Data Privacy Act of 2012

Republic Act No. 10173

I. General Provisions

A. Declaration of Policy1. – It is the policy of the State to protect the fundamental

human right of privacy, of communication while ensuring free flow of
information to promote innovation and growth. The State recognizes the vital
role of information and communications technology in nation-building and its
inherent obligation to ensure that personal information in information and
communications systems in the government and in the private sector are
secured and protected.

B. Definition of Terms2.

1. Consent of the data subject refers to any freely given, specific, informed
indication of will, whereby the data subject agrees to the collection and
processing of personal information about and/or relating to him or her.
Consent shall be evidenced by written, electronic or recorded means. It
may also be given on behalf of the data subject by an agent specifically
authorized by the data subject to do so.

2. Data subject refers to an individual whose personal information is

processed.

3. Personal information refers to any information whether recorded in a

material form or not, from which the identity of an individual is apparent
or can be reasonably and directly ascertained by the entity holding the
information, or when put together with other information would directly
and certainly identify an individual.

4. Personal information controller refers to a person or organization who

controls the collection, holding, processing or use of personal information,
including a person or organization who instructs another person or
organization to collect, hold, process, use, transfer or disclose personal
information on his or her behalf. The term excludes:

a. A person or organization who performs such functions as instructed

by another person or organization; and

b. An individual who collects, holds, processes or uses personal

information in connection with the individual’s personal, family or
household affairs.

5. Processing refers to any operation or any set of operations performed upon

personal information including, but not limited to, the collection,
recording, organization, storage, updating or modification, retrieval,
consultation, use, consolidation, blocking, erasure or destruction of data.

6. Privileged information refers to any and all forms of data which under the
Rules of Court and other pertinent laws constitute privileged
communication.

7. Sensitive personal information refers to personal information:

1 Section 2, Data Privacy Act of 2012.

2 Section 3, Data Privacy Act of 2012.
 a. About an individual’s race, ethnic origin, marital status, age, color, and
religious, philosophical or political affiliations;

b. About an individual’s health, education, genetic or sexual life of a

person, or to any proceeding for any offense committed or alleged to
have been committed by such person, the disposal of such
proceedings, or the sentence of any court in such proceedings;

c. Issued by government agencies peculiar to an individual which

includes, but not limited to, social security numbers, previous or cm-
rent health records, licenses or its denials, suspension or revocation,
and tax returns; and

d. Specifically established by an executive order or an act of Congress to

be kept classified.

C. Scope3. – This Act applies to the processing of all types of personal information
and to any natural and juridical person involved in personal information
processing including those personal information controllers and processors
who, although not found or established in the Philippines, use equipment that
are located in the Philippines, or those who maintain an office, branch or
agency in the Philippines subject to the immediately succeeding paragraph:

This Act does not apply to the following:

1. Information about any individual who is or was an officer or employee of a

government institution that relates to the position or functions of the
individual, including:

a. The fact that the individual is or was an officer or employee of the

government institution;
b. The title, business address and office telephone number of the
individual;
c. The classification, salary range and responsibilities of the position held
by the individual; and
d. The name of the individual on a document prepared by the individual
in the course of employment with the government;

2. Information about an individual who is or was performing service under

contract for a government institution that relates to the services performed,
including the terms of the contract, and the name of the individual given in
the course of the performance of those services;

3. Information relating to any discretionary benefit of a financial nature such

as the granting of a license or permit given by the government to an
individual, including the name of the individual and the exact nature of the
benefit;

4. Personal information processed for journalistic, artistic, literary or research

purposes;

5. Information necessary in order to carry out the functions of public authority

which includes the processing of personal data for the performance by the
independent, central monetary authority and law enforcement and
regulatory agencies of their constitutionally and statutorily mandated
functions. Nothing in this Act shall be construed as to have amended or
repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank

3 Section 4, Data Privacy Act of 2012.

 Deposits Act; Republic Act No. 6426, otherwise known as the Foreign
Currency Deposit Act; and Republic Act No. 9510, otherwise known as the
Credit Information System Act (CISA);

6. Information necessary for banks and other financial institutions under the
jurisdiction of the independent, central monetary authority or Bangko
Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act
No. 9160, as amended, otherwise known as the Anti-Money Laundering Act
and other applicable laws; and

7. Personal information originally collected from residents of foreign

jurisdictions in accordance with the laws of those foreign jurisdictions,
including any applicable data privacy laws, which is being processed in the
Philippines.

