A small business does not automatically need full registration with the National Privacy Commission (NPC) merely because it collects customer names, keeps employee records, or operates a website. But “small” is not a blanket exemption. Full registration becomes mandatory when the business meets any registration trigger under NPC Circular No. 2022-04—particularly workforce size, the volume of sensitive personal information processed, high-risk processing, or the use of automated decision-making or profiling.
When none of those triggers applies, the business may generally claim exemption from full registration. It must still file a notarized Sworn Declaration and Undertaking, commonly called the SDAU, through the NPC Registration System. Exemption from registration does not exempt the business from the Data Privacy Act of 2012 or from possible NPC compliance checks. (National Privacy Commission)
The Short Practical Answer
The proper filing depends on what the business does with personal data—not simply on its revenue, capitalization, or number of branches.
| Business situation | What the business generally needs to do |
|---|---|
| Any mandatory-registration trigger applies | Complete full NPC registration through the NPCRS |
| No mandatory trigger applies, but the business wants a Certificate of Registration | Register voluntarily |
| No mandatory trigger applies and the business will not register voluntarily | File a notarized SDAU through the NPCRS |
| The business later starts high-risk processing or crosses a threshold | Update its status and complete registration promptly |
The controlling rules appear in NPC Circular No. 2022-04 on the registration of personal data processing systems. The online filing platform is the NPC Registration System or NPCRS.
Why the Data Privacy Act Applies to Small Businesses
The Data Privacy Act of 2012, or Republic Act No. 10173, applies to the processing of personal information by individuals, companies, professionals, partnerships, associations, and other organizations.
“Processing” is broad. It includes collecting, recording, organizing, storing, using, sharing, retrieving, updating, blocking, deleting, or destroying personal data.
A business is usually a personal information controller, or PIC, when it decides:
- What personal data will be collected;
- Why the information is needed;
- How it will be used;
- Who may access or receive it; and
- How long it will be retained.
A business may be a personal information processor, or PIP, when it processes personal data on another organization’s instructions. Payroll providers, cloud-based accounting firms, outsourced customer-support teams, records-storage companies, and some marketing agencies commonly act as PIPs.
A business can be both. For example, an accounting firm is the controller of its employees’ records but may be a processor of payroll data received from clients.
Using Shopify, Google Workspace, a payroll application, a delivery platform, a cloud-storage service, or an outsourced bookkeeper does not transfer all privacy responsibility to the provider. A controller remains accountable for choosing appropriate service providers, setting contractual safeguards, and monitoring how outsourced data is handled. (National Privacy Commission)
When Is Full NPC Registration Mandatory?
A PIC or PIP must register its data processing systems when at least one of the following conditions applies.
1. The business employs 250 or more people
The 250-person threshold concerns the number of people employed by the organization. A business at or above this threshold must register even when it believes that the personal information it handles is routine.
Businesses close to the threshold should count their workforce carefully and document how they arrived at the number. The NPC rules refer to persons employed, so a business should not assume that only regular, permanent employees matter without examining its actual workforce arrangements.
2. The business processes sensitive personal information belonging to at least 1,000 individuals
This threshold is often misunderstood.
It is not simply “1,000 customers.” The rule concerns sensitive personal information of 1,000 or more individuals.
Sensitive personal information includes information about a person’s:
- Race, ethnic origin, marital status, age, color, or religious, philosophical, or political affiliation;
- Health, education, genetic information, or sexual life;
- Alleged or proven criminal offenses and related court proceedings;
- Government-issued identifiers and records, such as Social Security System numbers, tax records, health records, licences, and similar information; and
- Information specifically classified by law or executive issuance.
The count may include employees, former employees, applicants, customers, patients, students, suppliers, contractors, and other data subjects. It is not necessarily limited to active customers.
A retailer with 5,000 customer names, delivery addresses, and telephone numbers does not automatically cross this particular threshold because those details are generally personal information rather than sensitive personal information. However, another registration trigger—especially high-risk processing—may still apply. (National Privacy Commission)
3. The processing is likely to pose a risk to people’s rights and freedoms
A business may need to register even when it has only a few employees and fewer than 1,000 records.
