NPC tightens data processing by lending firms


The National Privacy Commission (NPC) has amended certain provisions of its Circular No. 2020-01, tightening the guidelines in the processing of personal data for loan-related transactions by lending firms and protecting references and guarantors used in loan applications.

The new NPC Circular No. 2022-02 issued on Dec. 1, 2021, which amended circular No. 2020-01 published on Sept. 14, 2020, covers the processing of personal data for evaluating loan applications, granting loans, collection of loans, and closure of loan accounts; character references; and a newly added provision for guarantors.

Privacy Commissioner John Henry D. Naga said the amended Circular further addresses the data privacy concerns due to the prevalence of online lending.

“NPC Circular No. 2022–02 provides amendments that will serve as an added protection to both borrowers and lending companies. The NPC aims for smooth transactions between the two parties, where borrowers are afforded their data privacy rights and lending companies are given the opportunity to ethically conduct their business and establish trust among their customers,” Commissioner Naga said.

Updated guidelines on processing personal data Under Section 3(A)(5) of the amended Circular, a lending company, financing company, and other persons acting as such should provide just-in-time notices before obtaining the consent of the data subjects in loan-related transactions. The just-in-time notice provides data subjects with information on how a particular piece of information they are asked to provide will be processed.

When providing details of processing to data subjects, the lending company, financing company, or other persons acting as such must consider the accessibility of the information and convenience of the borrowers. For example, if the loan transaction is being facilitated through a mobile application, the details of processing shall be readily accessible and easily located within the mobile application.

In loan processing activities, Section 3(D) of the amended Circular provides that a lending company, financing company, or other persons acting as such are prohibited from conducting unnecessary processing including requiring unnecessary permissions that involve personal and sensitive personal information.

It specifically states that “when the purpose for accessing an application permission has already been achieved and there are no other applicable lawful criteria for such access, such online applications shall prompt the data subject to turn off, disallow these permissions, or inform the data subject that access to the relevant application permissions may already be revoked.”

On character references and guarantors, the amended Circular allows the processing of a borrower’s contact information for identity verification and to check the truthfulness of the information provided by borrowers.

However, the processing must not be unbridled or unconstrained, excessive, and disproportional to its purpose. This includes processing that leads to harassment; processing for collection of debt outside of the guarantors provided by the borrower; and processing that results in unfair collection practices.

The amended Circular also protects the data privacy rights of a borrower’s character reference and guarantor.

Section 4 provides that a character reference is a person whose contact information is provided for verification of the identity and veracity of the information provided by the borrower for the grant of a loan. Furthermore, a character reference shall not be automatically treated as a guarantor, who is an individual who expressly binds himself or herself to the creditor to fulfill the obligation of the individual borrower in case the latter defaults on payment as provided under Section 5.

For those who were chosen as character references, Section 4(C) of the amended Circular provides that a lending company, financing company, or other persons acting as such shall adequately inform the concerned individuals that they were chosen as character reference of the loan applicant and how their contact details were obtained. They must also provide the character reference with the option of having their personal data removed as a character reference.

Furthermore, contacting character references for purposes outside of the loan transaction (e.g., marketing, cross-selling, or sharing to third parties for purposes of offering other products or services) is strictly prohibited.

On the other hand, Section 5 of the amended Circular provides that a guarantor is “one who expressly binds himself or herself to the creditor to fulfill the obligation of the individual borrower in case the latter should fail to do so.”

Further, Section 5(A) of the amended Circular provides that the guarantor’s separate consent must be obtained by a lending company, financing company, or other persons acting as such. For purposes of debt collection, Section 5(B) of the amended Circular expressly prohibits a lending company, financing company, or other persons acting as such to contact persons in the borrower’s contact list other than those who were declared as guarantors.

A lending company, financing company, or other persons acting as such are required to register with the NPC and submit a complete list of the names of all publicly available applications that they own and operate.

Violators of the amended Circular will be subject to penalties, fines, and other disciplinary measures as provided in the DPA, its implementing rules and regulations, and other issuances of the NPC.