
What is the Data Privacy Act?

Republic Act No. 10173, otherwise known as the Data Privacy Act is a law that seeks to protect all forms of information, be it private, personal, or
sensitive. It is meant to cover both natural and juridical persons involved in the processing of personal information.

What is the scope of the Data Privacy Act?

As mentioned earlier, the Data Privacy Act applies to any natural or juridical persons involved in the processing of personal information. It also
covers those who, although not found or established in the Philippines, use equipment located in the Philippines, or those who maintain an office,
branch, or agency in the Philippines.

What is processing of personal information?

Under Sec. 3(j) of the Data Privacy Act, “[p]rocessing refers to any operation or any set of operations performed upon personal information
including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation,
blocking, erasure or destruction of data.”

In other words, processing of personal information is any operation where personal information is involved. Whenever your information is, among
other things, collected, modified, or used for some purpose, processing already takes place.

What is personal information?

Under Sec. 3(g) of the Data Privacy Act, “[p]ersonal information refers to any information whether recorded in a material form or not, from which
the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together
with other information would directly and certainly identify an individual.”

In other words, personal information is any information which can be linked to your identity, thus making you readily identifiable.

What is privileged information?


Under Sec. 3(k) of the Data Privacy Act, “[p]rivileged information refers to any and all forms of data which under the Rules of Court and other
pertinent laws constitute privileged communication.” One such example would be any information given by a client to his lawyer. Such
information would fall under attorney-client privilege and would, therefore, be considered privileged information.

Does the difference between personal information and sensitive personal information matter?

Yes. The law treats both kinds of personal information differently. Personal information may be processed, provided that the requirements of the
Data Privacy Act are complied with. On the other hand, the processing of sensitive personal information is, in general, prohibited. The Data
Privacy Act provides the specific cases where processing of sensitive personal information is allowed.

Is there a difference between personal information and sensitive personal information?

Yes. While personal information refers to information that makes you readily identifiable, sensitive personal information, as defined in Sec. 3(l) of
the Data Privacy Act, refers to personal information:

(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have
been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health
records, licenses or its denials, suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to be kept classified.

Therefore, any information that can be categorized under any of the enumerated items is considered sensitive personal information.

Are there any exceptions to the application of the Data Privacy Act?

The Data Privacy Act explicitly states that its provisions are not applicable in the following cases:
(a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of
the individual, including:
(1) The fact that the individual is or was an officer or employee of the government institution;
(2) The title, business address and office telephone number of the individual;
(3) The classification, salary range and responsibilities of the position held by the individual; and
(4) The name of the individual on a document prepared by the individual in the course of employment with the government;
(b) Information about an individual who is or was performing service under contract for a government institution that relates to the services
performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;
(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an
individual, including the name of the individual and the exact nature of the benefit;
(d) Personal information processed for journalistic, artistic, literary or research purposes;
(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the
performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and
statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as
the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510,
otherwise known as the Credit Information System Act (CISA);
(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or
Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money
Laundering Act and other applicable laws; and
(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions,
including any applicable data privacy laws, which is being processed in the Philippines.

Are companies required to appoint someone who should be responsible for ensuring compliance with the Data Privacy Act?

Yes. Under the Implementing Rules and Regulations of the Data Privacy Act, all organizations are required to appoint a Data Protection Officer
(“DPO”). The Data Protection Officer shall be accountable for ensuring compliance with the appropriate data protection laws and regulations.

Can there be more than one person who shall perform the functions of a Data Protection Officer in an organization?

Yes. The Implementing Rules and Regulations of the Data Privacy Act speaks of an individual or individuals who shall perform the functions of a
Data Protection Officer or a Compliance Officer.

How is privileged information treated by the Data Privacy Act?

Much like sensitive personal information, the processing of privileged information is prohibited by the law.

What are the cases where the processing of sensitive personal information and privileged information is allowed?

