NPC Circular 16-04 – Rules of Procedure

PDF VERSION npc-circular-16-04-rules-of-procedure

DATE

 :

15 December 2016

SUBJECT

 :

RULES OF PROCEDURE OF THE NATIONAL PRIVACY

COMMISSION
  1. PRELIMINARY PROVISIONS
    1. General Principles
    2. Scope and Coverage
  2. COMPLAINTS FOR VIOLATIONS OF THE DATA PRIVACY ACT
    1. Who may file complaints
    2. Exhaustion of remedies
    3. Filing Fees
    4. Printed Copies
    5. Where to file
    6. Electronic Filing
    7. Parties to the Complaint
    8. Form and Contents of the Complaint
  3. PROCEDURE IN COMPLAINTS
    1. Evaluation 
    2. Outright Dismissal
    3. Order to Confer for Discovery
    4. Discovery
    5. Order to Submit Comment
    6. Investigation; Examination of Systems and Procedures
    7. Failure to Submit Comment
    8. Recommendation of the Investigating Officer
    9. Temporary Ban on Processing Personal Data
    10. Permanent Ban on Processing Personal Data
    11. Action on the Recommendations of the Investigating Officer
    12. Rendition of decision
  4. COMPLAINTS OF THE NATIONAL PRIVACY COMMISSION
    1. Own initiative
    2. Uniform procedure
  5. ALTERNATIVE MODES OF DISPUTE RESOLUTION
    1. Alternative modes of dispute resolution
    2. Mediation officer
    3. Failure to reach settlement
  6. REQUESTS FOR ADVISORY OPINIONS
    1. Advisory Opinions
    2. Uniform procedure
  7. APPEALS
    1. Appeal
  8. GENERAL PROVISIONS
    1. Confidentiality
    2. Application of Rules of Court
    3. Interpretation
    4. Separability Clause
    5. Effectivity
  9. A Guide for the Data Subject


Pursuant to the authority vested in the National Privacy Commission through Section 7 of Republic Act No. 10173, otherwise known as “The Data Privacy Act of 2012”, the following Rules of Procedure of the National Privacy Commission are hereby prescribed and promulgated:  

RULE I. PRELIMINARY PROVISIONS

SECTION 1. General Principles. – The National Privacy Commission is an independent body mandated to administer and implement provisions of the Data Privacy Act, and to monitor and ensure compliance of the country with international standards set for data protection. The Commission shall uphold the right to information privacy while supporting free flow of information. In the exercise of its quasi-judicial function, the Commission is authorized to receive complaints and institute investigations. In order to fulfill its mandate, it may compel any entity, government agency or instrumentality to abide by its orders or take action on a matter affecting data privacy, and impose sanctions as may be appropriate.

SECTION 2. Scope and Coverage. – These rules shall apply to all complaints filed before the National Privacy Commission or such other grievances, requests for assistance or advisory opinions, and other matters cognizable by the National Privacy Commission.  

Back to Top

RULE II. COMPLAINTS FOR VIOLATIONS OF THE

DATA PRIVACY ACT

SECTION 3. Who may file complaints. – The National Privacy Commission, sua sponte, or persons who are the subject of a privacy violation or personal data breach, or who are otherwise personally affected by a violation of the Data Privacy Act, may file complaints for violations of the Act. The person who is the subject of the privacy violation or personal data breach, or his or her duly authorized representative may file the complaint, Provided, that the circumstances of the authority must be established. Any person who is not personally affected by the privacy violation or personal data breach may: (a) request for an advisory opinion on matters affecting protection of personal data; or (b) inform the National Privacy Commission of the data protection concern, which may in its discretion, conduct monitoring activities on the organization or take such further action as may be necessary.

SECTION 4. Exhaustion of remedies. – No complaint shall be entertained unless:
  1. the complainant has informed, in writing, the personal information controller or concerned entity of the privacy violation or personal data breach to allow for appropriate action on the same;
  2. the personal information controller or concerned entity did not take timely or appropriate action on the claimed privacy violation or personal data breach, or there is no response from the personal information controller within fifteen (15) days from receipt of information from the complaint ; and
  3. the complaint is filed within six (6) months from the occurrence of the claimed privacy violation or personal data breach, or thirty (30) days from the last communiqué with the personal information controller or concerned entity, whichever is earlier.
The failure to comply with the requirements of this Section shall cause the matter to be evaluated as a request to the National Privacy Commission for an advisory opinion, and for the National Privacy Commission to take such further action, as necessary. The National Privacy Commission may waive any or all of the requirements of this Section, at its discretion, upon good cause shown, or if the complaint involves a serious violation or breach of the Data Privacy Act, taking into account the risk of harm to the affected data subject.

