
Data Subject Rights

Definition

Data subject rights are the rights individuals have over personal information that an organization collects, uses, stores, shares, or deletes. Under the Philippines Data Privacy Act of 2012 and related National Privacy Commission guidance, these rights include being informed, objecting to processing, accessing personal information, correcting inaccuracies, requesting erasure or blocking where applicable, data portability, and seeking damages when privacy rights are violated. Equivalent concepts appear in many other privacy frameworks, although the scope, exceptions, and response timelines may differ. In an information security and GRC context, data subject rights are not only a privacy obligation; they also require reliable identity verification, clear request intake, documented workflows, secure data discovery, approval controls, response tracking, and evidence retention. Organizations should define who receives requests, how requests are validated, how relevant systems are searched, how exceptions are reviewed, and how responses are delivered securely. A mature process reduces legal, operational, and reputational risk by making privacy rights requests consistent, auditable, and aligned with applicable regulations, contracts, and internal governance requirements.

Real-World Examples

Access Request Workflow

A SaaS startup receives a request from a user asking for a copy of personal information associated with their account and coordinates identity verification, system search, review, and secure response delivery.

Correction of Personal Data

A fintech SMB updates inaccurate customer profile details after validating the requester and confirming that downstream systems and audit records reflect the corrected information.

Deletion Request Review

A manufacturer receives a deletion or blocking request from a former customer and reviews retention obligations before deleting eligible records and documenting any information that must be retained.

Enterprise Request Register

A large organization maintains a central register of privacy rights requests, response dates, owners, verification steps, exceptions, and evidence for internal review.

Data subject rights are rights individuals have over personal information held by an organization. Under the Philippines Data Privacy Act, they include rights such as being informed, objecting to processing, accessing information, correcting inaccuracies, erasure or blocking where applicable, data portability, and damages for privacy violations.

A data subject access request (DSAR) is a request from an individual asking an organization to confirm whether it holds their personal information and to provide access to the relevant information. Organizations typically need a defined process for verification, search, review, and secure response.

Under the Philippines Data Privacy Act, individuals may exercise rights such as the right to be informed, object, access, correct, erase or block personal information where applicable, obtain data portability, and claim damages. The exact handling of each right depends on the request, applicable exceptions, and organizational obligations.

An organization should log the request, verify the requester’s identity, determine the applicable right, locate relevant personal information, review exceptions, prepare a clear response, and deliver the response securely. Each step should be documented for accountability.

A DSAR response should usually include the personal information in scope, relevant context about how it is used, and any required explanations about retention, sharing, or limitations. Sensitive information about other individuals should be reviewed and protected before disclosure.

Response timelines depend on the Philippines Data Privacy Act, National Privacy Commission rules or guidance, contract obligations, and internal policy. GRC teams should maintain a documented deadline tracker, escalation process, and evidence trail so requests are handled consistently and within required timeframes.

An organization may be able to refuse or limit a request when an exception applies, such as inability to verify identity, conflict with retention obligations, excessive or unfounded requests, or protection of another person’s rights. The decision should be reviewed and documented.

Data subject rights and consumer privacy rights are closely related concepts. The term data subject rights is used in the Philippines Data Privacy Act and many privacy programs, while consumer privacy rights may refer to rights granted to individuals in customer or consumer contexts under other privacy laws.

Data subject rights affect security and GRC because organizations need reliable identity verification, access controls, data inventory, retention rules, workflow ownership, and evidence records. Poorly managed requests can create privacy, security, legal, and reputational risk.

Organizations should retain records of the request date, requester identity verification, request type, systems searched, decision rationale, response date, exceptions applied, approvers, and evidence of secure fulfillment. Retention should follow internal policy and applicable requirements.
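The intake workflow described above (log, verify identity, search, review exceptions, respond) and the evidence records listed here can be enforced by a small request register rather than left to a spreadsheet. The following is an added example, not WatchDog GRC's own tooling; the step names, the SLA_DAYS placeholder (the page gives no statutory deadline) and the hash-chained evidence log are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib

# Workflow steps in the order the page describes; an assumed model, not a statutory list.
STEPS = ("logged", "verified", "searched", "reviewed", "responded")
SLA_DAYS = 30  # placeholder; set to the deadline your counsel or NPC guidance gives

def _link(prev: str, actor: str, note: str) -> str:
    return hashlib.sha256(f"{prev}|{actor}|{note}".encode()).hexdigest()

@dataclass
class Request:
    request_id: str
    right: str            # "access", "correction", "erasure", ...
    received: str         # ISO date, e.g. "2026-05-10"
    state: str = "logged"
    exceptions: list = field(default_factory=list)
    evidence: list = field(default_factory=list)  # append-only, hash chained

    def __post_init__(self) -> None:
        self._log("intake", f"{self.right} request logged")
    def due(self) -> str:
        return (date.fromisoformat(self.received) + timedelta(days=SLA_DAYS)).isoformat()
    def overdue(self, today: str) -> bool:
        return self.state != "responded" and today > self.due()  # ISO dates sort as strings
    def _log(self, actor: str, note: str) -> None:
        prev = self.evidence[-1]["hash"] if self.evidence else "0" * 64
        self.evidence.append({"actor": actor, "note": note, "hash": _link(prev, actor, note)})

    def advance(self, to: str, actor: str, note: str) -> None:
        # One step forward at a time: search or disclosure cannot be recorded
        # before identity verification has been logged.
        if STEPS.index(to) != STEPS.index(self.state) + 1:
            raise ValueError(f"cannot move from {self.state} to {to}")
        self.state = to
        self._log(actor, f"{to}: {note}")

    def record_exception(self, reason: str, approver: str) -> None:
        self.exceptions.append({"reason": reason, "approver": approver})
        self._log(approver, f"exception approved: {reason}")

def evidence_intact(req: Request) -> bool:
    # Recompute the chain: an edited entry, or one removed from the middle, breaks it.
    prev = "0" * 64
    for e in req.evidence:
        if e["hash"] != _link(prev, e["actor"], e["note"]):
            return False
        prev = e["hash"]
    return True
```

Persist the register and its evidence entries in storage that ordinary request handlers cannot rewrite, so the chain check means something at audit time.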

Version  Date        Author             Description
1.0.0    2026-05-10  WatchDog GRC Team  Initial publication