SCM vs. XXXX (NPC 19-382)

Posted byrolandhomeresPosted inLawful Processing, NPC Decisions/Resolutions/OrdersTags:,

Facts: Complainant filed a Complaint and Application for Temporary Ban on the processing of her personal information against respondent. Complainant alleged that received calls and texts from the Respondent, even during office hours, urging her to pay the loan. Complainant allegedly felt depressed because the Respondent forced her to pay despite saying that she does not have money to pay.

Respondent on the other hand prayed for the dismissal of the case on the ground of procedural infirmities and lack of legal standing of the Complainant because the transaction did not push through as the application of the complainant was already denied by the respondent.

Issue: Whether there is violation of the Complainant’s data privacy rights.

Held: Complainant failed to present evidence of a contractual relationship between the parties. On the other hand, the Respondent was able to present proof that the complainant’s loan application was rejected by them. Further, even assuming there is a contractual relationship between the parties, the Complainant would still be defeated due to its failure to state a cause of action that is anchored on any of the provisions of the DPA. A liberal reading of the complaint would reveal that such allegations would only constitute unfair debt collection, which is outside the Commission’s jurisdiction.

The allegation of repeated calls and texts committed by the Respondent must be clearly established by the Complainant as violations of Section 11, 12, or 13 of the DPA in order to be considered unlawful processing.

In sum, the Complaint and Application for Temporary Ban on the processing of personal information should be dismissed for lack of merit.

On another matter, the Commission noticed the phrasing of the Respondent’s Privacy Policy as stated in its consolidated comment/opposition and as part of its attachments:

“5. User Data Processing

  1. Without limitation to the foregoing, User data may be processed by OLP among others for the following purposes:

xxx.”

… processing of personal data cannot be declared in any privacy policy or in a contract to be without limitation because the DPA itself provides the processing should only be adequate and not excessive to the Personal Information Controller.

In this case the complaint was dismissed but the Respondent was sternly reminded to comply with the principle of proportionality.

Leave a comment