SECTION 5. Filing Fees. – No complaint or request for advisory opinion shall be entertained unless the appropriate filing fees have been shown to have been paid, unless: (a) the complainant is the government, or any agency or instrumentality thereof, including government-owned and controlled corporations organized and existing under their own charter, and excluding government-owned and controlled corporations organized and incorporated under the Corporation Code; (b) the complainant qualifies as an indigent or pauper litigant as defined under the Rules of Court; or (c) the National Privacy Commission, in its proper discretion and for good cause shown, waives this requirement.

Back to Top

SECTION 6. Printed Copies. – The complaint, together with the documentary evidence and affidavits of witnesses, if any, shall be filed in such number as there are respondents, plus two (2) copies for the file.

SECTION 7. Where to file. – A complaint may be filed at any office of the Commission.

SECTION 8. Electronic filing. – The complaint and its supporting evidence, as well as any subsequent filings may be filed as electronic documents, pursuant to the provisions of Republic Act No. 8792, and subject to the right of the Commission to request for hard copies, or charge fees for the printing thereof, either by e-mail or by submitting the same contained in a portable electronic data storage device at any office of the Commission. Whenever practicable, electronic submissions shall be made and digitally signed in .PDF format, on page sizes compliant with the Efficient Use of Paper Rule. When submissions are made through portable electronic data storage devices, the provisions of Section 6 of these Rules shall apply, with one portable data storage device equivalent to one printed copy, provided, that documents made on such portable data storage devices, if either the device or any file found therein is detected to be infected with any form of malware, all the electronic documents on that portable electronic data storage device shall not be considered as having been filed. When submissions are made through e-mail, all electronic documents must be submitted to [email protected], copy furnished any and all other parties to the complaint.

SECTION 9. Parties to the Complaint. – – The Complaint must specify the identity of the individual claiming to be subject of a privacy violation or the person so damaged or injured by a data breach, who shall be referred to as the complainant. The complainant shall include in his complaint his contact information, and where the complainant or duly authorized representative may be served with orders, issuances or communications, including a secure electronic mail address when available. The complaint must identify the person or organization complained against, who shall be referred to as the respondent; the mere provision of the means to trace the identity of the party complained against shall be considered as insufficient identification. The complainant shall also provide in the complaint: (a) the respondent’s contact information, where practicable; and (b) where the respondent may be served with orders, issuances or communications from the National Privacy Commission.

SECTION 10. Form and Contents of the Complaint. – The complaint shall comply with the requirements of the Efficient Use of Paper Rule (A.M. No. 11-9-4-SC) and other such rules of formatting as may be provided for by the Supreme Court for use in quasi-judicial agencies. The form of the complaint must be in writing, verified and under oath, or contained in a sworn affidavit. A complaint that does not comply with this requirement shall be acted upon only, at the discretion of the National Privacy Commission, if it merits appropriate consideration on its face, or is of such notoriety that it necessarily contains sufficient leads or particulars to enable the taking of further action. The complaint shall include a brief narration of the material facts and supporting documentary and testimonial evidence, all of which show: (a) the violation of the Data Privacy Act or related issuances; or (b) the acts or omissions allegedly committed by the respondent amounting to a privacy violation or personal data breach. The complaint must include any and all reliefs sought by the complainant. The supporting documents shall consist of original or certified true copies of any documentary evidence, and the affidavits of witnesses, if any, including those affidavits necessary to identify the documents and to substantiate the complaint. The complainant shall attach any and all correspondence with the respondent on the matter complained, and include a statement of the action taken by the respondent to address the complaint, if any. The failure to comply with the requirements of this Section shall cause the matter to be evaluated as a request to the National Privacy Commission for an advisory opinion, and for the National Privacy Commission to take such further action, as necessary.

