NPC conducts on-site compliance checks to determine level of compliance with the DPA

The National Privacy Commission (NPC) is conducting on-site compliance check
visits to personal information controllers (PICs) and personal information processors
(PIPs), to verify compliance documents submitted and determine whether there are
substantial findings of non-compliance with the Data Privacy Act of 2012 and NPC’s

On-site visits are being conducted by the NPC’s Compliance and Monitoring
Division, to determine whether a PIC or PIP can demonstrate organizational
commitment, program controls, and review mechanisms intended to assure privacy and
personal data protection of their data processing systems.

The privacy body’s on-site visits began in March, with the different industries and
sectors, such as, but not limited to, media entities, hotels, courier services, schools,
government entities, and local government units. On-site visits, along with privacy
sweeps and the submission of relevant documents, are aligned with NPC Circular No.
providing the guidelines on the conduct of compliance checks.

Privacy Commissioner John Henry D. Naga said that these on-site visits are an
opportunity for the NPC to help and guide PICs and PIPs to comply with the Data
Privacy Act (DPA) of 2012.

“Personal information controllers and processors should view these on-site visits
as one of the opportunities for the Commission to guide them with their effective
compliance with the DPA and prevent any mishandling of personal data to the detriment
of data subjects. We, at the NPC, firmly believes that PICs and PIPs should not only
comply and submit documents in accordance with the DPA, but must also recognize their
vital role in upholding and protecting data subject rights,” Naga said.

In an on-site visit, duly authorized NPC personnel will conduct a targeted
inspection within the PIC or PIP’s premises. These include, but not limited to, the
presentation of relevant documents or records, organizational inspection to its selected
departments wherein processing of personal information are undertaken, and an
interview with relevant personnel tasked to manage personal information.

Upon the conclusion of the on-site visit, the NPC personnel will present their
findings and determine whether the PIC or PIP has deficiencies that needed to be
addressed. In such cases, they will submit a commitment letter to the Commission
expressing their intention to comply within a particular timeline. If such deficiencies had
been adequately addressed or if the findings exhibit no substantial deficiencies, the NPC
shall issue a Certificate of No Significant Findings in favor of the PIC or PIP.