carrying out any wholly or partly automated processing operations or set of such operations intended to serve a single purpose or several related purposes shall notify the NPC when the automated processing becomes the sole basis for making decisions about a data subject, and when the decision would significantly affect the data subject.

Privacy Management Program and Privacy Manual

Entities involved in the processing of personal information should have a Privacy Management Program, which refers to a process intended to embed privacy and data protection in the strategic framework and daily operations of a personal information controller or personal information processor, maintained through organizational commitment and oversight of coordinated projects and activities.

The Privacy Management Program should then be codified into a Privacy Manual. A sample form of the privacy manual following the template provided by the NPC can be downloaded at this link.

Privacy Impact Assessment

A Privacy Impact Assessment is a process undertaken and used to evaluate and manage impacts on privacy of a particular program, project, process, measure, system or technology product of a PIC or PIP. It takes into account the nature of the personal data to be protected, the personal data flow, the risks to privacy and security posed by the processing, current data privacy best practices, the cost of security implementation, and, where applicable, the size of the organization, its resources, and the complexity of its operations.

Copyright 2018. All rights reserved.
