Data Protection in the Philippines

Enforcement in the Philippines

The NPC is responsible for ensuring compliance of the PIC with the Act. It has the power to receive complaints, institute investigations, facilitate or enable settlement of complaints through the use of alternative dispute resolution processes, adjudicate, award indemnity on matters affecting any Personal Information, prepare reports on disposition of complaints and resolution of any investigation it initiates, and, in cases it deems appropriate, publicize any such report. Additionally, the NPC can issue cease and desist orders, impose a temporary or permanent ban on the processing of Personal Information, upon finding that the processing will be detrimental to national security and public interest.

The NPC, however, cannot prosecute violators for breach of the Act for which criminal penalties can be imposed. The Department of Justice is tasked with the prosecution for violations of the Act that are punishable with criminal sanctions.

The following actions are punishable by the Act with imprisonment in varying duration plus a monetary penalty:

  • processing of Personal Information or Sensitive Personal Information:
    • without the consent of the data subject or without being authorized by the Act or any existing law; or
    • for purposes not authorized by the data subject or otherwise authorized under the Act or under existing laws;
  • providing access to Personal Information or Sensitive Personal Information due to negligence and without being authorized under this Act or any existing law;
  • knowingly or negligently disposing, discarding or abandoning the Personal Information or Sensitive Personal Information of an individual in an area accessible to the public or has otherwise placed the Personal Information of an individual in its container for trash collection;
  • knowingly and unlawfully, or violating data confidentiality and security data systems, breaking in any way into any system where Personal and Sensitive Personal Information is stored;
  • concealing the fact of such security breach, whether intentionally or by omission, after having knowledge of a security breach and of the obligation to notify the NPC pursuant to Section 20(f) of the Act;
  • disclosing by any PIC or PIP or any of its officials, employees or agents, to a third party Personal Information or Sensitive Personal Information without the consent of the data subject and without malice or bad faith; and
  • disclosing, with malice or in bad faith, by any PIC or PIP or any of its officials, employees or agents of unwarranted or false information relative to any Personal Information or Sensitive Personal Information obtained by him or her.

In August 2022, the NPC issued a Circular on Administrative Fines for data privacy infractions committed by PICs and PIPs.

In January 2024, the NPC amended certain provisions of its 2021 Rules of Procedure including:

  • clarifying the criteria for filing a complaint, introducing specific provisions for minors, individuals alleged to be incompetent, and non-resident citizens;
  • recognizing the service of judgments, orders, or resolutions issued by the NPC through electronic systems;
  • allowing for multiple parties to join or be joined as either complainants or respondents in one complaint;
  • institutionalizing videoconferencing technology as an alternative venue for mediation proceedings, enabling the remote appearance and testimony of parties beyond NPC premises;
  • introducing rules on compliance checks. These checks ascertain whether the activities by PICs and PIPs that involve the processing of personal data are carried out in accordance with the standards provided under the DPA, its implementing rules and regulations, and related issuances.

Continue reading

  • no results

Previous topic
Back to top