In case a DPO account was not properly transferred, or in cases of inaccessibility to the registration platform due to lost credentials, or upon failure of a prior DPO to properly turn over the accountability to the registration platform, the PIC or PIP shall submit a notarized letter of explanation or any similar document as justification as to why the DPO account was lost or not properly transferred without prejudice to any administrative finding of failure to register or to update registration.
Note that a PIC or PIP shall be considered as unregistered upon failure to comply with the new guidelines, if approved, and may be subjected to penalties; upon expiration and non-renewal of Certificate of Registration; non-submission of any deficiency in supporting documents within five days from notice; rejection or disapproval of an application for registration, or an application for renewal of registration; or revocation of the Certificate of Registration.
Another key feature of the draft circular has to do with notification of automated decision-making or profiling. “Automated Decision-making” refers to a wholly or partially automated processing operation that can make decisions using technological means totally independent of human intervention; automated decision-making often involves profiling.
“Profiling”, on the other hand, refers to any form of automated processing of data consisting of the use of Personal Data, such as an individual’s economic situation, political or religious beliefs, behavioral or marketing activities, personal preferences, electronic communication data, location data, and financial data, among others, to evaluate, analyze, or predict his or her performance, qualities, and behavior, among others. Considering the impact that such types of processes may have on the data owner’s information and data privacy rights, the draft circular requires PIC and PIP to include in its registration statement the identification of its Data Processing System involved in the automated decision-making or profiling operation. The report must include the:
A. Lawful basis for processing personal data. If consent is used as the basis for processing, it must submit the consent form or any other document or manner by which consent was obtained;
B. The retention period for the processed data;
C. Methods and logic utilized for automated processing; and
D. Possible decisions relating to the data subject based on the processed data, particularly if the decisions would significantly affect the data subject’s rights and freedoms.
As can be gleaned from the process enumerated, it appears the NPC is seeking an end-to-end process that is aligned with the digitalization initiatives adopted by most government agencies and even private entities. With the lesson taught by the pandemic, digitalization and leveraging of online tools and processes allows for easier, more efficient systems that are more aligned with the business continuity protocols of most organizations.
Indeed, an easier, more efficient registration system leveraging automated processes vital to ensure that PICs and PIPs keep a record of their personal data processing activities. It also makes information about personal data processing systems operating in the country accessible to both the NPC, for compliance monitoring, and data subjects, to facilitate the exercise of their rights under the DPA. An efficient registration system promotes transparency and accountability in the processing of personal data and lowers the risks of personal data breaches in terms of availability, integrity, and confidentiality of the personal information of data subjects.
In this day and age, information is power. Data privacy has never been more of a consideration than now where data can be shared, accessed, and processed with a simple click of a button or a keystroke. It behooves relevant government agencies and the private sector to work hand in hand to ensure the rights of data owners while implementing practical solutions to make information sharing secure and purpose-oriented.
***
For more of Dean Nilo Divina’s legal tidbits, please visit www.divinalaw.com. For comments and questions, please send an email to cabdo@divinalaw.com.