Back to Top

RULE III. PROCEDURE IN COMPLAINTS

SECTION 11. Evaluation. – Upon receipt of the complaint, the National Privacy Commission shall assign an investigating officer who shall conduct the proceedings. The investigating officer shall evaluate the complaint to determine whether its allegations involve a violation of the Data Privacy Act or related issuances and if based on its allegations, there is reason to believe that there is a privacy violation or personal data breach. The investigating officer shall then recommend to the Commission whether the complaint shall be:
  1. dismissed outright for want of palpable merit;
  2. referred to the respondent for comment;
  3. subject to further monitoring or investigation;
  4. treated as a request for an advisory opinion; or
  5. indorsed to the proper government agency with jurisdiction over the complaint.
SECTION 12. Outright Dismissal. – The Commission may dismiss outright any complaint on the following grounds:
  1. The complainant did not give the respondent an opportunity to address the complaint, unless failure to do so is justified;
  2. The complaint is not a violation of the Data Privacy Act or does not involve a privacy violation or personal data breach;
  3. The complaint is filed beyond the period for filing; or
  4. There is insufficient information to substantiate the allegations in the complaint or the parties cannot be identified or traced.
SECTION 13. Order to Confer for Discovery. – If, on the face of the complaint, the allegations are deemed to be sufficient in form and substance, the investigating officer shall issue an Order for all parties to confer, not later than ten (10) days from receipt of the said Order, whether discovery of information and of electronically stored information is reasonably likely to be sought in the proceeding. A copy of the complaint, together with its supporting evidence, shall be included with the Order to Confer for Discovery. If discovery of electronically stored information is reasonably likely to be sought, the parties shall discuss:
  1. any issues relating to the preservation of the information;
  2. the form in which each type of the information will be produced;
  3. the period within which the information will be produced;
  4. the method for asserting or preserving claims of privilege or of protection of the information;
  5. the method for asserting or preserving confidentiality and proprietary status of information relating to a party or person not a party to the proceeding;
  6. whether allocation among the parties of the expense of production is appropriate; and
  7. any other issue relating thereto.
The agreement will be reduced into a Discovery Conference Report to be signed and submitted by all parties to the Commission within five (5) days of the conclusion of the conference.

Back to Top

SECTION 14. Discovery.
  1. The National Privacy Commission may issue an Order governing the discovery of electronically stored information pursuant to:
    1. a motion by a party seeking discovery of the information or from which discovery of the information is sought; or
    2. a stipulation of the parties and of any person not a party from which discovery of the information is sought.
    The Order governing the discovery will cover the same matter a discovery conference report is to address. Absent exceptional circumstances, the National Privacy Commission may not impose sanctions on a party for failure to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system.
  1. A party may serve on any other party a request for production of electronically stored information and for permission to inspect, copy, test, or sample the information, copy furnished the National Privacy Commission. The party on which the said request is served must serve a response within three (3) working days, or in such timely manner as to preserve the integrity of the electronically stored information. The response must state, with respect to every item or category in the request that inspection, copying, testing, or sampling of the information will be permitted as requested; or any objection to the request and the reasons for the objection.The party requesting the production may specify the form in which the electronically stored information is to be produced. The responding party must state in its response that form in which it intends to produce each type of the information. Unless the parties otherwise agree or the investigating officer otherwise orders: (1) If a request for production does not specify a form for producing a type of electronically stored information, the responding party shall produce the information in a form in which it is ordinarily maintained or in a form that is reasonably usable; and (2) a party need not produce the same electronically stored information in more than one form.
  1. A party may object to discovery of electronically stored information from sources that the party identifies as not reasonably accessible because of undue burden or expense. In its objection the party shall identify the reason for the undue burden or expense.On motion to compel discovery or for a protective order relating to the discovery of electronically stored information, a party objecting to discovery under the next preceding paragraph bears the burden of showing that the information is from a source that is not reasonably accessible because of undue burden or expense.
  1. The National Privacy Commission may order discovery of electronically stored information that is from a source that is not reasonably accessible because of undue burden or expense if the party requesting discovery shows that the likely benefit of the proposed discovery outweighs the likely burden or expense, taking into account the amount in controversy, the resources of the parties, the importance of the issues, and the importance of the requested discovery in resolving the issues.If the National Privacy Commission orders discovery of electronically stored information under the next preceding paragraph, it may set conditions for discovery of the information, including allocation of the expense of discovery.
  1. The National Privacy Commission shall limit the frequency or extent of discovery of electronically stored information, even from a source that is reasonably accessible, if the Commission determines that:
    1. It is possible to obtain the information from some other source that is more convenient, less burdensome, or less expensive;
    2. The discovery sought is unreasonably cumulative or duplicative;
    3. The party seeking discovery has had ample opportunity by discovery in the proceeding to obtain the information sought; or
    4. The likely burden or expense of the proposed discovery outweighs the likely benefit, taking into account the amount in controversy, the resources of the parties, the importance of the issues, and the importance of the requested discovery in resolving the issues.
SECTION 15. Order to Submit Comment. – Following the receipt of the Discovery Conference Report, the investigating officer shall issue an Order directing the respondent or respondents, as the case may be, to submit within ten (10) days from receipt thereof, a responsive Comment to the Complaint, together with any supporting documents the respondent or respondents may have, including the affidavits of any of the respondents’ witnesses, if any. The investigating officer, upon his or her discretion, may require the complainant to file a Reply within ten (10) days after receipt of the Order requiring the filing of a Reply. Such an Order may also require the respondent to file a Rejoinder within ten (10) days after receipt of the Reply.