D. Extraterritorial Application4. – This Act applies to an act done or practice

engaged in and outside of the Philippines by an entity if:

1. The act, practice or processing relates to personal information about a

Philippine citizen or a resident;

2. The entity has a link with the Philippines, and the entity is processing
personal information in the Philippines or even if the processing is outside
the Philippines as long as it is about Philippine citizens or residents such
as, but not limited to, the following:

a. A contract is entered in the Philippines;

b. A juridical entity unincorporated in the Philippines but has central
management and control in the country; and
c. An entity that has a branch, agency, office or subsidiary in the
Philippines and the parent or affiliate of the Philippine entity has
access to personal information; and

3. The entity has other links in the Philippines such as, but not limited to:

a. The entity carries on business in the Philippines; and

b. The personal information was collected or held by an entity in the
Philippines.

II. Processing of Personal Information

A. General Data Privacy Principles5. – The processing of personal information

shall be allowed, subject to compliance with the requirements of this Act and
other laws allowing disclosure of information to the public and adherence to
the principles of transparency, legitimate purpose and proportionality.

Personal information must, be:

a. Collected for specified and legitimate purposes determined and declared

before, or as soon as reasonably practicable after collection, and later
processed in a way compatible with such declared, specified and legitimate
purposes only;

b. Processed fairly and lawfully;

4 Section 6, Data Privacy Act of 2012.

5 Section 11, Data Privacy Act of 2012.
 c. Accurate, relevant and, where necessary for purposes for which it is to be
used the processing of personal information, kept up to date; inaccurate or
incomplete data must be rectified, supplemented, destroyed or their
further processing restricted;

d. Adequate and not excessive in relation to the purposes for which they are
collected and processed;

e. Retained only for as long as necessary for the fulfillment of the purposes
for which the data was obtained or for the establishment, exercise or
defense of legal claims, or for legitimate business purposes, or as provided
by law; and

f. Kept in a form which permits identification of data subjects for no longer

than is necessary for the purposes for which the data were collected and
processed: Provided, That personal information collected for other
purposes may lie processed for historical, statistical or scientific purposes,
and in cases laid down in law may be stored for longer periods: Provided,
further, That adequate safeguards are guaranteed by said laws authorizing
their processing.

The personal information controller must ensure implementation of personal

information processing principles set out herein.

B. Criteria for Lawful Processing of Personal Information6. – The processing

of personal information shall be permitted only if not otherwise prohibited by
law, and when at least one of the following conditions exists:

1. The data subject has given his or her consent;

2. The processing of personal information is necessary and is related to the
fulfillment of a contract with the data subject or in order to take steps at
the request of the data subject prior to entering into a contract;
3. The processing is necessary for compliance with a legal obligation to which
the personal information controller is subject;
4. The processing is necessary to protect vitally important interests of the
data subject, including life and health;
5. The processing is necessary in order to respond to national emergency, to
comply with the requirements of public order and safety, or to fulfill
functions of public authority which necessarily includes the processing of
personal data for the fulfillment of its mandate; or
6. The processing is necessary for the purposes of the legitimate interests
pursued by the personal information controller or by a third party or
parties to whom the data is disclosed, except where such interests are
overridden by fundamental rights and freedoms of the data subject which
require protection under the Philippine Constitution.

