Background

Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), aims to protect Personal Data in information and communications systems both in the government and the private sector.

It ensures that entities or organisations processing Personal Data establish policies, and implement measures and procedures that guarantee the safety and security of Personal Data under their control or custody, thereby upholding an individual’s data privacy rights. A Personal Information controller or Personal Information processor is instructed to implement reasonable and appropriate measures to protect Personal Data against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

To inform its personnel of such measures, each Personal Information controller or Personal Information processor is expected to produce a Privacy Manual. The Manual serves as a guide or handbook for ensuring the compliance of an organisation or entity with the DPA, its Implementing Rules and Regulations (IRR), and other relevant issuances of the National Privacy Commission (NPC). It also encapsulates the privacy and data protection protocols that need to be observed and carried out within the organisation for specific circumstances (e.g., from collection to destruction), directed toward the fulfilment and realisation of the rights of Data Subjects.

Introduction

Awesomelab Inc. (ALI) is committed to protecting the privacy and confidentiality of Personal Data of its employees, customers, business partners and other identifiable individuals. This privacy manual is hereby adopted in compliance with Republic Act No. 10173 or the DPA, its IRR, and other relevant policies, including issuances of the NPC. ALI respects and values data privacy rights, and makes sure that all Personal Data collected from employees, customers and business partners, are processed in adherence to the general principles to transparency, legitimate purpose, and proportionality.

This Manual sets the minimum standard and shall guide all employees of its data protection, security measures and their rights under the DPA.

Definition of Terms

Company

Refers to Awesomelab Inc

Data Subject

Refers to an individual whose personal, sensitive personal or privileged information is processed by the organisation. It may refer to officers, employees, consultants, and clients of this organisation.

Personal Data

Refers to all types of Personal Information

Personal Information

Refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

Processing

Refers to any operation or any set of operations performed upon Personal Information including, but not limited to, the collection, recording, organisation, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.

Sensitive Personal Information

Refers to Personal Information

      - About an individual's race, ethnic origin, marital status, age, colour, and religious, philosophical or political affiliations
      - About an individual's health, education, genetic or sexual life of a person, or to any proceedings for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings
      - Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licences or its denials, suspension or revocation, and tax returns
      - Specifically established by an executive order or an act of Congress to be kept classified

Scope and Limitations

All Company personnel must comply with the terms set out in this Privacy Manual.

Processing of Personal Information

  • I. Collection

    • A. Manner and Purpose

      The Company shall ensure that information is only collected for a purpose that is a lawful purpose directly related to a function or activity of the Company. Information will not be collected by unlawful or unfair means.

    • B. Solicitation from Data Subject

      The Company shall ensure that solicitation of any Personal Information is collected from the Data Subject concerned. The Data Subject concerned must be informed and generally aware of

      • - The purpose for which information is collected
      • - If the collection of the information is authorised or required by law
      • - Any entity to which the information will be disclosed or passed to
    • C. Access and Alteration

      The Data Subject concerned is entitled to access and alter his/her Personal Information unless the Company is required or authorised by the law to refuse access to such information.

  • II. Use

    • A. Relevance, Completeness and Accuracy

      The Company shall ensure that information is relevant, up to date and complete upon usage of the information for whatever lawful purpose given upon collection. The Company shall NOT use information except for a purpose to which the information is relevant.

    • B. Limits on Use and Disclosure

      Personal information collected for a particular purpose shall NOT be used for any other purpose unless:

      • - The Data Subject concerned has given full consent to use the information for that other purpose
      • - The use of information is required or authorised by the law
      • - The purpose for which the information is used is directly related to the purpose for which it was collected

      Personal information collected shall not be disclosed to any other entity other than the Data Subject concerned unless:

      • - The Data Subject is reasonably likely to have been aware or made aware that information of that kind is usually passed to that entity
      • - The Data Subject concerned has given full consent to the disclosure
      • - The disclosure is required or authorised by the law
  • III. Storage, Retention and Disposal

    • A. Storage and Security

      The Company shall ensure that storage of Personal Information is protected by safeguards against loss, against unauthorised access, use, modification or disclosure as detailed in the Security Measures section of the policy.

    • B. Retention

      All Personal Information shall only be kept for a specific period of time as stated by law or by contract with the Data Subject or client. If Personal Information was used to make a decision about a Data Subject, said information shall be retained for the legally required period of time thereafter to allow the aforementioned to access the information in order to understand and possibly challenge the decision.

