
Administrative Fines of PIC and PICs in the Philippines

September 20, 2022 (Tuesday)

We published a newsletter regarding Administrative Fines of PIC and PICs in the Philippines.

September 2022
(Singapore, Japan, New York) Lawyer Tetsuo Kurita
(Japan) Lawyer Yasuaki Nanba
(Philippines) Lawyer Cainday, Jennebeth Kae

1. Introduction

For several years, the volume of spam text messages in the Philippines has been getting worse. Personalized spam messages containing the recipient’s name are raising concerns about possible identity theft and data privacy breaches.

In light of this situation, the National Privacy Commission (NPC) issued NPC Circular No. 2022-01.

This NPC Circular establishes administrative penalties to be imposed on Personal Information Controllers (“PICs”) and Personal Information Processors (“PIPs”) for violations of the Data Privacy Act of 2012 (Republic Act No. 10173, hereinafter “DPA”), its implementing rules and regulations, and other issuances of the NPC.

The details of this NPC circular are explained below.

2. Guidelines on Administrative Fines of PICs and PIPs

1 Scope – Who are considered PICs and PIPs?

The circular applies to PICs and PIPs as defined in the DPA.

Under the DPA, a PIC refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term does not include:

– A person or organization who performs such functions as instructed by another person or organization; and

– An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.[1]

A PIP, on the other hand, refers to any natural or juridical person qualified to act as such under the DPA to whom a PIC may outsource the processing of personal data pertaining to a data subject.[2]

Since personal information here includes that of a company’s own employees, essentially any company may be a PIC or PIP.

Therefore, this NPC Circular is relevant to all companies.

2 Administrative Fine

If a PIC or PIP violates the DPA, its implementing rules and regulations, or the issuances of the NPC, etc., an administrative penalty will be imposed for each violation according to the categories set forth below, depending on the provisions violated. However, if a single act constitutes multiple violations, the maximum penalty will be Five Million Pesos (PHP5,000,000).

Gravity of Infraction: Grave Infractions – total number of affected data subjects exceeds one thousand (1,001 or more)
Administrative Fine: 0.5% to 3% of the annual gross income of the immediately preceding year when the infraction occurred
Offense:
– Infraction of any of the general privacy principles in the processing of personal data pursuant to Section 11 of the DPA
– Infraction of any of the data subject rights under Section 16 of the DPA
– Any repetition of the same infraction penalized under this Circular, regardless of the classification as Major Infractions or Other Infractions, shall be automatically considered as a Grave Infraction

Gravity of Infraction: Major Infractions – total number of affected data subjects is one thousand or below (1 to 1,000)
Administrative Fine: 0.25% to 2% of the annual gross income of the immediately preceding year when the infraction occurred
Offense:
– Infraction of any of the general privacy principles in the processing of personal data pursuant to Section 11 of the DPA
– Infraction of any of the data subject rights under Section 16 of the DPA
– Any failure by a PIC to implement reasonable and appropriate measures to protect the security of personal information pursuant to Section 20 (a), (b), (c), or (e) of the DPA
– Any failure by a PIC to ensure that third parties processing personal information on its behalf shall implement security measures pursuant to Section 20 (c) or (d) of the DPA; or
– Any failure by a PIC to notify the NPC and affected data subjects of personal data breaches pursuant to Section 20 (f) of the DPA, unless otherwise punishable by Section 30 of the DPA

Gravity of Infraction: Other Infractions
Administrative Fine: Fifty thousand pesos to Two hundred thousand pesos (50,000 to 200,000)
Offense:
– Failure to register the true identity or contact details of the PIC, the data processing system, or information on automated decision making, pursuant to Section 7(a), Section 16, and Section 24 of the DPA
– Failure to provide updated information as to the identity or contact details of the PIC, the data processing system, or information on automated decision making under Section 7(a), Section 16, and Section 24 of the DPA

Gravity of Infraction: Other Infractions
Administrative Fine: Not exceeding Fifty thousand pesos (50,000)
Offense:
– Failure to comply with any Order, Resolution, or Decision of the NPC, or any of its duly authorized officers, pursuant to Section 7 of the DPA and its corresponding implementing issuances
* The fine to be imposed as a result of this infraction shall be in addition to the fine imposed for the original infraction subject of the Order, Resolution, or Decision of the NPC

3 Factors Affecting Fines

The factors to be considered in determining the specific amount of the administrative penalty within the above categories are as follows:

– Whether the infraction occurred due to negligence or through intentional infraction on the part of the PIC or PIP;

– Whether the infraction resulted in damage to the data subject, taking into account the degree of damage to the data subject, if any;

– The nature or duration of the infraction, in relation to the nature, scope, and purpose of the processing;

– The action or measure taken prior to the infraction to protect the personal data being processed as well as the rights of the data subject under Section 16 of the DPA;

– Any previous infractions determined by the Commission as contained in its Orders, Resolutions or Decisions, whether these infractions have led to the imposition of fines, and the length of time that passed since those infractions;

– The categories of personal data affected;

– The manner in which the PIC or PIP discovered the infraction, and whether it informed the NPC;

– Any mitigating action adopted by the PIC or PIP to reduce the harm to the data subject; and

– Any other aggravating or mitigating circumstances as appreciated by the NPC, including financial benefits incurred or losses avoided by the PIC or PIP.

3. Conclusion

Many companies collect or handle personal information without being aware that they may be considered PICs or PIPs. It is advised that personal information be collected in accordance with the provisions of the DPA for covered transactions or when the data subject involved is covered by the DPA. Otherwise, such companies will be subject to the administrative fines discussed above and other applicable penalties.

We are pleased to announce that our firm has published “Personal Data Protection Regulations and Practices in Asia and Oceania”, which provides a comprehensive overview of personal information protection regulations in Southeast Asia, South Asia, and Oceania, including the Philippines. If you are interested in learning more about the compliance requirements imposed on PICs and PIPs in the Philippines and the privacy laws of other countries, you may secure your copy once it becomes available online and in bookstores.

[1] DPA, Section 3(h)

[2] DPA, Section 3(i)