In brief

The National Privacy Commission (NPC) recently issued NPC Circular No. 2024-01 (“Circular”), which amends certain provisions of the 2021 Rules of Procedure (“NPC Rules of Procedure”). The Circular aims to further streamline the process of receiving complaints and instituting investigations on matters affecting any personal information. The amendments impose certain requirements in case of privacy violation complaints by minors or persons alleged to be incompetent. There are likewise new rules on service of judgments and other resolutions through electronic mail, joinder of parties, and alternative dispute resolution through mediation. The Circular also provides for the procedure to be adopted in case of breach notification and data breach investigations and covers the procedures for various compliance checks that may be performed by the NPC like privacy sweeps, warning letters, notice of documents submission, and onsite visits.

The Circular took effect on 10 February 2024.


Contents

  1. Criteria on persons who may file a complaint
  2. Service of judgments, orders, or resolutions through electronic systems and electronic mail
  3. Joinder of parties and entities without juridical personality
  4. Alternative dispute resolution through mediation proceedings
  5. Breach investigation and notification
  6. Compliance checks
  7. Recommended actions

Criteria on persons who may file a complaint

Data subjects who are affected by a privacy violation or data breach may file complaints with the NPC.1

In the case of a minor or a person alleged to be incompetent, proof of the relationship with the complainant must be presented to the NPC as an attachment to the complaint.2 In case the minor is represented by a parent, his or her birth certificate shall be considered as sufficient proof.3 On the other hand, for a guardian, a court order designating such person as his or her guardian is sufficient.4

The Circular provides that one or more data subjects may be represented by a single juridical person.5 The juridical person must be authorized by the data subjects to appear and act on their behalf through a special power of attorney (SPA).6 Further, the person representing the juridical person must be authorized through a Board Resolution contained in a duly notarized Secretary’s Certificate or its equivalent in case of government agencies.7

In case the complainant is a non-resident citizen who has no authorized representative in the Philippines or is unable to appoint such a representative, such person may still submit a complaint in accordance with the NPC Rules of Procedure.8 However, the complaint should be notarized by the Philippine Embassy/Consulate, or with an apostille certificate from the country of origin.9

Service of judgments, orders, or resolutions through electronic systems and electronic mail

Judgments, orders, or resolutions may now be served by electronic systems, which comprise sending through user accounts and auto-generated notifications implemented by the NPC.10 At its discretion, the NPC may also serve judgments, orders, or resolutions: (1) personally; (2) by registered mail; (3) by courier; or (4) by other electronic mail.11

Joinder of parties and entities without juridical personality

All persons in whom or against whom any right to relief in respect to or arising out of the same transaction or series of transactions is alleged to exist, whether jointly, severally, or in the alternative, may join as complainants or be joined as respondents in one complaint, where any question of law or fact common to all such complainants or to all such respondents may arise in the action.12

Parties in interest without whom no final determination can be had of an action must be joined either as complainants or respondents.13 Further, whenever in any complaint or pleading in which a claim is asserted a necessary party is not joined, the pleader shall set forth the party’s name, if known, and shall state why the party is omitted.14 Should the NPC find the reason for the omission unmeritorious, it may order the inclusion of the omitted necessary party if jurisdiction over the person may be obtained.15 The failure to comply with the order for a necessary party’s inclusion, without justifiable cause, shall be deemed a waiver of the claim against such party.16

When two or more persons not organized as an entity with juridical personality enter into a transaction, they may be sued under the name by which they are generally or commonly known.17 Further, in the answer of such respondent, the names and addresses of the persons composing the entity must be accurately stated.18 The address to be used shall be the last known address of the respondent.19

Alternative dispute resolution through mediation proceedings

The Circular provides that parties, by mutual agreement, may signify their intent to explore the possibility of settling issues through mediation during the preliminary conference or at any stage of the proceedings but before the endorsement of the case for decision by the Legal and Enforcement Office (LEO) Director or the NPC, as the case may be.20

