
I. Commit to Comply: Appoint a Data Protection Officer
NPC Advisory No. 2017-01

KMN
General Flow
• Mandatory Designation
• General Qualifications
• Independence, Autonomy and Conflict of Interest
• Duties and Responsibilities of DPO and COP
• General Obligations of the PIC and PIP relative to the DPO and COP
• Weight of Opinion and Accountability

Mandatory Designation
RA 10173 Data Privacy Act of 2012 (DPA) and its Implementing Rules and Regulations (IRR)

DPA Section 21 (b).
“The personal information controller shall designate an individual who are accountable for the organization’s compliance with this Act…”

DPA IRR Section 26 (a).
“Compliance Officer. Any natural or juridical person or other body involved in the processing of personal data shall designate an individual or individuals who shall function as data protection officer…”

DPA IRR Section 50 (b).
“A personal information controller shall designate an individual or individuals who are accountable for its compliance with the Act…”
Mandatory Designation

NPC Pillars and Issuances

First Pillar of Data Privacy Accountability and Compliance. I. Commit to Comply: Appoint a Data Protection Officer

NPC Advisory No. 2016-01, Section 4. A government agency engaged in the processing of personal data shall, through its head of agency, designate a DPO.

NPC Advisory No. 2017-01. Designation of Data Protection Officers

Mandatory Designation
A PIC or PIP shall designate an individual or individuals who shall
function as DPO. The DPO shall be accountable for ensuring the
compliance by the PIC or PIP with the DPA, its IRR, issuances by
the NPC, and other applicable laws and regulations relating to
privacy and data protection.
In certain cases, a PIC or PIP is allowed to designate a
Compliance Officer for Privacy (COP).

Local Government Units (LGUs)
• Each shall designate a DPO.
• Designate a COP for component city, municipality or barangay, provided that the COP is under the supervision of the DPO.

Other Government Agencies
• Each shall designate a DPO.
• Designate a COP for regional, provincial, or other similar sub-units, provided that the COP is under the supervision of the DPO.

Private Sector
• Each shall designate a DPO. May also designate a COP per branch, sub-office, etc.
• *Subject to approval of the NPC, a group of related companies may appoint the DPO of one of its members to be primarily accountable.

Analogous Cases
• May seek approval of the NPC for the appointment or designation of a COP, in lieu of a DPO.

An individual PIC or PIP shall be a de facto DPO.
General Qualifications
Possess specialized knowledge and demonstrate reliability
necessary to perform the duties and responsibilities.
Have an expertise in relevant privacy and data protection policies
and practices.
Have sufficient understanding of the processing activities carried
out by controllers and processors, including information systems
used, data security, and data protection needed.

Independence, Autonomy and Conflict of Interest

Independence, Autonomy
Must be independent in the performance of his functions, and be
given a significant degree of autonomy by the controller or
processor.

Conflict of Interest
May perform or be assigned other tasks, and take on other
functions, as long as these do not give rise to any conflict of
interest.

Duties and Responsibilities of DPO and COP

MONITOR THE COMPLIANCE with the DPA, IRR, NPC issuances and applicable laws:
• Maintain a record of processing operations;
• Analyze and check the compliance;
• Inform, advise and issue recommendations to the PIC or PIP;
• Ascertain renewal of accreditations or certifications;
• Advise regarding the necessity of executing a Data Sharing Agreement with third parties.

Ensure the conduct of PRIVACY IMPACT ASSESSMENT relative to the PIC or PIP’s:
o Activities
o Measures
o Projects
o Programs
o Systems

ADVISE the PIC or PIP regarding data subjects’:
o Complaints
o Rights (e.g. Request for Information, Clarifications, Rectification or Deletion of Personal Data)

Ensure PROPER DATA BREACH and SECURITY INCIDENT MANAGEMENT.

Inform and cultivate AWARENESS on Privacy and Data Protection.

ADVOCATE for the development, review, and revision of policies, etc.

Serve as CONTACT PERSON in all matters concerning data privacy and security.

COOPERATE, COORDINATE and SEEK ADVICE of the NPC.

PERFORM other duties and tasks that will further the interest of data privacy.

• The DPO and COP must have due regard for the risks associated with the processing operations of the PIC or PIP, taking into account the nature, scope, context and purposes of processing.
• The DPO and COP must prioritize their activities accordingly and focus their efforts on issues that present higher protection risks.
General Obligations of the PIC or PIP Relative to the DPO or COP

General Obligations of PIC or PIP
• The PIC or PIP should:
1. Effectively communicate to its personnel the designation of the DPO or COP,
and his or her functions;
2. Allow the DPO or COP to be involved from the earliest possible stage in all issues
relating to privacy and data protection;
3. Provide sufficient time and resources necessary for the DPO or COP to keep
himself or herself updated with the developments in data privacy and
security and to carry out his or her tasks effectively and efficiently;
4. Grant the DPO or COP appropriate access to the personal data it is
processing, including the processing systems;
5. Where applicable, invite the DPO or COP to participate in meetings of
senior and middle management to represent the interest of privacy and data
protection;
6. Promptly consult the DPO or COP in the event of a personal data breach or
security incident; and,
7. Ensure that the DPO or COP is made a part of all relevant working groups
that deal with the personal data processing activities conducted inside the
organization, or with other organizations.
Other Obligations of PIC or PIP
• PIC or PIP must publish the DPO’s or COP’s contact details in, at least, the
following materials:
o Website;
o Privacy Notice;
o Privacy Policy; and,
o Privacy Manual or Privacy Guide
• Contact details of the DPO or COP should include the following information:
o Title or designation
o Postal address
o A dedicated telephone number
o A dedicated email address
• The name or names of the DPO or COP need not be published. However, they
should be made available upon request by a data subject or the NPC.
Outsourcing or Subcontracting of Functions

The PIC or PIP may outsource DPO functions.

However, the DPO must still oversee the performance of those functions by the third-party service provider.

The DPO shall remain the contact person of the NPC for the organization.

Protections

The PIC or PIP should not directly or indirectly penalize or dismiss the DPO for performing his or her tasks, so as to further emphasize his or her autonomy and independence.

Even a simple threat is disallowed if it has the effect of preventing the DPO from performing his or her role.

Weight of Opinion and Accountability

Weight of Opinion
The opinion of the DPO or COP must be given due weight. In case of disagreement, and should the PIC or PIP choose not to follow the advice of the DPO or COP, it is recommended, as good practice, to document the reasons therefor.

Accountability
While the responsibility of complying with the DPA, its IRR, issuances by the NPC, and other applicable laws remains with the PIC or PIP, malfeasance, misfeasance, or nonfeasance on the part of the DPO or COP relative to his or her designated functions may still be a ground for administrative, civil, or criminal liability, in accordance with all applicable laws.
