Data Privacy Act

 The right to be alone 

the most comprehensive of rights and the right most valued by civilized men.

[Brandeis J, dissenting in Olmstead v. United States, 277 U.S. 438 (1928)]

 The Data Privacy Act of 2012 / 

Republic Act 10173

“ An act Protecting Individual Personal Information in Information and Communications Systems in the Government and Private Sector, creating for this purpose a National Privacy Commission and for other purposes” the DPA aims to protect the fundamental human right of privacy, of communication while ensuring the free flow of information to promote innovation and growth."

CARD Bank, Data Privacy Statement

OUR PRIVACY PRACTICES 

The privacy practices described in this Statement are primarily intended for individuals in the Philippines and are designed to comply with the provisions of the DPA. When accessing our websites and/or availing of our services through our branches, you acknowledge and agree that your information may be collected, processed, and transferred within the Philippines following legal and regulatory standards for data protection that may differ from your current or home jurisdictions. 

WHAT DATA DO WE COLLECT FROM YOU 

CARD Bank shall collect personal information from the client which may include, but are not limited to: 

• Name, Age, Date/Place of Birth, Gender, Civil Status, Nationality 

• Address and Contact Details (Home/Business) 

• Educational Background; Employment History 

• Financial Information (such as income, expenses, balances, investments, tax, insurance, financial and transaction history, etc.) 

• Specimen Signature; Permits, Licenses & Registrations 

• Telephone conversation recordings through our Customer Service Representative 

• CCTV footage for security purposes 

• Religion; Health/Disability 

• Regulatory Numbers (HDMF/SSS/TIN) 

• Housewife/Husband, Information (Name/Occupation) 

• Valid ID & Photos; Mother’s Maiden Name 

• Status of Pending Civil/Criminal Cases (if any) 

• Mugshots or Identification photos (contains full name, customer information file (CIF), birthdate, mobile number, source of fund, educational attainment, and signature) 

HOW WE USE YOUR INFORMATION 

CARD Bank uses your personal information to provide the services and products that you have availed or intend to avail from CARD Bank, including and together with following purposes: 

• Opening, maintaining, and/or terminations of accounts; Ease of contacting/communicating with clients. 

• Evaluate, approve, provide, or manage applications, financial products and services, and other transactions that the client has requested. 

• Comply with know-your-customer (KYC) information requirements as specified under the Manual of Regulations for Banks and other applicable regulations. 

• Perform amendment of client information as aligned to registration in konek2CARD system application. 

• Conduct of credit and background information checks and verification. 

• Evaluate client’s eligibility for CARD Bank’s products and services, such as loan inventory and loan validation. 

• Perform risk profile and risk assessment; Perform Loan Utilization Check (LUC). 

• For internal purposes, such as administrative, operational, audit, credit and risk management. 

• Offering and processing of insurance products as authorized by regulatory agencies. 

• Comply with legal and regulatory requirements such as submission of data to credit bureaus, credit information companies, the Credit Information Corporation (CIC), CISA. 

WHEN DO WE COLLECT PERSONAL INFORMATION 

CARD Bank collects personal information through, but not limited to, any of the following: 

• Face-to-face and/or telephone conversation with CARD Bank Customer Service Representative. 

• Accomplishment and/or signing of forms/documents (e.g., loan proposal, New Accounts Form, Insurance Products, Employment application and contracts and Client Information Form) 

• Registration through electronic banking channels and services (e.g., Mobile Banking Application-Konek2CARD, HCIS, MOB, LOS); and 

• Conducting Background and credit investigation and Loan Utilization Check; inquiries to the Credit Bureau 

RECIPIENTS OF INFORMATION 

We may share your personal information with our subsidiaries, affiliates and third parties, including members of CARD MRI, for the purposes above and with an obligation of confidentiality. Your personal information may similarly be disclosed to government agencies, supervisory bodies, tax authorities, or courts of competent jurisdictions for purposes of complying with banking regulations 

HOW WE SAFEGUARD PERSONAL INFORMATION 

CARD Bank, its employees, agents and representatives, shall handle personal information with utmost care and adhere to the implemented organizational, physical, and technical security measures to maintain the confidentiality, integrity, security, and availability of all personal information under its custody. 

HOW LONG DO WE KEEP YOUR INFORMATION 

Documents containing your personal information will be retained in the records and systems of CARD Bank for a period no longer than five years from the date of the termination of your account or of the specific transaction with CARD Bank, unless CARD Bank is required by law to retain the information for a longer period. 

YOUR RIGHTS AS DATA SUBJECT 

• To be informed

• To correct or rectify information or dispute accuracies 

• To object

• To erasure blocking, withdrawal, removal destruction of data 

• To access the information being retained 

• To be indemnified for damages 

HOW TO CONTACT US 

You may also visit the Customer Service Desk at any of CARD Bank’s branches or call the Customer Service Hotlines at the following numbers: 

Tel No. (049)-503-4156 

SMART 0909-233-6852 

GLOBE 0917-707-9819 

You may also e-mail us at cardbankcsr@cardmri.com or dpo@cardmri.com and visit our website www.cardbankph.com. 

KNOW YOUR RIGHT

RIGHT TO BE INFORMED

The data subject has a right to be informed whether personal data pertaining to him or her shall be, are being, or have been processed, including the existence of automated decision-making and profiling.

RIGHT TO OBJECT

When does the right apply?

• processing is based on consent (includes  direct marketing)

• processing is based on legitimate interest

If processing is for direct marketing purposes:

• PIC must stop processing upon receipt of data subject’s objection.

If a data subject objects/ withholds consent, the PIC shall no longer process the personal data, unless the processing is:

1. Pursuant to a subpoena;

2. For obvious purposes, i.e., contract, employer-employee relationship, etc.; or

3. Result of a legal obligation.

RIGHT TO ACCESS

Reasonable access to the following:

1.Contents of personal data;

2.Sources of personal data;

3.Names & addresses of recipients of the personal data;

4.Manner by which such data were processed;

5.Reasons for the disclosure of the personal data;

6.Information on automated processes (data will or likely to be made as the sole basis for decisions significantly affecting the data subject);

7.Date when personal data was last accessed/modified; and

8.Name/address of the PIC.

RIGHT TO ERASURE OR BLOCKING

The data subject shall have the right to suspend, withdraw or order the blocking, removal or destruction of his or her personal data from the personal information controller’s filing system.

When does the right apply?

a. When personal data is:

• incomplete, outdated, false, or unlawfully obtained

• used for unauthorized purpose

• no longer necessary for the purpose

b. Data subject withdraws consent/objects to the processing, and there is no other legal ground/legitimate interest for processing

c. Processing is unlawful

d.PIC or PIP violated the rights of the data subject.

RIGHT TO RECTIFICATION

• Right to dispute the inaccuracy or error in the personal data and have the PIC correct it immediately, unless the request is vexatious or otherwise unreasonable.

• If personal data was disclosed to third parties: PIC must inform them of the rectification upon reasonable request of the data subject. 

RIGHT TO DATA PORTABILITY

• Right to obtain from the PIC a copy of personal data in an electronic/ structured format that is commonly used/allows further use by the data subject.

• What are the conditions for this right to apply?

• personal data requested concerns the data subject making the request;

• personal data is processed electronically; and

• processing is based on consent or contract.

RIGHT TO DAMAGES

• The data subject shall be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, taking into account any violation of his or her rights and freedoms as data subject.

• See: NPC Circular No. 16-04 – Rules of Procedure (https://www.privacy.gov.ph/memorandum-circulars/npc-circular-16-04-rules-of-procedure/)