What you need to know when appointing a Data Protection Officer

What you need to know when appointing a Data Protection Officer

Companies that engage in processing personal data of individuals living within or outside the Philippines should have Personal Information Controllers (PIC) and/or Personal Information Processors (PIP). The PIP and PIC are the ones responsible for collecting and processing data. PIPs more specifically are those to whom a PIC would outsource data processing. Both are then required to appoint a Data Protection Officer (DPO), in accordance with the Data Privacy Act (DPA) of 2012 or RA 10173.

One of the main responsibilities of the DPO is to make sure the PIC or PIP is in compliance with the rules and regulations of the DPA, the National Privacy Commission (NPA), and other laws and regulations that relate to data privacy and security.

Why is a Data Protection Officer important?

Aside from being a requirement of the DPA, having a DPO means that an organization is better equipped to compete in the aspect of data protection. The DPO can improve customer service, as well as enhance response and increase public awareness relating to personal data protection.


What requirements must a Data Protection Officer have?

  • A full-time employee or an organic employee of the PIC or PIP
  • Expertise in relevant privacy or data protection policies and practices
  • Adequate knowledge and understanding of the processing operations being carried out by the PIC or PIP, including information systems, data security and/or data protection needs of the PIP
  • Comprehends the sector or field the PIC or PIP uses
  • Understands the PIP’s internal structure, policies, and processes

When appointing a DPO on a contractual basis, it is preferred that the duration of the contract be at least two years to guarantee stability.

What are the full responsibilities of a Data Protection Officer? 

To properly carry out their function of ensuring the organization’s compliance with the DPA and other applicable laws, the DPO is expected to:

  • Monitor the PIC’s or PIP’s personal data processing operations, activities, measures, projects or systems
  • Analyze and check any accreditations or certifications
  • Provide advice and recommendations on legal requirements
  • Ensure the execution of Privacy Impact Assessments
  • Give advice to the PIC or PIP about complaints and/or actions of users regarding their rights, including users’ right to information, clarifications, corrections, or deletion of personal data
  • Make sure the PIC and PIP conduct proper data breach and security management
  • Create awareness of privacy and data protection
  • Adopt a privacy-by-design approach while advocating for changing, reviewing, revising, and/or creating policies, guidelines, and/or programs about privacy and data security
  • Be a contact person of the PIC or PIP in relation to users, the National Privacy Commission (NPC), and other authorities concerning data privacy and security
  • Coordinate, cooperate, or seek the advice of the NPC

Perform duties and tasks that are assigned by the PIC or PIP in relation to furthering the interest of data privacy and security, and the right of data subjects.

The DPO should be accessible to users and their contact details should be included in the organization’s website, privacy notice, privacy policy, and privacy manual.

The DPO’s name is not required to be made public but should be made available to users if they request it. The name of the DPO is also a requirement when registering the data processing systems.

If you want to know more about appointing a DPO, just call FilePino at +1.806.553.6552 (USA) or +63.917.8922337 (Philippines). You can also browse the website for more information on DPA and other helpful articles.