English
Cebuano
Chinese (Simplified)
Chinese (Traditional)
Filipino
Hawaiian
Japanese
Spanish
Published on November 16, 2025
Through Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA). the National Privacy Commission (NPC) was established to be the office primarily responsible for the implementation and administration of the provisions of the DPA.
On 05 December 2022, the NPC issued NPC Circular No. 2022-04, which provides for the registration of personal data processing systems and the designation of data protection officers, among others.
PICs and PIPs
A personal information controller (“PIC”) or personal information processor (“PIP”) that meets any of the following criteria is mandated to register all their respective data processing systems:
- One who employs two hundred fifty (250) or more persons;
- One who processes sensitive personal information of one thousand (1,000) or more individuals; or
- One who processes data that will likely pose a risk to the rights and freedoms of data subjects.
These PICs or PIPs can either be natural or juridical persons who control the processing of personal data, or instruct another to process personal data on their behalf, or one who is instructed with the processing of personal data.
Processing under the DPA
Under the DPA and its implementing rules, “processing” is defined as any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
Sensitive personal information
Sensitive personal information refers to personal information:
- About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
- About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
- Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
- Specifically established by an executive order or an act of Congress to be kept classified.
Designation of Data Protection Officer
Consequently, PIPs or PICs are mandated to designate a data protection officer (DPO) who will be responsible for the registration of the data processing system. The DPO will be responsible in ensuring compliance with the DPA, its IRR, and other issuances of the NPC. A DPO is usually an organic employee of the government agency or private entity, as the case may be.
References:
- NPC Circular No. 2022-04, dated 05 December 2022
- Implementing Rules and Regulations of Republic Act No. 10173, known as the “Data Privacy Act of 2012”, Promulgated on August 24, 2016
- Republic Act No. 10173, or the Data Privacy Act of 2012
Disclaimer:
The contents of this website are for general information and educational purposes only and do not constitute legal advice. No attorney-client relationship is formed by using this site. We strive for accuracy, but we cannot guarantee that the information is always up-to-date or error-free.
Use of this site and its contents is at your own risk. This website and its authors disclaim any liability for any loss or damage, whether direct, indirect, incidental, consequential, or otherwise, arising from the use or misuse of the information provided on this website.
For specific legal advice, please consult our law firm: CONTACT US
Personal information controllers or personal information processors are mandated to designate a data protection officer (DPO) who will be responsible for the registration of the data processing system.
Ricardo S. Servida, Jr.
ASSOCIATE LAWYER - ACCOUNTANT
