On 14 September 2020, the National Privacy Commission (“NPC”) issued Circular No. 20-01, setting forth guidelines on the processing of personal data for loan-related transactions. On 1 December 2022, the NPC issued an amendatory circular, Circular No. 2022-02, which amends and expands Circular No. 20-01 in order to respond to exigencies in the processing of personal data (collectively, the “Guidelines”).
1. Who are covered by the guidelines?
The Guidelines apply to lending or financing companies that process personal information for purposes of loan processing activities, as well as to any natural or juridical person acting as such, whether or not they have been granted authority to do so by the Securities and Exchange Commission (“SEC”) (collectively, “Covered Persons”). The Guidelines also apply to any personal information processor (“PIP”) or third-party service provider engaged by them. The following, however, are expressly excluded from the definition of lending and financing companies: banks, investment houses, savings and loan associations, pawnshops, insurance companies, cooperatives, credit institutions regulated by law, and other financial institutions organized or operating under special laws.
2. Is there information, in addition to that required by Republic Act No. 10173 or the Data Privacy Act (“DPA”) and its implementing rules and regulations (“IRR”), that must be provided to borrowers? Are there additional requirements for obtaining consent from borrowers?
Yes, the Guidelines provide that the following information shall be provided to borrowers:
a. all information concerning all phases of the loan processing activity;
b. information regarding the use of profiling, automated processing, automated decision-making, or credit rating or scoring before the use of such or at the next practical opportunity, if applicable; and
c. categories of data considered in deciding whether or not to approve loan applications subject to reasonable policies on minimum information and manner of disclosure that may be maintained to avoid manipulation or exploitation of the evaluation process.
In providing the information required under the Guidelines, the DPA, and its IRR, Covered Persons must present it in a format that takes into account its accessibility and the borrowers’ convenience. The Guidelines also require that policies and procedures be adopted to adequately address inquiries and clarifications from borrowers.
The Guidelines reiterate the DPA and its IRR: consent for the processing of personal data must be obtained from data subjects where consent is the applicable lawful basis, and, before giving consent, the data subject must be provided details of how the information will be processed. With regard to a borrower’s credit data that is required to be disclosed or submitted pursuant to law or regulation, the DPA shall apply. This includes instances in which Covered Persons share credit data with a third party or obtain personal data from other entities to help determine creditworthiness.
3. What kind of data may Covered Persons collect, and are there limitations on the purposes for collection and processing?
Yes, the Guidelines limit both the kind of personal data that may be collected and the purposes for which it may be processed.
Under the Guidelines, Covered Persons are mandated to limit the collection of the borrowers’ data only to those which are adequate, relevant, suitable, necessary, and not excessive in relation to their know your customer (“KYC”) policies and those necessary to determine creditworthiness and prevent fraud.
The processing of information is limited to the primary purpose for which it was collected. Processing for compatible purposes may be allowed, provided there is a direct and objective link between the primary purpose and the compatible purpose. The Guidelines give examples of compatible purposes such as customer behavior analysis, system administration, service maintenance, and customer service or support. Compatible purposes, however, do not include marketing, cross-selling, or sharing of data with third parties for purposes of offering products and services not related to loans; for such processing, Covered Persons must have a separate lawful criterion in accordance with the DPA. The Guidelines emphasize that retention in perpetuity of the personal data of borrowers whose loan applications were denied, or who have fully settled their loans, is not allowed, and violators will be subject to the applicable penalties under the DPA.
4. What are the specific regulations when online applications are used for loan processing activities?
Registration with the NPC
As part of their registration with the NPC, Covered Persons are required to submit a complete list of the names of all publicly available applications they own or operate. With regard to PIPs or third-party service providers, the Guidelines also impose certain requirements: (a) if operating in the Philippines, they must register with the NPC, and (b) if operating outside the Philippines, the Covered Persons engaging them must ensure that proper technical and contractual controls are in place to provide appropriate protection in the processing of personal data, in line with the DPA and its IRR. The registration of Covered Persons and/or PIPs may be revoked upon a determination by the NPC that they have violated the Guidelines, and they shall be subject to the penalties and disciplinary measures provided in the DPA, its IRR, and other NPC issuances.
Processing of Information
Under the Guidelines, Covered Persons are prohibited from conducting “unnecessary” processing. This includes requiring unnecessary permissions that involve personal and sensitive personal information. The Guidelines provide that mobile applications shall only require data subjects to provide access to personal data when suitable, necessary, and not excessive to legitimate purposes.
The processing of personal data obtained through application permissions, including access to contact lists and cameras, should commence only when the information to be collected is necessary for legitimate purposes. Additionally, once those legitimate purposes have been achieved, the application must be able to prompt the data subject to turn off or disallow the permissions granted. This includes access to the borrower’s phone camera or photo gallery given for purposes of KYC. The processing of contact lists is allowed, provided that the processing is not unconstrained, excessive, or disproportionate to its purpose. When access to a contact list is given for purposes of contacting character references or guarantors, such access must be limited to the extent necessary to allow the borrower to choose their character reference or guarantor from their phone contacts.
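As an added illustration, not part of the Guidelines or of any lender's application, the following Android code shows one way a loan app can satisfy the two requirements above: letting the borrower nominate a character reference through the system contact picker, so the app never requests the READ_CONTACTS permission and never sees the rest of the address book, and releasing the camera grant once the KYC selfie has been captured. The class, function and field names (ReferencePickerActivity, CharacterReference, releaseCameraPermission) are hypothetical; the Android APIs used are real.

```kotlin
// Added example, not code from the Guidelines or from any lender's app.
// Class, function and field names are hypothetical.
import android.Manifest
import android.app.Activity
import android.content.Intent
import android.net.Uri
import android.os.Build
import android.os.Bundle
import android.provider.ContactsContract
import android.provider.Settings
import androidx.activity.result.contract.ActivityResultContracts
import androidx.appcompat.app.AppCompatActivity

// The only contact data the app retains: one name and one number per nominee.
data class CharacterReference(val displayName: String, val phoneNumber: String)

class ReferencePickerActivity : AppCompatActivity() {

    private val nominated = mutableListOf<CharacterReference>()

    // ACTION_PICK on the Phone table opens the system's own contact picker.
    // The result is a content URI for the single phone row the borrower chose,
    // and the system grants this app temporary read access to that URI only,
    // so READ_CONTACTS is never declared or requested.
    private val pickReference =
        registerForActivityResult(ActivityResultContracts.StartActivityForResult()) { result ->
            val rowUri = result.data?.data
            if (result.resultCode == Activity.RESULT_OK && rowUri != null) {
                readOneRow(rowUri)?.let { nominated += it }
            }
        }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // In a real screen this would be wired to an "Add reference" button.
        launchReferencePicker()
    }

    fun launchReferencePicker() {
        val pick = Intent(Intent.ACTION_PICK, ContactsContract.CommonDataKinds.Phone.CONTENT_URI)
        pickReference.launch(pick)
    }

    // Reads exactly the two columns needed to verify the borrower's details.
    // Querying the picker-returned URI does not require READ_CONTACTS.
    private fun readOneRow(rowUri: Uri): CharacterReference? {
        val projection = arrayOf(
            ContactsContract.CommonDataKinds.Phone.DISPLAY_NAME,
            ContactsContract.CommonDataKinds.Phone.NUMBER,
        )
        contentResolver.query(rowUri, projection, null, null, null)?.use { cursor ->
            if (!cursor.moveToFirst()) return null
            val name = cursor.getString(cursor.getColumnIndexOrThrow(projection[0]))
            val number = cursor.getString(cursor.getColumnIndexOrThrow(projection[1]))
            return CharacterReference(name, number)
        }
        return null
    }

    // Call after the KYC selfie has been captured and uploaded. On Android 13+
    // the app can drop the CAMERA grant itself (it takes effect the next time
    // the process is killed); on older releases the best it can do is take the
    // borrower to the app's permission screen, which serves as the prompt to
    // turn off the permission that the Guidelines require.
    fun releaseCameraPermission() {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            revokeSelfPermissionOnKill(Manifest.permission.CAMERA)
        } else {
            val settings = Intent(
                Settings.ACTION_APPLICATION_DETAILS_SETTINGS,
                Uri.fromParts("package", packageName, null),
            )
            startActivity(settings)
        }
    }
}
```

The design choice worth noting is that scoping is enforced by the platform rather than by app policy: because the app holds no READ_CONTACTS grant, a bug or a later code change cannot quietly turn a reference picker into a bulk upload of the borrower's address book, which is the "unconstrained, excessive" processing the Guidelines prohibit.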
5. What is a character reference and what are the regulations with regards to the processing of information of character references?
A character reference is a person whose contact information is provided by the borrower for the verification of their identity and the information they have provided for the grant of a loan.
Covered Persons are required to adopt policies and procedures for handling the personal data of character references. Although it is primarily the borrower’s responsibility to inform their character reference of their inclusion as such, Covered Persons are also required to adequately inform the character reference of the identity of the loan applicant and of how their contact details were obtained. In this connection, a character reference shall have the option of having their personal information removed as a character reference. The Guidelines make clear that contacting character references for any purpose other than verifying the identity of the borrower and the information the borrower provided is prohibited.
6. What is a guarantor and what are the regulations with regards to the processing of information of guarantors?
Guarantors are persons who have agreed with the creditor to fulfill the obligations of the individual borrower in case the latter fails to do so. To be considered a guarantor, the person must have given their consent in accordance with the provisions of the Civil Code.
Whenever a guarantor is involved in a loan transaction, Covered Persons are required to obtain their separate consent in accordance with the provisions of the DPA. Additionally, Covered Persons may only contact the guarantor for the purposes of debt collection.
7. May Covered Persons outsource the processing of personal data?
Yes, Covered Persons are allowed to outsource any personal data processing activity. However, the details of the PIPs or third-party service providers should be made available to the borrowers. These arrangements shall also be governed by the DPA and its IRR, particularly the provisions on Outsourcing and Subcontracting Arrangements. It shall be the duty of Covered Persons to ensure that PIPs and third-party service providers are aware of their obligations under the DPA, its IRR, and other NPC issuances.
8. What are the rights of the data subject?
The data subject is accorded the same rights as provided for under the DPA. To this end, Covered Persons are mandated to adopt policies and procedures which enable borrowers to exercise their rights under the DPA.