The National Privacy Commission (NPC) reminded the public on Monday that registration with the commission does not constitute or imply an endorsement, clearance or confirmation that an organization’s data processing activities are lawful.
Registration is only one of several obligations under the Data Privacy Act of 2012 (DPA) and its implementing rules and regulations (IRR), which are meant to promote transparency and accountability, the NPC said in a statement.
Organizations remain responsible for ensuring lawful data processing, upholding the rights of data subjects, and implementing appropriate organizational, physical and technical safeguards, it said.
The NPC said that under the DPA, it is the sole government authority empowered to determine the lawfulness of personal data processing activities.
While the commission cooperates with other government agencies on matters of shared concern, its jurisdiction over the collection, use, storage and protection of personal information remains exclusive and independent.
The commission’s official position on matters involving data processing activities is expressed only through formal issuances, such as decisions or orders, duly approved by the commission en banc after proper deliberation.
The NPC exercises its mandate with full autonomy as provided by law, and any assertions made outside these official issuances should not be construed as the commission’s official position.







