The Data Privacy Act of 2012 (DPA) or Republic Act 10173 is the law which seeks to protect personal data of individuals and imposes upon the government and the private sector the obligation to safeguard said data.
The data subject refers to an individual whose personal, sensitive personal, or privileged information is processed.
Under the DPA and its Implementing Rules and Regulations (IRR), the data subject is entitled to privacy rights which must be respected by anyone who will process his personal data. Aside from the data subject, the lawful heirs and assigns of the data subject may invoke the rights of the data subject for which he or she is an heir or assignee at any time after the death of the data subject or when the data subject is incapacitated or incapable of exercising the privacy rights.
The rights of the data subject are as follows:
a. Right to be informed;
b. Right to object;
c. Right to access;
d. Right to rectification;
e. Right to erasure or blocking;
f. Right to damages;
g. Right to file a complaint; and
h. Right to data portability.
The rights above are discussed in detail below:
a. Right to be informed.
1. The data subject has a right to be informed whether personal data pertaining to him or her shall be, are being, or have been processed, including the existence of automated decision-making and profiling.
2. The data subject shall be notified and furnished with information indicated hereunder before the entry of his or her personal data into the processing system of the personal information controller, or at the next practical opportunity:
(a) Description of the personal data to be entered into the system;
(b) Purposes for which they are being or will be processed, including processing for direct marketing, profiling or historical, statistical or scientific purpose;
(c) Basis of processing, when processing is not based on the consent of the data subject;
(d) Scope and method of the personal data processing;
(e) The recipients or classes of recipients to whom the personal data are or may be disclosed;
(f) Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized, including meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
(g) The identity and contact details of the personal data controller or its representative;
(h) The period for which the information will be stored; and
(i) The existence of their rights as data subjects, including the right to access, correction, and object to the processing, as well as the right to lodge a complaint before the Commission.
b. Right to object. The data subject shall have the right to object to the processing of his or her personal data, including processing for direct marketing, automated processing or profiling. The data subject shall also be notified and given an opportunity to withhold consent to the processing in case of changes or any amendment to the information supplied or declared to the data subject in the preceding paragraph.
When a data subject objects or withholds consent, the personal information controller shall no longer process the personal data, unless:
1. The personal data is needed pursuant to a subpoena;
2. The collection and processing are for obvious purposes, including, when it is necessary for the performance of or in relation to a contract or service to which the data subject is a party, or when necessary or desirable in the context of an employer-employee relationship between the collector and the data subject; or
3. The information is being collected and processed as a result of a legal obligation.
c. Right to Access. The data subject has the right to reasonable access to, upon demand, the following:
1. Contents of his or her personal data that were processed;
2. Sources from which personal data were obtained;
3. Names and addresses of recipients of the personal data;
4. Manner by which such data were processed;
5. Reasons for the disclosure of the personal data to recipients, if any;
6. Information on automated processes where the data will, or is likely to, be made as the sole basis for any decision that significantly affects or will affect the data subject;
7. Date when his or her personal data concerning the data subject were last accessed and modified; and
8. The designation, name or identity, and address of the personal information controller.
d. Right to rectification. The data subject has the right to dispute the inaccuracy or error in the personal data and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal data has been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by the intended recipients thereof: Provided, That recipients or third parties who have previously received such processed personal data shall be informed of its inaccuracy and its rectification, upon reasonable request of the data subject.
e. Right to Erasure or Blocking. The data subject shall have the right to suspend, withdraw or order the blocking, removal or destruction of his or her personal data from the personal information controller’s filing system.
This right may be exercised upon discovery and substantial proof of any of the following:
(a) The personal data is incomplete, outdated, false, or unlawfully obtained;
(b) The personal data is being used for purpose not authorized by the data subject;
(c) The personal data is no longer necessary for the purposes for which they were collected;
(d) The data subject withdraws consent or objects to the processing, and there is no other legal ground or overriding legitimate interest for the processing;
(e) The personal data concerns private information that is prejudicial to data subject, unless justified by freedom of speech, of expression, or of the press or otherwise authorized;
(f) The processing is unlawful;
(g) The personal information controller or personal information processor violated the rights of the data subject.
f. Right to damages. The data subject shall be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, taking into account any violation of his or her rights and freedoms as data subject.
g. Right to file a complaint. In case of violation of his right, the data subject may exhaust remedies by raising his concern to the concerned personal information controller. If not satisfied with the handling of his concern, the data subject can go to the National Privacy Commission to file a complaint. The data subject also has the right to file a criminal complaint before the courts.
h. Right to Data Portability. The data subject shall have the right, where personal information is processed by electronic means and in a structured and commonly used format, to obtain from the personal information controller a copy of data undergoing processing in an electronic or structured format, which is commonly used and allows for further use by the data subject. The Commission may specify the electronic format referred to above, as well as the technical standards, modalities and procedures for their transfer.