Data privacy and the right to inspect corporate records
By: Atty. Elaisha Nelle C. Espinosa on March 27,2025
DATA privacy is a key pillar of corporate governance. As companies store personal data in their business activities, harmonizing corporate and data privacy laws becomes more important not only to ensure proper compliance, but also to build trust among stakeholders.
Section 73 of the Revised Corporation Code (RCC) grants any director, trustee, stockholder, or member of the corporation the right to inspect corporate records, provided the following safeguards are met: the inspection is done during reasonable business hours; it is done at the expense of the requesting party; and it is subject to other applicable rules.
Specifically, the RCC requires that the exercise of such right be “bound by confidentiality rules under prevailing laws,” including Republic Act (RA) 10173 or the Data Privacy Act of 2012.
This is aligned with Section 73’s requirement for a corporation to “keep and carefully preserve at its principal office” all corporate information, including its list of stockholders, the names and addresses of all members of the board of directors or trustees and the executive officers, and all records of its business transactions.
In Gokongwei, Jr. v. Securities and Exchange Commission, the Supreme Court ruled that the right to inspection must only be exercised for a lawful purpose germane to the stockholder’s interest and not detrimental to the corporation. (GR No. L-45911, April 11, 1979)
Generally, the DPA applies to the “processing of all types of personal information” by both natural and juridical persons. Such processing includes, among others, the collection, recording, organization and even destruction of data.
The DPA distinguishes between several types of information. Section 1 defines Personal Information (PI) as any information “from which the identity of an individual is apparent or can be reasonably and directly ascertained,” or which would “directly and certainly identify an individual” when combined with other information.
Sensitive personal information (SPI) includes information concerning a person’s race, health, marital status, and religious or political affiliations, among others (both PI and SPI are collectively called “personal data”).
Section 12 of the DPA allows personal information controllers (PICs) to process PI, provided it is not prohibited by law and only when it meets specific legal conditions (e.g., to comply with a legal obligation to which the PIC is subject).
Meanwhile, Section 13 of the DPA generally prohibits the processing of SPI, except when, for one, the processing is required under existing laws and regulations. The individual whose personal information is being processed is referred to as the data subject.
The responsible parties under the DPA are the PIC and the personal information processor (PIP). Section 1 of the DPA defines a PIC as a person or organization that controls the processing of personal data, excluding individuals acting under instruction and those processing data for personal, family, or household affairs.
Meanwhile, a PIP is any qualified natural or juridical person to whom a controller outsources data processing.
How does the right to privacy under the DPA impact the right to inspection under the RCC?
In its Advisory Opinion (AO) 2024-012, the National Privacy Commission (NPC) addressed whether a domestic corporation must permit its stockholders’ representative to inspect a statement of account of the corporation that details the names, dates, and amount of stockholder advances, as these constitute PI.
Lawful
The NPC deemed such a request for inspection lawful and explained that, under Section 73 of the RCC and Sections 12 and 13 of the DPA, corporations are authorized to lawfully process personal data relevant to the corporation and as specifically required under other existing laws and regulations.
Necessarily, there is no need for the other stockholders to consent to the inspection.
The NPC posits that while the DPA aims to protect the right to privacy, it cannot be “conveniently invoked” to restrict stockholder rights expressly provided in the RCC. Nonetheless, a corporation acting as a PIC must abide by the general data privacy principles in disclosing personal data.
Thus, while it must assent to the stockholders’ right to inspection, it can still review the propriety of the request for inspection. In this regard, NPC Advisory Opinion 2019-011 emphasizes that any disclosure by the corporation must involve informing the data subject of such a request and examining the demand, ensuring that the personal data requested are necessary, relevant and adequate only to fulfill a legitimate purpose.
Additionally, a corporation acting as a PIC is also required to establish security measures in the processing of personal data. This includes designating a Data Privacy Officer (DPO) with the NPC, conducting a Privacy Impact Assessment (PIA), and periodically training employees on privacy and data protection policies.
Elaisha Nelle C. Espinosa is an Associate of Mata-Perez, Tamayo & Francisco (MTF Counsel). This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. If you have any question or comment regarding this article, you may email the author at info@mtfcounsel.com or visit MTF website at www.mtfcounsel.com