M LHUILLIER PRIVACY STATEMENT

M Lhuillier values your privacy and handles your personal data in line with the Data Privacy Act of 2012. We collect and process necessary personal and sensitive information to verify identities, complete transactions, respond to inquiries, comply with legal requirements, and improve our services. Personal data is collected via forms, digital platforms, or authorized representatives, securely stored, and retained per our privacy policy and legal obligations. We may share them with affiliates, partners, and regulators under lawful terms and valid data sharing or outsourcing agreements. Sharing is limited to what is necessary for verification, transactions, fraud prevention, compliance, or support, and is done in line with Sections 12 or 13 of the DPA of 2012. You have the right to access, correct, transfer, block, delete, or object to data use, and to file complaints or claim damages, subject to legal limits. We apply strict technical, organizational, and physical security measures to protect your personal data, including encryption, multi-factor authentication, access controls, secure storage, staff training, CCTV monitoring, and other protective measures. Privacy practices are updated as needed. 

M LHUILLIER PRIVACY NOTICE

Effective Date: 30th July 2019 Last Update: 15th August 2025 Version: 3.0

M Lhuillier respects your privacy and is committed to protecting your personal data in compliance with the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations, and issuances of the National Privacy Commission (NPC). This Notice explains how we collect, use, store, share, and secure your data, as well as your rights as a data subject.

1. PURPOSE AND SCOPE

This Notice applies to all customers, prospective customers, partners, employees, job applicants, website and mobile app users, and other individuals whose personal data we process in connection with our products and services, whether collected manually or electronically.

2. OUR PRODUCTS & SERVICES

• Car Loan

• Home Loan

• Insurance

• Jewelry

• Kwarta Padala

• MCash

• ML ShopSafe

• ML Express

• ML Moves

• ML Payroll Pro

• Money Changer

• Quick Cash Loans

• Telco, Gaming & TV Loading

3. OUR DATA SUBJECTS

We process personal data of:

• Financial and non-financial customers and their beneficiaries

• Tie-Up Partners, Corporate Partners, Remittance Sub-Agents, and their individual stockholders, directors, senior officers, beneficial owners, and stakeholders who are natural persons, including their customers

• Suppliers and/or their authorized representatives

• Job applicants

• Employees and their beneficiaries

• Project-based/seasonal employees

• Interns / On-the-Job Trainees (OJT)

• Individual consultants

4. PURPOSES OF PROCESSING, LAWFUL BASES, AND DATA WE PROCESS

We process personal data based on one or more of the following lawful bases:

• Consent – when you have explicitly agreed to the processing.

• Contract – when processing is necessary to fulfill our agreement with you.

• Legal Obligation – when required by law, regulation, or lawful order.

• Legitimate Interests – when necessary for our operations, provided your fundamental rights and freedoms are not overridden.

Primary Purposes (Essential)

Lawful Basis: Contract / Legal Obligation / Legitimate Interest

These purposes are necessary to deliver the service you request or to fulfill our legal and contractual obligations.

• Provide and deliver our products and services

• Verify identity and process transactions

• Provide customer support and resolve concerns

• Comply with BSP, AMLC, and other regulatory requirements (e.g., Anti-Money Laundering Act)

• Prevent fraud, manage risks, and secure systems

Data We Collect:

The collection of your information will depend on our relationship and the product or service you availed.

Transactions Covered by RA 9160 or the Anti-Money Laundering Act of 2001, as amended

When processing transactions covered by RA 9160, we are required by law to collect certain personal information. This helps us verify your identity, keep your transactions secure, and comply with regulatory requirements.

Personal Information

• Name 

• Place of birth

• Nationality

• Country of birth

• Contact information (e.g., mobile/phone number, email address )

• Current address

• Permanent address

• Nature of work

• Source of income

Sensitive Personal Information (SPI):

• Date of birth

• Civil status

• Identification document (e.g., government-issued ID number, passport, driver’s license)

• Webcam photo

• Status as a Politically Exposed Person (PEP)

• Other supporting documents that reveal identity, financial status, or other sensitive details

Other data: 

• CCTV footage

• Call recordings

• Transaction logs.

Note on Religious Affiliation:

In rare cases where a customer’s date of birth cannot be provided due to religious beliefs or practices, we may request religious affiliation as an alternative identifier. This is required by law for proper identity verification under the Anti-Money Laundering Act and is collected only when necessary, kept strictly confidential, and used solely for this purpose.

We collect data directly from you, through your authorized representative, from lawful third-party sources, or via automated systems.

Rest assured, this information is handled with the highest level of care, protected by strict security measures, and used only for the purposes allowed by law.

Secondary Purposes (Optional) Lawful Basis: Consent / Legitimate Interest

These purposes are not essential for providing our core services but help us improve our offerings, engage with you better, or support business operations.

