
Privacy Policy


This Privacy Manual is hereby adopted in compliance with Republic Act No. 10173 or the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations, and other relevant policies, including issuances of the National Privacy Commission. This organization respects and values your data privacy rights, and makes sure that all personal data collected from you, our clients and customers, are processed in adherence to the general principles of transparency, legitimate purpose, and proportionality.

This Manual shall inform you of our data protection and security measures, and may serve as your guide in exercising your rights under the DPA.

Definition of Terms

  • “Data Subject” – refers to an individual whose personal, sensitive personal or privileged information is processed by the organization. It may refer to officers, employees, consultants, and clients of this organization.
  • “Personal Information” – refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
  • “Processing” – refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.

Scope and Limitations

All personnel of this organization, regardless of the type of employment or contractual arrangement, must comply with the terms set out in this Privacy Manual.

Processing of Personal Data

  1. Collection (e.g. type of data collected, mode of collection, person collecting information, etc.)

    • This company collects the basic contact information of clients and customers, including their full name, address, email address, contact number, together with the products that they would like to purchase. The sales representative attending to customers will collect such information through accomplished order forms.

  2. Use

    • Personal data collected shall be used by the company for documentation purposes, for warranty tracking vis-à-vis purchased items, and for the inventory of products.

  3. Storage, Retention and Destruction (e.g. means of storage, security measures, form of information stored, retention period, disposal procedure, etc.)

    • This company will ensure that personal data under its custody are protected against any accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing. The company will implement appropriate security measures in storing collected personal information, depending on the nature of the information. All information gathered shall not be retained for a period longer than one (1) year. After one (1) year, all hard and soft copies of personal information shall be disposed of and destroyed through secure means.

  4. Access (e.g. personnel authorized to access personal data, purpose of access, mode of access, request for amendment of personal data, etc.)

    • Due to the sensitive and confidential nature of the personal data under the custody of the company, only the client and the authorized representative of the company shall be allowed to access such personal data, for any purpose, except for those contrary to law, public policy, public order or morals.

  5. Disclosure and Sharing (e.g. individuals to whom personal data is shared, disclosure of policy and processes, outsourcing and subcontracting, etc.)

    • All employees and personnel of the company shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation, termination of contract, or other contractual relations. Personal data under the custody of the company shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data.

Security Measures

  1. Organization Security Measures

    Every personal information controller and personal information processor must also consider the human aspect of data protection. The provisions under this section shall include the following:

    1. Data Protection Officer (DPO), or Compliance Officer for Privacy (COP)

      • The designated Data Protection Officer is Mr. Juan Dela Cruz, who is
        concurrently serving as the Executive Director of the organization.

    2. Functions of the DPO, COP and/or any other responsible personnel with similar functions

      • The Data Protection Officer shall oversee the compliance of the
        organization with the DPA, its IRR, and other related policies,
        including the conduct of a Privacy Impact Assessment, implementation of
        security measures, security incident and data breach protocol, and the
        inquiry and complaints procedure.

    3. Conduct of trainings or seminars to keep personnel, especially the Data Protection Officer, updated vis-à-vis developments in data privacy and security

      • The organization shall sponsor a mandatory training on data privacy
        and security at least once a year. For personnel directly involved in
        the processing of personal data, management shall ensure their
        attendance and participation in relevant trainings and orientations, as
        often as necessary.

    4. Conduct of Privacy Impact Assessment (PIA)

      • The organization shall conduct a Privacy Impact Assessment (PIA)
        relative to all activities, projects and systems involving the
        processing of personal data. It may choose to outsource the conduct of
        a PIA to a third party.

    5. Recording and documentation of activities carried out by the DPO, or the organization itself, to ensure compliance with the DPA, its IRR and other relevant policies.

      • The organization shall sponsor a mandatory training on data privacy
        and security at least once a year. For personnel directly involved in
        the processing of personal data, management shall ensure their
        attendance and participation in relevant trainings and orientations, as
        often as necessary.

    6. Duty of Confidentiality

      • All employees will be asked to sign a Non-Disclosure Agreement. All employees with access to personal data shall operate and hold personal
        data under strict confidentiality if the same is not intended for public disclosure.

    7. Review of Privacy Manual

      • This Manual shall be reviewed and evaluated annually. Privacy and security policies and practices within the organization shall be updated to remain consistent with current data privacy best practices.

  2. Physical Security Measures

    This portion shall feature the procedures intended to monitor and limit access to the facility containing the personal data, including the activities therein. It shall provide for the actual design of the facility, the physical arrangement of equipment and furniture, the permissible modes of transfer, and the schedule and means of retention and disposal of data, among others. To ensure that personal data under the custody of the organization are protected from mechanical destruction, tampering and alteration, and from man-made disasters, power disturbances, external access, and other similar threats, provisions like the following must be included in the Manual:

    1. Format of data to be collected

      • Personal data in the custody of the organization may be in digital/electronic format and paper-based/physical format.