Section 22 of the Data Privacy Act enumerates the cases where sensitive personal information and privileged information may be processed.
These are the following:
(a) The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties
to the exchange have given their consent prior to processing;
(b) The processing of the same is provided for by existing laws and regulations: Provided, That such regulatory enactments guarantee the
protection of the sensitive personal information and the privileged information: Provided, further, That the consent of the data subjects are not
required by law or regulation permitting the processing of the sensitive personal information or the privileged information;
(c) The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically
able to express his or her consent prior to the processing;
(d) The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: Provided, That
such processing is only confined and related to the bona fide members of these organizations or their associations: Provided, further, That the
sensitive personal information are not transferred to third parties: Provided, finally, That consent of the data subject was obtained prior to
processing;
(e) The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and
an adequate level of protection of personal information is ensured; or
(f) The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in
court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.
2ND LINK

NPC PHE Bulletin No. 15: Guidelines for Establishments on the Proper Handling of Customer and Visitor Information for Contact Tracing

Pursuant to DTI Memorandum Circular 20-28, s. 2020 (Guidelines to Follow on Minimum Health Protocols for Barbershops and Salons) and
DTI Memorandum Circular 20-37, s. 2020 (Guidelines to Follow on Minimum Health Protocols for Dine-in Restaurants and Fastfood
Establishments), establishments are required to implement contact tracing measures as one of the mandatory minimum requirements for
operation. The National Privacy Commission (NPC) issues this Bulletin to guide establishments on the proper handling and protection of
personal data collected from their customers and visitors.

Collect only what is necessary


Establishments should ensure that the processing of personal data is proportional to the purpose of contact tracing. Collect only such
information as required under existing government issuances. Establishments may adopt sample health checklist forms issued by
government agencies but should not collect beyond what is required and necessary.

Be transparent
Establishments should inform their customers and visitors of the collection of their personal data and the reasons for such collection. This
can be done by posting a privacy notice which is readily visible within the establishment’s premises, such as points of entry, and other
conspicuous areas. If the establishment opts to use electronic means, the notice must be posted in the platform prior to collection.

For further information on the processing activity, establishments may direct their customers and visitors to their official websites or social
media pages, as well as official websites of pertinent government agencies to provide them with information on the possible uses of their
personal data for contact-tracing purposes.
Establishments must ensure that the privacy notice is easy to access, understandable, and uses clear and plain language.

Use information only for the declared purpose


All establishments should use the personal data collected through health checklists or other similar forms only for the purpose of contact-tracing
measures. Repurposing the data for anything other than contact tracing, or storing it for speculative future use, is not allowed.

Establishments are responsible for reminding their employees and third-party service providers, such as security personnel, that using the
collected personal data of customers or visitors for any other purpose is punishable under the Data Privacy Act of 2012 (DPA).

Implement security measures


All establishments that collect personal information, whether through physical or electronic means, have the obligation to implement
reasonable and appropriate safeguards (organizational, physical, and/or technical security measures) to protect the personal data of their
customers and visitors against any accidental or unlawful processing, alteration, disclosure, and destruction.

Keep the data only for a limited period


All personal data collected for the purpose of contact tracing shall be retained only for a period allowed by existing government issuances.
After which, all personal data should be disposed of in a secure manner that would prevent further processing and/or unauthorized access
or disclosure.

For further information, we may be reached at info@privacy.gov.ph.


3RD LINK

DATA PRIVACY ACT is not a hindrance in contact tracing


• Hospitals have the duty to disclose the necessary COVID patient details to LGU contact tracers following the DOH guidelines.
• COVID patients should be truthful in providing accurate personal details.
• In this pandemic, public health and data privacy are on the same side.

The National Privacy Commission (NPC) reiterates that the Data Privacy Act (DPA) is not a hindrance to contact tracing initiatives, saying that
it seeks to protect individuals from discrimination, harassment, and acts of social vigilantism amid the COVID-19 pandemic.

“We want to clarify that the DPA does not prevent hospitals from sharing a COVID-19 patient’s data to proper authorities. The law
recognizes the guidelines set by DOH on contact tracing procedures that hospitals, LGUs, and contact tracers must follow. In this pandemic,
public health and data privacy are on the same side,” Privacy Commissioner Raymund E. Liboro said.

“The DPA should not be used as an excuse for not providing COVID patient data necessary for LGU contact tracing that we need to combat
the pandemic,” Liboro said. He noted that hospitals were mandated to collect information from patients and provide it to the authorities under the
guidelines set by the Department of Health (DOH). “Likewise, we call on the individuals affected by COVID to be truthful when providing
accurate health information,” he added.

Department Memorandum 2020 – 0189 of the DOH, or the Updated Guidelines on Contact Tracing of Close Contacts of Confirmed
Coronavirus Disease Cases, says that “health facilities, public and private, shall cooperate fully with the DOH – Epidemiology Bureau and its
regional and local counterparts by ensuring that Local Contact Tracing Teams (LCTTs) are provided access to medical records, facilitating
case interviews, and conducting other case investigation and contact tracing activities.” When providing training to LCTTs, local government
units must include the secure handling of the personal data that was collected.

