Published 10 May 2019, The Daily Tribune

We continue with our discussion on your rights under the Data Privacy Act.

The right to damages
The data subject shall be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, taking into account any violation of his or her rights and freedoms as data subject (Section 34f, IRR).

The right to file a complaint
The complainant must have first informed, in writing, the personal information controller or concerned entity of the privacy violation or personal data breach to allow for appropriate action on the same; and,

The personal information controller or concerned entity did not take timely or appropriate action on the claimed privacy violation or personal data breach, or there is no response from the personal information controller within 15 days from receipt of information from the complaint; and,

The complaint is filed within six months from the occurrence of the claimed privacy violation or personal data breach, or 30 days from the last communiqué with the personal information controller or concerned entity, whichever is earlier.

Note that this right is subject to exhaustion of the aforementioned remedies. Otherwise, the complaint is dismissible.

The right to rectify
The data subject has the right to dispute the inaccuracy or error in the personal data and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal data has been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by the intended recipients thereof:

Provided, that recipients or third parties who have previously received such processed personal data shall be informed of its inaccuracy and its rectification, upon reasonable request of the data subject (Section 34d, IRR).

The right to data portability
This right gives data subjects the mechanism to obtain their personal data in an electronic or structured format from personal information controllers if such personal data is being processed through electronic means, and enables the further use of such personal data by the data subjects (Section 36, IRR; Section 18, DPA).

Incidentally, Congress recently enacted the Mobile Number Portability Act (RA 11202) which allows a mobile or prepaid subscriber of mobile phone services to retain their existing mobile number even if they move from one service provider to another and even if they change their subscription from postpaid to prepaid, or vice versa, provided the subscriber has no existing financial obligations to his/her current service provider.

The right to be forgotten

What is the right to be forgotten? Is this right recognized under the DPA?

The right to be forgotten is a right recognized by the Court of Justice of the European Union (CJEU) allowing a data subject to request a search engine operator (such as Google), as a data controller, to have the particular information about him (which appears when his name is searched via the search engine) “no longer be linked to his name by a list of results displayed following a search made on the basis of his name” on the ground “that information appears, having regard to all the circumstances of the case, to be inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue carried out by the operator of the search engine, the information and links concerned in the list of results must be erased.” (Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González, 2014)

The website that published or has the information sought to be removed is, however, NOT covered by the right to be forgotten because to them, the freedom of expression applies (Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González, 2014).

The right to be forgotten is recognized in the form of “right of erasure or blocking” under the DPA in that the data subject may “suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected.”

May you not forget your rights under the law.

For comments and questions, please send an email to