FIRST STANDARD FINANCE CORPORATION
DATA PRIVACY POLICY NOTICE AND CONSENT
This Privacy Policy (“Policy”) applies to personal data collected, stored, disclosed and/or processed by First Standard Finance Corporation and its related corporations and affiliates (individually and collectively, “FSFC”, “we”, “our” or “us”).
At FSFC, your privacy is our priority. We recognize and value your data privacy rights, and we seek to uphold them in accordance with law. This Policy outlines how we collect, use, store, and protect personal information when you interact with our financial products and services. We are committed to ensuring that your information is handled responsibly and in compliance with applicable laws and regulations. Accordingly, we have instituted the following principles that guide us through our Data Privacy Policy (“DPP”):
- Lawfulness
- Fairness
- Purpose limitation and data minimization
- Transparency
- Storage limitation
- Integrity, Security, and Confidentiality of Data.
This Policy is based on the Republic of the Philippines’ Data Privacy Act of 2012 (R.A. No. 10173) (“DPA”), its Implementing Rules and Regulations (“IRR”), and all the associated regulations and guidelines as may from time to time be issued by the National Privacy Commission (“NPC”) of the Philippines. It likewise incorporates the policies, guidelines, and amendments contained in NPC Circular No. 20-01 (14 September 2020) (Guidelines on the Processing of Personal Data for Loan-Related Transactions) and NPC Circular No. 2022-02 (December 1, 2022) (Amending Certain Provisions of NPC Circular No. 20-01).
Personal Data refers to all types of personal information or any information that identifies you as a person. Personal Information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained, or when put together with other information would directly and certainly identify an individual. With respect to Personal Data and Information, this Policy provides for and describes:
- the purposes for and how we may use that information
- the types of personal data we may collect from you
- with whom we may share it
- how the same are stored and for how long
- your rights under this policy and how to use them
- measures we take to protect the security of the information you provide to us
- how you can reach us to change or update your personal data, ask questions or provide feedback about our personal data protection practices, or withdraw consent regarding any of your personal data
- identity and contact details of the data controller, Data Protection Officer, or comparable role
By providing your personal data to FSFC (whether through you or third parties to whom you have given consent to provide such personal data to FSFC), you agree and consent to the terms of this Policy. Please review this Policy carefully before certifying your consent and providing us with any of your personal data.
PURPOSES FOR COLLECTION AND USE OF PERSONAL DATA
We may gather and utilize your information for any purpose allowed by relevant laws. These purposes include:
i. Conducting routine business activities such as processing transactions and managing your account, which involves sending notices, bills, and other documents essential for the ongoing use of our products and services.
ii. Responding to and processing information for purposes you provided it for.
iii. Verifying identities and performing customer due diligence to adhere to Philippine regulations and laws, including measures to prevent money laundering under the Anti-Money Laundering Act of 2001, as amended.
iv. Complying with Philippine laws and relevant foreign regulations.
v. Meeting contractual and regulatory obligations, such as submitting data to credit bureaus and the Credit Information Corporation as required by the Credit Information System Act.
vi. Responding to court orders, instructions, and requests from local or international authorities, including regulatory bodies, government agencies, tax authorities, and law enforcement.
vii. Following our internal policies and procedures related to operational, audit, administrative, and credit/risk management processes.
viii. Addressing your inquiries, requests, feedback, suggestions, and complaints.
ix. Conducting studies and research to review, develop, and enhance our products and services, which may include monitoring and recording calls and communications.
x. Preventing, detecting, and investigating crimes, as well as managing the safety and security of our premises and services, including conducting security checks and using CCTV surveillance.
xi. Processing and approving transactions.
xii. Offering products and services.
xiii. Performing data analytics, compiling information, and conducting statistical or demographic analyses.
xiv. Protecting and asserting our legal rights.
xv. Carrying out audits, reviewing and analyzing our internal processes, planning actions, and managing commercial risks.
Regarding our products or services, as well as your interactions with us, we may have informed you of other specific purposes for which we collect, use, or disclose your personal data. If that is the case, we will gather, utilize, and share your personal data for these additional purposes as well, unless we have explicitly informed you to the contrary.
HOW WE USE YOUR INFORMATION
The personal information we collect may be used for the following purposes:
- Loan Application Processing: To assess and process your loan application.
