Your Data Privacy Rights as an Employee Under RA 10173

Republic Act 10173, the Data Privacy Act of 2012 (DPA), protects the personal information of all individuals in the Philippines, including employees. The law is enforced by the National Privacy Commission (NPC), an independent body that investigates complaints and issues guidance on data protection. As an employee, you are a "data subject" under the law, meaning you have specific rights regarding how your employer collects, stores, uses, and shares your personal information. This applies to everything from your resume and government IDs to your biometric data and medical records.

Your rights as a data subject

The Data Privacy Act grants you several important rights. The right to be informed means your employer must tell you what data they collect, why they collect it, and how it will be used. The right to access means you can request a copy of your personal data held by your employer. The right to object means you can refuse certain types of data processing, especially if it goes beyond what is necessary for your employment. The right to erasure means you can request deletion of your data when it is no longer needed. The right to data portability means you can obtain your data in a format that allows you to transfer it elsewhere.

Consent in the employment context

Your employer generally needs a lawful basis to process your personal information. In employment, legitimate purposes include payroll processing, government benefit remittances, and compliance with labor laws. However, your employer cannot use your employment contract to authorize blanket data collection that goes beyond what is reasonably necessary. For example, a clause that says "the employee consents to any and all data collection by the employer" is overly broad and may not hold up under the DPA. Consent must be specific, informed, and freely given.

Employer obligations

Under the DPA, your employer is considered a "personal information controller" and has several obligations. They must implement reasonable security measures to protect your data from unauthorized access, loss, or destruction. They must have a written privacy policy that explains their data handling practices. They must appoint a Data Protection Officer (DPO) if they process sensitive personal information on a large scale. They must report data breaches to the NPC and affected employees within 72 hours of discovery. Failure to comply can result in administrative fines, criminal penalties, or both.

Workplace monitoring and surveillance

Many employment contracts include provisions for workplace monitoring, such as CCTV cameras, computer activity tracking, biometric attendance systems, and sometimes social media monitoring. While employers have legitimate interests in security and productivity, the DPA requires that any monitoring be proportionate to the purpose and that employees are clearly informed about what is being monitored and why. Hidden surveillance without notice, blanket monitoring of personal communications, or collecting biometric data without a clear policy may violate the law. If your contract includes monitoring clauses, they should be specific about the scope, purpose, and limitations.

What to do if your rights are violated

If you believe your employer has violated your data privacy rights, you have several options. Start by raising the issue with your company's Data Protection Officer, if one has been designated. If that does not resolve the matter, you can file a complaint directly with the National Privacy Commission through their online complaints portal. The NPC can investigate, mediate, and impose penalties. You may also seek damages through the courts if you suffered harm due to unauthorized processing, negligent handling, or a data breach involving your personal information.

Review your contract's data clauses with PlainDoc

Employment contracts increasingly include data collection, monitoring, and consent clauses that may affect your privacy rights. Upload your contract to PlainDoc and our AI will identify data privacy provisions, flag overly broad consent language, and check whether monitoring clauses comply with RA 10173 standards. Understand what you are agreeing to before you sign.