
Lawful Basis

Definition

A lawful basis is the documented reason an organization relies on to collect, use, disclose, retain, or otherwise process personal information. Under the Philippines Data Privacy Act of 2012 and its Implementing Rules and Regulations, this aligns with the criteria for lawful processing of personal information and the separate conditions for processing sensitive personal information and privileged information. Similar concepts appear in other privacy frameworks as legal bases, permissible purposes, consent requirements, or controller accountability obligations.

In practice, lawful basis analysis helps teams explain why personal information is needed, whether the purpose is legitimate, what individuals should be told, and what controls should apply throughout the data lifecycle. It is not just a privacy concept; it supports broader Information Security and GRC activities such as data inventories, access control, retention schedules, vendor assessments, consent management, incident response, and audit evidence.

Organizations should identify the lawful basis before processing begins, document the decision, review it when purposes change, and ensure notices, contracts, records, and technical controls remain aligned. A well-managed lawful basis process reduces compliance risk by preventing unnecessary data collection, unclear data use, and unsupported secondary processing.

Real-World Examples

Customer Account Creation

A SaaS company documents why it collects a customer's name, business email, billing details, and login information to create and maintain an account.

Employee Access Management

A scaleup records the lawful basis for processing employee identity and role information so it can provision systems, enforce access controls, and meet workplace obligations.

Marketing Preference Review

A startup reviews whether it can send product updates to contacts and checks that its basis, notice, unsubscribe process, and records are aligned.

Vendor Data Processing

An enterprise confirms the lawful basis for sharing limited personal information with a payroll, support, or analytics provider and documents related safeguards.

A lawful basis is the reason an organization can justify processing personal information for a specific purpose. Under the Philippines Data Privacy Act, organizations commonly document this as the applicable criterion for lawful processing. It should be identified before processing starts, documented in internal records, and reflected in privacy notices, contracts, controls, and retention decisions.

Organizations need a lawful basis to show that personal information is not being collected or used arbitrarily. It helps demonstrate accountability, supports audit readiness, guides data minimization, and ensures business teams understand why each type of personal information is needed.

Under the Philippines Data Privacy Act, criteria for lawful processing of personal information include consent, contract-related necessity, compliance with legal obligations, protection of life and health, public order and public safety, and legitimate interests that are not overridden by fundamental rights and freedoms. Sensitive personal information and privileged information are subject to separate, more restrictive conditions.

Choose the lawful basis by reviewing the purpose of processing, the type of personal information involved, the relationship with the individual, business necessity, applicable obligations, and potential impact on individuals. For Philippines DPA compliance, organizations should also distinguish ordinary personal information from sensitive personal information or privileged information before selecting the applicable criterion.

Consent relies on an individual's clear permission for a defined activity, while legitimate interest relies on a documented organizational purpose that is necessary and balanced against individual expectations and potential harm. Under the Philippines DPA, legitimate interest is a lawful basis for processing personal information, but organizations should carefully confirm whether it applies to the specific data category and purpose. Consent usually requires a practical way for individuals to withdraw permission.

Changing a lawful basis after collection can be difficult because the original purpose, notice, and individual expectations matter. If the processing purpose changes, the organization should reassess the basis, update documentation, revise notices where needed, and confirm that continued processing is still appropriate.

Documentation should include the processing purpose, data categories, affected individuals, selected basis, rationale, related notices, retention period, systems involved, vendors involved, approvals, and review dates. This record helps privacy, security, legal, and audit teams verify that processing remains controlled.

Employee data processing often depends on the purpose, such as payroll, benefits, access management, security monitoring, workplace administration, or legal obligations. Organizations should avoid assuming one basis covers all employee data and should document each major processing activity separately.

The lawful basis for marketing emails depends on how the contact was obtained, the relationship with the recipient, the message type, notice provided, preferences captured, and opt-out controls. Marketing teams should coordinate with privacy and compliance teams before launching campaigns.

Lawful basis supports Information Security and GRC by linking personal data processing to governance records, control ownership, risk assessments, vendor reviews, retention rules, and audit evidence. It helps ensure that security controls protect data that the organization is actually justified in processing.

Version  Date        Author             Description
1.0.0    2026-05-10  WatchDog GRC Team  Initial publication