Search for:

In brief

Consent is not the only available lawful basis for processing personal information. Personal information controllers and other parties engaged in the processing of personal information may also use legitimate interest as a lawful basis for processing. However, these parties must be aware of the conditions and limitations for processing personal information based on legitimate interest. For this reason, the National Privacy Commission (“NPC”) recently issued NPC Circular No. 2023-07, which provides guidelines on the processing of personal information based on legitimate interest (“Guidelines“).

The Circular takes effect on 14 January 2024. It provides guidance on the factors to be considered when using legitimate interest as basis for processing. It also describes how a legitimate interest assessment may be conducted and documented. The Circular provides a period of 90 days from the effectivity of the Circular, or until 13 April 2024, for covered parties to comply with their obligations under the Guidelines.


In more detail

Scope and purpose

The Circular applies to all personal information controllers (“PIC”) and third parties engaged in the processing of personal information based on legitimate interest under Section 12 (f) of Republic Act No. 10173 or the Data Privacy Act of 2012 (“DPA”).1

General considerations

The following should be considered when legitimate interest is used as the lawful basis for processing personal information.2

  1. Legitimate interest refers to any actual and real interest, benefit, or gain that a PIC or third party may have in or may derive from the processing of specific personal information.3
  2. Processing based on a legitimate interest may only be relied on for the processing of personal information. It cannot be used as basis for processing sensitive personal information nor privileged information.
  3. A third party refers to any natural or juridical person to whom personal information is disclosed and who is not the PIC, the personal information processor (“PIP”), or the data subject of the specific processing activity.
  4. The fundamental rights and freedoms of data subjects protected under the Philippine Constitution and the effect and impact of the specific processing activity on such rights and freedoms shall be assessed and weighed against the legitimate interest of the PIC or third party through a legitimate interest assessment.

Requisites for processing based on legitimate interest

A PIC intending to rely on legitimate interest must conduct its own assessment of the propriety of relying on legitimate interest as a lawful basis for processing personal information. In this regard, legitimate interest may be relied upon as a lawful basis for processing personal information only when all of the following requisites are fulfilled:

The legitimate interest is established (“Purpose Test“).

The means to fulfill the legal interest is both necessary and lawful (“Necessity Test“).

The interest is legitimate and lawful, and it does not override fundamental rights and freedoms of data subjects (“Balancing Test“).4

Purpose Test

The PIC should determine the existence of a clearly established legitimate interest, including a determination of the objective of the specific processing activity.5

  1. The purpose must be specific, such that it is clearly defined and not vague or overbroad.
  2. The purpose must not be contrary to laws, morals, or public policy.
  3. The interest established must also be declared to the data subject prior to the processing or at the next practical opportunity.

Necessity Test

The means or method chosen for the specific processing activity undertaken to accomplish the legitimate interest of the PIC or third party should be necessary and lawful.6

  1. The means to fulfill the legitimate interest must be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose.
  2. The means chosen to accomplish the legitimate interest is itself lawful.7

Balancing Test

The PIC or third party relying on legitimate interest must determine whether the processing undertaken does not override the data subject’s fundamental rights and freedoms.8

In doing so, the PIC or third party shall look at the effect or impact of accomplishing the legitimate interest and consider the purpose of processing the interest established and the means by which it is fulfilled.

Other factors that may be considered include but are not limited to:

  • Effect or impact of the specific processing activity on the data subject
  • Measures implemented to protect the personal information involved in the specific processing activity or to mitigate the effect or impact of the specific processing activity on the data subject (e.g., privacy-enhancing technologies)
  • Availability of other means or methods to fulfill the legitimate purpose
  • Reasonable expectation of the data subject on the specific processing of their personal information taking into consideration the surrounding circumstances of each case9

Documentation of legitimate interest assessment

A PIC is required to document the conduct and results of its legitimate interest assessment, which should sufficiently detail how the PIC fulfills the three requisites for processing personal information based on legitimate interest. There is, however, no prescribed form for the legitimate interest assessment.10

The following should also be observed in documenting the legitimate interest assessment:11

  • A PIC must regularly evaluate its compliance with the requisites for legitimate interest.
  • A PIC must keep the records of the legitimate interest assessment made as the basis for relying on legitimate interest to process personal information.
  • In case of an investigation or a compliance check, the NPC may require the submission of the records of the legitimate interest assessment.

