NPC to issue show cause orders to unregistered businesses handling personal data

The National Privacy Commission (NPC) sternly warns all businesses, which process personal data of their clients and/or employees yet remain unregistered with the NPC. Show cause orders shall be issued for non-compliance with the Data Privacy Act of 2012 (DPA) and relevant NPC issuances.

NPC Circular No. 2022-04 mandates the registration of data processing systems (DPS) and data protection officers (DPOs) for all businesses that process personal data of two hundred fifty (250) or more employees, or one thousand (1,000) or more customers, or those processing data that will likely pose a risk to the rights and freedoms of data subjects. Businesses that do not reach specified thresholds must still submit a declaration and undertaking for exemption.

The Commission reminds personal information controllers (PICs) and personal information processors (PIPs) of their obligations under the DPA, its IRR, and the issuances of the NPC, including compliance with the registration requirements. Further, the Commission, through its Data Security and Compliance Office (DASCO) will also continue to issue mission orders on the conduct of compliance checks to businesses throughout the country to ensure compliance of PICs and PIPs covered by the mandatory registration requirements.

The NPC already conducted an on-the-spot privacy sweep at a certain mall establishment last 15 May 2024, and found 65 mall tenants unregistered with the NPC.

The NPC will relentlessly enforce the law by issuing show cause orders to unregistered businesses throughout this year, and those who fail to register despite the notice may be subjected to administrative fines, as provided under NPC Circular 2022-01 or the Guidelines on Administrative Fines.

For registration and compliance concerns, you may contact us at [email protected] and [email protected].


Director IV, Data Security and Compliance Office