MINDANAO CONSOLIDATED COOPERATIVE BANK (MCCB) respects and values CLIENT’s right to privacy with utmost importance. The Bank is taking the necessary steps for the protection and security of its CLIENTs’ personal information and use of the Bank’s services. As provided by the Data Privacy Act of 2012 (“DPA”), its Implementing Rules and Regulations (“IRR”), and issuances by the National Privacy Commission, the Bank guarantees compliance with all the requirements mandated by law, as well as with the generally accepted global data protection standards and regulations. The Bank ensures continued protection of CLIENT’s personal information with the Bank’s organizational, physical, and technical measures for data protection, including policies for evaluation, monitoring, and review of operations and security risks. This Privacy Policy informs CLIENTs of updates on Bank’s corporate policies regarding collection, use, storage, disclosure, and disposal of personal information receive and collect from the Bank customers, payees, users, and any individual who communicate, raise inquiries and concerns, as well as transacting through authorized representatives, bank branches, official websites and platforms, and web-based applications and channels. This Privacy Policy shall be subject to changes relative to policies and the law. The Bank shall notify CLIENT of the changes by posting at the Bank’s website and other means of communication for CLIENT’s information and reference.


Personal Information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify as an individual. Sensitive Personal Information is any attribute of CLIENT’s personal information that can discriminate, qualify, or classify CLIENT such as your age, date of birth, marital status, government-issued identification numbers, account numbers, and financial information. Privileged Information is any and all forms of information which, under the Rules of Court and other pertinent laws, constitute privileged communication (i.e. lawyer-client, priest- confessor, doctor-patient).

Under the Data Privacy Act of 2012, CLIENTs have the following rights:
  1. Right to be informed – CLIENT may demand the details as to how his/her personal information is being processed or have been processed by the Bank, including the existence of automated decision-making and profiling systems;
  2. Right to access – upon written request, CLIENT may demand reasonable access to his/her personal information, which may include the contents of processed personal information, the manner of processing, sources where they were obtained, recipients and reason of disclosure;
  3. Right to dispute –CLIENT may dispute inaccuracy or error in his/her personal information in the Bank systems through contact center representatives;
  4. Right to object – CLIENT may suspend, withdraw, and remove his/her personal information in certain further processing, upon demand, which include CLIENT’s right to opt-out to any commercial communication or advertising purposes from the Bank;
  5. Right to data erasure – based on reasonable grounds, CLIENT have the right to suspend, withdraw or order blocking, removal or destruction of your personal data from the Bank’s filing system, without prejudice to the Bank’s continuous processing for commercial, operational, legal, and regulatory purposes;
  6. Right to secure data portability – CLIENT have the right to obtain from the Bank his/her personal information in an electronic or structured format that is commonly used and allows for further use;
  7. Right to be indemnified for damages – as data subject, CLIENT have every right to be indemnified for any damages sustained due to such violation of his/her right to privacy through inaccurate, false, unlawfully obtained or unauthorized use of CLIENT’s information; and
  8. Right to file a complaint– CLIENT may file his/her complaint or any concerns to any of our branches or at the Bank’s Head Office at MCCB Building, Capitol Compound, Luna-Velez Street, Cagayan de Oro City 9000 or get in touch with our Customer Relations Officer at

MCCB collects and processes personal information of CLIENT only upon express consent, which refers to any freely given, specific, informed indication of will, whereby CLIENTs agree to the collection and processing of his/her personal, sensitive or privileged information. The Bank processes CLIENTs personal information in accordance with the law, this Privacy Policy, Terms and Conditions, and other legal instruments which the CLIENT may have entered into with the Bank.

As mandated by the Bangko Sentral ng Pilipinas, in the usual course of banking business activities, the Bank collect the following personal information from and about the CLIENT, including, but not limited to: full legal name, gender, date of birth, nationality, civil status, permanent address, present address, tax identification number (TIN) and other government-issued identification numbers, mobile number, home number, personal electronic mail address, office contact details, company name, job position or rank, office address, source of funds, gross annual income, among others.

When CLIENT provide the Bank with personal information by which he/she can be reasonably identified, he/she can be assured that his/her personal information will be used only in accordance with this Privacy Policy and the relevant Terms and Conditions governing his/her relationship with the Bank. The Bank collects CLIENT’s personal information from the following sources:

  1. your Personal Information Sheet;
  2. information collected by the Bank about the CLIENT upon contacting through authorized representatives in bank branches and contact centers, email, mobile applications or services, and other online and mobile platforms; and
  3. information collected about the CLIENT from public records and from other available sources authorized to disclose your information.

All personal information collected by the Bank about the CLIENT may be combined and processed to improve its products, services, and communications. The Bank ensures that only authorized employees and third-party service providers, who have undertaken to satisfy Bank’s stringent corporate, legal, information security, and data privacy requirements, are allowed to process CLIENT’s personal information. Through CLIENT’s express consent, he/she agrees that the Bank may disclose his/her personal information to Bank’s third-party service providers who perform business operations on the Bank’s behalf or partners who collaborated to provide services to CLIENTs and business partners that provide joint communications with hope find CLIENT’s interest.

