NPC issues Circular governing the conduct of Compliance Checks

The National Privacy Commission (NPC) issued on 20 September 2018 NPC Circular No. 18-02 governing the conduct of Compliance Checks, which shall apply to any Personal Information Controller (PIC) or Personal Information Processor (PIP) in the government or private sector processing personal data in the Philippines.

The Circular defines “Compliance Check” as “the systematic and impartial evaluation of a PIC or PIP, in whole or any part, process or aspect thereof, to determine whether activities that involve the processing of personal data are carried out in accordance with the standards mandated by the Data Privacy Act and other issuances of the Commission.”

Under the Circular, NPC may employ any of the modes of Compliance Checks, which include Privacy Sweeps, Documents Submissions and On-Site Visits to determine whether a PIC or PIP is able to demonstrate organizational commitment, program controls and review mechanisms intended to assure privacy and personal data protection in data processing systems.

The NPC shall issue either Notice of Deficiencies and Compliance Order if the PIC or PIP is found to be non-compliant with the Data Privacy Act (DPA), its IRR and other issuances of the Commission, or a Certificate of No Significant Findings where no substantial deficiencies were found or the deficiencies identified in the Notice of Deficiencies have already been addressed to the satisfaction of the Commission.

The considerations for the conduct of Compliance Checks include the level of risk to the rights and freedoms of data subjects posed by personal data processing, reports received by the Commission, non-registration of a PIC or PIC subject to mandatory registration as provided under NPC Circular No. 17-01, unsecured or publicly available personal data and other considerations that indicate non-compliance with the Data Privacy Act or the issuances of the Commission.

Earlier, the NPC has expressed that PICs or PIPs subject to mandatory registration who failed to comply within one (1) year after the effectivity of the IRR on 09 September 2016 or until 09 September 2017 or those considered as “late registrants”, shall be included in the list of priority organizations for a data privacy compliance check.

Refusal to undergo Compliance Check and failure to comply with Compliance Order shall be subject to fines and penalties, as may be allowed by law.

Pursuant to Section 17 thereof, the Circular took effect immediately after its publication on 31 October 2018.