Lawful Processing as a Privacy Requirement
The Constitution protects the privacy of communication and correspondence, and the Data Privacy Act gives statutory protection to informational privacy by regulating how personal data may be collected, used, stored, disclosed, retained, and destroyed. A lawful basis is therefore not a technical formality; it is the legal permission that must exist before a controller may interfere with a data subject's control over personal information.
Processing is broadly understood as any operation performed on personal information, whether automated or manual. It includes collection, recording, organization, storage, updating, retrieval, consultation, use, consolidation, blocking, erasure, destruction, disclosure, and sharing. Because disclosure and retention are themselves processing, a controller must justify not only the initial collection of data but also later uses, transfers, and continued storage.
The Data Privacy Act applies to information about natural persons. It does not protect juridical persons as data subjects, but records about corporations may still contain personal information of officers, employees, shareholders, customers, or representatives. Data that has been truly anonymized so that a natural person can no longer be reasonably identified is outside the concept of personal information, while coded, masked, or pseudonymized data remains regulated if re-identification is reasonably possible.
Personal Information, Sensitive Personal Information, and Privileged Information
The lawful basis depends first on the category of data being processed. Ordinary personal information is governed by a broader set of statutory grounds. Sensitive personal information and privileged information are subject to a stricter rule: processing is generally prohibited unless a specific statutory exception applies.
| Category | Meaning | Effect on lawful basis |
|---|---|---|
| Personal information | Information from which the identity of an individual is apparent, can reasonably and directly be ascertained, or can be directly and certainly identified when combined with other information. | Processing is allowed only if not otherwise prohibited by law and at least one lawful basis exists. |
| Sensitive personal information | Information involving matters such as race, ethnic origin, marital status, age, color, religious, philosophical or political affiliation, health, education, genetic or sexual life, offenses or proceedings, government-issued identifiers, licenses, tax returns, and other information classified by law as sensitive. | Processing is prohibited unless one of the special exceptions for sensitive data applies. |
| Privileged information | Information that falls within legally protected privileged communications, including those recognized by the Rules of Court and special laws. | Processing follows the strict regime for sensitive personal information and does not by itself waive the privilege. |
The distinction matters because a lawful basis for ordinary personal information does not automatically authorize the processing of sensitive personal information. For example, a contract may justify processing a customer's name and delivery address, but not automatically the customer's medical condition, religious affiliation, or government-issued identifiers unless a special ground for sensitive data is also present.
General Principles That Limit Every Lawful Basis
Even when a statutory ground exists, processing must still comply with the principles of transparency, legitimate purpose, and proportionality. These principles operate as continuing limits on the controller's authority and prevent the lawful basis from becoming a blanket permission for unrelated or excessive processing.
- Transparency requires the data subject to know the nature, purpose, extent, risks, recipients, retention period, rights, and identity of the controller. Hidden processing is inconsistent with data privacy even if the controller later identifies a plausible basis.
- Legitimate purpose requires the purpose to be declared, specified, lawful, and not contrary to morals, public policy, or law. A vague purpose such as "business use" or "administration" is weak because it does not confine the processing activity.
- Proportionality requires the data to be adequate, relevant, suitable, necessary, and not excessive in relation to the declared purpose. A controller may not collect an entire identification record when a limited verification field is enough.
- Purpose limitation prevents later use for a new and incompatible purpose without a fresh lawful basis and adequate notice. Data collected for delivery, payroll, medical treatment, or a public service cannot be casually repurposed for profiling, marketing, or disclosure.
- Retention limitation requires personal data to be kept only for as long as necessary for the declared purpose, a legal obligation, or the establishment, exercise, or defense of claims. Indefinite retention must be justified by something more than convenience.