C. Sensitive Personal Information and Privileged Information7. – The

processing of sensitive personal information and privileged information shall
be prohibited, except in the following cases:

1. The data subject has given his or her consent, specific to the purpose prior
to the processing, or in the case of privileged information, all parties to the
exchange have given their consent prior to processing;

2. The processing of the same is provided for by existing laws and regulations:
Provided, That such regulatory enactments guarantee the protection of the

6 Section 12, Data Privacy Act of 2012.

7 Section 13, Data Privacy Act of 2012.
 sensitive personal information and the privileged information: Provided,
further, That the consent of the data subjects are not required by law or
regulation permitting the processing of the sensitive personal information
or the privileged information;

3. The processing is necessary to protect the life and health of the data subject
or another person, and the data subject is not legally or physically able to
express his or her consent prior to the processing;

4. The processing is necessary to achieve the lawful and noncommercial

objectives of public organizations and their associations: Provided, That
such processing is only confined and related to the bona fide members of
these organizations or their associations: Provided, further, That the
sensitive personal information are not transferred to third parties:
Provided, finally, That consent of the data subject was obtained prior to
processing;

5. The processing is necessary for purposes of medical treatment, is carried

out by a medical practitioner or a medical treatment institution, and an
adequate level of protection of personal information is ensured; or

6. The processing concerns such personal information as is necessary for the

protection of lawful rights and interests of natural or legal persons in court
proceedings, or the establishment, exercise or defense of legal claims, or
when provided to government or public authority.

D. Subcontract of Personal Information8. – A personal information controller

may subcontract the processing of personal information: Provided, That the
personal information controller shall be responsible for ensuring that proper
safeguards are in place to ensure the confidentiality of the personal information
processed, prevent its use for unauthorized purposes, and generally, comply
with the requirements of this Act and other laws for processing of personal
information. The personal information processor shall comply with all the
requirements of this Act and other applicable laws.

E. Extension of Privileged Communication9. – Personal information

controllers may invoke the principle of privileged communication over
privileged information that they lawfully control or process. Subject to existing
laws and regulations, any evidence gathered on privileged information is
inadmissible.

8 Section 14, Data Privacy Act of 2012.

9 Section 15, Data Privacy Act of 2012.
III. Rights of the Data Subject10

People whose personal information is collected, stored, and processed are called data
subjects. Organizations who deal with personal details, whereabouts, and preferences
are duty bound to observe and respect data privacy rights.

If personal data has been misused, maliciously disclosed, or improperly disposed, or

if any of the rights discussed here have been violated, the data subject has a right to
file a complaint with the National Privacy Commission.

A. Right to be informed. - Your personal data is treated almost literally in the

same way as your own personal property. Thus, it should never be collected,
processed and stored by any organization without your explicit consent,
unless otherwise provided by law. Information controllers usually solicit
your consent through a privacy notice. Aside from protecting you against
unfair means of personal data collection, this right also requires personal
information controllers (PICs) to notify you if your data have been
compromised, in a timely manner.

As a data subject, you have the right to be informed that your personal data will
be, are being, or were, collected and processed.

The Right to be Informed is a most basic right as it empowers you as a

data subject to consider other actions to protect your data privacy and
assert your other privacy rights.

1. Example: A medical doctor in a private hospital in Manila recorded a

conversation with his lady patient without the patient’s knowledge and
prior consent. Upon realizing what was happening, the patient
immediately confronted the doctor and expressed her strong dismay,
pointing out the physician’s lack of professionalism in recognizing his
personal right to privacy. She said she could have given her consent anyway
if only she was asked politely. The doctor apologized and explained that
his action was just meant to aid his recall, especially when he later
examined the case, saying he just wanted to provide the best possible
service, which the patient deserves. The patient, however, demanded the
doctor to delete the recorded conversation and canceled on the medical
consultation. She said if the doctor does not even know the basic courtesy
of asking for consent, then how can he expect to win the patients’
confidence in his competence as a medical practitioner.

2. To protect your privacy, the Philippine data privacy law explicitly require
organizations to notify and furnish you the following information before
they enter your personal data into any processing system (or at the next
practical opportunity at least):

a. Description of the personal data to be entered into the system

b. Exact Purposes for which they will be processed (such as for direct
marketing, statistical, scientific etc.)
c. Basis for processing, especially when it is not based on your consent
d. Scope and method of the personal data processing
e. Recipients, to whom your data may be disclosed
f. Methods used for automated access by the recipient, and its expected
consequences for you as a data subject
g. Identity and contact details of the personal information controller
h. The duration for which your data will be kept

10 https://privacy.gov.ph/know-your-rights/
 i. You also have to be informed of the existence of your rights as a data
subject.

