Ana Monica V.

Ramos

Honor Pledge for Assignments

“I affirm that I shall not give or receive any unauthorized help on this assignment and that all work shall be my own.”

What are the rights of the data subject? Give an example for each right.

1. The right to be Informed

Individuals have the right to be informed about the collection and use of their personal data;
you must inform individuals about your processing purposes, retention periods for that personal data,
and who it will be shared with.

Example: Without the patient's knowledge or consent, a medical doctor in a private hospital in
Manila recorded a conversation with his lady patient. When the patient realized what was going on, she
confronted the doctor and expressed her outrage, pointing out the doctor's lack of professionalism in
recognizing his personal right to privacy. She claimed that if she had been asked politely, she would have
given her consent anyway. The doctor apologized and explained that his actions were simply intended to
aid his recall, particularly when he later examined the case, and that he simply wanted to provide the best
possible service, which the patient deserves. The patient, on the other hand, demanded that the doctor
delete the recorded conversation and that the medical consultation be canceled. She claimed that if a
doctor does not know how to ask for consent, how can he expect patients to trust him as a medical
professional

2. The right to Access

This is your right to learn if an organization has any personal information about you and, if so,
to obtain "reasonable access" to that information. You can also use this right to request a written
description of the types of information they have about you, as well as their reason(s) for keeping it.

Example: His wallet was stolen during an incident that occurred both inside and outside a Manila
restaurant. He also sustained minor injuries as a result of the incident. He asked for access to the
restaurant's CCTV footage relating to himself, stating that he wants to see all of the details surrounding the
incident and possibly figure out how to get his wallet back. He attempted to speak with the manager directly
but was directed to the security guard. He was finally told that the establishment would not provide him with
any data after a few days of following up on his request. This enraged him, and when he returned to the
restaurant, he demanded his right to see the footage or he would cause a commotion. According to their
security policy, no "outsider" is permitted to enter areas of their facility designated as "for employees only."
As a compromise, the manager agreed to provide him with a recording of the footage taken with the
customer's handheld device.
 3. The right to Object

If the processing of your personal data is based on consent or legitimate interest, you have the
right to object. When you object or refuse to give your consent, the PIC should no longer process your
personal data unless you have a subpoena, the processing is for obvious reasons (contract, employer-
employee relationship, etc.), or the processing is required by law.

Example: Many decisions affecting individuals are made electronically in technology-driven

industries, such as banking and finance, using automated data processing systems based on personal
information stored in computerized data files. This speeds up the exchange of economic value by reducing
the business transaction process to a few seconds. However, it is possible that it will make decisions that
are detrimental to your interests and weaken your position as a transacting party inadvertently. As a result,
organizations must inform you if your personal data will be subject to automated processing and that you
have the right to object.

4. The right to Erasure or Blocking

You have the legal right to request the blocking, removal, or destruction of your personal data,
as well as to suspend, withdraw, or order the blocking, removal, or destruction of your personal data.
This right is yours to exercise upon discovery and substantial proof of the following: Your personal
information is incomplete, outdated, false, or obtained illegally.

Example: If you receive a request on June30, the time limit will begin on July 1 and end on August
1. If this is not possible due to the following month being shorter (and there being no corresponding
calendar date), the response deadline is the last day of the following month. You will have until the next
working day to respond if the corresponding date falls on a weekend or a public holiday. If a consistent
number of days is needed (for example, for a computer system), you should use a 28-day period to ensure
that compliance is always within a calendar month.

5. The right to Damages

You may be entitled to compensation if you have been harmed as a result of inaccurate,
incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal data, or if your rights
and freedoms as a data subject have been violated.

Example: Assume your car is damaged and you are injured as a result of a traffic collision. You
may be awarded damages to compensate you for the cost of restoring the vehicle to its previous condition
and paying your medical bills as a result of the injury. While you're recovering, you might be able to recover
damages for lost wages or business income.

6. The right to file a complaint with the National Privacy Commission

 You have the right to file a complaint with the NPC if you believe your personal data has been
misused, maliciously disclosed, or improperly disposed of, or if any of your data privacy rights have
been violated.

Example: If a patient information was misused by another person and her data privacy was violated
therefore the patient have the right to file a complaint with NPC.

7. The right to Rectify

Individuals have the right to have inaccurate personal information corrected. If your personal
data is incorrect or incomplete, you can correct it. You must correct any inaccuracies in the individual's
personal data without delay and in any case within one month.

Example: If a patient is diagnosed by a GP with a specific illness or condition, but it is later proven
that this is not the case, it is likely that both the initial diagnosis (even if it was later proven to be incorrect)
and the final findings should be recorded in their medical records. Despite the misdiagnosis, the medical
record is an accurate record of the patient's medical treatment. It would be difficult to argue that the medical
record is inaccurate and should be corrected as long as it contains the most recent findings and this is
made clear in the record.

8. The right to Data Portability

Allows individuals to obtain and reuse their personal data across multiple services for their own
purposes. It enables them to move, copy, or transfer personal data safely and securely from one IT
environment to another without affecting its usability.

Example: A patient from a private Belgian clinic is transferring to a clinic in Germany. The individual
requests that the Belgian clinic, which has electronic files on them, provide them with their personal data in
a structured machine-readable format so that they can send it to the appropriate German health
professionals. The Belgian clinic should provide them with personal information in an open format that is
widely used (e.g. XML, JSON, CSV, etc.). When choosing a data format, the organization should think
about how it will affect or obstruct the individual's ability to reuse the data. Providing a person with PDF
versions of their records, for example, may not be enough to ensure that personal data is easily re-used.