Data Privacy Philippines | Data Subjects and Their Rights (2024)

The Data Privacy Act of 2012 was passed to extend protection to people and their data in this modern age. It provides a regime for regulating the processing and storage of particularly personal and sensitive information, given the new avenues of information exchange that have opened up and continue to open up in this era. This regulation is achieved through the recognition of rights accorded to data subjects and through the imposition of obligations upon entities that deal with the information of such data subjects. In order to understand how the Data Privacy Act provides protection—and more importantly, in order for any individual to be able to benefit from its protections—it is important to understand the concept of a data subject, as well as his rights.

What is a data subject

Under the law, a data subject is defined as “an individual whose personal information is processed.”[1] Corollarily, personal information is defined as “any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.”[2] In addition to this, the law also defines sensitive personal information, such as one’s ethnic origin or education, and privileged personal information. Lastly, processing refers to “any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.”[3]

These definitions show that the coverage of the law is comprehensive and broad, as it protects any individual or entity whose identity-related information is collected, recorded, or used. At a time when social media continues to flourish and expand their presence in the daily lives of people and businesses, it is not unlikely that information relating to their identities is disclosed. This puts a lot of information and individuals at risk of illegitimate divulgence. Hence, the Data Privacy Act accords data subjects several rights enforceable against offending entities. These rights are guided by the principles of transparency, legitimate purpose, and proportionality.[4]

Rights of a Data Subject[5]

Under Chapter IV of the Act, there are eight (8) rights that belong to data subjects, namely: the right to be informed; the right to access; the right to object; the right to erasure and blocking; the right to rectify; the right to file a complaint; the right to damages; and the right to data portability.

First, the right to be informed means that the data subject has the right to know when his or her personal data shall be, are being, or have been processed. Collection and processing of data without the data subject’s knowledge and explicit consent is made unlawful, and entities in possession of personal data is obligated to inform the data subject of any breaches or compromises in their data.

Second, the right to access involves being able to compel any entity possessing any personal data to provide the data subject with a description of such data in its possession, as well as the purposes for which they are to be or are being processed. Furthermore, other details regarding the processing of their information may be obtained, such as the period for which the information will be stored, and the recipients to whom the information may be disclosed. This must be complied with in an easy-to-access format, accompanied by a description in plain language.

Thirdly, the right to object requires that the consent of the data subject be secured in the collecting and processing of his or her data. It grants the data subject the choice of refusing to consent, as well as the choice to withdraw consent, as regards collection and processing. As earlier stated, any activity involving a data subject’s personal data without his or her consent is deemed illegal.

The right to erasure or blocking allows the data subject to suspend, withdraw or order the blocking, removal, destruction of his or her personal information from the personal information controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected.[6] This is akin to the recognized right to be forgotten.

Corollarily, the right to rectify, allows the data subject to dispute any inaccuracy or error in the personal information processed, and to have the personal information controller correct it immediately. In line with this, the personal information controller must ensure that the new and the retracted information will be accessible, and that third parties who received the erroneous data will be informed, upon the request of the data subject.

In line with the control given to the data subject, the right to data portability enables the data subject to obtain and electronically move, copy, or transfer personal data for further use.[7] This also carries out another policy behind the law–ensuring the free flow of personal information.

The last two rights are related to the enforcement of the above-discussed rights. First, the right to file a complaint with the National Privacy Commission affords a remedy to any data subject who “[feels] that [his or her] personal information has been misused, maliciously disclosed, or improperly disposed,”[8] or in case of any violation of his or her data privacy rights. Secondly, the right to damages entitles the aggrieved data subject to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of his or her personal information.

As can be gleaned from these rights, the Data Privacy Act of 2012 is comprehensive in its protection to the data subject. This is even strengthened by the fact that these rights can also be invoked by the data subject’s lawful heirs and assigns in the event of his or her incapacity and[9] even after his or her death.

[1] Rep. Act No. 10173 (2012), Sec. 3(c).

[2] Ibid., Sec. 3(g).

[3] Ibid., Sec. 3(j).

[4] Ibid., Sec. 11.

[5] Ibid., Sec. 16.

[6] Ibid., Sec. 16(e).

[7] Ibid., Sec. 18.

[8] Know Your Data Privacy Rights. National Privacy Commission, <https://privacy.gov.ph/know-your-rights/#topic7_part7>

[9] Ibid., Sec. 17.