Breach Notification

How does the CID deal with breach notifications?

Upon the finding of a possible data privacy violation that needs further investigation, the CMD shall transmit the Breach Notification Evaluation Report (BNER) to the CID.

Upon receipt of the BNER, an investigating officer shall be assigned by the CID to determine if there is a necessity to conduct an on-site or technical investigation.

The investigating officer shall request a proper authority from the NPC before conducting any on-site or technical investigation. The investigating officer may also request assistance from technical personnel of the NPC.

In the course of the investigation, the complainant and/or respondent may be required to furnish additional information, document or evidence, or to produce additional witnesses.4

The investigating officer shall submit to the Commission a Fact-Finding Report after the termination of the on-site or technical investigation or receipt of the BNER, whichever is applicable.5 The Fact-Finding Report shall then be endorsed to the Commission en Banc for adjudication.

Upon receipt by the Commission en Banc of the Fact-Finding Report, the respondent shall be provided a copy of such report and given an opportunity to submit a comment. In cases where the respondent or respondents fail without justification to submit a comment or appear before the NPC when so ordered, the Commission shall render its decision on the basis of available information under Rule VIII of these Rules.

When can I expect a resolution of the breach notification?

The entire process, up to final adjudication, should take about ten to twelve months.