PURPOSE AND SCOPE

CitySavings respects and values your privacy and the secrecy of your account information with us. This Policy informs you, the consumer, how we collect, use, store, and process your personal data with us. We adhere to the data privacy principles of (1) legitimate purpose – we only process upon your consent, in compliance with law or contract, in pursuit of the Bank’s legitimate business purpose and to improve customer experience; (2) transparency – we notify everything that happens to your data; and (3) proportionality – collection is limited based on purpose.

This Policy applies to our consumers whether as: (1) current, past, and prospective customers as individuals or corporations, whether approved or rejected; or (2) non-clients – payees or payors or bank products and services we provide; visitors, or inquirers at our branches and online channels; ultimate beneficial owners, directors or representatives of corporate clients; and such other persons involved in the application of financial services – whether approved or rejected – and transactions with us or with our consumers.

COLLECTION OF YOUR PERSONAL AND SENSITIVE PERSONAL DATA

Personal Data refers to any information that identifies or is linkable to a natural person. On the other hand, Sensitive Personal Data is any attribute that can distinguish, qualify, or classify a natural person from the others such as data relating to your ethnicity, age, gender, health, religious or political beliefs, genetic, or biometric data.

We collect your Personal and Sensitive Personal Data when you register, sign-up, or use our bank products and services or contact us about them. We also collect through your authorized organization whether private corporation or government instrumentality. We may also obtain your information from other sources (i.e., publicly available platforms, financial institutions, credit agencies, payment gateway processors, public authorities, and other registers) for purposes of identity verification and regulatory requirements by the Bangko Sentral ng Pilipinas (BSP).

KINDS OF DATA WE PROCESS

1. Know-Your-Customer (KYC) / Identification Data: refer to Personal Data and Sensitive Personal Data we collect when you sign up or register to our products and services such as full legal name, gender, date of birth, nationality, civil status, permanent address, present address, tax identification number, and other government-issued identification numbers, mobile number, home number, office contact details, company name, job position or rank, office address, source of funds, gross annual income, and such other information necessary to conduct due diligence and comply with BSP rules and regulations.


2. Transactional Data: linkable information to your Personal Data such as (1) bank account number, deposits, withdrawals, such other transfers made to or from your account, and details about them such as reference number, place, and time these were made; (2) information when you contact us through our official channels such as branches, contact centers, web, and mobile platforms; (3) card account number as well as purchases or transactions using your card; and (4) other forms of customer account number, payments, and transactions you have with us.


3. Financial Data: information about the value of your property and assets, your credit history and capacity, and other financial products and services you have with us


4. Behavioral Data: this refers to your online behavior, customer segment, usage of our products and services, internet protocol address of your devices used to access our website and applications, interests and needs you share with us, and customer behavior we collect as part of due diligence, to prevent fraudulent conduct, and comply with banking rules on anti-money laundering, terrorism financing, and tax fraud.


5. Audio Visual Data: for security and improvement of our services, we process audio and video recordings of your interactions with us and surveillance videos at branches and automated teller machines, subject to limitations imposed by law.


6. Sensitive Personal Data: we may require the following Sensitive Personal Data: (1) for customer verification, your government-issued identification numbers or cards such as passport, PhilSys National ID or driver’s license ID; or (2) any information that is necessary, incidental to contractual agreement, or in connection with a requested product or service.


7. Children’s Data: we may collect information about children if they have opened an account with us with parental consent or if you provide us in relation to a product or service you signed up with us (i.e. when your children open a bank account with us).


8. Relevant Individuals: upon your authorization, we may collect information about family members, beneficiaries, attorneys, attorneys-in-fact, shareholders, beneficial owners whenever applicable, persons under any trust, trustees, partners, committee members, directors, officers or authorized signatories, guarantors, other security, and other individuals.

The foregoing data are collectively referred to as “Consumer Data”.

DATA PROCESSING

Processing means any activity pertaining to the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of Consumer Data

We process Consumer Data only for legitimate purposes and with lawful basis such as your consent to be bound by this Policy upon application and submission of the signed terms and conditions and application forms, terms, and conditions of product or service you signed up with us, and as required by law and regulation. We ensure that only authorized employees and third-party service providers, who satisfy our stringent risk management, governance, information security, and data privacy requirements, can process your data.

