The National Privacy Commission (NPC), the data privacy watchdog of the Philippines, commenced its evaluation of organizations from the public and private sectors to determine their respective compliance with the requirements of the Data Privacy Act of 2012 (DPA). The first batch of organizations which have been randomly selected by the Commission was directed to prepare their respective documentation, offices, facilities, and personnel for the examination by members of the NPC's Compliance and Monitoring Division (CMD). The compliance checks focused on the evaluation of the organization's compliance with the NPC's 32-point Data Privacy Accountability and Compliance Checklist ("32-Point Compliance Checklist"), covering areas on Establishment of Data Privacy Governance, Risk Assessment, Preparation of the Organization's Data Privacy Rules, Privacy in Day-to-Day Information Life Cycle Operations (To Be Included in the Privacy Manual), Management of Personal Data Security Risks, Data Breach Management, Management of Third Party Risks, Management of Human Resources, Continuing Assessment and Development, and Privacy Ecosystem Management.

Compliance Check Requirements and Procedure

The CMD requested the subject organizations to accommodate at least four (4) to six (6) NPC personnel who will conduct a scheduled 3-day (which may be extended by the CMD to a maximum of 5 days) thorough and onsite compliance check by: (1) preparing hard copies of records of data processing activities, privacy notices, manual, policies, contracts with third parties, and other relevant documents which have to be labeled to correspond to the items listed in the 32-Point Compliance Checklist; (2) providing the NPC personnel with a meeting room and other office necessities for the examination of documents and interview of employees during the course of the compliance check; (3) making key personnel of the organization, such as the Data Protection Officer (DPO) and those who are involved in the personal data processing, available upon request of the NPC team; and (5) providing the services of an employee of the organization, preferably its DPO, who will serve as the contact person or coordinator for the compliance check.

The CMD has extended its assurance that the objective of the compliance checks is not punitive in nature. The organization will therefore be apprised of any deficiencies found by the NPC personnel at the end of the exercise. The NPC team will then communicate its findings to the Commission which will then issue a Certificate of Completion of Compliance Check or if necessary, provide the organization with sufficient information and adequate time to mediate items in its personal data processing activities which are found to be non-compliant with the DPA, the Implementing Rules and Regulations, and other issuances of the NPC.

The CMD, in lieu of a thorough and onsite compliance check visit, has also been issuing notices to randomly selected companies for a partial compliance check. The notice requires the organization to submit to the CMD the data privacy-related documents listed in the notice such as personal data inventory and process flows, consent forms, sample agreements with third parties, privacy and data protection-related policies and procedures, among others.

NPC Guidelines on Compliance Checks

The NPC intends to issue by next year its official guidelines on the conduct of compliance checks. Based on the draft guidelines, the NPC will be guided by the following considerations in determining which agencies and companies will be subject to compliance checks:

  • Number of complaints received by the NPC against the personal information controller (PIC) or personal information processor (PIP), or its history of compliance or cooperation with the NPC;
  • Failure to register by a PIC or PIP which is covered by the mandatory registration of data processing systems; and
  • Personal data processing that poses a risk to the rights and freedoms of data subjects.

PICs and PIPs whose processing of sensitive personal information is a core activity or who are covered by the mandatory registration requirement may also be subject to an annual compliance check.

Failure to submit to a compliance check may subject the organization to administrative penalties which may be imposed by the NPC, including the issuance of compliance and enforcement orders, cease-and-desist orders, temporary or permanent ban on personal information processing, and payment of fines. In proper cases, the NPC may also recommend the criminal prosecution of an organization's officers and/or employees for violation of the DPA.

Actions to Consider

The NPC is set to continue its conduct of compliance checks of all PICs and PIPs in the Philippines. Clients are therefore urged to evaluate their organization's compliance with the requirements of the DPA, its Implementing Rules and Regulations, NPC issuances, and more particularly, the 32-Point Compliance Checklist. Each organization should be able to demonstrate to the NPC that its personal data processing operations fully and continuously comply with the requirements of the law, both on paper and in practice.