Republic of the Philippines

NATIONAL PRIVACY COMMISSION

1 NPC Circular No. 2022 - ___

2
DATE : ____________________

SUBJECT : GUIDELINES FOR PRIVATE SECURITY AGENCIES ON

THE PROPER HANDLING OF CUSTOMER AND
VISITOR INFORMATION
3
4 WHEREAS, the National Privacy Commission (NPC) recognizes the vital role of Private
5 Security Agencies (PSAs) and Security Guards in ensuring the safety and security of persons
6 and properties;
7
8 WHEREAS, entities classified as personal information controllers (PICs) under Republic Act
9 No. 10173 or the Data Privacy Act of 2012 (DPA), generally engage PSAs and Security Guards
10 to secure and control access to identified areas or properties, among others;
11
12 WHEREAS, the NPC received reports concerning the apparent disregard by some Security
13 Guards of the data privacy rights of customers, visitors, and other data subjects;
14
15 WHEREAS, there is a need to inform and acquaint PSAs and Security Guards with the proper
16 processing of personal data during the performance of their duties to avoid violating the
17 rights of data subjects under the DPA;
18
19 WHEREAS, Section 11 of the DPA allows the processing of personal information subject to
20 compliance with the requirements of the DPA and other laws allowing disclosure of
21 information to the public, and adherence to the general principles of transparency, legitimate
22 purpose, and proportionality;
23
24 WHEREAS, Section 14 of the DPA states that a PIC may subcontract the processing of
25 personal information: provided, that the PIC shall be responsible for ensuring that proper
26 safeguards are in place to ensure the confidentiality of the personal information processed,
27 prevent its use for unauthorized purposes, and generally, comply with the requirements of
28 the DPA and other laws for processing of personal information;
29
30 WHEREAS, Section 21 (a) of the DPA further states that a PIC is accountable for complying
31 with the requirements of the law and shall use contractual or other reasonable means to
32 provide a comparable level of protection while the information are being processed by a third
33 party;
34
35 WHEREAS, PSAs and Security Guards engaged by a PIC are considered personal information
36 processors (PIPs) and are also bound to observe the requirements of the DPA and other
37 applicable laws;
38
Ref No.: PDD-21-0069 NPC_PPO_ PDD _CIRC-V1.0,R0.0,05May 2021
______________________________________________________________________________________________________________________________________________________
5 Floor, Philippine International Convention Center, Vicente Sotto Avenue, Pasay City, Metro Manila 1308
th

URL: https://www.privacy.gov.ph Email Add: info@privacy.gov.ph Tel No. 8234-2228

39 WHEREAS, pursuant to Section 7 of the DPA, the NPC is charged with the administration
40 and implementation of the provisions of the law, which includes ensuring the compliance by
41 PICs with the provisions of the DPA, and carrying out efforts to formulate and implement
42 plans and policies that strengthen the protection of personal information in the country, in
43 coordination with other government agencies and the private sector;
44
45 WHEREAS, Section 9 of the Implementing Rules and Regulations of the DPA (IRR) provides
46 that the Commission shall, among its other functions, develop, promulgate, review or amend
47 rules and regulations for the effective implementation of the law;
48
49 WHEREFORE, in consideration of the foregoing premises, and without prejudice to the
50 application of other pertinent laws and regulations on the matter, the NPC hereby issues this
51 Circular that prescribes the guidelines for PICs as well as PSAs and Security Guards acting as
52 PIPs, on the proper handling of data subjects’ personal data.
53
54
55 SECTION 1. Scope. — This Circular shall apply to all PICs, and to PSAs and Security Guards
56 acting as PIPs, in the processing of personal data of customers, visitors, and other data subjects
57 as part of their security services.
58
59 SECTION 2. Definition of Terms. — The definition of terms in the DPA and its IRR, as
60 amended, are adopted herein. In addition, whenever used in this Circular, the following terms
61 shall mean or be understood as follows:
62
63 A. “Private Security Agency” or “PSA” refers to any person or entity engaged in
64 contracting, recruitment, training, furnishing, or posting of Security Guards and other
65 private security personnel to individuals, corporation, offices, and organizations,
66 whether private or public, for their security needs as the Philippine National Police
67 (PNP) may approve;1
68
69 B. “Security Guard” refers to any person who offers or renders personal service to watch
70 or secure either a residence, business establishment, or buildings, compounds, areas,
71 or property, inspects, monitors, or performs bodily checks or searches of individuals
72 or baggage, and other forms of security inspection;2
73
74 C. “Service Agreement” refers to the contract between the PIC and the PSA acting as a
75 PIP containing the terms and conditions governing the performance or completion of
76 security service, jobs, or work being farmed out for a definite or predetermined
77 period;3
78
79 D. “Subcontracting” refers to the outsourcing, assignment, or delegation of the
80 processing of personal data by a PIC to a PIP. In this arrangement, the PIC retains
81 control over the processing;
82

