NPC amends Circular on the processing of personal data for loan-related transactions

The National Privacy Commission (NPC) has amended certain provisions of its NPC
Circular No. 2020-01 providing for the guidelines on the processing of personal data for loanrelated transactions which was published on September 14, 2020.

Under NPC Circular No. 2022-02, the amendments cover the processing of personal data
for evaluating loan applications, granting loans, collection of loans, and closure of loan accounts;
character references; and a newly added provision for guarantors. Privacy Commissioner John
Henry D. Naga said that the amended Circular further addresses the data privacy concerns due
to the prevalence of online lending.

“NPC Circular No. 2022–02 provides amendments that will serve as an added protection
to both borrowers and lending companies. The NPC aims for smooth transactions between the
two parties, where borrowers are afforded their data privacy rights and lending companies are
given the opportunity to ethically conduct their business and establish trust among their
customers,” Commissioner Naga said.

Updated guidelines on processing personal data

Under Section 3(A)(5) of the amended Circular, a lending company, financing company,
and other persons acting as such should provide just-in-time notices before obtaining the consent
of the data subjects in loan-related transactions. The just-in-time notice provides data subjects
with information on how a particular piece of information they are asked to provide will be
processed.

When providing details of processing to data subjects, the lending company, financing
company, or other persons acting as such must consider the accessibility of the information and
convenience of the borrowers. For example, if the loan transaction is being facilitated through a
mobile application, the details of processing shall be readily accessible and easily located within
the mobile application.

In loan processing activities, Section 3(D) of the amended Circular provides that a lending
company, financing company, or other persons acting as such are prohibited from conducting
unnecessary processing including requiring unnecessary permissions that involve personal and
sensitive personal information. It specifically states that “when the purpose for accessing an
application permission has already been achieved and there are no other applicable lawful criteria
for such access, such online applications shall prompt the data subject to turn off, disallow these
permissions, or inform the data subject that access to the relevant application permissions may
already be revoked.”

Protecting character references and guarantors

The amended Circular allows the processing of a borrower’s contact information for
identity verification and to check the truthfulness of the information provided by borrowers.
However, the processing must not be unbridled or unconstrained, excessive, and disproportional
to its purpose. This includes processing that leads to harassment; processing for collection of debt
outside of the guarantors provided by the borrower; and processing that results in unfair
collection practices.

The amended Circular also protects the data privacy rights of a borrower’s character
reference and guarantor. Under Section 4, it provides that a character reference is a person whose
contact information is provided for verification of the identity and veracity of the information
provided by the borrower for the grant of a loan. Furthermore, a character reference shall not be
automatically treated as a guarantor, who is an individual who expressly binds himself or herself
to the creditor to fulfill the obligation of the individual borrower in case the latter defaults on
payment as provided under Section 5.

For those who were chosen as character references, Section 4(C) of the amended Circular
provides that a lending company, financing company, or other persons acting as such shall
adequately inform the concerned individuals that they were chosen as character reference of the
loan applicant and how their contact details were obtained. They must also provide the character
reference with the option of having their personal data removed as a character reference.
Furthermore, contacting character references for purposes outside of the loan transaction (e.g.,
marketing, cross-selling, or sharing to third parties for purposes of offering other products or
services) is strictly prohibited.

On the other hand, Section 5 of the amended Circular provides that a guarantor is “one
who expressly binds himself or herself to the creditor to fulfill the obligation of the individual
borrower in case the latter should fail to do so”. Further, Section 5(A) of the amended Circular
provides that the guarantor’s separate consent must be obtained by a lending company, financing
company, or other persons acting as such. For purposes of debt collection, Section 5(B) of the
amended Circular expressly prohibits a lending company, financing company, or other persons
acting as such to contact persons in the borrower’s contact list other than those who were declared
as guarantors.

A lending company, financing company, or other persons acting as such are required to
register with the NPC and submit a complete list of the names of all publicly available
applications that they own and operate. Violators of the amended Circular will be subject to
penalties, fines, and other disciplinary measures as provided in the DPA, its implementing rules
and regulations, and other issuances of the NPC

Access the Circular here: link

###