The National Privacy Commission (NPC) released the amendments in a circular issued in 2020 with regard to the processing of customer data for loan-related transactions.
Under Section 3(A) of NPC’s amended circular, financial companies (FC), lending companies (LC) and other persons acting are required to first obtain consent or just-in-time notices from the data subjects before they can proceed with the processing of data.
Data subjects should be notified of how the information asked of them would be processed. The Commission said the FCs and LCs should consider the convenience of the borrowers or clients when processing their information.
When borrowers are using a mobile application, the information shall be readily accessible and easily located within the mobile application. The NPC circular also prohibits FCs and LCs from obtaining information that is deemed not of use to the transaction. It said that mobile apps shall only require data subjects to provide access to personal data through permissions or protected resources.
The amended circular also enables data subjects to revoke this permission when necessary. The companies are mandated to notify data subjects to turn off, or inform them that access to the relevant application permissions may already be revoked.
However, the circular allows access to contact lists (phone, emails, or social media) only “for the purpose of deriving proportional metadata about such contact lists.” According to previous reports, some FCs and LCs have used borrowers' contacts to harass borrowers who still owe them.
“Unbridled processing (or abuse) use of contact list is prohibited,” the NPC said. “Online lending applications must have separate interfaces where borrowers can provide character references and guarantors of their own choosing.”