SECTION 16. Investigation; Examination of Systems and Procedures. – The investigating officer shall investigate the circumstances surrounding the privacy violation or personal data breach. Investigations may include on-site examination of systems and procedures. In the course of the investigation, the complainant and/or respondent may be required to furnish additional information, document or evidence, or to produce additional witnesses. The parties shall have the right to examine the evidence submitted, which he or she may not have been furnished, and to copy them at his expense.

Back to Top

SECTION 17. Failure to Submit Comment. – If the respondent does not file a Comment, the investigating officer may consider the complaint as submitted for resolution. The respondent shall, in any event, have access to the evidence on record.

SECTION 18. Recommendation of the Investigating Officer. – Upon the termination of the investigation, the investigating officer shall produce a fact-finding report, which shall include the results of the investigation, the evidence gathered, and any recommendations. The report shall be submitted to the Office of the Commissioner.

SECTION 19. Temporary Ban on Processing Personal Data – At the commencement of the complaint or at any time before the decision of the National Privacy Commission becomes final, a complainant or any proper party may have the National Privacy Commission, acting through the investigating officer, impose a temporary ban on the processing of personal data, if on the basis of the evidence on record, such a ban is necessary in order to preserve the rights of the complainant or to protect national security or public interest.
  1. A temporary ban on processing personal data may be granted only when: (1) the application in the complaint is verified and shows facts entitling the complainant to the relief demanded, or the respondent or respondents fail to appear or submit a responsive pleading within the time specified for within these Rules; and (2) unless exempted from the payment of filing fees as provided for in these Rules, the complainant files with the National Privacy Commission a bond executed to the party or person so banned from processing personal data in an amount to be fixed by the investigating officer. Upon approval of the requisite bond, the temporary ban on processing personal data shall be issued.
  2. When an application for a temporary ban on processing personal data is included in a complaint, the investigating officer shall issue a Notice of Hearing, together with a copy of the complainant’s affidavit, the annexes thereto, and receipt of the bond, when applicable. When an application for a temporary ban on processing personal data is made by motion, the investigating officer shall issue a Notice of Hearing, together with a copy of the receipt of the bond, when applicable. The Notice of Hearing shall indicate the scheduled date and venue for the hearing, and that the respondent or respondents, as the case may be, may appoint a representative to appear at the hearing in order to protect their interests. The complainant shall shoulder the cost to ensure that this Notice of Hearing is delivered to the respondent or respondents, as the case may be, within the next business day, by personal or substituted service, and if personal or substituted service is impossible, by private courier. Upon service, the complainant shall file an affidavit of service attesting that service was properly made upon the respondent or respondents, as the case may be.
  3. The temporary ban on processing personal data shall be acted upon only after all the parties are heard in a summary hearing. If all the parties can be found in the Philippines, or if service upon a non-resident is made by substituted service, the summary hearing shall be conducted within the next business day following the actual receipt of the Notice, as indicated in the affidavit of service. If the respondent is a non-resident of the Philippines and only direct service or service by courier is possible, then the hearing shall be conducted one (1) week after actual receipt of the Notice.
  4. If so issued, the temporary ban on processing personal data shall remain in effect until the final resolution of the case or upon orders of the Commission or lawful authority.
Back to Top

SECTION 20. Permanent Ban on Processing Personal Data. – If after the termination of the proceedings it appears that the complainant is entitled to have a permanent ban on processing personal data, the investigating officer shall recommend that the Commission issue an Order granting a permanent ban on processing personal data.

