Legal & Tax Updates
NPC Conducts On-Site Compliance Checks to Determine Compliance with the DPA
On 5 May 2022, the National Privacy Commission (“NPC”) announced that it has been conducting on-site compliance check visits to personal information controllers (“PICs”) and personal information processors (“PIPs”) since March 2022. The on-site visits are being conducted in different industries and sectors such as, but not limited to, media entities, hotels, courier services, schools, government entities, and local government units.
The visits are conducted pursuant to NPC Circular No. 18-02 to determine compliance with the submission of required documents, to check on the capabilities of the PICs or PIPs, and to determine whether there are substantial findings of non-compliance with the Data Privacy Act (“DPA”) and NPC issuances.
Under NPC Circular No. 18-02, the NPC may employ any of the following modes of compliance checks:
- Privacy Sweep – the NPC shall review a PIC’s or PIP’s compliance with its obligations under the DPA and its related issuances based on publicly available or accessible information;
- Documents Submission – the NPC may require submission of documents and additional information from a PIC or PIP that has undergone a privacy sweep to clarify its findings; or
- On-site Visit – done if there are persistent and substantial findings of non-compliance with the obligations in the DPA and its related issuances.
In the performance of compliance checks, the NPC considers the following:
- Level of risk to the rights and freedoms of data subjects posed by personal data processing by a PIC or PIP;
- Reports received by the NPC against the PIC or PIP, or its sector;
- Non-registration of a PIC or PIP that is subject to the mandatory registration requirement;
- Unsecured or publicly available personal data found on the internet that may be traced to a PIC or PIP; and
- Other considerations that indicate non-compliance with the DPA or the issuances of the NPC.
If, in the conduct of an On-Site Visit, a PIC or PIP is found to be non-compliant with the DPA, its implementing rules, and other NPC issuances, a Notice of Deficiencies shall be issued, which includes the period of time within which to correct the deficiencies that were identified. In case no action is taken by the PIC or PIP, or the identified deficiencies persist, the NPC shall issue a Compliance Order. Failure to comply with such order may result in criminal, civil or administrative penalties, without prejudice to other remedies available under the law.
In case no substantial deficiencies are found or once the deficiencies identified in the Notice of Deficiencies have already been addressed, the NPC shall issue a Certificate of No Significant Findings.
