Principles of Processing
Plain English Translation
RA 10173 requires all personal data processing to comply with three core principles: transparency, legitimate purpose, and proportionality. Transparency means data subjects must be fully informed about how their data is collected and used; legitimate purpose means the declared reason must be lawful and specific; proportionality means only the data strictly necessary for that purpose may be collected. Together these principles form the legal foundation for every data processing activity in the organization.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Draft and publish a clear privacy notice informing users of exactly what data is collected, why it is needed, and how it is processed.
Required Actions (scaleup)
- Implement data minimization checks in the software development lifecycle to ensure applications do not collect excessive data beyond the declared purpose.
Required Actions (enterprise)
- Deploy automated data mapping and consent management platforms that dynamically track adherence to proportionality and transparency across all integrated business systems.
Under Rule IV, Section 18, the general data privacy principles that must govern all processing of personal data are transparency, legitimate purpose, and proportionality.
Transparency means the data subject must be fully informed about the nature, purpose, method, and extent of data processing, their rights, and the data controller's identity.
Legitimate purpose requires that all data processing is compatible with a specifically declared business or operational purpose that is not contrary to law, morals, or public policy.
Proportionality dictates that the processing of personal information must be adequate, relevant, suitable, necessary, and strictly not excessive in relation to the originally declared purpose.
Organizations comply by publishing transparent, accessible privacy notices, strictly defining lawful business purposes for all data collection, and enforcing rigid data minimization practices.
Lawful processing requires a valid basis, such as informed consent or contract fulfillment, combined with absolute adherence to the core principles of transparency, legitimate purpose, and proportionality.
A privacy notice must clearly declare the specific reasons for collecting data (purpose), detail exactly how it will be processed (transparency), and explain why the specific data points are strictly necessary (proportionality).
Evidence demonstrating compliance includes an updated public privacy policy, a comprehensive Record of Processing Activities (RoPA), documented Privacy Impact Assessments, and implemented system-level data minimization controls.
The NPC assesses compliance by reviewing published privacy notices, inspecting internal data flow maps, and evaluating whether the volume and type of data collected are demonstrably necessary for the stated functions.
Legitimate purpose ensures the underlying reason for processing is legally and ethically valid, whereas proportionality ensures the amount and type of data collected is not excessive for achieving that valid reason.
These principles are difficult to prove if privacy notices, processing purposes, and review records are scattered across teams. Tools like WatchDog Security's Compliance Center can centralize control requirements, map evidence to RA 10173 obligations, and track gaps when privacy documentation or review records are missing.
Transparency depends on keeping privacy notices, internal privacy policies, and employee acknowledgements current as processing activities change. Tools like WatchDog Security's Policy Management can help maintain version-controlled policy documents, route updates for review, and track acceptance across relevant personnel.
"The processing of personal data shall adhere to the principles of transparency, legitimate purpose and proportionality. a. Transparency. Processing of personal data shall be known to the data subject... b. Legitimate purpose. The processing of information shall be compatible with a declared and specified purpose... c. Proportionality. The processing of information shall be adequate, relevant, suitable, necessary and not excessive..."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-06 | Compliance Content Specialist | Initial publication |

