by: Attys. Divina P.V. Ilas-Panganiban, Reena C. Mitra-Ventanilla, & Berenice Joanna G. Dela Cruz, Quisumbing Torres, Law Offices Manila
In Brief
The National Privacy Commission (NPC) recently issued NPC Circular No. 2024-01 ("Circular"), which amends certain provisions of the 2021 Rules of Procedure ("NPC Rules of Procedure"). The Circular aims to further streamline the process of receiving complaints and instituting investigations on matters affecting any personal information. The amendments impose certain requirements in case of privacy violation complaints by minors or persons alleged to be incompetent. There are likewise new rules on service of judgments and other resolutions through electronic mail, joinder of parties, and alternative dispute resolution through mediation. The Circular also provides for the procedure to be adopted in case of breach notification and data breach investigations and covers the procedures for various compliance checks that may be performed by the NPC like privacy sweeps, warning letters, notice of documents submission, and onsite visits.
The Circular took effect on 10 February 2024.
Criteria on persons who may file a complaint
Data subjects who are affected by a privacy violation or data breach may file complaints with the NPC.
In the case of a minor or a person alleged to be incompetent, proof of the relationship with the complainant must be presented to the NPC as an attachment to the complaint. In case the minor is represented by a parent, his or her birth certificate shall be considered as sufficient proof. On the other hand, for a guardian, a court order designating such person as his or her guardian is sufficient.
The Circular provides that one or more data subjects may be represented by a single juridical person. The juridical person must be authorized by the data subjects to appear and act on behalf of their behalf through a special power of attorney (SPA). Further, the person representing the juridical person must be authorized through a Board Resolution contained in a duly notarized Secretary’s Certificate or its equivalent in case of government agencies.
In case the complainant is a non-resident citizen who has no authorized representative in the Philippines or is unable to appoint such a representative, such person may still submit a complaint in accordance with the NPC Rules of Procedure. However, the complaint should be notarized by the Philippine Embassy/Consulate, or with an apostille certificate from the country of origin.
Service of judgements, orders, or resolutions through electronic systems and electronic mail
Judgments, orders, or resolutions may now be served by electronic systems which comprise of sending through user accounts and auto-generated notifications implemented by the NPC. At its discretion, the NPC may also serve judgments, orders, or resolutions: (1) personally; (2) by registered mail; (3) by courier; or (4) by other electronic mail.
Joinder of parties and entities without judicial personality
All persons in whom or against whom any right to relief in respect to or arising out of the same transaction or series of transactions is alleged to exist, whether jointly, severally, or in the alternative, may join as complainants or be joined as respondents in one complaint, where any question of law or fact common to all such complainants or to all such respondents may arise in the action.
For parties in interest without whom no final determination can be had of an action must be joined either as complainants or respondents. Further, whenever in any complaint or pleading in which a claim is asserted a necessary party is not joined, the pleader shall set forth the party’s name, if known, and shall state why the party is omitted. Should the NPC find the reason for the omission unmeritorious, it may order the inclusion of the omitted necessary party if jurisdiction over the person may be obtained.15 The failure to comply with the order for a necessary party’s inclusion, without justifiable cause, shall be deemed a waiver of the claim against such party.
When two or more persons not organized as an entity with juridical personality enter into a transaction, they may be sued under the name by which they are generally or commonly known. Further, in the answer of such respondent, the names and addresses of the persons composing the entity must be accurately stated. The address to be used shall be the last known address of the respondent.
Alternative dispute resolution through mediation proceedings
The Circular provides that parties, by mutual agreement, may signify their intent to explore the possibility of settling issues through mediation during the preliminary conference or at any stage of the proceedings but before the endorsement of the case for decision by the Legal and Enforcement Office (LEO) Director or the NPC, as the case may be.
The Circular allows parties to apply for mediation through their representatives, provided that the latter are duly authorized by a SPA to appear, offer, negotiate, accept, decide, and enter into a mediated settlement agreement without additional consent or authority from the party. For a juridical person, the representative must be authorized by a Board Resolution contained in a duly notarized Secretary’s Certificate, or any equivalent written authority.
In addition to the NPC premises, the Circular has now allowed video conferencing as an alternative venue for mediation proceedings, to enable the remote appearance and testimony of parties.
Moreover, parties are now allowed to re-apply for mediation despite a prior failure to reach settlement provided that the application is filed before the endorsement of the case for decision by the NPC and subject to compliance with the Rules.