The Circular allows parties to apply for mediation through their representatives, provided that the latter are duly authorized by a SPA to appear, offer, negotiate, accept, decide, and enter into a mediated settlement agreement without additional consent or authority from the party.21 For a juridical person, the representative must be authorized by a Board Resolution contained in a duly notarized Secretary’s Certificate, or any equivalent written authority.22

In addition to the NPC premises, the Circular has now allowed video conferencing as an alternative venue for mediation proceedings, to enable the remote appearance and testimony of parties.23

Moreover, parties are now allowed to re-apply for mediation despite a prior failure to reach settlement provided that the application is filed before the endorsement of the case for decision by the NPC and subject to compliance with the Rules.24

Breach investigation and notification

The Circular provides that the CMD shall be the initial recipient of data breach notifications and shall immediately assign an Evaluating Officer to review the data breach notification.25 Upon receipt of the data breach notification, the Evaluating Officer shall recommend to resolve preliminary requests from the controller or processor for: (a) extensions to notify data subjects; or (b) extensions to file the full breach report.26 The preliminary requests for extensions granted by the CMD shall be for a period of 20 calendar days counted from the date of the request.27

The Circular has added that the breach notification evaluation report may contain a recommendation for: (1) a possible violation of the DPA arising from the breach matter; and (2) the imposition of administrative fines on other infractions.28 Moreover, upon the finding of a possible data privacy violation that requires further investigation, the CMD shall: (1) endorse the final breach notification evaluation report to the NPC for the resolution of the breach case; and (2) endorse the matter to the CID for further investigation for a possible data privacy violation.29

The Circular also clarifies that the CID may use this information to initiate a sua sponte investigation if the NPC receives information that a possible data breach occurred but the controller or processor did not submit any notification to the NPC.30

Compliance checks

The Circular provides that a compliance check may be conducted based on any of the following considerations.31

  1. Level of risk to the rights and freedoms of data subjects posed by personal data processing by a controller or processor
  2. Reports received by the NPC against the controller or processor, or its sector
  3. Non-registration of a controller or processor that is subject to the mandatory registration requirement
  4. Unsecured or publicly available personal data found on the premises and on the internet that may be traced to a controller or processor
  5. Other considerations that indicate non-compliance with the DPA, its implementing rules and regulations (IRR), or NPC issuances
  6. In the discretion of the CMD, there is an urgent need to ensure the protection of voluminous personal data records and such can only be done by actual physical inspection of said records within the controller or processor’s office premises

A privacy sweep shall refer to the initial mode of compliance check where the NPC shall review a controller or processor’s compliance with respect to its obligations under the DPA, IRR, and NPC issuances, based on publicly available or accessible information, including but not limited to, websites, mobile applications, raffle coupons, brochures, privacy notices, social media pages or accounts, and other physical or digital forms.32 The CMD may also conduct an on-the-spot privacy sweep on the premises, pop-up stores, kiosks, or stalls where personal data is processed.33

Pursuant to the privacy sweep, the CMD shall issue a warning letter in any of these instances: (1) CMD discovers data privacy issues involving a controller or processor who has not yet registered or whose registration has expired; or (2) CMD determines that a risk to the rights and freedoms of a data subject is present and requires the controller or processor’s urgent and immediate action.34

The CMD shall issue a notice of document submission in the following instances: (1) the CMD discovers that the controller or processor has failed to demonstrate substantial compliance with the DPA, IRR, and other NPC issuances; (2) if the CMD requires additional information to fully determine the controller or processor’s level of compliance; or (3) if the CMD requires further verification to determine if the controller or processor has embedded data privacy policies and data protection measures in its operations.35

The CMD shall conduct an on-site visit (OSV) to: (1) the principal place of business of the controller or processor; or (2) where personal data is processed in cases where there are persistent issues or substantial findings of non-compliance with the obligations indicated in the DPA and NPC issuances.36

