DATA PRIVACY NOTICE
Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), aims to protect personal data in information and communications systems both in the government and the private sector.
It ensures that entities or organizations processing personal data establish policies, and implement measures and procedures that guarantee the safety and security of personal data under their control or custody, thereby upholding an individual’s data privacy rights. A personal information controller or personal information processor is instructed to implement reasonable and appropriate measures to protect personal data against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration, and contamination.
In compliance with Republic Act No. 10173 or the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations, and other relevant policies, including issuances of the National Privacy Commission, Dolores Hotels and Resorts respects and values your data privacy rights and, in its commitment to uphold them, makes sure that all personal data collected from our guests, suppliers, applicants and employees are processed properly.
This Manual serves as your guide for your data protection in exercising your rights under the DPA.
A. Data Privacy Act or DPA refers to Republic Act No. 10173 or the Data Privacy Act of 2012 and its implementing rules and regulations.
B. Personal Data collectively refers to Personal Information, Sensitive Personal Information, and Privileged Information.
C. Personal Information refers to any information, such as full name, nickname, home addresses/billing address/shipping address, e-mail address, employment information, telephone, or other personal contact numbers.
D. Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
E. Sensitive Personal Information refers to Personal Data:
1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
2. About an individual’s health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
3. Issued by government agencies peculiar to an individual, including social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns;
4. Specifically established by an executive order or an act of Congress to be kept classified.
F. Personal Information Controller (PIC) refers to a natural or juridical person, or any other body who controls the processing of personal data or instructs another to process personal data on his behalf.
G. Personal Information Processor (PIP) refers to any natural or juridical person or any other body to whom a Personal Information Controller may outsource or instruct the processing of Personal Data pertaining to a data subject.
SCOPE AND LIMITATIONS
This Privacy Manual shall apply to all DHR guests, suppliers, job applicants and employees regardless of the type of employment such as contractual, part-time, project, agency-based, working scholars, full-time basis and interns/trainees (who have no employer-employee relationship with the Company).
The Manual shall also apply to lessees and other persons contracting with the company who may be required to submit their own Personal Data and the Personal Data of their employees as a matter of policy or security.
PROCESSING OF PERSONAL DATA
The collection of both personal information and sensitive personal information is done by lawful means and for a lawful purpose and is directly related and necessary in the achievement of the DHR’s Vision and Mission.
Personal information of DHR guests, suppliers, job applicants and employees includes full name, address and cellular/telephone numbers. These are obtained openly and straightforwardly, without any hidden motive, by having the individual fill out the respective official forms.
Personal data collected shall be used by the DHR solely for reportage and documentation purposes. In all this, the individual is not deemed identified as the data shall be presented in statistical form. The DHR shall ensure no manipulation of personal data and that the same shall not be used against any individual.
C. Storage, Retention and Destruction
DHR shall ensure that personal data under its custody are protected against any accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing. It shall implement appropriate security measures in storing collected personal information, depending on the nature of the information. The retention period shall be ten (10) years from the date of transaction.
After the retention period, all hard and soft copies of personal information are authorized for purging through secured means.
Access to personal data of DHR guests, suppliers, job applicants and employees shall be limited to the DHR Authorized Personnel. At no time should anyone be given access to the personal files.
E. Disclosure and Sharing
All DHR officials and employees shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation, termination of contract, or other contractual relations. Personal data under the custody of the DHR shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data.
The DHR shall establish and implement reasonable and appropriate physical, technical, and organizational measures to ensure the protection of sensitive personal data. The security measures aim to maintain the availability, integrity and confidentiality of personal data and protect them against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.