Liboro emphasized that public and private health institutions, companies, and individuals involved in the COVID response must “collect and
process what is necessary and disclose data only to the proper authorities.”
“The NPC has provided public health emergency bulletins, advisory opinions as guidance for personal information controllers, especially
healthcare providers. Our Commission has been coordinating closely with the Department of Health to ensure that the DPA will not be an
obstruction in the proper conduct of contact tracing,” the NPC chief said.

In Advisory Opinion 2020 – 022, a response to the request of the Private Hospitals Association of the Philippines, Inc. for clarification of
contact tracing protocols, the Commission cited as bases DOH’s Updated Guidelines on Contact Tracing, which limits the disclosure of
COVID-19 personal data, and the DOH-NPC Joint Memorandum Circular (JMC) on the Privacy Guidelines on the Processing and Disclosure of
COVID-19 Related Data for Disease Surveillance and Response.

The guidelines provide that disclosure of patient identifiers or data is allowed but limited only to authorized entities, officers, and personnel.

Any disclosure must serve “a public purpose or function” that would allow relevant authorities to reach those who may have come into
close contact with a COVID-19 positive individual so they may be promptly alerted and provided preventive counseling or care.

The guidelines prohibit disclosure of names and other personal identifiers that can single out a patient to the public, the media, or any other
public-facing platforms without the patient’s written consent or his/her authorized representative or next of kin.

Risks of publicly naming infected individuals


The DOH and NPC advise against publicly naming data subjects suspected of having contracted COVID-19 or confirmed positive for the
disease connected with contact tracing efforts.

“Publicly naming an infected individual is equivalent to putting a person’s life at risk, given the physical assaults and discrimination which
suspected or confirmed individuals had experienced. Fearing possible harassment and stigma, people may hide their true conditions,
leading to lost opportunities in tracking the disease and contact tracing. The policy is counterproductive, will not result in better contact
tracing, and will put more lives of front liners at risk,” Liboro said.

The latest NPC advisory opinion on contact tracing reiterated that those collecting and processing data must be fully aware of the principles laid
out by the DPA, and that personal data, whether obtained manually or digitally, must be securely disposed of from records once the
purpose of its collection has been achieved.

Liboro also reasserted the points in NPC Bulletin No. 3 issued in March.
“Again, the DPA is not a hindrance to contact tracing efforts and the guidance it provides is necessary, especially in these unfamiliar times,
to preserve the basic right of people to data privacy and protection, and build trust,” he said.
4TH LINK

Managing Mobile App Permissions


Whenever Valentine’s Day comes around, there is a surge in usage of dating apps.[1] In 2017, a dating app recorded a 20%[2] usage increase at this time of year and
it is expected to rise again in 2020.[3]

To create an account, most apps require a user to fill out an online form or to connect through an existing social media account (e.g. Facebook or Twitter) to
verify one’s identity. This way, dating apps gain access to and control of the user’s personal data.

In recent years, vulnerabilities that would put users’ personal data at risk have been uncovered. Though subscribing to a dating app may seem harmless, it is
important to remember that it may adversely affect the users’ reputation and privacy.

According to the Open Web Application Security Project (OWASP),[4] mobile applications are more susceptible to attacks than regular web applications. By
downloading these applications, users unknowingly expose themselves to privacy risks.

In most cases, users are forced to accept permissions through an all-or-nothing approach (i.e. they cannot authorize just a subset of the requested permissions
or cancel the installation of the selected application). Likewise, mobile app permissions are not well-defined to users (e.g. the permission SEND SMS allows an
app to send SMS messages both to normal and premium numbers – not giving any options to users), making authorization decisions more difficult.

It should be noted that the inclusion of application permissions in privacy notices does not equate to transparency. In some cases, an application’s declared
permissions are not consistent with those required.

[1] https://www.gmanetwork.com/news/video/ijuander/421595/ijuander-may-forever-sa-tinder/video/
[2] https://www.abc.net.au/news/2018-02-13/valentines-day-heats-up-online-dating-activity/9424450
[3] https://technology.inquirer.net/46586/loveless-filipinos-turn-to-dating-apps-for-action
[4] https://owasp.org/www-project-vulnerable-web-application/

Security Measures/Risk Mitigation:

Mobile applications bring convenience to users, improve how organizations provide services to customers and maximize smartphone technology. But these
benefits must not come at the expense of users’ data privacy rights.
The following are things to consider when using apps:

• Read privacy notices: A privacy notice will give you insights into how your data will be processed, the nature and extent of processing, your rights as
a data subject and how you may exercise these rights.
• Be mindful of the data you provide: Blank fields are enticing to fill in, but not all fields are meant to be filled out. Provide only the data that is
necessary to the application’s function.
• Always check your privacy settings: Immediately after installation, take advantage of the application’s privacy settings. This allows you to control who
sees any information about you. Tweak the settings to improve your privacy and security.
• Check the permissions: The majority of these applications request excessive permissions, that is, permissions that are not necessary for the applications to
perform their functions. Excessive permissions may result in potential risks. You must disable all unnecessary and suspicious permissions before using
an application.
• Be careful of the people you meet: These days, it is easy to meet people online. You must be vigilant when using these applications and avoid sharing
too much personal information.