3. In recording a conversation or interview with someone, it is enough

to verbally ask for a direct consent from an individual data subject.
If the subject yields, it would be useful to also mention as part of the
recorded conversation that the subject knows the conversation is
being recorded and that you asked and were given the consent. It
would even be better if you could get the subject to verbally confirm his
consent.

Banks involved in phone banking tell their callers that the conversation
with their call center agent would be recorded, and that proceeding with
the call is indication of their consent. This practice is considered sufficient
notice.

Websites resort to publishing a Privacy Notice page, which

essentially accomplishes the same thing. Similar privacy notices
should be made in public establishments equipped with security
CCTVs.

Whenever anyone is making an audio or video recording of you, or even

just taking your pictures, you have a right to know, and you must always
be given the chance to opt out when you don’t feel comfortable.

A salesman may be collecting detailed personal data about you and your
family without your permission, under the pretext of targeting you as a
prospective customer to tailor-fit their offerings to your individual needs.
This, by itself, may be potentially beneficial to you. But since your personal
privacy and safety becomes potentially at risk, you have a right to be
informed if you are being individually targeted in a sales campaign like this.

B. The right to access. - This is your right to find out whether an

organization holds any personal data about you and if so, gain
“reasonable access” to them. Through this right, you may also ask them
to provide you with a written description of the kind of information they
have about you as well as their purpose/s for holding them.

Under the Data Privacy Act of 2012, you have a right to obtain from an
organization a copy of any information relating to you that they have on their
computer database and/or manual filing system. It should be provided in an
easy-to-access format, accompanied with a full explanation executed in plain
language.

You may demand to access the following:

 The contents of your personal data that were processed.

 The sources from which they were obtained.
 Names and addresses of the recipients of your data.
 Manner by which they were processed.
 Reasons for disclosure to recipients, if there were any.
 Information on automated systems where your data is or may be
available, and how it may affect you.
 Date when your data was last accessed and modified.
 The identity and address of the personal information controller.

1. Example: An individual had been involved in an incident inside and outside

a Manila restaurant where his wallet was stolen. He also suffered minor
 injuries in the incident. He requested access to the restaurant CCTV
footage relating to himself, saying he wants to see all details surrounding
the incident and possibly figure out a way to recover his wallet. He tried to
personally speak to the manager but was referred to the security guard.
After a few days of following up on his request, he was finally informed that
the establishment would not provide him any data. This infuriated him
and, upon going back to the restaurant, he demanded his right to view the
footage or else he would create a scene. He was told that, as per their
security policy, no “outsider” is allowed to enter areas in their
establishment designated only as “for employees only”. As a compromise,
the manager said they will give him a record of the footage using the
customer’s handheld gadget.

2. How to exercise your right to access your personal data? You must
execute a written request to the organization, addressed to its Data
Protection Officer (DPO). In the letter, mention that your request is
being made in exercise of your right to access under the Data Privacy Act
of 2012. The DPO is required to respond to your written request. Be
prepared to provide evidence of your identity, which the DPO should
require of you to make sure that personal information is not given to the
wrong person.

If your request was not granted, or if you feel your request was not
sufficiently addressed, you may file a formal complaint with the
NPC. Before doing so, however, we recommend that you inform the
organization and its DPO of your intention to formally complain to the
NPC. They might be able to the opportunity to apologize, better explain
their position, or reconsider your request.

3. Some exceptions may disallow the exercise of an individual’s right to

access. This is to balance the right to privacy of an individual versus the
needs of civil society. Here are some examples:

a. A criminal suspect is not allowed access to the personal data held

about him by law enforcement agencies as it may impede
investigation.

b. You are not allowed access to information about you as contained in

communications between a lawyer and his or her client, if such
communication is subject to legal privilege in court.

c. Your right to access your own medical and psychological data

may be denied you in the rare instance where is is deemed that your
health and well-being might be negatively affected.

