Purpose & Scope
UnionBank respects and values your privacy and the secrecy of your account information with us. This Policy informs you how we collect, use, store, and process your personal data in EON. We adhere to the data privacy principles of (1) legitimate purpose – we only process upon your consent, mandated by law or contract; (2) transparency – we notify everything that happens to your data; and (3) proportionality – collection is limited based on purpose.
This Policy applies to data subjects of EON whether as: (1) clients – current, past and prospective customers as individuals or corporations; or (2) non-clients – payees or payors or bank products and services we provide; visitors or inquirers at our branches and online channels; ultimate beneficial owners, directors or representatives of corporate clients; and such other persons involved in transactions with us or with our customers.
How we collect your personal data
We collect your personal data when you register, sign-up or use our bank products and services or contact us about them. We may collect your personal data through your organization whether private corporation or government instrumentality you authorized. We may also obtain your information from other sources (i.e publicly available platforms, financial institutions, credit agencies, payment gateway processors, public authorities, and other registers) for purposes of identity verification and regulatory requirements by the Bangko Sentral ng Pilipinas.
What kinds of personal data we process
Personal data refers to any information that identifies or is linkable to a natural person. Sensitive personal data is any attribute that can distinguish, qualify or classify a natural person from the others such as data relating to your ethnicity, age, gender, health, religious or political beliefs, genetic or biometric data.
- Know-Your-Customer (KYC) / Identification Data: personal data we collect when you sign up or register to our products and services such as full legal name, gender, date of birth, nationality, civil status, permanent address, present address, tax identification number and other government-issued identification numbers, mobile number, home number, office contact details, company name, job position or rank, office address, source of funds, gross annual income, and such other information for us to conduct due diligence and comply with BSP rules and regulations.
- Biometric Data: upon your express consent and subject to limitations imposed by law, data processed for customer verification using: (1) facial recognition technology; (2) liveliness detection mechanism; and (3) fingerprint recognition applications.
- Transactional Data: linkable information to your personal data such as (1) bank account number, deposits, withdrawals, such other transfers made to or from your account, and details about them such as reference number, place and time these were made; (2) information when you contact us through our official channels such as branches, contact centers, web and mobile platforms; (3) credit card account number as well as purchases or transactions using your credit card; and (4) other forms of customer account number, payments, and transactions you have with us.
- Financial Data: information about the value of your property and assets, your credit history and capacity, and other financial products and services you have with us.
- Behavioral Data: this refers to your online behavior, customer segment, usage of our products and services, internet protocol address of your devices used to access our applications, interests and needs you share with us, and customer behavior we collect as part of due diligence, to prevent fraudulent conduct, and comply with banking rules on anti-money laundering, terrorism financing, and tax fraud.
- Audio Visual Data: for security and improvement of our services, we process audio and video recordings of your interactions with us and surveillance videos at branches and automated teller machines, subject to limitations imposed by law.
- Sensitive Personal Data: we may require the following sensitive personal data upon your express consent: (1) your religion when you apply for insurance products with us; (2) for customer verification, your government-issued identification numbers or cards such as passport or driver’s license ID; or (3) any information that is incidental to contractual agreement or in connection with a requested product or service.
- Children’s Data: we may collect information about children if they have opened an account with us with parental consent or if you provide us in relation to a product or service you signed up with us (i.e. when you register children as beneficiary to an insurance product or trust service with us).
How we process your personal data with us
We process your personal data only with lawful basis such as your express consent, terms and conditions of product or service you signed up with us, and as required by law and regulation. We ensure that only authorized employees and third-party service providers, who satisfy our stringent risk management, governance, information security, and data privacy requirements, can process your personal data. Processing means any activity pertaining to the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
- Data Storage
- We store customer data in secure and encrypted Bank-managed environments, devices, and media. For third-party managed environments such as cloud service providers, we employ BSP-sanctioned security protocols and procure BSP approval prior deployment.
- We store physical copies of documents containing your data in physical secure vaults.
- Data Access
- Your personal data can only be accessed by authorized personnel on a role-based manner following the proportionality principle that authorized personnel can only access the data they need for their role and purpose in the bank.
- Data Use
- Customer Engagement
- We use your contact details with us to communicate with you about your relationship with us. We may ask for feedback, surveys or polls about our products and services.
- We may send you email or mobile notifications, telephone calls, or newsletters about product and services enhancements and account security reminders.
- You have the right to opt out from this form of communications with you or choose another means for which we can contact you.
- We may use your information for us to send out campaigns of commercial products and services we hope you find interesting, relevant, and useful.
- We want to establish a more personalized relationship with you by providing you offers that would suit your lifestyle and needs.
- We perform data analysis on results of our marketing campaigns to measure their effectiveness and relevance.
- You have the right to withdraw your consent or unsubscribe from receiving personalized offers.
- Due Diligence and Regulatory Compliance
- We may use your personal data to evaluate your eligibility for bank products and services.
- In assessing your ability to deliver your repay your loans, we conduct credit risk and investigation and reporting on your credit history and account updates.
- We use your account details when you instruct us to make a payment or fulfill an investment order.
- We use automated processes and data science solutions for faster decision-making in granting loan products.
- We process your data in compliance with legal obligations and statutory requirements by BSP, and other regulatory agencies.
- Business Insights
- We perform data analysis and reporting based on your personal data and how we operationalize to aid our management make better decisions.
- We analyze your behavioral data, your interactions with our products and services, and our communications with you to aid us understand the areas for improvement and development.
- We analyze transactional data performed through our third-party service providers and partners in order to determine how we can jointly improve our products and services for you.
- Data Quality
- We may process your data to comply with data quality standards imposed by BSP. We may obtain additional information about you from government institutions or credit bureaus to improve the quality of your data with us. We may contact you to ensure accuracy and integrity of your information in our data processing systems.