There is a lack of transparency in explaining the purpose of processing and the final disposal of personal data collected by mobile apps. Privacy notices are not easy
to read. Some are legal in nature and too long. Others refer to the blanket privacy notice of the entire organization, making it difficult for data subjects to read
through it. In addition, certain mobile applications seek permissions that are not relevant to their functions.

Moreover, a majority of the applications do not provide a privacy notice before users sign up or create an account. Also, there are no standards for mobile
application development which result in a developer’s tendency to seek excessive permissions.

In summary, the convenience that comes with using a mobile application may be the most unrecognized threat to privacy. Users often enjoy the convenience at
the expense of their data privacy. People easily grant permissions to an Android app without carefully reading the terms and conditions.


5TH LINK

UPDATED: PRESS STATEMENT OF PRIVACY COMMISSIONER RAYMUND ENRIQUEZ LIBORO ON FACEBOOK’S LATEST BREACH

1. At around 12:49 AM of September 28, we received informal notice from Facebook representatives that they had found a vulnerability in
their app that was exploited by malicious attackers.

2. Facebook claims that the vulnerability affected around fifty million users, exposing personal data stored in their Facebook profiles.

3. The vulnerability was attributed to a combination of several programming errors in updates made in July 2017. As a result, malicious
intruders were able to generate access tokens.

4. These access tokens allowed the intruders to log into affected FB profiles as if they were the actual profile holders. This means they had
the ability to access data reserved for account holders even without having to enter the user’s password.

5. As a remediation measure, FB terminated the sessions of persons it identified as having been affected and had them enter their login
credentials again. This morning, the company has notified affected users of the incident. We have informed Facebook, however, that the
notification it sent to individuals leaves much to be desired.

6. According to the company’s representatives, the investigation is still in its early stages. They have not determined yet how many Filipinos
are affected and whether misuse of personal information had resulted from this breach.

7. The NPC has prescribed breach management procedures in place and we expect Facebook to abide by these rules.

8. The NPC shall notify the public about developments and its actions on this matter. To protect themselves, all Facebook users must enable
multi-factor authentication on all platforms, employ strong passwords, and practice good digital hygiene. For more information on how to
love yourself online, see https://www.privacy.gov.ph/30-ways/

Privacy Commissioner Raymund Enriquez Liboro


KNOW YOUR RIGHTS

The right to be informed

Under R.A. 10173, your personal data is treated almost literally in the same way as your own personal property. Thus, it should never be
collected, processed and stored by any organization without your explicit consent, unless otherwise provided by law. Information
controllers usually solicit your consent through a consent form. Aside from protecting you against unfair means of personal data collection,
this right also requires personal information controllers (PICs) to notify you if your data have been compromised, in a timely manner.

As a data subject, you have the right to be informed that your personal data will be, are being, or were, collected and processed.

The Right to be Informed is a most basic right as it empowers you as a data subject to consider other actions to protect your data privacy
and assert your other privacy rights.

Example:
A medical doctor in a private hospital in Manila recorded a conversation with his lady patient without the patient’s knowledge and prior
consent. Upon realizing what was happening, the patient immediately confronted the doctor and expressed her strong dismay, pointing out
the physician’s lack of professionalism in recognizing her personal right to privacy. She said she could have given her consent anyway if only
she had been asked politely. The doctor apologized and explained that his action was just meant to aid his recall, especially when he later
examined the case, saying he just wanted to provide the best possible service, which the patient deserves. The patient, however, demanded
that the doctor delete the recorded conversation and canceled the medical consultation. She said that if the doctor does not even know the
basic courtesy of asking for consent, then how can he expect to win the patients’ confidence in his competence as a medical practitioner?

