NPC begins on-site compliance checks to ensure data privacy

By Raymond Carl Dela Cruz

May 5, 2022, 9:31 am

MANILA – The National Privacy Commission (NPC) has begun “on-site compliance check visits” on establishments in both private and public sectors to ensure their compliance with the Data Privacy Act of 2012 (DPA).

In a statement Wednesday, the NPC said the on-site visits began in March to determine whether personal information controllers (PIC) and personal information processors (PIP) “can demonstrate organizational commitment, program controls, and review mechanisms” to assure privacy and data protection.

These PICs and PIPs include establishments in different industries and sectors, such as media entities, hotels, courier services, schools, government entities, and local government units.

“On-site visits, along with privacy sweeps and the submission of relevant documents, are aligned with NPC Circular No. 18-02 providing the guidelines on the conduct of compliance checks,” the NPC said.

During an on-site visit, authorized NPC personnel will conduct a targeted inspection of the PIC’s or PIP’s premises, which includes the presentation of relevant documents or records, an organizational inspection of selected relevant departments, and interviews.

“Upon the conclusion of the on-site visit, the NPC personnel will present their findings and determine whether the PIC or PIP has deficiencies that needed to be addressed,” the NPC said.

In case of a deficiency, the PICs or PIPs will send a commitment letter to the NPC expressing their intention to comply within a timeline.

“If such deficiencies had been adequately addressed or if the findings exhibit no substantial deficiencies, the NPC shall issue a Certificate of No Significant Findings in favor of the PIC or PIP,” the NPC said.

Privacy Commissioner John Henry Naga said these on-site visits are opportunities for PICs and PIPs to have the NPC guide them with “effective compliance with the DPA and prevent mishandling of personal data.”

“We, at the NPC, firmly believe that PICs and PIPs should not only comply and submit documents in accordance with the DPA but must also recognize their vital role in upholding and protecting data subject rights,” Naga said. (PNA)