Does a Small Business Need to Register With the National Privacy Commission?

A small business does not automatically have to complete full registration with the National Privacy Commission simply because it collects customer names, phone numbers, delivery addresses, or employee records. However, business size is only one part of the test. A small clinic, lending company, tutorial center, recruitment firm, or online platform may still be required to register because of the kind of information it handles, the people affected, or the risks created by its processing activities.

If full registration is not mandatory and the business chooses not to register voluntarily, it must generally submit a notarized Sworn Declaration and Undertaking for Exemption through the NPC Registration System. Exemption from registration also does not exempt the business from the Data Privacy Act.

When a Small Business Must Register With the NPC

Under Section 5 of NPC Circular No. 2022-04, a personal information controller or personal information processor must register its data processing systems when any one of the following conditions exists:

  1. It employs 250 or more persons.
  2. It processes sensitive personal information belonging to 1,000 or more individuals.
  3. Its processing is likely to pose a risk to the rights and freedoms of data subjects.
  4. Its system involves automated decision-making or profiling.

These are alternative tests. The business does not have to meet all of them before registration becomes mandatory. (National Privacy Commission)

Quick Registration Test

Business situation Likely result
Fewer than 250 workers, fewer than 1,000 people with sensitive data, and low-risk processing May claim exemption by filing the required sworn declaration
250 or more workers Mandatory registration
Sensitive personal information of at least 1,000 individuals Mandatory registration
Processing involving vulnerable persons, confidential records, or significant privacy risks Mandatory registration may apply even below the numerical thresholds
Automated credit scoring, behavioral profiling, or decisions made independently by a system Mandatory registration
Business does not meet the mandatory tests but wants an NPC Certificate and Seal Voluntary registration is available

The safest approach is to examine the business’s actual data activities rather than relying on labels such as “micro,” “small,” “home-based,” or “online-only.”

What Counts as Personal and Sensitive Personal Information?

The governing law is Republic Act No. 10173, known as the Data Privacy Act of 2012, together with its Implementing Rules and Regulations.

Personal information is information that identifies a person, either by itself or when combined with other information. Common examples include:

  • Name
  • Home or delivery address
  • Telephone number
  • Email address
  • Customer account details
  • Photograph
  • CCTV footage showing an identifiable person
  • Device or online identifiers connected to a person

Sensitive personal information receives greater legal protection. Under Section 3(l) of the Data Privacy Act, it includes information about a person’s:

  • Age and marital status
  • Race, ethnic origin, or religious and political affiliations
  • Health, education, genetic information, or sexual life
  • Criminal cases, alleged offenses, and court sentences
  • Government-issued identifiers and records, such as SSS, GSIS, PhilHealth, tax, licence, and certain health information
  • Information classified as confidential by law

This definition is broader than many business owners expect. An ordinary employee file may contain age, marital status, health information, government numbers, and tax records—all of which may be sensitive personal information. (National Privacy Commission)

Does Having 1,000 Customers Automatically Require Registration?

Not necessarily.

The wording of NPC Circular No. 2022-04 and the NPC’s updated registration FAQ refers to sensitive personal information of 1,000 or more individuals, not merely to having 1,000 customer names or transactions. A store with 2,000 customers whose records contain only names, contact details, and delivery addresses does not automatically meet that particular numerical threshold.

Registration may still be mandatory if the processing creates substantial risk, involves profiling, or includes sensitive information such as dates of birth, government ID details, health information, financial assessments, or criminal records. (National Privacy Commission)

When counting individuals, businesses should review all active records—not only paying customers. Depending on the system, the relevant people may include:

  • Employees and former employees
  • Job applicants
  • Customers and prospective customers
  • Patients, students, borrowers, or tenants
  • Suppliers and individual contractors
  • Website and mobile-app users
  • Persons appearing in CCTV records

What Does “Likely to Pose a Risk” Mean?

A small business may have only five employees and a few hundred customers but still be covered by mandatory registration because of the nature of its processing.