Lawful Bases for Ordinary Personal Information
For ordinary personal information, processing is lawful only when it is not otherwise prohibited by law and one of the recognized grounds exists. The basis must be tied to the particular purpose, type of data, and processing operation; it is not enough that the controller has a general relationship with the data subject.
| Basis | Core rule | Limits |
|---|---|---|
| Consent | The data subject gives a freely given, specific, informed indication of will for the particular processing. | Consent must be real, prior or properly obtained, documented, and capable of withdrawal for future processing unless another lawful basis applies. |
| Contract | Processing is necessary and related to the fulfillment of a contract with the data subject or to take steps at the data subject's request before entering into a contract. | The data must be necessary for the contract, not merely useful for the controller's broader business objectives. |
| Legal obligation | Processing is necessary for compliance with a legal obligation to which the controller is subject. | The obligation must be imposed by law or regulation, not by internal policy alone. |
| Vital interests | Processing is necessary to protect vitally important interests of the data subject, including life and health. | This basis is narrow and is most compelling when delay would endanger the person. |
| National emergency, public order, public safety, or public authority | Processing is necessary to respond to a national emergency, comply with public order or safety requirements, or fulfill functions of public authority. | Government processing must be connected to a lawful mandate and must still observe constitutional limits and proportionality. |
| Legitimate interests | Processing is necessary for the legitimate interests pursued by the controller or a third party to whom data is disclosed. | The interest must be lawful and real, the processing must be necessary, and the interest must not be overridden by the data subject's fundamental rights and freedoms. |
Consent is only one lawful basis, not the universal basis for all processing. A controller may process without consent when another statutory ground squarely applies, such as payroll processing required by law, emergency medical contact use, or data use necessary to deliver a contracted service. However, the absence of a consent requirement does not remove the duties of notice, security, proportionality, and respect for data subject rights.
The contract basis is limited to processing that is objectively necessary to create, perform, or administer the contract with the data subject. It covers such matters as identity verification for contracting, billing details, delivery information, account administration, and service communications directly connected with performance. It does not justify unrelated advertising, profiling, sale of data, or sharing with affiliates when those activities are not necessary to the contract itself.
The legal obligation basis applies when a law or regulation requires the controller to process or retain data, such as tax, labor, corporate, banking, anti-money laundering, public health, or regulatory reporting obligations. The controller should identify the obligation with reasonable specificity because "compliance" cannot be used as a general label for data collection that the law does not actually require.
The vital interests basis protects urgent interests involving life and health. It may justify the disclosure of contact, location, or health-related information to responders or medical personnel when necessary to prevent serious harm. When the situation permits ordinary notice or consent without endangering the person, the controller should not stretch this basis beyond its emergency character.
The public authority basis is especially important for government agencies because many public functions necessarily involve personal data. Licensing, social services, taxation, immigration, law enforcement, health programs, and disaster response may require processing, but the agency must act within its legal mandate and may not invoke public authority to support arbitrary surveillance, indiscriminate disclosure, or collection unrelated to the public function.
Legitimate interests require a balancing exercise. The controller must identify a definite interest, show that processing is necessary for that interest, and weigh the impact on the data subject. The basis becomes weak when the data subject would not reasonably expect the processing, when sensitive effects are involved, when the controller uses intrusive profiling, or when less privacy-invasive means are available.
Consent as a Lawful Basis
Consent must be freely given, specific, informed, and evidenced by written, electronic, or recorded means. It must identify the purpose of processing, the categories of data involved, the recipients or classes of recipients, the retention period when practicable, and the rights of the data subject. Silence, pre-ticked boxes, vague acceptance of broad terms, or consent obtained through deception does not satisfy the standard.
Consent is defective when the data subject has no genuine choice, when refusal produces an unjustified detriment, or when consent to unnecessary processing is bundled with an essential service. Consent to one purpose is not consent to all future purposes. Separate purposes that materially affect privacy, such as marketing, profiling, disclosure to unrelated third parties, or processing of sensitive data, require separate and intelligible consent.
Withdrawal of consent generally affects future processing. It does not automatically invalidate processing already lawfully completed, nor does it defeat processing that must continue because of a legal obligation, a pending claim, or another lawful basis. After withdrawal, however, the controller must stop processing based solely on that consent and must delete, block, or retain the data only as another lawful ground permits.
For minors or persons who cannot validly act for themselves, consent must come from the lawful representative when required by law and the circumstances. Even when a representative consents, the processing must still serve a legitimate purpose and be proportionate to the data subject's situation.
