Every organization that processes personal data in the Philippines has compliance obligations under the Data Privacy Act of 2012 (Republic Act No. 10173). These obligations exist regardless of company size, industry, or how much personal data the organization handles. Registration with the National Privacy Commission (NPC) is one of those obligations, but it is not the same requirement for everyone. This guide explains exactly what applies to your organization, walks through the registration process step by step, and covers every ongoing compliance obligation you need to track after registration.
The Data Privacy Act of 2012, signed into law on August 15, 2012, is the primary legislation governing the collection, handling, use, and protection of personal data in the Philippines. It applies to any natural or juridical person in the government or private sector that processes personal information. If your organization collects names, contact details, health records, financial data, or any other information that identifies or could identify a person, the DPA applies to you.
The National Privacy Commission is the independent body created under the DPA to administer and implement the law. The NPC issues circulars, advisories, and orders that give the DPA its operational detail. For registration purposes, the governing instrument is NPC Circular No. 2022-04, issued on December 5, 2022 and effective January 11, 2023, which supersedes the earlier NPC Circular No. 17-01 in its entirety. All registration under the current framework is done through the NPC's online platform, the NPC Registration System (NPCRS).
- https://privacy.gov.ph - main portal for NPC announcements, circulars, and resources
- https://npcregistration.privacy.gov.ph - the only platform for registration of DPOs and Data Processing Systems
- https://privacy.gov.ph/wp-content/uploads/2023/05/Circular-2022-04-1.pdf - the governing circular for DPO and Data Processing System registration
NPC Circular No. 2022-04 establishes three tracks depending on the nature of your organization's data processing activities. Your track determines whether you register through the NPCRS, register voluntarily, or file a notarized sworn declaration. The first step in any compliance process is identifying which track applies to you.
Track 3 does not exempt an organization from the Data Privacy Act. The DPA applies to all organizations processing personal data. Track 3 only means you are not required to register through the NPCRS. You are still required to designate a DPO, implement security measures, uphold data subject rights, and submit the Annual Security Incident Report. The sworn declaration is not a substitute for compliance; it is a declaration that you are below the registration threshold.
For most new consulting firms, NGOs, and small corporations in the Philippines (including organizations below 250 employees and processing fewer than 1,000 individuals' sensitive personal information), Track 3 applies at the start. However, voluntary registration under Track 2 is strongly recommended for any organization that handles client health data, processes project beneficiary information, or works with government agencies and international development funders. Demonstrating NPC compliance is increasingly expected by donors and government counterparts as part of due diligence.
Before proceeding with registration, these definitions from the DPA and NPC Circular No. 2022-04 are essential:
| Term | Definition |
|---|---|
| Personal Information Controller (PIC) | An entity that controls the collection, use, and processing of personal data. Decides what data is collected and why. Most organizations that collect client, employee, or beneficiary data are PICs. |
| Personal Information Processor (PIP) | An entity that processes personal data on behalf of a PIC, following the PIC's instructions. Examples: payroll service providers, cloud storage vendors, third-party M&E firms processing beneficiary data for a PIC. |
| Sensitive Personal Information | Data about race or ethnic origin, political opinions, religious beliefs, health, education, genetic or sexual data, social security or government ID numbers, and financial records. Requires a higher standard of protection. |
| Data Processing System (DPS) | The structure and procedure by which personal data is collected, organized, stored, used, or otherwise processed. Includes both manual and automated systems. Every separate system must be registered. |
| Data Protection Officer (DPO) | The individual designated by an organization to ensure compliance with the DPA. Must be an organic employee (not an external consultant) except where the NPC allows otherwise. Only one DPO may be registered per entity. |
| NPCRS | NPC Registration System, the official online platform at npcregistration.privacy.gov.ph where all DPO and DPS registrations are filed. |
| DBNMS | Data Breach Notification Management System, the NPC's platform for submitting personal data breach notifications and Annual Security Incident Reports. |
If your organization falls under mandatory registration (Track 1) or chooses voluntary registration (Track 2), the process is conducted entirely through the NPCRS. Physical submissions are no longer accepted. All registrations done manually before the NPCRS was operational must be migrated to the NPCRS; prior manual registration is not considered sufficient.
Organizations that do not meet the mandatory threshold and do not elect voluntary registration must file a notarized Sworn Declaration and Undertaking for Exemption from Registration of Data Processing Systems. This is Annex 1 of NPC Circular No. 2022-04.
Direct download: https://privacy.gov.ph/wp-content/uploads/2023/05/Circular-2022-04-Annex-1-1.pdf
Beginning October 1, 2024, all PICs and PIPs are required to pay corresponding fees to register their DPS or renew their registration through the NPCRS. Registration was previously free. The NPC has not published a fixed public fee schedule in a single document; current fees are reflected within the NPCRS platform at the time of filing. Check the NPCRS and the NPC website at privacy.gov.ph for the current fee schedule before beginning your registration.
Filing the Sworn Declaration under Track 3 does not require payment of registration fees. Fees apply only to registration and renewal of DPS through the NPCRS under Tracks 1 and 2.
Registration is not the end of the compliance process. The DPA imposes a set of continuing obligations that all PICs and PIPs must fulfill regardless of their registration track.
For organizations registered under Track 1 or Track 2, the Certificate of Registration is valid for one year from its date of issuance. Renewal must be completed within the 30-day period before expiration. The NPCRS sends renewal notifications 30 days before expiration. Organizations that allow their registration to lapse face erasure of prior registration details from the system and must re-register from the beginning. Monitor the NPCRS dashboard regularly and do not wait for the notification email before initiating renewal.