1 See: Department of Labor and Employment, Revised Guidelines Governing the Employment and Working Conditions of
Security Guards and other Private Security Personnel in the Private Security Industry, Department Order No. 150-16, series
of 2016 [DOLE DO No. 150-16], § 2 (i) (Feb. 9. 2016).
2 See: DOLE DO No. 150-16, § 2 (h).
3 Id. § 2 (j).

Ref No.: PDD-21-0069 NPC_PPO_ PDD _CIRC-V1.0,R0.0,05May 2021

______________________________________________________________________________________________________________________________________________________
5th Floor, Philippine International Convention Center, Vicente Sotto Avenue, Pasay City, Metro Manila 1308
URL: https://www.privacy.gov.ph Email Add: info@privacy.gov.ph Tel No. 8234-2228
2
 83 E. “Subcontracting Agreement” refers to a contract, agreement, or any similar document
84 which sets out the obligations, responsibilities, and liabilities of the parties to a
85 subcontracting arrangement. It shall contain mandatory stipulations prescribed by the
86 IRR.
87
88 SECTION 3. General Obligations of PICs engaging the services of PSAs. — All PICs engaging
89 the services of PSAs shall have the following obligations:
90
91 A. Transparency. PICs, in coordination with the PSAs, shall be responsible for developing
92 a privacy notice in clear and plain language which shall explain to all customers,
93 visitors, and other data subjects:
94
95 1. The purpose of collecting personal data, e.g., monitoring or controlling access to
96 premises for the security, safety, and protection of persons and properties,
97 pursuant to legitimate interests (for private sector PICs) or laws and regulations
98 (for government PICs);
99 2. The security measures implemented to safeguard personal data;
100 3. The fact that the personal data collected, whether manually or through electronic
101 systems, shall be turned over to the pertinent PIC who engaged the PSA or the
102 Security Guard;
103 4. The retention period of personal data; and
104 5. Their rights as a data subject and mechanisms on how to exercise the same;
105
106 B. Proportionality. PICs shall observe proportionality in all personal data processing
107 activities including those outsourced or subcontracted to PSAs. They shall not require
108 PSAs acting as PIPs as well as the Security Guards to access, record, copy, or otherwise
109 collect any sensitive personal information for purposes of ascertaining the identity of
110 an individual, nor shall they direct them to keep ID cards containing sensitive personal
111 information.
112
113 However, PICs may instruct PSAs and authorized Security Guards to examine a
114 government-issued ID within a reasonable time and only in extraordinary
115 circumstances where such processing is necessary to ascertain the identity of an
116 individual, as may be provided by law or regulation: provided, that there is prior
117 sufficient explanation to the data subject of the necessity of processing sensitive
118 personal information for that purpose: provided further, that the government-issued ID
119 shall not be kept by the PSA or authorized Security Guards.
120
121 C. Accountability. PICs shall use contractual or other reasonable means to ensure that
122 proper safeguards are in place to ensure the confidentiality, integrity, availability of
123 the personal data processed, and to prevent its use for unauthorized purposes. PICs
124 shall ensure that a Subcontracting Agreement or Service Agreement is executed with
125 PSAs prior to any personal data processing activity. Such agreement shall contain the
126 following:
127
128 1. The subject-matter and duration of the processing;
129 2. The nature and purpose of the processing;
130 3. The type/s of personal data that will be processed;
131 4. The categories of data subjects;
132 5. The geographic location of the processing under the agreement;
Ref No.: PDD-21-0069 NPC_PPO_ PDD _CIRC-V1.0,R0.0,05May 2021
