WHY BTR COLLECTS AND PROCESSES PERSONAL DATA

Subject to any future changes due to the development of new data processing systems, the BTr collects and processes personal data for the following purposes:

1. Implementation of laws, rules, and regulations – To perform the mission and mandate of the BTr.
2. Provision of services via electronic platforms – To process personal data in connection with services provided by or performance of the BTr’s mandate through electronic portals and platforms, subject to specific privacy notices, policies, laws, rules, and regulations applicable to these platforms.
3. Facility management – To provide and maintain facilities such as reception areas, conference rooms, Wi-Fi, transportation services, medical clinics and services, and other facilities in any BTr office, which involve the collection and processing of personal data.
4. Recruitment and hiring activities – To collect and process personal data of applicants, candidates, or individuals for positions within the BTr, subject to specific privacy notices and policies applicable to recruitment and hiring activities.
5. Client feedback – To collect and process personal data related to questionnaires, surveys, and other feedback forms in the BTr website or through other official modes of feedback gathering to improve services.

Some BTr data processing systems involve transactions with other Personal Information Controllers, such as financial institutions, through which the BTr receives personal data of their respective data subjects as part of their compliance with BTr’s mandate under applicable laws (e.g. registration of government securities).

For details on how your personal data is processed in these contexts, you are encouraged to also check the privacy notices and privacy policies of the relevant Personal Information Controllers that control your data and are subject to the BTr’s authority.

WHAT IS BTR’S BASIS IN COLLECTING AND PROCESSING PERSONAL DATA

The BTr only processes (e.g. collects, use, retain, dispose) your personal data when the law allows or requires it to, that is, when the BTr has a legal basis for processing. Your personal data will be used only for purposes compatible with the purpose for which it is collected.

In most situations, as a government agency, the BTr operates data processing systems in the performance of its statutorily mandated functions, with its legal basis for data processing found in Section 4(e), and Section 13(f) of the Republic Act No. 10173 or the Data Privacy Act of 2012. The mandate of the BTr, as well as the laws and executive orders it implements, can be accessed here: MISSION AND MANDATE.

Subject to applicable laws, the BTr processes personal data under the following circumstances:

1. Statutory mandate – When processing is necessary for the fulfillment of the BTr’s duties and responsibilities as a government agency. (e.g. implementation of Executive Order No. 449 s. of 1997)
2. Legal or regulatory obligation – When processing is required for the BTr to comply with laws or regulations to which it is subject (e.g., reporting requirements to authorities, use and reporting of feedback results for Anti-Red Tape compliance, compliance with government procurement laws).
3. Performance of a contract – When processing is necessary for the BTr to fulfill an obligation under a contract, without which the contract cannot be effectively performed.
4. Health, safety and security interests – When processing is required to ensure safety and security within BTr facilities and electronic platforms. This also includes processing data for use of medical facilities and services during medical events occurring within BTr premises or during official BTr activities and functions.
5. Legitimate interests – When processing is necessary for the BTr’s operational or institutional interests, provided that such interests do not override the fundamental rights of data subjects (e.g. background checks; due diligence activities).

Because the BTr’s data processing is generally based, among other things, on its legal mandate, it does not rely on consent of the data subject as a basis for processing personal data.

WHAT IF YOU ARE NOT IN THE PHILIPPINES

The BTr’s privacy practices comply with the Philippine’s Data Privacy Act of 2012 and its implementing rules and regulations. Whether you are located within or outside the Philippines, by availing of BTr services, or having your personal data processed under the BTr’s authority, your personal data may be processed in the Philippines in accordance with local legal and regulatory standards, which may differ from those in your home jurisdiction.

WHAT PERSONAL DATA BTR COLLECTS

Personal data refers to any information relating to an identified or identifiable natural person (i.e. a human being). It does not include data that cannot be linked to a natural person (e.g., anonymised data, statistical data, or the name, address or contact details of juridical entities, such as corporations).

In general, the BTr collects the following personal data in the performance of its mandate and in the delivery of its services:

1. Identity Data – Includes first name, middle names, maiden name, last name, marital status, title, date of birth, signatures, official identification cards and numbers, photographs, and sex.
2. Contact Data – Includes residential address, place of birth, region/city/province of residence, country of residence, delivery address, email address, and telephone or mobile number.
3. Professional Information – Includes job title, official email address, contact numbers, and employment details.
4. CCTV and Physical Security Data – Includes CCTV footage and other information related to access of BTr facilities, obtained through physical or electronic means (e.g., biometric entries, visitor logbook entries).
5. Recorded Data – Includes images or voice recordings captured during recorded events, and meetings.

