Data Privacy Notice

We may collect the following types of personal information:

• 1.1 General Personal Information:
  • Full name, birthdate, contact details (e.g., phone number, email address, physical address)
  • Government-issued ID details
  • Specimen signatures
  • Images and video footage via CCTV and similar recording devices observed during visits to our offices and facilities
  • Voice recordings of our conversations with you (e.g., phone calls or other recorded communications)
• 1.2 Financial and Employment Information:
  • Financial data such as income, expenses, balances, investments, tax information, insurance details, and financial and transaction history
  • Employment and professional information, including job title, employer, work contact details, and salary data (when relevant)
  • Business interests and declared assets
• 1.3 Customer Information:
  • Payment and transaction data, booking history, equipment and vehicle preferences
• 1.4 Visitor and Guest Information: (if applicable)
  • Purpose of visit, vehicle details (if applicable), and visitor log entries
• 1.5 Third-Party Service Providers/Vendors:
  • Company name, business contact information, key personnel details including their respective government issued valid ID, legal registration documents, and service agreement data

We collect and process your personal data to fulfill the following purposes, in accordance with the Data Privacy Act of 2012 and its Implementing Rules and Regulations:

• 2.1 Contractual Necessity
  • To process and fulfill rented equipment and motor vehicles bookings, payments, and related transactions.
  • To manage customer relationships and maintain service records.
  • To manage contracts and relationships with service providers and vendors.
  • To perform profile analysis, behavioral modeling, and analytics to understand needs, preferences, and market trends to improve and recommend suitable products and services.
  • To send statements, billings, notices, and other documents necessary for the continued use of our products and services.
  • To respond to queries, requests, and complaints and improve how we interact with you.
• 2.2 Legal Obligation
  • To comply with tax, insurance, and financial reporting obligations.
  • To comply with applicable laws of the Philippines and those of other jurisdictions, including the Anti-Money Laundering Act of 2001 (Republic Act No. 9160, as amended), Anti-Terrorism Act of 2020 (Republic Act No. 11479), and the implementation of Know Your Customer (KYC) and sanction screening checks.
  • To comply with legal and regulatory requirements such as submission of data to credit bureaus, the Credit Information Corporation (CIC) pursuant to Republic Act No. 9510 and its implementing rules and regulations, responding to court orders, and other instructions and requests from any local or foreign authorities, including regulatory, governmental, tax, and law enforcement authorities.
• 2.3 Legitimate Interest
  • To assess and manage risks, including financial and operational risks.
  • To ensure the safety and security of our premises through CCTV surveillance and security logs.
  • To record communications for service quality and security purposes.
  • To perform certain protective safeguards against improper use or abuse of our products and services, including fraud prevention.
  • To determine the effectiveness of our marketing efforts and initiatives.
  • To perform profile analysis, behavioral modeling, and analytics to understand needs, preferences, and market trends to improve and recommend suitable products and services.
• 2.4 Consent
  • To reach out to you regarding products and services information, including offers, promotions, discounts, rewards, and for personalizing your experience with our various touchpoints such as branches, call center, email, messaging, and other channels.
  • To conduct studies and research for the purpose of reviewing, developing, and improving our products and services.

BPITCRC ensure that the collection and processing of personal data are specific, legitimate, and not excessive in relation to the purposes for which they are collected. We adhere to the principles of transparency, legitimate purpose, and proportionality as mandated by the Data Privacy Act of 2012 and its Implementing Rules and Regulations. We also comply with the guidelines set forth by the National Privacy Commission, including NPC Circular No. 2023-04 on Consent and NPC Circular No. 2023-07 on Legitimate Interest, among other relevant issuances.

BPITCRC is committed to protecting your personal data. As a general rule, we do not engage in the sharing of personal data unless it is necessary, lawful, and compliant with the Data Privacy Act of 2012, its Implementing Rules and Regulations, and relevant issuances of the National Privacy Commission (NPC). Unless otherwise provided by law or upon the lawful order of a competent court, we may disclose or provide access to your personal data only to under the following circumstances:

• 3.1 Parent Companies
  • BPITCRC may share your personal data with its parent companies, Bank of the Philippine Islands (BPI) and Tokyo Century Corporation for legitimate business and operational purposes, and in accordance with the law. This is done under the following conditions:
    • Legal Basis: Consent, contractual necessity, or legitimate interest, as applicable.
    • Transparency: You are adequately informed of the data sharing arrangement.
    • Data Sharing Agreement (DSA): A DSA is in place, as required by NPC Circular 16-02, ensuring compliance with applicable data privacy laws, including provisions on data protection, accountability, and data subject rights.
• 3.2 Third-Party Service Providers or Vendors
  • BPITCRC strictly do not share personal data with their service providers or vendors. Instead:
    • It is BPITCRC's strict policy to enter into Data Processing Agreements (DPAs) with all third-party providers engaged to perform services on behalf of the company
    • These third parties act only as data processors and are prohibited from using the data for any purpose other than those explicitly stated in the agreement.
    • All processing is subject to appropriate organizational, physical, and technical safeguards, as required by the Data Privacy Act and NPC Advisory No. 2017-01.
• 3.3 Regulatory and Government Authorities
  • BPITCRC may disclose personal data to government agencies, regulatory bodies, tax authorities, courts of law, or law enforcement entities:
    • When required by law, regulation, subpoena, or court order;
    • In compliance with financial, tax, anti-money laundering, consumer protection, or credit reporting obligations (e.g., submission to the Credit Information Corporation in accordance with RA No. 9510);
    • Under a valid legal obligation, and with appropriate safeguards in place.
    • Where applicable, a Data Sharing Agreement is executed in accordance with NPC Circular 16-02, particularly for government-to-private sector engagements.
• 3.4 Security-Related Disclosures
  • CCTV footage and other security recordings may be shared with authorized personnel, law enforcement agencies, or legal authorities when reasonably necessary:
    • To ensure the security of BPITCRC's premises, personnel, and visitors;
    • To investigate incidents or respond to lawful requests;
    • Based on legitimate interest and with due regard to data subject rights and proportionality.

