Up to P5-M maximum administrative fine for non-compliance with NPC orders


The National Privacy Commission (NPC) reminded business owners, especially those operating inside malls, to ensure their businesses are registered and compliant with the Commission's regulations.

NPC Commissioner John Henry Naga and other officials during the on-the-spot privacy sweep in Ayala Malls Manila Bay on Wednesday, May 15, 2024. (Photo from NPC)

NPC conducted an on-the-spot privacy sweep and compliance check at independent retail or service stores, boutiques, pop-up booths, kiosks, or stalls within Ayala Malls Manila Bay on May 15.

In a press briefing, Privacy Commissioner John Henry Naga emphasized that the administrative fine for not following orders from the NPC ranges from P20,000 to P50,000, with a maximum limit of P5 million per violation.

"Administrative fines for not following an order from the NPC range from P20,000 to P50,000. But if it escalates, because in some cases, we have a rate, a lesser rate, and it's from P20,000 to P50,000. So, it depends on where it falls," Naga said in a mix of English and Filipino.

Compliance and Monitoring Division Chief Rainier Anthony Milanes explained that the initiative aims to verify whether the business owners in the mall are registered with the NPC and whether they are complying with the regulations of the Data Privacy Act (DPA) of 2012.

"For example, do they have a privacy notice, a CCTV (closed-circuit television) notice, and how do they protect the data collected by their CCTV cameras?" Milanes said.

"Do they have sufficient cybersecurity measures to prevent breaches or hacking? These are the kinds of things we checked earlier," the official added.


Under Section 3, Rule XII of NPC Circular No. 2024-01, the on-the-spot privacy sweep will verify whether personal information controllers (PICs) or personal information processors (PIPs) operating in public areas comply with their obligations under the DPA, its Implementing Rules and Regulations (IRR), and NPC issuances.

During the privacy sweep at Ayala Malls Manila, the Commission examined all physical and digital forms, including data processing systems, logbooks, raffle coupons, brochures, and posters used in their operations.

Naga then explained that the measure protects the data privacy rights of consumers, as malls and retail stores collect significant amounts of personal data from them.

"Hence, these entities must comply with the DPA (Data Privacy Act) and NPC issuances to protect the rights of their data subjects and maintain consumer trust," Naga said.

"This on-the-spot privacy sweep and compliance check would also serve as a warning to all non-compliant and erring PICs and PIPs that the NPC will not hesitate to impose administrative fines for violations of the DPA, its IRR (Implementing Rules and Regulations), and the issuances of the National Privacy Commission," the commissioner added.

Upon inspection, the NPC served show cause orders (SCO) to 65 establishments: 56 were not registered, and nine were registered with citations.

After conducting the privacy sweep and compliance check, the NPC will present its findings and assess whether the PIC or PIP has any deficiencies that need to be addressed.

"If deficiencies are identified, the entity will be requested to submit the necessary documents," NPC said.

"Once the identified deficiencies are adequately addressed or if the findings show no significant issues, the Commission will issue a Certificate of No Significant Findings to the PIC or PIP," it added.

The NPC also set up a booth at Ayala Malls Manila Bay to raise awareness about data privacy, offer guidance for compliance with the DPA and NPC issuances, and provide resources to individuals looking to protect their personal data.