Our business is founded on data and information. They are the basis by which we are able to serve the needs of all our clients. With that in mind, it is imperative that we ensure that the data and information we collect, store, and process are protected against unauthorized access and use. Further, once the data and information are no longer required by our business, we are to ensure that they are disposed of in a manner that retains the security and protection of such data and information.
With that in mind, the objective of this policy is to lay down the guidelines for the protection and security of the data and information collected, stored, processed, and disposed of by the Company. Thus, this DATA PROTECTION POLICY is adopted in compliance with Republic Act No. 10173, the Data Privacy Act of 2012 (the DPA), its implementing rules and regulations, and other relevant policies, including issuances of the National Privacy Commission of the Philippines.
This policy covers all data and information that the Company collects, stores, processes, and disposes of irrespective of their source.
All employees, regardless of rank and job description, are required to abide by this policy.
Collection of Data
The Company collects the basic contact information of clients and customers, including their name, address, email address, contact number, the names of relevant employees and their contact details, and information regarding the service or product purchased or sought to be purchased. The Company collects this from the documents and/or contracts signed by such client or customer.
From the Public
In order to undertake the services and products it offers to its clients, the Company collects, by itself or through third parties, the following data: cookies, usage data, unique device identifiers for advertising (Google Advertiser ID or IDFA, for example), email address and geographic position.
From its Employees
Data from Clients
The Company may likewise use Client data to carry out any or all of the following secondary purposes: to contact the Client in order to respond to the Client's requirements, monitor its use of our products, and for statistical purposes; marketing, advertising, and/or commercial prospecting related to products and services, which may be carried out by the Company or by third parties with which the Company has entered into agreements or contracts; and to inform the Client of the launch of new products, or of changes to existing ones, promotions, and/or offers according to their interests.
Data from Third Parties
The Company shall use the data collected and received from Third Parties for purposes of undertaking the activities, services, and products it offers and sells to its clients. Use of said data shall include, but is not limited to: advertising; analytics; displaying content from external factors; interaction with external social networks and platforms; managing contacts and sending messages; remarketing and behavioral targeting; advertising serving infrastructure; commercial affiliation; hosting and backend infrastructure; location-based interactions; platform services and hosting; tag management; profiling; and automated decision-making.
Data from Employees
The Company shall use the data it has collected and received from its employees for the accomplishment of the process of recruiting, selecting, and on-boarding an employee; for research, identification, and validation purposes regarding the veracity of the information provided to the Company; for medical evaluation; for the incorporation and updating of employee information; for the integration of physical and digital records aimed at creating and administering employee portfolios; and to comply with the obligations arising from the applicable legislation or at the request of a competent authority.
Storage, Retention, and Destruction
To carry out the processing of your personal data, the Company has implemented a series of procedures and policies to manage and ensure the security of information, whether of a technological, physical, or administrative nature. Any measure, procedure, and/or policy in relation to the availability, integrity, confidentiality, and/or authorized use of personal data is also required to be complied with by the service providers we hire, by third parties, and by affiliated companies and subsidiaries of the Company.
All information gathered shall not be retained for a period longer than one (1) year counted from the time the data is deemed unnecessary or unrequired. Provided, that employee data shall be retained for a period no longer than four (4) years from the time of the separation of the employee from his/her employment. After the period herein specified, all hard and soft copies of personal information shall be disposed of and destroyed through secure means.
Due to the sensitive and confidential nature of the personal data under the custody of the company, only its clients, their authorized representatives, and the authorized representative/s of the Company shall be allowed to access such personal data, for any purpose, except for those contrary to law, public policy, public order or morals.
Disclosure and Sharing
Data from Employees
The Company may send and share your personal data, including an employee's sensitive personal data, only to its subsidiary and affiliated companies and to its suppliers with whom KOF enters into contracts in order to fulfill the purposes described in item II (c) (i); and the Company may disclose or allow access to the personal data provided to it in order to comply with the applicable legislation or at the request of the competent authority.
