The National Privacy Commission (NPC) yesterday reminded establishments to register their privacy compliance with the agency to avoid being slapped with fines and/or imprisonment, which take effect this month.
In a press conference following the first on-the-spot privacy sweep and compliance check at independent retail or service stores, boutiques, pop-up booths, kiosks, or stalls in Ayala Malls Manila Bay yesterday, NPC Commissioner John Henry Naga said establishments with 250 employees or those processing data of more than a thousand individuals are covered by the requirement.
Naga said those not covered are required to submit an undertaking in lieu of registration.
He said establishments are checked if they comply with the provisions of the Data Privacy Act in handling information collected from their employees or their clients.
This will ensure consumers are safeguarded against phishing, smishing and other scams.
Establishments are also mandated to have a privacy notice and CCTV notice displayed in their establishments.
They could face fines of up to P5 million per violation, and/or imprisonment.
At the sweep, NPC issued 47 show-cause orders to erring establishments, which are given five days to respond.
Naga also advised data subjects not to arbitrarily give out data, especially sensitive information such as that contained in their identification cards and passports, as well as birthdates.
Under Section 3, Rule XII of NPC Circular No. 2024-01, the on-the-spot privacy sweep will verify whether personal information controllers or personal information processors operating in public areas comply with their obligations under the DPA, its Implementing Rules and Regulations (IRR), and NPC issuances.
During the privacy sweep in Ayala Malls Manila, the Commission examined all its physical and digital forms, including its data processing systems, logbooks, raffle coupons, brochures, and posters used in their operations.
“Malls and retail stores collect significant amounts of personal data from customers daily. Hence, these entities must comply with the DPA and NPC issuances to protect the rights of their data subjects and maintain consumer trust.
“If we find areas of non-compliance or potential vulnerabilities in their data handling practices, we can offer personalized recommendations and support to help them address these gaps and improve their data protection measures,” he added.