Continuing compliance requirements for the Data Privacy Act of 2012
Entities and individuals covered by Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 (“DPA”) were required to register with the National Privacy Commission (“NPC”) in two (2) phases: (1) the appointment of a Data Protection Officer by last 09 September 2017; and (2) the registration of Data Processing Systems by last 08 March 2018.
Under NPC Circular No. 17-01, the NPC shall issue a certificate of registration to a personal information controller or processor who has successfully completed the registration. This certificate will be valid until the 8th day of March of the next following year. To renew its registration, a personal information controller or processor may file an application for the renewal of its certificate of registration within two (2) months prior to, but not later than the 8th day of March every year.
According to the same circular, registrations where no applications for renewal have been filed are deemed revoked. However, a personal information controller or processor may be allowed to file an application for renewal beyond the prescribed period upon approval of the NPC and only for good cause shown. In this regard, it shall notify the NPC of its intention to renew its registration and the reason for its delay.
Another yearly requirement to be complied with by personal information controllers or processors, regardless of whether they are mandated to register their Data Protection Officer and Data Processing Systems, is the submission of the Annual Security Incident Report. Under Rule IX, Section 41 of the DPA Implementing Rules and Regulations (“DPA-IRR”), security incidents and personal data breaches must be documented through written reports, a general summary of which shall be submitted to the NPC annually. The NPC had set the deadline for each annual security incident report to at the end of the first quarter of every year. Thus, for all security incidents between the period from January to December 2017, the deadline for the submission of the report was originally on 31 March 2018. However, this deadline was extended to 30 June 2018 to allow more entities and individuals to comply with the requirement. In view of this, the NPC issued Advisory No. 18-02 which provided specific and updated templates for the submission of the annual security incident report and personal data breach notifications.
As regards personal data breach notifications, Chapter III, Section 20 of the DPA and Rule IX, Section 38 of the DPA-IRR provide that a personal information controller shall, within seventy-two (72) hours upon knowledge, or reasonable
This article is for general informational and educational purposes only and not offered as and does not constitute legal advice or legal opinion.