NPC conducts on-the-spot privacy sweep at Shangri-La Plaza Mall tenants

On 03 July 2024, the National Privacy Commission (NPC) conducted an on-the-spot privacy sweep and compliance check at establishments collecting personal data within Shangri-La Plaza Mall (Mall) in Mandaluyong City, Metro Manila to assess their compliance with the Data Privacy Act of 2012 (DPA) and other issuances of the Commission.

The NPC's Compliance and Monitoring Division found that majority of the entities operating within the Mall were substantially compliant with NPC regulations. However, sixty-six (66) citation tickets had to be issued to some of the boutiques, independent retail or service stores, pop-up booths, kiosks, or stalls in the Mall. This is due to lack of compliance by some registered tenants with the mandatory requirements of NPC such as displaying of the NPC Seal of Registration, and privacy and CCTV notices at the main entrance of their respective place of business, office, or at the most conspicuous place to ensure visibility to all data subjects.

In response, the Shangri-La Plaza Mall Legal Team will mandate its tenants to either register their Data Processing System (DPS) with the NPC or submit a Notarized Sworn Declaration and Undertaking for Exemption from Registration to the NPC as a leasing requirement.

Privacy Commissioner Atty. John Henry D. Naga maintained that the on-the-spot privacy sweep aims to enhance data privacy awareness across the country, particularly in light of numerous data breaches. He stated that “We emphasize that registration and compliance with NPC regulations are legal obligations. We hope that our next round of on-the-spot privacy sweeps and compliance checks nationwide will find even more compliant establishments.” “We strongly urge personal information controllers to register with the NPC to ensure the protection of personal data of your data subjects, thereby fostering trust and confidence in your business,” the Privacy Commissioner added.

Under Section 3, Rule XII of NPC Circular No. 2024-01, the on-the-spot privacy sweep will verify whether personal information controllers (PICs) or personal information processors (PIPs) operating in public areas, comply with their obligations under the DPA, its Implementing Rules and Regulations (IRR), and NPC issuances based on publicly available or accessible information, such as, but not limited to, websites, mobile applications, raffle coupons, brochures, and privacy notices. Failure to register and comply with NPC directives may result in administrative fines as provided in NPC Circular 2022-01 or Guidelines on Administrative Fines.

For registration and compliance concerns, please contact and [email protected] and [email protected]. The public is encouraged to report non-compliant entities to [email protected].

For more information, please visit our website at