The NPC’s exemption test identifies circumstances that can indicate higher risk, including processing involving:
- Minors, patients, elderly persons, asylum seekers, persons with mental-health conditions, and other vulnerable data subjects;
- Health or medical information;
- Criminal allegations or offenses;
- Legally privileged or confidential information;
- A significant imbalance between the business and the individual;
- Large-scale monitoring or systematic observation;
- Information that could affect public safety, public health, national security, or public order; and
- Automated decision-making or profiling.
This is why a small medical clinic, lending business, school, recruitment agency, or technology startup may have a stronger registration obligation than a much larger store that collects only basic contact details. (National Privacy Commission)
4. The business uses automated decision-making or profiling
A data processing system involving automated decision-making or profiling must be registered.
Automated decision-making means that a system makes or materially influences a decision about a person using automated processing. Profiling means evaluating or predicting aspects of a person, such as creditworthiness, work performance, preferences, behavior, reliability, health, or location.
Examples may include:
- Automated loan or credit scoring;
- Fraud-risk scoring that can block an account or transaction;
- Automated applicant ranking or rejection;
- Employee-performance scoring;
- Personalized pricing based on customer behavior;
- Behavioral advertising profiles;
- Facial-recognition attendance or access systems; and
- Systems that automatically determine eligibility for a service.
Using software does not automatically mean that automated decision-making exists. A spreadsheet used by a human to review applications is different from a system that independently scores and rejects applicants. The business should examine how the final decision is actually made.
Common Small-Business Scenarios
| Small-business activity | Likely filing position |
|---|---|
| Six-person neighborhood shop collecting customer names and delivery addresses | Usually eligible to file an SDAU if no high-risk activity exists |
| Online seller with 5,000 customers but only ordinary contact and order information | Customer count alone does not trigger the 1,000-sensitive-information rule; assess other risks |
| Dental clinic with 600 patient files | Full registration may be required because medical information and patients create elevated risk |
| Tutorial center or preschool processing children’s information | Full registration may be required because minors are vulnerable data subjects |
| Lending application using automated credit scoring | Full registration is mandatory because automated decision-making or profiling is involved |
| Recruitment agency screening applicants and retaining government IDs | Assess closely; sensitive information, power imbalance, and automated screening may trigger registration |
| Accounting or payroll provider handling data for several client companies | May be a PIP and may need registration based on the combined systems, data volume, and risks |
| Restaurant using an ordinary payroll system and reservation list | Often eligible for an SDAU, provided no other trigger exists |
| Employer using facial recognition for attendance | Likely high-risk and potentially profiling-based; full registration should be seriously considered |
| CCTV used only for ordinary premises security | Conduct a risk assessment; CCTV is not automatically exempt or automatically registrable in every case |
These are practical indicators, not substitutes for examining the business’s actual systems. Two businesses in the same industry may have different obligations because one uses manual review while the other uses automated scoring, or because one retains basic contact details while the other collects IDs, health records, or financial information.
How to Determine the Correct Filing
Before registering or claiming exemption, conduct a basic data inventory.
List all groups of people whose data you process. Include employees, applicants, former workers, customers, website visitors, patients, students, suppliers, contractors, delivery recipients, and CCTV subjects.
List the personal data collected from each group. Separate ordinary personal information from sensitive personal information. Government IDs, medical records, educational records, tax information, and criminal-history information require particular attention.
Identify every data processing system. A “system” is not limited to custom software. It may include an HR database, payroll platform, customer relationship management system, website, mobile application, CCTV system, electronic medical-record system, cloud drive, or structured paper-record system.
Count the individuals whose sensitive information is processed. Use a reasonable, supportable method. Consider active and retained historical records, not only newly collected information.
Check for automated decisions or profiling. Ask vendors what their software scores, predicts, recommends, flags, ranks, or rejects.
Assess the possible harm. Consider identity theft, financial loss, discrimination, embarrassment, physical danger, loss of employment, denial of services, or exposure of confidential information.
Record your conclusion. Keep a brief written assessment showing why the business registered or why it believed it qualified for the SDAU. This can be useful during a compliance check.
How to Register a Small Business with the NPC
Full registration is completed online through the NPCRS.
Step 1: Designate a Data Protection Officer
A Data Protection Officer, or DPO, oversees the organization’s privacy-compliance program and serves as a contact person for data subjects and the NPC.
