Legal Bases for Processing of Personal Data
Is an identified legal basis required in order to collect or process non-sensitive personal data?

Last review date: 7 January 2025

Yes.

The following are potential legal bases for processing personal data:

         the data subject has provided consent to the processing for the identified purposes

         the personal data is necessary to perform a contract with the data subject

         the personal data is necessary to comply with a legal obligation

         the personal data is necessary to protect the vital interests of a natural person

         the personal data is necessary for a public interest

         the personal data is necessary to fulfil a legitimate interest of the controller or third party (provided that the interest is not overridden by the data subject's privacy interests and the data subject has not made use of his/her right to object)

Is an identified legal basis required in order to collect or process sensitive personal data?

Last review date: 7 January 2025

Yes.

The Privacy Act does not make specific reference to "sensitive personal data." The same matters that apply to "non-sensitive data" will apply.

The following are potential legal bases for processing special categories of personal data:

         the data subject has given consent to the processing, where consent is held to a higher standard than for non-sensitive personal data (for example, an additional requirement for consent to be "explicit")

         processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent

         processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and further conditions

         processing is necessary for the establishment, exercise or defense of legal claims

         processing is necessary for the purposes of medicine, the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services

Are there special requirements that apply to the collection or processing of personal data from minors?

Last review date: 7 January 2025

Yes. If a Personal Information Controller (PIC) processes a minor’s personal data on the basis of consent, the PIC must obtain parental consent, as a minor is legally incapable of providing valid consent under Philippine data privacy regulations.

In what circumstances do these special requirements apply?

The requirement of parental consent only applies in case the PIC will rely on consent as its legal basis to process the minor’s personal data.

Last review date: 7 January 2025

         generally

         other

Minors are considered vulnerable data subjects. The processing of their information is considered likely to pose a risk to their rights and freedoms. Consequently, PICs that process minors' sensitive personal information, or information about minors that may enable identity fraud, are likely to be covered by personal data breach notification obligations in case of confidentiality breaches of such data.

 

What are the special requirements that apply to collecting or processing personal data from minors?

Last review date: 7 January 2025

         consent must be given or authorized by the parent/guardian of the minor

         other

In case of a personal data breach involving minors, notification must be made to both the minor and their parents or guardians.