Does HR data processing require registration under data protection laws?
Data protection laws sometimes include conformity assessments, which help to ensure businesses follow regulations. Requirements can include registration before the Data Protection Authority and random audits.
In the Philippines, Personal Information Processors and Personal Information Controllers, such as employers, must register their data processing system with the National Privacy Commission if :
- processing personal data in the Philippines involves accessing or requiring sensitive personal information of at least 1,000 individuals;
- employing at least 250 employees;
- the processing is likely to pose a risk to the rights and freedoms of data subjects;
- processing is not occasional.
When registering, employers will need to include:
- the name and address of the employer (as the personal information controller) or personal information processor, and the contact information for any representatives;
- the reason for the processing and whether any processing is being completed by an outsourcing or subcontracting agreement;
- a description of the categories of data subjects and the data or categories of data being processed about them;
- the data recipients or categories of recipients who might have this data disclosed to them;
- proposed international data transfers;
- a description of privacy and security measures for data protection;
- short description of the data processing system;
- copy of data policies, including data privacy, information security and data governance;
- attestation of certifications relating to information and communications processing; and, the
- name and contact information for the compliance or data protection officer.
Employers can register via the National Privacy Commission data registration page:
HR Best Practices: Employers should register with the National Privacy Commission prior to processing employee data. In the event that the Data Protection Officer within your organization changes, make sure to proactively notify the Commission with the new contact’s details.