______________________________________________________________________________________________________________________________________________________
5th Floor, Philippine International Convention Center, Vicente Sotto Avenue, Pasay City, Metro Manila 1308
URL: https://www.privacy.gov.ph Email Add: info@privacy.gov.ph Tel No. 8234-2228
3
133 6. The obligations and rights of PICs;
134 7. The specific obligations of PSAs taking into consideration the mandatory
135 stipulations under Section 44 (b) of the IRR of DPA; and
136 8. The duty of PSAs to comply with the requirements of the DPA and its IRR, other
137 relevant issuances of the Commission, other applicable laws, and any other
138 obligations with the PICs.
139
140 D. Safeguards. PICs shall ensure that reasonable and appropriate safeguards are in place
141 for the processing of personal data by PSAs and their Security Guards which includes,
142 but is not limited to:
143
144 1. Appropriate data protection policies that provide for organizational, physical, and
145 technical security measures, taking into account the nature, scope, context and
146 purpose of the processing, as well as the risks posed to the rights and freedoms of
147 data subjects;
148 2. Clear and adequate instructions on the processing of personal data, whether in
149 paper-based or electronic systems, including the strict protocols to be observed by
150 Security Guards in the processing of sensitive personal information, where
151 justified, as provided under Section 3(B) of this Circular;
152 3. Retention period of personal data as well as the method to be adopted for the
153 secure return, destruction, or disposal of the same and the timeline therefor, taking
154 into account the purpose for which the personal data was obtained and the
155 provisions of the applicable Subcontracting Agreement or Service Agreement.
156
157 SECTION 4. Obligations of PSAs acting as PICs. — All PSAs acting as PICs shall have the
158 following obligations:
159
160 A. Registration. All PSAs acting as PICs shall register with the Commission in accordance
161 with the applicable Rules on the Registration of Data Processing Systems and
162 Notifications regarding Automated Decision-Making;
163
164 B. Training. PSAs shall provide trainings on the DPA, its IRR, and other relevant
165 issuances of the Commission to all Security Guards prior to their assignment or
166 deployment.
167
168 1. The orientation shall include an overview on the proper handling of personal data
169 that comes to their knowledge and possession in the course of providing security
170 services, the requirement to maintain confidentiality, integrity, and availability of
171 personal data, and the corresponding sanctions for any unauthorized processing
172 of personal data;
173 2. The conduct of the training shall be properly documented at all times. The
174 Commission may require the submission of the same in accordance with the
175 applicable provisions of the DPA, its IRR, and other issuances on the matter;
176
177 C. Inspection. All PSAs shall ensure that all Security Guards assigned or deployed are
178 complying with the requirements of the DPA. For this purpose, PSAs shall conduct
179 regular onsite visits in establishments where its Security Guards are assigned or
180 deployed.
181
182 SECTION 5. Obligations of PSAs acting as PIPs. — All PSAs acting as PIPs shall have the
Ref No.: PDD-21-0069 NPC_PPO_ PDD _CIRC-V1.0,R0.0,05May 2021
______________________________________________________________________________________________________________________________________________________
5th Floor, Philippine International Convention Center, Vicente Sotto Avenue, Pasay City, Metro Manila 1308
URL: https://www.privacy.gov.ph Email Add: info@privacy.gov.ph Tel No. 8234-2228
4
183 following obligations:
184
185 A. Privacy Notice. PSAs shall make reasonable efforts to notify the data subjects of the
186 relevant information about the processing of their personal data through a privacy
187 notice developed by the PIC in coordination with the PSAs.
188
189 B. Proportionality. For purposes of ascertaining the identity of an individual, PSAs and