    • C. Disposal

      All media, whether physical or digital, containing Personal Information must be properly disposed of in such a way that:

      • - Personal information cannot be reconstructed or recovered in any way
      • - All associated copies or backups are also disposed

Security Measures

  • I. Organisation Security Measures

    • A. DPO Appointment

      The designated Data Protection Officer is Justin Danielle S. Sumulong, who is concurrently serving as the Chief Technology Officer of the organisation. Any change in the designation shall be communicated by ALI from time to time.

    • B. Functions of the DPO

      The Data Protection Officer shall oversee the overall compliance of the organisation with the Data Privacy Act. His/her functions include, but not limited to:

      • - Conducting of Privacy Impact Assessments
      • - Implementation of security measures
      • - Implementation of security incident and breach protocols
      • - Inquiry and complaints procedure
    • C. Conduct of Privacy Impact Assessments (PIA)

      The organisation shall conduct a PIA relative to all activities, projects and systems involving the Processing of Personal Information.

    • D. Review of Privacy Manual

      This manual shall be reviewed and evaluated annually. Privacy and security policies within the organisation shall be updated to remain consistent with current data privacy best practises.

  • II. Physical Security Measures

    • A. Storage Type and Location

      All digital information processed by the Company shall be stored in the cloud while physical information is stored in filing cabinets within the Company grounds which only authorised personnel have access to.

    • B. Equipment Assignment and Responsibility

      Employees provided with workstations and other equipment containing Personal Information are responsible for safekeeping and security of such equipment.

      Employees are expected to follow, at the minimum, protocols outlined in this manual to ensure security of all information.

      Employees who use personal effects such as laptops and mobile phones for business purposes shall also adhere to the same rules and responsibilities as aforementioned above.

    • C. Clean Desk Policy

      All sensitive and confidential paperwork must be removed from the desk and locked in a safe place.

      All waste paper which contains sensitive and confidential paperwork must be disposed of properly as stated in the Storage, Retention and Disposal section above.

      Workstations, laptops and other devices must be safely stored/shut down when left unattended.

  • III. Technical Security Measures

    • A. Password policies

      • 1. Effective/Strong Password

        All passwords should at least have 8 - 10 characters and a combination of letters and numbers.

      • 2. Password Reuse

        All employees are encouraged NOT to reuse the same passwords on multiple sites or applications.

      • 3. Password Rotation

        All passwords must be changed regularly - at least every 90 days.

      • 4. Two Factor Authentication (2FA)

        All employees are required to enable 2FA in all sites and applications used where applicable.

    • B. Administrator Access Control

      Administrator access to cloud and network resources shall not be limited to a single person to ensure check and balance controls.

      Access to data shall only be given to particular employees who are going to process said data.

      Those with administrator access shall only use their access controls for administrative use and not for Processing client data or Personal Information. Administrators who need to access Personal Information must do so through regular access channels like those of regular employees.

    • C. Network Security

      • 1. Firewall

        Firewalls shall be installed in Company premises to ensure that possibilities of data breaches and hacks are kept at a minimum.

      • 2. Antivirus

        All workstations and personal effects used for business purposes are required to have an antivirus installed and must be up to date.

      • 3. Regular Software Updates

        All operating systems and applications used for business purposes must be up to date to ensure latest security patches and fixes are installed.

    • D. Internet and Online Resource Usage

      • 1. Internet Usage

        Employees are encouraged to be mindful of sites visited, links and emails opened.

      • 2. Email and Online Resource Usage

        Company emails, messaging platforms, cloud and any other Company sanctioned online resources must ONLY be used for business purposes. Personal use of Company resources are prohibited and will be sanctioned accordingly.

    • E. Data Encryption

      • 1. Email Encryption

        Emails containing any Sensitive Personal Information must be encrypted using the OpenPGP protocol.

      • 2. File Encryption

        Any files containing Sensitive Personal Information must be encrypted using the OpenPGP protocol before it is shared through any means whether through digital transmission such as email or Slack or through physical transmission such as a USB.
        Only the designated recipient of the file must be able to decrypt and open the file.

    • F. Regular Security Testing

      The Company shall conduct regular vulnerability assessments and testing within the Company on a regular schedule as prescribed by the appropriate department.

Rights of the Data Subject

Data Subjects have the following rights in regards to the Processing of their Personal Data as provided by the DPA.

  • I. Right to be Informed

    The Data Subject has the right to be informed whether Personal Data pertaining to him or her shall be, are being, or have been collected or processed including the existence of automated decision-making and profiling.

