1. Definitions
a. Data Privacy Act or DPA refers to Republic Act No. 10173 or the Data Privacy Act of 2012 and its implementing rules and regulations.
b. Data Subject refers to an individual whose Personal Information, Sensitive Personal Information, or Privileged Information is processed.
c. Company refers to GigaProfessional Partners Inc.
d. Personal Data collectively refers to Personal Information, Sensitive Personal Information, and Privileged Information.
e. Personal Information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
f. Processing refers to any operation or set of operations performed upon Personal Data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
g. Privileged Information refers to Personal Data, which, under the Rules of Court and other pertinent laws constitute privileged communication.
h. Security Incident is an event or occurrence that compromise or affect data protection including the availability, integrity and confidentiality of Personal Data.
i. Sensitive Personal Information refers to Personal Data:
1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
2. About an individual’s health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
3. Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns;
4. Specifically established by an executive order or an act of Congress to be kept classified.
2. Organizational Security Measures
2.1 DATA PROTECTION OFFICER
A Data Protection Officer (“DPO”) shall be appointed by the Company. The DPO is responsible for the Company’s compliance with applicable laws and regulations for the protection of data privacy and security. The DPO may:
a. monitor the Company’s compliance with the DPA 2012;
b. analyze and check the compliance of processing activities and compliance by third-party service providers;
c. ensure proper data breach and security incident management and submission of reports and other documentation concerning security incidents or data breaches;
d. inform and cultivate awareness on privacy and data protection within Company;
e. advocate for the development, review and/or revision of policies, guidelines, projects and/or programs relating to privacy and data protection;
f. serve as the contact person in all matters concerning data privacy or security issues or concerns;
g. perform other duties and tasks that are related to data privacy and security, like related reports;
h. uphold the rights of the data subjects.
2.2 Data Privacy Principles
Processing of Personal Data should be conducted in compliance with the principles of DPA which are: transparency, legitimate purpose and proportionality.
a. Transparency. The data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of personal information controller, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.
b. Legitimate purpose. The processing of information shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.
c. Proportionality. The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
2.3 DATA PROCESSING RECORDS
The DPO, with the cooperation and assistance of all departments involved in the Processing of Personal Data, shall keep records up-to-date. Records may include:
a. information about the purpose of the Processing of Personal Data, including any intended future Processing or data sharing;
b. a description of all categories of Data Subjects, Personal Data, and recipients of such Personal Data that will be involved in the Processing;
c. general information about the data flow within the Company, from the time of collection and retention, including the time limits for disposal or erasure of Personal Data;
d. a general description of the organizational, physical, and technical security measures in place within the Company; and
e. the name and contact details of the DPO, Personal Data processors, as well as any other staff members accountable for ensuring compliance with the applicable laws and regulations for the protection of data privacy and security.
2.4 MANAGEMENT OF PERSONAL DATA
The DPO, with the cooperation of all departments involved, shall develop and implement measures to ensure that persons who have access to Personal Data will process such data in compliance with the requirements of the Data Privacy Act.
The DPO, with the cooperation of all departments involved, shall ensure that Company shall obtain the Data Subjects consent to:
a. Company is processing and keeping records of his or her Personal Data for legitimate business and legal purposes; and
b. Company employees during their length of stay have an obligation of confidentiality in connection with the Personal Data that he or she may encounter.
2.5 DATA COLLECTION PROCEDURES
Consent is required some cases prior to the collection and processing of Personal Data, subject to exemptions provided by the DPA and other applicable laws and regulations. Consent given may be withdrawn. Only Personal Data that is necessary and compatible with declared, specified, and legitimate purpose shall be collected.
2.6 DATA RETENTION
Company keeps Personal Data as long as it is necessary:
a. for the fulfilment of the declared, specified, and legitimate business purpose, or up to when the processing relevant to the purpose has been terminated;
b. for the establishment, exercise or defence of legal claims.
The DPO, with the cooperation of all departments involved, shall be responsible for developing measures to determine the applicable data retention schedules, and procedures to allow for the withdrawal of previously given consent of the Data Subject Personal data shall be disposed or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other party or the public. Company shall not retain Personal Data in perpetuity in contemplation of a possible future use yet to be determined.
3. Physical Security Measures
Maintaining the physical security of offices and rooms where data is stored, maintained, viewed or accessed is of paramount importance. Rooms or cabinets which have been designated specifically as areas where secure information is located or stored have a method of physically securing access: e.g. a key lock mechanism. Rooms and cabinets which have not been secured should not be used to store Personal Data. The rooms and workstations used in the Processing of Personal Data shall, as far as practicable, be secured against natural disasters, power disturbances, external access, and other similar threats.
4. Technical Security Measures
As provided under the DPA, Data Subjects have the following rights in connection with the Processing of their Personal Data: right to be informed, right to object, right to access, right to rectification, right to erasure or blocking, and right to damages. Employees of the Company are required to respect and obey the rights of the Data Subjects. The DPO, with the cooperation of all departments involved shall be responsible for monitoring such compliance.
a. safeguards to protect the Company’s computer network and systems against accidental, unlawful, or unauthorized usage, any interference which will affect data integrity or hinder the functioning or availability of the system, and unauthorized access;
b. the ability to ensure and maintain the confidentiality, integrity, availability, and resilience of the Company’s data processing systems and services;
c. regular monitoring for security breaches, and a process both for identifying and accessing reasonably foreseeable vulnerabilities in the Company’s computer network and system, and for taking preventive, corrective, and mitigating actions against security incidents that can lead to a Personal Data breach;
d. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
e. a process for regularly testing, assessing, and evaluating the effectiveness of security measures; and
f. encryption of Personal Data during storage and while in transit, authentication process, and other technical security measures that control and limit access.