SECTION 21. Action on the Recommendations of the Investigating Officer. – The Commission shall review the evidence presented, including the fact-finding report and supporting documents. On the basis of the said review, the National Privacy Commission may: (1) promulgate a Decision; or (2) order the conduct of a clarificatory hearing, if in its discretion, additional information is needed to make a Decision. No motion for clarificatory hearing shall be entertained. In case the Commission finds that a clarificatory hearing is necessary, the following shall be observed:
  1. The parties shall be notified of the schedule for clarificatory hearing at least five (5) days from schedule;
  2. The Commission may require additional information and/or compel attendance of any person involved in the complaint;
  3. The parties shall not directly question the individuals called to testify but may submit their questions to the Commission for their consideration;
  4. The parties may be required to submit their respective memoranda containing their arguments on the facts and issues for resolution.
SECTION 22. Rendition of decision. – The Decision of the Commission shall adjudicate the issues raised in the complaint on the basis of all the evidence presented and its own consideration of the law. The decision may include enforcement orders, including: (a) an award of indemnity on matters affecting personal data protection, or rights of the data subject, where the indemnity amount to be awarded shall be determined based on the provisions of the Civil Code; (b) cease and desist orders; (c) the imposition of a temporary or permanent ban on the processing of personal data, as provided for in these Rules; (d) a recommendation to the Department of Justice (DOJ) the prosecution and imposition of penalties specified in the Act; (e) those to compel or petition any entity, government agency or instrumentality to abide by its orders or take action on a matter affecting data privacy; (f) those to impose fines for violations of the Act or issuances of the Commission; or (g) any other order to enforce compliance with the Data Privacy Act. A copy of the decision shall be served upon the parties, for information and compliance with any directive contained therein.

Back to Top

RULE IV. COMPLAINTS OF THE NATIONAL PRIVACY COMMISSION

SECTION 23. Own initiative. – Depending on the nature of the incident, in cases of a possible serious privacy violation or personal data breach, taking into account the risks of harm to a data subject, the Commission may investigate on its own initiative the circumstances surrounding the possible violation. Investigations may include on-site examination of systems and procedures. If necessary, the Commission may use its enforcement powers to order cooperation of the personal information controller or other persons, with the investigation or to compel appropriate action to protect the interests of data subjects.

SECTION 24. Uniform procedure. – The investigation shall be in accordance with Rule III of these Rules, provided that the respondent shall be provided a copy of the fact-finding report and given an opportunity to submit an answer. In cases where the respondent or respondents fail without justification to submit an answer or appear before the National Privacy Commission when so ordered, the Commission shall render its decision on the basis of available information.

Back to Top

RULE V. ALTERNATIVE MODES OF DISPUTE RESOLUTION

SECTION 25. Alternative modes of dispute resolution. – The Commission shall facilitate or enable settlement through the use of alternative dispute resolution processes, provided that if the allegations are of a serious nature, taking into account the risks of harm to a data subject, the Commission may immediately conduct an investigation on its own initiative.

SECTION 26. Mediation officer. – The Commission shall assign a mediation officer to assist the complainant and respondent to reach a settlement agreement provided that no settlement is allowed for criminal acts. The mediation officer shall identify the issues for resolution and mediate in order for the parties to reach an amicable settlement. In case the parties reach an amicable settlement, the mediation officer shall issue a resolution on the agreement between parties.

SECTION 27. Failure to reach settlement. – In case the parties are unable to reach an amicable settlement, the procedure for the resolution of complaints shall be followed.

Back to Top

RULE VI. REQUESTS FOR ADVISORY OPINIONS

SECTION 28. Advisory Opinions. – An advisory opinion may be issued by the Commission on matters relating to data privacy or personal data protection, at the instance of any party, or on any complaint filed, which failed to comply with the requirements of Rule II herein. No request for an advisory opinion shall be entertained unless:
  1. the request provides sufficient facts to allow for evaluation of the matter relating to data privacy or personal data protection;
  2. the request relates to novel issues or legitimate concerns that merit further evaluation;
  3. the request is not related to any pending case before the National Privacy Commission, or on any matter that is subject of an ongoing investigation; and
  4. the request is not on an a matter that has previously been subject of an advisory opinion.
An advisory opinion shall be limited to discussion of the issues and applicable law or jurisprudence but shall not impose any sanctions or award damages.

SECTION 29. Uniform procedure. – Requests for the issuance of an advisory opinion must be in writing and addressed to the National Privacy Commission. Whenever applicable, the procedure for the filing of the advisory opinion shall be in accordance with Rule II of these Rules, provided that the Commission may request for additional information as may be necessary to evaluate the personal data protection concern. The requesting party must provide contact details, including a valid electronic mail address, where the Commission may send its orders or opinions. Advisory opinions issued by the Commission may be made available to the public.