- Creditworthiness Evaluation: To verify your creditworthiness and assess risk by using credit reporting agencies and other sources.
- Loan Servicing: To manage your loan account, process payments, and send you loan statements.
- Legal and Compliance Obligations: To comply with applicable laws and regulations, including anti-fraud, anti-money laundering, and tax reporting requirements.
- Communication: To contact you about your loan account, repayments, updates, or changes to our services.
- Marketing and Promotional Purposes: With your consent, to send you information about products or services we offer that may be relevant to you.
LEGAL BASIS FOR PROCESSING
We process your personal data based on the following legal grounds:
- Contractual necessity: To enter into and fulfill the loan agreement with you.
- Legal obligations: To comply with legal and regulatory requirements.
- Legitimate interests: To protect our business, enforce loan agreements, and ensure security.
- Consent: When required, such as for marketing communications or sharing data with third parties.
DATA SHARING
We may share your personal information with trusted third parties for legitimate business purposes, including:
- Credit Reporting Agencies: For credit assessments and reporting your loan activities.
- Service Providers: Third parties that help us manage our loan services (e.g., payment processors, IT service providers).
- Regulatory and Law Enforcement Authorities: To comply with legal obligations, subpoenas, or regulatory inquiries.
- Affiliates and Business Partners: With your consent, for joint marketing purposes or co-branded services.
We ensure that any third party we share your data with has appropriate safeguards in place to protect your information.
WHAT INFORMATION WE COLLECT
At various times, we may collect personal data and information about you, related individuals, and/or those accompanying you, depending on how you interact with us, the products or services you use, and the transactions you engage in. This collection will occur as you interact with our employees and authorized representatives across different business units, branches, social media, and other channels. This may include, but is not limited to:
- Identification information: Name, date of birth, national ID, driver’s license, passport number
- Basic personal information like your gender, marital status and citizenship including supporting documents such as government ID details
- Contact information: Home address, office address, postal address, Email address, mobile and telephone number
- Specimen signatures
- Education, employment and business details
- Employment information: Employer, occupation, salary
- Images via CCTV and other similar recording devices which may be observed when visiting our offices and/or using our other facilities
- Voice recordings of our conversations with you
- Financial information (such as income, expenses, balances, investments, tax, insurance, financial and transaction history, etc.)
- Business interests, assets and credit information
- Account transactions, movements and interactions with third parties such as merchants
- Bank account details, income, credit history, tax identification number
- Information related to your financing applications, payments, and loan history
- Data related to your interaction with our website, mobile apps, or online portals (cookies, IP addresses, device data)
HOW WE COLLECT DATA
We obtain personal data from you through various means, including when you fill out a form, make a phone call, submit records and official documents, undergo background and credit investigations related to a potential business relationship with us, and interact with us via social media and other electronic platforms. Here are some specific ways we may collect personal data from you:
- When you use our services.
- When you complete and submit a form related to any of our products or services, including application forms or other documentation for investments through FSFC.
- When you contact us by phone.
- When you provide records and official documents.
- During background and credit investigations related to a potential business relationship.
- When you enter into any agreements or provide documentation regarding your transactions with us or when you utilize our products and services.
- When you interact with our personnel, such as relationship managers and branch managers, via phone calls (which may be recorded), letters, faxes, videoconferences, face-to-face meetings, and emails.
- When your image is captured by closed-circuit television (CCTV) or other devices while you are on our premises.
- When you use our products and services offered through online platforms, such as websites and apps.
- When you ask us to contact you, add you to an email or mailing list, or respond to our requests for additional personal data, promotional activities, or marketing campaigns.
- When you engage with our marketing representatives, agents, or other service providers.
- When we obtain your personal data from third parties related to your relationship and transactions with us, such as from referrers, business partners, independent asset managers, public agencies, or relevant authorities.
- In connection with any investigation, litigation, or inquiry involving you or any associated individual.
- When you submit your personal data to us for any other reason.
HOW WE MAY SHARE YOUR DATA
FSFC will not share your personal data with third parties unless it is necessary for the purposes mentioned above and you have given your consent.
We may share your information with service providers and third-party vendors that assist us in our business operations (such as payment processing, IT services, and credit reporting agencies). This may also include FSFC’s business units, subsidiaries, affiliates, agents, and business partners involved in joint services or products. Additionally, we may share your data with outsourced service providers and other third parties that help us deliver services to you. Finally, we may disclose your information to regulatory authorities as required by law or legal processes to meet our legal obligations, including fraud prevention and anti-money laundering, such as government regulators, judicial bodies, supervisory authorities, tax agencies, or courts with jurisdiction.
