NPC will require firms handling data to prove registration exemption

THE National Privacy Commission (NPC) said businesses processing data that do not meet the registration threshold must still submit a declaration of exemption or risk penalty.

NPC Data Security and Compliance Office Director Aubin Arn R. Nieva said in a statement on Monday that, in general, business owners processing the data of clients, customers, and employees must register with the NPC.

“If your business has 250 or more employees, 1,000 or more customers, or collects personal data that poses a risk to the rights and freedoms of data subjects, you are required to register with the NPC,” Mr. Nieva said.

“Even if your business does not meet these thresholds, you must submit a declaration of exemption. Non-compliance will result in corresponding sanctions and penalties,” he added.

According to Mr. Nieva, businesses that will not comply with NPC Circular No. 2022-04 could face fines of up to P5 million for violating the Data Privacy Act (DPA) of 2012.

Previously, the NPC said that personal information controllers (PICs) and personal information processors (PIPs) that remain unregistered will be issued show cause orders for non-compliance with the DPA and relevant NPC issuances.

“The public is strongly encouraged to report any business collecting personal data without the NPC Seal of Registration,” Mr. Nieva said.

According to Mr. Nieva, the NPC is adjudicating the cases of 50 PICs recommended by the Data Security and Compliance Office for administrative fines due to non-registration, including 28 from government entities,” he added.

Last month, the NPC held its first on-the-spot privacy sweep and compliance check at Ayala Malls Manila Bay, which resulted in the issuance of 65 show-cause orders to independent retail and service stores.

The regulator plans to replicate the on-the-spot sweep at other malls to ensure that PICs and PIPs are fully aware of their responsibilities under the DPA. — Justine Irish D. Tabile