Disclosure of Data For Fraud Investigation


Republic of the Philippines

NATIONAL PRIVACY COMMISSION

PRIVACY POLICY OFFICE


ADVISORY OPINION NO. 2020-050[1]

26 November 2020

[Addressee name and address redacted]

Re: DISCLOSURE BY FINTECH, DIGITAL PAYMENT PLATFORMS, AND TELECOMMUNICATIONS ENTITIES OF
PERSONAL DATA FOR FRAUD INVESTIGATION

Dear [name redacted],

We write in response to your letter received by the National Privacy Commission (NPC)
which sought to clarify whether the disclosure of personal information provided to financial
technology companies, digital payment platforms and telecommunications entities to the
credit card issuers for purposes of fraud investigation is allowed under the Data Privacy Act
of 2012[2] (DPA).

In your letter, you disclosed that the credit card industry has been experiencing high volumes
of fraudulent transactions which were carried out using various digital payment platforms,
which has already caused financial detriment not only to the credit card holders but to the
credit card issuers as well. Credit card issuers are compelled to absorb the amount involved
in such fraudulent transactions.

You now inquire whether there is basis for the digital payment platform companies and
other related entities, such as the telecommunications companies, to disclose personal
information to credit card issuers to prevent financial fraud.

NPC Advisory Opinion No. 2019-041

We reiterate our position in NPC Advisory Opinion No. 2019-041 on the disclosure of personal
information provided to online merchants, such as the name, address, delivery address,
email address, and mobile or other contact number, to credit card issuers for purposes of
fraud investigation.
[1] Tags: personal information; credit card information; fraud investigation; legitimate interests.
[2] An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes [Data Privacy Act of 2012], Republic Act No. 10173 (2012).
5th Floor Delegation Building, PICC Complex, Vicente Sotto St., Pasay City
URL: https://privacy.gov.ph Email Add: [email protected]
In particular, such disclosure finds legal basis under Section 12 (f) of the DPA wherein
processing is “necessary for the purposes of the legitimate interests pursued by the personal
information controller (PIC) or by a third party or parties to whom the data is disclosed, except
where such interests are overridden by fundamental rights and freedoms of the data subject
which require protection under the Philippine Constitution.”[3]

In the determination of legitimate interest, the PIC must consider the following:[4]

1. Purpose test – The existence of a legitimate interest must be clearly established, including a
determination of what the particular processing operation seeks to achieve;
2. Necessity test – The processing of personal information must be necessary for the purpose of
the legitimate interest pursued by the PIC or third party to whom personal information is
disclosed, where such purpose could not be reasonably fulfilled by other means; and
3. Balancing test – The fundamental rights and freedoms of data subjects must not be overridden
by the legitimate interests of the PIC or third party, considering the likely impact of the
processing on the data subjects.

The foregoing conditions must be established by a PIC in using legitimate interest as lawful
basis in the processing of personal information.

Although the DPA does not particularly identify matters to be considered in the PIC’s
determination of its legitimate interests, the EU General Data Protection Regulation (GDPR),
the successor of the EU Data Protection Directive (Directive 95/46/EC) which highly
influenced the DPA, provides some guidance, whereby the processing of personal
information strictly necessary for fraud prevention purposes constitutes a legitimate interest.[5]

Hence, the PIC must establish that the disclosure of personal information will strictly be for
the resolution of previously committed frauds and the prevention of potential frauds. Further,
the PIC must ensure that only personal information which is necessary and proportionate to
the declared legitimate interest is processed.

It is also necessary to establish that the processing of personal information pursuant to the
PIC’s legitimate interests will not adversely affect the rights of data subjects. In determining
the balancing of rights and interests, it is important to identify whether the data subject had
reasonable expectation at the time and in the context of collection of personal information that
processing for fraud investigation may occur.[6] Transparency during the collection of personal
information and the relationship between the PIC and the data subject are just some of the
factors which may be taken into consideration in evaluating reasonableness.[7]

We also recognize the provisions of the Philippine Credit Card Industry Regulation Law, the
governing law of the credit card industry. Under such law, the disclosure of credit card
information to third parties is allowed, provided it is for the purpose of fraud investigation,
unauthorized activities or mitigating the risks involving card issuance, use and acquisition.[8]

[3] See, NPC Advisory Opinion No. 2019-041.
[4] See generally, Data Privacy Act of 2012, § 12 (f); United Kingdom Information Commissioner’s Office (ICO), What is the ‘Legitimate Interests’ basis?, available at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/what-is-the-legitimate-interests-basis/ [last accessed on 9 November 2020].
[5] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Official Journal of the European Union, Vol. L119, Recital 47 (2016).
[6] EU GDPR, Recital 47.
[7] See also, National Privacy Commission, NPC Case No. 17-047, pages 7-9, available at https://www.privacy.gov.ph/wp-content/uploads/2020/10/CID-17-047-JV-v.-JR-Decision-PSD-10Aug2020.pdf.

Under these circumstances, the data subjects who made online payments through the
financial technology companies, digital payment platforms and telecommunications entities
may reasonably expect the entities to which they have provided their credit card
information to guarantee the authenticity of their credit cards and the validity of said
transactions. In this context, credit card information may be disclosed to credit card issuers,
provided such disclosure is strictly for fraud investigation purposes only.

General data privacy principles; implementation of security measures

While there is a lawful basis for the processing of personal information in the matter at hand, the
financial technology companies, digital payment platforms and telecommunications entities
still have the obligation to observe the general data privacy principles of transparency,
legitimate purpose and proportionality and to take the necessary measures to uphold the
rights of the data subjects.

To reiterate, PICs shall only process personal information for a declared purpose which is
made known to the data subjects. Further, the processing of personal information shall be
limited only to those that are necessary for the declared purpose which is fraud investigation.

As PICs, the above entities are also responsible for the implementation of reasonable and
appropriate physical, organizational, and technical security measures to uphold the privacy
of personal information within their custody. Among others, PICs are required under the DPA
to regularly monitor for security breaches and take the appropriate and necessary preventive,
corrective and mitigating measures against potential security breaches.[9]

We also take note of your concern for NPC to intervene or take action regarding the “rampant
financial fraud taking place with the fraudsters hiding behind the Data Privacy Act”. We
constantly remind all PICs that the DPA should not be seen as an obstacle in obtaining the
necessary information for fraud prevention since such processing is recognized under the law.
We likewise cooperate with the pertinent government agencies who are involved in
investigating financial fraud and other related offenses.

This opinion is based solely on the limited information you have provided. Additional
information may change the context of the inquiry and the appreciation of facts. This opinion
does not adjudicate issues between parties nor impose any sanctions or award damages.

For your reference.

Very truly yours,

(Sgd.) RAYMUND ENRIQUEZ LIBORO
Privacy Commissioner

[8] An Act Regulating the Philippine Credit Card Industry [Philippine Credit Card Industry Law], Republic Act No. 10870, § 16 (f) (2016).
[9] Data Privacy Act of 2012, § 20 (c) (4) (2012).
