Privacy Commissioner Naga warns establishments that non-compliance with DPA may result in fines

PARAÑAQUE CITY, 15 May 2024 – The National Privacy Commission (NPC) conducted an on-the-spot privacy sweep and compliance check at independent retail or service stores, boutiques, pop-up booths, kiosks, or stalls within Ayala Malls Manila Bay and the surrounding area to assess their compliance with the Data Privacy Act of 2012 (DPA) and other issuances of the Commission.

Under Section 3, Rule XII of NPC Circular No. 2024-01, the on-the-spot privacy sweep will verify whether personal information controllers (PICs) or personal information processors (PIPs) operating in public areas, comply with their obligations under the DPA, its Implementing Rules and Regulations (IRR), and NPC issuances. During the privacy sweep in Ayala Malls Manila, the Commission examined all its physical and digital forms, including its data processing systems, logbooks, raffle coupons, brochures, and posters used in their operations.

Privacy Commissioner Atty. John Henry Naga led the privacy sweep and compliance check together with Data Security and Compliance Office Director Atty. Aubin Arn Nieva and Compliance and Monitoring Division Chief Atty. Rainier Anthony Milanes.

Privacy Commissioner Naga stated that on-the-spot privacy sweeps and compliance checks allow the NPC to directly engage with PICs and PIPs and guide them in their implementation of reasonable and appropriate organizational, physical, and technical measures.

“Malls and retail stores collect significant amounts of personal data from customers daily. Hence, these entities must comply with the DPA and NPC issuances to protect the rights of their data subjects and maintain consumer trust. This on-the-spot privacy sweep and compliance check would also serve as a warning to all non-compliant and erring PICs and PIPs that the NPC will not hesitate to impose administrative fines for violations of the DPA, its IRR, and the issuances of the National Privacy Commission,” the Privacy Commissioner added.

“Our primary goal is to ensure that PICs and PIPs are fully aware of their responsibilities under the DPA,” said Director Nieva. "If we find areas of non-compliance or potential vulnerabilities in their data handling practices, we can offer personalized recommendations and support to help them address these gaps and improve their data protection measures,” he added.

After completing the privacy sweep and compliance check, the NPC will present its findings and assess whether the PIC or PIP has any deficiencies that need to be addressed. If deficiencies are identified, the entity will be requested to submit the necessary documents. Once the identified deficiencies are adequately addressed or if the findings show no significant issues, the Commission will issue a Certificate of No Significant Findings to the PIC or PIP.

The NPC also set up a booth at Ayala Malls Manila Bay to raise awareness about data privacy, offer guidance for compliance with the DPA and NPC issuances, and provide resources to individuals seeking to protect their personal data.

For registration and compliance concerns, you may contact us at [email protected] and [email protected]. For other information or inquiries, please visit our official website or contact our Public Information and Assistance Division at [email protected].