Breach investigation and notification
The Circular provides that the CMD shall be the initial recipient of data breach notifications and shall immediately assign an Evaluating Officer to review the data breach notification. Upon receipt of the data breach notification, the Evaluating Officer shall recommend to resolve preliminary requests from the controller or processor for: (a) extensions to notify data subjects; or (b) extensions to file full breach report. The preliminary requests for extensions granted by the CMD shall be for a period of 20 calendar days counted from the date of the request.
The Circular has added that the breach notification evaluation report may contain a recommendation for: (1) a possible violation of the DPA arising from the breach matter; and (2) the imposition of administrative fines on other infractions. Moreover, upon the finding of a possible data privacy violation that requires further investigation, the CMD shall: (1) endorse the final breach notification evaluation report to the NPC for the resolution of the breach case; and (2) endorse the matter to the CID for further investigation for a possible data privacy violation.
The Circular also clarifies that the CID may use this information to initiate a sua sponte investigation if the NPC receives information that a possible data breach occurred but the controller or processor did not submit any notification to the NPC.
Compliance checks
The Circular provides that a compliance check may be conducted based on any of the following considerations below.
- Level of risk to the rights and freedoms of data subjects posed by personal data processing by a controller or processor
- Reports received by the NPC against the controller or processor, or its sector
- Non-registration of a controller or processor that is subject to the mandatory registration requirement
- Unsecured or publicly available personal data found on the premises and on the internet that may be traced to a controller or processor
- Other considerations that indicate non-compliance with the DPA, its implementing rules and regulations (IRR), or NPC issuances
- In the discretion of the CMD, there is an urgent need to ensure the protection of voluminous personal data records and such can only be done by actual physical inspection of said records within the controller or processor’s office premises
A privacy sweep shall refer to the initial mode of compliance check where the NPC shall review a controller of processor’s compliance with respect to its obligations under the DPA, IRR, and NPC issuances, based on publicly available or accessible information, including but not limited to, websites, mobile applications, raffle coupons, brochures, privacy notices, social media pages or accounts, and other physical or digital forms. The CMD may also conduct an on-the-spot privacy sweep on the premises, pop-up stores, kiosks, or stalls where personal data is processed.
Pursuant to the privacy sweep, the CMD shall issue a warning letter in any of these instances: (1) CMD discovers data privacy issues involving a controller or processor who has not yet registered or whose registration has expired; or (2) CMD determines that a risk to the rights and freedoms of a data subject is present and requires the controller or processor's urgent and immediate action.
The CMD shall issue a notice of document submission based on the instances: (1) the CMD discovers that the controller or processor has failed to demonstrate substantial compliance with the DPA, IRR, and other NPC issuances; (2) if the CMD requires additional information to fully determine the controller or processor's level of compliance; or (3) if the CMD requires further verification to determine if the controller or processor has embedded data privacy policies and data protection measures in its operations.
The CMD shall conduct an on-site visit (OSV) to: (1) the principal place of business of the controller or processor; or (2) where personal data is processed in cases where there are persistent issues or substantial findings of non-compliance with the obligations indicated in the DPA and NPC issuances.
The CMD shall issue a deficiency report based on the OSV that there are existing gaps in the controller or processor's compliance with the DPA, IRR, and NPC issuances. If the controller or processor fails to address the issues raised in a deficiency report or is determined to be non-compliant with the DPA, IRR, and other issuances of the NPC after being subjected to any of the modes of compliance checks, the CMD shall issue the notice of deficiencies indicating the period of time within which to correct the identified deficiencies, which shall not be less than 10 days from receipt of the notice.
The NPC shall issue a compliance order in any of the following instances: (1) after the lapse of the period provided in the notice of deficiencies and no action was taken by the controller or processor to correct the identified deficiencies; (2) after the lapse of the period provided in the notice of deficiencies and such identified deficiencies persist; (3) in the course of the conduct of an OSV, the controller or processor refuses or fails to provide access to premises, records or prevents the conduct of the inspection; or (4) in the course of the conduct of the on-the-spot privacy sweep, the controller or processor refuses or prevents the conduct of the inspection on otherwise publicly available areas or information.
The CMD shall issue a certificate of no significant findings to a controller or processor: (1) that has undergone document submission or an OSV; (2) where no substantial deficiencies were found; or (3) the deficiencies identified in the deficiency report or notice of deficiencies have already been addressed to the satisfaction of the NPC.
Disclaimer: The views and opinions expressed in the articles are those of the authors and do not necessarily reflect the official policy or position of IPAP.