Automated Decision-Making Notification
Plain English Translation
Before initiating any wholly or partly automated processing operation — including passive data collection — organizations must notify the NPC, providing details on the processing methods, the logic used, and any automated decisions that could affect data subjects' rights. No legally significant decision may be made solely on the basis of automated processing without the data subject's explicit consent. This requirement ensures human oversight of automated systems that affect individuals.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Inventory all software applications to determine if any perform automated profiling, passive data collection, or autonomous decision-making.
Required Actions (scaleup)
- Include detailed descriptions of automated logic, data inputs, and retention limits within the Record of Processing Activities (RoPA) for NPC submission.
Required Actions (enterprise)
- Implement mandatory algorithmic impact assessments and build automated consent gateways into the architecture to pause legal decisions pending human review.
Automated decision-making refers to wholly or partly automatic processing operations, such as profiling or passive data collection, that use algorithms to make decisions affecting the data subject's rights.
The organization must notify the Commission prior to carrying out any wholly or partly automatic processing operations intended to serve a single or related purposes.
Yes, under NPC rules, automated processing systems must be declared and documented as part of the broader Data Processing System (DPS) registration requirements.
The notification must detail the purpose of processing, categories of data, recipients, storage duration, methods and logic used, and any automated decisions affecting data subject rights.
Yes, Circulars updating DPS registration encompass systems used for profiling and automated decision-making, ensuring regulatory visibility into these high-risk processing operations.
A Data Processing System is the structure and procedure by which personal data is collected and further processed in an information and communications system or relevant filing system.
Any personal information controller or processor operating in the country that employs 250 or more persons, or meets specific data volume thresholds, must register.
Yes, organizations processing sensitive personal information of 1,000 or more individuals, including government contractors, must register their processing systems.
Companies register by logging into the National Privacy Commission Registration System (NPCRS) portal and detailing their automated systems within their broader Record of Processing Activities submission.
Failing to register or notify the NPC is considered unauthorized processing, which can result in cease and desist orders, processing bans, and substantial administrative fines.
Automated decision-making obligations are hard to manage when teams do not know which applications, SaaS tools, cloud workflows, or identity-linked systems perform profiling or passive data collection. WatchDog Security's Asset Inventory can help maintain a centralized view of systems and ownership so privacy teams can flag candidates for NPC notification and DPS registration review.
DPS registration requires more than a one-time form submission; organizations need current evidence showing system purpose, processing logic, data categories, safeguards, and review history. WatchDog Security's Compliance Center can help map these artifacts to the Philippines Data Privacy Act control, assign evidence owners, track gaps, and maintain registration-ready documentation over time.
"The personal information controller shall notify the Commission before carrying out any wholly or partly automatic processing operations or set of such operations intended to serve a single purpose or several related purposes, including passive collection of data."
"The contents of notification should sufficiently detail the following information: ... Methods and logic utilized for automated processing; Any decisions relating to the data subject that would be made on the basis of processed data or that would affect adversely the rights and freedoms of data subject."
"No decision with legal effects concerning the data subject shall be made solely on the basis of automated processing, unless data subject consents."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-06 | Compliance Content Specialist | Initial publication |