In limited circumstances, or when operating specific data processing systems, the BTr may collect additional personal data as part of its mandate or where necessary for a specific service provided to you. (e.g. back account names and account numbers in compliance with Act No. 3936 and Presidential Decree No. 679 or the Unclaimed Balances Law; criminal history and administrative proceedings history in the implementation of the Act No. 2711, Chapter 15 or the Public-Bonding Law, and Treasury Circulars).

HOW BTR COLLECTS YOUR DATA

BTr collects personal data through various means: collection through printed forms, attachments, and other documents submitted to the BTr, its Services, and Divisions and its Regional and Provincial/District Offices.

Personal data may also be gathered through electronic forms, dedicated online portals and platforms for specific services, or via email.

Personal data may also be obtained through direct input by the data subject, including information directly conveyed for official purposes to BTr personnel or officials via established communication platforms, telephone conversations, e-mail, or in-person interactions.

WHEN DOES BTR COLLECT DATA

The BTr generally collects personal data when you manually or electronically submit an application or request for services. It also collects personal data when required by law or regulation, where the BTr serves as the implementing authority. In such cases, other Personal Information Controllers or entities that collect your data, and are subject to the BTr's authority, may be legally required to submit and disclose your personal information to us.

IF YOU FAIL OR REFUSE TO PROVIDE REQUIRED DATA TO US

In instances where the BTr is required to collect personal data by law — such as in hiring and selection processes, or when the data is necessary for the BTr to effectively provide its mandated services — failure to provide the required data may prevent the BTr from fulfilling its legal mandate or duties.

As a result, the BTr may be unable to provide the requested product or service. In such cases, you will be notified at the time of data collection if the service cannot be provided due to the lack of necessary information.

WHEN YOU GIVE US DATA ABOUT OTHER INDIVIDUALS

On certain occasions, in the course of implementing the BTr’s mandate or providing services, you may be required to provide personal data of individuals who are unaware of the BTr’s involvement or the processing of their personal data (e.g. your character references in processes that require an evaluation of your character). In such cases, the BTr may not have direct contact with the individuals whose personal data is being processed, or it may not be appropriate, due to confidentiality concerns, to provide them with a privacy notice outlining how their personal data is processed (e.g. background investigations, fidelity bonding applicant evaluations).

In instances where you must seek consent before sharing the personal data of others, you are responsible for obtaining their consent before submitting their personal data to the BTr.

Once the BTr receives their personal data from you, its processing will be based on the BTr’s legal mandate, and the BTr is not required to seek the consent of the individuals whose personal data you have shared in order to perform BTr functions.

HOW BTR STORES, RETAINS, AND DISPOSES YOUR DATA

Your personal data is stored in both physical and electronic data processing systems managed by various units of the BTr. Physical records are typically stored in folders or envelopes in secured drawers or shelves within physical offices. Electronic records are generally stored in servers owned or controlled by BTr or in cloud storage managed by BTr.

The BTr retains and disposes of personal data in accordance with a records management policy in compliance with the National Archives of the Philippines guidelines on the records retention and disposition. These policies govern the duration for which the BTr retains the information it collects. The retention period for specific data depends on the type of information and the document in which it is included. Different types of information may be subject to different retention and disposition schedules.

Subject to the National Archives of the Philippines records disposition guidelines, physical records due for disposition are typically destroyed, such as by shredding, and important digital files are anonymized. Digital files that are no longer necessary and due for disposition are deleted.

In all cases, the BTr ensures that disposal methods prevent unauthorized access, retrieval, or processing of personal information.

TO WHAT EXTENT CAN THE BTR SHARE AND DISCLOSE YOUR DATA

The BTr may only share or disclose personal data in connection with lawful functions and activities related to implementing its mandate, to the extent permitted or required by law, and in compliance with the Data Privacy Act of 2012. The BTr does not share personal data with other entities except as necessary to fulfill its mandate, or as required or authorized by law, such as for compliance with court orders, subpoenas, other legal obligations imposed by competent authorities, for law enforcement purposes, or when disclosure is authorized under the Freedom of Information Program.

In some cases, the BTr may anonymize personal data by removing personally identifiable information for research, statistical purposes, and reporting requirements to other regulatory agencies. In such cases, the anonymized information may be used indefinitely.

Please note that your personal data may be shared internally among a limited number of BTr personnel and officials who need access to the data in order to effectively perform their duties related to the personal data collected by the BTr. For this purpose, "BTr personnel" includes individuals and contractors responsible for maintaining and securing the BTr's facilities, as well as those contractually tasked to assist the BTr’s regular workforce in its official operations, such as contract-of-service and job-order personnel.

