Company refers to Victor Consunji Development Corporation;
Consent of Data Subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his/her personal, sensitive personal, or privileged information. Consent shall be evidence by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful representative or an agent specifically authorized by the data subject to do so;
Data Privacy Act or DPA or Act refers to Republic Act No. 10173 or the Data Privacy Act of 2012 and its implementing rules and regulations;
Data Subject refers to an individual or the Company’s clients whose personal Information, Sensitive Personal Information or Privilege Information is processed;
Personal Information refers to any information, whether recorded in a material form or not, from which the identity of a client is apparent or can be reasonably and directly ascertained by the entity holding the information or when put together with other information would directly and certainly identify a client;
Personal Information Processor refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject;
Personal Information Controller refers to a natural or juridical person, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf. The term excludes:
a. A natural or juridical person, or any other body, who performs such functions as instructed by another person or organization; or
b. A natural person who processes personal data in connection with his/her personal, family, or household affairs;
There is control if the natural or juridical person or any other body decides on what information is collected, or the purpose or extent of its processing;
Processing refers to any operation or set of operations performed upon Personal Data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed though automated means or manual processing, if the Personal Data are contained or are intended to be contained in a filing system;
Profiling refers to any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;
Security Incident is an event or occurrence that affects or tends to affect data protection or may compromise the availability, integrity and confidentiality of Personal Data. It includes incidents that would results to a personal data breach, if not for safeguards that have been put in place;
Sensitive Personal Information refers to Personal Data:
- About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
- About an individual’s health, education, genetic or sexual life or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal such proceedings or the sentence of any court in such proceedings;
- Issued by government agencies peculiar to an individual which includes, but is not limited to, suspension or revocation and tax returns.
Unless otherwise indicated, the Site is our proprietary property and all source code, databases, functionality, software, website designs, audio, video, text, photographs, and graphics on the Site (collectively, the “Content”) and the trademarks, service marks, and logos contained therein (the “Marks”) are owned, controlled by us, licensed to us, and are protected by copyright and trademark laws and various other applicable intellectual property rights, while some are otherwise in the process of acquiring the necessary license with the respective authorities/agencies.
DATA COLLECTION, PROCESSING AND RETENTION
Adequate records of the Company’s Personal Data Processing activities shall be maintained at all times. The Personal Information Controller and Personal Information Processor, with the cooperation and assistance of all the concerned business and service units involved in the Collection, Processing and Retention of Personal Data, shall be responsible for ensuring that these records are kept up to date. These business and service units include but not limited to, Business Relations, Legal, Sales and Marketing Department.
The processing of personal data shall adhere to the following general principles in the collection, processing and retention of personal data:
- Collection shall be for a declared, specified and legitimate purpose
- Consent by the data subject is required prior to the collection and processing of personal data, subject to exemptions provided by the Act and other applicable laws and regulations. When consent is required, it must be time-bound in relation to the declared, specified and legitimate purpose. Consent given may be withdrawn.
- The Data Subject shall be provided with specific information regarding the purpose and extent of processing, including, where applicable, the automated processing of his/her personal data for profiling, or processing for direct marketing and data sharing.
- Purpose shall be determined and declared before, or as soon as reasonably practicable, after collection.
- Only personal data that is necessary and compatible with declared, specified, and legitimate purpose shall be collected.
- The Company may use and process personal data of the data subject to permit his/her agent to assist the latter in complying with the requirements of his/her account.
- Personal data shall be processed fairly and lawfully.
- Processing shall uphold the rights of the data subject, including the right to refuse, withdraw consent, or object. It shall likewise be transparent, and allow the data subject sufficient information to know the nature and extent of processing.
- Information provided to a data subject shall be in clear and plain language to ensure that they are easy to understand and access.
- Processing shall be conducted/performed in a manner compatible with declared, specified, and legitimate purpose.
- Processed personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
- Processing shall be undertaken in a manner that ensures appropriate privacy and safeguards.
- Processing should ensure data quality.
- Personal data taken shall be accurate and where necessary for declared, specified and legitimate purpose, kept up to date.
- Inaccurate or incomplete data of the data subject shall be immediately coordinated with the data subject to be rectified, supplemented, destroyed or their further processing restricted.
- Personal Data shall not be retained longer than necessary.
- Retention of personal data shall only for as long as necessary:
- For the fulfillment of the declared, specified, and legitimate purpose, or when the processing relevant to the purpose has been terminated;
- For the establishment, exercise or defense of legal claims; or
- For legitimate business purposes, which must be consistent with the standards followed by the applicable industry or approved by appropriate government agency.