The NPC identifies higher-risk situations as including information involving:

  • Minors
  • Patients
  • Elderly persons
  • Persons with mental illness
  • Asylum seekers
  • Criminal offenses
  • Public health, public safety, or national security
  • Information required by law to remain confidential
  • A strong imbalance between the business and the individual
  • Automated decision-making or profiling

These are not merely theoretical examples. A dental clinic, diagnostic laboratory, preschool, online lending company, psychological service, recruitment agency, or business using biometric and behavioral analysis may present greater privacy risks than a much larger business that keeps only basic contact information. (National Privacy Commission)

Examples of Small Businesses That May Need to Register

Business Why registration may be required
Medical or dental clinic Processes patient and health information
Tutorial center, daycare, or small school Processes information about minors and educational records
Lending or financing business Handles financial information and may conduct credit profiling
Recruitment agency Processes employment history, government IDs, medical results, and background checks
Counseling or psychological practice Handles highly sensitive health information
Online platform using algorithms to approve or reject users Involves automated decision-making
Business using facial recognition Processes biometric information and may involve profiling
Security or investigation service May process criminal allegations and surveillance information

A conventional CCTV system does not automatically mean that every small shop must complete full NPC registration. The business should assess the number of cameras, areas monitored, retention period, use of facial recognition, persons recorded, access arrangements, and consequences of misuse. CCTV processing must also comply with NPC Circular No. 2024-02.

Automated Decision-Making and Profiling

A data processing system involving automated decision-making or profiling must be registered regardless of the business’s employee count.

NPC Circular No. 2022-04 defines automated decision-making as processing that can make decisions through technological means independently of human intervention. Profiling includes automated use of personal data to evaluate or predict a person’s behavior, preferences, financial position, performance, or qualities. (National Privacy Commission)

Examples include systems that automatically:

  • Approve or reject a loan application
  • Assign a customer credit or fraud-risk score
  • Reject job applicants based on programmed criteria
  • Adjust prices according to a person’s behavior
  • Rank workers based on location or productivity data
  • Target customers using detailed behavioral profiles
  • Suspend accounts based on algorithmic findings

Using ordinary bookkeeping software or manually reviewing a spreadsheet does not necessarily amount to automated decision-making. The important question is whether the system independently evaluates people or produces decisions that affect them.

Registration Is Different From Data Privacy Compliance

NPC registration is one compliance requirement. It is not the entirety of the Data Privacy Act, and an NPC Certificate of Registration is not a government declaration that every business practice is lawful.

Even an exempt small business must still:

  • Process personal data for a lawful and declared purpose
  • Collect only information that is relevant and necessary
  • Provide an understandable privacy notice
  • Respect requests for access, correction, deletion, blocking, or objection when legally applicable
  • Use reasonable organizational, physical, and technical security measures
  • Restrict employee access to personal data
  • Establish appropriate retention and secure disposal procedures
  • Manage service providers through proper contracts
  • Maintain procedures for handling security incidents and personal data breaches

Sections 11, 12, 13, 16, 20, and 21 of the Data Privacy Act cover lawful processing, data-subject rights, security, and accountability. The level of security may take account of the size and complexity of the organization, but being small does not remove the obligation to protect personal data. (National Privacy Commission)

Does an Exempt Small Business Still Need a Data Protection Officer?

A business involved in processing personal data should designate an accountable privacy officer or Data Protection Officer (DPO).

Section 26 of the Data Privacy Act’s Implementing Rules and Regulations requires persons and organizations involved in personal-data processing to designate one or more individuals responsible for privacy compliance. The NPC likewise describes DPO appointment as a legal requirement for personal information controllers and processors. (National Privacy Commission)

For a small business:

  • The owner may serve as DPO when appropriate.
  • A qualified employee may be designated.
  • A sole professional is generally considered the de facto DPO.
  • A common or external DPO arrangement may be used where permitted.
  • Each registered entity must have its own official DPO email address, even when several related companies share the same individual as DPO.

