A CEO’s Guide to Registration of Data Processing System with the National Privacy Commission (Part 4: Automated Decision-Making, Lawful Basis of Processing, and the Seal of Registration)
As artificial intelligence and data analytics dominate modern business strategies, executive leadership—including business owners, Chief Executive Officers (CEOs), Chief Financial Officers (CFOs), Data Protection Officers (DPOs), and General Counsels—must closely scrutinize how their technological systems legally process information. The National Privacy Commission (NPC) strictly regulates advanced data processing operations to protect citizens from discriminatory or opaque algorithmic decisions. This final guide focuses on the stringent requirements surrounding automated decision-making, the necessity of demonstrating a lawful basis for processing, and the mandatory display of the NPC Seal of Registration.
Doctrinal Foundations: Automated Decision-Making and Profiling
A primary focus of recent NPC regulations is the oversight of automated processing. “Automated Decision-making” refers to wholly or partially automated operations that make decisions using technological means totally independent of human intervention, which often includes profiling (Section 2 of NPC Circular No. 2022-04). If a Personal Information Controller (PIC) carries out automated decision-making or profiling, it is legally mandated to register the specific Data Processing System involved, regardless of the company’s size (Section 5 of NPC Circular No. 2022-04).
When registering these advanced systems, the DPO must explicitly notify the NPC by providing detailed operational information. This includes the lawful basis for the processing, the retention period for the processed data, the methods and logic utilized by the algorithms, and the possible decisions relating to the data subject that are generated by the system (Section 26 of NPC Circular No. 2022-04). The NPC has the authority to issue orders requiring the PIC or PIP to submit additional supporting documents pertaining to how their algorithms function and how they impact individuals’ rights (Section 28 of NPC Circular No. 2022-04).
Establishing a Valid Lawful Basis for Processing
During registration, a company cannot simply claim a vague business need; it must declare a strict statutory basis for processing personal data. The collection and processing of personal information must be anchored to a legitimate purpose permitted by law, such as the data subject’s explicit consent, the fulfillment of a contract, or compliance with a legal obligation (Section 12 of the Data Privacy Act of 2012). If the system processes sensitive personal information—such as an individual’s race, health status, or financial data—the legal threshold is even higher, strictly prohibiting processing unless explicit consent is given or another narrow statutory exception applies (Section 13 of the Data Privacy Act of 2012). Notably, the NPC explicitly rejects invalid justifications; for example, a business cannot claim that “renewal of business license” or “registration of DPO” is a valid legal purpose to process the personal data of its clients.
The Mandatory NPC Seal of Registration
Compliance is not solely a backend legal exercise; it requires public transparency. Upon successful registration, the NPC issues a Certificate of Registration alongside a Seal of Registration, both valid for one (1) year (Sections 14 and 31 of NPC Circular No. 2022-04). The Seal contains the word “Registered”, its validity period, and a unique QR code that allows the public to easily verify the entity’s name, DPO email, and registration status (Section 30 of NPC Circular No. 2022-04).
To ensure visibility to all data subjects, organizations are legally mandated to prominently display this Seal at the main entrance of their physical place of business (Section 32 of NPC Circular No. 2022-04). Furthermore, businesses must display the Seal on their main website, either as a clickable link leading directly to their privacy notice or displayed directly on the privacy notice page itself (Section 32 of NPC Circular No. 2022-04).
Typical Scenarios and Practical Implications
Scenario 1: The Fintech Algorithmic Lender. A financial technology firm uses machine learning to analyze the mobile phone usage, location data, and spending habits of its app users to automatically approve or deny micro-loans. Because this system relies entirely on automated decision-making and profiling that significantly affects the users, the General Counsel and DPO must notify the NPC during registration, explicitly disclosing the logic and methods utilized by the lending algorithm (Section 26 of NPC Circular No. 2022-04).
Scenario 2: The E-Commerce Platform. An online retailer successfully completes its registration. The CEO instructs the web development team to embed the NPC Seal of Registration into the footer of their e-commerce website. By linking the unique QR code on the Seal directly to their public privacy notice, the retailer strictly complies with the mandatory digital display rule, fostering consumer trust (Section 32 of NPC Circular No. 2022-04).
Practical Advice for Affected Individuals
CEOs and business owners must demand transparency from their own IT and software development teams; if an organization uses AI or automated profiling, leadership must understand the basic logic of the algorithm to ensure it complies with the law. General Counsels should rigorously audit the “lawful basis” claims made by the marketing and operational departments to ensure they strictly align with statutory requirements before the DPO submits the application (Section 12 of the Data Privacy Act of 2012). CFOs must invest in robust digital infrastructure to secure this data, as the financial penalties for algorithmic discrimination or data breaches are immense. Finally, DPOs should coordinate directly with facilities management and website administrators to ensure the physical and digital Seal of Registration is permanently displayed and updated annually to prevent administrative sanctions (Section 32 of NPC Circular No. 2022-04).
18 March 2026
About Nicolas and De Vega Law Offices
Nicolas and de Vega Law Offices is a full-service law firm in the Philippines. You may visit us at the 16th Flr., Suite 1607 AIC Burgundy Empire Tower, ADB Ave., Ortigas Center, 1605 Pasig City, Metro Manila, Philippines. You may also call us at +632 84706126, +632 84706130, +632 84016392 or e-mail us at [email protected]. Visit our website https://ndvlaw.com.

