The National Privacy Commission (NPC) has issued a warning to businesses processing personal data of clients and employees, urging them to comply with the Data Privacy Act of 2012 (DPA). This move comes amid heightened efforts to enforce data protection standards and ensure compliance with regulations.
According to an NPC circular, all businesses that process personal data of 250 or more employees or 1,000 or more customers must register their data processing systems (DPS) and designate a data protection officer (DPO). Even businesses that do not meet these thresholds must submit a declaration and undertaking for exemption to the NPC. This requirement aims to safeguard the rights and freedoms of individuals whose data is processed.
The Commission reiterated the obligations of personal information controllers (PICs) and personal information processors (PIPs) under the DPA, its Implementing Rules and Regulations (IRR), and various NPC directives. These include compliance with mandatory registration requirements. The NPC’s Data Security and Compliance Office (DASCO) will continue to carry out compliance checks nationwide to ensure adherence to these regulations.
In a recent operation on May 15, 2024, the NPC conducted an on-the-spot privacy sweep at a major mall. This inspection revealed that 65 tenants were not registered with the Commission, highlighting the widespread issue of non-compliance.
The NPC plans to escalate its enforcement efforts by issuing show cause orders to businesses that remain unregistered. Companies that fail to register after receiving notice risk administrative fines as outlined in NPC Circular 2022-01, the Guidelines on Administrative Fines.