GENERAL STATEMENT
Republic Act No. 9510 or the Credit Information System Act of 2008 (“CISA”) created the Credit Information Corporation (“CIC”) to become the central registry or central repository of credit information in the Philippines by receiving and consolidating basic credit data of borrowers provided by Submitting Entities.1
In line with this commitment, the CIC acknowledges the fundamental right to privacy of our stakeholders. Thus, we are committed to protecting and safeguarding the sensitive and personal data of our stakeholders.
Your personal data and right to privacy are essential to us as the central repository of credit data in the Philippines, which is why we at the CIC would like our stakeholders, such as Data Subjects, Borrowers, Submitting Entities, Accessing Entities, Non-Accessing Entities, Special Accessing Entities, Outsource Entities, and Other Participating Entities, to know how the CIC handles and protects the sensitive and personal information given to us.
Please read this privacy notice carefully before using the CIC’s website, services, social media accounts, and other forms of communication with us because it will help you understand what data are being collected and how the data are used, stored, shared, retained, rectified, and disposed of in accordance with Republic Act No. 9510 or the Credit Information System Act of 2008 (“CISA”) and Republic Act No. 10173 or the Data Privacy Act of 2012, and its Implementing Rules and Regulations.
SCOPE OF PRIVACY NOTICE
This Privacy Notice addresses the CIC’s mandated procedures under CISA and outlines the general terms for collecting, using, storing, sharing, handling, and disposing of your sensitive and personal data. Further specific details on our privacy processes are provided in the specific Privacy Notices issued for particular personal data processing activities related to our products and services.
INFORMATION COLLECTED
For general inquiries
The CIC collects personal information of the stakeholders for the purpose of addressing their inquiries and concerns.
We use Google Analytics, a third-party service, to analyze the web traffic data. This website does not use cookies. Data generated is not shared with any other party. The following web traffic data are analyzed:
Demographics
- Language
- Country
- City
- Age
- Gender
- Interests
System
- Browser
- Operating System
- Service Provider
Mobile
- Devices
- User Explorer (it contains the Client IDs that Google designates to each visitor of the website)
When using the “Contact Us” portion of the CIC Website, the following personal information will be collected:
- Name
- Email Address
For Human Resources of the CIC
The CIC’s Human Resources Unit (“HRU”) acquires the personal information of all CIC personnel for records purposes, as well as that of applicants for vacant positions in the CIC to determine if they are qualified for the said position. The personal information collected is as follows:
- Personnel or applicant’s personal information, contact details, employment history, performance, and other relevant documents on the qualifications of the personnel or applicant;
- Academic qualifications and other educational attainments of the personnel or applicant;
- Medical certificates, examinations, clearances, and/or health related information of the personnel or applicant;
- Tax information in relation to the personnel or applicant;
- Any information related to the personnel or applicant’s training and development; and
- Other related documents in relation to the qualification of the personnel or applicant.
For Borrowers
Under CISA, the borrowers have the following rights:
- Right to have ready and immediate access to credit information pertinent to him subject to the payment of a prescribed fee.
- Right to dispute erroneous, incomplete or misleading credit information.
- Right to a simplified dispute resolution process to fast track the settlement or resolution of disputed credit information.
- Right to be notified by a submitting entity of the latter’s obligation to submit and disclose basic credit data to the Corporation; and
- Right to know the causes of refusal of an application for credit facilities or services from a financial institution that uses credit data as basis or ground for such refusal.
The CIC collects the basic credit data of the borrowers through Submitting Entities for the following purposes:
- Address the need for reliable credit information concerning the credit standing and track record of borrowers;
- Greatly improve the overall availability of credit especially to micro, small and medium-scale enterprises;
- Provide mechanisms to make credit more cost-effective;
- Reduce the excessive dependence on collateral to secure credit facilities;
- Ensure the protection of consumer rights and the existence of fair competition in the industry at all times;
- Reduce the overall credit risk of financial institutions, contributing to a healthier and more stable financial system.
Under CISA, "Basic Credit Data" refers to positive and negative information provided by a borrower to a submitting entity in connection with the application for and availment of a credit facility and any information on the borrower’s creditworthiness in the possession of the submitting entity and other factual and objective information related or relevant thereto in the submitting entity’s data files or that of other sources of information: Provided, that in the absence of a written waiver duly accomplished by the borrower, basic credit data shall exclude confidential information on bank deposits and/or clients funds under Republic Act No. 1405 (Law on Secrecy of Bank Deposits), Republic Act No. 6426 (The Foreign Currency Deposit Act), Republic Act No. 8791 (The General Banking Law of 2000), Republic Act No. 9160 (Anti-Money Laundering Law) and their amendatory laws.
The CIC’s mandate to collect the basic credit data and other relevant information of borrowers is exempted from the implementation of RA 10173 or the Data Privacy Act of 2012.2 On the other hand, any other entity must obtain the express consent of the owner of the sensitive and personal information before accessing the same.
The CIC, the submitting entities, the accessing entities, the outsource entities, the special accessing entities and the duly authorized non-accessing entities shall hold the credit information under strict confidentiality and shall use the same only for the declared purpose of establishing the creditworthiness of the borrower. Outsource entities which may process and consolidate basic credit data are absolutely prohibited from releasing such data received from the Corporation other than to the Corporation.3
For Submitting Entities, Participating Entities, and Accessing Entities
The CIC is mandated to onboard Submitting Entities that offer credit facilities5 to borrowers. To onboard a Submitting Entity, the CIC requires the submission of its registration documents, which include, but are not limited to, the following:
- The applicable Certificate of Registration or license which may be issued either by the Bangko Sentral ng Pilipinas ("BSP"), Securities and Exchange Commission ("SEC"), or the Cooperative Development Authority ("CDA");
- Articles of Incorporation from SEC or Articles of Cooperation from CDA, whichever is applicable;
- Secretary's Certificate providing their Authorized Representative;
- Completed Submitting Entity Information Sheet;
The CIC may require the submission of other relevant and/or necessary documents whenever circumstances warrant and in accordance with the relevant CIC issuances and guidelines.