The CMD shall issue a deficiency report when, based on the OSV, there are existing gaps in the controller or processor’s compliance with the DPA, IRR, and NPC issuances.37 If the controller or processor fails to address the issues raised in a deficiency report or is determined to be non-compliant with the DPA, IRR, and other issuances of the NPC after being subjected to any of the modes of compliance checks, the CMD shall issue the notice of deficiencies indicating the period of time within which to correct the identified deficiencies, which shall not be less than 10 days from receipt of the notice.38

The NPC shall issue a compliance order in any of the following instances: (1) after the lapse of the period provided in the notice of deficiencies and no action was taken by the controller or processor to correct the identified deficiencies; (2) after the lapse of the period provided in the notice of deficiencies and such identified deficiencies persist;39 (3) in the course of the conduct of an OSV, the controller or processor refuses or fails to provide access to premises, records or prevents the conduct of the inspection; or (4) in the course of the conduct of the on-the-spot privacy sweep, the controller or processor refuses or prevents the conduct of the inspection on otherwise publicly available areas or information.

The CMD shall issue a certificate of no significant findings to a controller or processor: (1) that has undergone document submission or an OSV; (2) where no substantial deficiencies were found; or (3) the deficiencies identified in the deficiency report or notice of deficiencies have already been addressed to the satisfaction of the NPC.40 

Recommended actions

Clients are advised to take note of the amendments to the NPC Rules of Procedure that seek to streamline efficiency in the case resolution process. Clients who process personal data must continue to ensure compliance with the requirements under the DPA, IRR, and other NPC issuances.

For more information, the full Circular may be accessed through this link.


1 Rule II, Section 1, NPC Rules of Procedure.

2 Rule II, Section 1, NPC Rules of Procedure.

3 Rule II, Section 1, NPC Rules of Procedure.

4 Rule II, Section 1, NPC Rules of Procedure.

5 A juridical person refers to: (1) the State and its political subdivisions; (2) corporations, institutions, and entities that are created by law for public interest or purpose; and (3) corporations, partnerships, and associations for private interest or purpose to which the law grants a juridical personality, separate and distinct from that of each shareholder, partner, or member.

6 Rule II, Section 1, NPC Rules of Procedure.

7 Rule II, Section 1, NPC Rules of Procedure.

8 Rule II, Section 1, NPC Rules of Procedure.

9 Rule II, Section 1, NPC Rules of Procedure.

10 Rule III, Section 6, NPC Rules of Procedure.

11 Rule II, Section 1, NPC Rules of Procedure.

12 Rule IV, Section 3, NPC Rules of Procedure, on permissive joinder of parties.

However, the NPC may make such orders as may be just to prevent any complainant or respondent from being embarrassed or put to expense in connection with any proceedings in which the party has no interest.

13 Rule IV, Section 4, NPC Rules of Procedure, on compulsory joinder of necessary parties.

14 Rule IV, Section 6, NPC Rules of Procedure.

A necessary party is one who is not indispensable but who ought to be joined as a party if complete relief is to be accorded as to those already parties, or for a complete determination or settlement of the claim subject of the action.

