Data privacy regulation is relatively new in the Philippines. Nonetheless, the Philippine National Privacy Commission (“NPC”) is exerting its best efforts to enforce the country’s data privacy laws. In this early stage, the NPC has taken the stance of educating and enabling personal information controllers (“PICs”) and personal information processors (“PIPs”) to comply with data privacy laws. These efforts have earned the NPC local and international recognition, respect and credibility, notwithstanding its being a new and young agency.
Further to the NPC’s mandate of monitoring the compliance of any natural or juridical person or other body involved in the processing of personal data, and specifically the security measures they have in place, the NPC issued NPC Circular No. 18-02 on 20 September 2018, which lays out guidelines on the conduct of data privacy compliance checks.
Compliance checks will be performed for the following purposes:
For the key highlights of the circular, please see below:
Modes of Compliance Checks
The NPC may employ any of the following modes of compliance checks:
The circular also sets out the considerations the NPC will weigh in deciding whether, and how, to conduct a compliance check against a PIC or PIP:
It is important to note that, based on any of the foregoing considerations, the NPC may in its discretion proceed directly to an on-site visit if the totality of the circumstances warrants such action.
The NPC shall send a Notice of Compliance Check, accompanied by a Privacy Compliance Questionnaire, to the PIC or PIP concerned, using the e-mail address the PIC or PIP provided when it registered with the NPC. Such notice shall be deemed received on the next business day. A Notice of Compliance Check will be sent in the following instances:
Notice of Deficiency, Compliance Order, Certificate of No Significant Findings
If the PIC or PIP is found to be non-compliant with data privacy laws, the NPC shall issue a Notice of Deficiencies indicating the period within which the identified deficiencies must be corrected, which shall not be less than 10 days. If, after this period lapses, the PIC or PIP has taken no action or the identified deficiencies persist, the NPC will issue a Compliance Order. A Compliance Order shall state the deficiencies remaining or the actions to be taken, the period within which the PIC or PIP must carry out the corrections ordered by the NPC, and the period within which it must report those actions.
On the other hand, the NPC shall issue a Certificate of No Significant Findings to a PIC or PIP that has undergone Document Submission or an On-site Visit where no substantial deficiencies were found, or where the deficiencies identified in the Notice of Deficiencies have been addressed to the satisfaction of the NPC. This Certificate is without prejudice to any other recommendation the NPC may make for the improvement of the PIC or PIP’s compliance with data privacy laws. Its issuance also does not bar an investigation into any possible liability arising from complaints and/or personal data breach reports filed with the NPC.
Refusal to Undergo Compliance Check or Failure to Comply with Compliance Order
A PIC or PIP that, without good reason and despite due notice, refuses to undergo or prevents the NPC from performing a compliance check may be subject to such sanctions as the law allows, including fines and other penalties as may be appropriate. Furthermore, deficiencies that the PIC or PIP fails to correct within the period prescribed in the Compliance Order may expose the PIC or PIP to criminal, civil or administrative penalties, without prejudice to other remedies available under the law.
This alert is for general information only and is not a substitute for legal advice.