A. Purpose & Scope
This Policy applies to data subjects of iCAN Mobile Banking App whether as: (1) clients – current, past and prospective customers as individuals or corporations; or (2) non-clients – payees or payors or bank products and services we provide; visitors or inquirers at our branches and online channels; ultimate beneficial owners, directors or representatives of corporate clients; and such other persons involved in transactions with us or with our customers. (“Data Subjects”)
B. Collection of your Personal and Sensitive Personal Data
Personal Data refers to any information that identifies or is linkable to a natural person. On the other hand, Sensitive Personal Data is any attribute that can distinguish, qualify or classify a natural person from the others such as data relating to your ethnicity, age, gender, health, religious or political beliefs, genetic or biometric data.
We collect your Personal and Sensitive Personal Data when you register, sign-up or use Cantilan Bank’s products and services or contact us about them. We also collect through your organization whether private corporation or government instrumentality you authorized. We may also obtain your information from other sources (i.e publicly available platforms, financial institutions, credit agencies, payment gateway processors, public authorities, and other registers) for purposes of identity verification and regulatory requirements by the Bangko Sentral ng Pilipinas (BSP).
C. Kinds of Data We Process
- Know-Your-Customer (KYC) / Identification Data: refer to Personal Data and Sensitive Personal Data we collect when you sign up or register to our products and services such as full legal name, gender, date of birth, nationality, civil status, permanent address, present address, tax identification number and other government-issued identification numbers, mobile number, home number, office contact details, company name, job position or rank, office address, source of funds, gross annual income, and such other information necessary to conduct due diligence and comply with BSP rules and regulations.
- Biometric Data: upon your express consent and subject to limitations imposed by law, data processed for customer verification using: (1) facial recognition technology; (2) liveliness detection mechanism; and (3) fingerprint recognition applications.
- Transactional Data: linkable information to your Personal Data such as (1) bank account number, deposits, withdrawals, such other transfers made to or from your account, and details about them such as reference number, place and time these were made; (2) information when you contact us through our official channels such as branches, web and mobile platforms; and (3) other forms of customer account number, payments, and transactions you have with us.
- Financial Data: information about the value of your property and assets, your credit history and capacity, and other financial products and services you have with us.
- Behavioral Data: this refers to your online behavior, customer segment, usage of our products and services, internet protocol address of your devices used to access our applications, interests and needs you share with us, and customer behavior we collect as part of due diligence, to prevent fraudulent conduct, and comply with banking rules on anti-money laundering, terrorism financing, and tax fraud.
- Audio Visual Data: for security and improvement of our services, we process audio and video recordings of your interactions with us and surveillance videos at branches and automated teller machines, subject to limitations imposed by law.
- Sensitive Personal Data: we may require the following Sensitive Personal Data upon your express consent: (1) your religion when you apply for insurance products with us; (2) for customer verification, your government-issued identification numbers or cards such as passport or driver’s license ID; or (3) any information that is necessary, incidental to contractual agreement or in connection with a requested product or service.
- Children’s Data: we may collect information about children if they have opened an account with us with parental consent or if you provide us in relation to a product or service you signed up with us (i.e. when you register children as beneficiary to an insurance product or trust service with us).
- The foregoing data are collectively referred to as “Customer Data” or “Personal Information”.
D. Data Processing
Processing means any activity pertaining to the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of Customer Data.
We process Customer Data only for legitimate purposes and with lawful basis such as your express consent, terms and conditions of product or service you signed up with us, and as required by law and regulation. We ensure that only authorized employees and third-party service providers, who satisfy our stringent risk management, governance, information security, and data privacy requirements, can process your data.
1. Data Storage
a. We store Customer Data in secure and encrypted Bank-managed environments, devices, and media. For third-party managed environments such as cloud service providers, we employ BSP-sanctioned security protocols and procure BSP approval prior deplyoment.
b. We store physical copies of documents containing Customer Data in physical secure vaults.
2. Data Access
a. Customer Data can only be accessed by authorized personnel on a role-based manner following the proportionality principle that authorized personnel can only access Customer Data they need for their role and purpose in the Bank.
3. Data Use
a. Customer Engagement
i. We use your contact details with us to communicate with you about your relationship with We may ask for feedback, surveys or polls about our products and services.
ii. We may send you email or mobile notifications, telephone calls, or newsletters about product and services enhancements and account security reminders.
iii. You have the right to opt out from this form of communications with you or choose another means for which we can contact you.
i. We may use your information for us to send out campaigns of commercial products and services we hope you find interesting, relevant, and useful.
ii. We want to establish a more personalized relationship with you by providing you offers that would suit your lifestyle and needs.
iii. We perform data analysis on results of our marketing campaigns to measure their effectiveness and relevance
iv. You have the right to withdraw your consent or unsubscribe from receiving personalized offers.
c. Due Diligence and Regulatory Compliance
i. We may use Customer Data to evaluate your eligibility for Bank products and services.
ii. In assessing your ability to repay your loans, we conduct credit risk and investigation and reporting on your credit history and account updates
iii. We use your account details when you instruct us to make a payment or fulfill an investment order.
iv. We use automated processes and data science solutions for faster decision-making in granting loan products.
v. We process Customer Data in compliance with legal obligations and statutory requirements by BSP, and other regulatory agencies.
d. Business Insights
i. We perform data analysis and reporting based on your Customer Data and how we operationalize to aid our management make better decisions.
ii. We analyze your behavioral data, your interactions with our products and services, and our communications with you to aid us understand the areas for improvement and development.
iii. We analyze transactional data performed through our third-party service providers and partners in order to determine how we can jointly improve our products and services for you.
e. Data Quality
i. We shall process your Customer Data in compliance with the data quality standards imposed by We shall obtain additional information about you from government institutions or credit bureaus to improve the quality of your Customer Data with us. We may contact you to ensure accuracy and integrity of your information in our data processing systems.
f. Protection and Security
i. We process Customer Data for your account protection against cybercrime, identity theft, estafa, fraud, financial crimes such as money laundering, terrorism financing, and tax fraud.
ii. We use your Personal Data such as name, age, nationality, IP address, home address, and other Transactional Data to conduct profiling for detection of suspicious activity on your account.
iii. We may employ artificial intelligence and machine learning in real- time detection of suspected fraudulent activities on your account.
iv. We may reset your password or temporarily hold your mobile banking account to protect you from detected suspected fraudulent activities.