190 authorized Security Guards shall not access, record, copy, or otherwise collect any
191 sensitive personal information such as date of birth, government-issued ID numbers,
192 images of government-issued IDs, nor shall they keep ID cards containing sensitive
193 personal information.
194
195 However, PSAs and authorized Security Guards may be allowed to examine a
196 government-issued ID within a reasonable time and only in extraordinary
197 circumstances where such processing is necessary to ascertain the identity of an
198 individual, as may be provided by law or regulation: provided, that there is prior
199 sufficient explanation to the data subject of the necessity of processing sensitive
200 personal information for that purpose: provided further, that the government-issued ID
201 shall not be kept by the PSA or authorized Security Guards.
202
203 C. Security measures. PSAs and their Security Guards shall, in coordination with the PIC,
204 implement appropriate security measures that:
205
206 1. Aim to maintain the availability, integrity, and confidentiality of personal data
207 processed;
208 2. Provide adequate protection against any accidental or unlawful destruction,
209 alteration, disclosure, and unlawful processing, as well as against natural and
210 human dangers such as unlawful access, fraudulent misuse, unlawful destruction,
211 alteration and contamination.
212
213 PSAs and Security Guards shall, at all times, ensure that personal data in the logbooks,
214 health forms, and other records are not visible to or accessible by unauthorized
215 persons, employees, or other data subjects to prevent unlawful processing of personal
216 data.
217
218 D. Assistance. A PSA acting as PIP and its Security Guards shall cooperate with the
219 relevant PIC in addressing any requests for the exercise of data subject rights. PSAs
220 shall not engage another PIP without prior instruction from the PIC and shall allow
221 audits and inspections conducted by the PIC or another auditor mandated by such
222 PIC.
223
224 SECTION 6. Penalties. — The processing of personal data in violation of this Circular shall
225 carry criminal, civil, and administrative liability pursuant to the provisions of the DPA and
226 related issuances of the Commission. This is without prejudice to the administrative penalties
227 that may be imposed under Republic Act No. 5487 or “An Act to Regulate the Organization
228 and Operation of Private Detective, Watchmen or Security Guards Agencies.”
229
230 SECTION 7. Interpretation. —Any doubt in the interpretation of any provision of this
231 Circular shall be liberally interpreted in a manner mindful of the rights and interests of the
232 data subjects.
Ref No.: PDD-21-0069 NPC_PPO_ PDD _CIRC-V1.0,R0.0,05May 2021
______________________________________________________________________________________________________________________________________________________
5th Floor, Philippine International Convention Center, Vicente Sotto Avenue, Pasay City, Metro Manila 1308
URL: https://www.privacy.gov.ph Email Add: info@privacy.gov.ph Tel No. 8234-2228
5
233
234 SECTION 8. Transitory Provisions. — PICs and PSAs acting as PIPs shall be given a period
235 of thirty (30) days from the effectivity of these Guidelines to comply with the requirements
236 provided herein.
237
238 SECTION 9. Separability Clause. — If any portion or provision of this Circular is declared
239 null and void, or unconstitutional, the other provisions not affected thereby shall continue to
240 be in force and effect.
241
242 SECTION 10. Repealing Clause. — All other rules, regulations, and issuances contrary to or
243 inconsistent with the provisions of this Circular are deemed repealed or modified accordingly.
244
245 SECTION 11. Effectivity. — This Circular shall take effect fifteen (15) days after its
246 publication in the Official Gazette or a newspaper of general circulation.
247
248
249 Approved:
250
251
252
JOHN HENRY D. NAGA
Privacy Commissioner

