DPO Roles in the Philippines: Can an External DPO Be Appointed?

External Service Providers Can Serve as Data Protection Officers under Philippines Data Privacy Act

Key Takeaways (TL;DR)

  • Data Protection Officers (DPOs) are data protection experts who must perform their duties independently and with no conflicts of interest.
  • While some laws, like the GDPR, expressly permit a DPO to be a company employee or an external third-party service provider, the data privacy law in the Philippines is less clear on this issue.
  • VeraSafe recently obtained confirmation from the Philippines National Privacy Commission (NPC) that an external service provider may serve as a DPO in the Philippines.

What Is a DPO?

Generally, a DPO is an independent data protection expert appointed by an organization to ensure privacy law compliance. Typically, the DPO is responsible for: (a) monitoring an organization’s compliance with applicable privacy laws; (b) informing and advising the organization on its data protection obligations; and (c) serving as the main point of contact for data subjects and relevant supervisory authorities. 

Under some laws, like the GDPR, certain organizations are required to appoint a DPO. In such cases, DPOs can either be internal to the organization (i.e., employees) or they can be external (e.g., third-party service providers). Appointing an internal DPO can present certain challenges because they must have the necessary skills and are required to perform their duties independently and with no conflicts of interest. This means that (a) the organization cannot instruct the DPO in terms of how they perform their duties; and (b) any other responsibilities the DPO may have within the organization (e.g., CEO, COO, etc.) cannot conflict with their DPO duties.

VeraSafe’s Data Protection Officer Service offers a solution to this quagmire by providing a team of in-house American and European privacy attorneys and IT security experts who are uniquely equipped to serve as a company’s external DPO team. The VeraSafe DPO team has the ability to bring an impartial perspective to a company’s privacy compliance program allowing it to operate independently and with no conflicts of interest.

Philippine Data Privacy Laws Do Not Clearly State Whether DPOs Can Be External

In this context, VeraSafe was recently presented with the question of whether it could serve as a foreign, external DPO in the Philippines under that country’s law.

The Philippines Data Privacy Act of 2012 (DPA) and its Implementing Rules and Regulations issued by the NPC require all personal information controllers (PICs) and personal information processors (PIPs) to appoint a DPO.¹ Similar to the GDPR, Philippine law requires DPOs to be experts in data privacy and data protection and to perform their duties independently and with no conflicts of interest. However, the guidance provided by the NPC on whether DPOs can be external has been less clear.

Initially, the NPC stated that the DPO “should be a full-time or organic employee of the PIC or PIP.”² Subsequently, the NPC seemingly opened the door to possible exceptions to this rule when it issued guidance noting that a DPO must be an organic employee “except where allowed otherwise by law or the [NPC]…”³ The NPC then reinforced this position in its website FAQ section indicating that PICs and PIPs “may outsource or subcontract the functions of [the] DPO…”⁴

Despite the NPC’s additional guidance, questions still remained concerning the potential use of external DPOs in the Philippines, such as (a) whether an external DPO could be located outside the Philippines; and (b) whether the geographic establishment of the PIC or PIP impacts the determination.

Clarification Obtained from the NPC

Consequently, VeraSafe recently sought clarification from the NPC on whether a PIC or PIP, whether established in the Philippines or otherwise subject to the Philippine data privacy laws, could appoint a foreign (i.e., not located in the Philippines) external third-party service provider to act as its DPO.

The NPC responded affirmatively – foreign, external third-party DPOs are permitted under the Philippine data privacy laws, provided that there is no exclusivity in the contract between the PIC or PIP and the third-party DPO and the applicable contract contains a term of not less than two years.

In sum, external DPOs like VeraSafe provide companies with a solution that avoids the dissonance and challenges that can be associated with appointing an internal DPO. Determining whether your company requires a DPO and understanding the legal requirements associated with appointing a DPO can be a complex and time-consuming process. VeraSafe has the experience and resources to guide you and help your business do this correctly.
