Shangri-La Plaza in Mandaluyong City. Photo: The Urban Roamer via Raffy Ayeng
NPC flags 66 Shangri-La boutiques, stalls

Raffy Ayeng

For violating regulations of the Data Privacy Act, a total of 66 boutiques, independent retail or service stores, pop-up booths, kiosks, and stalls at Shangri-La Mall in Mandaluyong City were flagged by the National Privacy Commission.

This was after the NPC conducted an on-the-spot privacy sweep and compliance check at establishments collecting personal data within the said mall last Wednesday.

The sweep was to assess stalls’ compliance with the Data Privacy Act of 2012 (DPA) and other issuances of the Commission.

“The NPC’s Compliance and Monitoring Division found that the majority of the entities operating within the Mall were substantially compliant with NPC regulations. However, sixty-six (66) citation tickets had to be issued to some of the boutiques, independent retail or service stores, pop-up booths, kiosks, or stalls in the Mall,” the NPC said in a statement on Friday.

The NPC said the registered tenants were flagged for failing to comply with mandatory NPC requirements, such as displaying the NPC Seal of Registration and privacy and CCTV notices at the main entrance of their respective places of business or offices, or at the most conspicuous place, to ensure visibility to all data subjects.

In response, the Shangri-La Plaza Mall Legal Team will mandate its tenants to either register their Data Processing System (DPS) with the NPC or submit a Notarized Sworn Declaration and Undertaking for Exemption from Registration to the NPC as a leasing requirement.

Privacy Commissioner Atty. John Henry Naga maintained that the on-the-spot privacy sweep aims to enhance data privacy awareness across the country, particularly in light of numerous data breaches.

“We emphasize that registration and compliance with NPC regulations are legal obligations. We hope that our next round of on-the-spot privacy sweeps and compliance checks nationwide will find even more compliant establishments. We strongly urge personal information controllers to register with the NPC to ensure the protection of personal data of your data subjects, thereby fostering trust and confidence in your business,” Naga stressed.

Under Section 3, Rule XII of NPC Circular No. 2024-01, the on-the-spot privacy sweep will verify whether personal information controllers or personal information processors operating in public areas comply with their obligations under the DPA, its Implementing Rules and Regulations, and NPC issuances, based on publicly available or accessible information such as, but not limited to, websites, mobile applications, raffle coupons, brochures, and privacy notices.

Failure to register and comply with NPC directives may result in administrative fines reaching P5 million, as provided in NPC Circular 2022-01, or the Guidelines on Administrative Fines.