Right to be Informed

Plain English Translation

Data subjects have the right to request and receive confirmation of what personal data an organization holds about them, the sources of that data, the recipients with whom it has been shared, and how it has been processed. Organizations must respond to access requests within a reasonable timeframe and without charge for standard requests. This right ensures individuals can meaningfully monitor and verify how their personal data is being used.

Executive Takeaway

Organizations must provide comprehensive privacy notices detailing data processing activities before or immediately after collecting personal data.

ImpactHigh
ComplexityMedium

Why This Matters

  • Failing to provide adequate privacy notices violates fundamental data subject rights, inviting severe regulatory scrutiny and penalties.
  • Clear communication builds consumer trust and demonstrates a proactive commitment to data privacy and security.
  • Automated decision-making and profiling without proper prior disclosure can lead to immediate operational blocks by the National Privacy Commission.

What “Good” Looks Like

  • Public-facing privacy policies clearly articulate the nature, scope, and purpose of all data processing operations.
  • Consent flows and data capture forms include just-in-time notices linking to full privacy disclosures.
  • Internal data governance tracks exactly which version of a privacy notice a user acknowledged at the time of data collection, and tools like WatchDog Security's Policy Management can support version control and acceptance tracking.

Put Philippines DPA (2012) compliance + 19 others on autopilot

Starting at $99/admin/mo — includes all frameworks, evidence automation, and AI-powered gap analysis.

Start Free Trial No credit card required

Under the DPA, the right to be informed ensures data subjects know whether their personal data shall be, are being, or have been processed, including any automated processing.

Organizations must describe the personal data to be entered, the purposes of processing, the scope and method, recipients, automated access methods, controller identity, storage period, and the data subject's rights.

A privacy notice must include the data description, processing purposes, recipients, automated processing methods, the controller's contact details, data retention period, and a list of data subject rights.

The data subject must be notified before the entry of his or her personal data into the processing system of the personal information controller, or at the next practical opportunity.

Yes, the law requires notification to the data subject before the entry of their personal data into the processing system, especially when data is collected over a period of time.

Organizations must disclose the purpose in clear and simple language, specifying if the processing is for direct marketing, historical, statistical, scientific, or automated decision-making purposes.

It refers to providing a comprehensive description of what data is collected, why it is being used, how it will be processed (scope and method), and who will receive or have access to it.

Yes, if processing is partly or wholly automatic, organizations must inform the data subject about the methods utilized for automated access and the extent to which such access is authorized.

Companies comply by presenting a clear, simply written privacy notice at the point of data collection that outlines all legally required disclosures regarding data handling and subject rights.

Compliance evidence includes published privacy policies, consent forms with explicit privacy notices, just-in-time collection notices, and logs tracking user acknowledgment of the privacy policy.

Privacy notices often become inaccurate when new systems, vendors, or data uses are introduced without updating disclosures. Tools like WatchDog Security's Compliance Center can help teams track this control, collect supporting evidence, and identify gaps between documented privacy notices and actual compliance obligations.

Version history and acknowledgment records are important because regulators may ask what information was presented at the time of collection. Tools like WatchDog Security's Policy Management can support version control and acceptance tracking so teams can show which notice version was active and acknowledged.

PHILIPPINES-DPA IRR Section 34(a)

"The data subject has a right to know whether personal data pertaining to him or her shall be, are being or have been processed, and whether the processing is partly or wholly automatic. The data subject shall be notified and furnished the information indicated hereunder before the entry of his or her personal data into the processing system..."

VersionDateAuthorDescription
1.0.02026-05-06Compliance Content TeamInitial publication