How to Register a Data Processing System or Data Protection Officer (DPO) in the National Privacy Commission Registration System (NPCRS) | A Step-by-Step Guide

In today’s digital age, protecting personal data is more crucial than ever. If you’re running a business, handling personal data like customer information or employee records, or working in a government institution in the Philippines, you need to comply with the Data Privacy Act of 2012. One key requirement under this law is registering your Data Processing System (DPS) and appointing a Data Protection Officer (DPO) through the National Privacy Commission Registration System (NPCRS).

This guide will help you understand what NPCRS is, why registration is necessary, and how to go through the process step-by-step. Whether you’re a business owner, an HR professional, or someone just starting your compliance journey, this guide simplifies the technical jargon to ensure a smooth registration process.

What Is the NPCRS and Why Do You Need to Register?

The National Privacy Commission Registration System (NPCRS) is an online platform managed by the National Privacy Commission (NPC) that serves as the official database for registering data controllers and processors. Data controllers are entities that collect personal information, while data processors manage and process that data on behalf of the controller.

Under the Data Privacy Act of 2012 (Republic Act No. 10173), all organizations or government agencies that collect or process personal data must register their Data Processing Systems and appoint a Data Protection Officer (DPO). This applies to organizations with at least 250 employees or those processing personal data of more than 1,000 individuals. Failure to register can result in penalties, including fines and imprisonment in serious cases of non-compliance.

What is a Data Protection Officer (DPO)?

A Data Protection Officer (DPO) is an individual within an organization responsible for overseeing data privacy compliance. The DPO ensures that the organization complies with the Data Privacy Act and related regulations, educates employees about their responsibilities, and serves as the point of contact for data subjects (e.g., customers or employees) and the National Privacy Commission. Every organization that processes personal data must appoint a DPO.

Now that you understand the basics, let’s walk through the step-by-step registration process.

Step-by-Step Guide to Register Your Data Processing System or DPO in NPCRS

1. Prepare the Necessary Information and Documents

Before you begin the registration process, make sure you have the following:

  • Company/Organization Name and Contact Information – Your business’s registered name, contact number, email address, and office address.
  • DPO Information – Name, email address, and contact number of the designated Data Protection Officer.
  • Types of Personal Data Collected – Whether you collect personal, sensitive, or privileged information.
  • Data Processing Activities – A description of how your organization collects, processes, stores, and disposes of personal data.
  • Data Processing Systems (DPS) – The software, systems, or processes you use for collecting and processing personal data.
Also, please prepare the following if you are a DPO of a company or corporation:
-Secretary Certificate (which must be notarized, please scroll down below to see a sample Secretary Certificate)
-Privacy Impact Assessment
-Privacy Notice or Privacy Policy or Privacy Statement of the Company
Note: I tried to capture the process and give a step-by-step guide in the video below.
 

Having these details on hand will ensure a faster and smoother registration process. 

2. Access the National Privacy Commission Registration System (NPCRS)

Go to the official National Privacy Commission website at www.privacy.gov.phh and navigate to the National Privacy Commission Registration System (NPCRS) portal. You can find this under the “E-Services” section.

Alternatively, you can access the NPCRS directly by visiting: https://npcrs.privacy.gov.ph

3. Create an Account

If you’re a first-time user, you’ll need to create an account in the NPCRS. Follow these steps:

  • Click the Register button on the NPCRS homepage.
  • Fill out the required fields, including your organization’s name, the Data Protection Officer’s details, and a valid email address.
  • Set a password for your NPCRS account. Ensure that the password is secure and follows NPC’s guidelines (at least 8 characters with a mix of letters, numbers, and symbols).

Once you’ve filled in the details, click Submit. You will receive a confirmation email from NPC. Follow the instructions in the email to activate your account.

4. Log In to NPCRS

After activating your account, go back to the NPCRS portal and log in using your registered email and password.

5. Complete the Organization’s Profile

Once logged in, you’ll need to complete your organization’s profile. This includes:

  • Organization Name and Contact Details
  • Nature of the Business (e.g., retail, healthcare, education)
  • Number of Employees – This helps NPC determine if your organization meets the registration threshold.
  • Description of Data Processing Activities – Briefly describe how your company handles personal data, including the types of data collected and processed.
  • Data Protection Officer’s Information – Input the details of your appointed DPO, including their email address, contact number, and role within the company.

6. Register the Data Processing System (DPS)

  • Types of Data Collected – Whether you collect personal information (name, address, etc.), sensitive information (health data, biometrics), or privileged information.
  • Purpose of Data Processing – Clearly state why your organization collects and processes personal data (e.g., for marketing, customer service, employment records, etc.).
  • Third-Party Processors – If you use third-party services (e.g., cloud storage or payroll processors), you’ll need to list these service providers and their roles in processing personal data.

Once you have completed all the required fields, click Save and Proceed.

When you have done this, you will then be able to download the DPO form. Download the DPO Form, print it (at least 2 copies) and then sign it. The head of your organization must also be able to sign it. After which, notarize the form. Do not forget to bring a copy of your ID and the copy of your head’s ID when you notarize the signed document.

7. Submit the Registration Form

After completing the registration form, you’ll have the option to review all the information before final submission. Double-check everything to ensure accuracy.

Once reviewed, click Submit. You will receive a notification from NPC confirming that your registration has been received.

8. Wait for Confirmation from NPC

After submitting your registration, the National Privacy Commission will review your application. The review process typically takes 15-30 days. During this period, the NPC may contact you for additional information or clarification.

Once your registration is approved, you’ll receive an official notification from the NPC. Congratulations! You’re now compliant with the Data Privacy Act of 2012.

Best Practices for Data Privacy Compliance

Registering your Data Processing System and DPO is just the first step. To ensure ongoing compliance, it’s important to adopt best practices for data privacy, including:

  • Conduct a Privacy Impact Assessment (PIA) – Regularly assess how your data processing activities affect privacy.
  • Develop a Data Privacy Policy – Create a transparent data privacy policy and communicate it to employees and clients.
  • Implement Security Measures – Use encryption, access controls, and regular security audits to protect personal data.
  • Provide Data Privacy Training – Educate your employees about the importance of data privacy and their role in protecting personal data.
  • Respond to Data Subject Requests – Make it easy for customers and employees to exercise their rights under the Data Privacy Act, such as the right to access or delete their personal data.
 
Sample Secretary Certificate:
Secretary Certificate for DPO Appointment NPC Registration
Secretary Certificate for DPO Appointment NPC Registration
 

Conclusion

Registering with the National Privacy Commission Registration System (NPCRS) is a critical step for organizations that handle personal data in the Philippines. By following this guide, you can ensure that your business or organization remains compliant with the Data Privacy Act of 2012 and avoids potential penalties. With your Data Processing System and Data Protection Officer registered, you can build trust with your customers and safeguard their personal information.

For further guidance, you can visit the National Privacy Commission’s official website at www.privacy.gov.ph or refer to the Data Privacy Act of 2012 for more detailed information about your obligations.

Sources:

  • Republic Act No. 10173 or the Data Privacy Act of 2012, NPC Website
  • National Privacy Commission Registration System, NPCRS Portal: https://npcregistration.privacy.gov.ph/login

You may also watch the video above to learn How to Register a Data Processing System or Data Protection Officer (DPO) in the National Privacy Commission Registration System (NPCRS) | A Step-by-Step Guide.

Leave a Comment

Your email address will not be published. Required fields are marked *

ATTYSTELA.COM

output-onlinepngtools

Newsletter

Subscribe now to get updates.


© Copyright 2024. by ATTYSTELA.COM

Scroll to Top