The National Privacy Commission (NPC) has issued a circular on administrative fines for data privacy infractions committed by personal information controllers (PICs) and personal information processors (PIPs).
NPC Circular No. 2022-01 on the Guidelines on Administrative Fines recognizes that it is essential for the public interest to impose administrative fines that are proportionate and dissuasive of data privacy infractions, the privacy body said.
Privacy commissioner John Henry D. Naga said that through the circular, the NPC is encouraging organizational accountability among PICs and PIPs by initiating measures to enhance their compliance with the Data Privacy Act of 2012 as stewards of personal data.
“The National Privacy Commission is intensifying its efforts in order for personal information controllers and processors to adopt optimal levels of data protection and security. The Circular on Administrative Fines is vital to NPC in effectively executing its mandate to administer and implement the data privacy law. We hope that PICs and PIPs would not view the administrative fines as adversarial, but as a motivation to protect and safeguard the personal data they collect and process,” Naga said.
Depending on whether the violation is grave or major, the NPC will impose administrative fines ranging from 0.5% to 3% and 0.25% to 2%, respectively, of the annual gross income of the PIC or PIP that committed the infraction.
As for other violations, the PIC or PIP shall be subject to an administrative fine of not less than P50,000 but not P200,000 for either of the following:
(1) Failure to register the true identity or contact details of the PIC, the data processing system, or information on automated decision making; or
(2) Failure to provide updated information as to the identity or contact details of the PIC, the data processing system, or information on automated decision making.
The failure to comply with any order, resolution, or decision of the NPC will result to an administrative fine not exceeding P50,000) on top of the fine imposed for the original infraction.
The circular also enumerated the circumstances that will be taken into consideration in computing the fine.
To determine the annual gross income of the PIC or PIP that committed the infraction, the NPC may evaluate and require submission of the PIC’s or PIP’s audited financial statements filed with the appropriate tax authorities for the immediately preceding year when the infraction occurred, the last regularly prepared balance sheet or annual statement of income and expenses, and such other financial documents deemed relevant and appropriate.
If a PIC or PIP has not been operating for more than one year, the base for computing administrative fines will be the entity’s total gross income at the time the violation was committed.
PICs or PIPs that refuse to pay the administrative fine under the circular may be subject to a cease-and- desist order, other processes, or reliefs as the NPC may be authorized to initiate pursuant to the Data Privacy Act, and appropriate contempt proceedings under the Rules of Court.
The guidelines on administrative Fines will apply prospectively, the NPC said, adding that complaints already filed to the NPC are not affected by the issuance.
