Published 6 May 2019, The Daily Tribune

A Time magazine article commented that data is now more valuable than gold. Data can be used to determine customer preferences, analyze market behavior, monitor the acts of competitors, appeal to voters during elections, create false news, alter behavioral patterns and for a variety of other purposes, from noble to sinister.

Our personal data are like cherished possessions. We hold on to them tightly and only share with persons who enjoy our trust and confidence. We thus lament and complain if our personal data are collected, altered, removed, blocked or simply used for unintended purposes. Our Philippine Constitution guarantees, no less, the citizens’ right to privacy.

Special laws have been passed to further strengthen that right. One of them, and the most recent, is the Data Privacy Act (DPA). There are two types of privacy: decisional and informational. Decisional privacy involves the right to independence in making certain important decisions. Informational privacy refers to the interest in avoiding disclosure of personal matters. Data privacy is synonymous with informational privacy.

The DPA applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing (Section 4, DPA).

Processing is any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data (Section 3(j), DPA).

Personal information, on the other hand, is any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual (Section 3(g), DPA). The image of a person recorded by a camera constitutes personal data (Rynes v. Urda, CJEU 11 December 2014).

Another relevant term under the DPA is Personal Information Controller: a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.

Let me walk you through your rights as data subjects under the DPA.

1. The right to be informed:
a. on whether personal data pertaining to him or her shall be, are being, or have been processed, including the existence of automated decision-making and profiling; and
b. to be notified about the following information before the entry thereof into the processing system of the personal information controller, or at the next practical opportunity:
• Description of the personal data to be entered into the system;
• Purposes for which they are being or will be processed;
• Basis of processing, when processing is not based on the consent of the data subject;
• Scope and method of the personal data processing;
• Recipients or classes of recipients to whom the personal data are or may be disclosed;
• Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized, including meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
• Identity and contact details of the personal data controller or its representative;
• Period for which the information will be stored; and
• Existence of their rights as data subjects (Section 34a, IRR).

2. The right to access. This means reasonable access upon demand to the following:
• Contents of his or her personal data that were processed;
• Sources from which personal data were obtained;
• Names and addresses of recipients of the personal data;
• Manner by which such data were processed;
• Reasons for the disclosure of the personal data to recipients, if any;
• Information on automated processes where the data will, or is likely to, be made as the sole basis for any decision that significantly affects or will affect the data subject;
• Date when his or her personal data concerning the data subject were last accessed and modified;
• The designation, name or identity, and address of the personal information controller (Section 34c, IRR).

3. The right to object. The data subject shall have the right to object to the processing of his or her personal data, including processing for direct marketing, automated processing or profiling.
Rule: When a data subject objects or withholds consent, the personal information controller shall no longer process the personal data, unless:
a. The personal data is needed pursuant to a subpoena;
b. The collection and processing are for obvious purposes, including, when it is necessary for the performance of or in relation to a contract or service to which the data subject is a party, or when necessary or desirable in the context of an employer-employee relationship between the collector and the data subject; or
c. The information is being collected and processed as a result of a legal obligation (Section 34b, IRR).

4. The right to erasure or blocking. The data subject shall have the right to suspend, withdraw or order the blocking, removal or destruction of his or her personal data from the personal information controller’s filing system, upon proof of any of the following grounds:
• The personal data is incomplete, outdated, false, or unlawfully obtained;
• The personal data is being used for a purpose not authorized by the data subject;
• The personal data is no longer necessary for the purposes for which they were collected;
• The data subject withdraws consent or objects to the processing, and there is no other legal ground or overriding legitimate interest for the processing;
• The personal data concerns private information that is prejudicial to the data subject, unless justified by freedom of speech, of expression, or of the press or otherwise authorized;
• The processing is unlawful;
• The personal information controller or personal information processor violated the rights of the data subject (Section 34e, IRR).

In the next article, I will cover the right to damages, to file a complaint and the right to be forgotten.

For comments and questions, please send an email to