What are the penalties for non-compliance with any applicable data protection laws?
Noncompliance with data privacy laws and data breaches may lead to sanctions, fines, and penalties. The amounts are usually calculated according to the risk to which personal rights were exposed and the preventive measures taken by the data controllers, processors and sub-processors in relation to their respective role in the chain of personal data processing.
Penalties for violating the Philippine Data Privacy Act of 2012 may include fines and imprisonment. Unauthorized processing of personal information can be punished with imprisonment of up to 3 years and fines of up to 2,000,000 pesos. Unauthorized processing of sensitive personal information can result in imprisonment of up to 6 years plus a fine of up to 4,000,000 pesos. Similar fines and prison terms are imposed in cases where access to personal information or sensitive personal information is provided due to negligence.
Improper disposal of personal information can result in up to 2 years of imprisonment and a fine of up to 500,000 pesos. Improper disposal of sensitive personal information can result in up to a 3-year prison term and a fine of up to 1,000,000 pesos.
Processing personal information or sensitive personal information for unauthorized purposes can result in fines of up to 1,000,000 or 2,000,000 pesos, respectively, and a prison term of up to 5 or 7 years, respectively.
Intentional breaches, concealment of breaches and malicious disclosure also carry fines and prison terms. A combination of multiple violations can make an individual subject to imprisonment of up to 6 years and a fine of up to 5,000,000 pesos.
When the offender is an employer, penalties are imposed on the responsible officers who participated in the illegal acts directly or through gross negligence. Aliens may also be deported after serving their prison terms.
When data protection offenses impact the data of 100 or more individuals, the maximum penalties will be applied.
HR Best Practices: Before processing personal data, make sure the security measures necessary to protect employee data are in place within your organization. Furthermore, ensure you have a data breach response plan in place to notify potentially affected individuals as well as the National Privacy Commission.