How to Request Deletion of Personal Data Under the Data Privacy Act

In the Philippines, a person may, in many situations, request the deletion, blocking, or removal of personal data under the Data Privacy Act of 2012 and its implementing rules. But the right is not absolute. That is the first and most important rule. A person does not have an unlimited power to force every company, school, employer, lender, hospital, app, or government office to erase all information on demand. The law gives data subjects real rights, but it also recognizes lawful grounds for retention.

So the proper legal question is not simply, “Can I force them to delete my data?” The better question is:

Do I have a valid ground to demand deletion, and does the personal information controller still have a lawful reason to keep it?

That is the heart of the issue under Philippine data privacy law.

The legal basis: the right to suspend, withdraw, or order the blocking, removal, or destruction of personal data

Under Philippine data privacy law, the data subject has a recognized right, in appropriate cases, to:

  • suspend,
  • withdraw,
  • or order the blocking, removal, or destruction of personal data

from the filing system of a personal information controller.

This is often discussed as the right to erasure or blocking, though Philippine law tends to use the language of blocking, removal, or destruction rather than relying only on the international shorthand “right to be forgotten.”

This right applies when legal grounds for deletion exist. But it operates within the limits of the law, not outside it.

The first distinction: deletion is not always literal total erasure everywhere

When people say “delete my data,” they often mean complete disappearance from all systems, backups, archives, printed records, email threads, and legal files. In practice, the law may produce different results depending on the context.

A valid request may lead to:

  • actual deletion from active systems;
  • blocking or suppression from active use;
  • removal from publicly visible or unnecessary processing;
  • destruction of records no longer lawfully needed;
  • or restricted retention only for lawful compliance purposes.

So a successful request does not always mean absolute total digital disappearance. Sometimes it means the organization must stop using the data for ordinary purposes and retain it only where the law still requires retention.

Who may request deletion

The person who may request deletion is generally the data subject—the individual whose personal data is being processed. In some cases, a lawful representative may act for the data subject, such as:

  • a parent for a minor child,
  • a legal guardian,
  • an attorney-in-fact,
  • or another properly authorized representative.

The requesting party should be prepared to prove identity and authority. A company or institution is not required to delete data merely because an unknown email sender demands it.

Against whom may the request be made

A deletion request is usually directed to the entity controlling the processing of the data, commonly called the personal information controller. This may include, depending on the case:

  • employers,
  • schools,
  • hospitals,
  • banks,
  • lenders,
  • e-commerce platforms,
  • telecommunications companies,
  • property managers,
  • online apps,
  • insurance companies,
  • membership organizations,
  • or government offices, though government processing can involve special legal retention duties.

In some situations, the request may also involve a personal information processor, but the usual direct legal relationship is with the controller deciding why and how the data is processed.

The basic grounds for requesting deletion

A data subject may have a valid basis to request blocking, removal, or destruction of personal data in situations such as these:

  • the personal data is incomplete, outdated, false, or unlawfully obtained;
  • the personal data is being used for a purpose not authorized by the data subject;
  • the data is no longer necessary for the purpose for which it was collected;
  • the data subject has withdrawn consent, where consent was the valid basis for the processing;
  • the processing is unlawful;
  • the rights of the data subject have been violated;
  • or retention is no longer justified under the law, contract, or legitimate purpose originally invoked.

These grounds matter because the request should ideally identify why deletion is being demanded, not merely insist on it emotionally.

Consent-based processing: one of the strongest deletion situations

If the organization is processing personal data mainly on the basis of the data subject’s consent, then withdrawal of that consent can be a powerful ground for requesting deletion or blocking.

This is common in situations like:

  • marketing databases,
  • optional promotional subscriptions,
  • app permissions not essential to the service,
  • mailing lists,
  • membership publicity,
  • optional profile display features,
  • and non-essential commercial processing.

Where consent is the true legal basis, and no other lawful basis remains, the organization’s continued use of the data becomes much harder to justify once consent is withdrawn.

