The National Privacy Commission ("NPC") has issued NPC Circular No. 2022-01 dated 8 August 2022 regarding the Guidelines on Administrative Fines for data privacy infractions committed by personal information controllers ("PICs") and personal information processors ("PIPs"). NPC Circular No. 2022-01 encourages PICs and PIPs to promote organisational accountability by initiating measures to enhance their compliance with the Data Privacy Act of 2012 ("DPA") to protect the rights of their data subjects.
Any PIC or PIP who violates the provisions of the DPA, its implementing rules and regulations, and relevant issuances of NPC shall be liable for an administrative fine for each infraction. The amount of fine for each infraction shall fall within the ranges from 0.5% to 3% and 0.25% to 2%, respectively, of the annual gross income of the PIC or PIP that committed the infraction. The fine shall be determined by the total number of affected data subjects and the frequency of the commission of the infraction.
The PIC or PIP shall be subject to an administrative fine of not less than PhP 50,000 but not exceeding PhP 200,000 for either of the following: (i) failure to register the true identity or contact details of the PIC, the data processing system, or information on automated decision making; or (ii) failure to provide updated information as to the identity or contact details of the PIC, the data processing system, or information on automated decision making.
PICs or PIPs who refuse to pay the administrative fine under the circular may be subject to a Cease and Desist Order, or other processes or reliefs as NPC may be authorised to initiate pursuant to Section 7 of the DPA, and appropriate contempt proceedings under the Rules of Court.
