Philippines: Closed NPC investigation (NPC 20-283) into BPI over alleged unauthorised access and disclosure

On 17 August 2023, the Philippine National Privacy Commission (NPC) closed its investigation into the Bank of the Philippine Islands (BPI) over an alleged violation of the Data Privacy Act of 2012 (DPA). The investigation concerned a customer who was contacted by a fraudster pretending to be an employee of the BPI and wanting to gain personal information from her. The customer claimed that the BPI did not safely guard her personal data, which made it possible for the fraudster to contact and fraud her. Specifically, the NPC investigated whether the BPI violated section 26 concerning accessing due to negligence and section 32 regarding unauthorised disclosure of the DPA. The NPC found no evidence to support the claims, as the fraudster only had the customer’s name and phone number, which he could have obtained elsewhere and no indication was shown that the information came from the BPI.