By registering, signing in to, or using the Bank’s consent forms on products, services and applications, CLIENTs authorize and consent to the processing, sharing and/or transferring by the Bank of his/her Personal Information relating to the accounts with the Bank for specified purposes which in all cases are in compliance with or pursuant to the Bank’s legal or contractual obligations:

  1. Government regulatory agencies, credit information or investigation companies, financial institutions, credit bureaus, other banks, credit card companies, loyalty program partners, consumer reporting or reference agencies such as Cooperative Bank Federation of the Philippines (BANGKOOP), Credit Information Corporation (CIC), and the Transunion Credit Bureau for the purpose of credit investigation, consumer reporting, or for reports of CLIENT’s credit history and account updates;
  2. Third persons, correspondent banks, service providers and entities as the Bank deems necessary, to enable the Bank to service CLIENT’s account/s and to provide all the existing features of account/s, the Bank’s products, services, facilities, and channels, and any future enhancements thereto or to assist the Bank in the processing of data, including its collection, recording, organization, storage, management, protection, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction;
  3. Third parties engaged by the Bank or by its subsidiaries or affiliates for the purpose of direct or indirect marketing to offer selected products and services which may interest CLIENT unless specifically instructed otherwise in writing;
  4. Insurers, Insurance brokers, or providers of deposit or credit protection or protection against all kinds of risks;
  5. Republic Act No. 9510 or the Credit Information Systems Act and its Implementing Rules and Regulations, which mandates the Bank to submit CLIENT’s credit data to the Credit Information Corporation (CIC) and share the same with other accessing entities and special accessing entities authorized by the CIC;
  6. Bangko Sentral ng Pilipinas Circular No. 472 Series of 2005 as implemented by the Bureau of Internal Revenue Regulation No. 4-2005, which mandates the Bank to conduct random verification with the Bureau of Internal Revenue in order to establish authenticity of the Income Tax Return (ITR), accompanying financial statements and such other documents, information, and data;
  7. National Internal Revenue Code, as amended, which mandates the Commissioner of Internal Revenue to inquire into the bank accounts of the following taxpayers: a) a decedent in order to determine his gross estate; b) a taxpayer who has filed an application to compromise his tax liability on the ground of financial incapacity; and c) a taxpayer, information on whose account is requested by a foreign tax authority;
  8. Unexplained wealth under Section 8 of Republic Act No. 3019 or the Anti-Graft and Corrupt Practices Act;
  9. Cases under Republic Act No. 9160 or the Anti-Money Laundering Act of 2001, when there is probable cause that the deposits or investments involved are in anyway related to an unlawful activity or a money laundering offense;
  10. Regulatory authorities when such other persons or entities the Bank may deem as having authority or right to such disclosure of information as in the case of regulatory agencies, government or otherwise, which have required such disclosure from the Bank and when the circumstance so warrant;
  11. Other related and applicable laws and regulations, subject to CLIENT’s right to information under the Data Privacy Act, which legally mandate the Bank to obtain and disclose his/her personal information to government regulatory agencies and consumer reporting or reference agencies, subject to his/her right to information under the Data Privacy Act.
  12. CLIENT’s personal information provided to the Bank shall only be used for the purpose of service and product delivery consented to, subject to the Terms and Conditions agreed to. With express consent, he/she may agree and authorize the Bank to share personal information with private entities subject to mandatory disclosure pursuant to government and public functions. In all instances, the Bank process and/or disclose personal information in accordance with the Data Privacy Act and its Implementing Rules and Regulations.

It is the policy of the Bank that all systems and storage medium or repositories that store customer data shall have completed the appropriate information security, risk, legal compliance, and privacy impact assessments. CLIENT’s personal information shall only be stored in the Bank- managed environment. Physical copies of documents containing personal information of the CLIENT shall be stored in physical vaults in a sealed and secure manner. All systems or storage medium or repositories which are used and will be used in the future to store personal information are and will be duly approved and registered with the Bangko Sentral ng Pilipinas and other regulatory agencies, as the case may be.


Access refers to a user’s capacity to access or retrieve data stored within a database or other repository. CLIENT’s personal information can only be accessed and retrieved by authorized personnel of the Bank and only pursuant to a legitimate business purpose, in accordance with the consent provided to the Bank. Remote connectivity to any Bank- managed environment is only through Virtual Private Network or Access Gateway technology solutions that will enable us to enforce security controls required to protect CLIENT’s personal information.


Regulation and legitimate bank business purpose and policy define the data retention period of CLIENT’s personal information. Pursuant to Section X808 of the Manual of Regulations for Banks issued by Bangko Sentral ng Pilipinas, transaction records shall be maintained and safely stored for five (5) years from the date of transaction except where specific laws and/or regulations require a different retention period, in which case, the longer retention period is observed. Pursuant to the Bureau of Internal Revenue Regulation 17-2013, documents pertaining to CLIENT’s billing statements, which indicate taxable transactions shall be preserved for ten (10) years.

Further, the Bank keeps CLIENT’s personal information as long as it is necessary:

  1. for the fulfillment of the declared, specified, and legitimate purposes provided above, or when the processing relevant to the purposes has been terminated;
  2. for the establishment, exercise or defense of legal claims; or
  3. for legitimate business purposes, which shall be in accordance with the standards of the banking industry.

The Bank has established mechanisms for secure disposal of data from the Bank’s systems after the data is no longer required by the business for any legitimate purpose and activity. After the defined retention periods, the Bank shall dispose CLIENT’s personal information in a secure manner in order to prevent further processing, unauthorized access, or disclosure to any other party.


Personal Data Breach refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. A Personal Data Breach shall be subject to notification requirements under the following conditions:

  1. Compromised data involves personal data that may be used to enable identity fraud;
  2. There is reason to believe that the information may have been acquired by an unauthorized person; and
  3. The unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.

The Bank shall notify the National Privacy Commission and affected Customers in case of breach within 72 hours upon knowledge of or reasonable belief by the Bank or its third-party processor that a personal data breach has occurred. If such event occurs, Bank shall notify CLIENT, through a secure means of communication, of the nature of the breach, his/her personal information possibly compromised, measures taken to address the breach and reduce negative consequences, contact details of government authorities concerned who can assist him/her in mitigating the possible ramifications that can compromise his/her right to privacy. For inquiries, complaints, and other concerns, CLIENT may address them in writing to the Bank’s Compliance Officer at

Go Back To Home