Rights of Data Subject | R.A. No.10173 or the Data Privacy Act | OTHER SPECIAL LAWS AND RULES

Here is a meticulous summary of the "Rights of the Data Subject" under Republic Act No. 10173, known as the Data Privacy Act of 2012, within Philippine law.


Republic Act No. 10173 - Data Privacy Act of 2012

Section: Rights of the Data Subject

The Data Privacy Act (DPA) safeguards individual privacy rights by imposing standards on data processing and providing individuals (data subjects) with specific rights. These rights are enshrined in Chapter IV of the Act, ensuring that individuals have control and recourse concerning their personal data.

1. The Right to Be Informed

  • Overview: The data subject has the right to know when their personal data is being processed.
  • Scope: This includes knowing the purpose of the data collection, the manner of collection, processing, storage, and sharing.
  • Specific Requirements:
    • Data subjects must be informed of the identity and contact details of the entity controlling data (Data Controller).
    • They should understand the nature, extent, and purpose of data collection and processing.
    • Information on automated processes that may make decisions affecting them must be disclosed, as well as the rights available to the data subject.

2. The Right to Access

  • Overview: Data subjects have the right to access their personal data held by any personal information controller.
  • Scope: They may request a copy of any data being processed or held about them.
  • Limitations: Access may be restricted if it infringes on the privacy rights of others or on public policy or safety considerations.
  • Documentation: Data subjects are entitled to request details on how their data is processed, including sources of the data, data recipients, and the reasoning behind any automated data processing.

3. The Right to Object

  • Overview: This right allows data subjects to refuse data processing under certain conditions.
  • Scope: The data subject can object to the processing of their personal data, especially if the processing is done for marketing, profiling, or other forms of data processing not authorized under specific laws or contracts.
  • Implications: Once an objection is raised, further processing is limited and may only continue under specific, lawful conditions, such as a court order or explicit legal obligation.

4. The Right to Erasure or Blocking

  • Overview: Also known as the "right to be forgotten," this allows data subjects to demand the deletion or blocking of their data.
  • Conditions: This applies under these conditions:
    • The data is no longer necessary for its original purpose.
    • Consent for data processing has been withdrawn.
    • Processing is unlawful, or the data subject objects to the processing.
  • Scope: Blocking restricts access to personal data while erasure removes it entirely.
  • Exceptions: In cases where data processing is essential for legal claims or law enforcement, erasure may not be allowed.

5. The Right to Damages

  • Overview: The data subject has a right to claim damages if they suffer harm due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of their personal data.
  • Types of Damages: The DPA recognizes moral, nominal, temperate, liquidated, or exemplary damages, depending on the nature of the harm suffered.
  • Process: The data subject may seek compensation through legal proceedings, proving the breach and the damage incurred.

6. The Right to Rectification

  • Overview: This right allows the data subject to request corrections to any incorrect or outdated personal data.
  • Scope: The data subject may request to rectify, complete, or update any inaccurate data maintained by the data controller.
  • Responsibility of Data Controller: Data controllers are required to take reasonable steps to verify the accuracy of data and amend it upon the data subject's request.

7. The Right to Data Portability

  • Overview: Data subjects are entitled to obtain and reuse their personal data across different services.
  • Scope: Data portability applies to personal data provided by the data subject, which is processed by automated means.
  • Requirements for Portability: Data must be in a structured, commonly used, and machine-readable format to facilitate portability.
  • Use Case: This is particularly applicable in cases where the data subject wants to switch service providers or move their data to another platform.

8. The Right to File a Complaint

  • Overview: If data subjects believe their rights have been violated, they have the right to file complaints with the National Privacy Commission (NPC).
  • Process: The complaint can be filed if there is a violation of any provision of the Data Privacy Act or its Implementing Rules and Regulations (IRR).
  • NPC's Role: The NPC conducts hearings, adjudicates complaints, and may impose penalties on violators.

9. The Right to Non-Discrimination

  • Overview: Data subjects should not face discrimination based on the exercise of their privacy rights.
  • Scope: This right ensures that exercising privacy rights (e.g., opting out of marketing) should not affect the provision of services or lead to any form of bias.

Summary of Enforcement and Compliance

The National Privacy Commission (NPC) is tasked with overseeing the implementation of the Data Privacy Act, including handling complaints, investigating data breaches, issuing orders, and ensuring organizations comply with data subject rights. Penalties for violations include fines, imprisonment for data privacy breaches, and administrative sanctions, emphasizing the importance of compliance and respect for individual rights in the processing of personal data in the Philippines.


These rights underscore the Data Privacy Act's commitment to empowering data subjects to protect their privacy and exercise control over their personal information. Organizations and individuals handling personal data must respect these rights, ensuring transparency, security, and accountability in their data processing practices.