But this point has an important limit: if the organization has another lawful basis besides consent—such as legal obligation, contract necessity, or legitimate interest—withdrawal of consent may not erase all retention rights.

When deletion is strongest: data is no longer necessary

One of the clearest grounds for deletion is that the data is no longer necessary for the purpose for which it was collected.

Examples may include:

  • an online account long closed where no legal retention duty remains;
  • job applicant records retained long after the hiring process ended, without lawful basis;
  • visitor logs kept far beyond reasonable necessity;
  • photos or promotional materials used after consent was withdrawn and no lawful purpose remains;
  • customer records held for unnecessary secondary uses after the transaction ended.

In these situations, the request should emphasize that the original purpose has ended and there is no longer a lawful need to continue keeping or using the data.

When the data is inaccurate or unlawfully obtained

Deletion may also be sought where the personal data is:

  • false,
  • inaccurate,
  • unlawfully gathered,
  • or processed in violation of privacy rules.

For example, a person may ask that data be removed if:

  • the organization scraped it without proper basis;
  • a lender harvested it from unauthorized phone contact access;
  • a platform is displaying incorrect personal information;
  • or a third party is keeping data obtained through deception or unlawful disclosure.

In these cases, the request should clearly explain the nature of the inaccuracy or unlawful acquisition.

The major limit: deletion is not allowed where retention is required by law

This is one of the most important exceptions. A person cannot always compel deletion if the organization is required by law to keep the records.

Common examples include records kept for:

  • tax compliance,
  • anti-money laundering obligations,
  • employment and payroll retention,
  • accounting and audit purposes,
  • corporate recordkeeping,
  • school records,
  • medical records,
  • litigation hold or legal defense,
  • court or regulatory compliance,
  • and government-mandated archival duties.

If a company still has a legal obligation to retain certain data, it may lawfully refuse total deletion—even if the person wants it erased. However, the organization may still have to:

  • stop using the data for unnecessary purposes,
  • limit processing,
  • block access beyond what is legally needed,
  • or explain clearly why retention continues.

So the correct answer is often not full deletion, but lawful limited retention only.

Contract-related retention: another major exception

Deletion is also weaker where the data is still needed for performance, completion, or defense of a contract.

For example, a person cannot necessarily demand immediate deletion of all data while:

  • a loan remains outstanding,
  • a service dispute is pending,
  • a warranty period is open,
  • an employment claim is being handled,
  • or a commercial transaction remains unresolved.

An organization may need to retain personal data to:

  • perform contractual obligations,
  • prove performance,
  • respond to legal claims,
  • and protect its lawful interests.

Again, this does not always justify unlimited use. But it may justify continued retention.

Government records are especially difficult to erase

Requests directed at government offices require particular caution. Government agencies often hold data not merely by consent, but because of legal duty, public function, records law, or administrative obligation. This means a request for deletion may be harder to enforce against government-held records than against commercial marketing databases.

A citizen may still assert privacy rights against unlawful or excessive government processing. But many government records cannot simply be erased on demand where the law requires retention or where the records form part of official public or administrative files.

Deletion from marketing versus deletion from core records

A very useful practical distinction is this:

Easier to delete or suppress

  • marketing lists,
  • optional newsletters,
  • promotional contact databases,
  • public-facing profile displays,
  • non-essential app permissions,
  • and non-mandatory publicity materials.

Harder to delete completely

  • transaction records,
  • tax-related data,
  • employment records,
  • medical records,
  • school records,
  • loan files,
  • legal case files,
  • government compliance records.

So a deletion request is usually strongest where the data is being used for secondary, optional, or no-longer-necessary purposes rather than core legal compliance.

The right to object and the right to erasure often work together

Sometimes the better strategy is not to demand deletion in the abstract, but to combine:

  • a request to stop processing for certain purposes,
  • a withdrawal of consent,
  • and a request for deletion or blocking of data no longer needed.

For example, if a company lawfully retains your transaction records for accounting, you may still demand that it:

  • stop sending marketing materials,
  • remove your name from promotional databases,
  • and block unnecessary sharing.

