Philippines: National Privacy Commission amends certain provisions of its Rules of Procedure

In brief

The National Privacy Commission (NPC) recently issued NPC Circular No. 2024-01 ("Circular"), which amends certain provisions of the 2021 Rules of Procedure ("NPC Rules of Procedure"). The Circular aims to further streamline the process of receiving complaints and instituting investigations on matters affecting any personal information. The amendments impose certain requirements in case of privacy violation complaints by minors or persons alleged to be incompetent. There are likewise new rules on service of judgments and other resolutions through electronic mail, joinder of parties, and alternative dispute resolution through mediation. The Circular also provides for the procedure to be adopted in case of breach notification and data breach investigations and covers the procedures for various compliance checks that may be performed by the NPC like privacy sweeps, warning letters, notice of documents submission, and onsite visits.

The Circular took effect on 10 February 2024.


Criteria on persons who may file a complaint

Data subjects who are affected by a privacy violation or data breach may file complaints with the NPC.1

In the case of a minor or a person alleged to be incompetent, proof of the relationship with the complainant must be presented to the NPC as an attachment to the complaint.2 In case the minor is represented by a parent, his or her birth certificate shall be considered as sufficient proof.3 On the other hand, for a guardian, a court order designating such person as his or her guardian is sufficient.4

The Circular provides that one or more data subjects may be represented by a single juridical person.5 The juridical person must be authorized by the data subjects to appear and act on their behalf through a special power of attorney (SPA).6 Further, the person representing the juridical person must be authorized through a Board Resolution contained in a duly notarized Secretary’s Certificate or its equivalent in case of government agencies.7

In case the complainant is a non-resident citizen who has no authorized representative in the Philippines or is unable to appoint such a representative, such person may still submit a complaint in accordance with the NPC Rules of Procedure.8 However, the complaint should be notarized by the Philippine Embassy/Consulate, or with an apostille certificate from the country of origin.9

Service of judgments, orders, or resolutions through electronic systems and electronic mail

Judgments, orders, or resolutions may now be served by electronic systems, which consist of sending through user accounts and auto-generated notifications implemented by the NPC.10 At its discretion, the NPC may also serve judgments, orders, or resolutions: (1) personally; (2) by registered mail; (3) by courier; or (4) by other electronic mail.11

Joinder of parties and entities without juridical personality

All persons in whom or against whom any right to relief in respect to or arising out of the same transaction or series of transactions is alleged to exist, whether jointly, severally, or in the alternative, may join as complainants or be joined as respondents in one complaint, where any question of law or fact common to all such complainants or to all such respondents may arise in the action.12

Parties in interest without whom no final determination can be had of an action must be joined either as complainants or respondents.13 Further, whenever in any complaint or pleading in which a claim is asserted a necessary party is not joined, the pleader shall set forth the party’s name, if known, and shall state why the party is omitted.14 Should the NPC find the reason for the omission unmeritorious, it may order the inclusion of the omitted necessary party if jurisdiction over the person may be obtained.15 The failure to comply with the order for a necessary party’s inclusion, without justifiable cause, shall be deemed a waiver of the claim against such party.16

When two or more persons not organized as an entity with juridical personality enter into a transaction, they may be sued under the name by which they are generally or commonly known.17 Further, in the answer of such respondent, the names and addresses of the persons composing the entity must be accurately stated.18 The address to be used shall be the last known address of the respondent.19

Alternative dispute resolution through mediation proceedings

The Circular provides that parties, by mutual agreement, may signify their intent to explore the possibility of settling issues through mediation during the preliminary conference or at any stage of the proceedings but before the endorsement of the case for decision by the Legal and Enforcement Office (LEO) Director or the NPC, as the case may be.20

The Circular allows parties to apply for mediation through their representatives, provided that the latter are duly authorized by an SPA to appear, offer, negotiate, accept, decide, and enter into a mediated settlement agreement without additional consent or authority from the party.21 For a juridical person, the representative must be authorized by a Board Resolution contained in a duly notarized Secretary’s Certificate, or any equivalent written authority.22

In addition to the NPC premises, the Circular has now allowed video conferencing as an alternative venue for mediation proceedings, to enable the remote appearance and testimony of parties.23

Moreover, parties are now allowed to re-apply for mediation despite a prior failure to reach settlement provided that the application is filed before the endorsement of the case for decision by the NPC and subject to compliance with the Rules.24