LEANDRO ANGELO Y. AGUIRRE

Deputy Privacy Commissioner
253

Ref No.: PDD-21-0069 NPC_PPO_ PDD _CIRC-V1.0,R0.0,05May 2021

______________________________________________________________________________________________________________________________________________________
5th Floor, Philippine International Convention Center, Vicente Sotto Avenue, Pasay City, Metro Manila 1308
URL: https://www.privacy.gov.ph Email Add: info@privacy.gov.ph Tel No. 8234-2228
6
 Republic of the Philippines
NATIONAL PRIVACY COMMISSION

1 NPC Circular No. 2022 – __

2
DATE : __ October 2022

SUBJECT : AMENDING CERTAIN PROVISIONS OF NPC CIRCULAR NO.

20-01 ON THE GUIDELINES ON THE PROCESSING OF
PERSONAL DATA FOR LOAN-RELATED TRANSACTIONS
3
4 SECTION 1. Objective. — This Circular aims to expound on NPC Circular No. 20-01 to
5 respond to exigencies in the processing of personal data for loan-related transactions by
6 lending and financing companies and other persons acting as such.
7
8 SECTION 2. Amendments. — The following provisions of NPC Circular No. 20–01 are hereby
9 amended as stated below:
10
11 A. In Section 3(A), fifth and sixth paragraphs shall be inserted to read:
12
13 5. LCs, FCs and other persons acting as such shall obtain consent for the
14 processing of personal data at the point where the personal data is necessary.
15 They should provide just-in-time notices before obtaining the consent of the
16 data subjects.
17
18 A just-in-time notice provides data subjects with information how a
19 particular piece of information he or she is asked to provide will be
20 processed. This information is provided at the point in time where the LCs,
21 FCs, or other persons acting as such is about to process or processes such
22 personal data of the data subject.
23
24 6. The most appropriate format in providing details of processing to borrowers,
25 as required by Section 16(b) of the DPA and Section 34(a)(2) of its IRR, shall
26 be the format which is aligned with the business processes of the LCs, FCs,
27 or other persons acting as such, with utmost consideration to the accessibility
28 of the information and convenience of the borrowers [e.g., if the loan
29 transaction is being facilitated through a mobile application, the
30 aforementioned information, shall be readily accessible and easily located
31 within the mobile application].
32
33 B. Section 3 (D), is hereby amended to read as follows:
34
35 D. Where online applications are used for loan processing activities, LCs, FCs, or
36 other persons acting as such shall be prohibited from conducting unnecessary
37 processing including requiring unnecessary permissions that involve
38 personal and sensitive personal information.
Ref No.: PDD-21-0112 NPC_PPO_ PDD _CIRC-V1.0,R0.0,05May 2021

5th Floor, Philippine International Convention Center, Vicente Sotto Avenue, Pasay City, Metro Manila 1308
URL: https://www.privacy.gov.ph Email Add: info@privacy.gov.ph Tel No. 8234-2228
39
40 1. Application permissions shall only be allowed when suitable, necessary,
41 and not excessive to the legitimate purposes provided in Section 3(B)(1)
42 and Section 3(C) of this Circular, and debt collection, subject to the
43 limitations provided by law and in accordance with applicable provisions
44 of law.
45
46 Unnecessary processing should not be performed upon installation of an
47 online application. Processing, such as but not limited to accessing
48 contact lists and cameras of data subjects, may only be requested at the
49 point where the information is necessary for the purposes provided for in
50 the preceding paragraph.
51
52 In cases where the data subjects provide information that was not
53 obtained through application permissions, such information should still
54 be processed in a manner that is not excessive to the legitimate purpose.
55
56 xxx
57
58 3. Where an online application requires access to the borrower’s phone
59 camera, or access to the photo gallery to choose a photo for the legitimate
60 purposes of KYC and preventing fraud at the beginning of the loan
61 application, permissions for such access may be allowed during that stage
62 in the loan application process and must be turned-off after the
63 fulfillment of such purposes.
64
65 Likewise, permissions for access to the borrower's phone camera, or
66 photo gallery to choose a photo for the legitimate purpose of payment
67 verification and other similar legitimate purposes may be allowed:
68 provided, that, permissions for such access must be turned-off after the
69 fulfillment of such purposes.
70
71 Where the photo has already been taken and saved in the application, the
72 application should already turn off such permission by default, or at the
73 very least, prompt the borrower through appropriate means (e.g., just-in
74 time, pop-up notices) that he or she may already turn off or disallow such
75 permission as the same is no longer necessary for the operation of the
76 application. In no way shall the borrower’s photo be used to harass or
77 embarrass the borrower in order to collect a delinquent loan.
78
79 4. Access to and processing of contact lists may be allowed for the purpose
80 of deriving limited descriptive metadata1 about such contact lists subject
81 to Section 3 (D) (1) and the requirements of Section 4.
82
83 “Contact list” refers to any compilation or list of information maintained
84 by the data subject that enables him or her to communicate with other
85 individuals. This includes the data subject’s phone contact lists, email
86 lists, or social media contacts.

1 Descriptive metadata as used in this Circular is understood to be any information that may define or describe contact lists.