• Data Storage
  • We store Consumer Data in secure and encrypted Bank-managed environments, devices, and media. For third-party managed environments such as cloud service providers, we employ BSP-sanctioned security protocols and procure BSP approval prior deployment.
  
  
  • We store physical copies of documents containing Consumer Data in physical secure vaults.


• Data Access
  • Consumer Data can only be accessed by authorized personnel on a role-based manner following the proportionality principle that authorized personnel can only access Customer Data they need for their role and purpose in the Bank.


• Data Use
  
  

  The Bank collects and processes personal data to fulfill our contractual obligations to you, comply with legal obligations and regulatory requirements, or as may be reasonably necessary to conduct our business. The personal data we collect pertain to basic information which we employ to improve our services and better address our clients’ specific demands.

  
  

  We organize or consolidate your personal data to allow the Bank to use the data for the purposes stated below. The Bank can also retrieve any of your stored data for the same purposes, as well as to update, modify or correct your data upon your request.

  
  

  In particular, we collect your data for the following purposes:

  • Data Profiling
    
    • We perform automated processing of Consumer Data to evaluate certain personal aspects relating to a natural person, in particular to organize, analyze or predict aspects containing that natural person’s economic situation, financial attitude and propensities, health, personal preferences, interests, reliability, behavior, location or movements.
  
  
  • Customer Engagement
    
    • We use your contact details with us to communicate with you about your relationship with us, and to undertake activities related to the provision of Bank accounts and services including, but not limited to, transaction authorization, statement printing and distribution, customer service and conduct of surveys, the provision of research reports, offering documents, product profiles, term sheets or other product related materials, and administration of rewards and loyalty programs.
    • We may send you email or mobile notifications, telephone calls, or newsletters about product and services enhancements and account security reminders.
    • We use your contact details with us to contact you to verify the identity or authority of Relevant Individuals, representatives who contact the Bank or may be contacted by the Bank to carry out or respond to requests, questions, or instructions from verified representatives.
    • We may also communicate with you to enable an actual or proposed assignee of CitySavings, or participant or sub-participant or transferee of CitySavings’ rights in respect of the Data Subject to evaluate or consummate a transaction intended to be the subject of the assignment, transfer, participation or sub-participation.
    • We may also contact you to get your consent to enable us to provide product related services and support, including, without limitation, provision of processing or administrative support or acting as an intermediary / nominee shareholder / agent / broker / market participant /counterparty in connection with participation in various products including credit, debit, charge, prepaid or any type of card, personal loan, motorcycle loan and mortgage.
    • We may also contact you, through your other contact information which have been shared to us by our service providers, to get your consent to enable us to update your information with us and process the same in accordance with this Policy.
    • You have the right to opt out from this form of communications with you or choose another means for which we can contact you.
  
  
  • Marketing
    
    • We may use your information for us to send out campaigns of commercial products and services we hope you find interesting, relevant, and useful.
    • We want to establish a more personalized relationship with you by providing you offers that would suit your lifestyle and needs.
    • We perform data analysis on results of our marketing campaigns to measure their effectiveness and relevance.
    • You have the right to withdraw your consent or unsubscribe from receiving personalized offers.
  
  
  • Due Diligence and Regulatory Compliance
    
    • We may use Consumer Data to evaluate your eligibility for Bank products and services.
    • In assessing your ability to repay your loans, we conduct credit risk and investigation and reporting on your credit history and account updates.
    • We use your account details when you instruct us to make a payment or fulfill an investment order.
    • We use automated processes and data science solutions for faster decision-making in granting loan products.
    • We process Consumer Data in compliance with legal obligations and statutory requirements by BSP, and other regulatory agencies, or to support initiatives, projects and programs by or between financial industry self-regulatory organizations, financial industry bodies, associations of financial services providers or other financial institutions, including assisting other financial institutions to conduct background or credit checks or collect debts.
    • We use your Consumer Data to establish, maintain or terminate accounts and establish, provide or continue banking/credit facilities or financial services including credit, debit, charge, prepaid or any type of card, personal loan, mortgage, motorcycle loan, financial products and services, and otherwise maintaining accurate “KYC” information and conducting anti-money laundering and sanctions, and credit and background checks (whether such facilities or services are offered or issued by the Bank’s affiliates, third parties or through other intermediaries, providers or distributors).
  
