Philippines: Issued ruling in NPC investigation into Populus Lending Corporation over multiple breaches of DPA

On 26 September 2023, the Philippine National Privacy Commission (NPC) issued a ruling in its investigation into Populus Lending Corporation (Pesopop) over multiple alleged breaches of the Data Privacy Act of 2012 (DPA). The NPC previously filed a temporary ban on the processing of personal data against Pesopop due to alleged violations of the DPA. The NPC found that Pesopop violated section 25 of the DPA by processing personal data, including sensitive data, without a lawful basis, since the content from users was not validly obtained, as well as by making its application available for download during the effectiveness of the ban. Furthermore, the NPC found that Pesopo’s revised application and its privacy policy were still in violation of the DPS and the Guidelines on the Processing of Personal Data for Loan-Related Transactions (NPC Circular 20-01). Beyond that, the NPC warranted a recommendation for prosecution of the responsible officers of Pesopop due to its violation of the DPA.