Legal & Tax Updates

NPC Guidelines On Compliance Checks

The National Privacy Commission (“NPC”) issued NPC Circular No. 18-02 dated 20 September 2018, providing Guidelines for the conduct of Compliance Checks.

Compliance Checks are the systematic and impartial evaluation of a Personal Information Controller (PIC) or Personal Information Processor (PIP) to determine whether the entity's processing of personal data is carried out in accordance with the standards mandated by the Data Privacy Act and other issuances of the NPC.

Under the Circular, the NPC may employ any of the following three (3) modes of Compliance Checks: (i) a Privacy Sweep, wherein the NPC reviews publicly available and/or accessible information (e.g. websites, brochures, etc.); (ii) Documents Submission, under which the NPC may require a PIC or PIP that has undergone a Privacy Sweep to submit documents and additional information to clarify certain findings or to determine compliance; and (iii) an On-Site Visit, if there are persistent or substantial findings of non-compliance. The NPC may, in its discretion, directly employ this last mode if the totality of the circumstances warrants such action.

Rules on when to conduct the checks, as well as the prescribed manner and timelines for sending out the Notice of Compliance Checks, are also set forth in the Circular.

The NPC may issue a Notice of Deficiencies, a Compliance Order, or a Certificate of No Significant Findings, whichever is applicable. Failure to comply with Compliance Orders may subject the PIC or PIP to criminal, civil or administrative penalties.