
I. Commit to Comply: Appoint a Data Protection Officer
NPC Advisory No. 2017-01
General Flow
• Mandatory Designation
• General Qualifications
• Independence, Autonomy and Conflict of Interest
• Duties and Responsibilities of DPO and COP
• General Obligations of the PIC and PIP relative to the DPO and COP
• Weight of Opinion and Accountability
Mandatory Designation

RA 10173 Data Privacy Act of 2012 (DPA) and its Implementing Rules and Regulations (IRR)

DPA Section 21 (b).
“The personal information controller shall designate an individual who are accountable for the organization’s compliance with this Act…”

DPA IRR Section 26 (a).
“Compliance Officer. Any natural or juridical person or other body involved in the processing of personal data shall designate an individual or individuals who shall function as data protection officer…”

DPA IRR Section 50 (b).
“A personal information controller shall designate an individual or individuals who are accountable for its compliance with the Act…”
Mandatory Designation

NPC Pillars and Issuances

First Pillar of Data Privacy Accountability and Compliance. I. Commit to Comply: Appoint a Data Protection Officer

NPC Advisory No. 2016-01, Section 4. Government agency engaged in the processing of personal data shall, through its head of agency, designate a DPO.

NPC Advisory No. 2017-01. Designation of Data Protection Officers
Mandatory Designation
A PIC or PIP shall designate an individual or individuals who shall function as DPO. The DPO shall be accountable for ensuring the compliance by the PIC or PIP with the DPA, its IRR, issuances by the NPC, and other applicable laws and regulations relating to privacy and data protection.

In certain cases, a PIC or PIP is allowed to designate a Compliance Officer for Privacy (COP).
Local Government Units (LGUs): Each shall designate a DPO. Designate a COP for component city, municipality or barangay, provided that the COP is under the supervision of the DPO.

Other Government Agencies: Each shall designate a DPO. Designate a COP for regional, provincial, or other similar sub-units, provided that the COP is under the supervision of the DPO.

Private Sectors: Each shall designate a DPO. May also designate a COP per branch, sub-office, etc. *Subject to approval of the NPC, a group of related companies may appoint the DPO of one of its members to be primarily accountable.

Analogous Cases: May seek approval of the NPC for the appointment or designation of a COP, in lieu of a COP.

An Individual PIC or PIP shall be a de facto DPO.


General Qualifications
Possess specialized knowledge and demonstrate reliability necessary to perform the duties and responsibilities.
Have an expertise in relevant privacy and data protection policies and practices.
Have sufficient understanding of the processing activities carried out by controllers and processors, including information systems used, data security, and data protection needed.
Independence, Autonomy and Conflict of Interest

Independence, Autonomy
Must be independent in the performance of his functions, and be given a significant degree of autonomy by the controller or processor.

Conflict of Interest
May perform or be assigned other tasks, and take on other functions, as long as these do not give rise to any conflict of interest.
Duties and Responsibilities of DPO and COP

Duties and Responsibilities of DPO

MONITOR THE COMPLIANCE with the DPA, IRR, NPC issuances and applicable laws
• Maintain record of processing operations;
• Analyze and check the compliance;
• Inform, advise and issue recommendations to the PIC or PIP;
• Ascertain renewal of accreditations or certifications;
• Advise regarding the necessity of executing a Data Sharing Agreement with third parties.

Ensure the conduct of PRIVACY IMPACT ASSESSMENT
• Relative to PIC or PIP’s:
o Activities
o Measures
o Projects
o Programs
o Systems

ADVISE the PIC or PIP
• Regarding data subjects’:
o Complaints
o Rights (e.g. Request for Information, Clarifications, Rectification or Deletion of Personal Data)

Duties and Responsibilities of the DPO and COP

Ensure PROPER DATA BREACH and SECURITY INCIDENT MANAGEMENT

Inform and cultivate AWARENESS on Privacy and Data Protection

ADVOCATE for the development, review, and revision of policies, etc.

COOPERATE, COORDINATE and SEEK ADVICE of the NPC

Serve as CONTACT PERSON in all matters concerning data privacy and security

PERFORM other duties and tasks that will further the interest of data privacy

• DPO and COP must have due regard for the risks associated with the processing operations of the PIC or PIP, taking into account the nature, scope, context and purposes of processing.
• DPO and COP must prioritize accordingly his or her activities and focus his or her efforts on issues that present higher protection risks.
General Obligations of the PIC or PIP Relative to the DPO or COP

General Obligations of PIC or PIP
• The PIC or PIP should:
1. Effectively communicate to its personnel, the designation of the DPO or
COP, and his or her functions;
2. Allow the DPO or COP to be involved from the earliest possible stage in all
issues relating to privacy and data protection;
3. Provide sufficient time and resources necessary for the DPO or COP to
keep himself or herself updated with the developments in data privacy and
security and to carry out his or her tasks effectively and efficiently;
4. Grant the DPO or COP appropriate access to the personal data it is
processing, including the processing systems;
5. Where applicable, invite the DPO or COP to participate in meetings of
senior and middle management to represent the interest of privacy and data
protection;
6. Promptly consult the DPO or COP in the event of a personal data breach
or security incident; and,
7. Ensure that the DPO or COP is made a part of all relevant working
groups that deal with the personal data processing activities conducted
inside the organization, or with other organizations.
Other Obligations of PIC or PIP
• PIC or PIP must publish the DPO’s or COP’s contact details in, at least, the
following materials:
o Website;
o Privacy Notice;
o Privacy Policy; and,
o Privacy Manual or Privacy Guide
• Contact details of the DPO or COP should include the following information:
o Title or designation
o Postal address
o A dedicated telephone number
o A dedicated email address
• The name or names of the DPO or COP need not be published. However, they
should be made available upon request by a data subject or the NPC.
Outsourcing or Subcontracting of Functions

Outsourcing or Subcontracting Functions
The PIC or PIP may outsource DPO functions.

However, the DPO must still oversee the performance of its functions by the third-party service provider.

The DPO shall remain as the contact person of the NPC to the organization.
Protections
The PIC or PIP should not directly or indirectly penalize or dismiss the DPO for performing its tasks, to further emphasize his autonomy and independence.

Even a simple threat is disallowed if it has the effect of preventing the DPO from performing its role.
Weight of Opinion and Accountability

Weight of Opinion
The opinion of the DPO or COP must be given due weight. In case of disagreement, and should the PIC or PIP choose not to follow the advice of the DPO and COP, it is recommended, as good practice, to document the reasons therefor.

Accountability
While the responsibility of complying with the DPA, its IRR, issuances by the NPC, and other applicable laws remains with the PIC or PIP, malfeasance, misfeasance, or nonfeasance on the part of the DPO or COP relative to his designated functions may still be a ground for administrative, civil, or criminal liability, in accordance with all applicable laws.