Philippines: Administrative fines for data privacy infractions to be imposed starting 27 August 2022

The National Privacy Commission recently issued Circular No. 2022-01, which outlines the administrative fines to be imposed for infractions committed by personal information controllers or personal information processors.

In brief

The National Privacy Commission (NPC) issued Circular No. 2022-01 on 12 August 2022, entitled "Guidelines on Administrative Fines" ("Circular"). The Circular fixes the administrative fines to be imposed upon personal information controllers (PICs) or personal information processors (PIPs) for infractions of the Data Privacy Act of 2012 (DPA), its implementing rules and regulations, and the issuances of the NPC.

The Circular takes effect on 27 August 2022 and will apply prospectively. Thus, complaints that have already been filed with the NPC prior to the effectivity date are not covered by the Circular.



What the Circular provides

The Circular follows a tiered system: the amount of the administrative fine that the NPC can impose on an erring PIC or PIP depends on the type of infraction committed, namely:

  • For grave infractions, the NPC can impose an administrative fine ranging from 0.5% to 3% of the PIC's or PIP's annual gross income. 
    A grave infraction is committed when: 
    1. There is an infraction of any of the general privacy principles in the processing of personal data pursuant to Section 11 of the DPA, where the total number of affected data subjects exceeds 1,000.
    2. There is an infraction of any of the data subject rights pursuant to Section 16 of the DPA, where the total number of affected data subjects exceeds 1,000.
    3. There is a repetition of the same infraction penalized under the Circular, regardless of whether the first infraction was classified as a major or other infraction.
  • For major infractions, the NPC can impose an administrative fine ranging from 0.25% to 2% of the PIC's or PIP's annual gross income. 
    A major infraction is committed when: 
    1. There is an infraction of any of the general privacy principles in the processing of personal data pursuant to Section 11 of the DPA, and where the total number of affected data subjects is 1,000 or below.
    2. There is an infraction of any of the data subject rights pursuant to Section 16 of the DPA, where the total number of affected data subjects is 1,000 or below.
    3. There is failure on the part of the PIC to implement reasonable and appropriate measures to protect the security of personal information pursuant to Section 20 (a), (b), (c), or (e) of the DPA.
    4. There is failure on the part of the PIC to ensure that third parties processing personal information on its behalf shall implement security measures pursuant to Section 20 (c) or (d) of the DPA.
    5. There is failure on the part of the PIC to notify the NPC and affected data subjects of a personal data breach pursuant to Section 20(f) of the DPA, unless otherwise punishable by Section 30 of the DPA.

In both cases, the computation shall be based on the PIC's or PIP's annual gross income of the immediately preceding year when the infraction occurred. Note that for purposes of said computation, the NPC may require the PIC or PIP to submit its audited financial statement filed with the appropriate tax authorities for the immediately preceding year when the infraction occurred, its last regularly prepared balance sheet or annual statement of income and expenses, and such other financial documents as the NPC may deem relevant and appropriate. However, where the PIC or PIP has not been operating for more than one year, the basis for the NPC's computation will be its gross income at the time the infraction was committed.

The NPC is also empowered to impose administrative fines for other infractions, including the failure to register the true identity or contact details of the PIC, the data processing system, or information on automated decision-making, which can reach up to either PHP 200,000 [1] (approximately USD 4,000) or PHP 50,000 [2] (approximately USD 1,000), depending on the violation committed.

Notwithstanding the foregoing, please note that the total imposable administrative fine for a single act or omission of a PIC or PIP, whether resulting in a single or multiple infractions, shall not exceed PHP 5 million (approximately USD 100,000).

The Circular further sets out the factors that the NPC should consider, including the categories of data affected and any mitigating action adopted by the PIC or PIP to reduce the harm to the data subject, when determining the amount to be imposed, which must nevertheless be within the ranges mentioned in the Circular. [3] Moreover, the Circular provides that no administrative fine shall be imposed by the NPC unless the PIC or PIP is afforded due process (i.e., notice and hearing) in accordance with its Rules of Procedure.

Finally, the Circular provides that PICs or PIPs who refuse to pay the imposed administrative fine may be subject to a cease and desist order, other processes or reliefs that the NPC may be authorized to initiate under the DPA, and appropriate contempt proceedings under the Rules of Court.
 

Recommended actions

Clients are advised to take the necessary steps to ensure compliance with the DPA, its implementing rules and regulations, and the issuances of the NPC, and to avoid committing any of the infractions mentioned in the Circular, which are subject to potential administrative fines imposed by the NPC.


[1] The NPC can impose an administrative fine ranging from PHP 50,000 (approximately USD 1,000) to PHP 200,000 (approximately USD 4,000) for the following infractions:

(a) The failure to register the true identity or contact details of the PIC, the data processing system, or information on automated decision-making pursuant to Sections 7(a), 16, and 24 of the DPA and its corresponding issuances; or

(b) The failure to provide updated information as to the identity or contact details of the PIC, the data processing system, or information on automated decision-making pursuant to Sections 7(a), 16, and 24 of the DPA and its corresponding issuances.

[2] The NPC can impose an administrative fine up to PHP 50,000 (approximately USD 1,000) for the following infractions: The failure to comply with any Order, Resolution or Decision of the NPC, or of any of its duly authorized officers, pursuant to Section 7 of the DPA and its corresponding issuances.

Note that this administrative fine shall be in addition to the fine imposed for the original infraction subject of the NPC's Order, Resolution or Decision, if any.

[3] The NPC shall consider the following factors in determining the amount of administrative fine to be imposed, which must be within the ranges provided under the Circular:

(a) Whether the infraction occurred due to negligence or through intentional infraction on the part of the PIC or PIP
(b) Whether the infraction resulted in damage to the data subject, taking into account the degree of damage to the data subject, if any
(c) The nature or duration of the infraction, in relation to the nature, scope, and purpose of the processing
(d) The action or measure taken prior to the infraction to protect the personal data being processed, as well as the rights of the data subject under Section 16 of the DPA
(e) Any previous infractions determined by the NPC as contained in its Orders, Resolutions or Decisions, whether these infractions have led to the imposition of fines, and the length of time that has passed since those infractions
(f) The categories of personal data affected
(g) The manner in which the PIC or PIP discovered the infraction, and whether it informed the NPC
(h) Any mitigating action adopted by the PIC or PIP to reduce the harm to the data subject
(i) Any other aggravating or mitigating circumstances as appreciated by the NPC, including financial benefits incurred or losses avoided by the PIC or PIP

 

* * * * *

 


Please contact QTInfoDesk@quisumbingtorres.com for inquiries.


Copyright © 2024 Baker & McKenzie. All rights reserved.