This approach is often more legally realistic and more likely to succeed.

What the request should contain

A strong deletion request should be in writing and should identify:

  • your full name and contact details;
  • the personal data involved;
  • the organization holding the data;
  • the specific request: blocking, deletion, removal, destruction, or limited retention only;
  • the legal basis for the request, such as withdrawal of consent, no longer necessary, unlawful processing, or inaccurate data;
  • the exact systems or uses you want stopped if known;
  • and a request for confirmation of action taken.

The request should be clear, factual, and specific. A vague message saying “remove everything about me” is weaker than a structured demand.

Proof of identity is usually required

Organizations are generally allowed—and often required—to verify the identity of the requesting person before acting. This protects against fraudulent deletion requests. A company should not delete or disclose records just because someone sends a bare email with a name.

So a requester should expect to provide:

  • valid ID,
  • account details,
  • or other reasonable verification.

But the organization should also handle that verification process lawfully and proportionately.

The role of the Data Protection Officer

Many organizations subject to Philippine data privacy law have a Data Protection Officer (DPO) or at least a designated privacy contact point. In practice, the deletion request should usually be sent to:

  • the DPO,
  • the privacy team,
  • the official privacy email,
  • or the unit identified in the company’s privacy notice.

Sending the request to the wrong office can cause delay. If the organization has a privacy notice or data privacy portal, use the channel it identifies.

A privacy notice matters

Before making the request, it is often helpful to read the organization’s privacy notice. This document may reveal:

  • what data they collect;
  • why they collect it;
  • how long they retain it;
  • who they share it with;
  • and how data subject rights requests may be submitted.

The privacy notice does not override the law, but it helps identify the organization’s claimed legal basis. That, in turn, helps you frame the deletion request properly.

When organizations may lawfully refuse deletion

A controller may lawfully refuse total deletion where:

  • retention is required by law;
  • the data is needed for an ongoing contract;
  • the data is needed for legal claims or defense;
  • retention is required for public authority functions;
  • the request is unfounded, excessive, or unverifiable;
  • or the legal basis for deletion is not established.

But even where deletion is refused, the organization should not simply ignore the request. It should explain the reason for refusal and the extent to which it can at least block, restrict, or limit the data instead.

Deletion does not always mean destruction of all backups immediately

A practical issue arises with backups, archived systems, and disaster recovery copies. A valid deletion request may not always require instant purging of every backup tape or system image, especially where the organization has lawful retention and technical integrity obligations. But it should still lead to:

  • removal from active use where proper,
  • restriction of ordinary processing,
  • and compliance with the law’s limits on further use.

So technical backup existence does not automatically defeat a deletion request, but it may affect how deletion is implemented.

If the organization ignores the request

If the organization ignores, rejects, or mishandles the request, the data subject may escalate the matter. The first step is often to send a follow-up and ask for a written explanation. If the refusal remains unlawful or the organization clearly violates data subject rights, the matter may be raised before the appropriate privacy enforcement channel, especially the National Privacy Commission (NPC).

At that stage, documentation matters greatly. Keep:

  • your original request,
  • proof of receipt,
  • follow-up messages,
  • the organization’s response,
  • and screenshots or copies showing continued unlawful processing.

If the data has already been publicly posted or disclosed

When personal data is publicly exposed online, the deletion request should be more urgent and more specific. The requester should ask for:

  • takedown of the public content,
  • removal from public access,
  • deletion from searchable display where applicable,
  • cessation of unauthorized sharing,
  • and confirmation of action taken.

Public exposure cases often involve stronger urgency because the privacy harm is ongoing and visible.

If the request involves a lender or online lending app

This is a major Philippine issue. If a lender or online lending app processed personal data unlawfully—especially by:

  • scraping contacts,
  • messaging third parties,
  • posting names,
  • using photos without basis,
  • or retaining unnecessary personal information after the transaction—

the data subject may have strong grounds to request deletion or blocking of unlawfully processed data, especially for non-essential and abusive uses.