- Retention of personal data shall be allowed in cases provided by law.
- Personal data shall be disposed or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other party or the public, or prejudice the interests of the data subjects.
- Retention of personal data shall only for as long as necessary:
- Any authorized further processing shall have adequate safeguards.
- Personal data originally collected for a declared, specified, or legitimate purpose may be processed further for historical, statistical, or scientific purposes, and, in cases laid down in law, may be stored for longer periods, subject to implementation of the appropriate organizational, physical, and technical security measures required by the Act in order to safeguard the rights and freedoms of the data subject.
- Personal data which is aggregated or kept in a from which does not permit identification of data subjects may be kept longer than necessary for the declared, specified, and legitimate purpose.
- Personal data shall not be retained in perpetuity in contemplation of a possible future use yet to be determined.
DATA COLLECTION PROCEDURES
The Personal Information Controller and Personal Information Processor with the assistance of any other departments of the company shall be responsible for the processing procedures. The Personal Information Controller and Personal Information Processor shall ensure that such procedures are updated and that the consent of the Data subjects (when required by the DPA or other applicable laws or regulations) is property obtained and evidenced by written, electronic or recorded means. Such procedures shall also be regularly monitored, modified and updated to ensure that the rights of the data subjects are respected and that processing thereof is done fully in accordance with the DPA and other applicable laws and regulations.
Data Retention Schedule
Subject to applicable requirements of the DPA and other relevant laws and regulations, Personal Data shall not be retained by the Company for a period longer than necessary and/or proportionate to the purposes for which such data was collected. The Personal Information Controller and Personal Information Processor with the assistance of HR and any other departments of the company responsible for the processing of Personal Data, shall be responsible for developing measures to determine the applicable data retention schedules and procedures to allow for the withdrawal of previously given consent of data subject as well as to safeguards the destruction and disposal of such Personal Data in accordance with the DPA and other applicable laws and regulations.
ORGANIZATIONAL SECURITY MEASURES
Personal Information Controller and Personal Information Processor
The Personal Information Controller and Personal Information Processor is responsible for ensuring the Company’s compliance with applicable laws and regulations for the protection of data privacy and security. The Personal Information Controller and Personal Information Processor’s Functions and responsibilities shall particularly include among others:
- Monitoring the Company’s Personal Data Processing activities in order to ensure compliance with applicable Personal Data privacy laws and regulations, including the conduct of periodic internal audits and review to ensure that all the Company’s data privacy policies are adequately implemented by its employees and authorized agents;
- Developing, establishing and reviewing policies and procedures for the exercise by Data Subjects of their rights under the Data Privacy Act and other applicable laws and regulations on Personal Data Privacy; and
- Acting as the primary point of contact whom data Subject may coordinate and consult with for all concerns relating to their Personal Data;
Data Privacy Principles
All Processing of Personal Data Within the Company should be conducted in compliance with the requirements of the Act and other laws allowing disclosure of information to the public, and adherence to the principles as espoused in the Data Privacy Act:
- Transparency. The Data subject must be aware of nature, purpose and extend of the processing of his/her Personal Data by the Company, including the risks and safeguards involved, the identity of persons and entities involved in processing his/her personal Data, his/her rights as a Data subject and how these can be exercised. Any information and Communication relating to the processing of Personal Data should be easy to access and understand using clear and plain language.
- Legitimate purpose. The processing of Personal Data by the company shall be compatible with declare and specified purpose which must not be contrary to law, morals or public policy.
- Proportionality. The processing of Personal Data shall be adequate, relevant, suitable, necessary and not excessive in relation to a declared and specified purpose. Personal Data shall be processed by the company only if the purposed of the processing could not reasonably be fulfilled by other means.
Rights of the Data Subject
As provided under the DPA, Data Subjects have the following rights in connection with the processing of their Personal Data: Right to be informed, right to object, right to access, right to rectification, right to erasure or blocking and right to damages. Employees and agents of the Company are required to strictly respect and obey the rights of the Data Subjects. The Personal Information Controller and Personal Information Processor, with the assistance of all business units that got access to Personal Information, shall be responsible for monitoring such compliance and developing the appropriate disciplinary measures and mechanism.