We engage third parties for the following reasons:
- Verifying your personal information
- Assisting in business operations
- Complying with legal requirements
- Enforcing our terms of use including, among others, our rights as creditor to customers availing of our loan or credit products, or such other applicable policies with respect to the services that we provide
- Addressing fraud, security or technical issues, to respond to an emergency or otherwise protect the rights, property or security of our customers or third parties
- Carrying out all other purposes set out above
Personal data shared with third parties shall be covered by the appropriate agreement to ensure that all personal data is adequately safeguarded.
- Courier services, telecommunications, and information technology
- Insurance companies and insurance brokers
- Banks, credit card companies, and their respective service providers
- Professional advisors such as lawyers, auditors and tax consultants
- Such party to whom we transfer our rights and duties to
- Such party as required by any applicable law, regulation, direction, court order, code or guidelines
- Any party to whom you authorize us to disclose your personal data.
We require that parties to whom we transfer personal data, and service providers, process personal data strictly for the purposes for which we engage them and consistent with the purposes that we have described as Purposes for Collection and Use of Personal Data or with other purposes for which consent has been sought and obtained.
FSFC does not, and will not, sell personal data to any third party. All our engagements with third parties shall be fully compliant with our obligation of confidentiality imposed on us under applicable agreements and/or terms and conditions or any applicable laws that govern our relationship with you.
HOW WE PROTECT YOUR DATA
FSFC uses reasonable precautions to protect your personal data and store it securely. The security of your personal data is important to us. FSFC implements appropriate technical and organizational measures to protect your personal data from unauthorized access, disclosure, alteration, or destruction. These measures include encryption, access controls, secure servers, and regular security audits. We strictly enforce data privacy and information security policies. We implement physical security measures to protect your personal data against loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction.
We have instituted safeguards such as the following:
- We keep and protect data using a secured server behind a firewall, deploying encryption on computing devices and physical security controls
- We restrict access to your personal data only to qualified and authorized personnel who hold your personal data with strict confidentiality
- We train our employees to properly handle your data
- We require our third parties to protect personal data aligned with our own security
- External service providers will be bound by contractual information security arrangements that we have with them
- Regardless of where personal data is transferred, we take all steps reasonably necessary to ensure that personal data is kept securely.
STORAGE AND DISPOSAL OF PERSONAL DATA
FSFC will retain your personal data only for as long as the purposes for which the data is collected or used (as notified to you) continue, or where necessary for our legal or business purposes. Thereafter, FSFC will delete or destroy the personal data, or restrict access to data which can be associated with you. We retain personal data for as long as necessary to fulfill the purposes for which it was collected and to comply with legal obligations according to operational need and in compliance with legal and regulatory purposes. Once personal information is no longer needed, we will securely delete or anonymize it.
FSFC stores personal data in a data center (on premise and cloud) and physical document storage facilities. FSFC’s data retention and disposal policy is in accordance with R.A. 9470 (National Archives of the Philippines Act) and BSP regulations. In general, FSFC shall only retain your data for five (5) years after the processing relevant to the purpose has been terminated. However, we may retain your data when necessary to establish, exercise or defend legal claims, for legitimate business purposes, or when provided by law.
YOUR ROLE IN ENSURING THE COMPLETENESS, ACCURACY AND SECURITY OF YOUR PERSONAL DATA
You are responsible for ensuring that the personal data you submit to us is complete, accurate, and truthful. If you fail to do so, it may hinder our ability to provide the products and services you request.
Please notify FSFC immediately of any changes in circumstances or facts that might make any previously provided information inaccurate or incorrect. You should also provide any information or documentation that FSFC may reasonably need to verify the accuracy of the updated data.
We encourage you to be proactive in safeguarding your personal data by keeping your account details, PINs, usernames, and passwords confidential and not sharing them with others or writing them in accessible places. Additionally, we advise you to remain cautious to protect yourself against phishing, skimming, and other forms of electronic fraud.