5. Rights of the Data Subject
As provided under the DPA, Data Subjects have the following rights in connection with the Processing of their Personal Data: right to be informed, right to object, right to access, right to rectification, right to erasure or blocking, and right to damages. Employees of the Company are required to respect and obey the rights of the Data Subjects. The DPO, with the cooperation of all departments involved shall be responsible for monitoring such compliance.
5.1 RIGHT TO BE INFORMED
The Data Subject has the right to be informed whether Personal Data pertaining to him or her shall be, are being, or have been processed.
The Data Subject shall be notified and furnished with information indicated hereunder before the entry of his or her Personal Data into the records of the Company, or at the next practical opportunity:
a. description of the Personal Data to be entered into the system;
b. purposes for which they are being or will be processed, including Processing for direct marketing, profiling or historical, statistical or business purpose;
c. basis of Processing, when Processing is not based on the consent of the Data Subject;
d. scope and method of the Personal Data Processing;
e. the recipients or classes of recipients to whom the Personal Data are or may be disclosed or shared;
f. methods utilized for automated access, if the same is allowed by the Data Subject, and the extent to which such access is authorized, including meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject;
g. the identity and contact details of the DPO or equivalent;
h. the period for which the Personal Data will be stored; and
i. the existence of their rights as Data Subjects, including the right to access, correction, and to object to the Processing.
5.2 RIGHT TO OBJECT
The Data Subject shall have the right to object to the Processing of his or her Personal Data, including Processing for direct marketing, automated Processing or profiling. The Data Subject shall also be notified and given an opportunity to withhold consent to the Processing in case of changes or any amendment to the information supplied or declared to the Data Subject in the preceding paragraph.
When a Data Subject objects or withholds consent, the Company shall no longer process the Personal Data, unless:
a. the Personal Data is needed pursuant to a subpoena;
b. the Processing is for obvious purposes, including, when it is necessary for the performance of or in relation to a contract or service to which the Data Subject is a party, or when necessary or desirable in the context of an employer-employee relationship between the Company and the Data Subject; or
c. the Personal Data is being collected and processed to comply with a legal obligation.
5.3 RIGHT TO ACCESS
The Data Subject has the right to reasonable access to, upon demand, the following:
a. contents of his or her Personal Data that were processed;
b. sources from which Personal Data were obtained;
c. names and addresses of recipients of the Personal Data;
d. manner by which his or her Personal Data were processed;
e. reasons for the disclosure of the Personal Data to recipients, if any;
f. information on automated processes where the Personal Data will, or is likely to, be made as the sole basis for any decision that significantly affects or will affect the Data Subject;
g. date when Personal Data concerning the Data Subject were last accessed and modified; and
h. the designation, name or identity, and address of the DPO or equivalent.
5.4 RIGHT TO RECTIFICATION
The Data Subject has the right to dispute the inaccuracy or rectify the error in his or her Personal Data, and the Company shall correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the Personal Data has been corrected, the Company shall ensure the accessibility of both the new and the retracted Personal Data and the simultaneous receipt of the new and the retracted Personal Data by the intended recipients thereof: Provided, That recipients or third parties who have previously received such processed Personal Data shall be informed of its inaccuracy and its rectification, upon reasonable request of the Data Subject.
5.5 RIGHT TO ERASURE OR BLOCKING
The Data Subject shall have the right to suspend, withdraw, or order the blocking, removal, or destruction of his or her Personal Data from the Company’s filing system.
1. This right may be exercised upon discovery and substantial proof of any of the following:
a. the Personal Data is incomplete, outdated, false, or unlawfully obtained;
b. the Personal Data is being used for purpose not authorized by the Data Subject;
c. the Personal Data is no longer necessary for the purposes for which they were collected;
d. the Data Subject withdraws consent or objects to the Processing, and there is no other legal ground or overriding legitimate interest for the Processing by the Company;
e. the Personal Data concerns private information that is prejudicial to Data Subject, unless justified by freedom of speech, of expression, or of the press or otherwise authorized;
f. the Processing is unlawful; or
g. the Data Subject’s rights have been violated.
2. The DPO may notify third parties who have previously received such processed Personal Data that the Data Subject has withdrawn his or her consent to the Processing thereof upon reasonable request by the Data Subject.
5.6 TRANSMISSIBILITY OF RIGHTS OF DATA SUBJECTS
The lawful heirs and assigns of the Data Subject may invoke the rights of the Data Subject to which he or she is an heir or an assignee, at any time after the death of the Data Subject, or when the Data Subject is incapacitated or incapable of exercising his/her rights.
5.7 DATA PORTABILITY
Where his or her Personal Data is processed by the Company through electronic means and in a structured and commonly used format, the Data Subject shall have the right to obtain a copy of such data in an electronic or structured format that is commonly used and allows for further use by the Data Subject. The exercise of this right shall primarily take into account the right of Data Subject to have control over his or her Personal Data being processed based on consent or contract, for commercial purpose, or through automated means. The DPO with the cooperation of all departments involved shall regularly monitor and implement the National Privacy Commission’s issuances specifying the electronic format referred to above, as well as the technical standards, modalities, procedures and other rules for their transfer.
6. Data Breaches & Security Incidents
Company follows NPC Circular 16-03, dated 15 December 2016, Subject: Personal Data Breach Management.
End of Document