Right to Access
Plain English Translation
Data subjects may access the personal data held about them, including information on its sources, recipients, and how it has been processed. Controllers must provide this information upon demand, subject to limitations for data used in research, legal investigations, or tax proceedings. This right of access enables individuals to verify accuracy and identify unlawful use of their data.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Create a standardized web form and dedicated email address for users to request access to their data.
- Manually verify the requestor's identity and query primary databases to gather their information.
Required Actions (scaleup)
- Implement a centralized ticketing system specifically for handling Data Subject Access Requests (DSARs) within statutory deadlines.
- Develop internal scripts or tools to quickly retrieve user data, sources, and recipient logs across multiple databases.
Required Actions (enterprise)
- Deploy an automated self-service portal where verified users can securely download their data in a structured format without manual intervention.
- Integrate data mapping tools that automatically trace and compile the lineage (sources) and sharing history (recipients) of the individual's data.
Under RA 10173, the right to access entitles a data subject to obtain, upon demand, reasonable access to the contents of their processed personal data and details about its processing.
A data subject can request the contents of their data, sources, names of recipients, manner of processing, reasons for disclosure, details on automated decisions, date of last access/modification, and the controller's identity.
The organization must verify the requestor's identity, gather the required personal data and processing details, and provide it in a comprehensible format within a reasonable timeframe.
Reasonable access means providing the requested personal data and processing details in a timely, secure, and accessible manner without creating undue burdens on the data subject, unless the request is vexatious.
Yes, the Data Privacy Act explicitly grants data subjects the right to demand access to the sources from which their personal data were obtained.
Yes, the law requires personal information controllers to provide the names and addresses of recipients to whom the personal data was disclosed.
Organizations must explain the specific purposes and justifications for sharing the data subject's personal information with any third-party recipients.
The personal information controller, typically overseen by the designated Data Protection Officer (DPO), is responsible for managing and fulfilling access requests.
Yes, an organization can deny a request if it is vexatious, otherwise unreasonable, or if an exception applies, such as data processed strictly for scientific research or ongoing criminal investigations.
Companies should maintain a Data Subject Request Log detailing the receipt, evaluation, and resolution of all access requests, along with written DSAR policies and identity verification records. WatchDog Security's Compliance Center can help organize these artifacts against the RA 10173 control so compliance teams can show request handling evidence during reviews.
Right-to-access requests can fail when ownership, deadlines, evidence, and approvals are tracked across email threads or spreadsheets. WatchDog Security's Compliance Center can help centralize DSAR-related control tasks, evidence collection, gap tracking, and audit-ready records so teams can demonstrate that access requests are handled consistently.
Providing access to personal data creates a security risk if files are sent through unencrypted email or shared with the wrong person. WatchDog Security's Secure File Sharing can support encrypted delivery, TOTP verification, and audit logs so organizations can document how requested data was shared securely.
"The data subject has the right to reasonable access to, upon demand, of the following: 1. Contents of his or her personal data that were processed; 2. Sources from which personal data were obtained; 3. Names and addresses of recipients of the personal data; 4. Manner by which such data were processed..."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-06 | Compliance Content Team | Initial publication |