Right to be Informed
The Client has the right informed whether Personal Data pertaining to him or her are being or have been processed. The Client shall be notified and furnished with information indicated hereunder before the entry of his/her Personal Data into the records of the company, or at the next practical opportunity:
- Description of the Personal Data to be entered into the system of the Company;
- Purposes for which they are being or will be processed, including Processing for direct marketing, profiling or historical, statistical or scientific purpose;
- Basic Processing, when processing is not based on the consent of the Data Subject;
- Scope and method of the Personal Data Processing;
- The recipients or classes of the recipients to whom the personal data are or may be disclosed or shared;
- Methods utilized for automated access, if the same is allowed by the Data Subject and the extend to which such access is authorized, including meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the Client;
- The identity and contact details of the Personal Information Controller and Personal Information Processor;
- The period for which the Personal Data will be stored; and
- The existence of theirs rights as Data Subjects, including the right to access, correction and to object to the processing, as well as the right to lodge a complaint before the National Privacy Commission.
Right to Access
The Data Subject has the right to reasonable access to upon demand the following:
- Contents of his/her Personal Data that were processed;
- Sources from which Personal Data were obtained;
- Names and addresses of recipients of the Personal Data;
- Manner by which his/her Personal Data were processed;
- Reasons for the disclosure of the Personal Data to recipients, if any;
- Information on automated processes where the Personal Data will, or is likely to be made as the sole basis for any decisions that significantly affects or will affect the Data Subjects;
- Date when Personal Data concerning the Data Subject were last accessed and modified; and
- The designation, name or identity and address of the Personal Information Controller and Personal Information Processor.
Transmissibility of Rights of Data Subjects
The Lawful heirs and assigns of the data Subject may invoke the rights of the Data Subjects to which he or she is an heir or an assignee at any time after the death of the Data Subject or when the Data Subject is incapacitated or incapable of exercising his/her rights.
All Security Incidents and Personal Data breaches shall be documented through written reports, including those covered by the notification requirements. In the case of Personal Data breaches, a report shall include the facts surrounding an incident, the effects such incident and the remedial actions taken by the Company. In other security incidents involving Personal Data, a report containing aggregated data shall constitute sufficient documentation. These reports shall be made available when requested by the national privacy Commission Annually.
OUTSOURCING AND SUBCONTRACTING AGREEMENTS
Any Personal Data Processing conducted by an external agent or entity (third-party service provider) on behalf of the company should be evidenced by a valid written contract with the company. Such contract should expressly set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of Data Subjects, the obligations and rights of the Company and the geographic location of the processing under the contract.
The fact that the company entered into such contract or arrangement does not give the said external agent or entity the authority to subcontract to another entity the whole part of the subject matter of said contract or arrangement, unless expressly stipulated in writing in the same contract or evidenced by a separate written consent/agreement of the company. The subcontracting agreement must also comply with the standards/criteria prescribed by the immediately preceding paragraph.
In Addition, the contract and the subcontracting contract shall include express stipulations requiring the external agent or entity (including the subcontractor) to:
- Process the Personal Data only upon the documented instructions of the company, including transfers of Personal Data to another country or an international organization, unless such transfer is required by law;
- Ensure that an obligation of confidentially is imposed on persons and employees authorized by the external agent/entity and subcontractor to process the Personal Data;
- Implement appropriate security measures;
- Comply with the Data Privacy Act and other issuances of the National Privacy Commission, and other applicable laws, in addition to the obligations provided in the contract, or other legal act with the external party;
- Not engage another processor without prior instruction from the company; Provided, that any such arrangement shall ensure that the same obligations for data protection under the contract or legal act are implemented, taking into account the nature of the processing;
- Assist the Company, by appropriate technical and organizational measures, and to the extend possible, fulfill the obligation to respond to requests by Data Subjects relative to the exercise of their rights;
- Assist the company in ensuring compliance with the Data Privacy Act and other issuances of the National Privacy Commission, is taking into account the nature of processing and the information available to the external party who acts as a Personal Information Processor as defined under the Data Privacy Act;
- At the choice of the company, delete or return all Personal Data to it after the end of the provision of services relating to the processing; Provided, that this includes deleting existing copies unless storage is authorized by the Data Privacy Act or other applicable laws or regulations;
- Make available to the company all information necessary to demonstrate compliance with the obligations laid down in the Data Privacy Act, and allow for and contribute to audits, including inspections, conducted by the Company or another mandated by the latter; and
- Immediately inform the Company if, in its opinion, an instruction violates the Data Privacy Act or any other issuance of the National Privacy Commission.
By signing the accompanying Data Privacy Consent Form, you are expressly giving your consent to the collection, processing and storage of your personal data as provided herein.
UPDATES TO THE POLICY
The Company may update this policy to apply changes due to new laws and regulations affecting the data privacy act, as well as changes in our business operations. Any updates will be posted in our website with date stamp for proper notification to the public.