15 Rule IV, Section 6, NPC Rules of Procedure, on non-joinder of parties.

16 Rule IV, Section 6, NPC Rules of Procedure.

17 Rule IV, Section 8, NPC Rules of Procedure.

18 Rule IV, Section 8, NPC Rules of Procedure.

19 Rule IV, Section 8, NPC Rules of Procedure.

20 Rule VI, Section 1, NPC Rules of Procedure.

21 Rule VI, Sections 2 and 8, NPC Rules of Procedure.

22 Rule VI, Sections 2 and 8, NPC Rules of Procedure.

23 Rule VI, Section 11, NPC Rules of Procedure.

24 Rule VI, Section 17, NPC Rules of Procedure.

25 Rule XI, Section 2, NPC Rules of Procedure.

26 Rule XI, Section 3, NPC Rules of Procedure.

27 Rule XI, Section 3, NPC Rules of Procedure.

28 Rule XI, Section 6, NPC Rules of Procedure.

29 Rule XI, Section 6, NPC Rules of Procedure.

30 Rule XI, Section 10, NPC Rules of Procedure.

31 Rule XII, Section 14, NPC Rules of Procedure.

32 Rule XII, Section 2, NPC Rules of Procedure.

33 Rule XII, Section 3, NPC Rules of Procedure.

34 Rule XII, Section 4, NPC Rules of Procedure.

35 Rule XII, Section 4, NPC Rules of Procedure.

36 Rule XII, Section 10, NPC Rules of Procedure.

37 Rule XII, Section 14, NPC Rules of Procedure.

38 Rule XII, Section 15, NPC Rules of Procedure.

39 Rule XII, Section 16, NPC Rules of Procedure.

Moreover, compliance orders shall state the deficiencies remaining or actions to be taken, the period within which to undertake the corrections ordered by the NPC, and the period to report such actions.

40 Rule XII, Section 19, NPC Rules of Procedure.

The issuance of this certificate is without prejudice to any other recommendation being made by the CMD for the improvement of the controller or processor’s compliance with the DPA, IRR, and NPC issuances. The issuance of the certificate does not bar an investigation for any possible liability arising from complaints and/or personal data breaches filed before the NPC.


Please contact QTInfoDesk@quisumbingtorres.com for inquiries.

Author

Divina Ilas-Panganiban, CIPM is a partner and the head of Quisumbing Torres’ Intellectual Property, Data and Technology Practice Group and co-heads the Technology, Media & Telecommunications (TMT) Industry Group. She participates in initiatives of Baker & McKenzie International of which Quisumbing Torres is a member firm. She is a member of Baker & McKenzie International's Asia Pacific TMT, and the Asia Pacific Intellectual Property Steering Committees.
Divina is a Certified Information Privacy Manager by the International Association of Privacy Professionals (IAPP). She currently serves as the Vice-President and Director of the Philippine Chapter of the Licensing Executives Society International, the Regional Vice-chair of the LESI's Education Committee, the Co-chairperson of the Committee on Intellectual Property Rights of The American Chamber of Commerce of the Philippines, and the Chairperson of the IAPP KnowledgeNet Chapter for the Philippines.
Divina was recently appointed to be a member of the Advisory Council for Intellectual Property (ACIP) of the Intellectual Property Office of the Philippines (IPOPHL). The ACIP is an advisory board composed of a select group of people from different sectors to which IP is of great value. She was recently recognized in the Hall of Fame for Best External Lecturers by the IP Academy of the IPOPHL.
Divina just finished her stint as the chair of the Unreal Campaign of the International Trademarks Association (INTA) for East Asia and the Pacific and continues to organize anti-counterfeiting activities in schools and universities around the country, educating the youth about the importance of intellectual property protection.
Divina is a multi-awarded lawyer with a stellar track record in the IP, data and technology fields. She has garnered numerous awards and accolades, including the Woman Lawyer of the Year by the ALB Philippine Law Awards 2023. She has been cited as a leading lawyer for Intellectual Property and TMT by The Legal 500 Asia Pacific, Chambers Asia Pacific, Managing IP, World Trademark, Asialaw and IAM Patent 1000, among others. Known for her exceptional legal expertise and unwavering commitment to her clients, Divina has established herself as a leader in her profession.

Author

Frederick August Jose is a partner in Quisumbing Torres’ Intellectual Property, Data and Technology Practice Group and Technology, Media & Telecommunications. He has 12 years of experience in a wide range of IP and IT corporate and litigation matters.
Frederick is a Certified Information Privacy Professional for Europe by the International Association of Privacy Professionals (IAPP). He has been appointed as a member of the Co-Existence Agreement Sub-Committee of the International Trademark Association (INTA) for the term 2022 to 2023. He actively participates as a speaker in various regional and local seminars and trainings on IP, IT and data privacy in the Philippines. He also teaches summer law courses, and Intellectual Property Law.

Author

Jonathan Peter A. Gregorio is an associate with the Intellectual Property, Data and Technology Practice at Quisumbing Torres, a member firm of Baker & McKenzie International. He obtained his Juris Doctor degree from the Ateneo Professional Schools - School of Law in 2021 and was admitted to the Philippine bar in 2022.