- Protection and Security
- We process your personal data for your account protection against cybercrime, identity theft, estafa, fraud, financial crimes such as money laundering, terrorism financing, and tax fraud.
- We use your personal data such as name, age, nationality, IP address, home address, and other transactional data to conduct profiling for detection of suspicious activity on your account.
- We may employ artificial intelligence and machine learning in real-time detection of suspected fraudulent activities on your account.
- We may reset your password or temporarily hold your online banking account in order to protect you from detected suspected fraudulent activities.
- Data Retention
- Pursuant to BSP Regulations, retention period for transaction records shall be five (5) years from the date of transaction except where specific laws and/or regulations require a different retention period, in which case, the longer retention period is observed.
- For financial data and documents which indicate taxable transactions, data shall be preserved for ten (10) years per BIR Regulation.
- We keep your data as long as it is necessary: a) for the fulfillment of the declared, specified, and legitimate purposes, or when the processing relevant to the purposes has been terminated; b) for the establishment, exercise or defense of legal claims; or c) for legitimate business purposes, which shall be in accordance with the standards of the banking industry.
- Data Disposal
- After the expiration of the imposed retention period, we dispose personal data in a secure manner in order to prevent further processing, unauthorized access, or disclosure to any other party.
Whom we share data with and its purpose
When you consent to the processing of your data with us, you also agree to help us comply with our statutory and contractual obligations with other financial institutions. We may also share your data externally with our partners, upon your consent, for value added services you may find useful and relevant on top of your account with us. For contractual and value-added service data sharing agreements, we employ standardized model clauses as recommended by National Privacy Commission to ensure data protection of personal data.
- Government Authorities
- Bangko Sentral ng Pilipinas (BSP), Anti-Money Laundering Council (AMLC)
- We are subjected to mandatory disclosures to the AMLC under Republic Act No. 9160 or the Anti-Money Laundering Act of 2001, as amended, when there is probable cause that the deposits or investments involved are in anyway related to unlawful activities or money laundering offenses.
- BSP mandates disclosures and reporting in compliance with its issuances for the protection of the integrity of the banking sector.
- Bureau of Internal Revenue (BIR)
- We may conduct random verification with the BIR in order to establish authenticity of tax returns submitted to us.
- BIR may inquire into bank accounts of the following: a) a decedent in order to determine his gross estate; b) a taxpayer who has filed an application to compromise his tax liability on the ground of financial incapacity; and c) a taxpayer, information on whose account is requested by a foreign tax authority.
- Credit Information Corporation (CIC)
- Credit Information Systems Act (RA No. 9510) mandates us to submit your credit data to the CIC and share the same with other accessing entities and special accessing entities authorized by the CIC.
- Judicial and Investigative Authorities
- We may be mandated to disclose certain personal data upon service of legal court orders (i.e. unexplained wealth under Section 8 of RA No. 3019) or express legal request from police, public prosecutors, courts, or dispute resolution providers allowed by law.
- In these cases, we would notify you of the disclosure to the requesting government authority, subject to limitations imposed by law.
- Other Regulatory Authorities
- Regulatory authorities when such other persons or entities we may deem as having authority or right to such disclosure of information as in the case of regulatory agencies, government or otherwise, which have required such disclosure from us and when the circumstance so warrant.
- Financial Institutions
- To fulfill payments and services, we may have to share your information with correspondent banks, network payment processors (i.e. Visa, Mastercard, American Express, JCB), stockbrokers, fund managers, or portfolio service providers.
- We disclose your personal data with insurers, insurance brokers, or providers of deposit or credit protection or protection against all kinds of risks.
- For purposes of credit investigation, consumer reporting, or for reports of credit history, account updates and fraud prevention, we may share your data with reference agencies such as Credit Card Association of the Philippines (CCAP) and Bankers Association of the Philippines (BAP).
- Value Added Services
- With your express consent, we may disclose your data to our partners who collaborate with us to provide services to you and provide joint communications that we hope you find of interest.
- Through our digital channels, you may instruct other mobile financial technology applications to retrieve your account information, initiate payments or cash-in from your account with us via our Application Programming Interface (API) facility.
Your Data Subject Rights
Under the Data Privacy Act of 2012, you have the following rights:
- Right to be informed – you may demand the details as to how your personal information is being processed or have been processed by the Bank, including the existence of automated decision-making and profiling systems.
- Right to access – upon written request, you may demand reasonable access to your personal information, which may include the contents of your processed personal information, the manner of processing, sources where they were obtained, recipients and reason of disclosure.
- Right to dispute – you may dispute inaccuracy or error in your personal information in the Bank systems through our contact center representatives.
- Right to object – you may suspend, withdraw, and remove your personal information in certain further processing, upon demand, which include your right to opt-out to any commercial communication or advertising purposes from the Bank.
- Right to data erasure – based on reasonable grounds, you have the right to suspend, withdraw or order blocking, removal or destruction of your personal data from the Bank’s filing system, without prejudice to the Bank continuous processing for commercial, operational, legal, and regulatory purposes.
- Right to data portability – you have the right to obtain from the Bank your personal information in an electronic or structured format that is commonly used and allows for further use.
- Right to be indemnified for damages – as data subject, you have every right to be indemnified for any damages sustained due to such violation of your right to privacy through inaccurate, false, unlawfully obtained or unauthorized use of your information.
- Right to file a complaint – you may file your complaint or any concerns with our Data Protection Officer and/or with the National Privacy Commission through www.privacy.gov.ph
Contact our Data Protection Officer
For inquiries and concerns, you may address them to UnionBank’s Data Protection Officer at 33/F UnionBank Plaza, Meralco Avenue cor. Onyx Road, Pasig City or through email at firstname.lastname@example.org