All PICs and PIPs subject to the DPA, regardless of registration track, must submit an Annual Security Incident Report every year. The deadline is March 31 of each year, covering the prior calendar year. The 2025 ASIR deadline is March 31, 2026, as confirmed on the NPC's official website. The ASIR must be filed exclusively through the NPC's Data Breach Notification Management System (DBNMS).
The ASIR covers the total number of security incidents categorized by type (including theft, identity fraud, hardware or software failure, hacking, natural disaster, and user error) and the number of personal data breaches classified by notification type. Organizations with zero security incidents must still file, entering "0" in the relevant fields. Once submitted, the ASIR cannot be edited. Use the Save as Draft option if you are unsure of information before final submission.
Access through the NPC website at https://privacy.gov.ph and navigate to the DBNMS section for ASIR submission and personal data breach notifications.
If a personal data breach occurs that is likely to give rise to a real risk of serious harm to any affected data subject, the PIC must notify the NPC and affected data subjects within 72 hours of the organization becoming aware of the breach. Notification is made through the DBNMS. The NPC's DBNMS includes an assessment aid to help organizations determine whether a breach triggers the mandatory notification obligation. A breach that does not pose a risk of serious harm is still reportable; it is captured in the ASIR as a voluntary notification.
Minor amendments to existing registration, including updates to an existing DPS or a change in DPO, must be updated in the NPCRS within 10 days from the effective date of the change. Only one DPO may be registered per entity at any time. If the DPO changes, the incoming DPO must complete the update process in the NPCRS using their own credentials.
NPC Circular No. 2023-06, issued on April 1, 2024 and effective March 30, 2024, sets the updated minimum requirements for the security of personal data in both the government and private sector. It enumerates the general obligations of a PIC or PIP, which include the designation and registration of a DPO, registration of DPS, conduct of a Privacy Impact Assessment, implementation of a Privacy Management Program, periodic training of personnel on privacy and data protection, and compliance with NPC orders. The transitory period for compliance expired on March 30, 2025, meaning all organizations must now be fully compliant with its provisions.
Available through the NPC website at https://privacy.gov.ph under Issuances and Circulars.
The NPC synthesizes DPA compliance into five pillars. Understanding these pillars is essential because they represent what the NPC looks for during compliance audits and what funders and government partners increasingly expect from implementing organizations.
The organization's top leadership formally commits to data privacy compliance. This is demonstrated through a board resolution or management order designating the DPO, approving the Privacy Manual, and authorizing the implementation of the organization's Privacy Management Program.
The organization conducts a thorough inventory of all personal data it processes: what data is collected, from whom, for what purpose, how it is stored, who has access, how long it is retained, and how it is disposed of. This inventory is the basis for the DPS registration and for the Privacy Impact Assessment.
The organization develops and implements a Privacy Management Program: a documented, organization-wide framework covering privacy policies, procedures for upholding data subject rights, security measures, breach response procedures, staff training, and a schedule for regular review and updating. The Privacy Manual is the primary document embodying this program.
The program is not a one-time document. It must be reviewed and updated regularly to reflect changes in the organization's data processing activities, staff changes, technology changes, and new NPC issuances. Annual staff training on data privacy, regular internal privacy audits, and updating DPS registrations when systems change are all part of this pillar.
The organization can show evidence of compliance: registration records, the Certificate of Registration, training records, PIA reports, the Privacy Manual, and ASIR submissions. This documented evidence is what the NPC examines during audits and what government and donor partners request during due diligence reviews.
For health consulting firms, NGOs, and implementing organizations operating in the Philippines, NPC compliance is not only a legal obligation; it is increasingly a prerequisite for engaging with government agencies and international development partners.
DOH-funded programs, UNICEF implementing partner agreements, and UNFPA-funded projects all involve the processing of personal data: beneficiary health records, community survey data, patient tracking data, and program participant information. The HACT micro-assessment that UN agencies conduct before transferring cash to implementing partners evaluates data management systems as part of its scope. An organization that cannot demonstrate basic data privacy compliance is at a disadvantage during this assessment.
Under the Universal Health Care Act, primary care facilities and health programs generate and process patient data that qualifies as sensitive personal information. Organizations providing technical assistance to DOH programs that involve beneficiary data are functioning as PIPs at minimum, and often as PICs in their own right when they design and operate the data collection systems.
KOICA, JICA, and World Bank-funded programs in the Philippines also increasingly include data governance provisions in their implementing partner agreements. Having a registered DPO, a functional Privacy Management Program, and a current Certificate of Registration from the NPC demonstrates institutional maturity that strengthens an organization's credibility in competitive procurement processes.
| Resource | URL / Reference |
|---|---|
| NPC Official Website | https://privacy.gov.ph |
| NPC Registration System (NPCRS) | https://npcregistration.privacy.gov.ph |
| NPC Circular No. 2022-04 (Full Text) | https://privacy.gov.ph/wp-content/uploads/2023/05/Circular-2022-04-1.pdf |
| NPC FAQs for PICs and PIPs | https://privacy.gov.ph/pips-and-pics/faqs/ |
| Data Breach Notification Management System (DBNMS) | Accessible via https://privacy.gov.ph, DBNMS section |
| Republic Act No. 10173 (Data Privacy Act of 2012) | https://privacy.gov.ph/data-privacy-act/ |
| NPC Circular No. 2023-06 (Security of Personal Data) | Available under Issuances at https://privacy.gov.ph |
| NPC Contact | info@privacy.gov.ph · 25th-27th Floors, The Upper Class Tower, Quezon Avenue corner Scout Reyes St., Quezon City |
Need Help with NPC Compliance?
SPHERES, Inc. provides technical assistance in data privacy compliance for health organizations, including DPO designation support, Privacy Manual development, DPS inventory, and NPC registration guidance.