BPITCRC ensure that all disclosures or authorized access to personal data are carried out with due diligence, accountability, and transparency. Data sharing or processing activities are always governed by lawful grounds and appropriate contractual and security measures to uphold your privacy rights.

Your personal data will be retained only as long as necessary for the purposes stated or as required by law:

• Customer Data: 5 years post-transaction
• Visitor Data (if applicable): 1 year from date of visit unless required for investigation
• Vendor Data: 6 years from end of the relationship
• CCTV Footage (if applicable): 30 days unless required for investigation
• Security Logs: 1 year unless required for investigation

Under the Data Privacy Act of 2012 and its Implementing Rules and Regulations, data subjects are entitled to the following rights:

• 5.1 Right to be Informed
  • The data subject has the right to be informed whether personal data pertaining to them shall be, are being, or have been processed. Before the entry of personal data into the processing system, or at the next practical opportunity, the data subject must be furnished with the following information:
    • Description of the personal data to be entered into the system;
    • Purposes for which they are being or will be processed;
    • Basis of processing, when processing is not based on consent;
    • Scope and method of the personal data processing;
    • Recipients or classes of recipients to whom the personal data may be disclosed;
    • Methods utilized for automated access, if allowed by the data subject, and the extent to which such access is authorized;
    • Identity and contact details of the personal information controller or its representative;
    • Period for which the information will be stored; and
    • Existence of their rights as data subjects, including the right to access, correction, and objection to the processing, as well as the right to lodge a complaint before the Commission.
• 5.2 Right to Object
  • The data subject shall have the right to object to the processing of their personal data, including processing for direct marketing, automated processing, or profiling. The data subject shall also be notified and given an opportunity to withhold consent to the processing in case of changes or any amendment to the information supplied or declared to the data subject in the preceding paragraph.
• 5.3 Right to Access

  • The data subject has the right to reasonable access to, upon demand, the following:

    • Contents of their personal data that were processed;
    • Sources from which personal data were obtained;
    • Names and addresses of recipients of the personal data;
    • Manner by which such data were processed;
    • Reasons for the disclosure of the personal data to recipients, if any;
    • Information on automated processes where the data will, or is likely to, be made as the sole basis for any decision that significantly affects or will affect the data subject;
    • Date when their personal data concerning the data subject were last accessed and modified; and
    • The designation, name or identity, and address of the personal information controller.
• 5.4 Right to Rectification
  • The data subject has the right to dispute the inaccuracy or error in the personal data and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal data has been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by the intended recipients thereof.
• 5.5 Right to Erasure or Blocking

  • The data subject shall have the right to suspend, withdraw, or order the blocking, removal, or destruction of their personal data from the personal information controller's filing system. This right may be exercised upon discovery and substantial proof of any of the following:

    • The personal data is incomplete, outdated, false, or unlawfully obtained;
    • The personal data is being used for a purpose not authorized by the data subject;
    • The personal data is no longer necessary for the purposes for which they were collected;
    • The data subject withdraws consent or objects to the processing, and there is no other legal ground or overriding legitimate interest for the processing;
    • The personal data concerns private information that is prejudicial to the data subject, unless justified by freedom of speech, of expression, or of the press or otherwise authorized;
    • The processing is unlawful;
    • The personal information controller or personal information processor violated the rights of the data subject.
• 5.6 Right to Data Portability
  • Where their personal data is processed by electronic means and in a structured and commonly used format, the data subject shall have the right to obtain from the personal information controller a copy of such data in an electronic or structured format that is commonly used and allows for further use by the data subject. The exercise of this right shall primarily take into account the right of the data subject to have control over their personal data being processed based on consent or contract, for commercial purposes, or through automated means.
• 5.7 Right to Damages
  • The data subject shall be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal data, taking into account any violation of their rights and freedoms as a data subject.
• 5.8 Right to File a Complaint
  • The data subject has the right to lodge a complaint before the National Privacy Commission regarding any violation of their rights under the Data Privacy Act of 2012.
• 5.9 Transmissibility of Rights
  • The lawful heirs and assigns of the data subject may invoke the rights of the data subject to which they are an heir or assignee, at any time after the death of the data subject, or when the data subject is incapacitated or incapable of exercising the rights as enumerated in the immediately preceding section.