Back to Top

RULE VII. APPEALS

SECTION 30. Appeal. – The decision of the National Privacy Commission shall become final and executory fifteen (15) days after the receipt of a copy thereof by the party adversely affected. One motion for reconsideration may be filed, which shall suspend the running of the said period. Any appeal from the Decision shall be to the proper courts, in accordance with law and rules.

Back to Top

RULE VIII. GENERAL PROVISIONS

SECTION 31. Confidentiality. – The Commission may ask for access to personal data that is subject of any complaint and to collect the information necessary to perform its functions. The Commission shall ensure confidentiality of any personal data that comes to its knowledge and possession, provided that any personal data submitted may be transferred to parties who will be contacted during the handling of the case and may be disclosed to agencies who are authorized to receive information relating to law enforcement, prosecution or review of the Commission’s decisions, subject to the Act and related issuances. Information about the case may also be used for policy development, public education, case reports and publications.

SECTION 32. Application of Rules of Court. – The Rules of Court shall apply in a suppletory character, and whenever practicable and convenient.

SECTION 33. Interpretation. – These rules shall be liberally interpreted in a manner mindful of the rights and interests of the person about whom personal data is processed.

SECTION 34. Separability Clause. – In the event that any provision or part of this Order is declared unauthorized or rendered invalid, those provisions not affected by such declaration shall remain valid and in force.

SECTION 35. Effectivity. – This Order shall take effect fifteen (15) days after publication in the Official Gazette or two newspapers of general circulation. They shall govern all cases brought after they take effect and to further proceedings in cases then pending, except to the extent that their application would not be feasible or cause injustice to any party.

Back to Top


Approved:  

(Sgd.) RAYMUND E. LIBORO

Privacy Commissioner

(Sgd.) IVY D. PATDU

Deputy Privacy Commissioner

(Sgd.) DAMIAN DOMINGO O. MAPA

Deputy Privacy Commissioner
  A Guide for the Data Subject
  1. Do you have a concern about a privacy violation, personal data breach or matters related to personal data protection, or any other violation the Data Privacy Act and other issuances of the National Privacy Commission?
    1. Yes. Proceed to the next section (No.2).
    2. No. The National Privacy Commission may have no power to act on your complaint. The Commission can only act on matters that relate to the Data Privacy Act.
    3. I am not sure. Request for an Advisory Opinion or request for information (No.5).
  2. Does your concern affect you personally or involve your personal data?
    1. Yes. If it is a matter affecting your own personal data, you may file a Complaint with the National Privacy Commission.
    2. No. If it is about another person, or is a matter of general concern, request instead for an Advisory Opinion.
  3. How do you file a complaint?
    1. First, give an opportunity to the individual or company to address your concerns. Send a written letter to the individual or company you believe has committed a privacy violation or personal data breach, and request the said company for appropriate action.
    2. If the company does not act on your letter within 15 days, or has failed to take appropriate action on your concern, you may file your complaint with the Commission. File the complaint within 30 days from last communication. If you have an important reason why you think it would be hard to write to the individual company, you may explain this to the Commission.
    3. The complaint should be in an affidavit form and should include:
      1. all information relevant to your concern, including any other evidence or affidavits of witnesses, if any;
      2. your communications with the individual or company;
      3. the relief you are demanding, whether you want specific action from the individual or company, or whether you want to claim for damages; and
      4. your contact details and contact details of the individual or company.
    4. You may file it with the office of the National Privacy Commission, where you may be asked to pay filing fees, depending on the relief you are asking. You may file it online through e-mail at [email protected] . In case of electronic mail, wait for instructions on how filing fees can be filed. If you qualify as an indigent, no filing fee is necessary.
    5. An investigating officer will evaluate your complaint and when sufficient in form and substance, the Commission may call on you to confer with the respondent on matters like discovery of evidence or schedules of the proceedings.
    6. Upon completion of the investigation, the investigating officer shall refer the case to the Office of the Commissioner for final decision.
  4. How do you request for Advisory Opinion?
    1. File your request for advisory opinion in the same manner as a complaint.
    2. You request should include all facts necessary for the Commission to evaluate your concern and render an opinion.
    3. Provide the National Privacy Commission a way to contact you.
    4. Remember that if your request is for an advisory opinion, the National Privacy Commission will not award damages.
  5. Can I get additional information on this circular? You may request for additional information on the procedure through [email protected]

Back to Top