How to Register with the National Privacy Commission: A Step by Step Guide

By Edwin Concepcion, Philippine Country Manager, Straits Interactive

In the Philippines, the National Privacy Commission (NPC) mandates the registration of the Organization, its Data Protection Officers (DPO) and Data Processing Systems (DPS). This step-by-step guide aims to provide a simple step by step registration process, supplying all the necessary information and visual aids to ensure a smooth experience. 

What needs to be registered?

The Organisation, Data Protection Officer and Data Processing Systems need to be registered.

A data processing system refers to the structure and procedure by which personal data is collected and processed in an information and communications system.

Step-by-step Guide to Register

Step 1: Account Creation

Access the National Privacy Commission Registration System [NPCRS] at https://npcregistration.privacy.gov.ph

If your organisation already has an account, you can log in. Otherwise, click sign up.

Upon clicking “sign up”, input the name and contact details of your organization’s Data Protection Officer (DPO) together with a unique and dedicated email address, specific to the position of DPO. 

Remember to input your official DPO email address, not personally identified with the person appointed DPO but with the position of DPO (i.e. use dpo@straitsinteractive.com, NOT juandelacruz@straitsinteractive.com)

Some reminders:

1. The DPO email address should be unique per organisation.

2. The email address and Philippine cellphone number you provide will be treated as your official contact channels.

Step 2: Encode Your Information

Upon logging in, you will see the following welcome screen.

Encode the following details about your organisation:

1.Organisation name

2. Website URL (Optional)

3. Company address

4. Region, Province, City / Municipality, Zip Code

5. Area of Coverage

6. Contact No. and Email 

7. Sector

8. Name, contact, and email address of the Head of the Organisation 

9. Name, contact, and email address of the Data Protection Officer 

Step 3a: Encode Your Data Processing System(s)

Make sure to include ALL data processing systems at the time of initial registration.

Encode the following details about each data processing system in your organization:

1. Type of DPS

2. Name of DPS

3. Basis of processing personal information

4. Basis of processing sensitive personal information (if applicable)

5. Description of the category / categories of data subjects

6. Description of data or categories of data relating to data subjects

7. Recipients or categories of recipients to whom the data might be disclosed

8. Details of the Personal Information Processor, in the case where processing is subcontracted

9. Description of when the personal data is collected

10. Retention period of the personal data involved in the DPS

11. Disposal / Destruction procedure for personal data

12. Organisational, physical, and technical security measures implemented to safeguard personal data (whichever applies)

13. Indicate whether any automated decision making operation or profiling is being done by the DPS (includes artificial intelligence or AI applications)

Step 3b: Encode the Details of Your Compliance Officer(s) for Privacy

If you are the sole DPO and do not have any Compliance Officers for Privacy (COPs), you may skip this step.

Step 4: Upload the Prescribed Supporting Documents

You are required to upload the following documents. Each file must not exceed 2MB.

1. Duly notarised Secretary’s Certificate authorizing the appointment or designation of the DPO

2. SEC Certificate of Registration

3. Certified True Copy of your organization’s current General Information Sheet

4. Valid business permit

Should there be a change in the Data Protection Officer, you must upload a duly notarized Secretary’s Certificate authorising the appointment or designation of the DPO.

Step 5: Notarise Documents 

Export the DPO Form (PDF format) automatically created during DPS registration. 

Print and Sign the downloaded form (both DPO and Head of the Organization or Agency) and have the completely filled-out form notarised.

Scan, upload and submit the notarised DPO Form.

Your submissions will then undergo review and validation by the NPC. In case of any deficiency, the NPC will inform your organization and will give you five (5) days to submit the necessary requirements.

Step 6: Click “Save Registration”

Step 7: Payment of Registration Fees and Download Certificate and Seal

Once your registration application has been submitted and validated, your registration status will change to “For Payment”. You may then click the “Pay Now” button to proceed with the payment process. See the table below for the fees to be collected.

Make sure to complete the payment within the specified period.

Step 8: Download Certificate of Registration and NPC Seal of Registration

Once payment has been processed, you will be able to download your Certificate of Registration and the NPC Seal of Registration.

Congratulations, you have now successfully registered with the National Privacy Commission of the Philippines!

Updating your Information

Upon completing your registration, remember that you will need to update your information with the NPC, should there be any changes. Should you decide to employ another data processing system after registration, you will also have to update and “add” your new data processing system to NPC’s registration portal. 

Privacy is not a One-time Project

Registration is just the first step to complying with the Data Privacy Act of the Philippines. Complying with the DPA involves implementing and sustaining a Privacy Management Program, which tackles all aspects of the data lifecycle – the collection, use, disclosure, and storage of personal data. 

If you need help getting started on your Privacy Management Program, or if you are having trouble maintaining your PMP, platforms like DPOinBOX.ai can help you automate many of the key tasks and reports.

We also offer specialized consulting services where we can do an initial assessment or gap analysis of your Privacy Management Program.

Get in touch with us at philippines.sales@straitsinteractive.com.