
DATA PRIVACY POLICY



PRIVACY STATEMENT AND NOTICE TO DATA SUBJECTS

            Mount Carmel Rural Bank, Inc. (MCRBi) (hereafter referred to as “The Bank”) is committed to responsible processing and protecting your personal information. We value your rights as a data subject and assure you that the Bank secures and respects your privacy.


            This privacy policy applies to past, present, and prospective MCRBi clients, as well as anyone involved in any transaction or business relationship with the Bank, whether in your capacity or as a representative of a legal entity and non-bank clients such as payees, contact persons of corporate clients, and Bank partners, subject to data retention regulations and internal policies of MCRBi.


            It explains how we process, manage, and protect your information, including your rights, in compliance with the Data Privacy Act of 2012, its implementing rules and regulations, and other applicable laws such as, but not limited to, the Secrecy of Bank Deposits Law.


            In keeping with MCRBi’s commitment to protecting your bank information, records, and banking transactions, the Bank employs the following security measures every time you perform your banking transactions with us or access accounts on payroll, the core banking system, the collection app, and other online banking applications.

A. SECURITY MEASURES

            1. FIREWALL

                 The Bank uses industry-standard firewall technology to secure its IT infrastructure against unauthorized network access.

            2. AUTHENTICATION

                 Authentication procedures, such as Multi-Factor Authentication (MFA) and Virtual Private Network (VPN), ensure that only authorized persons or users have access to their accounts by verifying the user’s or person’s identity when transacting with us. Authentication is crucial for cybersecurity because it prevents unauthorized access and protects sensitive data from cyber threats.

             3. ENCRYPTION

                  Encryption is the process of scrambling private information to prevent unauthorized access. Our system uses SSL (Secure Sockets Layer) to ensure that all your online banking transactions are encrypted. SSL is a cryptographic protocol that provides security and data integrity for communications over networks such as the Internet.

B. ELECTRONIC CHANNELS

              1. USER ACCOUNT CREATION

                   Logging into the Core Banking system account is necessary before creating a user with a collector role. Personal data such as full name is collected upon user account creation. The process also requires setting up credentials such as a password and PIN.

                   The system admin role, or super admin, has all the permissions required in the CBS (Core Banking System). This includes full access to all technical functions, system configurations, user management, etc.


               2. ACCESS

                    Access to the MCRBi Collection Application is only allowed after the user (collector) has entered the correct login information and set up a PIN and the MFA. If the user’s device supports biometrics, the app will ask the user whether they would like to use biometric authentication. This allows the user to log in to the app using the device’s face recognition or fingerprint scanning system.

                    Once the CBS start-off day is enabled, the user will be able to log in to the collection app. The data can then be downloaded from the core banking system and the Dashboard will appear.


                3. USER VALIDATION

                        A. Dashboard Information

                                MCRBi online banking applications exhibit the following sensitive data on the dashboard:

                                               1. Full name of the collector and clients

                                               2. Email Address

                                               3. Product Number

                                               4. Loan status

                                               5. Loan payment details


                         B. Password Handling

                                 Only the IT Admin can initiate the password reset as requested by the user. This is to ensure the privacy and security of information and fraud control.


                4. SETTINGS AND DEACTIVATION

                     The user can log out, change the PIN, enable or disable Biometrics, check information such as the Privacy Policy and Terms and Conditions, and view the App Version.


                     The MCRBi Collection App has a security feature that links the device to the user once registration is done. In cases where the registered device should be removed, such as a lost phone or the collector’s transfer to another branch, the removal of the active device should be executed to allow the collector to register again in the app. The removal is initiated by the IT admin only. If this is not executed before the registration, an error will appear in the app saying, “The number of activated devices exceeded the maximum allowed limit. Please deactivate your previous device first to continue.” To secure data transactions, the Bank strictly implements one device per user only.


                     For resigning users, the deactivation of the Collection App on the device shall be strictly monitored and reviewed.


C. WHAT WE MAY COLLECT FROM YOU

                    Bank transactions, products, or services such as accessing online banking applications may require the input or use of some of your personal data to be able to verify your identity and authenticate your transactions.


                    We collect personal and non-personal data that you may purposely provide to us.

                1. For account creation/account opening and for availing of bank products and services

                        •  Name and personal details such as address, age, sex, marital status, gender, nationality, contact details, and date/place of birth

                        •  Employment details

                        •  Payroll details

                        •  Banking information and financial details such as assets, income, expenses, deposits, savings, payment history, and account activities including dealings and transactions with third parties

                        •  Official receipts, invoices, payslips, payment behavior, the value of your property or other assets

                        •  Credit history and credit capacity

                        •  Specimen signature, images (videos and/or photos) collected via CCTV and similar devices when you visit our bank premises

                        •  Government identification details

                        •  Permits, licenses and registrations

                        •  Status of pending civil or criminal cases (if any)

                        •  Socio-demographic data on whether you are married and have children

                        •  Interests and needs that you share with us through the accomplishment of Bank surveys to continuously improve the Bank products and services

                        •  Other electronic data or information relating to you such as IP addresses, cookies, activity logs, online identifiers, geographic and location data through your usage of our products and services

                        •  Other personal data authorized and mandated by law to be collected such as but not limited to Anti-Money Laundering Act of 2001 (AMLA), Bangko Sentral ng Pilipinas (BSP), Securities and Exchange Commission (SEC), and Bureau of Internal Revenue (BIR)

                        •  Information about your transactions with third parties, including merchants and utility companies 


                   We will not collect sensitive information regarding your health, ethnicity, religion, or political beliefs unless essential. When we do, it is only under certain conditions such as employment requirements, and you will be notified and your consent required.


