SyCipLaw TMT Quick Notes – Data Privacy January 2026

The case of Grace M. Trimillos v. FCash Global Lending, Inc., G.R. No. 271360 (13 August 2025) was decided on the basis of a procedural issue – the failure to timely object to unauthenticated electronic evidence in a proceeding before the National Privacy Commission (NPC). It also touched on the procedure for filing a complaint with the NPC.

A complaint was filed by the petitioner against a digital lending platform. The latter's operator accessed the petitioner's contact list on her phone and proceeded to inform her contacts that as the petitioner's supposed guarantors, they will be forced to settle the petitioner's unpaid loan obligations. The NPC decided in favor of the petitioner but the decision was reversed by the Court of Appeals (CA) on the ground that the evidence – screenshots of text messages – were unauthenticated and therefore inadmissible. This was raised by the operator only at the CA level.

The Supreme Court reinstated the NPC ruling, noting that the failure to timely object to the evidence was a waiver of the objection, and the rule that a question of inadmissibility may not be raised on the first time on appeal, is true whether the decision elevated for review originated from a regular court, administrative agency, or a quasi-judicial body such as the NPC.

The tribunal also briefly explained the rules of procedure for initiating a complaint with the NPC. In the course of the proceedings before the NPC, the assigned investigating officer must issue an order for all parties to confer as to whether discovery of information and of electronically-stored information is likely to be sought. A copy of the complaint and its supporting evidence will be included in the order to confer for discovery. Parties have the right to examine the evidence submitted.

The mention of the NPC's ruling on unauthorized processing may also be noted. In ruling for the complainant (the petitioner in the Supreme Court case), the NPC explained that the lending platform, in sending out messages to the contacts of the complainant, gathered personal information in excess of what was necessary and processed them for purposes other than those stated in their own privacy policy. The tenor of the messages, and the intention to shame the complainant and jeopardize her reputation until the latter settled her obligations constituted unauthorized processing of personal information with malice.

PhilSys QR Code is Personal Data

In NPC Advisory Opinion No. 2025-015, the NPC advised that the PhilSys QR code constitutes personal and sensitive personal information. The PhilSys QR code enables access to or verification of information linked to government-issued identifiers, which are expressly classified as sensitive personal information under Section 3(l) of the Data Privacy Act (DPA). Accordingly, the QR code and any data derived from it are subject to the stricter requirements for processing sensitive personal information.

The opinion also noted that a bank may lawfully allow a third-party KYC provider to access and process the PhilSys QR code on the basis of Sections 12 and 13 of the DPA, particularly compliance with legal obligations under the Anti-Money Laundering Act and BSP regulations, and for sensitive personal information, processing provided for by existing laws and regulations. Since the third-party provider acts as a personal information processor, it may only process the personal data only upon the bank's documented instructions.

BIR Can Ask CondoCorps for Information about Condo Owners with Airbnb Businesses

NPC Advisory Opinion No. 2025-006 involved a condominium corporation that received an Access Letter from a Bureau of Internal Revenue (BIR) Revenue District Office requesting the names and tax identification numbers of condominium unit and parking slot owners involved in leasing, sub-leasing, Airbnb, staycations, and similar activities. The NPC advised that the BIR could do so and obtain the data without violating the DPA even without the consent of the condominium owners, as consent is not the only lawful basis for processing under the DPA. The disclosure may be justified under Section 12(c) of the DPA, as it is necessary for compliance with a legal obligation, and under Section 13(f), as the information is provided to a government or public authority in the exercise of its regulatory mandate. The BIR, as a public authority tasked with enforcing tax laws under the National Internal Revenue Code, is authorized to obtain information necessary for tax compliance. Processing of personal data pursuant to such statutory mandate falls under the special cases recognized by Section 5 of the DPA IRR.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.