“DPA“ refers to Republic Act No. 10173 or the Philippine “Data Privacy Act of 2012”. “Personal Information”, “Sensitive Personal Information”, “Personal Data”, “Data Subject”, “Processing”, “Personal Information Controller”, and “Personal Information Processor”, shall have the same meaning as set forth in the Implementing Rules and Regulations of the DPA, as may be amended and supplemented from time to time.
“Personal Data Breach” refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed, that requires notification to the NPC under the DPA and its implementing rules and regulations, including the relevant NPC issuances.
“NPC” means the National Privacy Commission.
Scope and Application
NC is committed to complying with the Applicable Privacy Laws. For this purpose, NC adheres to the general data privacy principles of Transparency, Legitimate Purpose and Proportionality and requirements of lawful processing, as described below.
Principle of Transparency
NC is aware of its duty to inform Data Subjects of the nature, purpose, and extent of the processing of their Personal Data. NC will provide Data Subjects of specific information relating to the collection and processing of their Personal Data, such as, the identity and contact details of the personal information controller or its representative, scope and method of processing, the recipient or classes of recipients of their Personal Data, and the basis of processing of their Personal Data when they have not provided consent.
Principle of Legitimate Purpose
NC will only undertake processing of Personal Data that is compatible with a declared and specified purpose that is not contrary to law, public morals, or public policy.
Principle of Proportionality
NC will process Personal Data only when it is relevant, necessary, adequate, and compatible with the declared and specified purposes made known to the Data Subjects and for which Personal Data were collected. NC will only retain Personal Data for as long as necessary for the fulfillment of these purposes for which NC collected your Personal Data.
How Personal Data is Collected
We generally collect Personal Data directly from you, for example when you send us correspondence by e-mail or in writing, deal with us over the telephone or in person, contact us, request a quote or information, provide online feedback, register or provide contact details in relation to an event, function, exhibition, promotion or other activity through one of our websites administered by NC or any related company. NC collects only those Personal Data that is reasonably necessary for its activities.
Personal Data collected by NC includes but is not limited to:
- names, addresses, email addresses, roles, telephone and fax numbers and other contact details and means of communication
- details about company or industry
- identifying details such as gender, date of birth, personal attributes, nationality, passport/identification card number and country of residence
- payment information such as credit or debit card information, including the name of cardholder, card number, card issuing bank, card issuing country and expiry date; banking account details
Purposes for Collecting and Processing of Personal Data
NC collects Personal Data from customers, suppliers and contractorsW, to enable NC to conduct its business. The purposes for which NC uses Personal Data of customers, suppliers and contractors and include (but are not limited to):
- to provide them with its services and/or products
- to improve and develop its services and/or products
- to provide ongoing support or help to manage its services and/or products, for example if they have a query
- to obtain services and/or products or obtain information about services and/or products
- to bill, collect payment or make payment including for the purpose of accounting and account administration and auditing
- to communicate with them
- to provide information about other products or services that NC considers would interest them
- to help NC run its business, for example to improve its products or services, security, safety or operations, to conduct training, to undertake marketing activities or statistical or marketing analysis and customer surveys, to manage information systems, test, develop and maintain systems and security controls
- to comply with its legal obligations.
If NC collects your personal information to be used for any other purpose, we will let you know that purpose at the time we collect the information.
Personal Data of Employees and Job Applicants
NC collects Personal Data of job applicants and staff members for the primary purpose of assessing and (if successful) engaging the applicant or staff member as the case may be.
The purposes for which NC uses Personal Data of job applicants and staff members include:
- comparing against job specification or criteria and assessing suitability for employment and generally for the processing of employment application;
- internal and external investigations including disciplinary, grievance, and regulatory issues, and carrying out checks such as medical and police record checks;
- managing individual’s employment or engagement and the provision of employee references;
- insurance purposes;
- ensuring that it holds relevant contact information;
- monitoring compliance with legal requirements, internal rules or contractual obligations of NC;
- human resources management purposes;
- other purposes directly relating to any of the above.
Disclosure of Personal Data
NC aims to confine its disclosure of Personal Data to the primary purpose for which it has been collected, or for a related purpose. This means NC will only disclose personal information in connection with its business and administrative functions, including when disclosure is necessary to provide you with a product or service that you have requested, help us with the running of our organisation, or for security reasons.
Sometimes we may also disclose your Personal Data outside NC for the purpose for which the information was collected, or for a related purpose. For instance, when disclosure is necessary to provide you with a product, service or activity you have requested, to help us with the running of our organisation, or for security reasons or to comply with applicable laws, including but not limited to, Republic Act No. 9510, otherwise known as the Credit Information System Act of 2008, Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act, and other applicable laws.
We may also disclose your Personal Data to comply with court orders, enforcement actions by regulators or any other legal proceedings, to pursue any remedies available to us or limit damages that we may suffer, or to respond to requests from governmental authorities.
