What are the penalties for non-compliance with any applicable data protection laws?
Non-compliance with data privacy laws and data breaches may lead to sanctions, fines, and penalties. The amounts are usually calculated according to the risk to which personal rights were exposed and the preventive measures taken by the data controllers, processors and sub-processors in relation to their respective role in the chain of personal data processing.
Penalties for violating the Philippine Data Privacy Act (2012) may include fines and imprisonment. Unauthorized processing of personal information can include a penalty of imprisonment of up to 3 years and fines up to 2,000,000 pesos. Unauthorized processing of sensitive personal information can result in imprisonment of up to 6 years plus a fine of up to 4,000,000 pesos. Similar fines and imprisonment will be imposed in cases where access to personal information or sensitive personal information is provided due to negligence.
Improper disposal of personal information can result in up to 2 years of imprisonment and a fine of up to 500,000 pesos. Improper disposal of sensitive personal information can result in up to a 3-year prison term and a fine of up to 1,000,000 pesos.
Processing personal information or sensitive personal information for unauthorized purposes can result in fines of up to 1,000,000 or 2,000,000 pesos and a prison term of up to 5 or 7 years, respectively.
Intentional breaches, concealment of breaches and malicious disclosure also carry fines and prison terms. Combinations of multiple violations can make an individual subject to imprisonment of up to 6 years and a fine of up to 5,000,000 pesos.
When the employer is an offender, penalties will be imposed upon the responsible officers who participated in the illegal acts directly or through gross negligence. Resident aliens may also be deported after their prison terms.
When data protection offenses impact the data of 100 or more individuals, the maximum penalties will be applied.
HR Best Practices: Before processing personal data, make sure your organization has put in place the security measures necessary to protect employee data. Furthermore, ensure you have a data breach response plan in place to notify potentially impacted individuals as well as the National Privacy Commission.
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.