Data from Clients and Third Parties
All employees and personnel of the Company shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation, termination of contract, or other contractual relations. Personal data under the custody of the Company shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data.
Organizational Security Measures
The Data Protection Officer
The Data Protection Officer shall oversee the compliance of the Company with the DPA, its IRR, and other related policies, including the conduct of a Privacy Impact Assessment, implementation of security measures, security incident and data breach protocol, and the inquiry and complaints procedure.
Trainings and Seminars
The Company shall sponsor a mandatory training on data privacy and security at least once a year. For personnel directly involved in the processing of personal data, management shall ensure their attendance and participation in relevant trainings and orientations, as often as necessary.
Privacy Impact Assessment
The Company shall conduct a Privacy Impact Assessment (PIA) relative to all activities, projects, and systems involving the processing of personal data. It may choose to outsource the conduct of a PIA to a third party.
Duty of Confidentiality
All employees will be asked to sign a Non-Disclosure Agreement. All employees with access to personal data shall operate and hold personal data under strict confidentiality if the same is not intended for public disclosure.
Review of Data Protection Policy
This Policy shall be reviewed and evaluated annually. Privacy and security policies and practices within the organization shall be updated to remain consistent with current data privacy best practices.
Physical Security Measures
Format of Data
Storage Type and Location
Monitoring and Limitation of Access to Room or Facility
Persons involved in processing shall always maintain confidentiality and integrity of personal data.
Modes of Transfer of Data
Personnel data shall be transferred via email as a compressed file with password protection. The password can be sent via SMS or any mode of communication other than email.
Technical Security Measures
Monitoring for Security Breaches
The Company shall use an intrusion detection system such as, but not limited to, CCTV monitoring and biometrics access monitoring, to ensure that security breaches are avoided and to alert the organization of any attempt to interrupt or disturb the system.
Security Features of the Software/s and Application/s Used
The Company shall first review and evaluate software applications before the installation thereof in computers and devices of the organization to ensure the compatibility of security features with overall operations.
Process for Regular Testing, Assessment, and Evaluation of the Effectiveness of Security Measures
Data Breach Response Team
A Data Breach Response Team headed by the Data Protection Officer together with four (4) officers of the Company shall be responsible for ensuring immediate action in the event of a security incident or personal data breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effects of the incident or breach.
Measures to Minimize Occurrence of Breach and Security Incidents
The Company shall regularly conduct a Privacy Impact Assessment to identify risks in the processing system, monitor for security breaches, and carry out vulnerability scanning of its computer networks. Personnel directly involved in the processing of personal data must attend trainings and seminars for capacity building. There must also be a periodic review of the policies and procedures being implemented in the organization.
Procedure for Recovery and Restoration of Data
The Company shall always maintain a backup file for all personal data under its custody. In the event of a security incident or data breach, it shall always compare the backup with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.
The Head of the Data Breach Response Team shall inform the management of the need to notify the NPC and the data subjects affected by the incident or breach within the period prescribed by law. Management may decide to delegate the actual notification to the head of the Data Breach Response Team.
Documentation and Reporting Procedure
Data Subjects may exercise certain rights regarding their Data processed by the Company.
In particular, Users have the right to do the following:
Data subjects may exercise their rights, inquire or request for information regarding any matter relating to the processing of their personal data under the custody of the Company, including the data privacy and security policies implemented to ensure the protection of their personal data. They may write to the organization at firstname.lastname@example.org and briefly discuss the inquiry, together with their contact details for reference.
Complaints shall be filed in three (3) printed copies or sent to email@example.com. The concerned department or unit shall confirm with the complainant its receipt of the complaint.
All Company employees are enjoined to faithfully comply with this policy. Any deviation or violation shall be subject to the provisions of the SPECTRUM ONE I.T. SOLUTIONS CORP. EMPLOYEE CODE OF CONDUCT. Provided that any deviation or violation of this policy shall be classified as a Major Offense and the appropriate penalty under the SPECTRUM ONE I.T. SOLUTIONS EMPLOYEE CODE OF CONDUCT shall be imposed.