NPC Releases Updated Guidelines on the Processing of Personal Data for Loan-Related Transactions

The National Privacy Commission (“NPC”) issued NPC Circular No. 2022-02 (“Circular 22-02”) on 1 December 2022, amending certain provisions of NPC Circular No. 2020-01 (“Circular 20-01”) on the Guidelines on the Processing of Personal Data for Loan-Related Transactions.

On 14 September 2020, NPC issued Circular No. 20-01 which regulated online lending entities’, such as Lending Companies, Financing Companies, and other persons acting as such, (collectively referred hereinafter as “Lending Entities”) access to their clients’ phone contact lists, cameras, location, and storage, among others. Under this circular, all entities engaged in the processing of personal data for purposes of granting loan facilities are personal information controllers (“PICs”) making them obligated to uphold the rights of data subjects and to implement reasonable and appropriate organization, physical, and technical security measures for the protection of personal data. 

Upon the issuance of Circular 22-02, certain key provisions on the guidelines for processing personal data and protection of character references were amended. A new provision on guarantors was also added. 

Amended Guidelines on Processing Personal Data

Lending Entities are now required to provide just-in-time notices before obtaining the consent of the data subjects. A just-in-time notice provides data subjects with information on how a particular piece of information he or she is asked to provide will be processed. 

When providing details of processing to data subjects, Lending Entities must also take into account the accessibility of the information and convenience of the borrowers. For example, as provided by the Circular, if the loan transaction is being facilitated through a mobile application, the aforementioned information, shall be readily accessible and easily located within the mobile application. 

Meanwhile, where online applications are used for loan processing activities, Lending Entities shall be prohibited from conducting unnecessary processing that requires unnecessary permissions involving personal and sensitive information. Only appropriate, necessary, and reasonable requests for personal data access through permissions or protected resources from users of mobile applications may be made for debt collection and other lawful purposes. If the information is provided by data subjects but was not collected through application authorization, such information should still be processed in a manner that is not excessive to the legitimate purpose. It is important to note that when the purpose for accessing application permission has already been achieved and there are no other applicable lawful criteria for such access, such online applications must prompt the data subject to turn off, disallow these permissions, or inform the data subject that access to the relevant application permissions may already be revoked.

Circular 22-02 also provides guidelines on the processing of a borrower’s contract information for identity verification and to check the truthfulness of the information provided by borrowers, through access to the borrower’s phone camera or the photo gallery, and access to and processing of contact lists. The processing must not be excessive, out of proportion to its intended use, or unrestrained or unfettered. Access to contact details, in whatever form, for the purpose of harassment, collection of debt from sources other than the guarantors the borrower provided, and unethical collection methods, among others, is prohibited.

Finally, as part of their registration with the NPC, Lending Entities are now required to submit a complete list of the names of all publicly available applications owned or operated by such entities including all publicly available online applications used for loan processing activities, in accordance with the applicable Rules on Registration of Data Processing Systems and Notifications regarding Automated Decision-Making. Violating this rule will cause the revocation of the registration of the PIC or personal information processor upon due notice and after providing the same an opportunity to explain pursuant to NPC’s existing rules on the revocation of registration. They shall also be subject to penalties and disciplinary measures as provided in the Data Privacy Act, its Implementing Rules and Regulations, and other issuances of the NPC. 

Protection of Character References and Guarantors

Circular 2022-02 also protects the data privacy rights of a borrower’s character reference and guarantor.

A character reference is a person whose contact information is provided for verification of the identity and veracity of the information provided by the borrower for the grant of a loan. A character reference shall not be automatically treated as a guarantor. Meanwhile, a guarantor is one who expressly binds himself or herself to the creditor to fulfill the obligation of the individual borrower in case the latter should fail to do so. 

Lending Entities must properly advise persons who are selected as character references of the loan applicant that they were chosen as character references and how their contact information was collected. Additionally, they must give the character reference the choice to have their personal data removed as a character reference. It is completely forbidden to get in touch with character references for reasons unrelated to the loan transaction (such as marketing, cross-selling, or sharing with third parties to promote other goods or services).

Meanwhile, for guarantors, the Lending Entities must also obtain their separate consent with regard to processing of their personal data. Circular 22-02 further prohibits Lending Entities from getting in touch with anyone on the borrower’s contact list who has not been declared a guarantor to collect a debt.

Registration 

Circular 22-02 requires Lending Entities to register all online applications used for loan processing activities with the NPC in accordance with the applicable Rules on Registration of Data Processing Systems and Notifications regarding Automated Decision-Making within 15 days after the effectivity of Circular 22-02 or within 30 days from the availability of the NPC’s registration system, whichever comes later.