Summary of NPC Circular No. 2023-07 Guidelines on Legitimate Interest

Brief Background

On December 13, 2023, the National Privacy Commission (NPC), through its quasi-legislative powers by virtue of R.A. 10173 or the Data Privacy Act of 2012 (DPA), issued NPC Circular No. 2023-07 or the Guidelines on Legitimate Interest. The NPC deemed it necessary to issue these guidelines to clarify how a Personal Information Controller (PIC) may establish the existence of legitimate interest, the necessity of personal information processing for such interest, and the assessment of such interest in relation to a data subject’s fundamental rights and freedoms.

The Circular aims to provide guidelines for PICs and third parties relying on legitimate interest as the lawful basis to process personal information for a specific processing activity.

The General Considerations

The DPA permits the processing of personal information when the processing is necessary for the legitimate interests pursued by the PIC or a third party to whom the personal information is disclosed. The following are the general considerations in using legitimate interest as the lawful basis for the processing of personal data:

  1. Legitimate interest refers to any actual and real interest, benefit, or gain that a PIC or third party may have in or may derive from the processing of specific personal information.
  2. The processing based on legitimate interest may only be relied on for the processing of personal information. It cannot be relied upon when the processing involves sensitive personal information and privileged information.
  3. The third party in Sec. 12(f) of the DPA refers to any natural or juridical person to whom the personal information is disclosed and who is not the PIC, the personal information processor (PIP), or the data subject of the specific processing activity.
  4. The fundamental rights and freedoms of the data subject protected under the Philippine Constitution and the effect and impact of the specific processing activity on such rights and freedoms shall be assessed and weighed against the legitimate interest of the PIC or third party through a legitimate interest assessment.

It is worth noting that in this Circular, the legitimate interests of the PIC and third parties are the ones considered. Also, although it is not explicitly stated in the Circular, providing data subjects with a Privacy Notice stating that their personal data is being processed based on legitimate interest is still required.

Processing based on Legitimate Interest

Requisites:

  1. Legitimate interest is established; (Purpose Test)
  2. The means to fulfill the legitimate interest is both necessary and lawful; (Necessity Test)
  3. The interest is legitimate and lawful, and it does not override the fundamental rights and freedoms of the data subjects. (Balancing Test)

In the absence of any one of these requisites, the PIC should not proceed with the processing of the personal data with legitimate interest as its basis. To illustrate, a PIC cannot have a situation where the purpose of the processing is specific but contrary to law. Thus, all elements must concur.

The Purpose Test

To determine if processing based on legitimate interest is compliant with the first requirement, we utilize the purpose test. To pass this test, the processing activity must be able to satisfy the following:

  1. The purpose of the specific processing activity must be specific, such that it is clearly defined and not vague or overbroad;
  2. The purpose of the specific processing activity must not be contrary to laws, morals or public policy following the principle of legitimate purpose; and
  3. The interest established must be declared to the data subject prior to the processing or at the next practical opportunity, following the principle of transparency and the right of the data subject to be informed.

To simplify, this test asks the question “what is the PIC’s purpose?”

The Necessity Test

The necessity test entails that the means or method chosen for the specific processing activity to accomplish the legitimate interest should be necessary and lawful. To pass this test, the following should concur:

  1. The means to fulfill the legitimate interest must be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose, in accordance with the principle of proportionality; and
  2. The means chosen to accomplish the legitimate interest is itself lawful.

To simplify, this test asks the question “how is the PIC achieving that purpose?”

The Balancing Test

A PIC relying on legitimate interest shall determine whether the processing undertaken does not override the data subject’s fundamental rights and freedoms. Using this test, the PIC or third party must look at the effect or impact of the processing, the interest established, and the means by which it is fulfilled.

The factors may include, but are not limited to, the following:

  1. Effect or impact of the specific processing activity on the data subject;
  2. Security measures in place to protect the personal information involved in the specific processing activity or to mitigate the effect or impact of the specific processing activity on the data subject;
  3. Availability of other means or methods to fulfill the legitimate purpose; and
  4. Reasonable expectation of the data subject on the processing of their personal information, taking into consideration the surrounding circumstances of each case. A PIC shall consider what a reasonable person would find acceptable under the circumstances, taking into consideration the interest established.

As opposed to the Purpose and Necessity Tests, the Balancing Test takes into consideration factors and not requisites.

Obligations of the PIC

Documentation

The PIC should document the conduct and result of the Legitimate Interest Assessment.

  • A PIC must regularly evaluate its compliance with the requisites for legitimate interest as part of its regular processes.
  • A PIC must keep records of the Legitimate Interest Assessment made as the basis for relying on Sec. 12(f) of the DPA to process personal information.
  • In case of investigation or compliance check, the NPC may require the submission of records of the legitimate interest assessment.

Further processing of Personal Information based on legitimate interest

If consent was the original basis for the processing, further processing for additional purposes that constitute legitimate interest may be allowed in accordance with Section 6(b) of the Guidelines for Consent.

Legitimate Interest of Third Parties

A PIC shall verify the legitimate interest of third parties to whom personal information may be disclosed either through its own Legitimate Interest Assessment or the third party’s own Legitimate Interest Assessment.

Processing by Public Authorities

The general rule is that legitimate interest shall not apply to the processing carried out by public authorities in the performance of their constitutional or statutory mandates.

Legitimate interest may be considered an appropriate basis for specific processing carried out by government agencies that is not expressly provided in their mandate and does not fall squarely within any other criteria provided in Section 12 of the DPA or as a special case under Section 4 of the DPA. Legitimate interest may only apply to ancillary processing activities performed in the ordinary course of business.