C. The right to object. - You can exercise your right to object if the personal data
processing involved is based on consent or on legitimate interest. When you
object or withhold your consent, the PIC should no longer process the
personal data, unless the processing is pursuant to a subppoena, for
obvious purposes (contract, employer-employee relationship, etc.) or a
result of a legal obligation.

In case there is any change or amendment to the information previously given to

you, you should be notified and given an opportunity to withhold consent.

1. Example: The right to object is most specifically applicable when

organizations or personal information controllers are processing your data
without your consent for the following purposes:
 a. Direct marketing purposes. When business organizations give you
sales materials about products and services, they must explicitly inform
or remind you of your right to object. If you feel uncomfortable to
being target of a direct marketing campaign, you must be able to
easily invoke your right to object. If you previously acceded but wishes
to opt-out, you must be given an easy way to opt-out. In asserting your
right to object being included in a direct marketing campaign,
businesses have no recourse but to accede as there are no
exemptions or grounds for refusal in this case.

b. Profiling purposes. Businesses customarily resort to profiling, or the

creation of profiles of individual customers and clients without their
consent. This is done either for marketing or customer care purposes. The
cross-referencing of customer information to product marketing brings
about practical advantages to both the buyer and seller in any potential
business transaction. Under RA 10173, however, profiling of this
requires your consent as customer, or else you are justified in
invoking your right to object. The right of state agents to do profiling
for law enforcement purposes, however, may override your right to
object.

c. Automated processing purposes. In technology-driven industries,

such as banking and finance, many decisions affecting individuals are
arrived at electronically via automatic data processing systems based on
personal information stored in computerized data files. This reduces the
business transaction process down to a few seconds and facilitates a
speedy exchange of economic value. Potentially, however, it may also
inadvertently arrive at decisions prejudicial to your interests and lead to
the weakening of your position as a transacting party. As such,
organizations are required to notify you whether your personal
data will undergo automatic processing, and inform you that you
have a right to object.

2. How to exercise your right to object? Whenever you have the chance, you may
assert your right to object verbally, be it in person or via a phone call. To
have it formally documented, however, you must execute a written
request to the organization, addressed to its Data Protection Officer
(DPO), and have it received. In the letter, mention that your request is being
made in exercise of your right to object under the Data Privacy Act of 2012.
The DPO must act on your written request. In case you feel your request have
not been addressed satisfactorily, you may file a formal complaint before the
NPC, attached therewith your request letter to the DPO.

D. The right to erasure or blocking. - Under the law, you have the right to
suspend, withdraw or order the blocking, removal or destruction of your
personal data. You can exercise this right upon discovery and substantial proof
of the following:
 Your personal data is incomplete, outdated, false, or unlawfully obtained.
 It is being used for purposes you did not authorize.
 The data is no longer necessary for the purposes for which they were
collected.
 You decided to withdraw consent, or you object to its processing and there
is no overriding legal ground for its processing.
 The data concerns information prejudicial to the data subject — unless
justified by freedom of speech, of expression, or of the press; or otherwise
authorized (by court of law)
 The processing is unlawful.
  The personal information controller, or the personal information
processor, violated your rights as data subject.

1. In several cases, the need to balance this right with the freedom of expression
and public interest has been highlighted as follows:

a. In Melvin v. Reid, decided in 1931, for example, a homemaker, who had

once worked as a prostitute and who had been wrongly accused of
murder, became the subject of a feature film (“The Red Kimono”) seven
years after her acquittal, based on the facts of her trial. Although not
specifically referencing a right to be forgotten, the court, permitting suit
against the film-maker, noted: “One of the major objectives of society as
it is now constituted, and of the administration of our penal system, is
the rehabilitation of the fallen and the reformation of the criminal.” The
court held that the unnecessary use of the plaintiff’s real name
inhibited her right to obtain rehabilitation.

b. Karnataka High Court Judgement - The petition was to annul the

marriage certificate and later the case was quashed on comprise between
the parties. In the same case Petitioner’s daughter name was requested to
be removed from the digital records of the High Court and also from
search engines including Google as it affected her relationship with her
husband and her reputation as well. The High Court ordered, “It should
be the endeavor of the Registry to ensure that any internet search made
in the public domain ought not to reflect the petitioner’s daughter’s name
in the cause-title of the order or in the body of the order in the criminal
petition.”, giving life to this right. However, the name of the petitioner’s
daughter would certainly be reflected in the order copy was made clear.

