DATA PRIVACY MANUAL

I. BACKGROUND 

Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), aims to protect personal data in information and communications systems in both the government and the private sector. The DPA created the National Privacy Commission (NPC), which is tasked with monitoring its implementation. It covers the processing of personal information and sensitive personal information and sets, as its basic premise, the grant of direct consent by a data subject before processing of personal information is allowed. The law requires all government and private entities or organizations processing personal data to establish policies and implement measures and procedures that ensure and guarantee the safety and security of personal data under their control or custody, thereby upholding an individual's data privacy rights. In addition, they are required to implement reasonable and appropriate measures to protect personal data against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration, and contamination. To inform its personnel and data subjects of such measures, every agency is expected to produce a Data Privacy Manual (DPM). The DPM serves as a guide or handbook for ensuring the compliance of an organization or entity with the DPA, its Implementing Rules and Regulations (IRR), and other relevant issuances of the NPC. It also encapsulates the privacy and data protection protocols that must be observed and carried out within the organization for specific circumstances (e.g., from collection to destruction), directed toward the fulfillment and realization of the rights of the data subjects.

 

II. INTRODUCTION 

The Cashsolutionz Marketing Campaign Services (“Company”), in its commitment to uphold, respect, and value data privacy rights, hereby adopts this DPM in compliance with the DPA, its IRR, and other relevant policies, including issuances of the NPC.

Through this DPM, the Company ensures that all personal data collected from its clients and other data subjects is processed in adherence to the general principles of transparency, legitimate purpose, and proportionality. To guide the Company and its data subjects in exercising their rights under the DPA, this DPM sets out the Company's data protection and security measures.

 

III. DEFINITION OF TERMS 

Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic, or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so. 

Data subject refers to an individual whose personal information is processed. 

Filing system refers to any set of information relating to natural or juridical persons to the extent that, although the information is not processed by equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular person is readily accessible.

Information and Communications System refers to a system for generating, sending, receiving, storing, or otherwise processing electronic data messages or electronic documents and includes the computer system or other similar device by or which data is recorded, transmitted, or stored and any procedure related to the recording, transmission or storage of electronic data, electronic message, or electronic document. 

Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual. 

Privileged information refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication. 

Sensitive personal information refers to personal information about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; about an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings; issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and specifically established by an executive order or an act of Congress to be kept classified.

 

IV. SCOPE AND LIMITATIONS 

This Data Privacy Manual (DPM) is adopted in compliance with Republic Act No. 10173, the Data Privacy Act of 2012 (DPA), and other relevant policies. It covers all personal data processed by the Company, including the personal data of clients, suppliers, partners, employees, and service providers.

 

V. PROCESSING OF PERSONAL DATA 

1. Collection 

The Company uses lawful methods to collect personal data from clients, including full name, address, and phone numbers, for the services it provides. Collection is carried out transparently and without hidden purposes.

2. Processing or Use 

The Company uses client data only to deliver its services and to communicate with clients, and ensures that such data is never manipulated or used against the interests of any client.

3. Storage, Retention and Destruction 

The Company guarantees the protection of personal data from unlawful destruction, alteration, disclosure, and processing. Client data is stored securely, is accessible only to authorized personnel, and is destroyed after five years.

4. Access 

Access to personal data is restricted to authorized personnel based on their roles; clients' data is accessible only to the Sole Proprietor.

5. Disclosure and Sharing 

Employees must maintain confidentiality of personal data, even after contract termination, and only disclose it for lawful purposes to authorized recipients.

 

VI. SECURITY MEASURES 

A. Organization Security Measures 

  a. Data Protection Officer (DPO) or Compliance Officer for Privacy (COP) 

      The Sole Proprietor is the designated Data Protection Officer.

  b. Functions of the DPO, COP, and/or any other responsible personnel with similar functions 

      The DPO monitors the Company's compliance with applicable laws and policies, including the DPA, its IRR, and NPC issuances. This includes collecting information, analyzing processing activities, advising on data-sharing agreements, conducting privacy impact assessments, addressing complaints, managing data breaches, and promoting awareness of privacy and data protection. The DPO also advocates for the development of policies and programs related to privacy and data protection, serves as the contact point for data subjects, and seeks advice from the NPC. The role also involves performing other duties that further the Company's data privacy and security interests.

  c. Conduct of trainings or seminars to keep personnel, especially the Data Protection Officer updated vis-à-vis developments in data privacy and security 

   The company is required to conduct annual mandatory training on data privacy and security, covering best practices for personal data protection, handling sensitive data, and recognizing phishing attempts.

  d. Conduct of Privacy Impact Assessment (PIA) 

   The Company must conduct a PIA on all of its personal data processing activities. The PIA may be outsourced to a third party, provided that the third party's security protocols are assessed and a data protection agreement is signed.

  e. Recording and documentation of activities carried out by the DPO, or the organization itself, to ensure compliance with the DPA, its IRR and other relevant policies. 