4. Data Retention
a. Pursuant to BSP Regulations, retention period for transaction records shall be five (5) years from the date of transaction except where specific laws and/or regulations require a different retention period, in which case, the longer retention period is observed.
b. For financial data and documents which indicate taxable transactions, data shall be preserved for ten (10) years per BIR Regulation.
c. We keep your data as long as it is necessary: a) for the fulfillment of the declared, specified, and legitimate purposes, or when the processing relevant to the purposes has been terminated; b) for the establishment, exercise or defense of legal claims; or c) for legitimate business purposes, which shall be in accordance with the standards of the banking industry.
5. Data Disposal
a. After the expiration of the imposed retention period, we dispose personal data in a secure manner in order to prevent further processing, unauthorized access, or disclosure to any other party.
E. Data Sharing and Purpose
When you consent to the processing of your Customer Data with us, you also agree to help us comply with our statutory and contractual obligations with other financial institutions. We may also share Customer Data externally with our partners, upon your written and/or electronic consent, for value added services you may find useful and relevant on top of your account with us. For contractual and value-added service data sharing agreements, we employ standardized model clauses as recommended by National Privacy Commission to ensure data protection of Customer Data. Below are the disclosures required by the government entities, other regulatory authorities and financial institutions:
1. Bangko Sentral ng Pilipinas (BSP), Anti-Money Laundering Council (AMLC)
a. We are subjected to mandatory disclosures to the AMLC under Republic Act 9160 or the Anti-Money Laundering Act of 2001, as amended, when there is probable cause that the deposits or investments involved are in anyway related to unlawful activities or money laundering offenses.
b. BSP mandates disclosures and reporting in compliance with its issuances for the protection of the integrity of the banking sector.
2. Bureau of Internal Revenue (BIR)
a. We may conduct random verification with the BIR in order to establish authenticity of tax returns submitted to us.
b. BIR may inquire into bank accounts of the following: a) a decedent in order to determine his gross estate; b) a taxpayer who has filed an application to compromise his tax liability on the ground of financial incapacity; and c) a taxpayer, information on whose account is requested by a foreign tax auhority.
3. Credit Information Corporation (CIC)
a. Credit Information Systems Act (RA No. 9510) mandates us to submit your credit data to the CIC and share the same with other accessing entities and special accessing entities authorized by the CIC.
4. Judicial and Investigative Authorities
a. We may be mandated to disclose certain Customer Data upon service of legal court orders (i.e. unexplained wealth under Section 8 of RA No. 3019) or express legal request from police, public prosecutors, courts, or dispute resolution providers allowed by law.
b. In these cases, we would notify you of the disclosure to the requesting government authority, subject to limitations imposed by law.
5. Other Regulatory Authorities
a. Regulatory authorities when such other persons or entities we may deem as having authority or right to such disclosure of information as in the case of regulatory agencies, government or otherwise, which have required such disclosure from us and when the circumstance so warrant.
6. Financial Institutions
a. We disclose your Customer Data with insurers, insurance brokers, or providers of deposit or credit protection or protection against all kinds of risks.
7. Value Added Services
a. With your express consent, we may disclose your Customer Data to our partners who collaborate with us to provide services to you and provide joint communications that we hope you find of interest
b. Through our digital channels, you may instruct other mobile financial technology applications to retrieve your account information, initiate payments or cash-in from your account with us via our Application Programming Interface (API) facility.
F. Rights of Data Subjects
Under the Data Privacy Act of 2012, you have the following rights:
- Right to be informed – you may demand the details as to how your Personal Data is being processed or have been processed by the Bank, including the existence of automated decision-making and profiling systems.
- Right to access – upon written request, you may demand reasonable access to your Personal Information, which may include the contents of your processed personal information, the manner of processing, sources where they were obtained, recipients and reason of disclosure.
- Right to dispute – you may dispute inaccuracy or error in your Personal Information in the Bank systems through our contact center representatives.
- Right to object – you may suspend, withdraw, and remove your Personal Information in certain further processing, upon demand, which include your right to opt-out to any commercial communication or advertising purposes from the Bank.
- Right to data erasure – based on reasonable grounds, you have the right to suspend, withdraw or order blocking, removal or destruction of your personal data from the Bank’s filing system, without prejudice to the Bank continuous processing for commercial, operational, legal, and regulatory purposes.
- Right to data portability – you have the right to obtain from the Bank your Personal Information in an electronic or structured format that is commonly used and allows for further use.
- Right to be indemnified for damages – as data subject, you have every right to be indemnified for any damages sustained due to such violation of your right to privacy through inaccurate, false, unlawfully obtained or unauthorized use of your information.
- Right to file a complaint – you may file your complaint or any concerns with our Data Protection Officer and/or with the National Privacy Commission through www.privacy.gov.ph
G. Contact our Data Protection Officer
For inquiries and concerns, you may address them to Cantilan Bank’s Data Protection Officer at Orozco St., Magosilom, Cantilan Surigao del Sur or through email at firstname.lastname@example.org