HTLand, Inc. (the “Corporation”) recognizes the value of ensuring that all personal information and data of its buyers and employees are protected against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.
In compliance with the general data privacy principles embodied in Republic Act No. 10173 or the Philippine Data Privacy Act of 2012 (“Data Privacy Act”), its Implementing Rules and Regulations, and other relevant policies, including issuances of the National Privacy Commission (“NPC”) (the “Data Privacy Laws”), the Corporation issues this Policy to serve as guidelines and to show its commitment to the protection of personal information and data. This Data Privacy Policy (the “Policy”) shall also encapsulate the privacy and data protection protocols that need to be observed and carried out within the organization for specific circumstances (e.g., from collection to destruction), directed toward the fulfillment and realization of the rights of data subjects.
The Corporation shall exercise its responsibility with the due diligence expected from the nature of the industry, and ensure that its directors, officers, and employees perform their duties in strict and faithful compliance with these guidelines on personal information and data security and confidentiality.
“Data Subject” refers to an individual whose personal, sensitive, or privileged information is processed;
“Personal Data” refers to all types of personal information;
“Personal Information” refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual;
“Personal Information Processor” refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject;
“Processing” refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data; and
“Sensitive Personal Information” refers to personal data:
All personnel of the Corporation including but not limited to its directors, officers, and employees, regardless of their type of employment or contractual arrangement, must comply with this Policy.
A. Collection
The Corporation as a real estate developer collects the Personal Information of its buyers and employees which include basic contact information such as their full name, address, marital status, e-mail address, and contact number. In addition, the Corporation also collects and processes the Sensitive Personal Information of its buyers and employees which include, among others, the taxpayer’s identification number, government-issued ID, and proof of buyer’s capacity to pay.
B. Use
Personal Information and Sensitive Personal Information are collected by the Corporation for the following major reasons:
C. Storage, Retention, and Destruction
Any Personal Information and Sensitive Personal Information provided to the Corporation is retained only for such duration that is necessary to fulfill whatever purpose for which it is collected subject to compliance with applicable laws and regulations. The Corporation will exercise reasonable security measures to prevent unauthorized, accidental, or unlawful access, processing, deletion, loss or use, including providing standard restrictions to physical access to data within the Corporation’s systems, and encryption of sensitive data when transmitting such data. Such reasonable measures will also be taken to remove information when no longer necessary.
D. Access
Due to the sensitive and confidential nature of the personal data under the custody of the Corporation, only the data subjects and the authorized representative of the Corporation shall be allowed to access such personal data, for any purpose, except for those contrary to law, public policy, public order or morals.
E. Disclosure and Sharing
Where permitted by law and where such disclosure is necessary to satisfy the purpose or a directly related purpose for which the Personal Information and Sensitive Personal Information was collected, the Corporation may share personal data with the Corporation’s affiliates or similar relationships and government regulators after having obtained the consent of the Data Subjects and provided that the provisions and conditions of the Data Privacy Act have been complied with.
The Corporation will take appropriate organizational, physical, and technical measures which are consistent with the Data Privacy Laws. The Corporation will use security procedures and technology to protect the information it holds.
A. Organizational Security Measures
A Data Protection Officer (“DPO”) shall be appointed by the Corporation. The DPO is responsible for ensuring the Corporation’s compliance with the Data Privacy Laws.
B. Physical Security and Technical Security Measures
The Corporation shall ensure that physical security measures are in place, which shall include, among others, monitoring and limiting access to, and activities in, the departments and offices of the Corporation where personal data is processed, including guidelines that specify the proper use of and access to electronic media. In addition, the Corporation shall implement technical security measures to ensure that, among others, the Corporation’s processing systems are not vulnerable to data breach. The Corporation shall faithfully comply with the standards and guidelines in the Data Privacy Act on physical security and technical security measures.
A. Data Breach Notification
All employees and agents of the Corporation involved in the processing of personal data are tasked with regularly monitoring for signs of a possible data breach or security incident. In the event that such signs are discovered, the employee or agent shall immediately report the facts and circumstances to the DPO within twenty-four (24) hours from his or her discovery for verification as to whether or not a breach requiring notification under the Data Privacy Act has occurred as well as for the determination of the relevant circumstances surrounding the reported breach and/or security incident.
The DPO shall notify the NPC and affected Data Subjects of any incident of data breach pursuant to requirements and procedures prescribed by the Data Privacy Act.
The notification to the NPC and affected Data Subjects shall describe, among others, the nature of the breach, the personal data possibly involved, and the measures taken by the Corporation to address the breach.
B. Breach Reports
The Corporation shall ensure that all security incidents and personal data breaches shall be documented through written reports, including those not covered by the notification requirements. In the case of personal data breaches, a report shall include the facts surrounding an incident, the effects of such incident, and the remedial actions taken by the personal information controller as defined under the Data Privacy Act. In other security incidents not involving personal data, a report containing aggregated data shall constitute sufficient documentation. These reports shall be made available when requested by the NPC. A general summary of the reports shall be submitted by the DPO to the NPC annually.
The Corporation shall ensure that the rights of Data Subjects are protected and recognized. Towards this purpose, the Corporation shall ensure that all Data Subjects shall be given the (i) right to be informed, (ii) right to object, (iii) right to access, (iv) right to rectification, (v) right to erasure or blocking, and (vi) right to damages as these are provided for in the Data Privacy Act.
Data Subjects may direct inquiries or requests for information regarding any matter relating to the processing of their personal data to the Corporation’s DPO.
The Corporation may engage a Personal Information Processor to process the Personal Information and Sensitive Personal Information of the Corporation’s Data Subjects. Such engagement shall comply with the requirements of the Data Privacy Act and shall at all times be covered by the appropriate contractual agreements. The Corporation shall ensure that such Personal Information Processor shall also, where applicable, implement the security measures of the Data Privacy Act. At all times the Personal Information Processor must ensure the confidentiality, integrity, and availability of the personal data processed, and prevent its use for unauthorized purposes.
© HTLand, Inc. 2017