2. How to exercise your right to erasure (or blocking)? Execute a written

request to the organization, addressed to its Data Protection Officer (DPO),
and have it received. In the letter, mention that your request is being made
in exercise of your right to erasure under the Data Privacy Act of 2012.
Documents to support your request must be attached. The DPO must act on
your written request. In case you feel your request have not been addressed
satisfactorily, you may file a formal complaint before the NPC, attached
therewith your request letter to the DPO.

E. The right to damages. - You may claim compensation if you suffered damages
due to inaccurate, incomplete, outdated, false, unlawfully obtained or
unauthorized use of personal data, considering any violation of your rights and
freedoms as data subject.

1. How to exercise your right to damages? Write or speak to the organization

which mishandled your personal information to see if you can reach an
agreement and claim compensation. If you feel that your concern has not
been satisfactorily addressed, you should write to the organization and
inform them of your intent to take the matter to the court, before you
start court proceedings. Talk to a legal adviser if you want to make a claim in
court.

The NPC has no role in dealing with compensation claims. But you may
request NPC to assess if the organization mishandled your personal data and
broke the DPA. You can give a copy of the NPC’s letter to the court along with
the evidence to prove your claim. This, however, does not guarantee that the
judge will fully agree with NPC’s view. You may also require someone from
 the NPC to give expert evidence which will only be allowed if the judge orders
it.

F. The right to file a complaint with the National Privacy Commission. - If you
feel that your personal information has been misused, maliciously disclosed, or
improperly disposed, or that any of your data privacy rights have been violated,
you have a right to file a complaint with the NPC.

G. The right to rectify. - You have the right to dispute and have corrected any
inaccuracy or error in the data a personal information controller (PIC)
hold about you. The PIC should act on it immediately and accordingly, unless
the request is vexatious or unreasonable. Once corrected, the PIC should ensure
that your access and receipt of both new and retracted information. PICs should
also furnish third parties with said information, should you request it.

1. Example: A government employee resigned from her agency with a period

with premium payments of 20.49 years. The employee’s birthdate indicated
in her Government Service Insurance System (GSIS) records is 30 June 1959.
However, her National Statistics Office (NSO) authenticated Certificate of
Live Birth shows 30 June 1952 as her birthdate. Her birthdate will determine
when she will start receiving her monthly pension – in 2019 if based on the
GSIS record, and in 2012 if based on her birth certificate. She, thus, invoked
her right to rectify her personal data under the Data Privacy Act of 2012.

2. How to exercise your right to rectify? If the organization does not yet have a
system or form for data rectification, you must execute a written request to
the organization, addressed to its Data Protection Officer (DPO), and have it
received. In the letter, mention that your request is being made in exercise of
your right to object under the Data Privacy Act of 2012. Documents to support
your request must be attached. The DPO must act on your written request.
In case you feel your request have not been addressed satisfactorily, you may
file a formal complaint before the NPC, attached therewith your request
letter to the DPO.

Some organizations already have their system or form for data rectification.
For instance, the Social Security System (SSS) only requires their members to
accomplish SSS Form E-4 or the Member Data Change Request Form and
submit with it the supporting documents. The needed supporting documents
vary depending on the personal data that you want corrected (i.e. for
correction of name and birthdate – PSA/NSO-authenticated birth certificate
or valid passport, for correction of name due to naturalization – Certificate
of Naturalization issued by the Philippine Department of Foreign Affairs,
identification certificate issued by the Philippine Bureau of Immigration, and
any foreign government- issued ID cards and/or documents showing the new
name).

H. The right to data portability. - This right assures that YOU remain in full
control of YOUR data. Data portability allows you to obtain and
electronically move, copy or transfer your data in a secure manner, for
further use. It enables the free flow of your personal information across the
internet and organizations, according to your preference. This is important
especially now that several organizations and services can reuse the same data.