The email should belong to the position, such as dpo@businessname.ph or privacy@businessname.com, rather than being the personal email of the individual currently assigned. Only one DPO is registered per entity, although the business may appoint additional compliance officers internally.

How to Determine Whether Your Business Must Register

1. Make an Inventory of Your Data Processing Systems

List every system in which personal data is collected, used, stored, disclosed, transferred, or deleted. Do not limit the review to sophisticated software.

Common systems include:

  • Employee records and payroll
  • Recruitment and applicant records
  • Customer databases
  • Point-of-sale loyalty records
  • Online order and delivery systems
  • Websites and mobile applications
  • Email marketing lists
  • CCTV systems
  • Biometric attendance systems
  • Patient, student, borrower, or tenant records
  • Paper files arranged by person
  • Cloud storage, spreadsheets, messaging apps, and customer relationship software

2. Identify the People and Data in Each System

For each system, record:

  • Categories of people whose information is processed
  • Types of personal and sensitive personal information
  • Purpose and legal basis for processing
  • Number of affected individuals
  • Persons inside the business who can access the information
  • Outside recipients and service providers
  • Retention period
  • Storage location
  • Whether information is sent outside the Philippines
  • Security measures
  • Whether the system performs profiling or automated decisions

These are substantially the same details required during NPC registration. (National Privacy Commission)

3. Apply Each Mandatory Registration Test

Ask the following questions separately:

  1. Does the business employ at least 250 persons?
  2. Does any system process sensitive personal information of at least 1,000 individuals?
  3. Does the processing involve vulnerable persons, confidential information, surveillance, financial evaluation, health information, criminal records, or another significant risk?
  4. Does any system perform automated decision-making or profiling?

A “yes” answer to any question normally points to mandatory registration.

4. Choose Mandatory Registration, Voluntary Registration, or Exemption

The available paths are:

Path When used Result
Mandatory registration At least one mandatory test applies Certificate and NPC Seal after successful registration
Voluntary registration Mandatory tests do not apply, but the business chooses to register Certificate and NPC Seal after successful registration
Exemption filing Mandatory tests do not apply and the business does not register voluntarily Notarized Sworn Declaration and Undertaking filed through NPCRS

An exemption filing is not simply an internal memo. The NPC requires the sworn declaration to be submitted through its online registration system.

How to File for Exemption From NPC Registration

A business claiming exemption should use the NPC Registration System and follow the NPC’s official exemption procedure.

  1. Create or access the NPCRS account using the business’s official DPO credentials.
  2. Select the applicable registration type.
  3. Choose the option for exemption from data processing system registration.
  4. Download the Sworn Declaration and Undertaking.
  5. Complete the form accurately.
  6. Print and sign it before a notary public.
  7. Upload the notarized document through NPCRS.
  8. Keep the email confirmation and a complete copy of the notarized filing.

To qualify, the business must be able to truthfully declare that it:

  • Employs fewer than 250 persons;
  • Does not process sensitive personal information of at least 1,000 individuals;
  • Does not conduct processing likely to pose a risk to data subjects; and
  • Is not a government agency or instrumentality.

The declaration is legally binding. Filing it without first conducting a reliable data inventory can expose the business to problems during an NPC compliance check. (National Privacy Commission)

How to Complete Full NPC Registration

The NPC registration guide provides the current online process.

1. Designate the DPO

Prepare a valid document appointing the DPO. Create a unique email address dedicated to the DPO position.

2. Create the NPCRS Account

Enter the business details, DPO information, Philippine mobile number, and official communication channels.

3. Encode All Active Data Processing Systems

The initial registration must include all active systems. Businesses commonly overlook payroll, applicant records, CCTV, website forms, messaging-based orders, and cloud services.

