In more detail

Scope and purpose

The Circular applies to all personal information controllers ("PIC") and third parties engaged in the processing of personal information based on legitimate interest under Section 12 (f) of Republic Act No. 10173 or the Data Privacy Act of 2012 ("DPA").¹

General considerations

The following should be considered when legitimate interest is used as the lawful basis for processing personal information.²

1. Legitimate interest refers to any actual and real interest, benefit, or gain that a PIC or third party may have in or may derive from the processing of specific personal information.³
2. Processing based on a legitimate interest may only be relied on for the processing of personal information. It cannot be used as basis for processing sensitive personal information nor privileged information.
3. A third party refers to any natural or juridical person to whom personal information is disclosed and who is not the PIC, the personal information processor ("PIP"), or the data subject of the specific processing activity.
4. The fundamental rights and freedoms of data subjects protected under the Philippine Constitution and the effect and impact of the specific processing activity on such rights and freedoms shall be assessed and weighed against the legitimate interest of the PIC or third party through a legitimate interest assessment.

Requisites for processing based on legitimate interest

A PIC intending to rely on legitimate interest must conduct its own assessment of the propriety of relying on legitimate interest as a lawful basis for processing personal information. In this regard, legitimate interest may be relied upon as a lawful basis for processing personal information only when all of the following requisites are fulfilled:

The legitimate interest is established ("Purpose Test").

The means to fulfill the legal interest is both necessary and lawful ("Necessity Test").

The interest is legitimate and lawful, and it does not override fundamental rights and freedoms of data subjects ("Balancing Test").⁴

Purpose Test

The PIC should determine the existence of a clearly established legitimate interest, including a determination of the objective of the specific processing activity.⁵

1. The purpose must be specific, such that it is clearly defined and not vague or overbroad.
2. The purpose must not be contrary to laws, morals, or public policy.
3. The interest established must also be declared to the data subject prior to the processing or at the next practical opportunity.

Necessity Test

The means or method chosen for the specific processing activity undertaken to accomplish the legitimate interest of the PIC or third party should be necessary and lawful.⁶

1. The means to fulfill the legitimate interest must be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose.
2. The means chosen to accomplish the legitimate interest is itself lawful.⁷

Balancing Test

The PIC or third party relying on legitimate interest must determine whether the processing undertaken does not override the data subject's fundamental rights and freedoms.⁸

In doing so, the PIC or third party shall look at the effect or impact of accomplishing the legitimate interest and consider the purpose of processing the interest established and the means by which it is fulfilled.

Other factors that may be considered include but are not limited to:

• Effect or impact of the specific processing activity on the data subject
• Measures implemented to protect the personal information involved in the specific processing activity or to mitigate the effect or impact of the specific processing activity on the data subject (e.g., privacy-enhancing technologies)
• Availability of other means or methods to fulfill the legitimate purpose
• Reasonable expectation of the data subject on the specific processing of their personal information taking into consideration the surrounding circumstances of each case⁹

Documentation of legitimate interest assessment

A PIC is required to document the conduct and results of its legitimate interest assessment, which should sufficiently detail how the PIC fulfills the three requisites for processing personal information based on legitimate interest. There is, however, no prescribed form for the legitimate interest assessment.¹⁰

The following should also be observed in documenting the legitimate interest assessment:¹¹

• A PIC must regularly evaluate its compliance with the requisites for legitimate interest.
• A PIC must keep the records of the legitimate interest assessment made as the basis for relying on legitimate interest to process personal information.
• In case of an investigation or a compliance check, the NPC may require the submission of the records of the legitimate interest assessment.

Legitimate interest of third parties

The Circular clarifies that a PIC should verify the legitimate interest of a third party to whom personal information may be disclosed — either through its own legitimate interest assessment or on the basis of such third party's legitimate interest assessment.¹²

If a third party intends to process personal information from another PIC for its own legitimate interest, such third party shall be considered as the PIC.¹³

Sectoral determination

The NPC encourages industry sectors to determine common personal information processing activities within their respective industries that may be based on legitimate interest.¹⁴

Processing carried out by public authorities

As a general rule, legitimate interest does not apply to processing carried out by public authorities in the performance of their constitutional or statutory mandates.

However, legitimate interest may be considered the appropriate lawful basis for specific processing activities carried out by government agencies that (i) are not expressly provided in their mandate and (ii) do not fall squarely on any of the other criteria for processing under Section 12¹⁵ or as a special case under Section 4¹⁶ of the DPA. Legitimate interest may also apply as a lawful basis for ancillary processing activities performed in the ordinary course of business.

Effectivity

The Circular takes effect on 14 January 2024.

However, the Circular provides that affected PICs will be given a period of 90 days from the effectivity of the Circular, or until 13 April 2024, to comply with their obligation to document and keep records of legitimate interest assessments made.¹⁷

Recommended actions

Clients are advised to take note of the Guidelines. Clients relying on legitimate interest as a basis for processing personal information are also advised to document and maintain records of all legitimate interest assessments made, as compliance with this requirement becomes mandatory starting 13 April 2024.

For more information regarding the Guidelines, clients may check the NPC's responses to frequently asked questions, through this link: https://privacy.gov.ph/wp-content/uploads/2024/01/FAQ-Guidelines-on-Legitimate-Interest-as-of-28-December-2023.pdf.

1 Circular, Section 1.

2 Circular, Section 3.

3 Section 12 (f) of the DPA permits the processing of personal information when the processing is necessary for the legitimate interests pursued by the PIC or a third party to whom the personal information is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject that require protection under the Philippine Constitution.

4 Circular, Section 4.

5 Circular, Section 5.

6 Circular, Section 6.

7 The PIC should not violate any law in the process of accomplishing its legitimate interest.

8 Circular, Section 7.

9 The PIC shall consider what a reasonable person would find acceptable under the circumstances taking into consideration the interest established.

10 Circular, Section 4.

11 Circular, Section 8.

12 Circular, Section 10.

13 Circular, Section 10.

14 Circular, Section 11.

15 Aside from legitimate interest, the following are the other lawful bases for processing personal information:
(a) The data subject has given his or her consent.
(b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract.
(c) The processing is necessary for compliance with a legal obligation to which the PIC is subject.
(d) The processing is necessary to protect vitally important interests of the data subject, including life and health.
(e) The processing is necessary in order to respond to a national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily include the processing of personal data for the fulfillment of its mandate.

16 The DPA applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those PICs and PIPs who, although not found or established in the Philippines:
(a) Use equipment that are located in the Philippines, or
(b) Maintain an office, branch or agency in the Philippines.

17 Circular, Section 15.

* * * * *

Please contact QTInfoDesk@quisumbingtorres.com for inquiries.

VISIT QUISUMBING TORRES SITE