Legitimate interest of third parties

The Circular clarifies that a PIC should verify the legitimate interest of a third party to whom personal information may be disclosed — either through its own legitimate interest assessment or on the basis of such third party’s legitimate interest assessment.12

If a third party intends to process personal information from another PIC for its own legitimate interest, such third party shall be considered as the PIC.13

Sectoral determination

The NPC encourages industry sectors to determine common personal information processing activities within their respective industries that may be based on legitimate interest.14

Processing carried out by public authorities

As a general rule, legitimate interest does not apply to processing carried out by public authorities in the performance of their constitutional or statutory mandates.

However, legitimate interest may be considered the appropriate lawful basis for specific processing activities carried out by government agencies that (i) are not expressly provided in their mandate and (ii) do not fall squarely on any of the other criteria for processing under Section 1215 or as a special case under Section 416 of the DPA. Legitimate interest may also apply as a lawful basis for ancillary processing activities performed in the ordinary course of business.

Effectivity

The Circular takes effect on 14 January 2024.

However, the Circular provides that affected PICs will be given a period of 90 days from the effectivity of the Circular, or until 13 April 2024, to comply with their obligation to document and keep records of legitimate interest assessments made.17

Recommended actions

Clients are advised to take note of the Guidelines. Clients relying on legitimate interest as a basis for processing personal information are also advised to document and maintain records of all legitimate interest assessments made, as compliance with this requirement becomes mandatory starting 13 April 2024.

For more information regarding the Guidelines, clients may check the NPC’s responses to frequently asked questions, through this link: https://privacy.gov.ph/wp-content/uploads/2024/01/FAQ-Guidelines-on-Legitimate-Interest-as-of-28-December-2023.pdf.


1 Circular, Section 1.

2 Circular, Section 3.

3 Section 12 (f) of the DPA permits the processing of personal information when the processing is necessary for the legitimate interests pursued by the PIC or a third party to whom the personal information is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject that require protection under the Philippine Constitution.

4 Circular, Section 4.

5 Circular, Section 5.

6 Circular, Section 6.

7 The PIC should not violate any law in the process of accomplishing its legitimate interest.

8 Circular, Section 7.

9 The PIC shall consider what a reasonable person would find acceptable under the circumstances taking into consideration the interest established.

10 Circular, Section 4.

11 Circular, Section 8.

12 Circular, Section 10.

13 Circular, Section 10.

14 Circular, Section 11.

15 Aside from legitimate interest, the following are the other lawful bases for processing personal information:
(a) The data subject has given his or her consent.
(b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract.
(c) The processing is necessary for compliance with a legal obligation to which the PIC is subject.
(d) The processing is necessary to protect vitally important interests of the data subject, including life and health.
(e) The processing is necessary in order to respond to a national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily include the processing of personal data for the fulfillment of its mandate.

16 The DPA applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those PICs and PIPs who, although not found or established in the Philippines:
(a) Use equipment that are located in the Philippines, or
(b) Maintain an office, branch or agency in the Philippines.

17 Circular, Section 15.

* * * * *

LOGO Philippines_QuisumbingTorres_Manila

Please contact QTInfoDesk@quisumbingtorres.com for inquiries.