Take note of this:
To protect your privacy, the Philippine data privacy law explicitly requires organizations to notify and furnish you the following information
before they enter your personal data into any processing system (or at the next practical opportunity at least):

• Description of the personal data to be entered into the system
• Exact purposes for which they will be processed (such as for direct marketing, statistical, scientific etc.)
• Basis for processing, especially when it is not based on your consent
• Scope and method of the personal data processing
• Recipients, to whom your data may be disclosed
• Methods used for automated access by the recipient, and its expected consequences for you as a data subject
• Identity and contact details of the personal information controller
• The duration for which your data will be kept
• You also have to be informed of the existence of your rights as a data subject.

Additional notes:
In recording a conversation or interview with someone, it is enough to verbally ask for a direct consent from an individual data subject. If
the subject yields, it would be useful to also mention as part of the recorded conversation that the subject knows the conversation is being
recorded and that you asked and were given the consent. It would even be better if you could get the subject to verbally confirm his
consent.

Banks involved in phone banking tell their callers that the conversation with their call center agent would be recorded, and that proceeding
with the call is indication of their consent. This practice is considered sufficient notice.

Websites resort to publishing a Privacy Notice page, which essentially accomplishes the same thing. Similar privacy notices should be made
in public establishments equipped with security CCTVs.

Whenever anyone is making an audio or video recording of you, or even just taking your pictures, you have a right to know, and you must
always be given the chance to opt out when you don’t feel comfortable.

A salesman may be collecting detailed personal data about you and your family without your permission, under the pretext of targeting you
as a prospective customer to tailor-fit their offerings to your individual needs. This, by itself, may be potentially beneficial to you. But since
your personal privacy and safety becomes potentially at risk, you have a right to be informed if you are being individually targeted in a sales
campaign like this.


The right to access

This is your right to find out whether an organization holds any personal data about you and if so, gain “reasonable access” to them.
Through this right, you may also ask them to provide you with a written description of the kind of information they have about you as well
as their purpose/s for holding them.
Under the Data Privacy Act of 2012, you have a right to obtain from an organization a copy of any information relating to you that they have
on their computer database and/or manual filing system. It should be provided in an easy-to-access format, accompanied with a full
explanation executed in plain language.

You may demand to access the following:

• The contents of your personal data that were processed.
• The sources from which they were obtained.
• Names and addresses of the recipients of your data.
• Manner by which they were processed.
• Reasons for disclosure to recipients, if there were any.
• Information on automated systems where your data is or may be available, and how it may affect you.
• Date when your data was last accessed and modified.
• The identity and address of the personal information controller.

Example:
An individual had been involved in an incident inside and outside a Manila restaurant where his wallet was stolen. He also suffered minor
injuries in the incident. He requested access to the restaurant CCTV footage relating to himself, saying he wants to see all details
surrounding the incident and possibly figure out a way to recover his wallet. He tried to personally speak to the manager but was referred
to the security guard. After a few days of following up on his request, he was finally informed that the establishment would not provide him
any data. This infuriated him and, upon going back to the restaurant, he demanded his right to view the footage or else he would create a
scene. He was told that, as per their security policy, no “outsider” is allowed to enter areas in their establishment designated only as “for
employees only”. As a compromise, the manager said they will give him a record of the footage using the customer’s handheld gadget.

How to exercise your right to access your personal data


You must execute a written request to the organization, addressed to its Data Protection Officer (DPO). In the letter, mention that your
request is being made in exercise of your right to access under the Data Privacy Act of 2012. The DPO is required to respond to your written
request. Be prepared to provide evidence of your identity, which the DPO should require of you to make sure that personal information is
not given to the wrong person.
If your request was not granted, or if you feel your request was not sufficiently addressed, you may file a formal complaint with the NPC.
Before doing so, however, we recommend that you inform the organization and its DPO of your intention to formally complain to the NPC.
They might welcome the opportunity to apologize, better explain their position, or reconsider your request.

Additional notes:
Some exceptions may disallow the exercise of an individual’s right to access. This is to balance the right to privacy of an individual versus the
needs of civil society. Here are some examples:

• A criminal suspect is not allowed access to the personal data held about him by law enforcement agencies as it may impede investigation.
• You are not allowed access to information about you as contained in communications between a lawyer and his or her client, if such
communication is subject to legal privilege in court.
• Your right to access your own medical and psychological data may be denied in the rare instance where it is deemed that your health and
well-being might be negatively affected.

The right to object

You can exercise your right to object if the personal data processing involved is based on consent or on legitimate interest. When you object
or withhold your consent, the PIC should no longer process the personal data, unless the processing is pursuant to a subpoena, is needed for obvious
purposes (contract, employer-employee relationship, etc.), or is the result of a legal obligation.