Breach investigation and notification

The Circular provides that the CMD shall be the initial recipient of data breach notifications and shall immediately assign an Evaluating Officer to review the data breach notification.25 Upon receipt of the data breach notification, the Evaluating Officer shall recommend to resolve preliminary requests from the controller or processor for: (a) extensions to notify data subjects; or (b) extensions to file the full breach report.26 The preliminary requests for extensions granted by the CMD shall be for a period of 20 calendar days counted from the date of the request.27

The Circular has added that the breach notification evaluation report may contain a recommendation for: (1) a possible violation of the DPA arising from the breach matter; and (2) the imposition of administrative fines on other infractions.28 Moreover, upon the finding of a possible data privacy violation that requires further investigation, the CMD shall: (1) endorse the final breach notification evaluation report to the NPC for the resolution of the breach case; and (2) endorse the matter to the CID for further investigation for a possible data privacy violation.29

The Circular also clarifies that the CID may use this information to initiate a sua sponte investigation if the NPC receives information that a possible data breach occurred but the controller or processor did not submit any notification to the NPC.30

Compliance checks

The Circular provides that a compliance check may be conducted based on any of the following considerations.31

  1. Level of risk to the rights and freedoms of data subjects posed by personal data processing by a controller or processor
  2. Reports received by the NPC against the controller or processor, or its sector
  3. Non-registration of a controller or processor that is subject to the mandatory registration requirement
  4. Unsecured or publicly available personal data found on the premises and on the internet that may be traced to a controller or processor
  5. Other considerations that indicate non-compliance with the DPA, its implementing rules and regulations (IRR), or NPC issuances
  6. In the discretion of the CMD, there is an urgent need to ensure the protection of voluminous personal data records and such can only be done by actual physical inspection of said records within the controller or processor’s office premises

A privacy sweep shall refer to the initial mode of compliance check where the NPC shall review a controller or processor’s compliance with respect to its obligations under the DPA, IRR, and NPC issuances, based on publicly available or accessible information, including but not limited to, websites, mobile applications, raffle coupons, brochures, privacy notices, social media pages or accounts, and other physical or digital forms.32 The CMD may also conduct an on-the-spot privacy sweep on the premises, pop-up stores, kiosks, or stalls where personal data is processed.33

Pursuant to the privacy sweep, the CMD shall issue a warning letter in any of these instances: (1) CMD discovers data privacy issues involving a controller or processor who has not yet registered or whose registration has expired; or (2) CMD determines that a risk to the rights and freedoms of a data subject is present and requires the controller or processor's urgent and immediate action.34

The CMD shall issue a notice of document submission in the following instances: (1) the CMD discovers that the controller or processor has failed to demonstrate substantial compliance with the DPA, IRR, and other NPC issuances; (2) if the CMD requires additional information to fully determine the controller or processor's level of compliance; or (3) if the CMD requires further verification to determine if the controller or processor has embedded data privacy policies and data protection measures in its operations.35

The CMD shall conduct an on-site visit (OSV) to: (1) the principal place of business of the controller or processor; or (2) where personal data is processed in cases where there are persistent issues or substantial findings of non-compliance with the obligations indicated in the DPA and NPC issuances.36

The CMD shall issue a deficiency report if, based on the OSV, there are existing gaps in the controller or processor's compliance with the DPA, IRR, and NPC issuances.37 If the controller or processor fails to address the issues raised in a deficiency report or is determined to be non-compliant with the DPA, IRR, and other issuances of the NPC after being subjected to any of the modes of compliance checks, the CMD shall issue the notice of deficiencies indicating the period of time within which to correct the identified deficiencies, which shall not be less than 10 days from receipt of the notice.38

The NPC shall issue a compliance order in any of the following instances: (1) after the lapse of the period provided in the notice of deficiencies and no action was taken by the controller or processor to correct the identified deficiencies; (2) after the lapse of the period provided in the notice of deficiencies and such identified deficiencies persist;39 (3) in the course of the conduct of an OSV, the controller or processor refuses or fails to provide access to premises, records or prevents the conduct of the inspection; or (4) in the course of the conduct of the on-the-spot privacy sweep, the controller or processor refuses or prevents the conduct of the inspection on otherwise publicly available areas or information.

