Our data privacy compliance services cover National Privacy Commission (NPC) registration and renewal, as well as required updates for amendments in the Data Protection Officer (DPO) and/or Data Processing Systems (DPS), ensuring your compliance with the Data Privacy Act of 2012.
Why Data Privacy Compliance Matters
In the Philippines, entities that qualify as Personal Information Controllers (PICs) and/or Personal Information Processors (PIPs) are legally mandated to register with the National Privacy Commission (NPC), including their Data Protection Officer (DPO) and Data Processing Systems (DPS) and to implement lawful, secure, and accountable data processing practices in compliance with the Data Privacy Act of 202 (R.A. 10173).
Noncompliance may result in administrative fines, suspension of data processing activities, and civil actions for damages. Certain violations may even give rise to criminal liability, subject to penalties prescribed by law.
What Duran & Duran-Schulze Law Does
Duran & Duran-Schulze Law offers expert data privacy compliance services in the Philippines that guide businesses in aligning their operations with the landmark legislation on personal information protection, the Data Privacy Act of 2012. Primarily, we ensure initial compliance through proper registration with the National Privacy Commission (NPC) and timely updates to maintain accurate records.
Our Data Privacy Compliance Services
As a trusted law firm, we provide data privacy compliance services that help businesses manage regulatory obligations and maintain lawful personal data processing.
DPO/DPS Registration
We guide businesses in the formal registration of their Data Protection Officer (DPO) and Data Processing Systems (DPS) with the National Privacy Commission (NPC), ensuring strict documentation compliance with the obligations imposed under the Data Privacy Act.
DPO/DPS Renewal
We manage the timely renewal of DPO and DPS registrations to ensure continuous regulatory compliance and mitigate the risk of administrative, civil, or criminal exposure for the organization.
DPO/DPS Amendments
We assist clients in effecting lawful updates to the National Privacy Commission (NPC) records in the event of a change in the Data Protection Officer (DPO) or any other amendments to the Data Processing Systems (DPS), maintaining accuracy and adherence to statutory compliance requirements.
How to Get Started
For inquiries on requirements, processes, and fees, contact Duran & Duran-Schulze Law at (+632) 8478 5826, (+63) 917 194 0482, or info@duranschulze.com, or simply complete the form on this page. Our office is located at 1210 High Street South Corporate Plaza Tower 2, 26th Street, Bonifacio Global City, Taguig, Metro Manila, Philippines.
Need to Consult a Lawyer?
You can book an online or in-person consultation with Atty. March. Choose a 30-minute or 1-hour session, fill out the form with your information and preferred schedule, pay the fee via PayPal, and meet with the attorney at the scheduled time.
Atty. Marie Christine Duran-Schulze
Managing Partner [Read Profile]
Business and Corporate Law, Family Law, Litigation, Immigration Laws, Real Estate, Labor Management, and HR Services
Data Privacy Compliance FAQs
For your reference and guidance, here are some frequently asked questions about data privacy compliance in the Philippines:
A Data Protection Officer (DPO) is an individual appointed by a Personal Information Controller (PIC) or Personal Information Processor (PIP) to oversee data protection activities and ensure compliance with applicable data privacy laws. A Data Processing System (DPS), on the other hand, is the technological infrastructure—including hardware, software, workflows, and security measures—used by the PIC or PIP to facilitate lawful and secure processing of personal data.
A Data Protection Officer (DPO) should be a full-time or long-term employee of the organization, possess comprehensive knowledge of privacy and data protection policies, and have a clear understanding of the entity’s processing operations, including information systems and security requirements. He or she must also be allocated sufficient time, resources, and training to effectively perform the responsibilities and ensure ongoing compliance with the Data Privacy Act.
No. The registration may either be mandatory or voluntary depending on the nature, scale, and sensitivity of the data processed.
As NPC Circular 2022-04 (effective January 2023) provides, DPO/DPS registration is mandatory for PICs and PIPs that: (a) employ two hundred fifty (250) or more persons; (b) process sensitive personal information of one thousand (1,000) or more individuals; or (c) process data that will likely pose a risk to the rights and freedoms of data subjects.
Pursuant to Section 7 of NPC Circular 2022-04, covered Personal Information Controllers (PICs) or Personal Information Processors (PIPs) are required to register a newly implemented Data Processing System (DPS) or a newly appointed Data Protection Officer (DPO) in the NPC Registration System (NPCRS) within 20 calendar days from the commencement of the system or the effectivity date of the appointment.
For minor amendments, including updates to an existing Data Processing System (DPS) or a change in Data Protection Officer (DPO), you must update the NPC Registration System (NPCRS) within 10 calendar days from the DPS update or the DPO appointment’s effectivity. For major amendments, such as changes to your entity’s name or address, the updates must be filed within 30 calendar days from the effective date of the change.
Your NPC Certificate of Registration (COR) is valid for one (1) year from its issuance date. You must renew your registration 30 days before its expiration.
Law firms, like Duran & Duran-Schulze Law, provide authoritative legal expertise in data privacy laws, ensure statutory compliance, manage NPC interactions, reduce regulatory risk, and help implement a robust data protection framework.
