The National Privacy Commission is an independent body mandated to administer and implement the Act, and to monitor and ensure compliance of the country with international standards set for personal data protection.
The National Privacy Commission shall have the following functions:
a. Rule Making. The Commission shall develop, promulgate, review or amend rules and regulations for the effective implementation of the Act. This includes:
- Recommending organizational, physical and technical security measures for personal data protection, encryption, and access to sensitive personal information maintained by government agencies, considering the most appropriate standard recognized by the information and communications technology industry, as may be necessary;
- Specifying electronic format and technical standards, modalities and procedures for data portability, as may be necessary;
- Issuing guidelines for organizational, physical, and technical security measures for personal data protection, taking into account the nature of the personal data to be protected, the risks presented by the processing, the size of the organization and complexity of its operations, current data privacy best practices, cost of security implementation, and the most appropriate standard recognized by the information and communications technology industry, as may be necessary;
- Consulting with relevant regulatory agencies in the formulation, review, amendment, and administration of privacy codes, applying the standards set out in the Act, with respect to the persons, entities, business activities, and business sectors that said regulatory bodies are authorized to principally regulate pursuant to law;
- Proposing legislation, amendments or modifications to Philippine laws on privacy or data protection, as may be necessary;
- Ensuring proper and effective coordination with data privacy regulators in other countries and private accountability agents;
- Participating in international and regional initiatives for data privacy protection.
b. Advisory. The Commission shall be the advisory body on matters affecting protection of personal data. This includes:
- Commenting on the implication on data privacy of proposed national or local statutes, regulations or procedures, issuing advisory opinions, and interpreting the provisions of the Act and other data privacy laws;
- Reviewing, approving, rejecting, or requiring modification of privacy codes voluntarily adhered to by personal information controllers, which may include private dispute resolution mechanisms for complaints against any participating personal information controller, and which adhere to the underlying data privacy principles embodied in the Act and these Rules;
- Providing assistance on matters relating to privacy or data protection at the request of a national or local agency, a private entity or any person, including the enforcement of rights of data subjects;
- Assisting Philippine companies doing business abroad to respond to data protection laws and regulations.
c. Public Education. The Commission shall undertake necessary or appropriate efforts to inform and educate the public of data privacy, data protection, and fair information rights and responsibilities. This includes:
- Publishing, on a regular basis, a guide to all laws relating to data protection;
- Publishing a compilation of agency system of records and notices, including index and other finding aids;
- Coordinating with other government agencies and the private sector on efforts to formulate and implement plans and policies to strengthen the protection of personal data in the country;
d. Compliance and Monitoring. The Commission shall perform compliance and monitoring functions to ensure effective implementation of the Act, these Rules, and other issuances. This includes:
- Ensuring compliance by personal information controllers with the provisions of the Act;
- Monitoring the compliance of all government agencies or instrumentalities as regards their security and technical measures, and recommending the necessary action in order to meet minimum standards for protection of personal data pursuant to the Act;
- Negotiating and contracting with other data privacy authorities of other countries for cross-border application and implementation of respective privacy laws;
- Generally performing such acts as may be necessary to facilitate cross-border enforcement of data privacy protection;
- Managing the registration of personal data processing systems in the country, including the personal data processing system of contractors and their employees entering into contracts with government agencies that involves accessing or requiring sensitive personal information of at least one thousand (1,000) individuals.
e. Complaints and Investigations. The Commission shall adjudicate on complaints and investigations on matters affecting personal data: Provided, that In resolving any complaint or investigation, except where amicable settlement is reached by the parties, the Commission shall act as a collegial body. This includes:
- Receiving complaints and instituting investigations regarding violations of the Act, these Rules, and other issuances of the Commission, including violations of the rights of data subjects and other matters affecting personal data;
- Summoning witnesses, and requiring the production of evidence by a subpoena duces tecum for the purpose of collecting the information necessary to perform its functions under the Act: Provided, that the Commission may be given access to personal data that is subject of any complaint;
- Facilitating or enabling settlement of complaints through the use of alternative dispute resolution processes, and adjudicating on matters affecting any personal data;
- Preparing reports on the disposition of complaints and the resolution of any investigation it initiates, and, in cases it deems appropriate, publicizing such reports;
f. Enforcement. The Commission shall perform all acts as may be necessary to effectively implement the Act, these Rules, and its other issuances, and to enforce its Orders, Resolutions or Decisions, including the imposition of administrative sanctions, fines, or penalties. This includes:
- Issuing compliance or enforcement orders;
- Awarding indemnity on matters affecting any personal data, or rights of data subjects;
- Issuing cease and desist orders, or imposing a temporary or permanent ban on the processing of personal data, upon finding that the processing will be detrimental to national security or public interest, or if it is necessary to preserve and protect the rights of data subjects;
- Recommending to the Department of Justice (DOJ) the prosecution of crimes and imposition of penalties specified in the Act;
- Compelling or petitioning any entity, government agency, or instrumentality, to abide by its orders or take action on a matter affecting data privacy;
- Imposing administrative fines for violations of the Act, these Rules, and other issuances of the Commission.
g. Other functions. The Commission shall exercise such other functions as may be necessary to fulfill its mandate under the Act.
The Commission shall publish or issue official directives and administrative issuances, orders, and circulars, which include:
- Rules of procedure in the exercise of its quasi-judicial functions, subject to the suppletory application of the Rules of Court;
- Schedule of administrative fines and penalties for violations of the Act, these Rules, and issuances or Orders of the Commission, including the applicable fees for its administrative services and filing fees;
- Procedure for registration of data processing systems, and notification;
- Other administrative issuances consistent with its mandate and other functions.