Registration and compliance requirements, Data Privacy Law

1. Enforcement of the Data Privacy Act

Pursuant to the mandate of the Commission to administer and implement the Act, and to ensure the compliance of personal information controllers with its obligations under the law, the Commission requires the following:

a. Registration of personal data processing systems operating in the country that involves accessing or requiring sensitive personal information of at least one thousand (1,000) individuals, including the personal data processing system of contractors, and their personnel, entering into contracts with government agencies;

b. Notification of automated processing operations where the processing becomes the sole basis of making decisions that would significantly affect the data subject;

c. Annual report of the summary of documented security incidents and personal data breaches;

d. Compliance with other requirements that may be provided in other issuances of the Commission. (Section 46, Rule XI, IRR of the Data Privacy Act)

2. Registration of Personal Data Processing Systems

The personal information controller or personal information processor that employs fewer than two hundred fifty (250) persons shall not be required to register unless the processing it carries out is likely to pose a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes sensitive personal information of at least one thousand (1,000) individuals. (Section 47, Rule XI, Ibid.)

a. contents of registration

The contents of registration shall include:

1) The name and address of the personal information controller or personal information processor, and of its representative, if any, including their contact details;

2) The purpose or purposes of the processing, and whether processing is being done under an outsourcing or subcontracting agreement;

3) A description of the category or categories of data subjects, and of the data or categories of data relating to them;

4) The recipients or categories of recipients to whom the data might be disclosed;

5) Proposed transfers of personal data outside the Philippines;

6) A general description of privacy and security measures for data protection;

7) Brief description of the data processing system;

8) Copy of all policies relating to data governance, data privacy, and information security;

9) Attestation to all certifications attained that are related to information and communications processing; and

10) Name and contact details of the compliance or data protection officer, which shall immediately be updated in case of changes. (Section 47[a], Rule XI, Ibid.)

The procedure for registration shall be in accordance with these Rules and other issuances of the Commission. (Section 47[b], Rule XI, Ibid.)

3. Notification of Automated Processing Operations

The personal information controller carrying out any wholly or partly automated processing operations or set of such operations intended to serve a single purpose or several related purposes shall notify the Commission when the automated processing becomes the sole basis for making decisions about a data subject, and when the decision would significantly affect the data subject. (Section 48, Rule XI, Ibid.)

a. Contents of notice

The notification shall include the following information:

1) Purpose of processing;

2) Categories of personal data to undergo processing;

3) Category or categories of data subject;

4) Consent forms or manner of obtaining consent;

5) The recipients or categories of recipients to whom the data are to be disclosed;

6) The length of time the data are to be stored;

7) Methods and logic utilized for automated processing;

8) Decisions relating to the data subject that would be made on the basis of processed data or that would significantly affect the rights and freedoms of data subject; and

9) Names and contact details of the compliance or data protection officer. (Section 48[a], Rule XI, Ibid.)

No decision with legal effects concerning a data subject shall be made solely on the basis of automated processing without the consent of the data subject. (Section 48[b], Rule XI, Ibid.)

4. Review by the NPC

The following are subject to the review of the Commission, upon its own initiative or upon the filing of a complaint by a data subject:

1) Compliance by a personal information controller or personal information processor with the Act, these Rules, and other issuances of the Commission;

2) Compliance by a personal information controller or personal information processor with the requirement of establishing adequate safeguards for data privacy and security;

3) Any data sharing agreement, outsourcing contract, and similar contracts involving the processing of personal data, and its implementation;

4) Any off-site or online access to sensitive personal data in government allowed by a head of agency;

5) Processing of personal data for research purposes, public functions, or commercial activities;

6) Any reported violation of the rights and freedoms of data subjects;

7) Other matters necessary to ensure the effective implementation and administration of the Act, these Rules, and other issuances of the Commission. (Section 49, Rule XI, Ibid.)

References

Republic Act No. 10173, Data Privacy Act of 2012

2016 IRR of the Data Privacy Act

Similar Posts