Section 46. Enforcement of the Data Privacy Act. Pursuant to the mandate of the Commission to administer and implement the Act, and to ensure the compliance of personal information controllers with its obligations under the law, the Commission requires the following:
a. Registration of personal data processing systems operating in the country that involves accessing or requiring sensitive personal information of at least one thousand (1,000) individuals, including the personal data processing system of contractors, and their personnel, entering into contracts with government agencies;
b. Notification of automated processing operations where the processing becomes the sole basis of making decisions that would significantly affect the data subject;
c. Annual report of the summary of documented security incidents and personal data breaches;
e. Compliance with other requirements that may be provided in other issuances of the Commission.
Section 47. Registration of Personal Data Processing Systems. The personal information controller or personal information processor that employs fewer than two hundred fifty (250) persons shall not be required to register unless the processing it carries out is likely to pose a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes sensitive personal information of at least one thousand (1,000) individuals.
a. The contents of registration shall include:
b. The procedure for registration shall be in accordance with these Rules and other issuances of the Commission.
Section 48. Notification of Automated Processing Operations. The personal information controller carrying out any wholly or partly automated processing operations or set of such operations intended to serve a single purpose or several related purposes shall notify the Commission when the automated processing becomes the sole basis for making decisions about a data subject, and when the decision would significantly affect the data subject.
a. The notification shall include the following information:
b. No decision with legal effects concerning a data subject shall be made solely on the basis of automated processing without the consent of the data subject.
Section 49. Review by the Commission. The following are subject to the review of the Commission, upon its own initiative or upon the filing of a complaint by a data subject:
a. Compliance by a personal information controller or personal information processor with the Act, these Rules, and other issuances of the Commission;
b. Compliance by a personal information controller or personal information processor with the requirement of establishing adequate safeguards for data privacy and security;
c. Any data sharing agreement, outsourcing contract, and similar contracts involving the processing of personal data, and its implementation;
d. Any off-site or online access to sensitive personal data in government allowed by a head of agency;
e. Processing of personal data for research purposes, public functions, or commercial activities;
f. Any reported violation of the rights and freedoms of data subjects;
g. Other matters necessary to ensure the effective implementation and administration of the Act, these Rules, and other issuances of the Commission.
Pamaos & Labao Law Firm (P&L Law) is a full-service professional legal firm, located in Metro Manila, Philippines | Telephone: (+632) 7799-0589 | Email: info@pnl-law.com | Website: http://pnl-law.com