In this case, Respondent Paymaya Philippines, Inc is hereby ORDERED to furnish the Complainant MGLB the name of the recipient of her personal information in compliance with Section 16 (c) (3) of the Data Privacy Act, and pay the Complainant the amount of Forty Thousand (P40,000) Pesos as nominal damages to vindicate Complainant’s right to access, which was violated by Respondent.
In the instant case, in the exercise of her right to access, Complainant merely seeks to obtain the information of the recipient of her personal information.
Complainant, as data subject, should be entitled to access the information of the recipient of her personal information considering that the money transfer receipts of Respondent only contains a transaction number and does not contain the name of the recipient of Complainant’s personal information to enable her to identify as to whom a criminal case should be filed against.
Respondent’s excessive or stringent requirement to complainant, with regard to the Complainant’s request for the information of the account holder of the Respondent involved in the subject incident of alleged scam, violated the latter’s right to access. Its requirement of compelling Complainant to produce a court order prior to the release of the requested information creates a high barrier that effectively impedes the rights vested by the DPA to the latter as a data subject.
In order for Complainant to secure a court order, there must necessarily first be a court proceeding. However, before there can be any court proceeding or in order for Complainant to initiate a criminal case against the Seller, the Complainant needs the information as to whom her personal data was disclosed in order to know against whom she should file a criminal case against.
In the case of NPC 17-018 dated 15 July 2019, this Commission held that “processing as necessary for the establishment of legal claims” does not require an existing court proceeding. To require a court proceeding for the application of Section 13(f) to this instance would not only be to disregard the distinction provided in the law but the clear letter of the law as well. After all, the very idea of “establishment … of legal claims” presupposes that there is still no pending case since a case will only be filed once the required legal claims have already been established.”
Based on the foregoing, the disclosure to be made by the Respondent of the information of the recipient of Complainant’s personal information, for purposes of identification of the person liable for the alleged fraud, sans the latter’s consent, is necessary for the protection of the lawful rights and interests of the Complainant as contemplated by Section 13 (f) of the DPA.
It should be stressed, however, that having a legitimate purpose or some other lawful criteria to process does not result in the PIC granting all request to access by the data subjects. Such requests should be evaluated on a case to case basis and must always be subject to the PIC’s guidelines for the release of such information.
Aside from legitimate purpose, the qualifier “necessary” also pertains to the general privacy principle of proportionality. Under the IRR, the processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.