For the above reasons, we may provide your Personal Data to:
- our affiliate entities and business partners;
- our agents, contractors, professional advisers or third party service providers (including their employees, directors and officers) who provide us with or other services under a duty of confidentiality to us; the service they provide to us may include, where approved by the applicable law, fraud prevention, remittance, currency exchange, bill collection, data entry, database management, software development, promotion, marketing, customer service, technology services, products and services alerts and payment extension services, and other similar services;
- merchants and other organizations;
- third party financial institutions, such as banks, collection agents and credit agencies;
- professional advisers, law enforcement agencies, insurers, government and regulatory authorities or any other organizations to which NC is under an obligation to make disclosures under the requirements of any applicable law, regulation or commercial arrangement; and
- entities involved in any merger, acquisition, financing transaction or joint venture with us.
LAWFUL COLLECTION AND PROCESSING OF PERSONAL DATA
To the extent required by Applicable Privacy Laws, NC or any third party service providers engaged by us will aim to obtain your consent to collect and use your Personal Data at the time of collection. NC adopts an ‘opt-in’ policy to obtain your express consent when collecting your Personal Data. You may be asked, for example, to sign a form or tick a box on a website. If you do not permit the collection, use, processing or disclosure of some Personal Data as NC has notified or requests, NC then may not be able to meet its legal obligations or may not be able to do business with you or engage you to work for NC. If that is the case, we will let you know. In most instances, it is obligatory for you to provide us with your Personal Data in order to allow us to satisfy your request or provide you with the service that you have requested.
Protection of Personal Data
NC implements reasonable and appropriate physical, technical, and organizational measures for the protection of Personal Data. These security measures aim to maintain the availability, integrity, and confidentiality of Personal Data and protect them against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.
NC will keep any Personal Data collected from you only as long as it remains necessary or relevant for the purposes for which they were collected, unless longer retention period is otherwise required to meet legal or regulatory requirements.
Security Incident Management
NC has developed a comprehensive incident readiness and response plan designed to identify the cause, extent and nature of an incident involving Personal Data and to allow timely reporting to the NPC and/or the any affected Data Subject in accordance with Applicable Privacy Laws and our contractual terms.
NC will provide reasonable assistance to any affected Data Subject to investigate and assist in the reporting of the incident to the NPC or other required parties to prevent or minimise any loss or harm arising from such incident.
YOUR Rights AS A Data Subject
Under the DPA, you have the right to be informed of your data privacy rights. These rights include the following:
Right to be informed – prior to collection and processing of your Personal Data, you have the right to be informed of the following:
- The fact of collection and processing of your Personal Data;
- Description and categories of Personal Data being collected and processed;
- Purpose for the collection, and processing, including the purposes for data sharing or automated processing;
- Lawful basis of the collection and processing, in case you have not given consent;
- Scope and method of personal data processing;
- Identities of intended recipients of Personal Data;
- Methods and logic used for automated processing, if any;
- Identity and contact details of the personal data controller (other than the Company) or its representative;
- Retention period; and Rights of a data subject.
- Right to object – you have the right to indicate your refusal to the collection and processing of your Personal Data, including processing for direct marketing, automated processing, or profiling. You also have the right to be informed and to withhold your consent to further processing in case there are any changes or amendments to information given to you concerning the processing of your Personal Data.
Right to access – upon request in writing, you have the right to be given access to the following:
- Contents of your Personal Data that were processed;
- Sources from which your Personal Data were obtained;
- Identities and addresses of recipients of your Personal Data;
- Manner by which your Personal Data were processed;
- Purposes for granting access to the recipients of your Personal Data;
- Information on automated processing, in case the data was used as the sole basis for any decision that significantly affects or will significantly affect you;
- Date when your Personal Data was last accessed or modified;
- The designation, identity, and address of the controller other than NC, if any.
Right to rectification – you have the right to dispute any inaccuracy or error in your Personal Data and may request us to immediately correct any such inaccuracy or error. Upon reasonable request, and after the correction has been made, we will inform any recipient of your Personal Data of the inaccuracy and the subsequent rectification that was made.
Right to erasure or blocking – in the absence of any other legal ground or overriding legitimate interest for the lawful processing of your Personal Data, or when there is substantial proof that Personal Data is incomplete, outdated, false, or has been unlawfully obtained, you may request us to suspend, withdraw, or order the blocking, removal, or destruction of your Personal Data from our filing system.
Right to damages – you have the right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of your Personal Data, taking into account any violation of you rights and freedoms as a data subject.
Right to data portability – in case your Personal Data was processed through electronic means and in a structured and commonly used format, you have the right to obtain a copy of your Personal Data in such electronic or structured format for your further use, subject to the guidelines of the NPC with regard to the exercise of such right.
Transmissibility of rights of the Data Subject – upon your death, or in case of your incapacity or incapability, your lawful heirs and assigns may invoke your rights as a data subject in your place and stead.
Right to lodge a complaint before the NPC – you have the right to lodge a complaint before the NPC in accordance with their rules of procedure.
Data Protection Officer
Our Data Protection Officer is responsible for managing any issues with Personal Data collected by NC and can be reached at any of the following contact details:
All NC Personnel are responsible for reporting actual or suspected Personal Data Breaches to our Data