NPC conducts on-site compliance checks to determine level of compliance with the DPA

May 5, 2022 | 1:21 PM GMT+0800 Last Edit: May 5, 2022

The National Privacy Commission (NPC) is conducting on-site compliance check visits to personal information controllers (PICs) and personal information processors (PIPs), to verify compliance documents submitted and determine whether there are substantial findings of non-compliance with the Data Privacy Act of 2012 and NPC’s issuances.

On-site visits are being conducted by the NPC’s Compliance and Monitoring Division, to determine whether a PIC or PIP can demonstrate organizational commitment, program controls, and review mechanisms intended to assure privacy and personal data protection of their data processing systems.

The privacy body’s on-site visits began in March and cover different industries and sectors, including but not limited to media entities, hotels, courier services, schools, government entities, and local government units. On-site visits, along with privacy sweeps and the submission of relevant documents, are aligned with NPC Circular No. 18-02, which provides the guidelines on the conduct of compliance checks.

Privacy Commissioner John Henry D. Naga said that these on-site visits are an opportunity for the NPC to help and guide PICs and PIPs to comply with the Data Privacy Act (DPA) of 2012.

“Personal information controllers and processors should view these on-site visits as one of the opportunities for the Commission to guide them with their effective compliance with the DPA and prevent any mishandling of personal data to the detriment of data subjects. We, at the NPC, firmly believe that PICs and PIPs should not only comply and submit documents in accordance with the DPA, but must also recognize their vital role in upholding and protecting data subject rights,” Naga said.

In an on-site visit, duly authorized NPC personnel will conduct a targeted inspection within the PIC or PIP’s premises. This includes, but is not limited to, the presentation of relevant documents or records, an inspection of selected departments where personal information is processed, and an interview with relevant personnel tasked to manage personal information.

Upon the conclusion of the on-site visit, the NPC personnel will present their findings and determine whether the PIC or PIP has deficiencies that need to be addressed. In such cases, the PIC or PIP will submit a commitment letter to the Commission expressing its intention to comply within a particular timeline. If such deficiencies have been adequately addressed or if the findings exhibit no substantial deficiencies, the NPC shall issue a Certificate of No Significant Findings in favor of the PIC or PIP.
