The Philippines’ National Privacy Commission issued an advisory mandating all PH companies, private and public, to designate a Data Protection Officer.
“Pursuant to Section 26(a) of the IRR, any natural or juridical person or other body involved in the processing of personal data shall designate an individual or individuals who shall function as data protection officer (DPO), compliance officer, or shall otherwise be accountable for ensuring compliance with applicable laws and regulations for the protection of data privacy and security”
The Data Protection Officer shall be accountable for ensuring the compliance by the Personal Information Controller (PIC) or Personal Information Processor (PIP) with the Data Privacy Act, its Implementing Rules and Regulations, issuances by the National Privacy Commission, and other applicable laws and regulations relating to privacy and data protection.
In certain cases, a PIC or PIP is allowed to designate a compliance officer for privacy (COP):
a. Local Government Units (LGUs). Each LGU shall designate a DPO. However, a component city, municipality, or barangay is allowed to designate a COP, provided that the latter shall be under the supervision of the DPO of the corresponding province, city, or municipality that that component city, municipality or barangay forms part of.
b. Government Agencies. Each government agency shall designate a DPO. Where a government agency has regional, provincial, district, city, municipal offices, or any other similar sub-units, it may designate or appoint a COP for each sub-unit. The COPs shall be under the supervision of the DPO.
c. Private Sector. Where a private entity has branches, sub-offices, or any other component units, it may also appoint or designate a COP for each component unit. Subject to the approval of the NPC, a group of related companies may appoint or designate the DPO of one of its members to be primarily accountable for ensuring the compliance of the entire group with all data protection policies. Where such common DPO is allowed by the NPC, the other members of the group must still have a COP, as defined in this Advisory.
d. Other Analogous Cases. PICs or PIPs that are under similar or analogous circumstances may also seek the approval of the NPC for the appointment or designation of a COP, in lieu of a DPO.
Data Protection Officer General Qualifications
The DPO should possess specialized knowledge and demonstrate reliability necessary for the performance of his or her duties and responsibilities. As such, the DPO should have expertise in relevant privacy or data protection policies and practices. He or she should have sufficient understanding of the processing operations being carried out by the PIC or PIP, including the latter’s information systems, data security and/or data protection needs. Knowledge by the DPO of the sector or field of the PIC or PIP, and the latter’s internal structure, policies, and processes is also useful.
For complete information, please check the National Privacy Commission’s Advisory No. 2017-01 – Designation of Data Protection Officers.