Lawful processing of personal data

1. Criteria for Lawful Processing of Personal Information.

Processing of personal information is allowed, unless prohibited by law.

For processing to be lawful, any of the following conditions must be complied with:

1) The data subject must have given his or her consent prior to the collection, or as soon as practicable and reasonable;

2) The processing involves the personal information of a data subject who is a party to a contractual agreement, in order to fulfill obligations under the contract or to take steps at the request of the data subject prior to entering the said agreement;

3) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;

4) The processing is necessary to protect vitally important interests of the data subject, including his or her life and health;

5) The processing of personal information is necessary to respond to national emergency or to comply with the requirements of public order and safety, as prescribed by law;

6) The processing of personal information is necessary for the fulfillment of the constitutional or statutory mandate of a public authority; or

7) The processing is necessary to pursue the legitimate interests of the personal information controller, or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject, which require protection under the Philippine Constitution. (Section 21, Rule V, IRR of the Data Privacy Act)

2. Sensitive personal information and privileged information

The processing of sensitive personal and privileged information is prohibited, except in any of the following cases:

1) Consent is given by data subject, or by the parties to the exchange of privileged information, prior to the processing of the sensitive personal information or privileged information, which shall be undertaken pursuant to a declared, specified, and legitimate purpose;

2) The processing of the sensitive personal information or privileged information is provided for by existing laws and regulations: Provided, that said laws and regulations do not require the consent of the data subject for the processing, and guarantee the protection of personal data;

3) The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;

4) The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations provided that:

(a) Processing is confined and related to the bona fide members of these organizations or their associations;

(b) The sensitive personal information are not transferred to third parties; and

(c) Consent of the data subject was obtained prior to processing;

5) The processing is necessary for the purpose of medical treatment: Provided, that it is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal data is ensured; or

6) The processing concerns sensitive personal information or privileged information necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise, or defense of legal claims, or when provided to government or public authority pursuant to a constitutional or statutory mandate. (Section 22, Rule V, Ibid.)

3. Extension of privileged communication

Personal information controllers may invoke the principle of privileged communication over privileged information that they lawfully control or process. Subject to existing laws and regulations, any evidence gathered from privileged information is inadmissible.

When the Commission inquires upon communication claimed to be privileged, the personal information controller concerned shall prove the nature of the communication in an executive session. Should the communication be determined as privileged, it shall be excluded from evidence, and the contents thereof shall not form part of the records of the case: Provided, that where the privileged communication itself is the subject of a breach, or a privacy concern or investigation, it may be disclosed to the Commission but only to the extent necessary for the purpose of investigation, without including the contents thereof in the records. (Section 23, Rule V, Ibid.)

4. Surveillance of suspects and interception of recording of communications

Section 7 of Republic Act No. 9372, otherwise known as the “Human Security Act of 2007”, is hereby amended to include the condition that the processing of personal data for the purpose of surveillance, interception, or recording of communications shall comply with the Data Privacy Act, including adherence to the principles of transparency, proportionality, and legitimate purpose. (Section 24, Rule V, Ibid.)


Republic Act No. 10173, Data Privacy Act of 2012

2016 IRR of the Data Privacy Act

Similar Posts