Ref No.: PDD-21-0112 NPC_PPO_ PDD _CIRC-V1.0,R0.0,05May 2021

5th Floor, Philippine International Convention Center, Vicente Sotto Avenue, Pasay City, Metro Manila 1308
URL: https://www.privacy.gov.ph Email Add: info@privacy.gov.ph Tel No. 8234-2228
2
 87
88 Unbridled processing of contact list, in whatever form, is prohibited.
89 “Unbridled processing” refers to processing, that is unconstrained,
90 excessive, and disproportional to its purpose such as but is not limited
91 to:
92 a) Processing that leads to harassment;
93 b) Processing for collection of debt outside of the guarantors
94 provided by the borrower; and
95 c) Processing that results in unfair collection practices.2
96
97 5. Subject to the limitations of the immediately preceding paragraph, the
98 processing of contact lists for purposes of identifying and contacting the
99 character references or guarantors provided by the borrowers
100 themselves is allowed. Online lending applications must have separate
101 interfaces where borrowers can provide character references and
102 guarantors of their own choosing. LCs, FCs, and other persons acting as
103 such may only be provided limited access to and only to the minimum
104 extent necessary to allow the borrowers to choose from their phone
105 contact list their character references and guarantors, if any.
106
107 C. The following provisions shall be added to Section 3:
108
109 G. LCs, FCs, and other persons acting as such shall, as part of their registration
110 with the NPC, submit a complete list of the names of all publicly available
111 applications owned or operated by such entities;
112
113 H. In accordance with the applicable Rules on Registration of Data Processing
114 Systems and Notifications regarding Automated Decision-Making, LCs, FCs,
115 and other persons acting as such shall register with the NPC all publicly
116 available online applications used for loan processing activities;
117
118 I. PIPs or third-party service providers operating in the Philippines, engaged
119 by LCs, FCs, and other persons acting as such, shall likewise be required to
120 register with the NPC whenever they are engaged in the processing of
121 personal data under the instructions of the LCs, FCs, or other persons acting
122 as such;
123
124 J. For PIPs or third-party service providers outside the Philippines, LCs, FCs,
125 and other persons acting as such, shall ensure that appropriate technical and
126 contractual controls are in place to ensure appropriate protection in the
127 processing of personal data, taking into consideration Sections 28 to 29 and
128 43 to 45 of the Implementing Rules and Regulations (IRR) of the DPA;
129
130 K. Upon determination of any violation of this Circular, the NPC shall revoke
131 the registration of the PIC or PIP upon due notice and after providing the

2 Securities and Exchange Commission, “Prohibition on Unfair Debt Collection Practices of Financing Companies (FC) and
Lending Companies (LC),” SEC Memorandum Circular No. 18, series of 2019 [SEC MEMO. CIRC. 18, s. 2019], § 1 (19 August
2019): Unfair collection practices are as those which use or involve threats of use of violence or other criminal means to harm
the physical person, reputation or property of any person, as well as those which use threats to take any action that cannot be
legally taken.