In case there is any change or amendment to the information previously given to you, you should be notified and given an opportunity to
withhold consent.
Example
The right to object is most specifically applicable when organizations or personal information controllers are processing your data without
your consent for the following purposes:

• Direct marketing purposes. When business organizations give you sales materials about products and services, they must explicitly inform or
remind you of your right to object. If you feel uncomfortable being the target of a direct marketing campaign, you must be able to easily invoke
your right to object. If you previously acceded but wish to opt out, you must be given an easy way to do so. When you assert your right to object to
being included in a direct marketing campaign, businesses have no recourse but to accede, as there are no exemptions or grounds for refusal in
this case.
• Profiling purposes. Businesses customarily resort to profiling, or the creation of profiles of individual customers and clients without their
consent. This is done either for marketing or for customer care purposes. The cross-referencing of customer information to product marketing
brings practical advantages to both the buyer and the seller in any potential business transaction. Under RA 10173, however, profiling of this kind
requires your consent as a customer; otherwise you are justified in invoking your right to object. The right of state agents to do profiling for law
enforcement purposes, however, may override your right to object.
• Automated processing purposes. In technology-driven industries, such as banking and finance, many decisions affecting individuals are arrived
at electronically via automatic data processing systems based on personal information stored in computerized data files. This reduces the
business transaction process to a few seconds and facilitates a speedy exchange of economic value. Potentially, however, it may also
inadvertently arrive at decisions prejudicial to your interests and weaken your position as a transacting party. As such,
organizations are required to notify you whether your personal data will undergo automatic processing, and to inform you that you have a right to
object.

How to exercise your right to object


Whenever you have the chance, you may assert your right to object verbally, be it in person or via a phone call. To have it formally
documented, however, you must execute a written request to the organization, addressed to its Data Protection Officer (DPO), and have it
received. In the letter, mention that your request is being made in exercise of your right to object under the Data Privacy Act of 2012. The
DPO must act on your written request. In case you feel your request has not been addressed satisfactorily, you may file a formal complaint
before the NPC, attaching your request letter to the DPO.

The right to erasure or blocking

Under the law, you have the right to suspend, withdraw or order the blocking, removal or destruction of your personal data. You can
exercise this right upon discovery and substantial proof of the following:

1. Your personal data is incomplete, outdated, false, or unlawfully obtained.
2. It is being used for purposes you did not authorize.
3. The data is no longer necessary for the purposes for which it was collected.
4. You decided to withdraw consent, or you object to its processing and there is no overriding legal ground for its processing.
5. The data concerns information prejudicial to the data subject — unless justified by freedom of speech, of expression, or of the press, or
otherwise authorized by a court of law.
6. The processing is unlawful.
7. The personal information controller, or the personal information processor, violated your rights as data subject.
Example
In several cases, the need to balance this right with the freedom of expression and public interest has been highlighted as follows:

• Melvin v. Reid (as published in http://scholarship.law.berkeley.edu/cgi/viewcontent.cgi?article=1429&context=bjil)

“In Melvin v. Reid, decided in 1931, for example, a homemaker, who had once worked as a prostitute and who had been wrongly
accused of murder, became the subject of a feature film (“The Red Kimono”) seven years after her acquittal, based on the facts of
her trial. Although not specifically referencing a right to be forgotten, the court, permitting suit against the film-maker, noted: “One
of the major objectives of society as it is now constituted, and of the administration of our penal system, is the rehabilitation of the
fallen and the reformation of the criminal.” The court held that the unnecessary use of the plaintiff’s real name inhibited her right to
obtain rehabilitation.”

• Sidis v. F-R Publishing Corp. (http://communication.oxfordre.com/view/10.1093/acrefore/9780190228613.001.0001/acrefore-9780190228613-e-189?rskey=Mr5AR5&result=1)

“Newsworthiness, or public interest, generally trumps privacy in the United States. This fact was recognized as early as 1890, by
Samuel Warren and Louis Brandeis in their famous Harvard Law Review article, “The Right to Privacy.” The principle was further
reinforced in 1940, when the U.S. Court of Appeals for the Second Circuit held that former child prodigy William James Sidis, who
had made great efforts to become a private citizen again after having received extensive news coverage as a young boy, could not
prevail in a privacy action against a magazine that featured him in a “Where Are They Now?” section. The court held that the public
retained a legitimate interest in knowing whether Sidis had lived up to the intellectual promise of his youth.”

