From: http://www.scribd.com/doc/60963054/DTI-Department-Administrative-Order-Number-8-Prescribing-Guidelines-for-the-Protection-of-Personal-Data-in-Information-and-Communications-System-in
Section 4.
General principles for the protection of personal data
4.1 Personal data must be:
4.1.1 Collected for specified and legitimate purposes determined before collecting personal data and are later processed in a way compatible with those purposes;
4.1.2 Processed accurately, fairly and lawfully;
4.1.3 Accurate, and, where necessary for the processing of personal data, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing must be restricted.
4.1.4 Identical, adequate and not excessive in relation to the purposes for which they are collected and processed;
4.1.5 Kept in a form, which permits identification of data subjects for, no longer than is necessary for the purposes for which the data were collected and processed.
 
4.2 Criteria for lawful processing of personal data. - Personal data processing is permitted only if not prescribed otherwise by law, and at least one of the following conditions exists:
4.2.1 The data subject has given his or her unambiguous consent;
4.2.2 The personal data processing results from contractual obligations of the data subject;
4.2.3 The data processing is necessary to a data controller for the performance of his or her lawful obligations but in such cases, the processing shall be permitted only to fulfill the intention of the parties; or
4.2.4 The data processing is necessary to protect vitally important interests of the data subject, including life and health.
 
4.3 Disclosure of Personal Data to Data processor
4.3.1 A data controller may entrust personal data processing to a personal data processor provided a written contract is entered into between them;
4.3.2 A personal data processor may process personal data entrusted to him or her only within the scope determined in the contract and in accordance with the purposes provided for therein;
4.3.3 Prior to commencing personal data processing, a personal data processor shall perform safety measures determined by the data controller for the protection of the system in accordance with the requirements in this“Guidelines” and the E-Commerce Law.
 
4.4 Storage of data - Personal data may be stored and used only for as long as it is necessary to achieve the purpose for which it was processed. Unless otherwise stipulated in acts on individual types of personal data, personal data shall either be deleted from a personal data or blocked once the purpose from the preceding paragraph has been achieved.
4.5 Rights of the data subject- The data subject is entitled-
4.5.1 To be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller.
4.5.1.1 If that is the case, to be given by the data controller a description of:
4.5.1.1.1 The personal data of which that individual is the data subject,
4.5.1.1.2 The purposes for which they are being or are to be processed, and
4.5.1.1.3 The recipients or classes of recipients to whom they are or may be disclosed.
4.5.2 To be notified -
4.5.2.1 The information constituting any personal data of which that individual is the data subject, and
4.5.2.2 Any information available to the data controller as to the source of those data, and
4.5.2.3 Where the processing by automatic means of personal data of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performances at work, his credit worthiness, his reliability or his conduct, has constituted or is likely to constitute the sole basis for any decision significantly affecting him, to be informed by the data controller of the logic involved in that decision-making.
 
4.6 Rights to information - A data subject also has the right to request the following information:
4.6.1 The designation, or name and surname, and address of the data controller;
4.6.2 The purpose, scope and method of the personal data processing;
4.6.3 The date when the personal data concerning the data subject was last rectified;
4.6.4 The source from which the personal data were obtained unless the disclosure of such information is prohibited by law; and
4.6.5 The processing methods utilized for the automated processing systems, concerning the application of which individual automated decisions are taken.
 
4.7 Data subject’s right of access to his or her personal data. A data subject has the right, within a period of thirty(30) days from the date of submission of the relevant request, to receive from the data controller or data processor the information specified in the preceding Section in writing.
4.8 Data subject’s right to request rectification, destruction of his personal data or restriction of further processing of his personal data.
4.8.1 A data subject has the right to request that his or her personal data be supplemented or rectified, as well as that their processing be suspended or that the data be destroyed if the personal data are incomplete,outdated, false, unlawfully obtained or are no longer necessary for the purposes for which they were collected. If the data subject is able to substantiate that the personal data included in the personal data processing system are incomplete, outdated, false, unlawfully obtained or no longer necessary for the purposes for which they were collected, the data controller has an obligation to rectify this inaccuracy or violation without delay and notify third parties who have previously received the processed data of such.a) If information has been retracted, a data controller
shall ensure the accessibility of both the new and the retracted information, and recipients thereof receive that the information mentioned simultaneously.
4.9 Right to object. - A data subject has the right to object (in writing, orally or in any other form) to the processing of his or her personal data if such will be used for commercial purposes