The National Privacy Commission (NPC) will sanction violators of data privacy, spelled out in a circular released by the Commission.
In a statement, Privacy Commissioner John Henry Naga said the circular recognizes that it is essential for the public interest to impose administrative fines that are proportionate and dissuasive of data privacy infractions.
With this, he said the NPC encourages organizational accountability among personal information controllers (PIC) and personal information processors (PIP) by initiating measures to enhance compliance with the Data Privacy Act of 2012 as stewards of personal data.
“The National Privacy Commission is intensifying its efforts for personal information controllers and processors to adopt optimal data protection and security levels. The Circular on Administrative Fines is vital to NPC in effectively executing its mandate to administer and implement the data privacy law. We hope that PIC or PIP will not view the administrative fines as adversarial. Still, as a motivation to protect and safeguard the personal data they collect and process,” Naga said.
Infractions are subject to administrative fines depending on whether the violation is severe or not. The NPC will impose administrative penalties ranging from 0.5 percent to 3 percent and 0.25 percent to 2 percent, respectively, of the annual gross income of the PIC or PIP that committed the infraction.
The NPC added that as for other violations, the PIC or PIP should be subject to an administrative fine of not less than P50,000 but not exceeding P200,000 for either failure to register the true identity or contact details of the PIC, the data processing system, or information on automated decision making; or failure to provide updated information as to the identity or contact details of the PIC, the data processing system, or information on automated decision making.
Failure to comply with any Order, Resolution, or Decision of the Commission or its duly authorized officers will result in an administrative fine not exceeding P50,000 on top of the fine imposed for the original infraction.
The Circular also enumerated the circumstances that will be considered in computing the fine.
To determine the annual gross income of the PIC or PIP that committed the infraction, the NPC may evaluate and require the submission of the PIC’s or PIP’s audited financial statements filed with the appropriate tax authorities for the preceding year when the infraction occurred. The last regularly prepared balance sheet or annual information of income and expenses and such other financial documents deemed relevant and appropriate.
If a PIC or PIP has not been operating for more than one year, the base for computing administrative fines will be the entity’s total gross income at the time the violation was committed.
PIC or PIP that refuse to pay the administrative fine under the Circular may be subject to a Cease-and-Desist Order, other processes, or reliefs as the Commission may be authorized to initiate under Section 7 of the Data Privacy Act, and appropriate contempt proceedings under the Rules of Court.
The NPC said the circular should take effect 15 days following its publication in a general circulation newspaper.