    2. Storage type and location (e.g. filing cabinets, electronic storage system, personal data room/separate room or part of an existing room)

      • All personal data being processed by the organization shall be stored
        in a data room, where paper-based documents are kept in locked filing
        cabinets while the digital/electronic files are stored in computers
        provided and installed by the company.

    3. Access procedure of agency personnel

      • Only authorized personnel shall be allowed inside the data room. For
        this purpose, they shall each be given a duplicate of the key to the
        room. Other personnel may be granted access to the room upon filing of
        an access request form with the Data Protection Officer and the latter’s
        approval thereof.

    4. Monitoring and limitation of access to room or facility

      • All personnel authorized to enter and access the data room or
        facility must fill out and register with the online registration
        platform of the organization, and a logbook placed at the entrance of
        the room. They shall indicate the date, time, duration and purpose of
        each access.

    5. Design of office space/work station

      • The computers are positioned with considerable spaces between them to
        maintain privacy and protect the processing of personal data.

    6. Persons involved in processing, and their duties and responsibilities

      • Persons involved in processing shall always maintain confidentiality
        and integrity of personal data. They are not allowed to bring their own
        gadgets or storage device of any form when entering the data storage

    7. Modes of transfer of personal data within the organization, or to third parties

      • Transfers of personal data via electronic mail shall use a secure
        email facility with encryption of the data, including any or all
        attachments. Facsimile technology shall not be used for transmitting
        documents containing personal data.

    8. Retention and disposal procedure

      • The organization shall retain the personal data of a client for one
        (1) year from the date of purchase. Upon expiration of such period, all
        physical and electronic copies of the personal data shall be destroyed
        and disposed of using secure technology.

  3. Technical Security Measures

    Each personal information controller and personal information processor must implement technical security measures to make sure that there are appropriate and sufficient safeguards to secure the processing of personal data, particularly the computer network in place, including encryption and authentication processes that control and limit access.
    They include the following, among others:

    1. Monitoring for security breaches

      • The organization shall use an intrusion detection system to monitor
        security breaches and alert the organization of any attempt to interrupt
        or disturb the system.

    2. Security features of the software/s and application/s used

      • The organization shall first review and evaluate software
        applications before the installation thereof in computers and devices of
        the organization to ensure the compatibility of security features with
        overall operations.

    3. Process for regularly testing, assessment and evaluation of effectiveness of security measures

      • The organization shall review security policies, conduct
        vulnerability assessments and perform penetration testing within the
        company on a regular schedule to be prescribed by the appropriate
        department or unit.

    4. Encryption, authentication process, and other technical security measures that control and limit access to personal data

      • Each personnel with access to personal data shall verify his or her
        identity using a secure encrypted link and multi-level authentication.

Breach and Security Incidents

  1. Creation of a Data Breach Response Team

    • A Data Breach Response Team comprising five (5) officers shall be
      responsible for ensuring immediate action in the event of a security
      incident or personal data breach. The team shall conduct an initial
      assessment of the incident or breach in order to ascertain the nature
      and extent thereof. It shall also execute measures to mitigate the
      adverse effects of the incident or breach.

  2. Measures to prevent and minimize occurrence of breach and security incidents

    • The organization shall regularly conduct a Privacy Impact Assessment
      to identify risks in the processing system and monitor for security
      breaches and vulnerability scanning of computer networks. Personnel
      directly involved in the processing of personal data must attend
      trainings and seminars for capacity building. There must also be a
      periodic review of policies and procedures being implemented in the

  3. Procedure for recovery and restoration of personal data

    • The organization shall always maintain a backup file for all personal
      data under its custody. In the event of a security incident or data
      breach, it shall always compare the backup with the affected file to
      determine the presence of any inconsistencies or alterations resulting
      from the incident or breach.

  4. Notification protocol

    • The Head of the Data Breach Response Team shall inform the management
      of the need to notify the NPC and the data subjects affected by the
      incident or breach within the period prescribed by law. Management may
      decide to delegate the actual notification to the head of the Data
      Breach Response Team.

  5. Documentation and reporting procedure of security incidents or a personal data breach

    • The Data Breach Response Team shall prepare a detailed documentation
      of every incident or breach encountered, as well as an annual report, to
      be submitted to management and the NPC, within the prescribed period.

Inquiries and Complaints

Data subjects may inquire about or request information regarding any matter relating to the processing of their personal data under the custody of the organization, including the data privacy and security policies implemented to ensure the protection of their personal data. They may write to the organization at [email protected] and briefly discuss the inquiry, together with their contact details for reference.

Complaints shall be filed in three (3) printed copies, or sent to [email protected]. The concerned unit shall confirm with the complainant its receipt of the complaint.


The provisions of this Manual are effective this 29th day of May, 2021, until revoked or amended by this company.