Ref No.: PDD-21-0112 NPC_PPO_ PDD _CIRC-V1.0,R0.0,05May 2021

5th Floor, Philippine International Convention Center, Vicente Sotto Avenue, Pasay City, Metro Manila 1308
URL: https://www.privacy.gov.ph Email Add: info@privacy.gov.ph Tel No. 8234-2228
3
132 PIC or PIP an opportunity to explain pursuant to the NPC’s existing rules on
133 revocation of registration; and
134
135 L. LCs, FCs, and other persons acting as such or PIPs or third-party service
136 providers whose Certificate of Registration has been revoked by the NPC or
137 those determined to have violated the registration requirements, shall be
138 subject to penalties and disciplinary measures as provided in the DPA, its
139 IRR and other issuances of the NPC.
140
141 D. Section 4 is hereby amended to read as follows:
142
143 SECTION 4. Character references. — A character reference is a person whose
144 contact information is provided for verification of the identity and veracity of the
145 information provided by the borrower for the grant of a loan.
146
147 A. A borrower may be required to provide names and contact numbers of
148 character references to support the evaluation of the loan application and the
149 loan collection process. To this end, it shall be the responsibility of the
150 borrower to inform his or her character reference regarding the latter’s
151 inclusion as such.
152
153 B. LCs, FCs, and other persons acting as such shall adopt policies and
154 procedures in handling the personal data of such character references, which
155 may include policies on handling calls.
156
157 C. LCs, FCs, and other persons acting as such shall adequately inform the
158 concerned individuals that they were chosen as character reference of the
159 loan applicant and how their contact details were obtained. LCs, FCs and
160 other persons acting as such shall also provide the character reference with
161 the option of having his or her personal data removed as a character
162 reference.
163
164 D. Contacting character references for purposes other than for the verification
165 of identity and veracity of the information provided by the borrower, such as
166 but not limited to, marketing, cross-selling, or sharing to third parties for
167 purposes of offering other products or services, is prohibited.
168
169 E. A character reference shall not be automatically treated as a guarantor.
170
171 E. A new Section 5 is hereby added to read as follows:
172
173 SECTION 5. Guarantors. — A guarantor is one who expressly binds himself or
174 herself to the creditor to fulfill the obligation of the individual borrower in case
175 the latter should fail to do so. For a person to be considered a guarantor, he or
176 she should have given his or her consent to be a guarantor in accordance with
177 the provisions of the Civil Code on guaranty.
178
179 A. The guarantor’s separate consent must be obtained by the LC, FC or other
180 persons acting as such, in accordance with the applicable provisions of the
181 DPA, particularly those on transparency, the right of data subjects to be

Ref No.: PDD-21-0112 NPC_PPO_ PDD _CIRC-V1.0,R0.0,05May 2021

5th Floor, Philippine International Convention Center, Vicente Sotto Avenue, Pasay City, Metro Manila 1308
URL: https://www.privacy.gov.ph Email Add: info@privacy.gov.ph Tel No. 8234-2228
4
182 informed, and consent as a lawful basis for processing personal data.
183
184 B. For purposes of debt collection, LCs, FCs or persons acting as such may only
185 contact the guarantor. Contacting persons in the borrower's contact list other
186 than those who were named as guarantors is prohibited in accordance with
187 this Circular and the applicable issuances of the Securities and Exchange
188 Commission on unfair debt collection practices.3
189
190 F. The succeeding Sections on Credit Data, Outsourcing, Rights of the data subject are
191 hereby renumbered accordingly:
192
193 SECTION 6. Credit Data. — x x x
194 SECTION 7. Outsourcing. — x x x
195 SECTION 8. Rights of the data subjects. — x x x
196
197 SECTION 3. Transitory Provisions. — Within fifteen (15) days after the effectivity of this
198 Circular, all LCs, FCs, and other persons acting as such shall register all online applications
199 used for loan processing activities with the NPC in accordance with the applicable Rules on
200 Registration of Data Processing Systems and Notifications regarding Automated Decision-
201 Making.
202
203 All online applications which will be made publicly available after the effectivity of this
204 Circular shall be registered with the Commission in accordance with Section 2 (C) of this
205 Circular.
206
207 SECTION 4. Separability Clause. — If any portion or provision of this Circular is declared
208 null and void, or unconstitutional, the other provisions not affected thereby shall continue to
209 be in force and effect.
210
211 SECTION 5. Repealing Clause. — All other rules, regulations, and issuances contrary to or
212 inconsistent with the provisions of this Circular are deemed repealed or modified accordingly.
213
214 SECTION 6. Effectivity. — This Circular shall take effect fifteen (15) days after its publication
215 in the Official Gazette or a newspaper of general circulation.
216
217 Approved:

JOHN HENRY D. NAGA

Privacy Commissioner

LEANDRO ANGELO Y. AGUIRRE

Deputy Privacy Commissioner
218

3See: Securities and Exchange Commission, “Prohibition on Unfair Debt Collection Practices of Financing Companies (FC)
and Lending Companies (LC),” SEC Memorandum Circular No. 18, series of 2019 [SEC MEMO. CIRC. 18, s. 2019], § 1 (19
August 2019).

Ref No.: PDD-21-0112 NPC_PPO_ PDD _CIRC-V1.0,R0.0,05May 2021

5th Floor, Philippine International Convention Center, Vicente Sotto Avenue, Pasay City, Metro Manila 1308
URL: https://www.privacy.gov.ph Email Add: info@privacy.gov.ph Tel No. 8234-2228
5