Company refers to Victor Consunji Development Corporation;
Consent of Data Subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his/her personal, sensitive personal, or privileged information. Consent shall be evidence by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful representative or an agent specifically authorized by the data subject to do so;
Data Privacy Act or DPA or Act refers to Republic Act No. 10173 or the Data Privacy Act of 2012 and its implementing rules and regulations;
Data Subject refers to an individual or the Company’s clients whose personal Information, Sensitive Personal Information or Privilege Information is processed;
Personal Information refers to any information, whether recorded in a material form or not, from which the identity of a client is apparent or can be reasonably and directly ascertained by the entity holding the information or when put together with other information would directly and certainly identify a client;
Personal Information Processor refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject;
Personal Information Controller refers to a natural or juridical person, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf. The term excludes:
There is control if the natural or juridical person or any other body decides on what information is collected, or the purpose or extent of its processing;
Processing refers to any operation or set of operations performed upon Personal Data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed though automated means or manual processing, if the Personal Data are contained or are intended to be contained in a filing system;
Profiling refers to any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;
Security Incident is an event or occurrence that affects or tends to affect data protection or may compromise the availability, integrity and confidentiality of Personal Data. It includes incidents that would results to a personal data breach, if not for safeguards that have been put in place;
Sensitive Personal Information refers to Personal Data:
The Company values the confidentiality of Personal Information provided by its clients and is stanch in complying with the Data Privacy Act. We value data privacy rights and strive to warrant that all personal information collected from our clients, brokers, partners, employees, associates and other shareholders, are processed in adherence to the general principles of transparency and legitimate purpose.
Adequate records of the Company’s Personal Data Processing activities shall be maintained at all times. The Personal Information Controller and Personal Information Processor, with the cooperation and assistance of all the concerned business and service units involved in the Collection, Processing and Retention of Personal Data, shall be responsible for ensuring that these records are kept up to date. These business and service units include but not limited to, Business Relations, Legal, Sales and Marketing Department.
The processing of personal data shall adhere to the following general principles in the collection, processing and retention of personal data:
The Personal Information Controller and Personal Information Processor with the assistance of any other departments of the company shall be responsible for the processing procedures. The Personal Information Controller and Personal Information Processor shall ensure that such procedures are updated and that the consent of the Data subjects (when required by the DPA or other applicable laws or regulations) is property obtained and evidenced by written, electronic or recorded means. Such procedures shall also be regularly monitored, modified and updated to ensure that the rights of the data subjects are respected and that processing thereof is done fully in accordance with the DPA and other applicable laws and regulations.
Data Retention Schedule
Subject to applicable requirements of the DPA and other relevant laws and regulations, Personal Data shall not be retained by the Company for a period longer than necessary and/or proportionate to the purposes for which such data was collected. The Personal Information Controller and Personal Information Processor with the assistance of HR and any other departments of the company responsible for the processing of Personal Data, shall be responsible for developing measures to determine the applicable data retention schedules and procedures to allow for the withdrawal of previously given consent of data subject as well as to safeguards the destruction and disposal of such Personal Data in accordance with the DPA and other applicable laws and regulations.
Personal Information Controller and Personal Information Processor
The Personal Information Controller and Personal Information Processor is responsible for ensuring the Company’s compliance with applicable laws and regulations for the protection of data privacy and security. The Personal Information Controller and Personal Information Processor’s Functions and responsibilities shall particularly include among others:
Data Privacy Principles
All Processing of Personal Data Within the Company should be conducted in compliance with the requirements of the Act and other laws allowing disclosure of information to the public, and adherence to the principles as espoused in the Data Privacy Act:
Rights of the Data Subject
As provided under the DPA, Data Subjects have the following rights in connection with the processing of their Personal Data: Right to be informed, right to object, right to access, right to rectification, right to erasure or blocking and right to damages. Employees and agents of the Company are required to strictly respect and obey the rights of the Data Subjects. The Personal Information Controller and Personal Information Processor, with the assistance of all business units that got access to Personal Information, shall be responsible for monitoring such compliance and developing the appropriate disciplinary measures and mechanism.
Right to be Informed
The Client has the right informed whether Personal Data pertaining to him or her are being or have been processed. The Client shall be notified and furnished with information indicated hereunder before the entry of his/her Personal Data into the records of the company, or at the next practical opportunity:
Right to Access
The Data Subject has the right to reasonable access to upon demand the following:
Transmissibility of Rights of Data Subjects
The Lawful heirs and assigns of the data Subject may invoke the rights of the Data Subjects to which he or she is an heir or an assignee at any time after the death of the Data Subject or when the Data Subject is incapacitated or incapable of exercising his/her rights.
All Security Incidents and Personal Data breaches shall be documented through written reports, including those covered by the notification requirements. In the case of Personal Data breaches, a report shall include the facts surrounding an incident, the effects such incident and the remedial actions taken by the Company. In other security incidents involving Personal Data, a report containing aggregated data shall constitute sufficient documentation. These reports shall be made available when requested by the national privacy Commission Annually.
Any Personal Data Processing conducted by an external agent or entity (third-party service provider) on behalf of the company should be evidenced by a valid written contract with the company. Such contract should expressly set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of Data Subjects, the obligations and rights of the Company and the geographic location of the processing under the contract.
The fact that the company entered into such contract or arrangement does not give the said external agent or entity the authority to subcontract to another entity the whole part of the subject matter of said contract or arrangement, unless expressly stipulated in writing in the same contract or evidenced by a separate written consent/agreement of the company. The subcontracting agreement must also comply with the standards/criteria prescribed by the immediately preceding paragraph.
In Addition, the contract and the subcontracting contract shall include express stipulations requiring the external agent or entity (including the subcontractor) to:
By signing the accompanying Data Privacy Consent Form, you are expressly giving your consent to the collection, processing and storage of your personal data as provided herein.
The Company may update this policy to apply changes due to new laws and regulations affecting the data privacy act, as well as changes in our business operations. Any updates will be posted in our website with date stamp for proper notification to the public.
Name: Bernabe Alejandro B. Mendoza
Delegation: Data Privacy Compliance Officer
Email Address: [email protected]
Telephone Number: 8856-1366