WikiFrameworksPhilippines DPA (2012)Right to Erasure/Blocking

Right to Erasure/Blocking

Plain English Translation

Data subjects may demand the suspension, blocking, removal, or destruction of their personal data where it is incomplete, outdated, false, unlawfully obtained, or being used for an unauthorized purpose. This right of erasure and blocking must be supported by a documented process for reviewing and acting on valid requests. Controllers must notify relevant third parties of any blocking or erasure that has taken place.

Executive Takeaway

Organizations must facilitate the blocking, removal, or destruction of personal data upon receiving a valid request demonstrating the data is obsolete, unlawful, or unauthorized.

ImpactHigh
ComplexityHigh

Why This Matters

  • Failing to honor valid erasure requests violates core provisions of the Philippines Data Privacy Act, inviting severe administrative fines.
  • Retaining unnecessary or unlawfully obtained personal data unnecessarily expands the organization's attack surface in the event of a security breach.
  • Demonstrating compliance with data deletion requests builds consumer trust and reinforces strong data governance.

What “Good” Looks Like

  • A streamlined, verifiable process is in place to intake and handle data subject deletion and blocking requests effectively; tools like WatchDog Security's Compliance Center can help centralize request evidence, ownership, and resolution status.
  • Data architecture explicitly supports both 'soft deletes' (blocking) and 'hard deletes' (destruction) across all primary databases and backups.
  • Automated scripts or structured internal procedures notify third-party recipients to similarly erase the subject's data when required; tools like WatchDog Security's Vendor Risk Management can help track which processors or vendors require follow-up.

Put Philippines DPA (2012) compliance + 19 others on autopilot

Starting at $99/admin/mo — includes all frameworks, evidence automation, and AI-powered gap analysis.

Start Free Trial No credit card required

It is the right of a data subject to suspend, withdraw, or order the blocking, removal, or destruction of their personal data from a personal information controller's filing system.

A data subject can request deletion upon discovery and substantial proof that their data is incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes, or no longer necessary.

Any personal data that is proven to be incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes, or no longer necessary for its original declared purpose.

The company must verify the requestor's identity, evaluate the provided proof, and upon validation, promptly block or destroy the data across all systems, while logging the actions taken.

The data subject must present substantial proof demonstrating that the data falls under the specific statutory conditions, such as evidence that it is outdated, false, or unlawfully obtained.

While the statute does not explicitly use the term 'right to be forgotten,' the right to erasure, removal, or destruction of personal data provides a very similar protective mechanism.

Yes, a company can legitimately refuse if the data is still strictly necessary for the performance of a contract, a legal obligation, dispute resolution, or if the request is deemed vexatious.

While the DPA does not always state a specific day count for every request type, organizations are required to act immediately or within a reasonable timeframe as defined by general NPC guidelines.

Blocking restricts further processing without deleting the data, removal takes it out of active systems, and destruction permanently obliterates the data so it cannot be recovered.

Organizations should maintain a comprehensive Data Subject Request Log detailing the request date, identity verification, technical actions taken, and notifications sent to third parties. Tools like WatchDog Security's Compliance Center can help retain evidence of request handling, approvals, and completion status for audit review.

Erasure requests often fail when teams cannot prove intake, review, approval, deletion actions, and third-party notices were handled consistently. Tools like WatchDog Security's Compliance Center can centralize control ownership, request evidence, action logs, and framework mappings so the organization can demonstrate a repeatable process.

Approved erasure or blocking requests may require notifying processors, vendors, or other recipients that previously received the data. Tools like WatchDog Security's Vendor Risk Management can maintain a vendor catalog, processor relationships, and follow-up records so third-party notification obligations are easier to track.

PHILIPPINES-DPA IRR Section 34(e)

"The data subject shall have the right to suspend, withdraw or order the blocking, removal or destruction of his or her personal data from the personal information controller’s filing system."

PHILIPPINES-DPA IRR Section 34(e)(1)

"This right may be exercised upon discovery and substantial proof that: (a) The personal data is incomplete, outdated, false, or unlawfully obtained; (b) The personal data is being used for purpose not authorized..."

VersionDateAuthorDescription
1.0.02026-05-06Compliance Content TeamInitial publication