  
  • Business Insights
    
    • We perform data analysis and reporting based on your Consumer Data and how we operationalize to aid our management make better decisions.
    • We analyze your behavioral data, your interactions with our products and services, and our communications with you, and we carry out business risk, control, or compliance review or testing, internal audits or enable the conduct of external audits to aid us understand the areas for improvement and development.
    • We analyze transactional data performed through our third-party service providers and partners in order to determine how we can jointly improve our products and services for you.
  
  
  • Data Quality
    
    • We shall process your Consumer Data in compliance with the data quality standards imposed by BSP. We shall obtain additional information about you from government institutions or credit bureaus to improve the quality of your Customer Data with us. We may contact you to ensure accuracy and integrity of your information in our data processing systems.
  
  
  • Protection and Security
    
    • We process Consumer Data for your account protection against cybercrime, identity theft, estafa, fraud, and other financial crimes such as money laundering, terrorism financing, and tax fraud.
    • We use your Personal Data such as name, age, nationality, IP address, home address, and other Transactional Data to conduct profiling for detection of suspicious activity on your account.
    • We may employ artificial intelligence and machine learning in real-time detection of suspected fraudulent activities on your account.
    • We may reset your password or temporarily hold your online banking account to protect you from detected suspected fraudulent activities.
    • Upon your consent, we may monitor and record calls and electronic communications with Relevant Individuals and consumers for record keeping, quality assurance, customer service, training, investigation, litigation, and fraud prevention purposes.
  
  
  • Bank Remedies and Verification
    
    • We may use Consumer Data to enforce (including without limitation collecting amounts outstanding) or defend the rights of CitySavings and/or any of its affiliates and subsidiaries, its employees, officers, and directors, contractual or otherwise.
    • We need to verify the identity or authority of your family members, friends, beneficiaries, attorneys, attorneys-in-fact, shareholders, beneficial owners (if relevant), persons under any trust, trustees, partners, committee members, directors, officers, or authorized signatories, sureties, guarantors, other security and other individuals, representatives who contact CitySavings or may be contacted by CitySavings (collectively, the “Related Person/s”) and to carry out or respond to requests, questions, or instructions from verified representatives or other parties pursuant to CitySavings’ then-current security procedures.
  
  
  • Analogous Uses
    
    • We may use Consumer Data for other transactions and/or purposes analogous or relating directly thereto.
  
  
• Data Retention
  
  • For financial data and documents which indicate taxable transactions, data shall be preserved for ten (10) years per BIR regulation.
  • We keep your data as long as it is necessary: a) for the fulfillment of the declared, specified, and legitimate purposes, or when the processing relevant to the purposes has been terminated; b) for the establishment, exercise or defense of legal claims; or c) for legitimate business purposes, which shall be in accordance with the standards of the banking industry.
  • The processing, profiling, and sharing apply during the prospecting and application stages, as well as for the duration of and even after the rejection, termination, closure or cancellation of the Services (collectively "Termination") for a period of at least ten (10) years from the Termination of the last existing account or relationship of the Data Subject or Relevant Individual as determined by the Bank.
  • All other transactions and accounts that are not defined above shall be retained following BSP Regulations where retention period for transaction records shall be five (5) years from the date of transaction except where specific laws and/or regulations require a different retention period, in which case, the longer retention period is observed.


• Data Disposal
  
  • After the expiration of the imposed retention period, we dispose personal data in a secure manner in order to prevent further processing, unauthorized access, or disclosure to any other
  • Consumers Data and Consumers’ right to Data Deletion are subject to data retention requirements and to certain limitations. We can only exclude you from receiving advertisements and other notifications by emailing CitySaving’s Data Protection Officer dpo@citysavings.com.ph. The request shall be processed after submission of the completed Do Not Contact Form. You will be informed of the limits and bounds, and consequences of such request. You likewise understand that prior to such Do Not Contact Request, your data has already been processed and shared in accordance with this Policy. We will inform said third-party recipients of your Request, and inform you of those third-parties accordingly.

