On 22 May 2019, the Personal Data Protection Commission (PDPC) published a Guide on Active Enforcement (Guide) that represents a change in the way that the PDPC handles enforcement actions going forward.
Under the current approach set out in the Advisory Guidelines on the Enforcement of the Data Protection Provisions (Guidelines), there are three main enforcement approaches. Where appropriate, PDPC could utilize alternative dispute resolution mechanisms, such as mediation and facilitated negotiations, to resolve what is perceived to primarily be a dispute between the parties. In the alternative, the PDPC could commence investigations that could involve the PDPC exercising the extent of its statutory powers of investigation under the Personal Data Protection Act (PDPA) to uncover facts and reach a decision. Lastly, where the organisation has made a decision involving the access and/or correction or personal data, the PDPC may review that decision.
The Guide sets out two other intermediate enforcement options - Voluntary undertakings and expedited decisions, that may be pursued in lieu of a full investigation. These were previously not expressly provided in the Guidelines or in the PDPA. The Guide provides information on the scope of these new options and the circumstances under which the PDPC will apply either enforcement option when investigating a breach.
This update is relevant to organisations who wish to better understand the new enforcement options that have become available and the preparatory steps that should be taken ahead of time to preserve the option for an organisation to seek an undertaking.
For more information, you can download the full alert below.