WHAT ARE THE RISKS TO YOUR PERSONAL DATA

Risks refers to the potential of an incident to result in harm or danger to a data subject or organization. Risks are those that could lead to the unauthorized collection, use, disclosure or access to personal data. It includes risks that the confidentiality, integrity and availability of personal data will not be maintained, or the risk that processing will violate rights of data subjects or privacy principles (transparency, legitimacy and proportionality).

The BTr deploys appropriate physical, technical, and organizational security measures to protect the confidentiality, integrity, and availability of personal data. However, while these safeguards aim to prevent and mitigate risks, absolute protection against all threats—such as targeted cyberattacks, malware, ransomware, computer viruses, or unauthorized access to physical records—can never be guaranteed.

To strengthen its security posture, the BTr has established policies and implemented measures for security incident management.

HOW BTR KEEPS YOUR DATA SECURE

The BTr respects your privacy and is committed to protecting the confidentiality, integrity, and availability of your personal data. The BTr implements organizational, physical, and technical security measures aligned with generally accepted data privacy and information security standards to safeguard your information.

To ensure the security of personal data, the BTr adopts the following measures, among others:

1. Organizational policies – Circulars and internal orders that define the principles and procedures for collecting, using, storing, sharing, and disposing of personal data in compliance with applicable laws and regulations, binding on all BTr personnel.
2. Access controls – Policies and mechanisms governing both digital and physical infrastructures to prevent unauthorized access to personal data.
3. Acceptable use policies – Guidelines for the proper handling and processing of personal data to prevent misuse.
4. Data protection technologies – Use of encryption, data classification, and other security tools where appropriate.
5. Resilience and risk management – Safeguards against natural disasters, power disruptions, external threats, and other security risks to ensure data availability and integrity.
6. System and network security – Technical controls to protect information systems, databases, and digital assets from unauthorized access, breaches, and other cyber threats.
7. Vulnerability management systems – Regular security assessments, patches, and penetration testing, to identify, mitigate, and address potential weaknesses in the BTr’s information systems.

These measures are continuously reviewed and enhanced to address emerging risks and maintain compliance with data protection laws and best practices.

BTR’S PRESENCE IN SOCIAL NETWORKING SITES

The BTr uses social networking sites (e.g., Facebook) for public announcements and communication with the public and stakeholders. While the BTr maintains accounts on these platforms, please be aware that these sites have their own privacy notices and policies, which are beyond the BTr’s control. We encourage you to review these policies before submitting or disclosing personal data.

Please note that, aside from the basic security features provided by social networking sites for account protection, the BTr does not control the security measures of these platforms. If you need to provide sensitive personal data to the BTr, such as copies of government identification cards or other sensitive documents, we recommend using safeguards, such as password protection for documents, or choosing a more secure mode of communication, such as emails to official BTr email addresses listed in this website, where you can apply appropriate safeguards.

COMMUNICATIONS TRANSMITTED THROUGH THE INTERNET

If you transmit personal information electronically (e.g., via email), your data must travel over the Internet to reach its destination. Please be aware that before the BTr receives your electronic communication, it passes through various stages of transmission over which the BTr has no control and may be subject to interception.

Therefore, you are encouraged to implement safeguards (e.g., encryption and password protection) when sending electronic communications, particularly those containing sensitive personal data (e.g., documents containing your financial information, government-issued IDs).

THE BTR WEBSITE

This website is created to provide information about BTr and its services. This website does not use cookies or other similar technologies and does not obtain web-traffic data such as the data subject’s IP address, operating system, browser type, date and time of visit, or geolocation.

However, as a means of communication, this website incorporates a contact form that allows visitors to send feedback to BTr. The type of data obtained therein only includes the data subject’s name and email address.

LINKS TO OTHER WEBSITES

The BTr websites and online platforms may contain links to websites of other entities. This Notice applies only to the website controlled by the BTr. Websites controlled by other entities may have different privacy notices or policies.

CHANGES TO THIS NOTICE

If the BTr changes the way it handles personal data, this Notice will be updated accordingly. The BTr reserves the right to amend its practices and this Notice at any time. You are encouraged to check for updates regularly.

BTR RESPECTS YOUR DATA PRIVACY RIGHTS

Data subjects have rights under Chapter IV of the Data Privacy Act of 2012. The BTr is committed to respecting these rights and will act promptly on meritorious concerns in accordance with the Data Privacy Act of 2012 and other applicable laws, rules, or regulations related to the processing of personal data.

HOW DO YOU CONTACT US

Inquiries and concerns on your data privacy, and reports of privacy incidents and breaches may be directed to the BTr Data Protection Office:

Address:	Ayuntamiento Building, Cabildo Street Corner A. Soriano Avenue, Intramuros, City of Manila
Email:	dpo@treasury.gov.ph
Phone:	8663-2275

The BTr may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data or to exercise any of your applicable data privacy rights.