• Karnataka High Court Judgement (http://lexinsider.com/a-high-court-gives-life-to-the-right-to-be-forgotten-right/)

“…the High Court of Karnataka after passing of the order on a criminal matter which was relating to a complaint given by the
Petitioner’s daughter and filing a case in the High Court that her marriage never happened with defendant. The petition was to annul
the marriage certificate and later the case was quashed on compromise between the parties. In the same case Petitioner’s daughter
name was requested to be removed from the digital records of the High Court and also from search engines including Google as it
affected her relationship with her husband and her reputation as well. The High Court ordered, “It should be the endeavor of the
Registry to ensure that any internet search made in the public domain ought not to reflect the petitioner’s daughter’s name in the
cause-title of the order or in the body of the order in the criminal petition.”, giving life to this right. However, the name of the
petitioner’s daughter would certainly be reflected in the order copy was made clear.”
How to exercise your right to erasure (or blocking)
Execute a written request to the organization, addressed to its Data Protection Officer (DPO), and have it received. In the letter, mention
that your request is being made in exercise of your right to erasure under the Data Privacy Act of 2012. Documents to support your request
must be attached. The DPO must act on your written request. In case you feel your request has not been addressed satisfactorily, you may
file a formal complaint before the NPC, attaching your request letter to the DPO.


The right to damages

You may claim compensation if you suffered damages due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized
use of personal data, considering any violation of your rights and freedoms as data subject.
Example
This example is from the United Kingdom, as published at: http://www.nabarro.com/insight/briefings/2017/february/assessing-damages-for-data-protection-and-data-privacy/

“In October 2013, the Home Office published quarterly statistics about the family returns process by which applicants who have children
but who have no right to remain in the UK are returned to their country of origin.

The Home Office uploaded anonymised statistics, but they also mistakenly uploaded a spreadsheet of raw data on which those statistics
were based. This spreadsheet contained personal data and private information of approximately 1,600 individuals, including their names,
ages, nationality, the fact of an asylum claim, the regional office which dealt with their case and their immigration removal status.

This data remained online for nearly two weeks before it was removed but during that time the webpage had been visited by IP addresses
across the UK and abroad. As a result, a small number of these individuals brought claims for misuse of private information and breaches of
the Data Protection Act 1998 (DPA).
The defendant accepted that their accidental publication of personal data amounted to a misuse of private and confidential information and
a breach of the DPA. It was not disputed that, subject to proof, damages were recoverable for distress at common law and section 13 of the
DPA, unless Google Inc v Vidal-Hall is overturned.

The six individuals who brought the claims were awarded between £2,500 and £12,500 in damages for misuse of their private information
and the distress suffered as a result of the data breach.”

How to exercise your right to damages


Write or speak to the organization which mishandled your personal information to see if you can reach an agreement and claim
compensation. If you feel that your concern has not been satisfactorily addressed, you should write to the organization and inform them of
your intent to take the matter to the court, before you start court proceedings. Talk to a legal adviser if you want to make a claim in court.

The NPC has no role in dealing with compensation claims. But you may request us to assess if the organization mishandled your personal
data and broke the DPA. You can give a copy of the NPC’s letter to the court along with the evidence to prove your claim. This, however,
does not guarantee that the judge will fully agree with NPC’s view. You may also require someone from the NPC to give expert evidence
which will only be allowed if the judge orders it. The party calling the witness will have to shoulder the corresponding cost.

The right to file a complaint with the National Privacy Commission

If you feel that your personal information has been misused, maliciously disclosed, or improperly disposed, or that any of your data privacy
rights have been violated, you have a right to file a complaint with the NPC.

The right to rectify

You have the right to dispute, and have corrected, any inaccuracy or error in the data a personal information controller (PIC) holds about you.
The PIC should act on it immediately and accordingly, unless the request is vexatious or unreasonable. Once corrected, the PIC should
ensure that you have access to, and receive, both the new and the retracted information. PICs should also furnish third parties with said information,
should you request it.
Example
A government employee resigned from her agency with a period with premium payments of 20.49 years. The employee’s birthdate
indicated in her Government Service Insurance System (GSIS) records is 30 June 1959. However, her National Statistics Office (NSO)
authenticated Certificate of Live Birth shows 30 June 1952 as her birthdate. Her birthdate will determine when she will start receiving her
monthly pension – in 2019 if based on the GSIS record, and in 2012 if based on her birth certificate. She, thus, invoked her right to rectify
her personal data under the Data Privacy Act of 2012.
How to exercise your right to rectify
If the organization does not yet have a system or form for data rectification, you must execute a written request to the organization,
addressed to its Data Protection Officer (DPO), and have it received. In the letter, mention that your request is being made in exercise of
your right to rectify under the Data Privacy Act of 2012. Documents to support your request must be attached. The DPO must act on your
written request. In case you feel your request has not been addressed satisfactorily, you may file a formal complaint before the NPC,
attaching your request letter to the DPO.

