I. General Provisions
B. Definition of Terms2.
1. Consent of the data subject refers to any freely given, specific, informed
indication of will, whereby the data subject agrees to the collection and
processing of personal information about and/or relating to him or her.
Consent shall be evidenced by written, electronic or recorded means. It
may also be given on behalf of the data subject by an agent specifically
authorized by the data subject to do so.
6. Privileged information refers to any and all forms of data which under the
Rules of Court and other pertinent laws constitute privileged
communication.
C. Scope3. – This Act applies to the processing of all types of personal information
and to any natural and juridical person involved in personal information
processing including those personal information controllers and processors
who, although not found or established in the Philippines, use equipment that
are located in the Philippines, or those who maintain an office, branch or
agency in the Philippines subject to the immediately succeeding paragraph:
6. Information necessary for banks and other financial institutions under the
jurisdiction of the independent, central monetary authority or Bangko
Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act
No. 9160, as amended, otherwise known as the Anti-Money Laundering Act
and other applicable laws; and
2. The entity has a link with the Philippines, and the entity is processing
personal information in the Philippines or even if the processing is outside
the Philippines as long as it is about Philippine citizens or residents such
as, but not limited to, the following:
3. The entity has other links in the Philippines such as, but not limited to:
d. Adequate and not excessive in relation to the purposes for which they are
collected and processed;
e. Retained only for as long as necessary for the fulfillment of the purposes
for which the data was obtained or for the establishment, exercise or
defense of legal claims, or for legitimate business purposes, or as provided
by law; and
1. The data subject has given his or her consent, specific to the purpose prior
to the processing, or in the case of privileged information, all parties to the
exchange have given their consent prior to processing;
2. The processing of the same is provided for by existing laws and regulations:
Provided, That such regulatory enactments guarantee the protection of the
3. The processing is necessary to protect the life and health of the data subject
or another person, and the data subject is not legally or physically able to
express his or her consent prior to the processing;
People whose personal information is collected, stored, and processed are called data
subjects. Organizations who deal with personal details, whereabouts, and preferences
are duty bound to observe and respect data privacy rights.
As a data subject, you have the right to be informed that your personal data will
be, are being, or were, collected and processed.
2. To protect your privacy, the Philippine data privacy law explicitly requires
organizations to notify and furnish you the following information before
they enter your personal data into any processing system (or at the next
practical opportunity at least):
10 https://privacy.gov.ph/know-your-rights/
i. You also have to be informed of the existence of your rights as a data
subject.
Banks involved in phone banking tell their callers that the conversation
with their call center agent would be recorded, and that proceeding with
the call is an indication of their consent. This practice is considered sufficient
notice.
A salesman may be collecting detailed personal data about you and your
family without your permission, under the pretext of targeting you as a
prospective customer to tailor-fit their offerings to your individual needs.
This, by itself, may be potentially beneficial to you. But since your personal
privacy and safety become potentially at risk, you have a right to be
informed if you are being individually targeted in a sales campaign like this.
Under the Data Privacy Act of 2012, you have a right to obtain from an
organization a copy of any information relating to you that they have on their
computer database and/or manual filing system. It should be provided in an
easy-to-access format, accompanied by a full explanation executed in plain
language.
2. How to exercise your right to access your personal data? You must
execute a written request to the organization, addressed to its Data
Protection Officer (DPO). In the letter, mention that your request is
being made in exercise of your right to access under the Data Privacy Act
of 2012. The DPO is required to respond to your written request. Be
prepared to provide evidence of your identity, which the DPO should
require of you to make sure that personal information is not given to the
wrong person.
If your request was not granted, or if you feel your request was not
sufficiently addressed, you may file a formal complaint with the
NPC. Before doing so, however, we recommend that you inform the
organization and its DPO of your intention to formally complain to the
NPC. They might be able to take the opportunity to apologize, better explain
their position, or reconsider your request.
C. The right to object. - You can exercise your right to object if the personal data
processing involved is based on consent or on legitimate interest. When you
object or withhold your consent, the PIC should no longer process the
personal data, unless the processing is pursuant to a subpoena, for
obvious purposes (contract, employer-employee relationship, etc.) or a
result of a legal obligation.
2. How to exercise your right to object? Whenever you have the chance, you may
assert your right to object verbally, be it in person or via a phone call. To
have it formally documented, however, you must execute a written
request to the organization, addressed to its Data Protection Officer
(DPO), and have it received. In the letter, mention that your request is being
made in exercise of your right to object under the Data Privacy Act of 2012.
The DPO must act on your written request. In case you feel your request has
not been addressed satisfactorily, you may file a formal complaint before the
NPC, attached therewith your request letter to the DPO.
D. The right to erasure or blocking. - Under the law, you have the right to
suspend, withdraw or order the blocking, removal or destruction of your
personal data. You can exercise this right upon discovery and substantial proof
of the following:
Your personal data is incomplete, outdated, false, or unlawfully obtained.
It is being used for purposes you did not authorize.
The data is no longer necessary for the purposes for which they were
collected.
You decided to withdraw consent, or you object to its processing and there
is no overriding legal ground for its processing.
The data concerns information prejudicial to the data subject — unless
justified by freedom of speech, of expression, or of the press; or otherwise
authorized (by court of law)
The processing is unlawful.
The personal information controller, or the personal information
processor, violated your rights as data subject.
1. In several cases, the need to balance this right with the freedom of expression
and public interest has been highlighted as follows:
E. The right to damages. - You may claim compensation if you suffered damages
due to inaccurate, incomplete, outdated, false, unlawfully obtained or
unauthorized use of personal data, considering any violation of your rights and
freedoms as data subject.