DATA SHARING AND PURPOSE

When you consent to the processing of your Consumer Data with us, you also agree to help us comply with our statutory and contractual obligations with other financial institutions. We may also share Consumer Data externally with our partners, upon your written and/or electronic consent, for value-added services you may find useful and relevant on top of your account with us. For contractual and value-added service data sharing agreements, we employ standardized model clauses as recommended by National Privacy Commission to ensure data protection of Consumer Data.

Further, the Consumer Data shall be provided in a manner and form as specified in a separate contract of agreement. The Bank and third parties shall take reasonable measures to protect the Consumer Data from breach of the agreement or any part thereof or from unauthorized and unlawful disclosure to other parties. The following shall be observed in sharing data:

1. The amount of information that shall be collected and processed are defined.
2. The information shall be provided only to the authorized recipients as of the date of the agreement.
3. The Bank may withhold or order to cease processing or sharing of data at any time if it deems that such processing or disclosure is contrary to law or adversarial to the Bank’s interests.
4. The Bank may share anonymized or aggregated information internally and with third parties for any purposes. Anonymized information will not identify you individually.

Below are the disclosures required by the government entities, other regulatory authorities and financial institutions:

• BSP, Anti-Money Laundering Council (AMLC)
  
  • We are subjected to mandatory disclosures to the AMLC under Republic Act 9160 or the Anti-Money Laundering Act of 2001, as amended, when there is probable cause that the deposits or investments involved are in anyway related to unlawful activities or money laundering offenses.
  • BSP mandates disclosures and reporting in compliance with its issuances for the protection of the integrity of the banking sector.


• Bureau of Internal Revenue (BIR)
  
  • We may conduct random verification with the BIR in order to establish authenticity of tax returns submitted to us.
  • BIR may inquire into bank accounts of the following: a) a decedent in order to determine his gross estate; b) a taxpayer who has filed an application to compromise his tax liability on the ground of financial incapacity; and c) a taxpayer, information on whose account is requested by a foreign tax authority.


• Credit Information Corporation (CIC)
  
  • Credit Information Systems Act (RA 9510) mandates us to submit your credit data to the CIC and share the same with other accessing entities and special accessing entities authorized by the CIC.


• Judicial and Investigative Authorities
  
  • We may be mandated to disclose certain Consumer Data upon service of legal court orders (i.e. unexplained wealth under Section 8 of RA 3019) or express legal request from police, public prosecutors, courts, or dispute resolution providers allowed by law.
  • In these cases, we would notify you of the disclosure to the requesting government authority, subject to limitations imposed by law.
  • Any person or entity to whom the Bank is under an obligation or otherwise required to make disclosure pursuant to legal process or under the requirements of any Philippine Law, regulation, court order, or agreement entered into, binding on or applying to the Bank, or agreement entered into by the Bank, whether such legal process, obligation, request, requirement, agreement, or guidance may be existing currently or created in the future.


• Other Regulatory Authorities
  
  • Regulatory authorities when such other persons or entities we may deem as having authority or right to such disclosure of information as in the case of regulatory agencies, government or otherwise, which have required such disclosure from us and when the circumstance so warrant.


• Financial Institutions
  
  • To fulfill payments and services, we may have to share your information with correspondent banks, network payment processors (i.e. Visa), stockbrokers, fund managers, portfolio service providers, or to any financial institution, processing agent, intermediary, clearing house, issuer, borrower, underwriter, dealer, seller, registrar, registry, paying and collecting agent, custodian, depository, underwriter, fund manager, fund provider, insurer, acquiring company, securities and investment services provider, trustee, or any other person who will be involved in the transactions, Services, or any banking/credit or financial activities or with whom the Data Subject has or proposed to or is required to have dealings
  • We disclose your Consumer Data with insurers, insurance brokers, or providers of deposit or credit protection for protection against all kinds of risks.
  • For purposes of credit investigation, consumer reporting, or for reports of credit history, account updates and fraud prevention, we may share your data with reference agencies such as the Bankers Association of the Philippines (BAP).