The above information on the entities is acquired by the CIC to evaluate and assess if they are mandated by CISA to become Submitting Entities in Production and as a prerequisite in becoming Accessing Entities of the CIC.
Moreover, the basic credit data of borrowers are to be submitted to the CIC by Submitting Entities in compliance with CISA and other CIC guidelines.
For Special Accessing Entities
The CIC collects information on entities relevant to their qualifications and track record, taking into account their financial resources, technical expertise, and reputation, to operate as or form a Special Accessing Entity (“SAE”). This is to ensure that they are reliable in establishing the creditworthiness of borrowers by also being a source of accurate credit reports, ratings, and other similar credit information products and services.
For Outsource Entities
The CIC collects relevant information on outsource entities, such as, but not limited to, their registration documents, credentials, certifications, portfolio, organizational structure, and other relevant documents, to determine if they are qualified to become outsource entities of the CIC.
Use of Information
The basic credit data and other personal information collected by the CIC are being used for documentation and processing purposes within the CIC to address all kinds of concerns as well as to:
- Receive and consolidate basic credit data;
- Act as a central registry or central repository of credit information; and
- Provide access to reliable, standardized information on credit history and financial condition of borrowers.
Moreover, the CIC does not share any information with any third party unless otherwise provided by law.
The Accessing Entities, Non-Accessing Entities, Special Accessing Entities, Outsource Entities, and other participating entities who are authorized by the CIC to access its database shall use the same only for the declared purpose of establishing the creditworthiness of the borrower.
Outsource entities, which may process and consolidate basic credit data, are absolutely prohibited from releasing such data received from the CIC other than to the CIC.
Processing of Personal Data
When using the “Contact Us” portion of the website, the stakeholder will have to fill out the “Online Contact Form”, which contains, among others, the name, email address, the inquiry, and other relevant information for the proper processing of the same. After the form is filled out, the CIC will automatically create an email thread in our CIC Help Desk Ticketing System, which bears a reference number. The email will then be forwarded to the appropriate CIC internal units to properly address the inquiries or concerns.
Protection Measures
The CIC exercises the required diligence in protecting the data you provided to us. We implement all the standard security, technical, and organizational measures that ensure a high level of security to significantly reduce the risk of unauthorized access to, and accidental or unlawful destruction, loss, alteration, and unauthorized disclosure of, personal data transmitted, stored, or otherwise processed by the CIC.
All basic credit data of borrowers are encrypted.
Data Dissemination, Sharing, and Communication
The CIC upholds, with the highest degree of confidentiality, all personal information provided to us. The personal information collected is given only to the proper CIC internal unit for its prompt resolution.
CIC’s Storage of data
The CIC stores files containing personal information in our computers and servers, which are kept in a secure and encrypted environment. We may also store your personal information with cloud-based third-party data storage providers. We shall ensure that proper measures are adopted to protect your information.
Personal data shall be stored in a database for as long as the inquiries and requests have not been acted upon or the data are needed for another purpose, after which the records shall be disposed of securely.
Other categories of data may be kept longer when its retention period is determined by other relevant laws and regulations.
Disposal of information
Physical records shall be disposed of through shredding, while digital files shall be anonymized. In all instances, our manner of disposal shall ensure that the personal information shall no longer be retrieved, processed, or accessed by unauthorized persons.
The Data Subject’s Rights
The Data Privacy Act enumerates the following rights of a Data Subject, to wit:
- Right to be informed whether your personal data shall be, are being, or have been processed, including the existence of automated decision-making and profiling.
- Right to obtain confirmation on whether or not data relating to you are being processed.
- Right to file a complaint with the NPC.
- Right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of your personal data, taking into account any violation of your rights and freedoms as data subject.
- Right to object to the processing of your personal data where such processing is based on consent or legitimate interest.
- Right to dispute the inaccuracy or error in your personal data and have the Personal Information Controller (“PIC”) correct the same within a reasonable period of time.
- Right to request the suspension, withdrawal, blocking, removal, or destruction of your personal data from the PIC’s filing system, in both live and backup systems.
- Right to obtain from the PIC a copy of your personal data and/or have the same transmitted from one PIC to another, in an electronic or structured format that is commonly used.
If you have concerns regarding the CIC’s way of handling your personal data, do not hesitate to send a letter or an email to the CIC’s Data Privacy Officer (“DPO”) through the contact details provided below. Whenever circumstances warrant, the CIC may ask for additional information or evidence before we process your concerns.
This Privacy Notice was last updated on June 03, 2024.
Data Protection Officer
Mr. Christoper L. Tumpalan
If you believe that your data privacy rights have been violated, we encourage you to contact CIC for its immediate resolution.
1 Section 3(q) of CISA states that: (q) "Submitting Entity" refers to any entity that provides credit facilities such as, but not limited to, banks, quasi-banks, trust entities, investment houses, financing companies, cooperatives, nongovernmental, micro-financing organizations, credit card companies, insurance companies and government lending institutions.
2 Section 4(e and f) of the Data Privacy Act of 2012.
3 Section 6 of CISA.
4 Section 4(o) of CISA.
5 Section 3(f) of CISA states that: (f) "Credit facility" refers to any loan, credit line, guarantee or any other form of financial accommodation from a submitting entity: Provided, That for purposes of this Act, deposits in banks shall not be considered a credit facility extended by the depositor in favor of the bank.