The business should provide the DPO with a dedicated, organization-controlled email address, such as dpo@businessname.ph or privacy@businessname.com. The NPC requires a unique DPO email for each registered entity. A common DPO may serve related companies, but each entity requires its own registration and dedicated email address. (National Privacy Commission)
Step 2: Create an NPCRS account
Create an account at the NPC Registration System. Enter the organization’s legal name, address, business details, head of organization, DPO, and contact information.
Use the exact registered business name appearing in the DTI or SEC records. Differences involving trade names, punctuation, suffixes, or corporate names can lead to deficiencies.
Step 3: Encode all active data processing systems
The registration should cover the organization’s active systems, including publicly accessible websites, mobile applications, online platforms, outsourced systems, and other systems through which personal data is processed.
The requested information may include:
- The system’s name and purpose;
- Categories of data subjects;
- Types of personal information collected;
- Recipients or persons given access;
- Outsourced service providers;
- Security measures;
- Retention and disposal arrangements;
- Data-sharing activities; and
- Transfers of personal data outside the Philippines.
Do not register only the customer database while forgetting payroll, recruitment, CCTV, website forms, loyalty systems, or other active systems.
Step 4: Upload the required supporting documents
The documents depend on the organization’s legal form.
| Type of business | Common supporting documents |
|---|---|
| Sole proprietorship | DTI Certificate of Business Name Registration, valid business permit, and a notarized DPO appointment document when another person is designated |
| Corporation | SEC Certificate of Registration, certified true copy of the latest General Information Sheet, valid business permit, and notarized Secretary’s Certificate or equivalent DPO appointment authority |
| One Person Corporation | SEC Certificate, valid business permit, and DPO appointment document signed by the sole director |
| Partnership | SEC Certificate, valid business permit, and notarized partnership resolution, special power of attorney, or equivalent appointment document |
| Foreign private entity | Authenticated or apostilled registration and appointment documents, English translations when necessary, and applicable Philippine permit or equivalent evidence |
The NPCRS generates an official DPO registration form after the information is encoded. The DPO and head of organization must sign the system-generated form, have it notarized, and upload the scanned copy. Using a self-created substitute instead of the generated form may result in a deficiency. (National Privacy Commission)
Step 5: Correct any deficiencies promptly
The NPC reviews the application after submission. When a deficiency notice is issued, the applicant generally has five days to make the correction. Failure to cure the deficiency can result in the application being archived or treated as unregistered.
Common deficiencies include:
- An inconsistent business name;
- An expired permit;
- An unsigned or improperly notarized form;
- Missing authority for the person appointing the DPO;
- A personal or reused DPO email address;
- An incomplete list of processing systems; and
- Illegible scans.
Step 6: Pay the applicable fee
Payment becomes available through the NPCRS after the application is validated.
| Registration category | Initial registration fee | Renewal fee |
|---|---|---|
| Individual or professional | ₱500 | ₱350 |
| Multinational, national organization, or foreign branch | ₱2,500 | ₱1,000 |
| Regional, provincial, Metro Manila, or city-level organization | ₱1,000 | ₱500 |
| Municipality-level organization | ₱500 | ₱350 |
The correct category depends on the organization’s nature and operational coverage. The NPC may also charge separate fees for certain major amendments, certified copies, validation, or account-recovery services.
Step 7: Download the Certificate of Registration and NPC Seal
After approval and payment, the business can download its Certificate of Registration and NPC Seal through the NPCRS.
The certificate is normally valid for one year. Renewal is available within the 30-day period before expiration. A certificate proves that the registration requirement was completed; it does not mean that the NPC has audited or approved every privacy practice described in the application. (National Privacy Commission)
The seal should be displayed as required at the establishment and, where applicable, on the organization’s online platforms.
How to Claim Exemption Through the SDAU
A business that does not meet any mandatory-registration trigger may claim exemption through the NPCRS.
The current procedure is:
- Log in to the NPCRS.
- Select the appropriate registration type.
- Indicate that the organization is applying for exemption.
- Download the system-generated SDAU.
- Complete and print the form.
- Have the declaration notarized.
- Scan and upload the notarized SDAU.
- Retain the confirmation and a copy of the filed document.
