2019 Notes On Data Privacy Act


Data Privacy Act of 2012


RA 10173
Right to Privacy ➢ The right to be let alone - the most comprehensive of rights and the right
most valued by civilized men

Right to Information Privacy ➢ The individual’s ability to control the flow of information
concerning or describing him, which however must be overbalanced by legitimate public
concerns. To deprive an individual of his power to control or determine whom to share
information of his personal details would deny him of his right to his own personhood

National Privacy Commission ➢ The regulatory body tasked “to administer and implement the provisions of [the Data Privacy Act], and to monitor and ensure compliance of the country with international standards set for data protection”

State Policy on Data Privacy ➢ “It is the policy of the State to protect the fundamental human
right of privacy, of communication while ensuring the free flow of information to promote
innovation and growth.”

Extraterritorial Application ➢ The [Data Privacy Act] applies to an act done or practice
engaged in and outside of the Philippines by an entity if:

(a) The act, practice or processing relates to personal information about a Philippine citizen or a
resident;

(b) The entity has a link with the Philippines, and the entity is processing personal information in
the Philippines or even if the processing is outside the Philippines as long as it is about
Philippine citizens or residents such as, but not limited to, the following:

(1) A contract is entered in the Philippines;
(2) A juridical entity unincorporated in the Philippines but has central management and control in the country; and
(3) An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information; and

(c) The entity has other links in the Philippines such as, but not limited to:
(1) The entity carries on business in the Philippines; and
(2) The personal information was collected or held by an entity in the Philippines.

A. Personal vs. Sensitive Personal Information

Personal Information
➢ refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

Examples of Personal Information –
• Name
• Home Address
• Business Address
• Email Address
• Telephone Number – Work
• Telephone Number – Home

Sensitive Personal Information ➢ refers to personal information:

(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to be kept classified.

Examples of Sensitive Personal Information –
• Date of Birth
• Marital Status
• Color, Race or Ethnic Origin
• Religion (Religious beliefs or affiliations)
• Education
• Photo
• Biometrics
• Political Association
• Philosophical Beliefs/Orientation
• Health
• Sexual life/preference/practice
• Offence committed or alleged to have been committed, the disposal of such proceedings, or the sentence of any court in such proceedings
• Issued by government agencies peculiar to an individual:
  - Unique identifiers
  - Previous or current health records
  - Licenses or its denials, suspension or revocation
  - Tax returns

Privileged Information ➢ refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication. (*not included in the Bar syllabus)

B. Scope [The Data Privacy Act of 2012]
- applies to the processing of all types of personal information and to any natural and juridical
person involved in personal information processing including those personal information
controllers and processors who, although not found or established in the Philippines, use
equipment that are located in the Philippines, or those who maintain an office, branch or agency
in the Philippines.

Personal Information Controller (PIC) ➢ refers to a person or organization who controls the
collection, holding, processing or use of personal information, including a person or organization
who instructs another person or organization to collect, hold, process, use, transfer or disclose
personal information on his or her behalf.

The term excludes:


(1) A person or organization who performs such functions as instructed by another person or organization; and
(2) An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.

{Examples of PICs processing personal data needed for their day-to-day activities:
- Mercury Drug through its Suki Card,
- SM through its SM Advantage Card,
- Jollibee Group through its Happy Plus Card,
- All Banks,
- All Insurance Companies,
- Travel Agencies, Hospitals, and All Government entities.}

Personal Information Processor (PIP) ➢ refers to any natural or juridical person qualified to
act as such under this Act to whom a personal information controller may outsource the
processing of personal data pertaining to a data subject.

{Examples of PIPs
Mail Service Providers,
Outsource Companies for purposes as needed by the Principal Company,
IT Service Provider etc.}

Processing Exempt from the Coverage of the Data Privacy Act ➢ This Act does not apply to
the following:

(a) Information about any individual who is or was an officer or employee of a government
institution that relates to the position or functions of the individual, including:
(1) The fact that the individual is or was an officer or employee of the government
institution;
(2) The title, business address and office telephone number of the individual;
(3) The classification, salary range and responsibilities of the position held by the
individual; and
(4) The name of the individual on a document prepared by the individual in the course of employment with the government;
(b) Information about an individual who is or was performing service under contract for a
government institution that relates to the services performed, including the terms of the contract,
and the name of the individual given in the course of the performance of those services;

(c) Information relating to any discretionary benefit of a financial nature such as the granting of a
license or permit given by the government to an individual, including the name of the individual
and the exact nature of the benefit;

(d) Personal information processed for journalistic, artistic, literary or research purposes;

(e) Information necessary in order to carry out the functions of public authority which includes
the processing of personal data for the performance by the independent, central monetary
authority and law enforcement and regulatory agencies of their constitutionally and statutorily
mandated functions. Nothing in this Act shall be construed as to have amended or repealed
Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act
No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510,
otherwise known as the Credit Information System Act (CISA);

(f) Information necessary for banks and other financial institutions under the jurisdiction of the
independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic
Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money
Laundering Act and other applicable laws; and

(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

B. Processing of Personal Information


➢ The processing of personal information shall be allowed, subject to compliance with the
requirements of this Act and other laws allowing disclosure of information to the public and
adherence to the principles of transparency, legitimate purpose and proportionality.

❖ Transparency
➢ The data subject must be aware of the nature, purpose and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of the personal information controller, his or her rights as a data subject, and how these can be exercised.
➢ Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.

❖ Legitimate Purpose
➢ Processing of information shall be compatible with a declared and specified purpose which
must not be contrary to law, morals or public policy.

❖ Proportionality
➢ The processing of information shall be adequate, relevant, suitable, necessary and not
excessive in relation to a declared and specified purpose. Personal data shall be processed only if
the purpose of the processing could not reasonably be fulfilled by other means.

Criteria for Lawful Processing of Personal Information


The processing of personal information shall be permitted only if not otherwise prohibited by
law, and when at least one of the following conditions exists:

(a) The data subject has given his or her consent;


(b) The processing of personal information is necessary and is related to the fulfillment of a
contract with the data subject or in order to take steps at the request of the data subject prior to
entering into a contract;
(c) The processing is necessary for compliance with a legal obligation to which the personal
information controller is subject;
(d) The processing is necessary to protect vitally important interests of the data subject, including
life and health;
(e) The processing is necessary in order to respond to national emergency, to comply with the
requirements of public order and safety, or to fulfill functions of public authority which
necessarily includes the processing of personal data for the fulfillment of its mandate; or
(f) The processing is necessary for the purposes of the legitimate interests pursued by the
personal information controller or by a third party or parties to whom the data is disclosed,
except where such interests are overridden by fundamental rights and freedoms of the data
subject which require protection under the Philippine Constitution.

Criteria for Lawful Processing of Sensitive Personal Information (and Privileged Information)
The processing of sensitive personal information and privileged information shall be prohibited,
except in the following cases:

(a) The data subject has given his or her consent, specific to the purpose prior to the processing,
or in the case of privileged information, all parties to the exchange have given their consent prior
to processing;
(b) The processing of the same is provided for by existing laws and regulations: Provided, That
such regulatory enactments guarantee the protection of the sensitive personal information and the
privileged information: Provided, further, That the consent of the data subjects are not required
by law or regulation permitting the processing of the sensitive personal information or the
privileged information;
(c) The processing is necessary to protect the life and health of the data subject or another
person, and the data subject is not legally or physically able to express his or her consent prior to
the processing;
(d) The processing is necessary to achieve the lawful and non-commercial objectives of public
organizations and their associations: Provided, That such processing is only confined and related
to the bona fide members of these organizations or their associations: Provided, further, That the sensitive personal information are not transferred to third parties: Provided, finally, That consent
of the data subject was obtained prior to processing;
(e) The processing is necessary for purposes of medical treatment, is carried out by a medical
practitioner or a medical treatment institution, and an adequate level of protection of personal
information is ensured; or
(f) The processing concerns such personal information as is necessary for the protection of
lawful rights and interests of natural or legal persons in court proceedings, or the establishment,
exercise or defense of legal claims, or when provided to government or public authority.

Consent of the Data Subject


➢ Refers to any freely given, specific, informed indication of will, whereby the data subject
agrees to the collection and processing of personal information about and/or relating to him or
her.
➢ Consent shall be evidenced by written, electronic or recorded means.
➢ It may also be given on behalf of the data subject by an agent specifically authorized by the
data subject to do so.

Principle of Accountability
➢ Each personal information controller is responsible for personal information under its control
or custody, including information that have been transferred to a third party for processing,
whether domestically or internationally, subject to cross-border arrangement and cooperation.

C. Rights of Data Subject

Data Subject ➢ Refers to an individual whose personal information is processed.

Rights of Data Subject


The data subject is entitled to:

Right to Information/Right To be Informed

Under R.A. 10173, your personal data is treated almost literally in the same way as your
own personal property. Thus, it should never be collected, processed and stored by any
organization without your explicit consent, unless otherwise provided by law.
Information controllers usually solicit your consent through a consent form. Aside from protecting you against unfair means of personal data collection, this right also requires personal information controllers (PICs) to notify you in a timely manner if your data have been compromised.

As a data subject, you have the right to be informed that your personal data will be, are
being, or were, collected and processed.

The Right to be Informed is a most basic right as it empowers you as a data subject to
consider other actions to protect your data privacy and assert your other privacy rights.

➢ Be informed whether personal information pertaining to him or her shall be, are being or have
been processed;

Example:
A medical doctor in a private hospital in Manila recorded a conversation with his lady patient without the patient’s knowledge and prior consent. Upon realizing what was happening, the patient immediately confronted the doctor and expressed her strong dismay, pointing out the physician’s lack of professionalism in recognizing her personal right to privacy. She said she could have given her consent anyway if only she had been asked politely. The doctor apologized and explained that his action was just meant to aid his recall, especially when he later examined the case, saying he just wanted to provide the best possible service, which the patient deserves. The patient, however, demanded that the doctor delete the recorded conversation and canceled the medical consultation. She said that if the doctor does not even know the basic courtesy of asking for consent, how can he expect to win patients’ confidence in his competence as a medical practitioner?

Take note of this:

To protect your privacy, the Philippine data privacy law explicitly requires organizations to notify and furnish you the following information before they enter your personal data into any processing system (or at the next practical opportunity at least):

• Description of the personal data to be entered into the system
• Exact purposes for which they will be processed (such as for direct marketing, statistical, scientific etc.)
• Basis for processing, especially when it is not based on your consent
• Scope and method of the personal data processing
• Recipients to whom your data may be disclosed
• Methods used for automated access by the recipient, and its expected consequences for you as a data subject
• Identity and contact details of the personal information controller
• The duration for which your data will be kept
• You also have to be informed of the existence of your rights as a data subject.

Additional notes:

In recording a conversation or interview with someone, it is enough to verbally ask for a direct consent from an individual data subject. If the subject yields, it would be useful to also mention as part of the recorded conversation that the subject knows the conversation is being recorded and that you asked and were given the consent. It would even be better if you could get the subject to verbally confirm his consent.

Banks involved in phone banking tell their callers that the conversation with
their call center agent would be recorded, and that proceeding with the call
is indication of their consent. This practice is considered sufficient notice.

Websites resort to publishing a Privacy Notice page, which essentially accomplishes the same thing. Similar privacy notices should be made in public establishments equipped with security CCTVs.

Whenever anyone is making an audio or video recording of you, or even just taking your pictures, you have a right to know, and you must always be given the chance to opt out when you don’t feel comfortable.

A salesman may be collecting detailed personal data about you and your family without your permission, under the pretext of targeting you as a prospective customer to tailor-fit their offerings to your individual needs. This, by itself, may be potentially beneficial to you. But since your personal privacy and safety are potentially put at risk, you have a right to be informed if you are being individually targeted in a sales campaign like this.

➢ Be furnished the information indicated hereunder before the entry of his or her personal
information into the processing system of the personal information controller, or at the next
practical opportunity:
(1) Description of the personal information to be entered into the system;
(2) Purposes for which they are being or are to be processed;
(3) Scope and method of the personal information processing;
(4) The recipients or classes of recipients to whom they are or may be disclosed;
(5) Methods utilized for automated access, if the same is allowed by the data subject, and
the extent to which such access is authorized;
(6) The identity and contact details of the personal information controller or its
representative;
(7) The period for which the information will be stored; and
(8) The existence of their rights, i.e., to access, correction, as well as the right to lodge a
complaint before the Commission.

Any information supplied or declaration made to the data subject on these matters shall
not be amended without prior notification of data subject: Provided, That the notification
under subsection (b) shall not apply should the personal information be needed pursuant
to a subpoena or when the collection and processing are for obvious purposes, including
when it is necessary for the performance of or in relation to a contract or service or when
necessary or desirable in the context of an employer-employee relationship, between the
collector and the data subject, or when the information is being collected and processed
as a result of legal obligation;

The Right to Access

This is your right to find out whether an organization holds any personal data about you
and if so, gain “reasonable access” to them. Through this right, you may also ask them to
provide you with a written description of the kind of information they have about you as
well as their purpose/s for holding them.

Under the Data Privacy Act of 2012, you have a right to obtain from an organization a
copy of any information relating to you that they have on their computer database and/or
manual filing system. It should be provided in an easy-to-access format, accompanied
with a full explanation executed in plain language.

You may demand to access the following:

• The contents of your personal data that were processed.
• The sources from which they were obtained.
• Names and addresses of the recipients of your data.
• Manner by which they were processed.
• Reasons for disclosure to recipients, if there were any.
• Information on automated systems where your data is or may be available, and how it may affect you.
• Date when your data was last accessed and modified.
• The identity and address of the personal information controller.

➢ Reasonable access to, upon demand, the following:


(1) Contents of his or her personal information that were processed;
(2) Sources from which personal information were obtained;
(3) Names and addresses of recipients of the personal information;
(4) Manner by which such data were processed;
(5) Reasons for the disclosure of the personal information to recipients;
(6) Information on automated processes where the data will or likely to be made as the sole basis for any decision significantly affecting or will affect the data subject;
(7) Date when his or her personal information concerning the data subject were last accessed and modified; and
(8) The designation, or name or identity and address of the personal information controller;

Example:

An individual had been involved in an incident inside and outside a Manila restaurant where his wallet was stolen. He also suffered minor injuries in the incident. He requested access to the restaurant CCTV footage relating to himself, saying he wanted to see all details surrounding the incident and possibly figure out a way to recover his wallet. He tried to personally speak to the manager but was referred to the security guard. After a few days of following up on his request, he was finally informed that the establishment would not provide him any data. This infuriated him and, upon going back to the restaurant, he demanded his right to view the footage or else he would create a scene. He was told that, as per their security policy, no “outsider” is allowed to enter areas in their establishment designated as “for employees only”. As a compromise, the manager said they would give him a record of the footage using the customer’s handheld gadget.

How to exercise your right to access your personal data

You must execute a written request to the organization, addressed to its Data Protection Officer (DPO). In the letter, mention that your request is being made in exercise of your right to access under the Data Privacy Act of 2012. The DPO is required to respond to your written request. Be prepared to provide evidence of your identity, which the DPO should require of you to make sure that personal information is not given to the wrong person.

If your request was not granted, or if you feel your request was not sufficiently addressed, you may file a formal complaint with the NPC. Before doing so, however, we recommend that you inform the organization and its DPO of your intention to formally complain to the NPC. This gives them the opportunity to apologize, better explain their position, or reconsider your request.

Additional notes:

Some exceptions may disallow the exercise of an individual’s right to access. This is to balance the right to privacy of an individual versus the needs of civil society. Here are some examples:

• A criminal suspect is not allowed access to the personal data held about him by law enforcement agencies as it may impede investigation.
• You are not allowed access to information about you as contained in communications between a lawyer and his or her client, if such communication is subject to legal privilege in court.
• Your right to access your own medical and psychological data may be denied you in the rare instance where it is deemed that your health and well-being might be negatively affected.

Right to Object

You can exercise your right to object if the personal data processing involved is based on consent or on legitimate interest. When you object or withhold your consent, the PIC should no longer process the personal data, unless the processing is pursuant to a subpoena, for obvious purposes (contract, employer-employee relationship, etc.) or a result of a legal obligation.

In case there is any change or amendment to the information previously given to
you, you should be notified and given an opportunity to withhold consent.

Example

The right to object is most specifically applicable when organizations or personal information controllers are processing your data without your consent for the following purposes:

• Direct marketing purposes. When business organizations give you sales materials about products and services, they must explicitly inform or remind you of your right to object. If you feel uncomfortable about being the target of a direct marketing campaign, you must be able to easily invoke your right to object. If you previously acceded but wish to opt out, you must be given an easy way to opt out. In asserting your right to object to being included in a direct marketing campaign, businesses have no recourse but to accede as there are no exemptions or grounds for refusal in this case.
• Profiling purposes. Businesses customarily resort to profiling, or the creation of profiles of individual customers and clients without their consent. This is done either for marketing or customer care purposes. The cross-referencing of customer information to product marketing brings about practical advantages to both the buyer and seller in any potential business transaction. Under RA 10173, however, profiling of this kind requires your consent as a customer, or else you are justified in invoking your right to object. The right of state agents to do profiling for law enforcement purposes, however, may override your right to object.
• Automated processing purposes. In technology-driven industries, such as banking and finance, many decisions affecting individuals are arrived at electronically via automatic data processing systems based on personal information stored in computerized data files. This reduces the business transaction process down to a few seconds and facilitates a speedy exchange of economic value. Potentially, however, it may also inadvertently arrive at decisions prejudicial to your interests and lead to the weakening of your position as a transacting party. As such, organizations are required to notify you whether your personal data will undergo automatic processing, and inform you that you have a right to object.

How to exercise your right to object

Whenever you have the chance, you may assert your right to object verbally, be it in person or via a phone call. To have it formally documented, however, you must execute a written request to the organization, addressed to its Data Protection Officer (DPO), and have it received. In the letter, mention that your request is being made in exercise of your right to object under the Data Privacy Act of 2012. The DPO must act on your written request. In case you feel your request has not been addressed satisfactorily, you may file a formal complaint before the NPC, attaching your request letter to the DPO.

Right to Rectification or Correction

You have the right to dispute and have corrected any inaccuracy or error in the data a personal information controller (PIC) holds about you. The PIC should act on it immediately and accordingly, unless the request is vexatious or unreasonable. Once corrected, the PIC should ensure your access to, and receipt of, both the new and the retracted information. PICs should also furnish third parties with said information, should you request it.

➢ Dispute the inaccuracy or error in the personal information and have the
personal information controller correct it immediately and accordingly, unless the
request is vexatious or otherwise unreasonable.
➢ If the personal information have been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by recipients thereof: Provided, That the third parties who have previously received such processed personal information shall be informed of its inaccuracy and its rectification upon reasonable request of the data subject;

Example

A government employee resigned from her agency with a period of premium payments of 20.49 years. The employee’s birthdate indicated in her Government Service Insurance System (GSIS) records is 30 June 1959. However, her National Statistics Office (NSO) authenticated Certificate of Live Birth shows 30 June 1952 as her birthdate. Her birthdate will determine when she will start receiving her monthly pension – in 2019 if based on the GSIS record, and in 2012 if based on her birth certificate. She, thus, invoked her right to rectify her personal data under the Data Privacy Act of 2012.

How to exercise your right to rectify

If the organization does not yet have a system or form for data rectification, you must execute a written request to the organization, addressed to its Data Protection Officer (DPO), and have it received. In the letter, mention that your request is being made in exercise of your right to rectification under the Data Privacy Act of 2012. Documents to support your request must be attached. The DPO must act on your written request. In case you feel your request has not been addressed satisfactorily, you may file a formal complaint before the NPC, attaching your request letter to the DPO.

Some organizations already have their own system or form for data rectification. For instance, the Social Security System (SSS) only requires its members to accomplish SSS Form E-4, the Member Data Change Request Form, and submit it together with the supporting documents. The supporting documents needed vary depending on the personal data that you want corrected (e.g. for correction of name and birthdate, a PSA/NSO-authenticated birth certificate or valid passport; for correction of name due to naturalization, a Certificate of Naturalization issued by the Philippine Department of Foreign Affairs, an identification certificate issued by the Philippine Bureau of Immigration, and any foreign government-issued ID cards and/or documents showing the new name).

Right to Erasure or Blocking

➢ Suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected. In this case, the personal information controller may notify third parties who have previously received such processed personal information;

Under the law, you have the right to suspend, withdraw or order the blocking, removal or destruction of your personal data. You can exercise this right upon discovery and substantial proof of the following:

• Your personal data is incomplete, outdated, false, or unlawfully obtained.
• It is being used for purposes you did not authorize.
• The data is no longer necessary for the purposes for which they were collected.
• You decided to withdraw consent, or you object to its processing and there is no overriding legal ground for its processing.
• The data concerns information prejudicial to the data subject, unless justified by freedom of speech, of expression, or of the press, or otherwise authorized (by a court of law).
• The processing is unlawful.
• The personal information controller, or the personal information processor, violated your rights as data subject.

Example

In several cases, the need to balance this right with the freedom of
expression and public interest has been highlighted as follows:

 Melvin v. Reid (as published in
http://scholarship.law.berkeley.edu/cgi/viewcontent.cgi?article=1429&context=bjil)

“In Melvin v. Reid, decided in 1931, for example, a homemaker,
who had once worked as a prostitute and who had been wrongly
accused of murder, became the subject of a feature film (“The Red
Kimono”) seven years after her acquittal, based on the facts of her
trial. Although not specifically referencing a right to be forgotten, the
court, permitting suit against the film-maker, noted: “One of the major
objectives of society as it is now constituted, and of the administration
of our penal system, is the rehabilitation of the fallen and the
reformation of the criminal.” The court held that the unnecessary use
of the plaintiff’s real name inhibited her right to obtain rehabilitation.”

 Sidis v. F-R Publishing Corp.
(http://communication.oxfordre.com/view/10.1093/acrefore/9780190228613.001.0001/acrefore-9780190228613-e-189?rskey=Mr5AR5&result=1)

“Newsworthiness, or public interest, generally trumps privacy in the
United States. This fact was recognized as early as 1890, by Samuel
Warren and Louis Brandeis in their famous Harvard Law Review article,
“The Right to Privacy.” The principle was further reinforced in 1940,
when the U.S. Court of Appeals for the Second Circuit held that former
child prodigy William James Sidis, who had made great efforts to
become a private citizen again after having received extensive news
coverage as a young boy, could not prevail in a privacy action against
a magazine that featured him in a “Where Are They Now?” section. The
court held that the public retained a legitimate interest in knowing
whether Sidis had lived up to the intellectual promise of his youth.”

 Karnataka High Court Judgement
(http://lexinsider.com/a-high-court-gives-life-to-the-right-to-be-forgotten-right/)

“…the High Court of Karnataka after passing of the order on a criminal
matter which was relating to a complaint given by the Petitioner’s
daughter and filing a case in the High Court that her marriage never
happened with defendant. The petition was to annul the marriage
certificate and later the case was quashed on compromise between the
parties. In the same case Petitioner’s daughter name was requested to
be removed from the digital records of the High Court and also from
search engines including Google as it affected her relationship with her
husband and her reputation as well. The High Court ordered, “It should
be the endeavor of the Registry to ensure that any internet search
made in the public domain ought not to reflect the petitioner’s
daughter’s name in the cause-title of the order or in the body of the
order in the criminal petition.”, giving life to this right. However, it was
made clear that the name of the petitioner’s daughter would certainly be
reflected in the order copy.”

How to exercise your right to erasure (or blocking)

Execute a written request to the organization, addressed to its Data
Protection Officer (DPO), and have it received. In the letter, mention that
your request is being made in exercise of your right to erasure under the
Data Privacy Act of 2012, state which of the grounds above applies, and
attach the documents that support your request. The DPO must act on your
written request. If you feel your request has not been addressed
satisfactorily, you may file a formal complaint before the NPC, attaching
your request letter to the DPO.

Right to Damages
➢ Be indemnified for any damages sustained due to such inaccurate, incomplete,
outdated, false, unlawfully obtained or unauthorized use of personal information.

You may claim compensation if you suffered damages due to inaccurate,
incomplete, outdated, false, unlawfully obtained or unauthorized use of personal
data, considering any violation of your rights and freedoms as data subject.

Example

This example is from the United Kingdom, as published at:
http://www.nabarro.com/insight/briefings/2017/february/assessing-damages-for-data-protection-and-data-privacy/

“In October 2013, the Home Office published quarterly statistics about the
family returns process by which applicants who have children but who have
no right to remain in the UK are returned to their country of origin.

The Home Office uploaded anonymised statistics, but they also mistakenly
uploaded a spreadsheet of raw data on which those statistics were based.
This spreadsheet contained personal data and private information of
approximately 1,600 individuals, including their names, ages, nationality, the
fact of an asylum claim, the regional office which dealt with their case and
their immigration removal status.

This data remained online for nearly two weeks before it was removed but
during that time the webpage had been visited by IP addresses across the
UK and abroad. As a result, a small number of these individuals brought
claims for misuse of private information and breaches of the Data Protection
Act 1998 (DPA).

The defendant accepted that their accidental publication of personal data
amounted to a misuse of private and confidential information and a breach
of the DPA. It was not disputed that, subject to proof, damages were
recoverable for distress at common law and section 13 of the DPA, unless
Google Inc v Vidal-Hall is overturned.

The six individuals who brought the claims were awarded between £2,500
and £12,500 in damages for misuse of their private information and the
distress suffered as a result of the data breach.”

How to exercise your right to damages

Write or speak to the organization which mishandled your personal
information to see if you can reach an agreement and claim compensation. If
you feel that your concern has not been satisfactorily addressed, you should
write to the organization and inform them of your intent to take the matter
to court, before you start court proceedings. Talk to a legal adviser if you
want to make a claim in court.

The NPC has no role in dealing with compensation claims, but you may
request the NPC to assess whether the organization mishandled your personal
data and broke the Data Privacy Act. You can give a copy of the NPC’s letter to
the court along with the evidence to prove your claim. This, however, does not
guarantee that the judge will fully agree with the NPC’s view. You may also
require someone from the NPC to give expert evidence, which will only be
allowed if the judge orders it. The party calling the witness will have to
shoulder the corresponding cost.

Right to Data Portability

➢ The data subject shall have the right, where personal information is processed
by electronic means and in a structured and commonly used format, to obtain
from the personal information controller a copy of data undergoing processing in
an electronic or structured format, which is commonly used and allows for further
use by the data subject.
➢ The Commission may specify the electronic format referred to above, as well
as the technical standards, modalities and procedures for their transfer.

This right assures that YOU remain in full control of YOUR data. Data portability
allows you to obtain and electronically move, copy or transfer your data in a
secure manner, for further use. It enables the free flow of your personal
information across the internet and organizations, according to your preference.
This is important especially now that several organizations and services can reuse
the same data.

Data portability allows you to manage your personal data in your private device,
and to transmit your data from one personal information controller to another. As
such, it promotes competition that fosters better services for the public.
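The two requirements the right places on a controller are that the copy be in a commonly used, structured format and that it be limited to the data subject's own data undergoing processing. The following is an added example, written for this page and not code from the NPC or from any controller, showing how a controller might produce such a copy. The record store, the field names (including the "_" prefix for internal-only fields and the `referred_by` field that identifies another person) and the JSON envelope layout are all assumptions made for the example; the Data Privacy Act does not prescribe a format, and the Commission may specify one.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample record store for a hypothetical personal information
# controller. Identifiers, field names and values are invented for this example.
RECORDS = {
    "ds-1001": {
        "name": "Juan Dela Cruz",
        "email": "juan@example.com",
        "birthdate": "1990-05-14",
        "transactions": [
            {"date": "2019-01-03", "amount": 1250.00, "currency": "PHP"},
            {"date": "2019-02-11", "amount": 300.00, "currency": "PHP"},
        ],
        # Internal-only fields (assumed "_" prefix): the controller's own
        # assessments, which are not the subject's data for reuse elsewhere.
        "_fraud_score": 0.12,
        "_agent_notes": "called twice about statement",
        # A field that identifies a different data subject.
        "referred_by": "ds-2002",
    },
    "ds-2002": {"name": "Maria Santos", "email": "maria@example.com"},
}

# Fields never copied into an export: internal assessments and fields
# carrying other people's personal data (both sets are assumptions).
INTERNAL_PREFIX = "_"
THIRD_PARTY_FIELDS = {"referred_by"}


def select_portable_fields(record):
    """Keep only the data subject's own personal data from a record."""
    return {
        key: value
        for key, value in record.items()
        if not key.startswith(INTERNAL_PREFIX) and key not in THIRD_PARTY_FIELDS
    }


def canonical_json(obj):
    """Deterministic serialisation so the digest can be recomputed elsewhere."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def build_export(subject_id, records=RECORDS, exported_at=None):
    """Build a portability export: JSON, scoped to one subject, with a digest."""
    if subject_id not in records:
        raise KeyError(f"unknown data subject {subject_id}")
    data = select_portable_fields(records[subject_id])
    exported_at = exported_at or datetime.now(timezone.utc).isoformat()
    envelope = {
        "format": "application/json",
        "subject_id": subject_id,
        "exported_at": exported_at,
        "data": data,
    }
    # Digest over the envelope without the digest field itself.
    envelope["sha256"] = hashlib.sha256(
        canonical_json(envelope).encode("utf-8")
    ).hexdigest()
    return envelope


def verify_export(envelope):
    """Recompute the digest; False if any field changed after export."""
    received = envelope.get("sha256")
    body = {k: v for k, v in envelope.items() if k != "sha256"}
    expected = hashlib.sha256(canonical_json(body).encode("utf-8")).hexdigest()
    return received == expected


def to_portable_json(subject_id, records=RECORDS):
    """Human-readable JSON text of the export, ready to hand to the subject."""
    return json.dumps(build_export(subject_id, records), indent=2, ensure_ascii=False)


if __name__ == "__main__":
    print(to_portable_json("ds-1001"))
```

The digest only lets the subject or a receiving controller detect accidental corruption of the file; it is not a proof of origin, since anyone who alters the data can recompute it. If the receiving controller must be able to trust who produced the copy, the export needs a signature or a MAC under a key the recipient can check, which is one of the "technical standards, modalities and procedures for their transfer" the Commission may specify.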

Example

In case you want to close your Facebook account and leave the service, or
simply feel like you’ve shared a lot of information about your life and want a
backup of all your Facebook data, you may exercise your right to data
portability.

You may also exercise this right if you intend to get a usable copy of your
personal health records for the use of other doctors you may like to consult.
In banking, the right to data portability may be used to reduce the risks of
being locked-in with one single service provider, thereby expanding
customers’ options and improving customer experience.

How to exercise your right to data portability

Various online platforms have been making data portability an available and
instant option for their users. For instance, Facebook enabled its users to
readily download all their personal content and information, including wall
posts, status updates, photos, videos, and conversation threads. Currently,
users just have to click at the top right of any Facebook page and select
“Settings”, then click “Download a copy of your Facebook data” at the
bottom of “General Account Settings”, and click “Start My Archive”. Google
has a similar feature that readily allows its users to create an archive to keep
for their personal record or for use in another service.

If the personal information controller concerned does not yet have an
online data portability feature, you must execute a written request to the
organization, addressed to its Data Protection Officer (DPO), and have it
received. In the letter, mention that your request is being made in exercise
of your right to data portability under the Data Privacy Act of 2012, and
attach the documents that support your request. The DPO must act on
your written request. If you feel your request has not been addressed
satisfactorily, you may file a formal complaint before the NPC, attaching
your request letter to the DPO.

The right to file a complaint with the National Privacy
Commission

If you feel that your personal information has been misused, maliciously
disclosed, or improperly disposed, or that any of your data privacy rights
have been violated, you have a right to file a complaint with the NPC.

Transmissibility of Rights of the Data Subject

➢ The lawful heirs and assigns of the data subject may invoke the rights of the
data subject for which he or she is an heir or assignee at any time after the death
of the data subject or when the data subject is incapacitated or incapable of
exercising the rights as enumerated in the immediately preceding section.

Non-Applicability of the Rights of Data Subject

1. Processed personal information are used only for the needs of scientific and
statistical research and, on the basis of such, no activities are carried out and no
decisions are taken regarding the data subject.
2. Processing of personal information gathered for the purpose of investigations in
relation to any criminal, administrative or tax liabilities of a data subject.
