Privacy Matters: The National Privacy Commission (NPC) issued NPC Circular No. 2024-01 dated January 26, 2024 amending certain provisions of its 2021 Rules of Procedure
The Circular includes Rule XII on Compliance Checks subjecting a Personal Information Controller (PIC) or a Personal Information Processor (PIP) to a Compliance Check based on any of the following considerations:
1. Level of risk to the rights and freedoms of data subjects posed by personal data processing by a PIC or PIP;
2. Reports received by the NPC against the PIC or PIP, or its sector;
3. Non-registration of a PIC or PIP that is subject to the mandatory registration requirement as provided under NPC Circular on Registration of Data Processing System;
4. Unsecured or publicly available personal data found on the premises and on the internet that may be traced to a PIC or PIP;
5. Other considerations that indicate non-compliance with the Data Privacy Act of 2012 (DPA), Implementing Rules and Regulations (IRR), or NPC issuances; and
6. When, in the discretion of the Compliance and Monitoring Division (CMD), there is an urgent need to ensure the protection of voluminous personal data records and the same can only be done by actual physical inspection of said records within the PIC’s or PIP’s office premises.
The CMD of the NPC shall send an order to a PIC or PIP on the conduct of a Compliance Check through the electronic mail address used at the time it registered with the NPC. Such order shall be deemed received on the next business day. The CMD shall then conduct a Privacy Sweep of all publicly available or accessible information of a PIC or PIP.
The CMD may also conduct an on-the-spot Privacy Sweep on the premises, pop-up stores, kiosks, or stalls of a PIC or PIP where personal data is processed. The Privacy Sweep shall be limited to public areas and publicly available or accessible information. The CMD may verify the PIC or PIP’s compliance by examining all physical or digital forms, including, but not limited to, data processing systems, logbooks, raffle coupons, brochures, and posters used in the PIC or PIP’s operations.
The CMD shall then issue a Warning Letter or a Notice of Document Submission, whichever is applicable to the PIC or PIP, requiring the latter to comply and/or submit pertinent documents, which shall then be reviewed and assessed by the Evaluating Officer. Failure of the PIC or PIP to comply with the Warning Letter within seven (7) calendar days, or with the Notice of Document Submission within fifteen (15) days, shall subject it to an order to show valid cause why it should not be subject to the NPC’s issuance on administrative fines and other actions the Commission may deem proper to ensure compliance with the law.
The NPC, through the CMD, may also conduct an On-Site Visit (OSV) to the PIC or PIP’s principal place of business or where personal data is processed in cases where there are persistent issues or substantial findings of non-compliance with the obligations indicated in the DPA and NPC issuances. A notice of OSV shall be issued by the CMD to the PIC or PIP at least five (5) days before such visit. The notice shall include a list of required documents to be submitted by the PIC or PIP at least three (3) days prior to the OSV.
Based on the determination from the OSV, the CMD shall issue:
(a) A Notice of Deficiencies indicating the period of time within which to correct the identified deficiencies, which shall not be less than ten (10) days from receipt of the Notice; or
(b) Compliance Order which shall state the deficiencies remaining or actions to be taken, including the period within which to undertake the corrections ordered by the Commission, and the period to report such actions; or
(c) Other pertinent orders in connection with the conduct or furtherance of a Compliance Check or the assessment of any PIC or PIP’s compliance with any orders in relation thereto.
Alternatively, the CMD shall issue a Certificate of No Significant Findings to a PIC or PIP that has undergone document submission or an OSV, where no substantial deficiencies were found, or the deficiencies identified in the Deficiency Report or Notice of Deficiencies have already been addressed to the satisfaction of the NPC. The issuance of the Certificate shall be without prejudice to any other recommendation being made by the CMD for the improvement of the PIC or PIP’s compliance with the DPA, IRR, and NPC issuances, and does not bar an investigation for any possible liability arising from complaints and/or personal data breaches filed before the NPC.
By Atty. Graham Ragsac
In need of urgent legal help?
Contact us at +639063731095 or email us at info@narplaw.com