NPC registration of data processing systems and DPOs: a clear, fact-based explanation for Philippine businesses, with osFoundry as the example and dgm as an independent partner.

dgm is an independent osFoundry implementation partner — not affiliated with osFoundry’s developer (the company OS LLC), and it has not yet completed any client integrations.

The Data Privacy Act requires many organizations to register their Data Protection Officer and data processing systems with the National Privacy Commission — and to declare automated decision-making or profiling.

What registration involves

NPC Circular 2022-04 sets the framework for registering Data Protection Officers (DPOs) and Data Processing Systems (DPS) through the NPC Registration System. Registration fees took effect 1 October 2024, alongside a Sworn Declaration and Undertaking for entities exempt from DPS registration. Crucially for AI, controllers carrying out automated decision-making or profiling must indicate this in the registration record and identify the system involved.

What it means for AI

If your AI performs profiling or automated decisions about people, that must be declared at registration. Map which systems do so, document the logic and safeguards, and keep human oversight where decisions significantly affect people.

Keeping data in the Philippines

osFoundry pins the data region to the United States, the EU or Japan, runs models locally on your own hardware, and supports self-hosting (BYO Cloud) on a cloud account you control. There is no dedicated managed Philippines region inside osFoundry, and — importantly — no hyperscaler operates a generally available full cloud region inside the Philippines as of 2026: Amazon Web Services runs a Local Zone in Manila (an extension of its Singapore region, not a full region), while Microsoft Azure and Google Cloud serve the country from Singapore. The honest implication is straightforward. The Data Privacy Act of 2012 does not impose a general private-sector data-localization requirement; cross-border transfer runs on an accountability model, so a deployment in the nearest Singapore region can be compliant provided your business stays accountable for the data. Where you need strict in-country control, the honest path is self-hosting on infrastructure you run in the Philippines, or running open-weight models locally (local-first). One further point worth weighing: data held by a United States-headquartered provider can fall within the reach of the US CLOUD Act regardless of where it physically sits, so pinning to a US provider’s Singapore region does not by itself remove US legal jurisdiction — a reason some businesses prefer EU or self-hosted open-weight options. Always confirm the current position with the National Privacy Commission or qualified counsel.

Important note

This article is general information and is not legal, tax or grant advice. Tax incentives, grants, rules and rates change, and only the relevant authorities (among them the National Privacy Commission, the Bureau of Internal Revenue, PEZA, the Board of Investments, the Bangko Sentral ng Pilipinas and the SEC) decide eligibility and awards. dgm is not a registered business enterprise, accredited incentive provider or intermediary. Always confirm the current terms with the official source or a qualified tax or legal adviser.

How dgm helps

dgm is an independent implementation partner that helps businesses in the Philippines adopt osFoundry — from identifying the first practical use case, through building it, to connecting AI to the systems you already use. dgm works independently of osFoundry’s developer (the company OS LLC) and has not yet completed any client integrations; everything above is therefore a description of the service offered, not a delivered result. If you would like to look at a sensible first step, dgm is happy to think it through with you. Arrange a no-obligation conversation with dgm.