A. Company Security Measures
Every personal information controller and personal information processor must also consider the human aspect of data protection. The provisions under this section shall include the following:
a. Data Protection Officer (DPO), or Compliance Officer for Privacy (COP)
i. In line with the Company’s mandate to comply with the DPA and its IRR to secure personal data, the Company shall designate a Data Protection Officer (DPO).
b. Functions of the DPO, COP and/or any other responsible personnel with similar functions
i. The Data Protection Officer is responsible for the compliance of the Company with the DPA, and other applicable laws and regulations for the protection and security of personal data, including the supervision of a Privacy Impact Assessment, enforcement of security and data breach protocols, and inquiry and complaints procedures.
c. Conduct of, or attendance at, trainings or seminars to keep personnel, especially the Data Protection Officer, updated vis-à-vis developments in data privacy and security
i. The Company shall conduct an annual awareness campaign and data privacy training for all its personnel involved in the processing of personal data.
d. Conduct of Privacy Impact Assessment (PIA)
i. The Company shall conduct a Privacy Impact Assessment (PIA) relative to all activities, projects and systems involving the processing of personal data.
e. Recording and documentation of activities carried out by the DPO, or the Company itself, to ensure compliance with the DPA, its IRR and other relevant policies.
i. The Company shall hold a copy of all the activities carried out by the DPO, or the Company itself in accordance with the DPA and other related policies.
f. Duty of Confidentiality
i. All personnel will be asked to sign a Non-Disclosure Agreement. All personnel with access to personal data shall operate and hold personal data under strict confidentiality if the data is not intended for public disclosure.
g. Review of Privacy Manual
i. This Manual shall be reviewed and evaluated annually. Privacy and security policies and practices within the Company shall be updated to remain consistent with current data privacy best practices.
B. Physical Security Measures
This portion shall feature the procedures intended to monitor and limit access to the facility containing the personal data, including the activities therein. It shall provide for the actual design of the facility, the physical arrangement of equipment and furniture, the permissible modes of transfer, and the schedule and means of retention and disposal of data, among others. To ensure that personal data under the custody of the Company are protected from mechanical destruction, tampering and alteration, and from man-made disasters, power disturbances, external access, and other similar threats, provisions like the following must be included in the Manual:
a. Format of data to be collected
i. Personal data in the custody of the Company may be in digital/electronic format and paper-based/physical format.
b. Storage type and location (e.g. filing cabinets, electronic storage system, personal data room/separate room or part of an existing room)
i. All personal data processed by the Company shall be stored in a data room, where paper-based documents are kept in locked filing cabinets, while the digital/electronic files are stored in computers that are protected by passwords or pass codes, encrypted with the most appropriate encryption standard, and equipped with up-to-date enterprise-level antivirus software.
c. Access procedure of agency personnel
i. Only authorized personnel may access the personal data stored by the company. Other personnel may be granted access to the room upon filing of an access request form with the Data Protection Officer and the latter’s approval thereof.
d. Monitoring and limitation of access to room or facility
i. Access to the Personal Data by all authorized personnel shall be monitored by the General Manager, or the head of the branch, or department concerned. All personnel authorized to enter and access the data room or facility must fill out and register in a log book where they shall indicate the date, time, duration and purpose of each access.
e. Design of office space/work station
i. The computers are positioned with considerable spaces between them to maintain privacy and protect the processing of personal data.
f. Persons involved in processing, and their duties and responsibilities
i. Confidentiality will be observed and maintained at every stage of personal data processing. Personnel are not allowed to bring, connect and/or use their own gadgets or storage devices of any form when processing personal data.
g. Modes of transfer of personal data within the Company, or to third parties
i. Transfers of personal data via electronic mail shall use a secure email facility with encryption of the data, including any or all attachments. Facsimile technology shall not be used for transmitting documents containing personal data.
h. Retention and disposal procedure
i. The company shall retain all Personal Data in its custody under its corporate rules and policies. Upon the disposal of the data, only the DPO shall be allowed to dispose of personal data in a secure environment.