                2. For Identification
                     Personal data we collect through our official website are limited to what will allow us to process your submitted career applications and appropriately respond to your queries about the Bank’s product and service offerings or complaints.

                     To do this, we gather only the following personal data from you through our website:


                                               • Name

                                               • Address

                                               • Contact Number

                                               • Email Address

                                               • Other personal and sensitive information from the submitted resume 


                        As a matter of implementing the Bank’s customer identification process, our banking offices collect the minimum information and other required information subject to applicable laws and regulations of BSP and AMLC.

                3. For login credentials on online banking transactions

                        •  Full name

                        •  Birth date

                        •  Document number

                        •  Product number

                        •  PIN code or biometrics and other authentication credentials


                4. For accessing the Online Banking Applications

                        •  Collections and other banking transactions are executed through the app.

                        •  Date and time when the mobile device accesses our servers.

                        •  IP address of your device and other device-related identifiers.

                        •  Combined personal and non-personal information downloaded from online banking apps.

                        •  Mobile device contacts (nominated by the user).

                        •  Video, image, and sound recordings of when you transact with us or contact us via phone calls

                        •  Type of operating system you have

                        •  Your device model and manufacturer

                        •  Online application interactions

                        •  Online application crash logs

                        •  Online application diagnostics

                        •  Geolocation

                        •  Device Types

                        •  Other device information

                5. For Existing Employees, Officers, and the Board of Directors
                     We also collect information with our Human Resources Department for reasons such as:

                               •  Personnel Record

                               •  Leave/Absence Management

                               •  Compensation and Benefits

                               •  Key Skills Assessment and Performance Management

                               •  Legal requirement

                               •  Supply management information

                               •  Internal and external regulatory reports and compliances


                    We ensure that the data we collect from our employees, officers, and the members of the Board is kept strictly confidential and protected following our HRD policies. The laws of the BSP and AMLA shall control data retention and personnel records shall be stored on the premises solely for the term required by the regulations.


                6. For the Bank’s Business Engagement with Partners

                     To administer business ties with our partners, we collect personal information such as a person’s name, address, payment information, and financial records only for corporate bodies. This information will be processed in accordance with legal regulations, such as storage and identification.


                 7. Job applicants

                      We collect personal data from you from the job application contact form and your uploaded resume. This allows us to correctly match your profile with our numerous positions and their relevant requirements, including, but not limited to, the following:

                                    1.  Basic personal and family history.

                                    2.  Educational background.

                                    3.  Employment background and details (if applicable)

                                    4.  Character references

                                    5.  Information required to be asked and gathered in accordance with a BSP requirement.


                      When you access our website, we may collect non-personal information such as location, device types, sources, usage data, and other information that can be read on your device to help us improve your browsing experience.


                HOW WE USE YOUR INFORMATION

                      We use your personal data for legitimate purposes, as follows:

                                     1.  To make it easier to manage your account and transactions.

                                     2.  To put our credit risk management system into action, we will use credit risk and behavioral analysis to estimate your ability to repay a loan based on your personal data and other required information.

                                     3.  To make our products and services more readily available.

                                     4.  To provide you with appropriate products and services, the Bank will collect and analyze information in order to improve and develop its products and services.

                                     5.  To manage customer relationships, we use your comments, notes taken during talks with you by our staff in person, over the phone, or over the website about your business dealings and transactions with us, and personalized marketing.

                PURPOSE OF COLLECTION

                     Your personal information will be processed by us, both manually and electronically, in connection with the following purposes:


                                  •  Compliance with banking laws and regulations (for Know-Your-Client or client identification).

                                  •  Availment of our products or services.

                                  •  Facilitate the opening, depositing, updating, and maintenance of your account.

                                  •  Evaluation, analysis, and approval of your information for intelligent decision-making to deliver your request.

                                  •  Provide you with your latest billings, account details, and other requests.

                                  •  Send you reminders, announcements, promotions, offers, invitations, and other notifications.

                                  •  As a sample for risk analysis, research, and planning to improve our products and services.

                                  •  Performance of our obligation arising from the contract between you and the Bank.

                                  •  To comply with the MCRBi’s legal obligation with the law and regulatory mandates of concerned government entities.

                                  •  Identify and authorize your login to your mobile banking account, authentication of transactions, and processing of applications.

                                  •  Recognize you or your device when launching the app for a more secure and personalized experience.

                                  •  Respond to and process your requests.

                                  •  Improve and further customize other mobile services.

