Republic Act No. 10173 or the “Data Privacy Act of 2012” (“DPA”) aims to protect the personal information1 of data subjects2 collected and processed whether in the government or private sector. Under the DPA, data subjects are accorded certain rights, which they may invoke and enforce against entities that collect and process their personal information. Individuals and organizations who deal with the personal information of data subjects are duty-bound to observe and respect their data privacy rights.
Right to be informed
The data subject has a right to be informed whether personal data pertaining to him or her shall be, are being, or have been processed, including the existence of automated decision-making and profiling.
The right to be informed is the most basic right as it empowers the data subject to consider other actions to protect his or her data privacy and assert other privacy rights.
The data subject shall be notified and furnished with relevant information before the entry of his or her personal data into the processing system or at the next practical opportunity.
This right also requires personal information controllers3 to notify the data subject in a timely manner if his or her personal data has been compromised.
Right to access
The data subject also has the right to find out whether an organization holds any personal data about him or her on its computer database and/or manual filing system and, if so, gain reasonable access to them. Through this right, the data subject may also ask the organization to provide him or her with a written description of the kind of information it has about the data subject as well as its purpose/s for retaining them.
Right to object
The data subject has the right to object to the processing of his or her personal data, including processing for direct marketing, automated processing or profiling.
The data subject shall be notified and given an opportunity to withhold consent to the processing in case of changes or any amendment to the information supplied to the data subject regarding the processing of his or her personal information.
When a data subject objects or withholds consent, the personal information controller shall no longer process the personal data unless the processing is pursuant to a subpoena, for obvious purposes (contract, employer-employee relationship, etc.) or a consequence of a legal obligation.
Right to rectification
To preserve the integrity of his or her personal data, the data subject has the right to dispute the inaccuracy or error in his or her personal data and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable.
If the personal data has been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by the intended recipients thereof.
Right to erasure or blocking
The data subject has the right to suspend, withdraw or order the blocking, removal or destruction of his or her personal data. This right may be exercised upon discovery and substantial proof of any of the following:
- The personal data is incomplete, outdated, false, or unlawfully obtained;
- The personal data is being used for a purpose not authorized by the data subject;
- The personal data is no longer necessary for the purposes for which they were collected;
- The data subject withdraws consent or objects to the processing of his or her information, and there is no other legal ground or overriding legitimate interest for the processing;
- The personal data concerns private information that is prejudicial to data subject, unless justified by freedom of speech, of expression, or of the press or otherwise authorized;
- The processing is unlawful; or
- The personal information controller or personal information processor violated the rights of the data subject.
Right to file a complaint
The data subject whose personal information has been misused, maliciously disclosed, or improperly disposed, or whose data privacy rights have been violated, has the right to file a complaint with the National Privacy Commission.
Right to damages
The data subject has the right to claim compensation for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use or disclosure of his or her personal data, taking into account any violation of his or her rights and freedoms as data subject.
Right to data portability
This right assures the data subject that he or she remains in full control of his or her personal data. Data portability allows the data subject to obtain and electronically move, copy or transfer his or her personal data in a secure manner for further use. It enables the free flow of personal information across the internet and organizations, according to the data subject’s preference. This is important especially now that several organizations and services can reuse the same data.
Data portability allows the data subject to manage his or her personal data in a private device, and to transmit such data from one personal information controller to another. As such, it promotes competition that fosters better services for the public.
Prepared: December 2018
(1) “Personal data” refers to all types of personal information. “Personal information” refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual; Section 3, Rule 1 of Implementing Rules and Regulations of Republic Act 10173 (“Data Privacy Act of 2012”).
(2) “Data subject” refers to an individual whose personal, sensitive personal, or privileged information is processed; Section 3, Rule 1 of Implementing Rules and Regulations of Republic Act 10173 (“Data Privacy Act of 2012”).
(3) “Personal information controller” refers to a natural or juridical person, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf. The term excludes: (1) a natural or juridical person, or any other body, who performs such functions as instructed by another person or organization; or (2) a natural person who processes personal data in connection with his or her personal, family, or household affairs. There is control if the natural or juridical person or any other body decides on what information is collected, or the purpose or extent of its processing.