Some organizations already have their own system or form for data rectification. For instance, the Social Security System (SSS) only requires its
members to accomplish SSS Form E-4, the Member Data Change Request Form, and submit it with the supporting documents. The needed
supporting documents vary depending on the personal data that you want corrected (e.g. for correction of name and birthdate, a PSA/NSO-
authenticated birth certificate or valid passport; for correction of name due to naturalization, a Certificate of Naturalization issued by the
Philippine Department of Foreign Affairs, an identification certificate issued by the Philippine Bureau of Immigration, and any foreign
government-issued ID cards and/or documents showing the new name).
The right to data portability

This right assures that YOU remain in full control of YOUR data. Data portability allows you to obtain and electronically move, copy or
transfer your data in a secure manner, for further use. It enables the free flow of your personal information across the internet and
organizations, according to your preference. This is important especially now that several organizations and services can reuse the same
data.

Data portability allows you to manage your personal data in your private device, and to transmit your data from one personal information
controller to another. As such, it promotes competition that fosters better services for the public.
Example
In case you want to close your Facebook account and leave the service, or simply feel like you’ve shared a lot of information about your life
and want a backup of all your Facebook data, you may exercise your right to data portability.

You may also exercise this right if you intend to get a usable copy of your personal health records for the use of other doctors you may like
to consult. In banking, the right to data portability may be used to reduce the risks of being locked-in with one single service provider,
thereby expanding customers’ options and improving customer experience.
How to exercise your right to data portability
Various online platforms have been making data portability an available and instant option for their users. For instance, Facebook enables its
users to readily download all their personal content and information, including wall posts, status updates, photos, videos, and conversation
threads. Currently, users just have to click at the top right of any Facebook page and select “Settings”, then click “Download a copy of
your Facebook data” at the bottom of “General Account Settings”, and click “Start My Archive”. Google has a similar feature that readily
allows its users to create an archive to keep for their personal records or for use in another service.

In case the personal information controller concerned does not yet have an online data portability feature, you must execute a written
request to the organization, addressed to its Data Protection Officer (DPO), and have it received. In the letter, mention that your request is
being made in exercise of your right to data portability under the Data Privacy Act of 2012. Documents to support your request must be
attached. The DPO must act on your written request. In case you feel your request has not been addressed satisfactorily, you may file a
formal complaint before the NPC, attaching your request letter to the DPO.

Transmissibility of Data Subject Rights

Just like any physical property, such as real estate, you can assign your rights as a data subject to your legal assignee or lawful heir. Similarly,
you may assert another person’s rights as a data subject, provided he or she authorized you as a “legal assignee”.

You may also invoke another person’s data privacy rights after his or her death if you are his or her legal heir. This same principle applies to
parents of minors, or their legal guardian, who are responsible for asserting their rights on their behalf.

This right, however, is not applicable in case the processed personal data being contested are used only for scientific and statistical
research.

The practical need for transmissibility


An individual’s personal data lives on even after his death. As such, it could still be subject to privacy violations, whether intentional or
otherwise. The Data Privacy Act of 2012 included this provision to protect their privacy rights through a living person willing to assume the
responsibility on their behalf. The transmissibility of data privacy rights has been extended to living adults who are unable to protect their
own rights and wish to assign the responsibility to someone else.
How to execute
Data subjects who are alive but incapacitated, for some reason unable to assert their own personal privacy rights, and who wish to authorize a
“legal assignee” to act as their proxy may do so by executing a legal notice to that effect, such as a Special Power of Attorney.

In case of a deceased data subject, the legal heir must be prepared to show legal evidence to back their claim. Parents or guardians
automatically assume the responsibility of protecting the privacy rights of minors under their care.

Limitations on Rights

The provisions of the law regarding transmissibility of rights and the right to data portability will not apply if the processed personal data
are used only for the needs of scientific and statistical research and, based on such, no activities are carried out and no decisions are taken
regarding the data subject. There should also be an assurance that the personal data will be held under strict confidentiality and used only
for the declared purpose.

They will not also apply to the processing of personal data gathered for investigations in relation to any criminal, administrative or tax
liabilities of a data subject. Any limitations on the rights of the data subject should only be to the minimum extent necessary to achieve the
purpose of said research or investigation.