• Marketing and promotions of products and services

• Customer profiling, analytics, and segmentation for targeted offers

• Surveys, research, and product development

Data We May Collect:

Generally limited to your contact details and basic account information relevant to the purpose.

Your Choice: You may withdraw your consent for optional processing (e.g., marketing) at any time by contacting our DPO or customer care channels, or by informing our branch personnel. Withdrawal will not affect processing necessary to fulfill our contractual or legal obligations.

General Inquiries or Concerns Lawful Basis: Legitimate Interest / Contract (where applicable)

To help us respond to your questions, concerns, or feedback about our products and services, we may need to collect a few basic details from you. This allows us to provide accurate information and address your needs promptly.

Personal Information (PI):

• Full Name

• Contact details (e.g., phone number, mobile number, email address)

We collect this information based on our legitimate interests to serve you better and, where applicable, to perform a contract or take steps before entering into one. 

Your details are handled securely and used only for the purposes you have entrusted to us.

5. DATA COLLECTION

We collect your personal, and when necessary, sensitive personal information in ways that make it easier for us to serve you while complying with the Data Privacy Act of 2012:

• Directly from you - when you fill out application forms, use our online portals, send us an email, call us, or visit our branches and customer service channels

• From your authorized representative - if you've given someone permission to act or transact on your behalf.

• From trusted third parties - with your consent, or in situations allowed by law under Sections 12 or 13 of the Data Privacy Act (such as legal requirements, contractual obligations, or legitimate interests).

• Through secure automated systems - like CCTV footage in our premises, call recordings, and transaction logs generated while using our services.

No matter how we collect it. your information is always handled with care, kept secure, and used only for the purposed we've explained in this Privacy Notice.

6. AUTOMATED PROCESSING & PROFILING

We use automated tools to detect fraud, assess risks, and segment customers for relevant updates. We do not make solely automated decisions with legal or significant effects without your knowledge. You may request human review, object to, or contest such decisions unless required by law.

7. DATA SHARING & TRANSFERS

We share your personal information (e.g., name, contact details, transaction details) and, when necessary, your sensitive personal information (e.g., government-issued IDs, financial account details, biometric data) only as lawful and necessary, such as with:

• Government agencies and regulators (e.g., BSP, AMLC, NPC) as required by law.

• Authorized partners and service providers who assist in processing transactions, delivering services, or providing technical support—bound by strict confidentiality and data protection agreements.

• Financial institutions and remittance partners for transaction fulfillment and settlement.

• Law enforcement agencies, when disclosure is legally mandated.

When data sharing involves automated processing or profiling, we ensure that:

• Only the minimum necessary data is shared.

• Processing is done securely and in compliance with the DPA.

• You are informed of your rights and allowed to object, where applicable.

8. DATA RETENTION AND STORAGE

We store and maintain your personal data in a secure environment using physical, technical, and organizational safeguards.

• Retention Periods

  • Customer records – Retained for five (5) years from your last transaction, or as required by AMLA, BSP rules, and other applicable laws.

  • Extended retention – Data may be kept longer if necessary for legal, regulatory, or technical reasons, or for legitimate business purposes such as research or statistics, with strict privacy safeguards in place.

  • Employee records – as required by labor and tax laws

  • CCTV – retained only for as long as necessary

• Storage Methods

  • Physical records – Kept in locked storage areas with access controls.

  • Electronic records – Stored in secure servers with encryption, firewalls, and password protection.

• Access Control

  • Access is granted only to authorized personnel with a legitimate need to process your information.

• Secure Disposal

  • After the retention period, personal data is securely disposed of by deletion from systems and/or shredding of physical records to prevent unauthorized access or use.

9. DISPOSAL OF PERSONAL DATA

When your personal data is no longer needed, we securely dispose of it by:

• Shredding physical documents

• Deleting electronic data after clearance from the authorized department

Once the retention period has passed, we securely dispose of your information in a way that prevents unauthorized access, use, or disclosure.

10. CONFIDENTIALITY AND DATA SECURITY MEASURES

M Lhuillier implements reasonable, appropriate, and adequate organizational, physical, and technical security measures to maintain the availability, integrity, and confidentiality of personal data. These safeguards protect collected, processed, and stored information against accidental or unlawful destruction, alteration, disclosure, or unauthorized processing.

We protect your personal information at every stage of processing by addressing possible risks such as:

• Collecting unnecessary details

• Theft or hacking of stored records

• Misuse or outdated use of data

• Insecure sharing or transfers

• Keeping data longer than necessary

• Improper disposal

• Errors in automated processing

• Delays in breach response

To guard against these risks, we:

• Collect only what’s needed and explain why we need it

• Store data securely using encryption, locked storage, and access controls

• Process data only for lawful purposes and keep it accurate

• Share data only when required by law or with your consent

• Follow strict retention schedules and dispose of data securely

• Review important automated decisions and allow opt-out when possible

• Maintain systems to detect, respond to, and report breaches promptly

• Technical Measures

  • Automated Access Controls – Enforced through least-privilege and just-in-time access protocols, strong password authentication, administrator access restrictions, and continuous monitoring of server logs. These uphold the principles of proportionality, confidentiality, and integrity under the Data Privacy Act.