YOUR DATA PRIVACY RIGHTS UNDER THE DATA PRIVACY ACT
Under the Data Privacy Act, you have the following rights:
- Right to be informed;
- Right to object;
- Right to access;
- Right to rectify or correct erroneous data;
- Right to erase or block;
- Right to secure data portability;
- Right to be indemnified for damages; and
- Right to file a complaint
FSFC’s decisions regarding access requests, corrections, erasures, and objections to data processing are always governed by applicable internal policies and relevant laws and regulations.
ADDITIONAL RIGHTS UNDER NPC CIRCULAR NO. 20-01 and NPC CIRCULAR NO. 2022-02 GUIDELINES
Under NPC Circular No. 20-01 (14 September 2020) (Guidelines on the Processing of Personal Data for Loan-Related Transactions) and NPC Circular No. 2022-02 (December 1, 2022) (Amending Certain Provisions of NPC Circular No. 20-01), the processing of personal data for evaluating loan applications, granting loans, collection of loans, and closure of loan accounts shall be subject to the following general guidelines:
- Borrowers shall be provided all the details required under Section 16 (b) of the DPA and Section 34 (a)(2) of its IRR, in a clear language and in the most appropriate format (as provided herein);
- In cases where a borrower’s personal data will be further processed for purposes compatible with the primary purpose, the same may be allowed, provided that:
  - A direct and objective link must exist between the primary purpose for the processing of the personal data and the other compatible purposes. Such other purposes may include customer behavior analysis, system administration, service quality maintenance, customer service or support, among others; and
  - Should information be used for marketing, cross-selling, or sharing to third parties for purposes of offering other products or services not related to loans, Loan Companies (LCs), Finance Companies (FCs) and other persons acting as such must have a separate lawful criterion for such processing pursuant to Sections 12 and/or 13 of the DPA.
- LCs, FCs, and other persons acting as such shall limit the collection of personal data from the borrowers to those which are adequate, relevant, suitable, necessary, and not excessive in relation with the applicable know your customer (KYC) policies, rules and regulations, as well as those necessary for determining creditworthiness and preventing fraud.
- Where online apps are used for loan processing activities, LCs, FCs, and other persons acting as such shall be prohibited from requiring unnecessary permissions that involve personal and sensitive personal information.
- LCs, FCs, and other persons acting as such shall bear in mind that they are at all times accountable for personal data under its control or custody. They shall not use any personal data to engage in unfair collection practices as defined under SEC Memorandum Circular No. 18 series of 2019. Such practices may also be construed as a punishable act under the DPA;
- LCs, FCs, and other persons acting as such shall adopt and implement reasonable policies regarding the retention of the personal data of those whose loan applications were denied and of borrowers who have fully settled their loans. Personal data shall not be retained in perpetuity in contemplation of a possible future use yet to be determined. Otherwise, applicable penalties as provided for in the DPA may be imposed;
- LCs, FCs and other persons acting as such shall obtain consent for the processing of personal data at the point where the personal data is necessary. They should provide just-in-time notices before obtaining the consent of the data subjects;
- A just-in-time notice provides data subjects with information on how a particular piece of information he or she is asked to provide will be processed. This information is provided at the point in time where the LCs, FCs, or other persons acting as such is about to process or processes such personal data of the data subject;
- The most appropriate format in providing details of processing to borrowers, as required by Section 16 (b) of the DPA and Section 34 (a) (2) of its Implementing Rules and Regulations (IRR), shall be the format which is aligned with the business processes of the LCs, FCs, or other persons acting as such, with utmost consideration to the accessibility of the information and convenience of the borrowers [e.g., if the loan transaction is being facilitated through a mobile application, the aforementioned information, shall be readily accessible and easily located within the mobile application];
- Mobile applications shall only require data subjects to provide access to personal data through permissions or protected resources when suitable, necessary, and not excessive to the legitimate purposes provided in Section 3 (B) (1) and Section 3 (C) of this Circular, and debt collection, subject to the limitations provided by law and in accordance with applicable provisions of law;
- Processing of personal data from application permissions, such as but not limited to accessing contact lists and cameras of data subjects, should only commence at the point where the information is necessary for the purposes provided for in the preceding paragraph;
- In cases where the data subjects provide information that was not obtained through application permissions, such information should still be processed in a manner that is not excessive to the legitimate purpose;
- When the purpose for accessing an application permission has already been achieved and there are no other applicable lawful criteria for such access, such online applications shall prompt the data subject to turn off, disallow these permissions, or inform the data subject that access to the relevant application permissions may already be revoked;