C. Technical Security Measures
Each personal information controller and personal information processor must implement technical security measures to make sure that there are appropriate and sufficient safeguards to secure the processing of personal data, particularly the computer network in place, including encryption and authentication processes that control and limit access. They include the following, among others:
a. Monitoring for security breaches
i. The Company shall impose strict monitoring on the access of personal data so as to minimize the risk of personal data breach and other security incidents. For this purpose, the Company shall keep an up-to-date copy of its Data Privacy Tracker, which shall contain all the logs of the data privacy incidents, inquiries, complaints, and requests from data subjects and other entities filed with the Company.
ii. The Company shall ensure that updated versions of antivirus software are kept on the personnel terminals so as to avoid virus and malware infection.
b. Security features of the software/s and application/s used
i. The Company shall procure and install anti-virus software and a firewall for Company-issued devices on which personal data are stored and which access the internet regularly. The Company shall also review and evaluate requested software applications before installation to ensure security and compatibility, so as not to hamper Company operations.
c. Process for regularly testing, assessment and evaluation of effectiveness of security measures
i. The Company shall review security policies, conduct vulnerability assessments and perform penetration testing within the company on a regular schedule to be prescribed by the appropriate department or unit.
ii. If the use of any software application poses a security risk to the Company and to the personal data such that it may disturb or interrupt the normal operations of the Company, the Company shall immediately notify the end-user of the application, through the DPO / PIP, for the immediate removal of the application.
d. Encryption, authentication process, and other technical security measures that control and limit access to personal data
i. Each member of personnel with access to personal data shall verify his or her identity using a secure encrypted link and multi-level authentication. Passwords or pass codes that are used to access personal data shall be of sufficient strength to deter data breach.
BREACH AND SECURITY INCIDENTS
A. Creation of a Data Breach Response Team
A Data Breach Response Team, composed of the DPO, authorized personnel, and all IT Personnel, is responsible for ensuring immediate action in the event of a security incident or personal data breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effects of the incident or breach.
B. Measures to Prevent and Minimize Occurrence of Breach and Security Incidents
The Data Breach Response Team shall regularly conduct a Privacy Impact Assessment to identify risks in the processing system, monitor for security breaches, and conduct vulnerability scanning of computer networks. Personnel directly involved in the processing of personal data shall attend training and seminars for capacity building. A periodic review of policies and procedures being implemented in the DHR shall be undertaken.
C. Procedure for Recovery and Restoration of Personal Data
The DHR shall always maintain a backup file for all personal data under its custody. In the event of a security incident or data breach, it shall always compare the backup with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.
D. Notification Protocol
The Head of the Data Breach Response Team shall inform the Executive Director of the National Privacy Commission (NPC) and the data subjects affected by the incident or breach within 72 hours from knowledge thereof.
E. Documentation and Reporting Procedure of Security Incidents or a Personal Data Breach
The Data Breach Response Team shall prepare detailed documentation of every incident or breach encountered, as well as an annual report, to be submitted to the Executive Director and the NPC within the prescribed period. The report shall contain the following:
i. Description of the nature of the breach
ii. Personal data possibly involved
iii. Measures undertaken by the team to address the breach and reduce the harm or its negative consequences; and
iv. Names of the personal information controller, including contact details, from whom the data subject can obtain additional information about the breach and any assistance to be provided to the affected data subjects.
RIGHTS, INQUIRIES AND COMPLAINTS OF DATA SUBJECTS
Every data subject has the right to:
1. Be notified and furnished with his or her information before entry into the processing system within 48 hours when such data shall be used for direct marketing, profiling or historical or scientific purpose. Notification shall be made through an Office Memoranda and/or email.
2. View and recommend corrections to his or her data being processed. The data subject may also write or email the DHR Authorized Personnel with a brief discussion of the inquiry and/or correction/s together with his/her contact details for reference.
3. Complain and be indemnified for any damages sustained when the data subject’s recommendations for corrections to his or her data were not acted upon, which resulted in damages due to inaccurate, incomplete, outdated and false information, unlawfully obtained or unauthorized use of personal data. Complaints shall be filed in three printed copies, or sent to the email address of DHR. The department or division concerned shall confirm with the complainant its receipt of the complaint.
Data Protection Officer: email@example.com
2nd Floor Anchor Hotel Building, Cagampang Ext.
Santiago Blvd., Brgy. Bula, General Santos City
Tel No.: (083) 552-6514 to 17