Since the promulgation of the Implementing Rules and Regulations for the Data Privacy Act (DPA) on Aug. 24, 2016, the National Privacy Commission (NPC) has always emphasized that one of the guiding principles of the DPA is the empowerment of individuals to have reasonable control over the flow of their personal data.
To address frequently recurring questions regarding the rights of data subjects under the DPA, the NPC issued Advisory No. 2021-01 on Jan. 29 this year. The Advisory now explicitly provides that Personal Information Controllers (PICs) are required to implement a clear, simple, straight-forward, and convenient procedure to allow data subjects to exercise their rights, including the use of request forms and measures to verify the identity of the requesting data subjects. PICs are also not allowed to charge any fee to fulfill the exercise of data subject rights, (except reasonable fees for requests for copies of personal information), and must comply with requests within a period not exceeding 30 working days.
The Advisory also clarifies that PICs may not retain personal data for the sole purpose of making it available for potential future requests for the right to access or data portability. Thus, once the purpose for which the data was obtained has been fulfilled, such data may no longer be retained. Where data subject rights are denied or limited, PICs must clearly and fully inform the data subject of the reason for the limitation or denial.
The Advisory also provided expanded guidelines on the exercise of specific data subject rights. Of significance are guidelines on:
• the right to be informed, where PICs must notify and furnish data subjects with the required information before their personal data is processed and where a privacy notice is required at all times in order for data subjects to be informed which is, however, not equivalent to consent;
• the right to object, where data subjects can object to the processing of personal data for direct marketing, profiling or where automated processing of the data is to be the sole basis for any decision that significantly affects the data subject, and which mandates PICs to cease the processing of personal data when a data subject objects or to inform the data subject if there are other grounds to continue processing;
• the right to access, where PICs may refuse to comply with repeated, identical, or similar requests for access when these have already been granted except in cases where a reasonable interval of time from the previous request or if the grant of the request would result in a disproportionate amount of effort or resources or may cause serious harm to the physical, mental, or emotional health of the data subject;
• the right to rectification, where in cases involving the correction of personal data, the PIC must ensure that the data subject has access to both the new and retracted information, and upon the request of the data subject, inform recipients or third parties of the said rectification;
• the right to erasure or blocking, where required substantial proof for the exercise of the right to erasure or blocking of personal information and the specific instances when such requests may be denied is outlined and where PICs are directed to grant the request for erasure or blocking if the request is based on unlawful processing, use for unauthorized purposes or violation of data subject rights,
• the right to data portability, where the processing must be based on consent or contract and the personal data is processed by electronic means and in a structured and commonly used format to enable data subjects to exercise the right and where PICs are directed to consider commonly used, machine-readable, interoperable, open formats such as XML, JSON, CSV, etc. for data portability requests; and,
• the right to damages which states that the NPC may award indemnity on the basis of applicable provisions of the New Civil Code.
While Filipinos have gradually become aware of their rights under the DPA, navigating and exercising these rights have resembled a tug-of-war between data subjects and personal information controllers and processors. Hopefully, NPC Advisory No. 2021-01 will provide sufficient guidance to ensure that data subjects are able to take hold of and effectively control their personal information.
The views and opinions expressed in this article are those of the author. This article is for general information and educational purposes, and not offered as, and does not constitute, legal advice or legal opinion.
Maria Isabel M. Llave is a Senior Associate of the Intellectual Property Department of the Angara Abello Concepcion Regala & Cruz Law Offices (ACCRALAW)