Data portability allows you to manage your personal data in your private
device, and to transmit your data from one personal information
controller to another. As such, it promotes competition that fosters better
services for the public.
 1. Example: In case you want to close your Facebook account and leave the
service, or simply feel like you’ve shared a lot of information about your life
and want a backup of all your Facebook data, you may exercise your right to
data portability.

You may also exercise this right if you intend to get a usable copy of your
personal health records for the use of other doctors you may like to consult.
In banking, the right to data portability may be used to reduce the risks of
being locked-in with one single service provider, thereby expanding
customers’ options and improving customer experience.

2. How to exercise your right to data portability? Various online platforms have
been making data portability an available and instant option for its users. For
instance, Facebook enabled its users to readily download all their personal
content and information, including wall posts, status updates, photos, videos,
and conversation threads. Currently, users will just have to click at the top
right of any Facebook page and select “Settings”, then click “Download a copy
of your Facebook data” at the bottom of “General Account Settings”, and click
“Start My Archive”. Google has a similar feature that readily allows its users to
create an archive to keep for their personal record or for use in another service.

In case the personal information controller concerned does not yet have an
online data portability feature, you must execute a written request to the
organization, addressed to its Data Protection Officer (DPO), and have it
received. In the letter, mention that your request is being made in exercise of
your right to data portability under the Data Privacy Act of 2012. Documents
to support your request must be attached. The DPO must act on your written
request. In case you feel your request have not been addressed satisfactorily,
you may file a formal complaint before the NPC, attached therewith your
request letter to the DPO.

I. Transmissibility of Data Subject Rights. - Just like any physical property, such
as real estate, you can assign your rights as a data subject to your legal
assignee or lawful heir. Similarly, you may assert another person’s rights as a
data subject, provided he or she authorized you as a “legal assignee”.

You may also invoke another person’s data privacy rights after his or her
death if you are his or her legal heir. This same principle applies to parents of
minors, or their legal guardian, who are responsible for asserting their rights on
their behalf.

This right, however, is not applicable in case the processed personal data
being contested are used only for scientific and statistical research.

1. The practical need for transmissibility - An individual’s personal data

lives on even after his death. As such, they could still be subject to privacy
violations whether intentional or otherwise. The Data Privacy Act of 2012
included this provision to protect their privacy rights through a living
person willing to assume the responsibility on their behalf. The
transmissibility of data privacy rights has been extended to living
adults who are unable to protect their own rights and wish to assign
the responsibility to someone else.

2. How to execute? Data subjects who are alive but incapacitated, for some
reason unable to assert their own personal privacy rights and wish to
authorize a “legal assignee” to act as their proxy may do so by executing a
legal notice to the effect, such as through a Special Power of Attorney.
 In case of a deceased data subject, the legal heir must be prepared to show
legal evidence to back their claim. Parents or guardians automatically
assume the responsibility of protecting the privacy rights of minors under
their care.
J. Limitation on Rights

The immediately preceding sections are not applicable if the processed personal
information are used only for the needs of scientific and statistical research and,
on the basis of such, no activities are carried out and no decisions are taken regarding
the data subject: Provided, That the personal information shall be held under
strict confidentiality and shall be used only for the declared purpose. Likewise,
the immediately preceding sections are not applicable to processing of personal
information gathered for the purpose of investigations in relation to any
criminal, administrative or tax liabilities of a data subject.11

IV. ACCOUNTABILITY FOR TRANSFER OF PERSONAL INFORMATION

Principle of Accountability. 12– Each personal information controller is responsible

for personal information under its control or custody, including information that
have been transferred to a third party for processing, whether domestically or
internationally, subject to cross-border arrangement and cooperation.

(a) The personal information controller is accountable for complying with the
requirements of this Act and shall use contractual or other reasonable means to
provide a comparable level of protection while the information are being
processed by a third party.

(b) The personal information controller shall designate an individual or

individuals who are accountable for the organization’s compliance with this
Act. The identity of the individual(s) so designated shall be made known to
any data subject upon request.

11
Section 19, Data Privacy Act of 2012.
12
Section 21, Data Privacy Act of 2012.