NPC Releases Guidelines on Administrative Fines

The National Privacy Commission (“NPC”) issued Circular No. 2022-01 (the “Circular”), which provides the Guidelines on Administrative Fines, consistent with its mandate to ensure compliance with the provisions of Republic Act 10173 or the Data Privacy Act (“DPA”).

Under the Circular, any Personal Information Controller (“PIC”) or Personal Information Processor (“PIP”) who violates specific provisions of the DPA, its implementing rules and regulations, and the issuances of the NPC shall be liable for an administrative fine for each infraction. The amount of the fine for each infraction shall fall within the ranges identified by the NPC and shall be determined in accordance with the factors enumerated in the Circular. In any case, the total imposable fine for a single act of a PIC or PIP, whether resulting in single or multiple infractions, shall not exceed Five Million Pesos (PHP5,000,000.00).

The Circular classified the violations into grave infractions, major infractions, and other infractions.

Grave infractions

Grave infractions are those committed by any natural or juridical person processing personal data that violates:

  1. Any of the general privacy principles in the processing of personal data pursuant to Section 11 of the DPA, where the total number of affected data subjects exceeds one thousand;
  2. Any of the data subject rights pursuant to Section 16 of the DPA, where the total number of affected data subjects exceeds one thousand; or
  3. Any repetition of the same infraction penalized under this Circular, regardless of classification, shall be automatically considered as a grave infraction.

The administrative fine for grave infractions shall range from 0.5% to 3% of the annual gross income of the immediately preceding year when the infraction occurred.

Major infractions

Any natural or juridical person processing personal data that commits any of the following infractions shall be subject to an administrative fine amounting to 0.25% to 2% of the annual gross income of the immediately preceding year when the infraction occurred:

  1. Infraction of any of the general privacy principles in the processing of personal data pursuant to Section 11 of the DPA, where the total number of affected data subjects is one thousand or below;
  2. Infraction of any of the data subject rights pursuant to Section 16 of the DPA, where the total number of affected data subjects is one thousand or below;
  3. Failure of a PIC to implement reasonable and appropriate measures to protect the security of personal information pursuant to Section 20 (a), (b), (c), or (e) of the DPA;
  4. Failure of a PIC to ensure that third parties processing personal information on its behalf shall implement security measures pursuant to Section 20 (c) or (d) of the DPA; or
  5. Failure by a PIC to notify the NPC and affected data subjects of personal data breaches pursuant to Section 20 (f) of the DPA, unless otherwise punishable by Section 30 of the DPA.

Other infractions

As for other infractions, the PIC or PIP shall be subject to an administrative fine of not less than Fifty Thousand Pesos (PHP 50,000.00) but not exceeding Two Hundred Thousand Pesos (PHP 200,000.00) for either of the following:

  1. Failure to register the true identity or contact details of the PIC, the data processing system, or information on automated decision making, pursuant to Section 7(a), Section 16, and Section 24 of the DPA and its corresponding implementing issuances; or
  2. Failure to provide updated information as to the identity or contact details of the PIC, the data processing system, or information on automated decision making.

The failure to comply with any Order, Resolution, or Decision of the NPC, or of any of its duly authorized officers, will result in the imposition of an administrative fine not exceeding Fifty Thousand Pesos (PHP 50,000.00), on top of the fine imposed for the original infraction.

Factors affecting fines

The NPC will consider the following factors in computing the fine to be imposed:

  1. Whether the infraction occurred due to negligence or intentional infraction on the part of the PIC or PIP;
  2. Whether the infraction resulted in damage to the data subject, considering the degree of damage to the data subject, if any;
  3. The nature or duration of the infraction, in relation to the nature, scope, and purpose of the processing;
  4. The action or measure taken prior to the infraction to protect the personal data being processed and the rights of the data subject under the DPA;
  5. Any previous infractions determined by the NPC, as contained in its Orders, Resolutions, or Decisions, whether these infractions have led to the imposition of fines and the length of time that has passed since those infractions;
  6. The categories of personal data affected;
  7. The manner in which the PIC or PIP discovered the infraction, and whether it informed the NPC;
  8. Any mitigating action adopted by the PIC or PIP to reduce the harm to the data subject; and
  9. Any other aggravating or mitigating circumstances as appreciated by the NPC, including financial benefits incurred or losses avoided by the PIC or PIP.

To determine the annual gross income of the PIC or PIP that committed the infraction, the NPC may evaluate and require submission of the PIC’s or PIP’s audited financial statements filed with the appropriate tax authorities for the immediately preceding year when the infraction occurred, the last regularly prepared balance sheet or annual statement of income and expenses, and such other financial documents deemed relevant and appropriate.

If a PIC or PIP has not been operating for more than one year, the base for computing administrative fines will be the entity’s total gross income at the time the violation was committed.

PICs or PIPs that refuse to pay the administrative fine under the Circular may be subject to a Cease-and-Desist Order, and other processes or reliefs as the NPC may be authorized to initiate pursuant to Section 7 of the DPA, and appropriate contempt proceedings under the Rules of Court.

The administrative fine shall only be imposed after notice and hearing afforded to the PICs or PIPs, in accordance with the NPC Rules of Procedure. In case the PIC or PIP fails to appear or submit its comment or pleading, despite due notice, the NPC shall decide on the alleged infraction based on the evidence on record.

It must also be noted that the Decision or Resolution of the NPC shall be immediately executory unless otherwise restrained by the Court of Appeals or the Supreme Court.