   Employees with direct access to personal data must regularly attend and actively participate in relevant training sessions and orientations about the DPA.

  f. Duty of Confidentiality 

   Employees must sign a Non-Disclosure Agreement to ensure the confidentiality of personal information, except where the information is intended for public disclosure.

  g. Review of Privacy Manual 

   The DPM will be regularly reviewed and evaluated, and the company will regularly update its privacy and security policies to ensure compliance with best practices.

B. Physical Security Measures 

  1. Format of data to be collected 

   The company may hold personal data in either digital or electronic format. 

  2. Storage type and location 

   Digital/electronic files must be stored on secure computers with passwords, accessible only by authorized personnel.

  3. Access procedure of agency personnel 

   Data processing facilities are protected through access controls like key card entry, security personnel, and surveillance cameras. 

  4. Monitoring and limitation of access to room or facility 

   The Company employs CCTV cameras to monitor critical locations, detect suspicious activity, and register access details for authorized personnel, ensuring security and privacy in data storage. 

  5. Design of office space/workstation 

   All workstations accessing personal data are locked when not in use and are protected with strong passwords. 

  6. Persons involved in processing, and their duties and responsibilities 

   Employees processing data are obligated to consistently uphold the integrity and confidentiality of such information. 

  7. Modes of transfer of personal data within the organization, or to third parties

   The company ensures secure email transmission of personal information through a secure provider and utilizes Google Business's warning message features. 

  8. Retention and disposal procedure 

   The company ensures client information is securely stored for five (5) years after their final engagement, and disposes of old hard drives using certified software for data wiping.

C. Technical Security Measures 

  a. Monitoring for security breaches 

   The company must annually install anti-virus software on internet-accessing devices. 

  b. Security features of the software/s and application/s used 

   The DPO must review and evaluate software applications before deployment to ensure compatibility with data privacy policies. 

  c. Process for regularly testing, assessment and evaluation of effectiveness of security measures 

   The DPO is mandated to conduct weekly vulnerability scans and firewall penetration testing so that security vulnerabilities are addressed before they can be exploited by malware or attackers.

  d. Encryption, authentication process, and other technical security measures that control and limit access to personal data 

   The Company uses robust encryption for network and database data, enforces password policies, and regularly reviews access permissions for personal data.

 

VII. BREACH AND SECURITY INCIDENTS 

  1. Creation of a Data Breach Response Team 

   The Data Breach Response Team (DBRT) consists of the Sole Proprietor, as DPO, who is responsible for swift action in the event of a security incident or personal data breach, including assessing the incident's scope, its risks, and the Company's compliance with applicable regulations.

  2. Measures to prevent and minimize the occurrence of breach and security incidents 

   The Data Breach Response Team conducts regular Privacy Impact Assessments to identify system risks, monitor security breaches, and scan computer networks, while reviewing CCTV footage for security purposes. 

 3. Procedure for recovery and restoration of personal data 

   The company securely stores off-site backups, regularly tests and verifies data restoration processes, and employs real-time monitoring to detect unauthorized access or suspicious activities. 

  4. Notification protocol 

   The Company's sole proprietor must inform the NPC and affected data subjects within 72 hours of the incident or breach. 

  5. Documentation and reporting procedure of security incidents or a personal data breach 

   The Company maintains detailed records of security incidents and personal data breaches and submits an annual report to Management and the NPC within the specified timeframes. The report details the nature of the breach, the personal data potentially involved, the measures taken by the DBRT, and contact details for affected individuals.

 

VIII. INQUIRIES AND COMPLAINTS 

To address data privacy concerns, contact the company's DPO at 09086497656. The company responds within 48 hours and takes corrective actions. If dissatisfied, individuals can escalate the matter to the relevant authority. Complaints should be filed in three copies or sent to the relevant department. The company provides guidance and assists with privacy rights requests. 

 

IX. EFFECTIVITY 

The provisions of this DPM are effective this 1st day of July 2024, until revoked or amended by the Company.