The Data Privacy Act of 2012 (R.A. 10173) is not just legalese but also a serious call to action for any organization, whether public or private, that handles personal data. Central to this is the appointment and registration of a Data Protection Officer (DPO)—a legal requirement based on the nature and scale of business operations.

While we’ve covered DPO registration and renewal in separate articles, this latest blog adds to the series by providing a practical guide on how to properly change your company’s DPO and update the registration details with the National Privacy Commission (NPC). 

What is a DPO?

A Data Protection Officer (DPO) is a person who is appointed and registered with the National Privacy Commission (NPC) to oversee data protection activities carried out by the Personal Information Controller (PIC) and Personal Information Processor (PIP) and ensure compliance with data privacy laws. 

Under NPC Circular 2022-02, DPO (and DPS) registration is mandatory for PICs and PIPs that employ at least 250 persons, process sensitive data of at least 1,000 individuals, and handle data that will likely pose a risk to the rights and freedoms of data subjects. 

In terms of qualifications, a Data Protection Officer (DPO) must be a full-time or organic employee with at least a two-year contract, possess strong knowledge of data privacy policies and practices, understand the organization’s data processing operations and systems, and be provided with sufficient time, resources, and training to effectively perform their duties.

When to Update Your Company’s DPO Registration

Changing the company’s DPO may be caused by the resignation or termination of the current DPO, organizational restructuring, acquisition, compliance issues or other NPC legal requirements.

According to Section 7 of the NPC Circular 2022-04, Personal Information Controllers (PICs) and Personal Information Processors (PIPs) may apply for amendments to their existing registration information through the NPC Registration System (NCPRS). All changes and amendments other than a change in the entity’s name or business address are considered minor.

Updating the existing Data Processing System (DPS) and changing the Data Protection Officer (DPO) details must be made within ten (10) days from the system update or the effectivity of the appointment of the new DPO.

Comprehensive, Efficient, and Compliant

Need Help with Your DPO/DPS Registration Amendments?

Leave the paperwork to us! We can handle your registration amendments and compliance, so you can concentrate on what drives your business forward.

Learn More
Contact Us

How to Change Your Company’s Data Protection Officer (DPO): A Step-By-Step Guide

Changing your Data Protection Officer (DPO) involves a clear, step-by-step process to ensure compliance and a smooth transition within your organization.

1. Appoint a New Qualified DPO.

Appoint a Data Protection Officer (DPO) who meets the legal qualifications—such as knowledge of data privacy laws and the organization’s data processing operations. Also, ensure that he or she is committed, properly trained, and has the necessary resources to fulfill the role.

2. Inform Internal Stakeholders.

Notify your company’s relevant departments, management, and staff about the change in DPO. Doing this ensures a smooth transition, maintains transparency, and helps everyone understand who the new point of contact for privacy matters is. Clear internal communication also allows your teams to realign responsibilities, update documentation, and support the new DPO in taking over the role effectively.

3. Notify the National Privacy Commission (NPC). 

To update the DPO registration with the NPC, log in to the NPC Registration System (NPCRS) portal and navigate to the registration or amendment section. Select the option for a minor amendment and update the new DPO’s details. Download, notarize, and upload supporting documents, as necessary. Take note that if you need to change your DPO within the renewal period, you must complete the renewal first before you proceed with the amendment. 

4. Update Your Public Records. 

Update your company’s privacy policy, website, and other public materials, as necessary, to include the new DPO’s contact information. Not only for compliance, this also demonstrates your company’s accountability and makes it easier for your data subjects to exercise their rights.  

5. Facilitate Smooth Transition of Tasks and Responsibilities.

Before your outgoing DPO leaves the company, ensure the proper transfers of responsibilities, files, and ongoing data privacy issues to the new DPO. With smooth transition, you can maintain continuity of operations and reduce the risk of compliance gaps.

Other Related Articles

For more information on Data Protection Officers (DPOs) and Data Processing Systems (DPS), you might also want to explore these in-depth guides on registration and renewal procedures with the National Privacy Commission (NPC).

Data Protection Officer (DPO) Appointment and Registration in the Philippines

This guide outlines the process for appointing and registering your Data Protection Officer (DPO) with the Philippine National Privacy Commission (NPC). Adhering to these guidelines ensures compliance with the Data Privacy Act of 2012 (RA 10173) and its Implementing Rules and Regulations (IRR).

How to Renew Your Data Protection Officer (DPO) and Data Processing System (DPS) Registrations

This guide details the procedures for you to renew your Data Protection Officer (DPO) and Data Processing System (DPS) registrations with the National Privacy Commission (NPC). Maintaining current registrations is vital for compliance with Philippine data privacy laws, protecting sensitive information, and avoiding penalties. 

… and you might just need our assistance.

Need help amending your DPO registration information with the NPC? Set up a consultation with FilePino today! Call us at (02) 8478-5826 (landline) and 0917 892 2337 (mobile) or send an email to info@filepino.com.