For each system, the portal may require information about:

  • System name
  • Purpose and lawful basis
  • Categories of data subjects and information
  • Recipients
  • Outsourced processors
  • Security controls
  • Collection, retention, and disposal
  • Overseas transfers
  • Data-sharing arrangements
  • Automated decision-making or profiling

4. Upload the Supporting Documents

Business form Common supporting documents
Corporation Notarized Secretary’s Certificate or equivalent DPO authority, SEC Certificate of Registration, certified true copy of latest GIS, and valid business permit
One Person Corporation DPO appointment document signed or authorized by the sole director, SEC registration, and valid business permit
Partnership Notarized partnership resolution, SPA, or equivalent DPO appointment; SEC registration; and business permit
Sole proprietorship DTI Certificate of Business Name Registration, valid business permit, and notarized appointment if another person is designated as DPO
Foreign private entity Apostilled or authenticated DPO appointment and organizational documents, with English translations when necessary

Foreign documents coming from an Apostille Convention country are generally apostilled by the competent authority in the country of origin. Documents from a non-Apostille country may require authentication under the applicable Philippine procedure. (National Privacy Commission)

5. Export, Sign, Notarize, and Upload the DPO Form

After encoding the information:

  1. Export the system-generated DPO form.
  2. Have it signed by the DPO and the head of the organization.
  3. Have the completed form notarized.
  4. Scan and upload the notarized copy.

The NPC reviews the filing. When it identifies a deficiency, the registrant is ordinarily given five days to submit the missing or corrected requirement. Common avoidable issues include expired business permits, inconsistent company names, an outdated GIS, incomplete authority documents, and use of a personal rather than position-based DPO email. (National Privacy Commission)

6. Pay the Registration Fee

The NPC began integrating registration and renewal fees into NPCRS on October 1, 2024. The published schedule includes:

Registrant category Initial registration Renewal
Individual professional ₱500 ₱350
Organization operating at municipal level ₱500 ₱350
Regional, provincial, Metro Manila, or city-level organization ₱1,000 ₱500
National, multinational, or foreign branch ₱2,500 ₱1,000

Notarial costs and the cost of obtaining certified or apostilled documents are separate. The applicable category should be confirmed in NPCRS because the fee classification concerns the registrant’s organizational scope and status, not simply whether the enterprise is considered “small.” (National Privacy Commission)

7. Download and Display the Certificate and Seal

Once validated and paid, the Certificate of Registration and NPC Seal become available for download.

The seal must be displayed:

  • At the main entrance or another conspicuous place in the office or business premises; and
  • On the business’s main website, either as a link leading to the privacy notice or directly on the privacy-notice page.

The certificate and seal are valid for one year.

Deadlines, Renewals, and Updates

Action Deadline
Register a newly implemented covered system Within 20 days from commencement
Register an inaugural or newly appointed DPO Within 20 days from the appointment’s effectivity
Update ordinary or minor information, including a DPO change Within 10 days from the change
Report a change in registered business name or principal address Within 30 days from effectivity
Renew registration During the 30-day period before the certificate expires
Apply for withdrawal after cessation of business or processing Within two months from cessation

An expired and unrenewed certificate means the business is treated as unregistered. If a system is decommissioned, it should be tagged inactive through the amendment process rather than simply omitted from the next filing. (National Privacy Commission)

Common Mistakes Small Businesses Make

Assuming “Small” Means Automatically Exempt

A three-person clinic may process higher-risk information than a retail business with 100 employees. The type and consequences of processing matter as much as headcount.

Treating the 1,000-Person Threshold as the Only Test

Registration can be mandatory below 1,000 individuals when the processing poses a risk or involves automated decision-making or profiling.

Ignoring Employee and Applicant Records

Businesses frequently count customers but overlook years of payroll, medical, government-ID, tax, and recruitment records.

Believing Outsourcing Transfers All Responsibility

Using a cloud provider, payroll company, website developer, delivery platform, or external database does not automatically remove the business’s responsibility. A personal information controller remains accountable for processing carried out on its behalf.

Listing Only the Main Customer Database

Initial registration must cover all active data processing systems. Payroll, recruitment, CCTV, marketing, website forms, and physical filing systems may require separate treatment in the data inventory.

Using the DPO’s Personal Email

The NPC requires a unique, position-based email that remains with the business when the individual DPO changes.