The NPC has no role in dealing with compensation claims. But you may
request NPC to assess if the organization mishandled your personal data and
broke the DPA. You can give a copy of the NPC’s letter to the court along with
the evidence to prove your claim. This, however, does not guarantee that the
judge will fully agree with NPC’s view. You may also require someone from
the NPC to give expert evidence which will only be allowed if the judge orders
it.
F. The right to file a complaint with the National Privacy Commission. - If you
feel that your personal information has been misused, maliciously disclosed, or
improperly disposed, or that any of your data privacy rights have been violated,
you have a right to file a complaint with the NPC.
G. The right to rectify. - You have the right to dispute and have corrected any
inaccuracy or error in the data a personal information controller (PIC)
holds about you. The PIC should act on it immediately and accordingly, unless
the request is vexatious or unreasonable. Once corrected, the PIC should ensure
your access to and receipt of both new and retracted information. PICs should
also furnish third parties with said information, should you request it.
2. How to exercise your right to rectify? If the organization does not yet have a
system or form for data rectification, you must execute a written request to
the organization, addressed to its Data Protection Officer (DPO), and have it
received. In the letter, mention that your request is being made in exercise of
your right to object under the Data Privacy Act of 2012. Documents to support
your request must be attached. The DPO must act on your written request.
In case you feel your request has not been addressed satisfactorily, you may
file a formal complaint before the NPC, attached therewith your request
letter to the DPO.
Some organizations already have their system or form for data rectification.
For instance, the Social Security System (SSS) only requires their members to
accomplish SSS Form E-4 or the Member Data Change Request Form and
submit with it the supporting documents. The needed supporting documents
vary depending on the personal data that you want corrected (i.e. for
correction of name and birthdate – PSA/NSO-authenticated birth certificate
or valid passport, for correction of name due to naturalization – Certificate
of Naturalization issued by the Philippine Department of Foreign Affairs,
identification certificate issued by the Philippine Bureau of Immigration, and
any foreign government-issued ID cards and/or documents showing the new
name).
H. The right to data portability. - This right assures that YOU remain in full
control of YOUR data. Data portability allows you to obtain and
electronically move, copy or transfer your data in a secure manner, for
further use. It enables the free flow of your personal information across the
internet and organizations, according to your preference. This is important
especially now that several organizations and services can reuse the same data.
Data portability allows you to manage your personal data in your private
device, and to transmit your data from one personal information
controller to another. As such, it promotes competition that fosters better
services for the public.
1. Example: In case you want to close your Facebook account and leave the
service, or simply feel like you’ve shared a lot of information about your life
and want a backup of all your Facebook data, you may exercise your right to
data portability.
You may also exercise this right if you intend to get a usable copy of your
personal health records for the use of other doctors you may like to consult.
In banking, the right to data portability may be used to reduce the risks of
being locked-in with one single service provider, thereby expanding
customers’ options and improving customer experience.
2. How to exercise your right to data portability? Various online platforms have
been making data portability an available and instant option for their users. For
instance, Facebook enabled its users to readily download all their personal
content and information, including wall posts, status updates, photos, videos,
and conversation threads. Currently, users will just have to click at the top
right of any Facebook page and select “Settings”, then click “Download a copy
of your Facebook data” at the bottom of “General Account Settings”, and click
“Start My Archive”. Google has a similar feature that readily allows its users to
create an archive to keep for their personal record or for use in another service.
In case the personal information controller concerned does not yet have an
online data portability feature, you must execute a written request to the
organization, addressed to its Data Protection Officer (DPO), and have it
received. In the letter, mention that your request is being made in exercise of
your right to data portability under the Data Privacy Act of 2012. Documents
to support your request must be attached. The DPO must act on your written
request. In case you feel your request has not been addressed satisfactorily,
you may file a formal complaint before the NPC, attached therewith your
request letter to the DPO.
I. Transmissibility of Data Subject Rights. - Just like any physical property, such
as real estate, you can assign your rights as a data subject to your legal
assignee or lawful heir. Similarly, you may assert another person’s rights as a
data subject, provided he or she authorized you as a “legal assignee”.
You may also invoke another person’s data privacy rights after his or her
death if you are his or her legal heir. This same principle applies to parents of
minors, or their legal guardian, who are responsible for asserting their rights on
their behalf.
This right, however, is not applicable in case the processed personal data
being contested are used only for scientific and statistical research.
2. How to execute? Data subjects who are alive but incapacitated, or for some
reason unable to assert their own personal privacy rights, and who wish to
authorize a “legal assignee” to act as their proxy may do so by executing a
legal notice to that effect, such as through a Special Power of Attorney.
In case of a deceased data subject, the legal heir must be prepared to show
legal evidence to back their claim. Parents or guardians automatically
assume the responsibility of protecting the privacy rights of minors under
their care.
J. Limitation on Rights
The immediately preceding sections are not applicable if the processed personal
information are used only for the needs of scientific and statistical research and,
on the basis of such, no activities are carried out and no decisions are taken regarding
the data subject: Provided, That the personal information shall be held under
strict confidentiality and shall be used only for the declared purpose. Likewise,
the immediately preceding sections are not applicable to processing of personal
information gathered for the purpose of investigations in relation to any
criminal, administrative or tax liabilities of a data subject.11
(a) The personal information controller is accountable for complying with the
requirements of this Act and shall use contractual or other reasonable means to
provide a comparable level of protection while the information are being
processed by a third party.
11 Section 19, Data Privacy Act of 2012.
12 Section 21, Data Privacy Act of 2012.