NPC issues Circular on Administrative Fines for data privacy infractions

August 12, 2022 | 11:01 AM GMT+0800 Last Edit: August 17, 2022

PASAY CITY, August 12, 2022 — The National Privacy Commission (NPC) issues the Circular on Administrative Fines for data privacy infractions committed by personal information controllers (PICs) and personal information processors (PIPs). NPC Circular No. 2022-01 (Circular) on the Guidelines on Administrative Fines recognizes that it is essential for the public interest to impose administrative fines that are proportionate and dissuasive of data privacy infractions.

Privacy Commissioner John Henry D. Naga said that through the Circular, the NPC encourages organizational accountability among PICs and PIPs by initiating measures to enhance their compliance with the Data Privacy Act of 2012 as stewards of personal data.

“The National Privacy Commission is intensifying its efforts in order for personal information controllers and processors to adopt optimal levels of data protection and security. The Circular on Administrative Fines is vital to NPC in effectively executing its mandate to administer and implement the data privacy law. We hope that PICs and PIPs would not view the administrative fines as adversarial, but as a motivation to protect and safeguard the personal data they collect and process,” the privacy chief said.

Infractions subject to administrative fine

Depending on whether the violation is grave or major, the NPC will impose administrative fines ranging from 0.5% to 3% and 0.25% to 2%, respectively, of the annual gross income of the PIC or PIP that committed the infraction.

As for other violations, the PIC or PIP shall be subject to an administrative fine of not less than Fifty Thousand Pesos (Php 50,000.00) but not exceeding Two Hundred Thousand Pesos (Php 200,000.00) for either of the following: (1) failure to register the true identity or contact details of the PIC, the data processing system, or information on automated decision making; or (2) failure to provide updated information as to the identity or contact details of the PIC, the data processing system, or information on automated decision making.

The failure to comply with any Order, Resolution, or Decision of the Commission, or of any of its duly authorized officers, will result to an administrative fine not exceeding Fifty Thousand Pesos (Php 50,000.00) on top of the fine imposed for the original infraction.

The Circular also enumerated the circumstances that will be taken into consideration in computing the fine. To determine the annual gross income of the PIC or PIP that committed the infraction, the NPC may evaluate and require submission of the PIC’s or PIP’s audited financial statements filed with the appropriate tax authorities for the immediately preceding year when the infraction occurred, the last regularly prepared balance sheet or annual statement of income and expenses, and such other financial documents deemed relevant and appropriate.

If a PIC or PIP has not been operating for more than one year, the base for computing administrative fines will be the entity’s total gross income at the time the violation was committed.

PICs or PIPs that refuse to pay the administrative fine under the circular may be subject to a Cease and Desist Order, other processes or reliefs as the Commission may be authorized to initiate pursuant to Section 7 of the Data Privacy Act, and appropriate contempt proceedings under the Rules of Court.

The Guidelines on Administrative Fines will apply prospectively. Complaints already filed to the NPC are not affected by the issuance.

For more information, read the guidelines on administrative fines here

###