There is no filing fee for the SDAU. The declaration is legally binding and may be used in place of a Certificate of Registration and NPC Seal when proof of the organization’s filing status is requested. (National Privacy Commission)
The SDAU is not a “certificate of exemption”
The NPC does not issue a separate certificate declaring that it independently verified the business’s exemption. The SDAU is the organization’s sworn representation that it meets the exemption conditions.
The NPC may later examine the declaration. A business that understates its workforce, ignores high-risk activities, or fails to disclose automated profiling may face compliance and enforcement consequences.
The SDAU does not require annual renewal when the organization’s circumstances remain unchanged. However, the business must update its filing or proceed with full registration when a material change causes a mandatory trigger to apply. (National Privacy Commission)
What an Exempt Small Business Must Still Do
Exemption concerns the registration requirement. It does not remove the business’s substantive duties under the Data Privacy Act.
An exempt business should still:
- Designate a DPO or accountable privacy person;
- Publish or provide a clear privacy notice;
- Identify a lawful basis for collecting and using personal data;
- Collect only information that is necessary for a legitimate purpose;
- Keep personal data accurate and updated where necessary;
- Limit employee and contractor access;
- Use passwords, access controls, backups, encryption, and other safeguards appropriate to the risk;
- Set retention periods and securely dispose of obsolete records;
- Execute appropriate agreements with processors and service providers;
- Establish procedures for access, correction, objection, deletion, and other data-subject requests;
- Maintain a process for investigating security incidents and personal data breaches;
- Train employees who handle personal information; and
- Document major processing activities and privacy decisions.
The core privacy principles are transparency, legitimate purpose, and proportionality. In practical terms, people should understand what the business is doing with their information; the purpose must be lawful and specific; and the business should not collect or retain more information than it genuinely needs. (National Privacy Commission)
Registration Deadlines and Updates
A mandatorily covered business should register a newly implemented data processing system or its inaugural DPO within 20 days from the relevant event.
Minor amendments, including updates to system information or the appointment of a new DPO, generally need to be submitted within 10 days. Changes to the organization’s name or principal address are treated as major amendments and should generally be reported within 30 days. (National Privacy Commission)
A business should not wait for the annual renewal period to report an important change.
Events that may require action include:
- Replacing the DPO;
- Adding a mobile application;
- Launching automated credit scoring;
- Starting facial-recognition attendance;
- Opening a patient or student portal;
- Acquiring another business’s customer database;
- Beginning large-scale processing of government IDs;
- Changing the legal business name; or
- Moving the principal office.
Common Mistakes Small Businesses Make
Assuming that fewer than 250 employees means automatic exemption
The employee threshold is only one of several triggers. A ten-person clinic or lending company may still need full registration because of high-risk information or automated decisions.
Counting only active customers
Historical files, former employees, applicants, inactive patients, students, and archived accounts may still be part of the processing operation while the information remains retained and accessible.
Treating all personal information as sensitive personal information
Names and ordinary contact details are personal information, but they are not automatically sensitive personal information. The 1,000-person threshold must be applied to the correct legal category.
Ignoring the risks created by software vendors
A vendor may use algorithms, behavioral scoring, facial recognition, fraud scoring, or profiling even when the business describes the product as merely a “platform.” Ask the vendor for a clear explanation of the processing.
Believing outsourcing removes accountability
Hiring a payroll company, cloud host, marketing agency, or records-storage provider does not eliminate the controller’s duties. Contracts should specify permitted processing, confidentiality, security, breach reporting, return or deletion of data, and audit or monitoring arrangements.
Filing an SDAU without conducting an assessment
Because the SDAU is sworn and notarized, it should not be treated as a routine checkbox. The person signing it should understand the business’s systems and have a defensible basis for every declaration.
Allowing the registration to expire
An expired or unrenewed certificate may cause the organization to be treated as unregistered. Calendar the renewal window and keep the NPCRS account, DPO email, and authorized contact information accessible.
Penalties and NPC Enforcement
Under NPC Circular No. 2022-01 on administrative fines, failure to register required information or failure to update registered information may result in an administrative fine ranging from ₱50,000 to ₱200,000.