The CMD shall issue a certificate of no significant findings to a controller or processor: (1) that has undergone document submission or an OSV; (2) where no substantial deficiencies were found; or (3) the deficiencies identified in the deficiency report or notice of deficiencies have already been addressed to the satisfaction of the NPC.40 

Recommended actions

Clients are advised to take note of the amendments to the NPC Rules of Procedure that seek to streamline efficiency in the case resolution process. Clients who process personal data must continue to ensure compliance with the requirements under the DPA, IRR, and other NPC issuances.

For more information, the full Circular may be accessed through this link.


1 Rule II, Section 1, NPC Rules of Procedure.

2 Rule II, Section 1, NPC Rules of Procedure.

3 Rule II, Section 1, NPC Rules of Procedure.

4 Rule II, Section 1, NPC Rules of Procedure.

5 A juridical person refers to: (1) the State and its political subdivisions; (2) corporations, institutions, and entities that are created by law for public interest or purpose; and (3) corporations, partnerships, and associations for private interest or purpose to which the law grants a juridical personality, separate and distinct from that of each shareholder, partner, or member.

6 Rule II, Section 1, NPC Rules of Procedure.

7 Rule II, Section 1, NPC Rules of Procedure.

8 Rule II, Section 1, NPC Rules of Procedure.

9 Rule II, Section 1, NPC Rules of Procedure.

10 Rule III, Section 6, NPC Rules of Procedure.

11 Rule II, Section 1, NPC Rules of Procedure.

12 Rule IV, Section 3, NPC Rules of Procedure, on permissive joinder of parties.

However, the NPC may make such orders as may be just to prevent any complainant or respondent from being embarrassed or put to expense in connection with any proceedings in which the party has no interest.

13 Rule IV, Section 4, NPC Rules of Procedure, on compulsory joinder of necessary parties.

14 Rule IV, Section 6, NPC Rules of Procedure.

A necessary party is one who is not indispensable but who ought to be joined as a party if complete relief is to be accorded as to those already parties, or for a complete determination or settlement of the claim subject of the action.

15 Rule IV, Section 6, NPC Rules of Procedure, on non-joinder of parties.

16 Rule IV, Section 6, NPC Rules of Procedure.

17 Rule IV, Section 8, NPC Rules of Procedure.

18 Rule IV, Section 8, NPC Rules of Procedure.

19 Rule IV, Section 8, NPC Rules of Procedure.

20 Rule VI, Section 1, NPC Rules of Procedure.

21 Rule VI, Sections 2 and 8, NPC Rules of Procedure.

22 Rule VI, Sections 2 and 8, NPC Rules of Procedure.

23 Rule VI, Section 11, NPC Rules of Procedure.

24 Rule VI, Section 17, NPC Rules of Procedure.

25 Rule XI, Section 2, NPC Rules of Procedure.

26 Rule XI, Section 3, NPC Rules of Procedure.

27 Rule XI, Section 3, NPC Rules of Procedure.

28 Rule XI, Section 6, NPC Rules of Procedure.

29 Rule XI, Section 6, NPC Rules of Procedure.

30 Rule XI, Section 10, NPC Rules of Procedure.

31 Rule XII, Section 14, NPC Rules of Procedure.

32 Rule XII, Section 2, NPC Rules of Procedure.

33 Rule XII, Section 3, NPC Rules of Procedure.

34 Rule XII, Section 4, NPC Rules of Procedure.

35 Rule XII, Section 4, NPC Rules of Procedure.

36 Rule XII, Section 10, NPC Rules of Procedure.

37 Rule XII, Section 14, NPC Rules of Procedure.

38 Rule XII, Section 15, NPC Rules of Procedure.

39 Rule XII, Section 16, NPC Rules of Procedure.

Moreover, compliance orders shall state the deficiencies remaining or actions to be taken, the period within which to undertake the corrections ordered by the NPC, and the period to report such actions.

40 Rule XII, Section 19, NPC Rules of Procedure.

The issuance of this certificate is without prejudice to any other recommendation being made by the CMD for the improvement of the controller or processor’s compliance with the DPA, IRR, and NPC issuances. The issuance of the certificate does not bar an investigation for any possible liability arising from complaints and/or personal data breaches filed before the NPC.



Please contact QTInfoDesk@quisumbingtorres.com for inquiries.



Copyright © 2024 Baker & McKenzie. All rights reserved.