  • System and Device Protection – Use of firewalls, antivirus software, and regular security updates to protect servers and desktops.

  • Access Management – Restrict administrator rights to authorized personnel only.

  • Monitoring and Testing – Conduct continuous server log monitoring, as well as regular vulnerability assessments and penetration testing (VAPT) to identify and address potential security gaps.

• Organizational Measures

  • Enforce a clear-desk policy.

  • Store paper files in secure locations.

  • Restrict access to authorized personnel only.

  • Dispose of physical records through secure shredding.

  • Conduct regular company-wide privacy training.

• Physical Measures Use CCTV with proper warning signage.

  • Install and maintain secure locks and padlocks.

  • Restrict workstation access.

  • Equip facilities with fire extinguishers and other safety measures to protect resources and data.

11. DATA BREACH RESPONSE

In case of a breach:

• We will notify the NPC and affected data subjects within 72 hours, as required by law

• We will provide details of the breach, affected data, and mitigation steps

12. YOUR RIGHTS

Under the Data Privacy Act of 2012, you have the following rights regarding your personal data:

• Right to Be Informed – To know why and how your personal data is collected, processed, used, and stored.

• Right to Object – To refuse the use of your data for legitimate interests, including automated processing, profiling, and direct marketing. Exceptions apply when processing is required by law, by court order, in an employer–employee relationship, or due to other lawful bases. You may opt out of tailored marketing messages, although you may still receive general, non-targeted promotions.

• Right to Access – To request a copy of the personal data we hold about you through a Data Subject Access Request (DSAR), helping ensure its accuracy and lawful use.

• Right to Rectification – To request the correction or completion of inaccurate or incomplete personal data. M Lhuillier will address such requests within a reasonable period, unless the request is deemed unreasonable.

• Right to Data Portability – To obtain and transfer your data securely for use across different services without affecting its usability.

• Right to Erasure or Blocking – To request suspension, blocking, deletion, or destruction of data proven to be incomplete, outdated, false, unlawfully obtained, or no longer necessary. M Lhuillier will address such requests within a reasonable period, unless the request is deemed unreasonable.

• Right to Damages – To seek compensation for damages resulting from inaccurate, unlawfully obtained, or unauthorized use of your data.

• Right to Complain – To file a complaint with any branch personnel, our customer care hotline, or the contact details provided herein.

DSAR Process: To exercise your rights under Section 11, you may submit a Request for Assistance and Complaint form together with a valid government-issued ID to mldpo@mlhuillier.com. We will respond within a reasonable period or inform you if additional time is needed due to the complexity of the request.

13. LIMITATION OF RIGHTS

Your data privacy rights may not apply in the following cases:

• When your personal data is used for scientific or statistical research.

• When your personal data is processed for investigations related to criminal, administrative, or tax liabilities in which you are involved.

• In such cases, M Lhuillier will process your data only to the minimum extent necessary to achieve the research or investigation’s purpose.

14. COMPLAINT HANDLING

• Submit your concern to any branch personnel, our customer care hotline, or via the contact details provided in Section 16.

• We will acknowledge receipt within 3 working days.

• Investigation and resolution will be completed within a reasonable period, unless extended for valid reasons.

• Request for Assistance & Complaint Form: Click here to access the form

15. COOKIES & ONLINE TRACKING

When you visit our website or app, we may use cookies and similar technologies to improve your experience and analyze site usage. You may adjust your browser settings to block or delete cookies.

16. CONTACT INFORMATION

For concerns on privacy:	For general concerns:
Data Protection Officer (DPO)	Customer Care Department
M Lhuillier Group of Financial Services	M Lhuillier Group of Companies
ML Bldg. B. Benedicto St. Brgy. Tejero, North Reclation Area, 6000 Cebu City	ML Bldg. B. Benedicto St. Brgy. Tejero, North Reclation Area, 6000 Cebu City
📧 mldpo@mlhuillier.com	customercare@mlhuillier.com
📞 (032) 380-3000	📞 0947-999-0337 /0522 /2721 /2472 (0917-871-2973)

17. CHANGES TO THIS NOTICE

M LHUILLIER reserves the right to update or revise this Privacy Notice at any time to keep it accurate, relevant, and compliant with laws and best practices. If we make significant changes, we will issue a new version and inform you through our official channels.

TO KNOW MORE ABOUT R.A. 10173 or DPA and its RIRR:

DPO (Data Protection Officer) | DPS (Data Processing System)