icon-angleicon-facebookicon-hatebuicon-instagramicon-lineicon-linked_inicon-pinteresticon-twittericon-youtubelogo-not
SCROLL
TOP
Publications
Newsletters

Data Privacy – Guidelines on Data Processing Based on Legitimate Interest (Philippines)

NO&T Asia Legal Review

Author
Patricia O. Ko
Publisher
Nagashima Ohno & Tsunematsu
Journal /
Book
NO&T Asia Legal Review No.78 (March, 2024)
Reference
Practice Areas
*Please note that this newsletter is for informational purposes only and does not constitute legal advice. In addition, it is based on information as of its date of publication and does not reflect information after such date. In particular, please also note that preliminary reports in this newsletter may differ from current interpretations and practice depending on the nature of the report.

Background

On 13 December 2023, the National Privacy Commission (“NPC”) issued NPC Circular No. 2023-07 on the Guidelines on Legitimate Interest (the “Guidelines”) which clarify how a personal information controller (“PIC”) may establish the existence of legitimate interest as a lawful basis for the processing of personal information under Republic Act No. 10173 or the Data Privacy Act of 2012 (the “DPA”).

The Guidelines are significant since Section 12(f) of the DPA allows processing of personal information (without the consent of the data subject) if necessary to pursue the legitimate interest of the PIC or by any third party to whom data is disclosed, except where such interest is overridden by the constitutional rights and freedoms of the data subject.

Overview of the Guidelines

1. Applicability to processing of personal information

It should be noted that processing based on legitimate interest may be relied on for processing a specific category of personal data only, which is the processing of personal information, and not for purposes of processing sensitive personal information or privileged information.

Personal information refers to any information (by itself or when put together with other information) from which the identity of an individual is apparent or can be reasonably and directly ascertained. On the other hand, sensitive personal information refers to information about an individual’s race, ethnic origin, marital status, age, color, health, education, or information issued by government agencies peculiar to an individual, among others. When processing sensitive personal information, the other lawful basis for processing (aside from consent) is more limited in nature.

2. Definition of “legitimate interest” and “third party”

Prior to the Guidelines, there was no definition of the terms “legitimate interest” and “third party” as used in Section 12(f) of the DPA. The Guidelines now clarify both concepts and state that “legitimate interest” refers to any actual and real interest, benefit, or gain that a PIC or third party may have or may derive from the processing of specific personal information, while “third party” refers to any natural or juridical person to whom the personal information is disclosed who is not a PIC, personal information processor, or data subject of the specific processing activity.

3. Conditions for processing based on legitimate interest

The following conditions must be fulfilled to process personal information based on legitimate interest under the Guidelines:

  • (a) Existence of a clearly established legitimate interest (purpose test);
  • (b) The means or method of processing the personal information to accomplish the legitimate interest is necessary and lawful (necessity test); and
  • (c) The legitimate and lawful interest does not override the data subject’s fundamental rights and freedoms (balancing test)
  • (a)  Existence of a clearly established legitimate interest (purpose test);
  • (b)  The means or method of processing the personal information to accomplish the legitimate interest is necessary and lawful (necessity test); and
  • (c)  The legitimate and lawful interest does not override the data subject’s fundamental rights and freedoms (balancing test)

To satisfy the purpose test, the processing activity must be pursued for a lawful and specific purpose (not vague or overbroad), and the data subject must be informed of the legitimate interest established prior to the processing or at the next practical opportunity. As for the necessity test, the means and method chosen for the specific processing activity should be proportionate (adequate, relevant, and suitable) to fulfill the legitimate interest. Finally, for the balancing test, among the factors to be considered are the impact of the processing activity on the data subject, measures implemented to protect the personal information, and the data subject’s reasonable expectation of privacy, depending on the circumstances of each case.

We note that the three tests above have already been mentioned by the NPC in some of its earlier advisory opinions. For example, the NPC applied the three tests to limit the manner of processing of personal information based on legitimate interest in NPC Advisory Opinion No. 2018-080, which involved a query on whether the joint viewing and releasing of closed-circuit television (“CCTV”) camera footage by a restaurant to its customer to assist the customer in pursuing the individuals liable for the loss of her cellphone may be justified relying on the legitimate interest clause.

While the NPC confirmed in said advisory opinion that the viewing and disclosure of the CCTV footage to the customer and her legal counsel can be considered necessary to pursue a legitimate interest, the viewing or disclosure should be limited to (i) the specific date of the incident, and the particular time and duration of stay of the data subject in the establishment, and (ii) the viewing of the camera posted at the precise location of the data subject during the incident (and not other cameras operated), among others.

As such, even when relying on the legitimate interest clause of the DPA, PICs should still ensure that only necessary information is processed and that the processing is done in a fair, lawful and transparent manner, and take necessary steps to protect and uphold the rights of the data subject.

4. Legitimate interest assessment

A PIC is expected to conduct a legitimate interest assessment (i.e., applying the tests above) or verify the legitimate interest of a third party to whom personal information may be disclosed before proceeding. Further, a PIC is required under the Guidelines to keep records or documentation of the evaluation process and results of its assessment, since the NPC may require the submission of records during an investigation or compliance check.

Processing of personal information in violation of the Guidelines may be subject to penalties under the DPA and other related issuances of the NPC.

Conclusion

The Guidelines provide a clear framework to determine whether a legitimate interest exists that can be used as the basis for PICs to process personal information. However, it should be noted that the NPC has emphasized that legitimate interest is not intended to be a broad justification for processing personal information, and PICs should still balance their legitimate interest with the rights and interests of the data subject. PICs should therefore carefully evaluate whether applying other lawful criteria for processing may be better suited under the circumstances, taking into consideration the general principles of transparency, legitimate purpose, and proportionality.

This newsletter is given as general information for reference purposes only and therefore does not constitute our firm’s legal advice. Any opinion stated in this newsletter is a personal view of the author(s) and not our firm’s official view. For any specific matter or legal issue, please do not rely on this newsletter but make sure to consult a legal adviser. We would be delighted to answer your questions, if any.

Download full text(PDF)

Lawyers

Data Protection and Privacy Related Publications

Global Practice Related Publications

Asia and Oceania Related Publications

Philippines Related Publications

Apply Select Practice Areas
Apply