                                  •  Use your information to detect fraud and for other uses on information security.

                                  •  Other such activities permitted by law or with your consent.


                STORAGE, RETENTION, AND DISPOSAL

                We retain your personal information only in accordance with its operational needs and in compliance with legal and regulatory purposes. We keep your personal information in paper and electronic formats and may store your data on servers provided by third-party hosting vendors we have contracted.


                We protect your personal information from misuse, unauthorized access, modification, and disclosure by enforcing organizational, physical, and technical measures. We will maintain and retain your personal information for a maximum of ten (10) years. With your consent, the retention period may be extended when you re-avail our products and services.


                SHARING OF YOUR PERSONAL DATA

                As a Banking institution, MCRBi is obligated to various agencies or third parties to submit personal information of data subjects with whom it has contractual agreements or follows regulatory agencies, rules, and laws. The Bank will never share or disclose your data to any third party without explicit consent.


                DATA SHARING WITH GOVERNMENT AGENCIES

                We are obliged to comply with legal and regulatory requirements; hence, we are required to submit information to government agencies such as, but not limited to, the Anti-Money Laundering Council (AMLC), Bangko Sentral ng Pilipinas (BSP), Securities and Exchange Commission (SEC), Philippine Deposit Insurance Corporation (PDIC), and Bureau of Internal Revenue (BIR).


                DATA SHARING WITH CREDIT REPORTING BODIES

                Pursuant to Republic Act No. 9510 or the Credit Information Act, we may disclose your personal and other relevant information to the Credit Information Corporation about your application for or availment of a credit facility with us. As a submitting entity, we are required to submit credit information of borrowers to the Corporation and notify you of such obligation to submit and disclose subject to the provisions of the Credit Information System Act and its implementing rules and regulations.


                DATA SHARING WITH SERVICE PROVIDERS

                During our banking operations, we may share your personal information with third-party service providers to perform tasks and activities on our behalf concerning the products or services you availed. With your consent, we may transmit your personal information to third-party entities with which the Bank has non-disclosure agreements or data-sharing agreements, whichever is applicable. This is to ensure that the third party will take appropriate security measures to uphold the privacy of your personal information and determine our level of control over how they will use or process your personal information.


                HOW WE PROTECT YOUR INFORMATION

                The privacy and security of your personal information are critical to us. We implement appropriate digital, operational, and physical security procedures and protections to ensure the confidentiality, integrity, and availability of your personal data. We teach our personnel how to correctly and safely maintain personal data. We require that our third-party partners and contractors protect personal data in accordance with our security requirements.


                 YOUR RIGHTS AS A DATA SUBJECT

                 Under Section 16 of the Data Privacy Act of 2012, as data subjects, you have the right to:

                       •  Be informed that your personal information will be, are being, or were, collected and processed.

                       •  Be furnished with the information given before entry of the data into the processing system of the Bank.

                       •  Have reasonable access to, upon demand and subject to restrictions, any information relating to you that we have on our manual filing system and computer databases.

                       •  Obtain and electronically move, copy, or transfer your data securely, for further use (Data Portability).

                       •  Dispute and correct any error in your personal information or have your personal data updated subject to the necessary controls to protect your account and personal data.

                       •  Suspend, withdraw, or order the blocking, removal, or destruction of your personal information from the Bank’s filing system upon discovery and substantial proof that the personal information is incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes, or is no longer necessary for the purposes for which they were collected.

                       •  Object to the processing of your personal information; and

                       •  File a complaint with the National Privacy Commission and be indemnified for any damages, if you have concerns about how we process your personal data or have evidence that the Bank mishandled it.

                 Please keep in mind that this privacy policy does not apply to the collection and use of information by firms over which we have no control, nor to persons who are not employed or controlled by us. If you visit a website that we reference or link to, please verify its privacy policy before giving information to the site.

                WHAT ARE YOUR DUTIES AS A DATA SUBJECT

                To commence and execute our duties as a Bank and fulfill our associated contractual duties, you will duly provide specific information based on the bank’s requirements. We are also legally obliged to collect certain information. Without these data, we may not be able to open an account for you or perform certain banking activities.


                SCOPE OF THIS PRIVACY POLICY

                Please remember that this privacy policy does not apply to the collection and use of information by firms over which we have no control, nor to persons who are not employed or controlled by us. If you visit a website that we reference or link to, please verify its privacy policy before giving information to the site.


                CHANGES TO THIS PRIVACY POLICY

                We may amend this Notice to comply with the changes in relevant laws and regulations and to keep you informed of the changes in the ways we process your personal information.


                CONTACT INFORMATION

                For your data privacy requests and concerns, you can email us through our Data Protection Officer at dpo@mcrbi.com.ph or send a message via 0917-716-3742.


                To learn more about our terms and conditions in our MCRBi Website, click here.

                To learn more about our terms and conditions in our MCRBi COLLECTION APP, click here.


Head Office Address:

J. M. Kalaw Street, Poblacion 5, Lipa City, Batangas 4217


Email:

kapartner@mcrbi.com.ph
