Rights of Data Subject (Rule VIII): Data Privacy Act

[Table of Contents] [Glossary]

Rule VIII. Rights of Data Subjects

Section 34. Rights of the Data Subject. The data subject is entitled to the following rights:

a. Right to be informed. 

  1. The data subject has a right to be informed whether personal data pertaining to him or her shall be, are being, or have been processed, including the existence of automated decision-making and profiling. 
  2. The data subject shall be notified and furnished with information indicated hereunder before the entry of his or her personal data into the processing system of the personal information controller, or at the next practical opportunity: 
  • (a) Description of the personal data to be entered into the system; 
  • (b)  Purposes for which they are being or will be processed, including processing for direct marketing, profiling or historical, statistical or scientific purpose; 
  • (c)  Basis of processing, when processing is not based on the consent of the data subject; 
  • (d)  Scope and method of the personal data processing; 
  • (e)  The recipients or classes of recipients to whom the personal data are or may be disclosed; 
  • (f)  Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized, including meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject; 
  • (g)  The identity and contact details of the personal data controller or its representative; 
  • (h)  The period for which the information will be stored; and 
  • (i)  The existence of their rights as data subjects, including the right to access, correction, and object to the processing, as well as the right to lodge a complaint before the Commission. 

b. Right to object. The data subject shall have the right to object to the processing of his or her personal data, including processing for direct marketing, automated processing or profiling. The data subject shall also be notified and given an opportunity to withhold consent to the processing in case of changes or any amendment to the information supplied or declared to the data subject in the preceding paragraph. 

When a data subject objects or withholds consent, the personal information controller shall no longer process the personal data, unless: 

  1. The personal data is needed pursuant to a subpoena; 
  2. The collection and processing are for obvious purposes, including, when it is necessary for the performance of or in relation to a contract or service to which the data subject is a party, or when necessary or desirable in the context of an employer-employee relationship between the collector and the data subject; or 
  3. The information is being collected and processed as a result of a legal obligation. 

c. Right to Access. The data subject has the right to reasonable access to, upon demand, the following: 

  1. Contents of his or her personal data that were processed; 
  2. Sources from which personal data were obtained; 
  3. Names and addresses of recipients of the personal data; 
  4. Manner by which such data were processed; 
  5. Reasons for the disclosure of the personal data to recipients, if any; 
  6. Information on automated processes where the data will, or is likely to, be made as the sole basis for any decision that significantly affects or will affect the data subject; 
  7. Date when his or her personal data concerning the data subject were last accessed and modified; and 
  8. The designation, name or identity, and address of the personal information controller. 

d. Right to rectification. The data subject has the right to dispute the inaccuracy or error in the personal data and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal data has been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by the intended recipients thereof: Provided, That receipients or third parties who have previously received such processed personal data shall be informed of its inaccuracy and its rectification, upon reasonable request of the data subject. 

e. Right to Erasure or Blocking. The data subject shall have the right to suspend, withdraw or order the blocking, removal or destruction of his or her personal data from the personal information controller’s filing system. 

  1. This right may be exercised upon discovery and substantial proof of any of the following: 
  • (a)  The personal data is incomplete, outdated, false, or unlawfully obtained; 
  • (b)  The personal data is being used for purpose not authorized by the data subject; 
  • (c)  The personal data is no longer necessary for the purposes for which they were collected; 
  • (d)  The data subject withdraws consent or objects to the processing, and there is no other legal ground or overriding legitimate interest for the processing; 
  • (e)  The personal data concerns private information that is prejudicial to data subject, unless justified by freedom of speech, of expression, or of the press or otherwise authorized; 
  • (f)  The processing is unlawful; 
  • (g)  The personal information controller or personal information processor violated the rights of the data subject. 
  • 2. The personal information controller may notify third parties who have previously received such processed personal information. 

f. Right to damages. The data subject shall be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, taking into account any violation of his or her rights and freedoms as data subject. 

Section 35. Transmissibility of Rights of the Data Subject. The lawful heirs and assigns of the data subject may invoke the rights of the data subject to which he or she is an heir or an assignee, at any time after the death of the data subject, or when the data subject is incapacitated or incapable of exercising the rights as enumerated in the immediately preceding section. 

Section 36. Right to Data Portability. Where his or her personal data is processed by electronic means and in a structured and commonly used format, the data subject shall have the right to obtain from the personal information controller a copy of such data in an electronic or structured format that is commonly used and allows for further use by the data subject. The exercise of this right shall primarily take into account the right of data subject to have control over his or her personal data being processed based on consent or contract, for commercial purpose, or through automated means. The Commission may specify the electronic format referred to above, as well as the technical standards, modalities, procedures and other rules for their transfer. 

Section 37. Limitation on Rights. The immediately preceding sections shall not be applicable if the processed personal data are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, that the personal data shall be held under strict confidentiality and shall be used only for the declared purpose. The said sections are also not applicable to the processing of personal data gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject. Any limitations on the rights of the data subject shall only be to the minimum extent necessary to achieve the purpose of said research or investigation. 

P&L Law

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.