Failure to comply with an NPC order may result in an additional fine of up to ₱50,000. More serious violations involving privacy principles, security obligations, or substantial numbers of affected individuals can lead to significantly larger administrative fines, separate civil liability, and—when the elements of an offense under RA 10173 are present—possible criminal proceedings. (National Privacy Commission)
Nonregistration by itself should be distinguished from unlawful processing or a security breach. A business may be registered and still violate the law, while an unregistered business may have both a registration problem and separate deficiencies in consent, security, retention, transparency, or breach response.
The NPC conducts compliance checks and privacy sweeps and may issue notices or show-cause orders when an organization appears to be operating without the required registration, seal, privacy notice, or DPO contact information. (National Privacy Commission)
Special Considerations for Foreign Businesses
A foreign company may be covered by the Data Privacy Act even when its servers or head office are outside the Philippines. Coverage can arise when the company:
- Has an office, branch, subsidiary, representative, or other link to the Philippines;
- Processes personal data in the Philippines;
- Offers goods or services to Philippine residents;
- Collects personal information from individuals in the Philippines; or
- Processes information relating to Philippine citizens or residents in circumstances covered by the Act.
A foreign private entity registering with the NPC may need apostilled or otherwise authenticated corporate and DPO appointment documents. Documents written in another language should be accompanied by an English translation acceptable for filing. (National Privacy Commission)
Foreign ownership does not create a separate exemption. A foreign-owned Philippine corporation, Philippine branch, or overseas online business covered by the Act must apply the same registration triggers and privacy obligations.
Frequently Asked Questions
Does a sole proprietor need to register with the NPC?
Possibly. A sole proprietorship must complete full registration when any mandatory trigger applies. Otherwise, it may file an SDAU. The owner may act as the DPO, although another qualified person can be formally designated.
Is a business with fewer than 250 employees automatically exempt?
No. It may still need registration if it processes sensitive personal information of at least 1,000 individuals, conducts high-risk processing, or uses automated decision-making or profiling.
Do I have to register because I have more than 1,000 customers?
Not necessarily. The numerical trigger concerns sensitive personal information belonging to at least 1,000 individuals—not merely 1,000 customer names. You must still assess high-risk processing and automated profiling.
Does a small online seller need NPC registration?
A typical online seller collecting names, contact numbers, delivery addresses, and order details may qualify for an SDAU. Full registration may be required if the seller uses behavioral profiling, automated eligibility decisions, extensive identity verification, high-risk financial information, or another mandatory trigger.
Does a small clinic need to register even with fewer than 1,000 patients?
It may. Patient and health information is sensitive, and patients are specifically recognized as potentially vulnerable data subjects. The clinic should assess whether the nature and consequences of the processing make it likely to pose a risk to patients’ rights and freedoms.
Can the owner also be the Data Protection Officer?
Yes, particularly in a sole proprietorship or small professional practice, provided the owner can perform the role properly and manage conflicts of interest. The DPO should have enough authority, access, and understanding of the organization’s systems to address privacy issues.
Is the SDAU the same as a Certificate of Exemption?
No. It is a sworn declaration by the organization that it qualifies for exemption. The NPC does not issue a separate certificate confirming that it has independently verified the claim.
Does the SDAU need to be renewed every year?
Generally, no, when the organization’s circumstances remain unchanged. The business should update its filing or register fully when its processing changes materially or a mandatory-registration trigger arises.
How often must a Certificate of Registration be renewed?
The certificate is generally valid for one year. Renewal should be completed through the NPCRS during the 30-day period before expiration.
What happens if my business becomes registrable later?
Reassess the business immediately, update the NPCRS information, and complete full registration. Do not continue relying on an old SDAU after adopting profiling, expanding into high-risk data, or crossing a mandatory threshold.
Key Takeaways
- A small business is not automatically exempt from NPC registration.
- Full registration is mandatory when any trigger under NPC Circular No. 2022-04 applies.
- The key triggers are 250 or more employees, sensitive personal information of at least 1,000 individuals, high-risk processing, and automated decision-making or profiling.
- A qualified business that does not register voluntarily must file a notarized SDAU through the NPCRS.
- The SDAU is a sworn claim of exemption, not an NPC-issued certificate confirming exemption.
- Exemption from registration does not exempt the business from the Data Privacy Act.
- Every business should inventory its data, systems, vendors, risks, and automated processes before deciding how to file.
- Registration must be renewed and material changes must be reported within the applicable period.
- Failure to register or update required information can result in administrative fines and NPC enforcement.