Processing Sensitive Personal Information and Privileged Information
Sensitive personal information and privileged information receive higher protection because misuse may expose a person to discrimination, stigma, surveillance, identity theft, coercion, or loss of legal confidentiality. The starting rule is prohibition, and the controller bears the burden of fitting the processing within a recognized exception.
| Exception | Rule | Important limit |
|---|---|---|
| Specific consent | The data subject gives consent specific to the purpose before processing; for privileged information, all parties to the privileged exchange must consent. | General consent to process ordinary data is insufficient for sensitive or privileged information. |
| Existing law or regulation | Processing is provided for by law or regulation that does not require consent and that guarantees protection of the sensitive or privileged information. | The law must authorize the processing; institutional convenience is not enough. |
| Life and health | Processing is necessary to protect the life and health of the data subject or another person, and the data subject is legally or physically unable to express consent beforehand. | The inability to consent and the urgent protective purpose are central to the exception. |
| Lawful noncommercial objectives of organizations | Processing is necessary for lawful and noncommercial objectives of qualifying organizations or associations and is confined to bona fide members or related contacts. | The processing must remain connected to the organization, and third-party transfer requires proper consent and protection. |
| Medical treatment | Processing is necessary for medical treatment and is carried out by a medical practitioner or medical treatment institution. | Adequate protection must exist, and the purpose must remain medical treatment, not unrelated employment, insurance, or commercial use. |
| Claims, rights, and public authority | Processing is necessary for court proceedings, the establishment, exercise, or defense of legal claims, the protection of lawful rights and interests, or provision to government or public authority. | The data processed must be necessary for the claim, right, proceeding, or lawful public authority purpose. |
The law-or-regulation exception for sensitive information is stricter than the ordinary legal-obligation basis. It requires that the processing be provided for by law or regulation and that the regulatory basis contain protection for the information. A controller cannot transform a general statutory function into authority to collect every sensitive detail that might be useful.
The medical treatment exception is confined to treatment and related clinical functions. It supports processing by hospitals, clinics, physicians, and treatment institutions for diagnosis, care, referral, and medical records management. It does not automatically authorize disclosure of medical data to employers, schools, insurers, marketers, or unrelated entities without another applicable ground.
The claims and rights exception recognizes that litigation, administrative proceedings, investigations, and legal advice may require processing sensitive or privileged information. The exception does not erase evidentiary privilege or professional secrecy; it only supplies a data privacy basis when processing is necessary to establish, exercise, or defend a lawful claim or right.
Disclosure, Data Sharing, and Outsourcing
Disclosure to another person or entity is a separate processing operation. A controller that lawfully collects data for one purpose must still identify a lawful basis for sharing it with affiliates, service providers, government agencies, courts, insurers, employers, platforms, or contractors. Data sharing agreements, confidentiality clauses, and outsourcing contracts allocate duties, but they do not replace the need for a lawful basis.
A personal information controller determines the purpose and means of processing and remains accountable for compliance. A personal information processor acts on the controller's instructions and must process only as authorized by contract, law, and the controller's documented directions. Outsourcing storage, cloud hosting, payroll administration, analytics, or customer support does not transfer the controller's responsibility to justify the processing.
Cross-border transfer is not prohibited merely because data leaves the Philippines, but the controller remains responsible for ensuring lawful processing, adequate safeguards, enforceable obligations, and respect for data subject rights. The transfer must be compatible with the declared purpose and supported by an applicable lawful basis for both the disclosure and the foreign recipient's processing.
Effect of an Absent or Defective Lawful Basis
Processing without a lawful basis is unauthorized processing even if the data is accurate, securely stored, or useful to the controller. Security protects data against breach; it does not cure an unlawful purpose, excessive collection, or unjustified disclosure.
A defective lawful basis may require the controller to stop the processing, block or delete the data, notify affected data subjects where required, correct privacy notices, revise contracts, discipline responsible personnel, and implement measures to prevent recurrence. The data subject may invoke rights to information, access, objection, correction, erasure or blocking, damages, and complaint before the proper authority, subject to lawful limitations.
Unlawful processing may also trigger administrative, civil, and criminal consequences under the Data Privacy Act, especially when the processing involves sensitive personal information, unauthorized disclosure, malicious disclosure, improper disposal, concealment of a security breach, or processing for unauthorized purposes. Liability may attach to responsible officers, employees, processors, and other persons who participated in or benefited from the unlawful act according to their role and degree of fault.
The central rule is that personal data may be processed only for a lawful, specific, transparent, and proportionate purpose supported by the correct statutory basis for the correct category of data. Consent, contract, law, emergency, public authority, and legitimate interest are not interchangeable labels; each has its own conditions, limits, and consequences.