1) Why “lawful basis” matters under the Data Privacy Act
The Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations (IRR) require that personal data be processed only when it is lawful, fair, and proportionate. “Lawful basis” answers the threshold question: On what legal ground may an organization collect, use, store, share, or otherwise process personal data?
Fraud prevention and legal purposes (e.g., compliance, enforcement, defense of claims, responding to subpoenas) often involve high-impact processing—investigations, monitoring, watchlists, identity verification, and disclosures to authorities—so selecting and documenting the correct lawful basis is critical.
2) Key definitions that shape fraud- and legal-related processing
Personal information vs. sensitive personal information vs. privileged information
Personal information is any information that identifies an individual, alone or combined with other data (e.g., names, IDs, account numbers, device identifiers when linkable to a person).
Sensitive personal information includes, among others:
- Government-issued identifiers (in many contexts), tax/SSS/GSIS numbers
- Health, education, genetic/biometric data
- Information about an individual’s alleged or established criminal offense or proceedings
- Data concerning race, ethnic origin, marital status, religious/philosophical/political affiliations (as defined by law/IRR)
Privileged information is information covered by recognized privileges (e.g., attorney–client), and generally has stricter limits.
Fraud prevention commonly touches sensitive data (IDs, biometrics for verification, potential criminal allegations), which raises the compliance bar.
Processing
“Processing” is broad: collection, recording, organization, storage, updating, retrieval, consultation, use, disclosure, combination, erasure, destruction, etc. Fraud detection analytics, KYC, watchlist screening, and case management are all processing.
3) The core lawful bases for processing personal information
Under Philippine rules, processing of personal information is permitted when any of the following grounds applies (the phrasing varies slightly between the Act and IRR, but the practical categories are consistent):
A. Consent (when it is truly voluntary and informed)
Processing is lawful if the data subject gives consent—freely given, specific, informed, and evidenced (and for sensitive personal information, often requiring written or similarly strong form, subject to IRR conditions).
Fraud context: Consent can support optional anti-fraud features (e.g., device binding, enhanced security), but it is often a weak foundation for core fraud prevention because:
- Consent must be freely given—power imbalances (bank/customer, employer/employee) can undermine validity.
- Data subjects can withdraw consent; core fraud controls usually must continue.
Use consent where it makes sense, but don’t force-fit it for essential anti-fraud controls.
B. Contractual necessity (necessary to fulfill a contract or to take steps at the data subject’s request)
Processing is lawful if necessary for:
- The performance of a contract to which the data subject is a party; or
- Steps requested by the data subject before entering into a contract
Fraud context examples:
- Verifying identity to open an account the customer requests
- Transaction monitoring directly tied to delivering secure payment services
- Authenticating users to provide online access they requested
Limit: “Necessary” is narrower than “useful.” If the fraud-control processing goes beyond what’s needed to provide the service (e.g., extensive data enrichment unrelated to the requested product), you may need another basis (often legitimate interests or legal obligation).
C. Legal obligation (necessary for compliance with a legal obligation)
Processing is lawful when needed to comply with a lawful obligation of the organization.
Fraud context examples:
- Recordkeeping obligations imposed by financial, tax, labor, consumer, securities, anti-money laundering, and related regulations
- Mandatory reporting to competent authorities when a law requires it (e.g., suspicious transaction reporting regimes in regulated sectors)
This basis is powerful when a statute/regulation clearly requires the processing, retention, or disclosure.
D. Vital interests (to protect life and health)
Processing may be lawful when necessary to protect the data subject’s life/health or that of another person.
Fraud context: Usually rare, but may apply in emergency disclosures (e.g., imminent harm scams).
E. Public authority (necessary to carry out functions of public authority)
Processing is lawful when necessary to fulfill functions of public authority (typically relevant to government agencies or private entities performing delegated public functions).
Fraud context: Government fraud investigations, enforcement actions, and related information systems may rely on this; private entities may use it only if they are legitimately acting under a delegated mandate.
F. Legitimate interests (necessary for legitimate interests, balanced against rights and freedoms)
Processing is lawful when necessary for the legitimate interests pursued by the personal information controller or a third party, except where overridden by the fundamental rights and freedoms of the data subject.
Fraud prevention is a classic legitimate interest—protecting customers, preventing financial loss, securing systems, maintaining trust, and preventing crime.
However, this basis requires a balancing approach:
- Identify the legitimate interest (e.g., fraud prevention, network security, credit risk integrity)
- Demonstrate necessity (no less intrusive means reasonably available)
- Balance against rights/expectations of the data subject (transparency, proportionality, safeguards)
Strong safeguards typically expected in fraud-prevention legitimate-interest processing:
- Purpose limitation (anti-fraud only, no unrelated marketing piggybacking)
- Minimization (only what’s needed for detection/investigation)
- Access controls and audit trails
- Clear retention limits
- Due process protections for adverse actions (see automated decisions/profiling discussion below)
4) Lawful bases for processing sensitive personal information (often implicated in fraud cases)
Fraud prevention frequently uses or generates sensitive data:
- Government IDs and numbers
- Biometrics (face/fingerprint) for verification
- Suspicion indicators that may relate to alleged offenses
For sensitive personal information, the law imposes stricter conditions. Processing is generally allowed when one of the following applies (conceptually grouped):
A. Explicit/written consent (subject to IRR requirements)
Often the cleanest basis when the processing is optional or truly choice-based (e.g., biometric login). But it must still be freely given.
B. Provided by law and necessary to protect lawful rights and interests, including in legal claims
Sensitive data may be processed when authorized by law and subject to safeguards, or when necessary to establish, exercise, or defend legal claims, or to protect lawful rights and interests in court/tribunal proceedings.
Fraud/legal context examples:
- Using evidence (including sensitive data) to pursue civil recovery or defend against a claim
- Submitting documentation in court cases, arbitration, or administrative proceedings
- Internal investigations preparatory to litigation, when tightly controlled and purpose-bound
C. Necessary for the protection of life and health
Again, less common for fraud, but possible for emergency cases.
D. Necessary for medical treatment / public health / social protection (sector-specific)
Usually not central to fraud prevention except in health insurance, HMO, or benefits fraud investigations—where additional sector rules and confidentiality obligations may apply.
Practical point: Because sensitive-data handling is scrutinized, fraud programs should explicitly classify data elements and ensure each sensitive element is tied to a recognized basis, with heightened safeguards.
5) Fraud prevention: mapping common activities to lawful bases
Below is a practical mapping. In real deployments, a single fraud program may rely on multiple bases depending on the activity.
5.1 Identity verification (KYC, account opening, customer onboarding)
- Contractual necessity: to open/maintain the account the customer requests
- Legal obligation: if sector rules mandate KYC/verification steps
- Legitimate interests: to prevent identity fraud and account takeover
- Consent: for optional verification methods (e.g., biometrics), where feasible and voluntary
5.2 Transaction monitoring and anomaly detection
- Contractual necessity: to provide secure transaction services
- Legal obligation: when monitoring/reporting is mandated
- Legitimate interests: preventing fraud loss and protecting customers
5.3 Device fingerprinting, behavioral analytics, risk scoring
- Typically legitimate interests, sometimes contractual necessity (security as integral to service)
- Use minimization and transparency: explain the categories of data used (device identifiers, login patterns). You need not disclose the investigative “rules” themselves, but enough for fair processing.
5.4 Watchlists, blocklists, internal fraud databases
- Legitimate interests: preventing repeat fraud, securing systems
- Legal obligation: where mandated lists exist in regulated contexts
- For sensitive elements (e.g., alleged offense), ensure a sensitive-data ground (often “authorized by law/necessary to protect lawful rights/interests” + safeguards).
5.5 Sharing with payment networks, banks, insurers, merchants, platforms
- Contractual necessity: if sharing is needed to complete transactions or deliver contracted services
- Legitimate interests: network fraud prevention, subject to balancing and safeguards
- Data sharing agreements are crucial: define purpose, roles, security, retention, and breach cooperation.
5.6 Disclosures to law enforcement or regulators
- Legal obligation: when disclosure is legally required
- Compliance with lawful processes: subpoenas, court orders, lawful requests (ensure authority, scope, and proportionality)
- When discretionary, evaluate legitimate interests and data subject rights; document why disclosure is necessary and lawful.
6) “Legal purposes”: what they usually mean and the lawful bases that support them
“Legal purposes” often include:
A. Compliance and regulatory governance
Examples: mandatory retention, reporting, audits, responding to supervisory examinations.
- Legal obligation is the primary basis.
- Legitimate interests may support internal compliance monitoring not strictly mandated but necessary for risk management.
B. Establishing, exercising, or defending legal claims
Includes litigation holds, evidence collection, internal investigations, and coordination with counsel.
- For personal information: typically legitimate interests (defense of claims) and/or legal obligation (when required by procedure/law).
- For sensitive personal information: rely on the legal claims / protection of lawful rights and interests condition (with safeguards), and disclose only what is necessary.
C. Responding to compulsory legal process (subpoena, court order, warrant)
Legal obligation (or compliance with lawful order) is typically the basis.
Always validate:
- The issuing authority
- The scope (data categories, time period, individuals)
- The legal limits on disclosure and confidentiality
D. Contract enforcement and fraud recovery
Civil recovery (chargebacks, collection, restitution), termination for cause, blacklisting within lawful bounds.
- Contractual necessity (enforcement-related processing)
- Legitimate interests (protecting assets, preventing losses)
- For sensitive aspects (e.g., allegations), apply the stricter sensitive-data conditions and due process controls.
7) The “non-negotiables”: principles that apply regardless of lawful basis
Even with a lawful basis, processing must comply with core data protection principles:
Transparency
Provide a clear privacy notice describing:
- What data is collected
- Purposes (including fraud prevention, security, compliance, legal claims)
- Sharing categories (processors, affiliates, authorities where lawful)
- Retention periods or criteria
- Data subject rights and how to exercise them
Fraud programs often want secrecy; the standard approach is transparency about categories and purposes, without revealing detection thresholds or playbooks that would enable evasion.
Proportionality and data minimization
Collect and use only what is relevant and necessary. Fraud justification does not permit limitless data hoarding.
Purpose limitation
Anti-fraud data should not be repurposed for unrelated objectives (e.g., marketing) without a separate lawful basis and proper notice.
Accuracy
Fraud flags can be wrong; implement correction mechanisms, review workflows, and escalation paths.
Security (organizational, physical, technical)
Fraud data is high-value and sensitive. Expect strong controls:
- Role-based access and least privilege
- Logging and audit trails
- Encryption in transit and at rest (as appropriate)
- Segregation of duties
- Secure case management
- Vendor risk management for outsourced fraud operations
Retention limitation
Keep data only as long as necessary for fraud prevention/legal purposes and any statutory retention requirements; then securely dispose.
Accountability
Organizations should be able to prove compliance through:
- Documented lawful basis per processing activity
- Policies and procedures
- Training
- Contracts with processors
- Incident response plans
8) Data subject rights and how they interact with fraud prevention
Data subjects have rights such as:
- Be informed
- Access
- Correct
- Object (in certain cases)
- Erasure/blocking (subject to lawful limits)
- Damages (where applicable)
Fraud prevention can lawfully limit certain disclosures in narrow circumstances (e.g., when disclosure would prejudice an ongoing investigation or violate legal restrictions), but organizations should:
- Provide responses that are as complete as lawfully possible
- Document the justification for any restriction
- Offer review channels (e.g., appeal of account actions)
9) Automated decision-making, profiling, and adverse actions (a practical fraud risk area)
Philippine law does not mirror the GDPR’s highly specific automated decision-making regime verbatim, but fraud systems often involve:
- Automated risk scoring
- Automated blocking/declines
- Automated watchlisting
To align with fairness and proportionality:
- Avoid purely automated irreversible adverse actions for borderline cases; use human review where feasible.
- Maintain explainability at a reasonable level (why a transaction was declined in general terms, not “your velocity rule exceeded 3.7σ”).
- Provide avenues for correction (false positives) and reassessment.
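The three points above (human review for borderline cases, general-level explanations, a correction path) can be built into the decisioning layer itself. The following is an added example and is not code from the original page; the score bands, reason codes, appeal channel and the assumed lawful basis are constructed. It routes the borderline band to a human reviewer, keeps every automated action reversible, maps internal rule hits to customer-facing text that never exposes the rule name or threshold, and refuses to finalize an irreversible action without a named reviewer.

```python
"""Tiered fraud decisioning with human review and general-level reason codes.

Added example, not from the page. Thresholds, reason texts, the appeal
channel and the default lawful basis are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed score bands: clear cases are automated, the borderline band
# goes to a human reviewer instead of an automated adverse action.
AUTO_APPROVE_BELOW = 0.30
AUTO_HOLD_FROM = 0.90

# Internal rule hits map to general-level customer explanations; the rule
# name and its threshold stay internal (investigator-facing audit only).
CUSTOMER_REASONS = {
    "velocity": "unusual transaction frequency for this account",
    "new_device": "sign-in from a device not previously seen on this account",
    "geo_mismatch": "activity location inconsistent with recent account use",
}

APPEAL_CHANNEL = "support ticket: request review of account action"  # constructed


@dataclass
class Decision:
    action: str            # "approve", "human_review" or "hold"
    reversible: bool       # automated actions are never irreversible here
    customer_reason: str   # general-level explanation for the data subject
    appeal_channel: str    # correction / reassessment path
    audit: dict = field(default_factory=dict)  # investigator-facing record


def customer_explanation(rule_hits):
    """Return general-level reasons only; unknown rules get a generic text."""
    texts = [CUSTOMER_REASONS.get(r, "activity inconsistent with normal account use")
             for r in rule_hits]
    # dict.fromkeys deduplicates while preserving order
    return "; ".join(dict.fromkeys(texts)) or "no adverse action taken"


def decide(event_id, score, rule_hits, lawful_basis="legitimate_interests"):
    """Route one scored event: approve, send to human review, or hold (reversible)."""
    if score < AUTO_APPROVE_BELOW:
        action, reason = "approve", "no adverse action taken"
    elif score < AUTO_HOLD_FROM:
        action, reason = "human_review", "transaction pending review"
    else:
        action, reason = "hold", customer_explanation(rule_hits)
    audit = {
        "event_id": event_id,
        "at": datetime.now(timezone.utc).isoformat(),
        "score": score,                  # internal only
        "rule_hits": list(rule_hits),    # internal only
        "lawful_basis": lawful_basis,    # assumed; documented per activity
        "action": action,
    }
    return Decision(action, True, reason, APPEAL_CHANNEL, audit)


def finalize_closure(decision, reviewer_id):
    """Irreversible action (account closure) only after a named human review."""
    if not reviewer_id:
        raise ValueError("irreversible adverse action requires human review")
    if decision.action not in ("hold", "human_review"):
        raise ValueError("closure only follows a hold or review decision")
    return {**decision.audit, "action": "closed", "reviewer_id": reviewer_id}


if __name__ == "__main__":
    d = decide("evt-demo", 0.97, ["velocity", "new_device"])
    print(d.action, "|", d.customer_reason)
    print(finalize_closure(d, "reviewer-42")["action"])
```

The audit record keeps the score and rule hits for investigators and the stated lawful basis for the accountability record, while the data subject sees only the general-level reason and the appeal channel.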
10) Sharing, outsourcing, and cross-border transfers in fraud programs
A. Controller vs. processor roles
- If a vendor processes data on your instructions, it’s typically a processor relationship requiring a processing agreement with strong privacy and security clauses.
- If parties determine purposes jointly (e.g., a consortium fraud network), roles can be more complex; define responsibilities clearly.
B. Data sharing agreements
When sharing fraud-related data with other entities (banks, merchants, affiliates, platforms), agreements should cover:
- Specific purpose (fraud prevention, compliance, investigations)
- Data categories and minimization
- Security standards
- Retention and deletion
- Incident/breach cooperation
- Audit rights
- Restrictions on onward disclosure
C. Cross-border transfers
Permitted when safeguards are in place and the transfer is consistent with the lawful basis and transparency commitments. In practice, implement:
- Contractual protections
- Security controls
- Vendor due diligence
- Clear retention and access restrictions
11) Government requests and law enforcement cooperation: safe handling framework
When receiving a request for fraud-related personal data:
- Verify authority and legal basis (is there a subpoena, court order, statutory power, or other lawful mechanism?)
- Assess scope and necessity (limit to what’s requested and necessary)
- Document the disclosure (what, when, to whom, under what authority)
- Apply security (secure transmission, chain of custody)
- Consider notice (if legally permitted and consistent with investigation needs; sometimes notice is restricted)
12) Compliance program essentials for fraud-and-legal processing
For a robust posture, organizations typically implement:
A. Records of processing / data inventory
List fraud-related processing activities and for each:
- Purpose
- Data categories (including sensitive)
- Data subjects
- Recipients/sharing
- Retention
- Security measures
- Lawful basis and justification
B. Legitimate Interest Assessment (where used)
A written assessment that captures:
- Interest pursued
- Necessity test
- Balancing test
- Safeguards to reduce impact
C. Privacy Impact Assessment (PIA) / risk assessment
Especially for:
- Large-scale monitoring
- Biometrics
- Cross-entity fraud consortium sharing
- High-risk profiling
D. Incident response and breach readiness
Fraud datasets are prime breach targets; ensure incident handling, containment, and notification protocols align with legal requirements.
E. Training and access governance
Fraud investigators and legal teams often need broad access; strict role definitions and audit logs are essential.
13) Common pitfalls (and how to avoid them)
Treating fraud prevention as a blanket excuse. Fix: tie each activity to a lawful basis; apply minimization and retention limits.
Over-reliance on consent for mandatory controls. Fix: use contractual necessity/legal obligation/legitimate interests for essential controls; reserve consent for optional features.
Repurposing fraud data for unrelated analytics/marketing. Fix: enforce purpose limitation; obtain a separate lawful basis if needed.
Poor handling of sensitive personal information. Fix: classify data; ensure sensitive-data conditions are met; apply heightened safeguards.
Opaque adverse actions with no remediation path. Fix: implement review processes and correction mechanisms for false positives.
Weak data sharing governance. Fix: formalize sharing arrangements; define roles; require security and retention terms.
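The records-of-processing inventory in section 12A, the sensitive-element classification point in section 4, and the pitfalls just listed can be enforced mechanically over the inventory. The following is an added example and is not code from the original page; the record schema, field names, category and basis labels, and the sample records are constructed. Each check encodes one rule from the page: every activity needs a lawful basis, sensitive categories need a sensitive-data ground, an essential control should not rest on consent alone, legitimate interests needs a documented assessment, anti-fraud data is not mixed with marketing purposes, and retention and security measures must be recorded.

```python
"""Policy-as-code lint over a records-of-processing inventory.

Added example, not from the page. Field names, category/basis labels and
the sample records are constructed assumptions.
"""

# Constructed label sets mirroring the page's categories
SENSITIVE_CATEGORIES = {"government_id", "biometric", "alleged_offense", "health"}
PERSONAL_INFO_BASES = {"consent", "contract", "legal_obligation",
                       "vital_interests", "public_authority", "legitimate_interests"}
SENSITIVE_INFO_BASES = {"explicit_consent", "authorized_by_law", "legal_claims",
                        "life_health", "medical_public_health"}


def check_activity(record):
    """Return a list of findings for one processing-activity record."""
    findings = []
    bases = set(record.get("lawful_bases", []))
    if not bases:
        findings.append("no lawful basis documented")
    unknown = bases - PERSONAL_INFO_BASES
    if unknown:
        findings.append(f"unrecognized lawful basis: {sorted(unknown)}")
    # Sensitive elements must be tied to a sensitive-data ground
    sensitive = set(record.get("data_categories", [])) & SENSITIVE_CATEGORIES
    if sensitive and not (set(record.get("sensitive_bases", [])) & SENSITIVE_INFO_BASES):
        findings.append(f"sensitive categories {sorted(sensitive)} lack a sensitive-data ground")
    # Essential controls should not rest on withdrawable consent alone
    if record.get("essential") and bases == {"consent"}:
        findings.append("essential control relies on consent alone")
    # Legitimate interests needs a written assessment reference
    if "legitimate_interests" in bases and not record.get("lia_ref"):
        findings.append("legitimate interests claimed without a documented LIA")
    # Purpose limitation: no marketing piggybacking on anti-fraud data
    purposes = set(record.get("purposes", []))
    if "fraud_prevention" in purposes and "marketing" in purposes:
        findings.append("anti-fraud data repurposed for marketing in the same activity")
    if not record.get("retention"):
        findings.append("no retention period or criteria")
    if not record.get("security_measures"):
        findings.append("no security measures recorded")
    return findings


def lint_inventory(records):
    """Map activity name -> findings for a whole inventory."""
    return {r["name"]: check_activity(r) for r in records}


# Constructed sample inventory (three activities, two with defects)
SAMPLE_INVENTORY = [
    {"name": "kyc_onboarding", "purposes": ["fraud_prevention", "compliance"],
     "data_categories": ["name", "government_id", "biometric"],
     "lawful_bases": ["contract", "legal_obligation"],
     "sensitive_bases": ["authorized_by_law", "explicit_consent"],
     "essential": True, "retention": "5 years after account closure (constructed)",
     "security_measures": ["rbac", "audit_log", "encryption_at_rest"]},
    {"name": "device_fingerprinting", "purposes": ["fraud_prevention"],
     "data_categories": ["device_id", "login_pattern"],
     "lawful_bases": ["consent"], "essential": True,
     "security_measures": ["rbac"]},  # no retention recorded
    {"name": "internal_fraud_watchlist", "purposes": ["fraud_prevention", "marketing"],
     "data_categories": ["name", "alleged_offense"],
     "lawful_bases": ["legitimate_interests"],  # no lia_ref, no sensitive ground
     "retention": "reviewed annually (constructed)",
     "security_measures": ["rbac", "audit_log"]},
]

if __name__ == "__main__":
    for name, findings in lint_inventory(SAMPLE_INVENTORY).items():
        print(name, "->", findings or "OK")
```

Run against the sample inventory, the KYC record passes, the device-fingerprinting record is flagged for consent-only essential processing and missing retention, and the watchlist record is flagged for an alleged-offense element without a sensitive-data ground, legitimate interests without an assessment, and a marketing purpose mixed into anti-fraud processing.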
14) Sector notes (where fraud and legal purposes are especially regulated)
- Financial institutions / payments: monitoring, KYC, and reporting often have strong legal obligation foundations; consortium and interbank sharing should be carefully structured and documented.
- Insurance: claims investigation can be legitimate interest and contract-based; medical data in fraud investigations triggers sensitive-data rules and confidentiality expectations.
- E-commerce / platforms: legitimate interests is common for anti-fraud analytics; transparency and minimization are key, especially with device and behavioral tracking.
- Employers: internal investigations may rely on legitimate interests and legal obligation; be careful with power imbalance and the limited validity of “consent” in employment.
15) Penalties and enforcement exposure (why getting lawful basis wrong is costly)
Misaligned lawful basis, excessive processing, poor security, or unlawful disclosure can lead to:
- Regulatory enforcement and compliance orders by the National Privacy Commission
- Civil liability for damages in appropriate cases
- Criminal penalties for certain unlawful acts under the Data Privacy Act (depending on the violation and circumstances)
- Reputational harm and operational disruption (especially in fraud programs where trust is central)
16) Bottom-line framework: choosing the right lawful basis for fraud prevention and legal purposes
A defensible approach typically looks like this:
- Use legal obligation where a statute/regulation requires KYC, monitoring, retention, or disclosure.
- Use contractual necessity for processing essential to deliver the secure service the individual requested.
- Use legitimate interests for broader fraud prevention, network security, internal investigations, and risk controls—paired with documented balancing and safeguards.
- Use consent sparingly, mainly for optional anti-fraud features or enhanced verification methods (e.g., biometrics), ensuring it is genuinely voluntary.
- For sensitive personal information, ensure you meet the stricter conditions (often explicit consent or legally authorized processing tied to protecting lawful rights/interests, including legal claims), and apply elevated protections.