Right to Access

Plain English Translation

Data subjects may access the personal data held about them, including information on its sources, recipients, and how it has been processed. Controllers must provide this information upon demand, subject to limitations for data used in research, legal investigations, or tax proceedings. This right of access enables individuals to verify accuracy and identify unlawful use of their data.

Executive Takeaway

Organizations must grant individuals reasonable access to their personal data, including its sources, recipients, and the reasons for any disclosure.

ImpactHigh
ComplexityMedium

Why This Matters

  • Failing to honor access requests violates core data privacy rights and invites regulatory penalties from the NPC.
  • Transparency regarding data sources and recipients builds customer trust and reduces the risk of privacy complaints.
  • A formal access mechanism prevents operational bottlenecks when responding to a high volume of consumer inquiries.

What “Good” Looks Like

  • A dedicated, easy-to-use portal exists for individuals to submit data subject access requests.
  • The organization maintains a comprehensive Data Subject Request Log to track response timelines and outcomes; tools like WatchDog Security's Compliance Center can help link those records to control evidence and remediation tasks.
  • Identity verification processes are in place to ensure data is only disclosed to the verified data subject, and tools like WatchDog Security's Secure File Sharing can provide encrypted delivery, verification, and audit logs for sensitive responses.

Put Philippines DPA (2012) compliance + 19 others on autopilot

Starting at $99/admin/mo — includes all frameworks, evidence automation, and AI-powered gap analysis.

Start Free Trial No credit card required

Under RA 10173, the right to access entitles a data subject to obtain, upon demand, reasonable access to the contents of their processed personal data and details about its processing.

A data subject can request the contents of their data, sources, names of recipients, manner of processing, reasons for disclosure, details on automated decisions, date of last access/modification, and the controller's identity.

The organization must verify the requestor's identity, gather the required personal data and processing details, and provide it in a comprehensible format within a reasonable timeframe.

Reasonable access means providing the requested personal data and processing details in a timely, secure, and accessible manner without creating undue burdens on the data subject, unless the request is vexatious.

Yes, the Data Privacy Act explicitly grants data subjects the right to demand access to the sources from which their personal data were obtained.

Yes, the law requires personal information controllers to provide the names and addresses of recipients to whom the personal data was disclosed.

Organizations must explain the specific purposes and justifications for sharing the data subject's personal information with any third-party recipients.

The personal information controller, typically overseen by the designated Data Protection Officer (DPO), is responsible for managing and fulfilling access requests.

Yes, an organization can deny a request if it is vexatious, otherwise unreasonable, or if an exception applies, such as data processed strictly for scientific research or ongoing criminal investigations.

Companies should maintain a Data Subject Request Log detailing the receipt, evaluation, and resolution of all access requests, along with written DSAR policies and identity verification records. WatchDog Security's Compliance Center can help organize these artifacts against the RA 10173 control so compliance teams can show request handling evidence during reviews.

Right-to-access requests can fail when ownership, deadlines, evidence, and approvals are tracked across email threads or spreadsheets. WatchDog Security's Compliance Center can help centralize DSAR-related control tasks, evidence collection, gap tracking, and audit-ready records so teams can demonstrate that access requests are handled consistently.

Providing access to personal data creates a security risk if files are sent through unencrypted email or shared with the wrong person. WatchDog Security's Secure File Sharing can support encrypted delivery, TOTP verification, and audit logs so organizations can document how requested data was shared securely.

PHILIPPINES-DPA IRR Section 34(c)

"The data subject has the right to reasonable access to, upon demand, of the following: 1. Contents of his or her personal data that were processed; 2. Sources from which personal data were obtained; 3. Names and addresses of recipients of the personal data; 4. Manner by which such data were processed..."

VersionDateAuthorDescription
1.0.02026-05-06Compliance Content TeamInitial publication