Registration and compliance requirements

1. Enforcement of the Data Privacy Act

Pursuant to the mandate of the Commission to administer and implement the Act, and to ensure the compliance of personal information controllers with its obligations under the law, the Commission requires the following:

a. Registration of personal data processing systems operating in the country that involves accessing or requiring sensitive personal information of at least one thousand (1,000) individuals, including the personal data processing system of contractors, and their personnel, entering into contracts with government agencies;

b. Notification of automated processing operations where the processing becomes the sole basis of making decisions that would significantly affect the data subject;

c. Annual report of the summary of documented security incidents and personal data breaches;

d. Compliance with other requirements that may be provided in other issuances of the Commission. (Section 46, Rule XI, IRR of the Data Privacy Act)

2. Registration of Personal Data Processing Systems

The personal information controller or personal information processor that employs fewer than two hundred fifty (250) persons shall not be required to register unless the processing it carries out is likely to pose a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes sensitive personal information of at least one thousand (1,000) individuals. (Section 47, Rule XI, Ibid.)