- Where an online application requires access to the borrower’s phone camera, or access to the photo gallery to choose a photo for the legitimate purposes of KYC and preventing fraud at the beginning of the loan application or for payment verification and other similar legitimate purposes, permissions for such access may be allowed during that particular stage in the loan process and must be turned-off after the fulfillment of such purposes or the data subject shall be informed when such purposes have been fulfilled and access to the relevant application permission(s) may already be revoked;
- Where the photo has already been taken and saved in the application, the application should already turn off the relevant application permission by default, or at the very least, prompt the borrower through appropriate means (e.g., just-in time, pop-up notices) that he or she may already turn off or disallow such permission as the same is no longer necessary for the operation of the application;
- Unbridled processing of contact list, in whatever form, is prohibited. “Unbridled processing” refers to processing, that is unconstrained, excessive, and disproportional to its purpose;
- The processing of contact lists for purposes of identifying and contacting the character references or guarantors provided by the borrowers themselves is allowed, but LCs, FCs, and other persons acting as such may only be provided limited access to and only to the minimum extent necessary to allow the borrowers to choose from their phone contact list their character references and guarantors, if any; and,
- LCs, FCs, and other persons acting as such shall, as part of their registration with the NPC, submit a complete list of the names of all publicly available applications owned or operated by such entities including all publicly available online applications used for loan processing activities, in accordance with the applicable Rules on Registration of Data Processing Systems and Notifications regarding Automated Decision-Making.
HOW YOU MAY CONTACT US
For further inquiries or complaints, please visit any of our branches or get in touch with our Customer Services Department at:
Email: clientspecialist@firststandard.ph
For data privacy requests and concerns, you may write to our Data Protection Officer or Compliance Officer at:
Email: dataprotection@firststandard.ph
CHANGES TO OUR DATA PRIVACY POLICY NOTICE AND CONSENT
FSFC may update this Data Privacy Policy Notice and Consent to align with industry trends and legal or regulatory requirements related to the handling of your personal data. Any relevant updates will be posted on our website.
- FSFC reserves the right to amend this Policy at any time and without prior notice to you. The latest version of this Policy is always available on our website. Please review this Policy from time to time so you are aware of any changes or updates to the notice.
- By continuing to use our services or purchasing products from us or by your continued engagement with us following the change or revision to this Policy, you will be deemed to have agreed to and accepted such amendments.
CONSENT
By submitting your data to FSFC, you confirm that you have read and understood this Data Privacy Policy Notice and Consent, and expressly consent to the processing of your personal and/or sensitive personal information as outlined in this Policy and Notice. You acknowledge that this includes access to the personal data and records you have submitted, which may be classified as personal and/or sensitive personal data under the Data Privacy Act of 2012.
You also grant FSFC permission to share your data with accredited or affiliated third parties, as well as independent or non-affiliated third parties, whether local or foreign, under the following conditions:
- When necessary for the proper execution of processes related to the stated purpose.
- When the use or disclosure is reasonably necessary, required, or authorized by law.
- Provided that adequate security measures are in place to protect your data.
For complete reference on the Data Privacy Act, please visit the National Privacy Commission website at https://www.privacy.gov.ph/.
By signing this Data Privacy Policy Notice and Consent I/We certify and confirm:
- That I/We have read and understood the FSFC Data Privacy Policy Notice and Consent herein;
- That I/We knowingly and fully consent thereto;
- That I/We, (as “Data Subject”) grant my/our free, voluntary and unconditional consent to the collection and processing of all Personal Data (as defined above), and account or transaction information or records relating to me/us disclosed/transmitted by me/us in person or by my/our authorized agent/representative/s to the information database system of the FSFC and/or any of its authorized agent/s or representative/s and/or Information controller, by whatever means;
- That I/We give such full consent in accordance with Republic Act (R.A.) 10173, otherwise known as the “Data Privacy Act of 2012” of the Republic of the Philippines, including its Implementing Rules and Regulations (IRR), and all other guidelines and issuances by the National Privacy Commission (NPC), as well as the FSFC Data Privacy Policy Notice and Consent herein; and,
- That I/We have read and understood the above and hereby consent to, agree on, accept and acknowledge these terms of consent for myself/ourselves and/or as agent/s for and on behalf of the principal/s I/we represent by signing below.