    The Data Subject shall be notified with the following information before entry of his or her Personal Data into the Processing system of the Company, or at the next practical opportunity:

    • - Description of the Personal Data to be processed
    • - Purposes for which they are being or will be processed, including Processing for direct marketing, profiling or historical, statistical or scientific purpose
    • - Basis of Processing, when Processing is not based on the consent of the Data Subject
    • - Scope and method of the Personal Data Processing
    • - The recipients of classes of recipients to whom the Personal Data are or may be disclosed
    • - Methods utilised for automated access, if the same is allowed by the Data Subject, and the extent to which such access is authorised, including the meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject
    • - The identity and contact details of the Personal Data controller or its representative
    • - The period for which the information will be stored
    • - The existence of the Data Subject's rights, including the right to access, correction, and object to the Processing, as well as the right to lodge a complaint before the Commission
  • II. Right to Object

    The Data Subject shall have the right to object to the Processing of his or her Personal Data, including Processing for direct marketing, automated Processing or profiling. The Data Subject shall be notified and given opportunity to withhold consent to the Processing in case of changes or any amendment to the information supplied or declared to the Data Subject.

    When a Data Subject objects or withholds consent, the Company shall no longer process their Personal Data, unless

    • - The Personal Data is needed pursuant to a subpoena
    • - The Processing is for obvious purposes, including, when it is necessary for the performance of or in relation to a contract or service to which the Data Subject is a party, or when necessary or desirable in the context of an employer-employee relationship between the Company and the Data Subject
    • - The Personal Data is being collected and processed to comply with a legal obligation
  • III. Right to Access

    The Data Subject has the right to reasonable access to the following:

    • - Contents of his or her Personal Data that were processed
    • - Sources from which Personal Data were obtained
    • - Names and addresses of recipients of the Personal Data
    • - Manner by which Personal Data were processed
    • - Reasons for the disclosure of Personal Data to recipients, if any
    • - Information on automated processes where the Personal Data will, or is likely to, be made as the sole basis for any decision that significantly affects or will affect the Data Subject
    • - Date when Personal Data concerning the Data Subject were last accessed and modified
    • - The designation, name or identity, and address of the DPO
  • IV. Right to Rectification

    The Data Subject has the right to dispute the inaccuracy or error in the Personal Data and have the Company correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the Personal Data has been corrected, the Company shall ensure the accessibility of both the new and retracted information and the simultaneous receipt of the new and the retracted information by the intended recipients thereof: Provided, that recipients or third parties who have previously received such processed Personal Data shall be informed of its inaccuracy and its rectification, upon reasonable request of the Data Subject.

  • V. Right to Erasure or Blocking

    The Data Subject shall have the right to suspend, withdraw or order the blocking, removal or destruction of his or her Personal Data from the Company's filing system.

    This right may be exercised upon discovery and substantial proof of any of the following:

    • - The Personal Data is incomplete, outdated, false, or unlawfully obtained
    • - The Personal Data is being used for purposes not authorised by the Data Subject
    • - The Personal Data is no longer necessary for the purposes for which they were collected
    • - The Data Subject withdraws consent to the Processing, and there is no other legal ground or overriding legitimate interest for the Processing
    • - The Personal Data concerns private information that is prejudicial to the Data Subject, unless justified by freedom of speech, of expression, or of the press or otherwise authorised
    • - The Processing is unlawful
    • - The Company violated the rights of the Data Subject
  • VI. Data Portability

    Where a Data Subject's Personal Data is processed by electronic means and in a structured and commonly used format, the Data Subject shall have the right to obtain a copy of such data in an electronic or structured format that is commonly used and allows for further use by the Data Subject. The exercise of this right shall primarily take into account the right of Data Subject to have control over his or her Personal Data being processed based on consent or contract, for commercial purpose, or through automated means. The Commission may specify the electronic format referred to above, as well as the technical standards, modalities, procedures and other rules for their transfer.

Breach and Security Incidents

  • I. Data Breach Response Team

    In the event of a data breach or security incident, a response team shall be created to ensure that immediate action is taken. The team shall be responsible for the following:

    • - Conducting an initial assessment of the breach or incident
    • - Execution of measures that addresses the effects of the incident or breach
    • - Detailed documentation of incident or breach to be submitted to management and the NPC
  • II. Data Recovery and Restoration

    In the event of a data breach or security incident, the organisation shall ensure affected data are free of inconsistency or alterations using regular backups maintained by the organisation.

  • III. NPC Notification

    In the event of a data breach or security incident, the organisation shall notify the NPC and all Data Subjects involved about the incident or breach.

Inquiries and Complaints

Data subjects may inquire or request information regarding any matter relating to the Processing of their Personal Information under the custody of the organisation, including the data privacy and security policies implemented to ensure the protection of their Personal Data.

They may go directly to the involved department or email justinsumulong@awesomelabph.com and briefly discuss the inquiry or complaint.

Effectivity

The provisions of this manual are effective this 1st day of January 2022, until revoked or amended by the Company.