• Value-Added Services
  
  • We may disclose your Consumer Data to our partners who collaborate with us to provide services to you and provide joint communications that we hope you find of interest.
  • Through our digital channels, you may instruct other mobile financial technology applications to retrieve your account information, initiate payments, or cash-in from your account with us via our Application Programming Interface (API) facility.
  • In the course of the Bank’s business, we may also disclose your Consumer Data to the following authorized personnel, including, but not limited to, an agent, broker, adviser, contractor or third party service provider who provides administrative, mailing, telemarketing, direct sales, telecommunications, call center, business process, travel, visa, knowledge management, human resource, data processing, information technology, computer, information security, anti-fraud, payment, debt collection, credit or business information, reference or other background checks, leads and referrals, nominee or securities clearing, consulting service, or other services to the Bank.
  • We may also share your data to any of the Bank and Aboitiz Equity Ventures, Inc.’s subsidiaries and affiliates, for the purposes as set out in the Bank’s Privacy Policy, in force provided by you to us from time to time or for compliance to any law, regulations, government requirement, treaty, agreement, policy, or as required by or for the purpose of any court legal process, examination, inquiry, audit, or investigation of any authority. This applies notwithstanding any non-disclosure agreement.


• Assignees/Relevant Individual
  
  • We disclose your Consumer Data to our Bank directors, officers, and employees.
  • We may also share your Consumer Data to enable an actual or proposed assignee of the Bank, or participant or sub-participant or transferee of the Bank's rights in respect of the Data Subject or any other Relevant Individual, of all or any part of the assets or business of the Bank, to evaluate or consummate a transaction intended to be the subject of the assignment, transfer, participation, or sub-participation.
  • Your data may be shared to any party giving or proposing to give a guarantee or third-party security to guarantee or secure the Data Subject's obligations or those of any Relevant Individual.

RIGHTS OF THE CONSUMER

Under the Data Privacy Act of 2012, you have the following rights:

1. Right to be informed – you may demand the details as to how your Personal Information is being processed or have been processed by the Bank, including the existence of automated decision-making and profiling systems.


2. Right to access – upon written request, you may demand reasonable access to your Personal Information, which may include the contents of your processed personal information, the manner of processing, sources where they were obtained, recipients, and reason of disclosure.


3. Right to dispute – you may dispute inaccuracy or error in your Personal Information in the Bank systems through our contact center representatives.


4. Right to correct – you may require CitySavings to correct any Information and/or Personal Data relating to you which is inaccurate.


5. Right to object – you may suspend, withdraw, and remove your Personal Information in certain further processing, upon demand, which include your right to opt-out to any commercial communication or advertising purposes from the Bank.


6. Right to data erasure – based on reasonable grounds and subject to applicable laws and regulations, you have the right to suspend, withdraw or order blocking, removal or destruction of your personal data from the Bank’s filing system, without prejudice to the Bank continuous processing for commercial, operational, legal, and regulatory purposes.


7. Right to data portability – you have the right to obtain from the Bank your Personal Information in an electronic or structured format that is commonly used and allows for further use.


8. Right to be indemnified for damages – as data subject, you have every right to be indemnified for any damages sustained due to such violation of your right to privacy through inaccurate, false, unlawfully obtained, or unauthorized use of your information


9. Right to file a complaint – you may file your complaint or any concerns with our Data Protection Officer and/or with the National Privacy Commission through www.privacy.gov.ph.

CONTACT OUR DATA PROTECTION OFFICER

To exercise your data privacy rights and for other inquiries and concerns, you may address them to CitySaving’s Data Protection Officer at 29/F UnionBank Plaza, Meralco Avenue cor. Onyx Road, Pasig City or through email at dpo@citysavings.com.ph.

Please clearly indicate the information that you wish to review, correct, update or modify. The Bank will endeavor to comply with your request as soon as reasonably possible. If the Bank is unable to uphold your data privacy rights, you have the right to lodge a complaint before the NPC.

The Bank welcomes any feedback from your regarding any area of our existing services or marketing strategies. You may send your specific feedback to the email address above. Any feedback you provide shall be deemed to be confidential. Your feedback is highly appreciated as it serves as a way for us to improve our services and best satisfy your needs.

From time to time, we may modify, update or amend the terms of this Privacy Policy by placing the updated Privacy Policy on our website. The effective date of such modifications, updates or amendments will be noted at the end of the Privacy Policy. The Bank will inform you in writing of any changes to this Policy, either by email, letter, posting the changes at the Bank’s official website, or other communication channels.

Effective Date: April 30, 2023