The National Privacy Commission (Commission) has updated its draft Circular on administrative fines following public consultation held earlier this year on the first draft. Under the updated Draft Guidelines, the infractions are now tiered based on the applicable range of fines. The maximum fine for Tier 2 infractions has been lowered to 3% of annual gross income of the immediately preceding year of the violation.
The proposed penalties for each tiered infraction under the updated Draft Circular are, as follows:
- TIER 1: Proposed fine is between 1% to 5% of the annual gross income of the immediately preceding year of the violation
- Violation of any of the general privacy principles in the processing of personal data, pursuant to Section 11 of the DPA;
- Failure to comply with the conditions for consent, pursuant to Section 3 (b) of the DPA;
- Violation of any of the data subject rights pursuant to Section 16 of the DPA;
- TIER 2: Proposed fine is between 0.5% to 3% of the annual gross income
- Failure to implement reasonable and appropriate measures to protect the security of personal information, pursuant to Section 20 (a) (b) (c) (e) of the DPA;
- Failure to ensure that third parties processing personal information on their behalf shall implement security measures, pursuant to Section 20 (c) (d) of the DPA;
- Failure to notify the Commission and affected data subjects of personal data breaches pursuant to Section 20 (f) of the DPA, unless otherwise punishable by Section 30 of the DPA.
- TIER 3: Proposed fine is at least Php 50,000.00 and maximum of Php 100,000.00.
- Failure to register true and updated information with the Commission the identity and contact details of the personal information controller, the data processing system, and information on automated decision making.
- TIER 4: Proposed fine is an amount not exceeding Php 50,000.00, in addition to the fine imposed for the infraction subject of the Order of the Commission.
- Failure to comply with any order by the Commission, or of any of its duly authorized officers, pursuant to Section 7 of the DPA.
In the event that multiple data subjects sustain damage for a single violation by the PIC or PIP, the Commission has the option to consolidate the penalties and impose a higher penalty, taking into account the number of the affected data subjects, or impose multiple fines for each and every count corresponding to each data subject affected. Provided however that in doing so, the Commission will indicate in the required notice to the PIC or PIP on whether the violation is considered as a single violation or for multiple counts.
Image by Pete Linforth from Pixabay