
GDPR General Data Protection Regulation:

Data Protection + Teeth

A Written Report

BABAN, Neil
CAGAS, James Adrian
CALIO, Lope III
DINGAL, Johanna
ESCOBIDO, Hanna
IGBALIC, Anna Lou
SANTIAGO, Reginald Matt
TALON, Francris

III-MANRESA 2019-2020
Ateneo de Davao College of Law
General Data Protection Regulation 2
Data Protection + Teeth

TABLE OF CONTENTS

I. INTRODUCTION .................................................................................. 3
A. What is GDPR? ................................................................................... 3
B. Historical Background of the GDPR........................................................ 3
C. Data Protection Principles .................................................................... 4
D. Material and Territorial Jurisdiction ....................................................... 4
II. RIGHTS OF THE DATA SUBJECT ....................................................... 12
A. Individual Rights of a Data Subject under GDPR ................................... 12
1. Right to be Informed ..................................................................................................... 13
2. Right of Access ................................................................................................................ 15
3. Right to Rectification ..................................................................................................... 17
4. Right to Erasure or the ‘Right to be Forgotten’ ................................................... 18
5. Right to Restriction of Processing ............................................................................. 19
6. Right to Data Portability ............................................................................................... 21
7. Right to Object ................................................................................................................ 23
8. Rights Related to Automated Decision-Making .................................................... 25
B. Restrictions ..................................................................................... 26
III. ACCOUNTABILITY AND GOVERNANCE ............................................ 29
A. Obligations for Data Controllers and Processors .................................... 29
1. Privacy by Design and Default ................................................................................... 30
2. Data Protection Impact Assessment ........................................................................ 31
3. Designation of the Data Protection Officers .......................................................... 35
4. Codes of Conduct ............................................................................................................ 36
B. Personal Data Breach ........................................................................ 36
IV. PROVISIONS FOR REDRESS ............................................................ 40
A. GDPR as Data Privacy Regulation with Teeth ........................................ 40
B. Remedies, Liabilities and Penalties ...................................................... 41
1. Overview of Procedure.................................................................................................. 41
2. Penalties............................................................................................................................. 43
3. Applications of GDPR ..................................................................................................... 45
V. CONCLUSION ................................................................................... 47

I. INTRODUCTION
A. What is GDPR?
The General Data Protection Regulation, or GDPR, is a law concerned with
the privacy and security of the residents of the European Union. It
regulates the gathering and collection of data by another person or entity.
It gives the data subject knowledge of what kind of data a company will
use and for what purpose that data will be used. It also gives the data
subject the right to erasure of the personal data obtained from them.

The data regulated by the law is personal data that can identify a
person, including but not limited to name, address, phone number, IP
address, sexual orientation, and political opinion. The law also covers
persons or entities outside the European Union who collect or gather data
from data subjects in the EU, regardless of the subjects’ citizenship. Most
of these are entities that provide goods and services to the people of
Europe.

A person or entity that collects data must show a lawful cause for
obtaining the data and its purpose. Entities that gather data from the
people of the EU without justifiable cause will be subject to a fine or
penalty of 20 million euros or more. The law does not prohibit these
entities from obtaining data from the people of the EU, as long as it is
done with the consent of the person or otherwise in accordance with the
law.

B. Historical Background of the GDPR


The European Union (EU) adopted the General Data Protection
Regulation (GDPR) in 2016. It is one of its greatest achievements in recent
years. It replaces the 1995 Data Protection Directive, which was adopted
when the internet was in its infancy. The GDPR is now recognized as law
across the EU. Member states have two years to ensure that it is fully
implementable in their countries, by May 2018.[1]

What pushed the creation of the GDPR was that the old law was
written before the birth of smartphones and before companies such as
Google and Facebook collected massive amounts of information about
persons. The General Data Protection Regulation was enacted in order to
regulate this. It seeks to enforce the right to privacy of the people in the
EU as enshrined in the 1950 European Convention on Human Rights.

[1] The history of the General Data Protection Regulation (GDPR). European Data Protection Supervisor. Retrieved March 04, 2020 from https://edps.europa.eu/data-protection/data-protection/legislation/history-general-data-protection-regulation_en.

C. Data Protection Principles


The GDPR has seven data protection principles for carrying out the
lawful processing of data. These seven principles serve as a guideline for
data controllers, who are accountable for complying with them when
processing collected data. Processing includes the collection, alteration,
organization, storage, use, communication, combination, restriction or
destruction of personal data.

The seven principles are:


a.) Lawfulness, fairness and transparency – the data must
be processed lawfully, fairly, and in transparent manner
in relation to an individual.
b.) Purpose Limitation – collected for specified and legitimate
purpose.
c.) Data Minimization – it must be limited to what is
necessary in relation to its purpose.
d.) Accuracy – it must be kept up to date and every
reasonable step must be taken.
e.) Storage limitation – it may be stored insofar as necessary
for archiving purposes in the public interest.
f.) Integrity and confidentiality – it must be processed in a
manner that ensures appropriate security of personal
data.
g.) Accountability – that the data controller is responsible in
complying with all these principles.

D. Material and Territorial Jurisdiction


The scope of European Union’s (EU) General Data Protection
Regulation is two-pronged: material and territorial.

Material Jurisdiction

Article 2 of the Regulation outlines its material scope. It provides:

1. This Regulation applies to the processing of personal data wholly or
partly by automated means and to the processing other than by
automated means of personal data which form part of a filing system
or are intended to form part of a filing system.

2. This Regulation does not apply to the processing of personal data:

(a) in the course of an activity which falls outside the scope of
Union law;

(b) by the Member States when carrying out activities which fall
within the scope of Chapter 2 of Title V of the TEU;

(c) by a natural person in the course of a purely personal or
household activity;

(d) by competent authorities for the purposes of the prevention,
investigation, detection or prosecution of criminal offences or the
execution of criminal penalties, including the safeguarding
against and the prevention of threats to public security.

3. For the processing of personal data by the Union institutions, bodies,
offices and agencies, Regulation (EC) No 45/2001 applies. Regulation
(EC) No 45/2001 and other Union legal acts applicable to such
processing of personal data shall be adapted to the principles and
rules of this Regulation in accordance with Article 98.

4. This Regulation shall be without prejudice to the application of
Directive 2000/31/EC, in particular of the liability rules of intermediary
service providers in Articles 12 to 15 of that Directive.

As can be deduced from the foregoing, the Regulation applies to the
processing of “personal data”, which is defined to mean any information
relating to an identified or identifiable natural person[2] (a “data subject”).
Further, the Regulation includes special categories of “sensitive data”, which
include both biometric and genetic data. All “data processing”, which is
broadly defined to cover any operation or set of operations which is
performed on personal data or on sets of personal data, whether or not by
automated means, is also covered. Examples include collection, recording,
organization, structuring, storage, adaptation or alteration, retrieval,
consultation, use, disclosure, erasure, or destruction.

[2] An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. (Article 4, Regulation)

It is important to note, however, that the GDPR provides for
exemptions. Clearly, it does not apply to activities outside the scope of
Union law. The General Data Protection Regulation does not apply to the
processing of personal data that is carried out as part of activities not
covered by Union law, for example activities relating to national security.
Such personal data processing is instead governed by national regulations.

Further, a natural person’s processing of personal data that is carried
out as part of an activity of a purely private nature, or that has a connection
with his or her household, is not subject to the rules stipulated in the
Regulation. This is thus a matter of processing that is entirely private and
without any connection to professional or business activities.

Nor does the General Data Protection Regulation apply when
someone processes personal data in conjunction with the exercise of their
right to freedom of expression or freedom of information. Under the
Regulation, exemptions for freedom of information and freedom of
expression are to be made in national law.

The personal data processing that is necessary for the authorities’
law enforcement activities is defined in a special directive from the EU and
in national law. The Regulation is therefore not applicable to the processing
of personal data that is carried out for the purpose of preventing, averting,
investigating, detecting or prosecuting crimes or executing sentences. This
includes protecting against and preventing threats to public security.
However, the Regulation does not prevent authorities and other bodies
from disclosing official documents under the principle of public access to
official records. The obligation to disclose official documents does not,
however, include electronic disclosure, and the General Data Protection
Regulation therefore applies to such disclosure via, for example, e-mail or
the Internet.

Territorial Jurisdiction

The territorial scope of the General Data Protection Regulation is
determined by Article 3 of the Regulation.

Article 3 of the GDPR defines the territorial scope of the Regulation
on the basis of two main criteria: the “establishment” criterion, as per
Article 3(1), and the “targeting” criterion, as per Article 3(2). Where one
of these two criteria is met, the relevant provisions of the GDPR will apply
to the processing of personal data by the controller or processor concerned.
In addition, Article 3(3) confirms the application of the GDPR to
processing where Member State law applies by virtue of public international
law.[3] Pursuant to Articles 3(1) and 3(2), the GDPR applies to businesses
established in the EU, as well as to businesses based outside the EU that
offer goods and services to, or that monitor, individuals in the EU. Article
3(3) adds that the GDPR also applies in places where EU Member State law
applies by virtue of public international law.

Article 3(1) of the GDPR provides that:

“Regulation applies to the processing of personal data in the context of the
activities of an establishment of a controller or a processor in the Union, regardless of
whether the processing takes place in the Union or not.”

The GDPR applies to businesses “established” in the EU, where
personal data is processed “in the context of the activities” of such an
establishment. Establishment “implies the effective and real exercise of
activity through stable arrangements. The legal form of such
arrangements, whether through a branch or a subsidiary with a legal
personality, is not the determining factor in that respect.” Once this test is
met, the GDPR applies whether the actual data processing takes place in
the EU or not. Thus, the Regulation is applicable to the processing of
personal data by controllers and processors with an establishment in the
European Union. In this regard, it does not matter whether the actual
processing is carried out in the Union or outside.[4]

[3] Jelinek, A. (2018, November 16). Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - Version for public consultation. Retrieved March 11, 2020, from https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_en.pdf
[4] The GDPR's Reach: Material and Territorial Scope Under Articles 2 and 3. (n.d.). Retrieved from https://www.wiley.law/newsletter-May_2017_PIF-The_GDPRs_Reach-Material_and_Territorial_Scope_Under_Articles_2_and_3

Article 3(2) provides that:

“this Regulation applies to the processing of personal data of data subjects who
are in the Union by a controller or processor not established in the Union, where the
processing activities are related to: (a) the offering of goods or services, irrespective of
whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the
Union.”

The GDPR expressly extends the reach of EU data protection laws to
businesses based outside the EU. Non-EU established businesses are
subject to the GDPR where they process personal data of data subjects in
the EU in connection with (i) the offering of goods or services or (ii)
monitoring the behavior of individuals in the EU.

Example: A French company has developed a car-sharing application
exclusively addressed to customers in Morocco, Algeria and Tunisia. The
service is only available in those three countries, but all personal data
processing activities are carried out by the controller in France (an EU
Member State).

While the collection of personal data takes place in non-EU countries,
the subsequent processing of personal data in this case is carried out in the
context of the activities of an establishment of a data controller in the
Union. Therefore, even though the processing relates to personal data of
data subjects who are not in the Union, the provisions of the GDPR will
apply to the processing carried out by the French company, as per Article
3(1).[5]

Under the first prong, the GDPR explains that having a commerce-
oriented website that is accessible to EU residents does not by itself
constitute offering goods or services in the EU. Rather, a business must
show intent to draw EU customers, for example by using a local language
or currency.

Under the second prong of Article 3(2), businesses monitoring the
behavior of individuals in the EU are also subject to the GDPR’s
requirements.

[5] Jelinek, A. (2018, November 16). Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - Version for public consultation. Retrieved March 11, 2020, from https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_en.pdf

Example: A start-up established in the USA, without any business
presence or establishment in the EU, provides a city-mapping application
for tourists. The application processes personal data concerning the
location of customers using the app (the data subjects) once they start
using the application in the city they visit, in order to offer targeted
advertisements for places to visit, restaurants, bars and hotels. The
application is available for tourists while they visit New York, San
Francisco, Toronto, London, Paris and Rome.

The US start-up, via its city-mapping application, is offering services
to individuals in the Union (specifically in London, Paris and Rome). The
processing of the EU-located data subjects’ personal data in
connection with the offering of the service falls within the scope of the
GDPR as per Article 3(2).[6]

Thus, there has to be a determination, first, that the processing relates
to personal data of data subjects who are in the Union, and second, whether
it relates to the offering of goods or services or to the monitoring of data
subjects’ behavior in the Union.

The GDPR also applies wherever EU Member State law applies by
virtue of public international law. Article 3(3) provides that “[t]his
Regulation applies to the processing of personal data by a
controller not established in the Union, but in a place where
Member State law applies by virtue of public international law”.
This provision is expanded upon in Recital 25, which states that
“[w]here Member State law applies by virtue of public international law,
this Regulation should also apply to a controller not established in the
Union, such as in a Member State's diplomatic mission or consular post.”

The GDPR applies to personal data processing carried out by EU
Member States’ embassies and consulates, insofar as such processing falls
within the material scope of the GDPR, as defined in its Article 2. A Member
State’s diplomatic or consular post, as a data controller or processor, would
then be subject to all relevant provisions of the GDPR, including when it
comes to the rights of the data subject, the general obligations related to
controller and processor, and the transfers of personal data to third
countries or international organizations.[7]

[6] Jelinek, A. (2018, November 16). Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - Version for public consultation. Retrieved March 11, 2020, from https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_en.pdf

For example, the Dutch consulate in Kingston, Jamaica, opens an
online application process for the recruitment of local staff in order to
support its administration. While the Dutch consulate in Kingston, Jamaica,
is not established in the Union, the fact that it is a consular post of an EU
country where Member State law applies by virtue of public international
law renders the GDPR applicable to its processing of personal data, as per
Article 3(3).[8]

Another example would be when a German cruise ship travelling in
international waters is processing data of the guests on board for the
purpose of tailoring the in-cruise entertainment offer. While the ship is
located outside the Union, in international waters, the fact that it is a
German-registered cruise ship means that by virtue of public international
law the GDPR shall be applicable to its processing of personal data, as per
Article 3(3).

[7] The GDPR's Reach: Material and Territorial Scope Under Articles 2 and 3. (n.d.). Retrieved from https://www.wiley.law/newsletter-May_2017_PIF-The_GDPRs_Reach-Material_and_Territorial_Scope_Under_Articles_2_and_3
[8] Jelinek, A. (2018, November 16). Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) - Version for public consultation. Retrieved March 11, 2020, from https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_en.pdf

Comparison with Philippine Data Privacy Act

Material Scope
RA 10173: The law applies to the processing of all types of personal
information and to any natural person or legal entity involved in personal
information processing.
GDPR: Applies to the processing of personal data wholly or partly by
automated means, within the scope of Union law.

Territorial Scope
RA 10173: Applies to data controllers and processors who are located in
the Philippines, use equipment that is located in the Philippines or who
maintain an office, branch or agency in the Philippines. Also applies to
actions outside of the territory of the Philippines where the act, practice or
processing relates to personal data about a Philippine citizen or resident, or
where the entity carries on business in the Philippines and information is
collected or held by an entity.
GDPR: Applies to processing that takes place in the Union or by a
processor who has an establishment in the Union within the context of
activities in the Union, or to processing activities that are related to the
offering of goods and services to (or behavioral monitoring of) data
subjects in the Union.

II. RIGHTS OF THE DATA SUBJECT


A. Individual Rights of a Data Subject under GDPR
The General Data Protection Regulation (GDPR) grants individuals, in
their capacities as consumers, citizens and so forth, a range of specific data
subject rights that they can exercise under particular conditions, subject as
usual to a few exceptions. GDPR compliance means, among other things,
enabling the exercise of these rights. The rights of data subjects under
GDPR are detailed in Chapter 3, Articles 12 to 23. There are eight
fundamental rights under GDPR, to wit:

1. Right to Access Personal Data. - Under GDPR, data subjects have the
right to access the data collected on them by a data controller. The data
controller must respond to that request within 30 days (Article 15);

2. Right to Rectification. - Data subjects have the right to request
modification of their data, including the correction of errors and the
updating of incomplete information (Article 16);

3. Right to Erasure. - Also referred to as the right to deletion or the right
to be forgotten, it allows a data subject to stop all processing of their data
and request that their personal data be erased (Article 17);

4. Right to Restrict Data Processing. - Data subjects, under certain
circumstances, can request that all processing of their personal data be
stopped (Article 18);

5. Right to be Notified. - Data subjects must be informed about the uses
of their personal data in a clear manner and be told the actions that can be
taken if they feel their rights are being impeded. Data subjects must also
be informed of any rectification or erasure of their personal data under
Articles 16, 17, and 18 (Article 19);

6. Right to Data Portability. - A data subject can request that their
personal data file be sent electronically to a third party. Data must be
provided in a commonly used, machine-readable format, if doing so is
technically feasible (Article 20);

7. Right to Object. - If a request to stop data processing is rejected by a
data controller, the data subject has the right to object to their Article 18
right being denied (Article 21); and

8. Right to Reject Automated Individual Decision-Making. - Data
subjects have the right to refuse the automated processing of their
personal data to make decisions about them if that significantly affects the
data subject or produces legal effects – profiling for example (Article 22).

1. Right to be Informed
There is a need for transparency regarding the gathering and use of
data in order to allow EU citizens to exercise their right to the protection of
personal data. Therefore, the General Data Protection Regulation (GDPR)
gives individuals a right to be informed about the collection and use of their
personal data, which leads to a variety of information obligations by the
controller. The law differentiates between two cases: On the one hand, if
personal data is directly obtained from the data subject (Art. 13 of the
GDPR) and, on the other hand, if this is not the case (Art. 14 of the GDPR).

Where data is obtained directly, the person must be immediately
informed, meaning at the time the data is obtained. In terms of content,
the controller’s obligation to inform includes his identity, the contact data
of the Data Protection Officer (if available), the processing purposes and
the legal basis, any legitimate interests pursued, the recipients when
transmitting personal data, and any intention to transfer personal data to
third countries. In addition, the right to be informed also includes
information about the duration of storage, the rights of the data subject,
the ability to withdraw consent, the right to lodge a complaint with the
authorities and whether the provision of personal data is a statutory or
contractual requirement. In addition, the data subject must be informed of
any automated decision-making activities, including profiling. Only if the
data subject is already aware of the above information is it not necessary
to provide it.[9]

[9] Right to be Informed. (n.d.). Retrieved from https://gdpr-info.eu/issues/right-to-be-informed/

If personal data is not obtained from the data subject, he or
she must be provided the information within a reasonable period of time,
but at the latest after a month. In cases where the gathered information is
used to directly contact the data subject, he or she has the right to be
informed immediately upon being approached. As far as content is
concerned, the controller has to provide the same specific information as if
the personal data had been directly obtained from the data subject.
The only exception is the information about any obligation to provide the
personal data, as the controller does not have the decision-making
authority in this case. In addition, the controller has the obligation to inform
from what sources the personal data originated, and whether it was publicly
available. The data subject has a right to be informed in a precise,
transparent, comprehensible and easily accessible form. The obligation to
inform can be fulfilled in writing or in electronic form. It is explicitly stated
that so-called ‘standardised image symbols’ can also be used in order to
convey a meaningful overview of the intended processing in an easily
comprehended, understandable and clear form.[10]

In the case that the personal data is not gathered from the data
subject, in exceptional cases there is no obligation to inform. This applies
if providing the information is either impossible or unreasonably expensive,
if the gathering and/or transmission is required by law, or if the data must
remain confidential due to professional secrecy or other statutory secrecy
obligations.

[10] Right to be Informed. (n.d.). Retrieved from https://gdpr-info.eu/issues/right-to-be-informed/

In comparison to Republic Act 10173, or the Philippine Personal Data
Protection Act, the GDPR is significantly aligned as to the right to
information. One important note, however, is that under RA 10173 the
requirement to notify affected data subjects of a breach is predicated
upon an assessment of whether the unauthorized acquisition is likely to
give rise to a real risk of serious harm to any affected data subject, while in
the Regulation the protection-from-harm principle is couched in a more
general expression: it protects the fundamental rights and freedoms of
natural persons and in particular their right to the protection of personal
data. Relevant to the right to information is the principle of transparency.
The principle of transparency requires that any information addressed to
the public or to the data subject be concise, easily accessible and easy to
understand, and that clear and plain language and, additionally, where
appropriate, visualization be used. Such information could be provided in
electronic form, for example, when addressed to the public, through a
website. This is of particular relevance in situations where the proliferation
of actors and the technological complexity of practice make it difficult for
the data subject to know and understand whether, by whom and for what
purpose personal data relating to him or her are being collected, such as
in the case of online advertising. Given that children merit specific
protection, any information and communication, where processing is
addressed to a child, should be in such clear and plain language that the
child can easily understand.[11]

Further, the principles of fair and transparent processing require that
the data subject be informed of the existence of the processing operation
and its purposes. The controller should provide the data subject with any
further information necessary to ensure fair and transparent processing
taking into account the specific circumstances and context in which the
personal data are processed. Furthermore, the data subject should be
informed of the existence of profiling and the consequences of such
profiling. Where the personal data are collected from the data subject, the
data subject should also be informed whether he or she is obliged to
provide the personal data and of the consequences, where he or she does
not provide such data. That information may be provided in combination
with standardised icons in order to give in an easily visible, intelligible and
clearly legible manner, a meaningful overview of the intended processing.
Where the icons are presented electronically, they should be machine-
readable.[12]

2. Right of Access
Commonly referred to as subject access, it gives individuals the right
to obtain a copy of their personal data as well as other supplementary
information. The GDPR includes a best practice recommendation that,
where possible, organizations should be able to provide remote access to
a secure self-service system which would provide the individual with direct
access to his or her information.[13]

[11] Recital 58, GDPR
[12] Recital 60, GDPR
[13] Recital 63, GDPR

The GDPR does not specify how to make a valid request. Therefore,
an individual can make a subject access request verbally or in writing.
Standard forms can make it easier to submit a subject access request and for the
individual to include all the details that an entity needs to locate the
information they want. The GDPR requires that the information provided to
an individual is in a concise, transparent, intelligible and easily accessible
form, using clear and plain language.14

In most cases, a fee is not required to comply with a subject access
request. However, a “reasonable fee” for the administrative costs of
complying with the request is encouraged when (1) it is manifestly
unfounded or excessive; or (2) an individual requests further copies of their
data following a request. The request must be complied with without undue
delay and at the latest within one month of the request. If there are doubts
as to the identity of the person making the request, the entity can ask for
more information. If a large amount of information is requested, the
individual may be asked to specify the information or processing activities
to which their request relates before the entity responds to the request.

If an exemption applies, a subject access request (wholly or partly)
may be refused. The following are some of the exemptions:
1. Crime and taxation
2. Information required to be disclosed by law or in connection with
legal proceedings
3. Legal professional privilege
4. Self-incrimination
5. Disclosure prohibited or restricted by law
6. Immigration
7. Functions designed to protect the public
8. Audit functions
9. Banking functions
10. Regulatory functions relating to legal services, the health service and
children’s services
11. Other regulatory functions

Furthermore, a refusal to comply is also possible if the subject access
request is manifestly unfounded or excessive. A request may be manifestly
unfounded if the individual clearly has no intention to exercise their right
of access, or the request is malicious in intent and is being used to harass
an organization with no real purpose other than to cause disruption. A
request may be excessive if it repeats the substance of previous requests
and a reasonable interval has not elapsed, or if it overlaps with other
requests.

14 https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/

In the Philippines

Under Sec. 16(c), RA No. 10173, people whose personal information
is collected, stored, and processed are called data subjects. Organizations
that deal with your personal details, whereabouts, and preferences are
duty-bound to observe and respect individuals’ data privacy rights.

3. Right to Rectification
Under Article 16 of the GDPR individuals have the right to have
inaccurate personal data rectified. This may involve providing a
supplementary statement to the incomplete data. The GDPR does not give
a definition of the term accuracy. However, the Data Protection Act 2018
(DPA 2018) states that personal data is inaccurate if it is incorrect or
misleading as to any matter of fact. Determining whether personal data is
inaccurate can be more complex if the data refers to a mistake that has
subsequently been resolved. It is also complex if the data in question
records an opinion. Opinions are, by their very nature, subjective, and it
can be difficult to conclude that the record of an opinion is inaccurate15.

Under Article 18 an individual has the right to request restriction of
the processing of their personal data where they contest its accuracy. As a
matter of good practice, an entity should restrict the processing of the
personal data in question whilst it is verifying its accuracy, whether or
not the individual has exercised their right to restriction.

The GDPR does not specify how to make a valid request. Therefore,
an individual can make a request for rectification verbally or in writing. In
most cases an entity cannot charge a fee to comply with a request for
rectification. However, it can charge a “reasonable fee” for the
administrative costs of complying with the request if it is manifestly
unfounded or excessive. If there are doubts as to the identity of the person
making the request, the entity can ask for more information. In most cases,
a fee is not required to comply with a subject access request. If an
exemption applies, a subject access request (wholly or partly) may be
refused. Furthermore, a refusal to comply is also possible if the subject
access request is manifestly unfounded or excessive.

15 https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-rectification/

In the Philippines

Under Sec. 16(d) of RA No. 10173, an individual has the right to
dispute and have corrected any inaccuracy or error in the data a personal
information controller (PIC) holds about him.

4. Right to Erasure or the ‘Right to be Forgotten’

Under Article 17 of the GDPR individuals have the right to have
personal data erased. This is also known as the ‘right to be forgotten’. The
right is not absolute and only applies in certain circumstances as stated in
the law above.

If a valid erasure request is received and no exemption applies, then
an entity will have to take steps to ensure erasure from backup systems as
well as live systems. It may be that the erasure request can be instantly
fulfilled in respect of live systems, but that the data will remain within the
backup environment for a certain period of time until it is overwritten.16

The GDPR does not specify how to make a valid request. Therefore,
an individual can make a request for rectification verbally or in writing. In
most cases an entity cannot charge a fee to comply with a request for
rectification. However, it can charge a “reasonable fee” for the
administrative costs of complying with the request if it is manifestly
unfounded or excessive. If there are doubts as to the identity of the person
making the request, the entity can ask for more information. In most cases,
a fee is not required to comply with a subject access request.

16 https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/

If an exemption applies, a subject access request (wholly or partly)
may be refused. Furthermore, a refusal to comply is also possible if the
subject access request is manifestly unfounded or excessive.

In the case of Google Spain vs. AEPD & Mario Gonzales17, the
Court of Spain recognized that the activity of search engines plays a
decisive role in the overall dissemination of those data in that it renders
the latter accessible to any internet user making a search on the basis of
the data subject’s name, including to internet users who otherwise would
not have found the web page on which those data are published. The fact
that publishers of websites have the option of indicating to operators of
search engines, by means in particular of exclusion protocols such as
‘robot.txt’ or codes such as ‘noindex’ or ‘noarchive’, that they wish specific
information published on their site to be wholly or partially excluded from
the search engines’ automatic indexes does not mean that, if publishers of
websites do not so indicate, the operator of a search engine is released
from its responsibility for the processing of personal data that it carries out
in the context of the engine’s activity.

In the Philippines

Under Sec. 16(e) RA No. 10173 an individual has the right to
suspend, withdraw or order the blocking, removal or destruction of his/her
personal data. They can exercise this right upon discovery and substantial
proof of those mentioned in that section.

5. Right to Restriction of Processing

Article 4(3) defines ‘restriction of processing’ as the marking of stored
personal data with the aim of limiting their processing in the future. This
right to restrict processing can be exercised by individuals with regard to
their personal data. When they do, other parties will only be allowed to
store it,18 unless one of the following conditions exists:

1. The data holder has the individual’s consent;
2. It is for the establishment, exercise or defense of legal claims;
3. It is for the protection of the rights of another person (natural or legal);
4. It is for reasons of important public interest.

17 C‑131/12, May 13, 2014
18 Vegh, L. (30 January 2017), When can the right to restrict data processing be applied? Retrieved March 11, 2020 from https://eugdprcompliant.com/knowledgebase/the-right-to-restrict-processing/

Individuals have the right to restrict the processing of their personal
data where they have a particular reason for wanting the restriction. This
may be because they have issues with the content of the information the
other party holds or how they have processed their data. Often, other
parties or data controllers will not be required to restrict an individual’s
personal data indefinitely but will need to have the restriction in place for
a certain period of time.19

Under the GDPR individuals have the right to request other parties to
restrict the processing of their personal data in the following situations:20

1. The individual contests the accuracy of their personal data and you
are verifying the accuracy of the data;
2. The data has been unlawfully processed (i.e. in breach of the
lawfulness requirement of the first principle of the GDPR) and the
individual opposes erasure and requests restriction instead;
3. When the data is no longer needed, but the individual needs you to
keep it in order to establish, exercise or defend a legal claim; or
4. The individual has objected to you processing their data under Article
21(1), and you are considering whether your legitimate grounds
override those of the individual.

Although this is different from the right to rectification and the right to
object, those rights and the right to restrict processing are closely related.
As a matter of good practice, an individual should restrict processing while
considering the legitimate grounds for processing the personal data in
question, illustrated as follows:21

19 Information Commissioner’s Office, Right to restrict processing. Retrieved March 11, 2020 from https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-restrict-processing/
20 Ibid.
21 Ibid.

1. If an individual has challenged the accuracy of their data and asked
for you to rectify it (Article 16), they also have a right to request you
restrict processing while you consider their rectification request; or
2. If an individual exercises their right to object under Article 21(1),
they also have a right to request you restrict processing while you
consider their objection request.

Methods by which to restrict the processing of personal data could
include, inter alia, temporarily moving the selected data to another
processing system, making the selected personal data unavailable to users,
or temporarily removing published data from a website. In automated filing
systems, the restriction of processing should in principle be ensured by
technical means in such a manner that the personal data are not subject
to further processing operations and cannot be changed. The fact that the
processing of personal data is restricted should be clearly indicated in the
system.22
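The marking and technical enforcement described above, as an added Python example that is not part of this report or of the ICO guidance (the class, method and ground names are this example's own assumptions): a record store whose restricted records can still be stored, but cannot be read for processing or changed unless one of the Article 18(2) grounds listed earlier is supplied, and whose status clearly indicates the restriction.

```python
"""Restriction of processing (GDPR Art. 18, Recital 67) enforced in code.

Added illustration; names are assumptions, not a real library's API."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# The four situations in which Article 18(1) entitles an individual to ask
# for restriction (the numbered list earlier in this section).
ART18_GROUNDS = {
    "accuracy_contested",      # Art. 18(1)(a)
    "unlawful_processing",     # Art. 18(1)(b)
    "needed_for_legal_claim",  # Art. 18(1)(c)
    "objection_pending",       # Art. 18(1)(d)
}

# The grounds on which Article 18(2) still allows processing beyond storage.
ART18_2_BASES = {"consent", "legal_claims", "third_party_rights", "public_interest"}


class ProcessingRestricted(Exception):
    """Raised when code tries to use or change a record under restriction."""


@dataclass
class Record:
    subject_id: str
    data: dict
    restricted: bool = False
    ground: str = ""
    restricted_at: str = ""


class PersonalDataStore:
    """Minimal store that enforces restriction by technical means."""

    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}
        self.audit: List[str] = []  # restriction events, kept for accountability

    def add(self, subject_id: str, data: dict) -> None:
        self._records[subject_id] = Record(subject_id, dict(data))

    def restrict(self, subject_id: str, ground: str) -> None:
        """Mark the record so that only storage remains permitted."""
        if ground not in ART18_GROUNDS:
            raise ValueError(f"not an Article 18(1) ground: {ground}")
        rec = self._records[subject_id]
        rec.restricted = True
        rec.ground = ground
        rec.restricted_at = datetime.now(timezone.utc).isoformat()
        self.audit.append(f"RESTRICT {subject_id} ground={ground}")

    def lift(self, subject_id: str, note: str) -> None:
        """Remove the marking once the reason for restriction is resolved."""
        rec = self._records[subject_id]
        rec.restricted = False
        rec.ground = ""
        self.audit.append(f"LIFT {subject_id} note={note}")

    def _check(self, rec: Record, basis: Optional[str], action: str) -> None:
        # Storage is always allowed; any other operation needs an Art. 18(2) basis.
        if rec.restricted and basis not in ART18_2_BASES:
            raise ProcessingRestricted(
                f"{action} of {rec.subject_id} blocked: restricted ({rec.ground})")

    def read_for_processing(self, subject_id: str, basis: Optional[str] = None) -> dict:
        rec = self._records[subject_id]
        self._check(rec, basis, "read")
        return dict(rec.data)  # copy, so callers cannot mutate the stored data

    def update(self, subject_id: str, changes: dict, basis: Optional[str] = None) -> None:
        rec = self._records[subject_id]
        self._check(rec, basis, "update")
        rec.data.update(changes)

    def status(self, subject_id: str) -> str:
        """Clear indication in the system that processing is restricted."""
        rec = self._records[subject_id]
        return f"RESTRICTED ({rec.ground})" if rec.restricted else "ACTIVE"


def demo() -> List[str]:
    """Accuracy-contested scenario on a constructed record; returns the status trail."""
    store = PersonalDataStore()
    store.add("ds-001", {"name": "A. Example", "city": "Davao"})  # constructed data
    trail = [store.status("ds-001")]
    store.restrict("ds-001", "accuracy_contested")
    trail.append(store.status("ds-001"))
    try:
        store.update("ds-001", {"city": "Manila"})  # ordinary processing is blocked
    except ProcessingRestricted:
        trail.append("update blocked")
    # Use for legal claims remains possible under Art. 18(2)
    store.read_for_processing("ds-001", basis="legal_claims")
    store.lift("ds-001", "accuracy verified; record corrected under Art. 16")
    store.update("ds-001", {"city": "Manila"})
    trail.append(store.status("ds-001"))
    return trail
```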

6. Right to Data Portability

The right to data portability allows data subjects to obtain and reuse
personal data about them for their own purposes across different services.23
In other words, an individual can demand to download his or her data from
a service provider, or to have said data transferred to another service provider.
An example of this is when a person wants to stop using an online service provider
but still wants to keep his or her data or transfer it to another service provider;
in that case a download button comes in handy. Article 20 of the GDPR
specifies the following rights for the right to data portability:

1. The data subject shall have the right to receive the personal data concerning
him or her, which he or she has provided to a controller, in a structured,
commonly used and machine-readable format and have the right to transmit
those data to another controller without hindrance from the controller to
which the personal data have been provided, where:

22 Recital 67
23 Dela Torre, L. (23 February 2019) The right to data portability under EU data protection law. Retrieved March 11, 2020 from https://medium.com/golden-data/what-is-the-right-to-data-portability-under-eu-data-protection-law-8efa509fc788

(a) the processing is based on consent pursuant to point (a) of Article 6(1) or
point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1);
and
(b) the processing is carried out by automated means.

2. In exercising his or her right to data portability pursuant to paragraph 1, the
data subject shall have the right to have the personal data transmitted directly
from one controller to another, where technically feasible.

3. The exercise of the right referred to in paragraph 1 of this Article shall be
without prejudice to Article 17. That right shall not apply to processing necessary
for the performance of a task carried out in the public interest or in the exercise
of official authority vested in the controller.

4. The right referred to in paragraph 1 shall not adversely affect the rights and
freedoms of others.

As provided above, the right to data portability is not absolute. It
applies to specific situations:24 First, the lawful basis for the information is
the consent of the individual or the performance of a contract. Second, the data
processing is automated. Such automatically processed data must be
transmitted to the data subject in a structured, commonly used, machine-
readable and interoperable format, and the data subject may transmit it to another
controller.25 Third, the personal data in question has been ‘provided to’ the
controller by the data subject. The term ‘provided to’ includes both the data
proactively furnished by the data subject (e.g. mailing address, username,
age) and personal data gathered by observation of an individual’s activities
(e.g. using a device or service), which may include traffic and location data.

Under the Data Privacy Act of 2012, the right to data portability is
included in Chapter 4 which contains the rights of the data subject.
According to Section 18:

The data subject shall have the right, where personal information is processed by
electronic means and in a structured and commonly used format, to obtain from the
personal information controller a copy of data undergoing processing in an electronic
or structured format, which is commonly used and allows for further use by the data
subject. The Commission may specify the electronic format referred to above, as well as
the technical standards, modalities and procedures for their transfer.

24 Ibid.
25 Recital 68.

While the GDPR emphasizes that the right to data portability is not
absolute, it does not lay down specific situations in which the right does not
apply, only conditions on it, such as that it must not violate any other rights
and that it yields to the public interest. The Data Privacy Act, on the other
hand, provides for specific situations, in addition to the conditions, in which
the rights of the data subject do not apply, as follows:

SEC. 19. Non-Applicability. – The immediately preceding sections are not
applicable if the processed personal information are used only for the needs of scientific
and statistical research and, on the basis of such, no activities are carried out and no
decisions are taken regarding the data subject: Provided, That the personal information
shall be held under strict confidentiality and shall be used only for the declared purpose.
Likewise, the immediately preceding sections are not applicable to processing of personal
information gathered for the purpose of investigations in relation to any criminal,
administrative or tax liabilities of a data subject.

According to Duncan Riley, veteran Web developer and the b5media
blog network's founder, data portability will allow a person to take his or
her data with him or her, increasing competition [among sites] and creating
a better environment for everyone using the Web.26 In an ideal set-up this
would basically mean that the information is owned and controlled by the
individual and not the service provider that he or she uses.

7. Right to Object

Article 21 gives individuals the right to object to the processing of
their personal data at any time. This effectively prevents other parties from
processing the personal data of an individual. Individuals have the absolute
right to object to the processing of their personal data if it is for direct
marketing purposes.27 An example of this is when an individual receives
promotional calls or messages from his or her phone provider: that
individual has the right to make such promotional calls stop. Under the
GDPR, the right to object can be summarized in the following points:28

26 K. Hayman, (April 2008) The Move to Make Social Data Portable in Computer. Retrieved March 11, 2020 from https://ieeexplore.ieee.org/document/4488241
27 Information Commissioner’s Office, Right to restrict processing. Retrieved March 11, 2020 from https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-object/
28 Dataguise, (2018) Right to object. Retrieved March 11, 2020 from http://dataguise.com/gdpr-knowledge-center/right-to-object/

• The right to object allows data subjects to send organizations
requests to stop processing their personal data in certain
circumstances.
• Data subjects must give specific reasons why they are
objecting to the processing of their data. These reasons should
be based upon their particular situation.
• Organizations must disclose to data subjects their right to
object to processing; this is often communicated within their privacy
notice.
• Right to object requests can be made to an organization
verbally or in writing.
• Objection requests must be handled by an organization (data
controller) without undue delay and within one month after
receiving the request.
• Exceptions apply to extend an organization’s response by an
additional two months.

Under the Data Privacy Act the data subject has the right to object
to the processing of his or her personal data, including processing for direct
marketing, automated processing or profiling. He or she should be given
an opportunity to withhold consent in case of any amendment to the
information supplied to the data subject under the right to be informed.29

The personal information controller should not process the personal
data without consent unless:30

a. The personal data is needed pursuant to a subpoena;
b. The collection and processing are for obvious purposes, including
when it is necessary for the performance of or in relation to a contract or
service to which the data subject is a party, or when necessary or desirable
in the context of an employer-employee relationship between the collector
and the data subject; or
c. The information is being collected and processed because of a legal
obligation.

29 National Privacy Commission. Rights of a data subject. Retrieved March 11, 2020 from https://www.privacy.gov.ph/wp-content/uploads/07-Rights-of-a-Data-Subject.pdf
30 Ibid.

Under Philippine law, it is important to have the objection formally
documented: the person must execute a written request to the
organization, addressed to its Data Protection Officer (DPO), and have it
received. In the letter, mention that the request is being made in exercise
of the right to object under the Data Privacy Act of 2012. The DPO must
act on the written request. In case the request has not been
addressed satisfactorily, the person may file a formal complaint before the
National Privacy Commission, with the request letter to the DPO attached.31

8. Rights Related to Automated Decision-Making

The GDPR has provisions on automated individual decision-making
(making a decision solely by automated means without any human
involvement) and profiling (automated processing of personal data to
evaluate certain things about an individual). Profiling can be part of an
automated decision-making process.

The GDPR applies to all automated individual decision-making and
profiling. Article 22 of the GDPR has additional rules to protect individuals
if you are carrying out solely automated decision-making that has legal or
similarly significant effects on them.32

What is automated individual decision-making and profiling?

Automated individual decision-making is a decision made by automated
means without any human involvement. Automated individual decision-
making does not have to involve profiling, although it often will do.

The GDPR says that profiling is:

“Any form of automated processing of personal data consisting of the use
of personal data to evaluate certain personal aspects relating to a natural
person, in particular to analyse or predict aspects concerning that natural
person’s performance at work, economic situation, health, personal
preferences, interests, reliability, behaviour, location or movements.”
[Article 4(4)]

31 National Privacy Commission. Rights of a data subject. Retrieved March 11, 2020 from https://www.privacy.gov.ph/know-your-rights/#topic7_part4
32 https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/rights-related-to-automated-decision-making-including-profiling/

Information is analysed to classify people into different groups or
sectors, using algorithms and machine-learning. This analysis identifies
links between different behaviours and characteristics to create profiles for
individuals. There is more information about algorithms and machine-
learning in our paper on big data, artificial intelligence, machine learning
and data protection. The GDPR restricts you from making solely automated
decisions, including those based on profiling, that have a legal or similarly
significant effect on individuals.

“The data subject shall have the right not to be subject to a decision based solely
on automated processing, including profiling, which produces legal effects concerning
him or her or similarly significantly affects him or her.” [Article 22(1)]

For something to be solely automated there must be no human
involvement in the decision-making process. The restriction only covers
solely automated individual decision-making that produces legal or
similarly significant effects. These types of effect are not defined in the
GDPR, but the decision must have a serious negative impact on an
individual to be caught by this provision.

A legal effect is something that adversely affects someone’s legal
rights. Similarly significant effects are more difficult to define but would
include, for example, automatic refusal of an online credit application, and
e-recruiting practices without human intervention.

__________________

B. Restrictions

The exemptions in the DPA 2018 can relieve one of some of their
obligations for things such as:

• the right to be informed;
• the right of access;
• dealing with other individual rights;
• reporting personal data breaches; and
• complying with the principles.

Whether or not one can rely on an exemption generally depends on
your purposes for processing personal data. Some exemptions apply simply
because you have a particular purpose. But others only apply to the extent
that complying with the GDPR would:

• be likely to prejudice one’s purpose (e.g. have a damaging or
detrimental effect on what one is doing); or
• prevent or seriously impair a person from processing personal
data in a way that is required or necessary for the purpose.

Exemptions should not routinely be relied upon or applied in a blanket
fashion. One must consider each exemption on a case-by-case basis. If an
exemption does apply, sometimes one will be obliged to rely on it (for
instance, if complying with GDPR would break another law), but sometimes
you can choose whether or not to rely on it.

In line with the accountability principle, one should justify and
document the reasons for relying on an exemption to demonstrate
compliance. If one cannot identify an exemption that covers what one is
doing with personal data, one must comply with the GDPR as normal.

Information required to be disclosed by law or in connection with
legal proceedings

This exemption has three parts. The first part can apply if one is
required by law to make personal data available to the public.

It exempts one from the GDPR’s provisions on:

• the right to be informed;
• all the other individual rights, except rights related to automated
individual decision-making including profiling;
• the lawfulness, fairness and transparency principle, except the
requirement for processing to be lawful;
• the purpose limitation principle; and
• all the other principles, but only so far as they relate to the right to
be informed and the other individual rights.

But the exemption only applies to the extent that complying with these
provisions would prevent one from meeting the legal obligation to make
personal data publicly available.

The second part of this exemption can apply if one is required by law,
or court order, to disclose personal data to a third party. It exempts a
person from the same provisions, but only to the extent that complying with
those provisions would prevent you from disclosing the personal data.

The third part of this exemption can apply if it is necessary for one to
disclose personal data for the purposes of, or in connection with:

• legal proceedings, including prospective legal proceedings;
• obtaining legal advice; or
• establishing, exercising or defending legal rights.

Self-incrimination

This exemption can apply if complying with the GDPR provisions
below would reveal evidence that you have committed an offence.

It exempts you from the GDPR’s provisions on:

• the right to be informed;
• the right of access; and
• all the principles, but only so far as they relate to the right to be
informed and the right of access.

But the exemption only applies to the extent that complying with
these provisions would expose a person to proceedings for the offence. This
exemption does not apply to an offence under the DPA 2018 or an offence
regarding false statements made otherwise than on oath. But any
information one does provide to an individual in response to a subject
access request is not admissible against that person in proceedings for an
offence under the DPA 2018.

III. ACCOUNTABILITY AND GOVERNANCE

A. Obligations for Data Controllers and Processors

The obligations under the GDPR will vary depending on whether one
is a controller, joint controller or processor. Organizations that determine
the purposes and means of processing will be controllers regardless of how
they are described in any contract about processing services.

Controllers have new data protection obligations under the GDPR.
Also, in a change from previous legislation, processors now have statutory
obligations in their own right under the GDPR.

What is a controller? Controllers are the main decision-makers – they
exercise overall control over the purposes and means of the
processing of personal data. If two or more controllers jointly determine
the purposes and means of the processing of the same personal data, they
are joint controllers. However, they are not joint controllers if they are
processing the same data for different purposes. If one exercises overall
control of the purpose and means of the processing of personal data – i.e.,
you decide what data to process and why – you are a controller.

Controllers shoulder the highest level of compliance responsibility –
you must comply with, and demonstrate compliance with, all the data
protection principles as well as the other GDPR requirements. One is also
responsible for the compliance of your processor(s).

Supervisory authorities (such as the ICO) and individuals may take
action against a controller regarding a breach of its obligations. Controllers
in the UK must pay the data protection fee, unless they are exempt.33

What is a processor? Processors act on behalf of, and only on the
instructions of, the relevant controller. If you don’t have any purpose of
your own for processing the data and you only act on a client’s instructions,
you are likely to be a processor – even if you make some technical decisions
about how you process the data.

33 https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/

Processors do not have the same obligations as controllers under the
GDPR and do not have to pay a data protection fee. However, if you are a
processor, you do have a number of direct obligations of your own under
the GDPR. Both supervisory authorities (such as the ICO) and individuals
may take action against a processor regarding a breach of those obligations.

1. Privacy by Design and Default

The GDPR introduces new obligations that require you to integrate
data protection concerns into every aspect of your processing activities.
This approach is ‘data protection by design and by default’. These are key
elements of the GDPR’s risk-based approach and its focus on
accountability, i.e. you are able to demonstrate how you are complying
with its requirements.

What is data protection by design?

Data protection by design is ultimately an approach that ensures you
consider privacy and data protection issues at the design phase of any
system, service, product or process and then throughout the lifecycle.

Data protection by design is about considering data protection and
privacy issues upfront in everything you do. It can help you ensure that
you comply with the GDPR’s fundamental principles and requirements, and
forms part of the focus on accountability.

As expressed by the GDPR, it requires you to:

• put in place appropriate technical and organizational measures
designed to implement the data protection principles; and
• integrate safeguards into your processing so that you meet the
GDPR's requirements and protect the individual rights.

In essence this means you have to integrate or ‘bake in’ data
protection into your processing activities and business practices. An
example of data protection by design is the use of pseudonymisation
(replacing personally identifiable material with artificial identifiers) and
encryption (encoding messages so only those authorised can read them).

What is data protection by default?

Data protection by default requires you to ensure that you only


process the data that is necessary to achieve your specific purpose. It links
to the fundamental data protection principles of data
minimization and purpose limitation.

You have to process some personal data to achieve your purpose(s).
Data protection by default means you need to specify this data before the
processing starts, appropriately inform individuals and only process the
data you need for your purpose. It does not require you to adopt a ‘default
to off’ solution. What you need to do depends on the circumstances of your
processing and the risks posed to individuals.

An example of data protection by default is a social media platform
setting users’ profile settings to the most privacy-friendly option, for
example by limiting from the start the accessibility of users’ profiles so
that they are not accessible by default to an indefinite number of persons
(Article 25, GDPR).

2. Data Protection Impact Assessment

Where a type of processing, in particular using new technologies and
taking into account the nature, scope, context and purposes of the
processing, is likely to result in a high risk to the rights and freedoms
of natural persons, the controller shall, prior to the processing, carry
out an assessment of the impact of the envisaged processing operations
on the protection of personal data.34 The Data Protection Impact
Assessment (DPIA) is a process to help you identify and minimize the data
protection risks of a project.35 In brief terms, a data protection impact
assessment is a test of the protection of personal data against the impact
that a particular processing operation has on it. In such an assessment,
while the data is primarily in the hands of the controller, the latter
shall seek the advice of the data protection officer on how the assessment
is to be carried out. This assessment is particularly required in cases of:

34 General Data Protection Regulation (2018), Article 35(1).
35 Data protection impact assessments. Information Commissioner’s Office. Retrieved March 04, 2020 from https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/

1. Systematic and extensive profiling with significant effects;
2. Processing of special category or criminal offence data on a large
scale; or
3. Systematic monitoring of publicly accessible places on a large scale.

The assessment shall contain at least:

1. A systematic description of the envisaged processing operations and
the purposes of the processing, including, where applicable, the
legitimate interest pursued by the controller;
2. An assessment of the necessity and proportionality of the processing
operations in relation to the purposes;
3. An assessment of the risks to the rights and freedoms of data
subjects; and
4. The measures envisaged to address the risks, including safeguards,
security measures and mechanisms to ensure the protection of
personal data and to demonstrate compliance with this Regulation
taking into account the rights and legitimate interests of data
subjects and other persons concerned.

Key Points in Data Protection Impact Assessment

A description of the processing operation is made first, to guide the
course of the assessment and to keep the assessment confined to the data
actually to be processed: matters outside the processing operation are
left out, and data related to the operation is not excluded, since either
error would cause the identified risks to be overstated or understated.

After the description, the necessity of the assessment should be
established in relation to the processing operations, to determine whether
the need for such an assessment is proportionate to the purpose of the
processing operations. Only once the description of the processing
operations has been put into form, and the need to assess is proportionate
to its purpose, does the identification and assessment of the related risks
commence.

To assess the level of risk, you must consider both the likelihood and
the severity of any impact on individuals.36 High risk could result from
either a high probability of some harm, or a lower possibility of serious
harm. The identified risks will then be met by specific counter-measures
and standards, either to mitigate such risks or to prevent them entirely
from affecting the intended processing operation. The illustration below
summarizes the carrying out of a DPIA:

Figure 1. DPIA Process.

A DPIA necessarily begins before the start of a processing operation.
This ensures that, before operations start, the controller is already
prepared to face the risks related to the process, and that the process can
fundamentally stand with minimal chance of personal data breach or
leakage, because the DPIA was done before the inception of the processing
operation.

Obligations of Secrecy

Member States may adopt specific rules to set out the powers of the
supervisory authorities in relation to controllers or processors that are
subject, under Union or Member State law or rules established by national
competent bodies, to an obligation of professional secrecy or other
equivalent obligations of secrecy where this is necessary and proportionate
to reconcile the right of the protection of personal data with the obligation
of secrecy. Those rules shall apply only with regard to personal data which
the controller or processor has received as a result of or has obtained in an
activity covered by that obligation of secrecy.37 This provision of the
General Data Protection Regulation mandates the member states of the
European Union to adopt specific rules to execute the GDPR over controllers
and processors subject to the specific state’s jurisdiction. The specific
rules, however, should reinforce both the obligation of professional secrecy
borne by controllers and processors and the right of the individual citizen
to the protection of his or her personal data.

36 What is a DPIA? Information Commissioner’s Office. Retrieved March 04, 2020 from https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/data-protection-impact-assessments-dpias/what-is-a-dpia/.

Presence in Philippine Setting

Republic Act 10173, otherwise known as the Data Privacy Act of
2012, contains specific provisions which seemingly support the aim of the
GDPR to promote personal data protection and the confidentiality of
information. Section 20(a) of the said Act provides for the following:

The personal information controller must implement reasonable and appropriate
organizational, physical and technical measures intended for the protection of
personal information against any accidental or unlawful destruction, alteration
and disclosure, as well as against any other unlawful processing.38

The above-cited provision places on the controller or processor the task
of formulating measures to protect personal information not only against
risks, but also in cases of willful leakage or data breach. This essentially
supplements the provisions of the GDPR and provides the country with its
own law to execute the mandate of data protection and secrecy. The said
law also requires safeguards to protect the network of the controller or
processor against breach and leakage. The Data Privacy Act of 2012 also
establishes the Principle of Accountability of the Controller in the
following provision:

SEC. 21. Principle of Accountability. – Each personal information controller is
responsible for personal information under its control or custody, including
information that have been transferred to a third party for processing, whether
domestically or internationally, subject to cross-border arrangement and
cooperation.39

37 General Data Protection Regulation (2018), Article 90.
38 Republic Act 10173 (2012), Section 20(a).
39 Republic Act 10173 (2012), Section 21.

The provision establishes accountability on the part of the controller
for the protection of data not only during storage but also in its transfers,
whether made domestically or internationally. Thus, the law impliedly
provides not only for the liability of the controller to set standards that
ensure the identification and mitigation of the risks of data breach and
leakage, but also for its responsibility and accountability in the possession
of such data, as well as in its transfers, which is in consonance with the
provisions of the General Data Protection Regulation.

3. Designation of the Data Protection Officers

The GDPR requires the appointment of a Data Protection Officer (DPO)
in the cases set out below. The Data Protection Officer is charged with the
responsibility of maintaining a high standard of security for data protection
and is the one indicated by the GDPR to advise the controller in developing
measures for data security, as well as on the necessity of performing data
protection impact assessments when required. The controller must appoint a
DPO if:

a. The controller is a public authority or body (except for courts acting
in their judicial capacity);
b. The controller’s core activities require large scale, regular and
systematic monitoring of individuals (for example, online behaviour
tracking); or
c. The controller’s core activities consist of large-scale processing of
special categories of data or data relating to criminal convictions and
offences.40

Philippine Law Counterpart

Unfortunately, the Data Privacy Act of 2012 does not require the
appointment of a data protection officer. In its provisions, however, the
Data Privacy Act provides for the confidentiality rule for employees, agents,
and representatives of a personal information controller, as follows:

Section 20(e). The employees, agents or representatives of a personal information
controller who are involved in the processing of personal information shall
operate and hold personal information under strict confidentiality if the personal
information are not intended for public disclosure. This obligation shall continue
even after leaving the public service, transfer to another position or upon
termination of employment or contractual relations.41

40 General Data Protection Regulation (2018), Article 37(1).

Thus, while the Philippine law lacks the requirement of a data
protection officer, it holds employees, agents, and representatives of the
controller to an obligation of confidentiality even after termination of
employment and contractual relations, a form of continuing duty to secure
the personal data of individuals which compensates for the lack of a data
protection officer as compared with the GDPR.

4. Codes of Conduct

Codes of conduct are voluntary accountability tools, enabling sectors
to identify and resolve key data protection challenges in their sector with
assurance from the ICO that the code, and its monitoring, is appropriate.42
Codes of conduct are necessarily approved by the ICO, which ensures that
the controllers or processors concerned voluntarily submitted such codes,
affirming voluntary accountability. Under the GDPR, trade associations and
other representative bodies may draw up codes of conduct that identify and
address data protection issues that are important to their members, such
as fair and transparent processing, pseudonymization or the exercise of
people’s rights. They are a good way of developing sector-specific
guidelines to help with compliance with the GDPR. There is a real benefit
to developing a code of conduct as it can help to build public trust and
confidence in your sector’s ability to comply with data protection laws.43

41 Republic Act 10173 (2012), Section 20(e).
42 Codes of conduct. Information Commissioner’s Office. Retrieved March 04, 2020 from https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/codes-of-conduct/.
43 Ibid.

B. Personal Data Breach

A personal data breach can be broadly defined as a security incident
that has affected the confidentiality, integrity or availability of personal
data. In short, there will be a personal data breach whenever any personal
data is lost, destroyed, corrupted or disclosed; if someone accesses the
data or passes it on without proper authorization; or if the data is made
unavailable, for example, when it has been encrypted by ransomware, or
accidentally lost or destroyed.44

The GDPR provides that in the case of a personal data breach, the
controller shall without undue delay and, where feasible, not later than 72
hours after having become aware of it, notify the personal data breach to
the supervisory authority, unless the personal data breach is unlikely to
result in a risk to the rights and freedoms of natural persons. Where the
notification to the supervisory authority is not made within 72 hours, it
shall be accompanied by reasons for the delay.45 Dissecting the provision,
the 72-hour requirement is limited to breaches that would result in a risk
to the rights and freedoms of natural persons. It also requires that
justifiable reasons be given for any delay in notification.

A personal data breach may, if not addressed in an appropriate and
timely manner, result in physical, material or non-material damage to
natural persons such as loss of control over their personal data or limitation
of their rights, discrimination, identity theft or fraud, financial loss,
unauthorized reversal of pseudonymization, damage to reputation, loss of
confidentiality of personal data protected by professional secrecy or any
other significant economic or social disadvantage to the natural person
concerned.46

Thus, to prevent damage, the breach must be reported as soon as
practicable, justifying the 72-hour requirement provided by the GDPR.

When the personal data breach is likely to result in a high risk to the
rights and freedoms of natural persons, the controller shall communicate
the personal data breach to the data subject without undue delay.47 The
GDPR thus provides not only for notification to the proper supervisory
authority, but also for notification to the data subject. This is justifiable
since the data is an extension of the personality of an individual, is
protected by the latter’s right to privacy, and was shared with the
controller or processor only through consent. Thus, since a breach is
considered an unauthorized access to data, it is deemed without consent and
is therefore prejudicial to the rights of the data owner. This justifies the
requirement of notification without undue delay.

44 Personal data breaches. Information Commissioner’s Office. Retrieved March 04, 2020 from https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/.
45 General Data Protection Regulation (2018), Article 33(1).
46 Personal data breaches. Information Commissioner’s Office.
47 General Data Protection Regulation (2018), Article 34(1).

Applicability in Philippine setting

The Data Privacy Act of 2012 is also equipped to handle personal data
breaches. The law, in its Section 20(f), provides:

The personal information controller shall promptly notify the Commission and
affected data subjects when sensitive personal information or other information
that may, under the circumstances, be used to enable identity fraud are
reasonably believed to have been acquired by an unauthorized person, and the
personal information controller or the Commission believes that such
unauthorized acquisition is likely to give rise to a real risk of serious harm to any
affected data subject. The notification shall at least describe the nature of the
breach, the sensitive personal information possibly involved, and the measures
taken by the entity to address the breach. Notification may be delayed only to the
extent necessary to determine the scope of the breach, to prevent further
disclosures, or to restore reasonable integrity to the information and
communications system.48

The provision provides for notification to both the Commission and
the data subject not only in cases of actual breach but also in cases of
reasonable belief of breach. Moreover, the provision also sets out the
matters that should be indicated in the notification, such as the nature of
the breach, the information involved and the steps taken. Furthermore, the
same section of the Data Privacy Act also provides that:

(2) The Commission may exempt a personal information controller from
notification where, in its reasonable judgment, such notification would not be in
the public interest or in the interests of the affected data subjects.

(3) The Commission may authorize postponement of notification where it may
hinder the progress of a criminal investigation related to a serious breach.49

This means that the Commission may exempt a controller from
notification not only in cases where, in its reasonable judgement, such
notification would not be in the public interest or the interests of the data
subjects, but also in cases where the notification requirement may hinder
a criminal investigation related to a serious breach. Finally, the Data
Privacy Act also imposes criminal penalties for unauthorized access to data,
malicious disclosure and improper disposal, and also criminalizes
concealment of a breach, in order to ensure compliance with the law and to
deter offenders and other malicious individuals from prying into the
sensitive information of others.

48 Republic Act 10173 (2012), Section 20(f).
49 Ibid.

IV. PROVISIONS FOR REDRESS

A. GDPR as Data Privacy Regulation with Teeth

The General Data Protection Regulation (GDPR), in superseding
the Data Protection Directive (DPD), aims primarily to give control to
individuals over their personal data and to simplify the regulatory
environment for international business by unifying the regulation within
the EU. In particular, the GDPR makes possible the following:50

1. Making it easy for consumers to manage and control their data for
direct marketing purposes, as well as to retrieve and sell them; and
2. Banning the collection of data on children under the age of 16
without parental approval.

As the GDPR is a regulation, not a directive, it is directly binding and
applicable, but does provide flexibility for certain aspects of the regulation
to be adjusted by individual member states.51 The following summarizes
and contrasts the nature of a European law as a regulation and as a
directive.52

Basis                    | As a Regulation                              | As a Directive
Applicability            | Immediately applicable in each Member State  | Requires individual application in each Member State
Manner of Implementation | Requires no local laws in its implementation | Implemented by the creation of national laws approved by the parliaments of each Member State

50 Bloomberg (25 May 2018). GDPR: Why Privacy Is Now Stronger in EU Than U.S. Retrieved March 11, 2020 from https://fortune.com/2018/05/25/what-is-gdpr-compliance/
51 Wikipedia. General Data Protection Regulation. Retrieved March 11, 2020 from https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
52 IT Governance Ltd. The GDPR and NIS Directive Risk-Based Security Measures and Incident Notification Requirements. Retrieved March 11, 2020 from https://www.slideshare.net/ITGovernanceLtd/the-gdpr-and-nis-directive-riskbased-security-measures-and-incident-notification-requirements

B. Remedies, Liabilities and Penalties

1. Overview of Procedure

1. Right to lodge a complaint with a supervisory authority (Art. 77);
2. Right to an effective judicial remedy against such authority (Art. 78); and
3. Right to an effective judicial remedy against a controller or processor
(Art. 79).

Right to lodge a complaint with a supervisory authority

Every data subject shall have the right to lodge a complaint with a
supervisory authority, in particular in the Member State of his or her
habitual residence, place of work or place of the alleged infringement, if the
data subject considers that the processing of personal data relating to him
or her infringes this Regulation. The supervisory authority with which the
complaint has been lodged shall inform the complainant on the progress
and the outcome of the complaint, including the possibility of a judicial
remedy.

Right to an effective judicial remedy against a supervisory authority

Without prejudice to any other administrative or judicial remedy, each
natural or legal person shall have the right to an effective judicial remedy
against a legally binding decision of a supervisory authority concerning
them, or where the latter does not handle a complaint or does not inform the
data subject within three months on the progress or outcome of the
complaint. Proceedings against a supervisory authority shall be brought
before the courts of the Member State where the supervisory authority is
established. Where proceedings are brought against a decision of a
supervisory authority, it shall forward that opinion or decision to the court.

Right to an effective judicial remedy against a controller or processor

Each data subject shall have the right to an effective judicial remedy
against a controller or a processor where he or she considers that his or
her rights under this Regulation have been infringed. Proceedings against
them shall be brought before the courts of the Member State where the
controller or processor has an establishment.

Lead supervisory authorities

The GDPR also creates a “lead supervisory authority” for every
organization established in the EU, in the Member State where the
organization has its main establishment. It has the option of ruling, or of
delegating to the non-lead authority where the complaint was filed. This
gives companies a “one-stop shop” for data protection issues, while giving
citizens the option to file their complaints in their home country. The
figure in the succeeding page summarizes the procedures for initiating and
resolving a complaint arising from the infringement of this Regulation.

Figure 1: An overview of the GDPR complaint process53

53 McGregor and Zylberberg (7 March 2018). Understanding the General Data Protection Regulation: A primer for global publishers. Retrieved 10 March 2019 from https://www.cjr.org/tow_center_reports/understanding-general-data-protection-regulation.php

2. Penalties

In the imposition of the penalties meted out by the GDPR, Member States
are empowered to:
1. Lay down their own rules on the infringements of this Regulation, in
particular for infringements which are not subject to administrative
fines pursuant to Article 83;
2. Notify the Commission of the provisions of their law which they adopt
by 25 May 2018 and, without delay, any subsequent amendment thereto;
3. Take all measures necessary to ensure that they are implemented; and
4. Ensure that such penalties are effective, proportionate and
dissuasive.54

Conditions for imposition of administrative fines and its classifications

The GDPR also creates two categories of administrative fines, the
imposition of which depends on the following factors:55
1. The nature, gravity and duration of the infringement;
2. Its intentional or negligent character;
3. Any action taken by the controller or processor to mitigate the
damage suffered;
4. The degree of cooperation with the supervisory authority; and
5. Whether notification was done properly.

The first tier can be subject to fines up to €10 million (Php. 570
million), or, in the case of an undertaking, 2% of annual global turnover –
whichever is greater. This category includes infringements of the following
provisions by the controller and the processor:
1. Child’s consent
2. Data protection by design and by default
3. The responsibilities of the Data Protection Officer
4. The obligations of organizations related to certification schemes

The second tier can be subject to fines up to €20 million (Php. 1
billion), or, in the case of an undertaking, 4% of annual global turnover –
whichever is greater. This category includes infringements of the following
provisions by the controller and the processor:
1. The basic principles for lawful processing of personal data;
2. The rights of the data subject, as defined in the Regulation;
3. The obligations in the case of an international transfer of personal
data;
4. Non-compliance with an order by a Data Protection Authority (DPA) to
suspend processing of personal data or data flows, as well as failure to
provide access to all information required by the DPA, including access
to the premises and equipment.56

54 Article 84, General Data Protection Regulation
55 Article 83, General Data Protection Regulation

While the GDPR imposes data protection and breach fines, they are
discretionary rather than mandatory. It also authorizes supervisory
authorities such as the UK’s ICO (Information Commissioner’s Office) to
take a range of other actions, including:
1. Issuing warnings and reprimands;
2. Imposing a temporary or permanent ban on data processing;
3. Ordering the rectification, restriction or erasure of data; and
4. Suspending data transfers to third countries.57

Compensation and liability

The GDPR gives any person who has suffered material or non-
material damage as a result of an infringement of this Regulation the right
to receive compensation from the controller or processor for the damage
suffered, under the following conditions:
1. Any controller involved in processing shall be liable for the damage
caused by processing which infringes this Regulation;
2. A processor shall be liable for the damage caused by processing only
where it has not complied with obligations of this Regulation
specifically directed to processors or where it has acted outside or
contrary to lawful instructions of the controller.58

56 McGregor and Zylberberg (7 March 2018). Understanding the General Data Protection Regulation: A primer for global publishers. Retrieved 10 March 2019 from https://www.cjr.org/tow_center_reports/understanding-general-data-protection-regulation.php
57 IT Governance UK. GDPR Penalties and Fines. Retrieved 10 March 2019 from https://www.itgovernance.co.uk/dpa-and-gdpr-penalties
58 Article 82, General Data Protection Regulation

3. Applications of GDPR

The GDPR is a fairly new regulation that is being given effect not only in
the European Union, but also around the globe. The GDPR is deemed one
of the strongest, if not the strongest, data privacy laws in effect around the
world. The GDPR has been applied since it took effect, and companies,
especially in the EU, are making the necessary adjustments to meet GDPR
compliance. It is deemed to have ‘teeth’ because of its enforcement
measures. The best evidence of these ‘teeth’ is actual cases.

British Airways Data Breach. Considered one of the record fines
imposed under the GDPR, British Airways was fined £183.39 million
or $230 million (roughly P11.5 billion) because of a data breach that had
compromised the data of around 500,000 customers.59 The GDPR’s
maximum penalty is 4% of turnover, but the amount fined against BA was
only 1.5% of its 2017 worldwide turnover, far from the maximum 4%. The
British Airways case holds the record fine. Compare this with the Facebook
case involving the Cambridge Analytica scandal: that case proceeded under
the Data Protection Act of 1998, which had a maximum fine of only
£500,000, and that amount was imposed on Facebook.60

59 Sawers, P. (8 July 2019). British Airways faces record $230 million GDPR fine over data breach. Venture Beat. Accessed March 10, 2020, retrieved from https://venturebeat.com/2019/07/08/british-airways-faces-record-230-million-gdpr-fine-over-data-breach/
60 BBC News (8 July 2019). British Airways faces record £183m fine for data breach. Accessed March 10, 2020, retrieved from https://www.bbc.com/news/business-48905907
61 BBC News (7 September 2018). British Airways breach: How did hackers get in? Accessed March 10, 2020, retrieved from https://www.bbc.com/news/technology-45446529

What happened, in essence, was that British Airways was hacked.
Hackers were able to infiltrate the data held by British Airways, and names,
email addresses, credit card details and even the expiry dates were stolen.
It was said that what happened was a ‘supply chain attack’ where details
were stolen at the point of entry. Put simply, as one entered details using
the BA website or app, those details were also being extracted and sent to
someone other than BA.61 The penalty was given by the UK Information
Commissioner’s Office, citing as one of the reasons for the data breach the
“poor security arrangements” which allowed a false website to receive
details being entered on the BA website. The British Airways case is an
illustration of how data privacy laws are being imposed on large-scale
corporations which have a large market. The GDPR was also applied in a
school setting, as shown in the following case:

Biometrics and Lunch Payments. On February 18, 2020, the GDPR
was used as the basis to impose a fine against a primary school in Poland
for processing students’ fingerprints to verify the students’ lunch
payments. This was decided by Poland’s Personal Data Protection Office
(UODO) through its President Jan Nowak. The decision62 stated that a
school in Gdansk, in northern Poland, had processed the fingerprints of
hundreds of children without any legal basis, despite having other
alternative options for managing school meals. It was shown that those
students who had biometrics were allowed to get their lunch first, and
those who did not have biometric identification had to stand at the end of
the line to get their school lunches.

Interestingly, the decision noted that while parental consent was
obtained for this biometric ID program, the UODO found that there were
still other alternative methods of identification that would not interfere
with the privacy of the child. The school could have used other services
such as electronic cards or contact numbers. The school was fined €4,600 or
$5,200 (roughly PhP260,000). The decision, among numerous GDPR
provisions, cited Recital 38, which refers to the specific provisions made
for the data protection of children.63, 64

These cases65 show that the GDPR is indeed a strong piece of regulation.
It covers both small and large settings, and covers a wide range of fines,
from thousands of euros to millions.

62 Poland UODO Decision ZSZZS.440.769.2018. 18 February 2020. Access original text (in Polish) at https://uodo.gov.pl/decyzje/ZSZZS.440.768.2018
63 Sawers, P. (6 March 2020). Polish school hit with GDPR fine for using fingerprints to verify students’ lunch payments. Venture Beat. Accessed March 10, 2020, retrieved from https://venturebeat.com/2020/03/06/polish-school-hit-with-gdpr-fine-for-using-fingerprints-to-verify-students-lunch-payments/
64 European Data Protection Board (5 March 2020). Fine for processing student’s fingerprints imposed on a school. Accessed March 10, 2020, retrieved from https://edpb.europa.eu/news/national-news/2020/fine-processing-students-fingerprints-imposed-school_en
65 Another GDPR case involved a Swedish case, its first GDPR fine (€20,000), against a school for conducting a pilot using facial recognition to keep track of students’ attendance. Accessed through the European Data Protection Board website. Accessed March 10, 2020, retrieved from https://edpb.europa.eu/news/national-news/2019/facial-recognition-school-renders-swedens-first-gdpr-fine_en

V. CONCLUSION
The GDPR, as extensively discussed, is an evolutionary response to
the pervasive effect of technology on the lives of global citizens. The GDPR
was by no means overnight legislation; in fact, it took years of unfortunate
experiences to craft such strong legislation. The GDPR is an
example of how legislation should always be evolving and ever adaptive. This
raises the question: why do we value data privacy so much?

Privacy, including data privacy, is like freedom. Flaherty,66 a professor
of law at the University of Western Ontario, stated that “Privacy is like freedom:
we do not recognize its importance until it is taken away. In that sense, it
is a personal right that we assume we have yet taken for granted – until
something or someone infringes on it.” Flaherty pointed out that
the emergence of surveillance societies poses a fundamental challenge to
the privacy interests of individuals.

Considering the speed at which technology becomes more complex
and more invasive, the GDPR was made to address the possibility that personal,
confidential and vital information, such as that involving national security,
could be subjected to unwanted breaches. Although the GDPR is
legislation of the European Union, its impact is universal and significant. As
succinctly put by Li, Yu & He,67 “Although many Chinese and American
companies are not necessarily required to follow GDPR strictly, considering
that privacy protection is an inevitable requirement for future development
and an important way to maintain competitiveness, we believe that all
organizations should take GDPR as a benchmark to gradually improve
privacy protection awareness and capabilities.”

As the cited authors suggest, the GDPR is legislation that
should be emulated. While it is true that the Philippines has the Data Privacy
Act, there are certain GDPR provisions that could be adopted in order to fortify
protection against data breaches – in a way, putting teeth into such laws.

66 David H. Flaherty, On the Utility of Constitutional Rights to Privacy and Data Protection, 41 Case W. Res. L. Rev. 831 (1991). Available at: https://scholarlycommons.law.case.edu/caselrev/vol41/iss3/14
67 He Li, Lu Yu & Wu He (2019). The Impact of GDPR on Global Technology Development, Journal of Global Information Technology Management, 22:1, 1-6, DOI: 10.1080/1097198X.2019.1569186