VISIT QUISUMBING TORRES SITE

Author

Bienvenido Marquez III is a partner in Quisumbing Torres' Intellectual Property, Data and Technology Practice Group. He also co-heads the Consumer Goods & Retail Industry Group and is a member of the Technology, Media & Telecommunications Group. He participates in initiatives of Baker & McKenzie International of which Quisumbing Torres is a member firm. He is a member of Baker McKenzie's Asia Pacific Intellectual Property Business Unit for Brand Enforcement. He is immediate Past President of the Philippine Chapter of the Licensing Executives Society International (2019-2021), and is currently co-chair of the LESI Asia Pacific. He is also a member of the Anti-Counterfeiting Committee of the International Trademarks Association (INTA). He has been appointed as member of the INTA Asia Global Advisory Council (GAC) for 2022 to 2023, making him the only Philippine representative on the council.

Bien has vast experience in handling IP enforcement litigation, trademark and patent prosecution and maintenance, copyright, data privacy, information security, IT, telecommunications, e-commerce, electronic transactions, cyber security and cybercrime. He has been consistently ranked as a leading individual for Intellectual Property and TMT in Legal 500 Asia Pacific, Chambers Asia Pacific, asialaw Leading Lawyers, Managing IP Stars, Asia IP, and World Trademark Review. He was also recognized as a Volunteer Service Awardee by INTA in 2018.

Author

Divina Ilas-Panganiban, CIPM is a partner and the head of Quisumbing Torres’ Intellectual Property, Data and Technology Practice Group and co-heads the Technology, Media & Telecommunications (TMT) Industry Group. She participates in initiatives of Baker & McKenzie International of which Quisumbing Torres is a member firm. She is a member of Baker & McKenzie International's Asia Pacific TMT, and the Asia Pacific Intellectual Property Steering Committees.
Divina is a Certified Information Privacy Manager by the International Association of Privacy Professionals (IAPP). She currently serves as the Vice-President and Director of the Philippine Chapter of the Licensing Executives Society International, the Regional Vice-chair of the LESI's Education Committee, the Co-chairperson of the Committee on Intellectual Property Rights of The American Chamber of Commerce of the Philippines, and the Chairperson of the IAPP KnowledgeNet Chapter for the Philippines.
Divina was recently appointed to be a member of the Advisory Council for Intellectual Property (ACIP) of the Intellectual Property Office of the Philippines (IPOPHL). The ACIP is an advisory board composed of a select group of people from different sector to which IP is of great value. She was recently recognized in the Hall of Fame for Best External Lecturers by the IP Academy of the IPOPHL.
Divina just finished her stint as the chair the Unreal Campaign of the International Trademarks Association (INTA) for East Asia and the Pacific and continues to organize anti-counterfeiting activities in schools and universities around the country, educating the youth about the importance of intellectual property protection.
Divina is a multi-awarded lawyer with a stellar track record in the IP, data and technology fields. She has garnered numerous awards and accolades, including the Woman Lawyer of the Year by the ALB Philippine Law Awards 2023. She has been cited as leading lawyer for intellectual Property and TMT by The Legal 500 Asia Pacific, Chambers Asia Pacific, Managing IP, World Trademark, Asialaw and IAM Patent 1000, among others. Known for her exceptional legal expertise and unwavering commitment to her clients, Divina has established herself as a leader in her profession.

Author

Felicisimo F. Agas III is an associate working in Quisumbing Torres’ Intellectual Property, Data and Technology Practice Group and a member of the Technology, Media & Telecommunications Industry Group. Prior to taking up law, he also worked as a logistics specialist in the Philippine subsidiary of a Swiss multinational food and beverage company. He graduated with honors, salutatorian in his class at the Ateneo de Manila Law School, and currently teaches in the same university.

Author

Jonathan Peter A. Gregorio is an associate with the Intellectual Property, Data and Technology Practice at Quisumbing Torres, a member firm of Baker & McKenzie International. He obtained his Juris Doctor degree from the Ateneo Professional Schools - School of Law in 2021 and was admitted to the Philippine bar in 2022.

Write A Comment