But if the person still has an outstanding loan, the lender may still argue for lawful retention of core account records. So the stronger demand may be:

  • stop unlawful use,
  • stop disclosure,
  • remove third-party contact harassment,
  • and delete unnecessary or unlawfully obtained data.

If the request involves an employer

A current or former employee may request deletion of some personal data, but employer records are not all equally deletable. An employer usually has lawful retention reasons for records such as:

  • payroll,
  • tax,
  • attendance,
  • disciplinary records,
  • contracts,
  • and government compliance files.

But the employee may still have valid grounds to request deletion of:

  • unnecessary profile data,
  • expired application materials,
  • non-essential internal publicity items,
  • old access credentials,
  • and optional processing based only on consent.

So employment-related deletion requests must be carefully targeted.

If the request involves schools or hospitals

Schools and hospitals usually have strong legal grounds to retain many records because of legal, professional, educational, and public-interest duties. A student or patient may still assert privacy rights, but complete erasure is often harder where the records form part of core institutional records.

The request may still succeed for:

  • unnecessary publication,
  • unauthorized disclosure,
  • outdated portal access,
  • or non-essential processing not required by law.

But not every school or medical record is erasable on demand.

If the request involves social media platforms or apps

For online platforms, the issue often turns on:

  • account deletion tools,
  • consent withdrawal,
  • profile removal,
  • public visibility,
  • and whether the platform is still lawfully retaining backend records for legal and security reasons.

A user may often demand closure and removal of public-facing data, but the platform may still retain some records for lawful compliance and defense purposes. Again, deletion is often partial and purpose-limited rather than absolute annihilation of all traces.

A written request is usually better than a phone call

A deletion request should ideally be made in a durable written form such as:

  • email,
  • webform with screenshot proof,
  • formal letter,
  • or official privacy portal submission.

Phone calls are weak because they are hard to prove later. Written requests create a record of:

  • date,
  • content,
  • legal basis,
  • and response.

What a good request sounds like

A strong request is usually calm, specific, and legal in tone. It identifies:

  • the data,
  • the purpose that should stop,
  • the legal basis,
  • the action requested,
  • and the expectation of written response.

Threatening or emotional language is less effective than precise privacy reasoning.

Keep your expectations realistic

A person should not expect that every valid request will lead to total deletion of all records immediately. In many lawful situations, the realistic result is:

  • deletion from active systems where no longer needed;
  • withdrawal from marketing or optional processing;
  • blocking from public visibility;
  • or retention only for legally required purposes.

That still matters. Limited lawful retention is very different from unrestricted continued use.

Common mistakes people make

Several mistakes repeatedly weaken deletion requests:

  • failing to identify the exact data or purpose involved;
  • demanding total deletion where the law clearly allows retention;
  • not withdrawing consent expressly when consent was the basis;
  • sending the request to the wrong office;
  • failing to prove identity;
  • relying only on phone calls;
  • and not preserving evidence of the request and response.

A good request is structured, realistic, and documented.

The most useful practical sequence

A sound sequence usually looks like this:

First, identify the organization holding the data.

Second, identify the legal basis for your request:

  • withdrawal of consent,
  • no longer necessary,
  • unlawful processing,
  • inaccurate data,
  • or rights violation.

Third, read the privacy notice and locate the DPO or privacy contact.

Fourth, send a written request for deletion, blocking, or removal.

Fifth, ask for written confirmation of action taken or reason for refusal.

Sixth, if the response is unlawful or inadequate, preserve all records and consider formal escalation through the proper privacy enforcement channels.

Bottom line

In the Philippines, you may request deletion, blocking, removal, or destruction of personal data under the Data Privacy Act, but the right is not absolute. It is strongest where the data is no longer necessary, was processed on the basis of consent that has now been withdrawn, was unlawfully obtained or unlawfully used, or is inaccurate or excessive. But organizations may lawfully refuse total deletion where the data must still be retained for legal, contractual, regulatory, or public-interest reasons.

The most important legal principle is simple: you can demand deletion only to the extent that the organization no longer has a lawful basis to keep or use your data.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login