WikiFrameworksPhilippines DPA (2012)Automated Decision-Making Notification

Automated Decision-Making Notification

Plain English Translation

Before initiating any wholly or partly automated processing operation — including passive data collection — organizations must notify the NPC, providing details on the processing methods, the logic used, and any automated decisions that could affect data subjects' rights. No legally significant decision may be made solely on the basis of automated processing without the data subject's explicit consent. This requirement ensures human oversight of automated systems that affect individuals.

Executive Takeaway

Organizations must formally notify the National Privacy Commission about systems utilizing automated decision-making or profiling to ensure algorithmic transparency and prevent unauthorized automated legal decisions.

ImpactHigh
ComplexityMedium

Why This Matters

  • Fulfills a mandatory RA 10173 requirement to declare automated systems to the regulator, avoiding processing bans and fines.
  • Prevents the organization from making unlawful automated decisions with legal impacts by requiring explicit consent mechanisms.
  • Builds data subject trust by ensuring transparency regarding how algorithms process personal data and profile individuals.

What “Good” Looks Like

  • Automated processing systems are thoroughly documented within the Record of Processing Activities and submitted via NPCRS; tools like WatchDog Security's Asset Inventory can help maintain system ownership, application inventory, and processing context for review.
  • Public privacy policies clearly disclose the use of automated decision-making, profiling, and the underlying logic used; tools like WatchDog Security's Policy Management can help manage version control, review cycles, and approval evidence for these notices.
  • Systems processing decisions with legal effects are configured to require and capture explicit user consent before execution.

Put Philippines DPA (2012) compliance + 19 others on autopilot

Starting at $99/admin/mo — includes all frameworks, evidence automation, and AI-powered gap analysis.

Start Free Trial No credit card required

Automated decision-making refers to wholly or partly automatic processing operations, such as profiling or passive data collection, that use algorithms to make decisions affecting the data subject's rights.

The organization must notify the Commission prior to carrying out any wholly or partly automatic processing operations intended to serve a single or related purposes.

Yes, under NPC rules, automated processing systems must be declared and documented as part of the broader Data Processing System (DPS) registration requirements.

The notification must detail the purpose of processing, categories of data, recipients, storage duration, methods and logic used, and any automated decisions affecting data subject rights.

Yes, Circulars updating DPS registration encompass systems used for profiling and automated decision-making, ensuring regulatory visibility into these high-risk processing operations.

A Data Processing System is the structure and procedure by which personal data is collected and further processed in an information and communications system or relevant filing system.

Any personal information controller or processor operating in the country that employs 250 or more persons, or meets specific data volume thresholds, must register.

Yes, organizations processing sensitive personal information of 1,000 or more individuals, including government contractors, must register their processing systems.

Companies register by logging into the National Privacy Commission Registration System (NPCRS) portal and detailing their automated systems within their broader Record of Processing Activities submission.

Failing to register or notify the NPC is considered unauthorized processing, which can result in cease and desist orders, processing bans, and substantial administrative fines.

Automated decision-making obligations are hard to manage when teams do not know which applications, SaaS tools, cloud workflows, or identity-linked systems perform profiling or passive data collection. WatchDog Security's Asset Inventory can help maintain a centralized view of systems and ownership so privacy teams can flag candidates for NPC notification and DPS registration review.

DPS registration requires more than a one-time form submission; organizations need current evidence showing system purpose, processing logic, data categories, safeguards, and review history. WatchDog Security's Compliance Center can help map these artifacts to the Philippines Data Privacy Act control, assign evidence owners, track gaps, and maintain registration-ready documentation over time.

PHILIPPINES-DPA Rule XI, Section 48

"The personal information controller shall notify the Commission before carrying out any wholly or partly automatic processing operations or set of such operations intended to serve a single purpose or several related purposes, including passive collection of data."

PHILIPPINES-DPA Rule XI, Section 48(a)

"The contents of notification should sufficiently detail the following information: ... Methods and logic utilized for automated processing; Any decisions relating to the data subject that would be made on the basis of processed data or that would affect adversely the rights and freedoms of data subject."

PHILIPPINES-DPA Rule XI, Section 48(c)

"No decision with legal effects concerning the data subject shall be made solely on the basis of automated processing, unless data subject consents."

VersionDateAuthorDescription
1.0.02026-05-06Compliance Content SpecialistInitial publication