Treating the NPC Seal as Proof of Complete Compliance

The certificate proves registration, not the accuracy or legality of every practice described in the filing. The NPC may later verify information through document requests, privacy sweeps, or on-site compliance checks. (National Privacy Commission)

What Happens If a Business Fails to Register?

A covered business that fails to register may receive a show-cause order, compliance order, cease-and-desist order, temporary or permanent processing ban, or administrative fine. Failure to renew, update required information, disclose automated processing, or display the registration seal can also lead to enforcement action. (National Privacy Commission)

Mere non-registration is distinct from criminal offenses under the Data Privacy Act. However, the underlying conduct may create separate criminal exposure when it involves unauthorized processing, negligent access, improper disposal, malicious disclosure, unauthorized disclosure, intentional breach, or concealment of a reportable breach.

A serious personal data breach may also require notification to the NPC and affected individuals within 72 hours from knowledge or reasonable belief that the breach occurred, subject to the legal conditions for mandatory notification. (National Privacy Commission)

Frequently Asked Questions

Does a sari-sari store need to register with the NPC?

Usually not through full registration if it has few workers, keeps only basic customer or supplier information, does not process sensitive information at scale, and conducts no risky or automated processing. It should still evaluate its activities and file the notarized exemption declaration if it chooses not to register voluntarily.

Does an online seller need NPC registration?

Not automatically. Review the number and type of records, payment or ID information collected, marketing practices, profiling tools, fraud-detection systems, and third-party platforms used. An ordinary contact and delivery database may qualify for exemption, while automated profiling or high-risk processing may require registration.

I have fewer than 250 employees. Am I automatically exempt?

No. Registration is still mandatory if the business processes sensitive personal information of at least 1,000 individuals, conducts risky processing, or uses automated decision-making or profiling.

Do 1,000 customer names trigger mandatory registration?

Not by themselves. The specific numerical test concerns sensitive personal information of 1,000 individuals. A large basic contact list may still require registration when other risk factors exist.

Is the Sworn Declaration and Undertaking optional?

It is required when a personal information controller or processor does not fall under mandatory registration and chooses not to register voluntarily. It must be notarized and submitted through NPCRS.

Can the owner act as the DPO?

Yes, this may be practical for a small business when the owner can competently perform the function. An individual professional is treated as the de facto DPO. The person should have sufficient authority, access, and knowledge to oversee compliance rather than holding the title only on paper.

Can one person serve as DPO for several related businesses?

Yes, a common DPO arrangement is allowed, but each legal entity must complete its own filing and use a separate official DPO email address.

Does using CCTV require NPC registration?

CCTV involves personal-data processing when people can be identified. Full registration depends on the mandatory-registration tests and the risks of the particular system. Facial recognition, extensive monitoring, surveillance of vulnerable persons, or other high-risk uses require closer assessment.

Does a foreign company serving Philippine customers have obligations under the Data Privacy Act?

Potentially. The Data Privacy Act can apply to processing outside the Philippines when it concerns Philippine citizens or residents and the foreign entity has relevant links to the Philippines, such as carrying on business here, entering contracts here, maintaining a local office or subsidiary, or collecting or holding information in the country. Foreign registration documents may need apostille or authentication and English translation. (National Privacy Commission)

Does NPC registration have to be renewed every year?

Yes. The Certificate and Seal are valid for one year, and renewal may be completed during the 30-day period before expiration.

Key Takeaways

  • A small business is not automatically exempt from NPC registration.
  • Full registration is mandatory if any applicable threshold or risk condition is present.
  • Automated decision-making or profiling requires registration regardless of business size.
  • The 1,000-person test concerns sensitive personal information, not merely ordinary customer names.
  • An exempt business must generally submit a notarized Sworn Declaration and Undertaking through NPCRS.
  • Exemption from registration does not remove obligations under the Data Privacy Act.
  • Businesses should appoint a responsible DPO, maintain a complete data inventory, provide privacy notices, secure personal data, and establish incident-response procedures.
  • Registered businesses must renew annually, update changes promptly, and display the NPC Seal at their premises and on their website.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.