St. Dominic College of Asia operates the https://www.stdominiccollege.edu.ph/ website, which provides the SERVICE.
This privacy policy is used to inform website visitors about our policies with the usage, collection, and disclosure of Personal Data if anyone decided to use our Service, the St. Dominic College of Asia website.
If you accept to use our Service, then you agree to the collection and use of information concerning this privacy policy. The Personal Information that we collect is used for implementing and developing the Service. St. Dominic College of Asia respects and values your data privacy rights, and ensures that all personal information gathered from you will not be utilized or distributed to anyone without your consent as stipulated in this Privacy Policy.
The terms used in this Privacy Policy have the same definitions as defined by Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), which is accessible at https://www.privacy.gov.ph/data-privacy-act/ unless otherwise defined in this Privacy Policy.
PRINCIPLES OF PROCESSING DATA SUBJECT INFORMATION
-
Creation and Collection
-
Consent is required prior to the collection and processing of personal data, subject to exemptions provided by the Act and other applicable laws and regulations.
-
When consent is required, it must be time-bounded in relation to the declared, specified and legitimate purpose. Consent given may be withdrawn through Email at This email address is being protected from spambots. You need JavaScript enabled to view it. .
-
The data subject must provide specific information regarding the purpose and extent of processing, including, where applicable, the automated processing of his or her personal data for profiling, or processing for direct marketing and data sharing.
-
Purpose should be determined and declared before, or as soon as reasonable and practicable after collection.
-
Only personal data that is necessary and compatible with declared, specified, and legitimate purpose shall be collected.
-
-
Transparency
-
The data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the rights as data subject and how these rights can be exercised.
-
The data subject must be informed or aware whether personal information pertaining to him or her shall be, are being, or have been processed.
-
-
Legitimate Purpose
-
The processing of data subject information should be compatible with a declared and specified purpose which was not contrary to law, morals or public policy.
-
The data subject has the right to refuse consent and can withdraw the consent anytime.
-
Waiver of the data subject of his or her data privacy rights shall not be considered as valid consent as required under the DPA (AdOp No. 2017-007).
-
Data subject has a genuine choice and control over how the PIC uses their data or information.
-
-
Proportionality
-
The processing of the data subject information shall be adequate, relevant, suitable, necessary, and not excessive in relation to the declared and specific purpose.
-
Personal data shall be processed only if the purpose of the processing of information could not reasonably be fulfilled by other means.
-
The free flow of the data subject information across the organization is allowed as where the information is necessary, valid and legal.
-
-
Security Measures
-
Implement data protection policy that will maintain the availability, integrity and confidentiality of personal information against accidental or unlawful processing.
-
Provide limitations on access workstation or facilities, including proper guidelines that specify the use of and access of electronic media (e.g. locks, back-up protection, and other related hereinto).
-
Provide monitoring guidelines when access workstation or facilities and electronic media (e.g. locks, back-up protection, and other related hereinto).
-
DATA SUBJECTS RIGHTS
-
Rights to be informed
-
The data subject has the right to be informed with regards to where the personal information shall be, being or have been processed.
-
The right to be informed is a basic right of the data subject.
-
The right to be informed empowers the data subject to consider other action in order to protect and assert the data privacy rights.
-
-
Rights to Access
-
Aside from the right to be informed, the data subject is also having the reasonable right to access his/her personal information, if:
-
Contents of the data subject information were processed;
-
Sources from which the information were obtained;
-
Name and address of the recipient is from the data subject;
-
Manner by which the information of the data subject was processed;
-
Reason for disclosure of the data subject information;
-
Information or automated processes where the data will or likely to be made as the sole basis for any decision by which it would significantly affect the data subject.
-
Name and address of the personal information controller.
-
-
-
Rights to Correct/Rectify
-
The data subject has the right to dispute any inaccuracy or error in your personal data.
-
The data subject has the right to immediately request for correction of the information, unless the request is vexatious or unreasonable.
-
The PIC should provide receipt of the corrected information and the retracted information by the intended recipient thereof.
-
-
Rights to Erasure/Blocking
-
The data subject has the right to suspend, withdraw or order the blocking, removal or destruction of the information, on the following conditions:
-
Personal data is incomplete, outdated, false or unlawful obtained;
-
Personal data is being used for a purpose that is not authorized;
-
Personal data is no longer necessary for the purpose for which the information was collected;
-
The data subject has decided to withdraw the consent, or object the processing and there is no overriding legal grounds for processing;
-
The processing of the data subject information is unlawful;
-
The PIP and PIC violated the rights of the data subject.
-
-
-
Rights to Damages
-
The data subject has the right to get indemnified for any damages sustained to such inaccurate, incomplete, outdated, false, unlawfully obtained personal information and considering any violation of the rights and freedom of the data subject.
-
-
Rights to Data Portability
-
All data subject information that is processed electronically, the data subject has the right to obtain from the PIC a copy of such an electronically or structured that is commonly used and allows for further use.
-
The data subject has the control over his/her information based on the consent and contract, for commercial purpose or through automated means.
-
-
Rights to File a Complaint
-
If the information of the data subject has been misused, maliciously disclosed or improperly disposed, or that any of the data privacy rights have been violated, the data subject has a right to file a complaint to the DPO of the institution/NPC.
-
SECURITY MEASURES
-
Organizational Security Measures
-
Data Protection Officer (DPO) or CPO Compliance Office for Privacy Duties and Responsibilities
-
A Data Protection Officer (DPO) should be appointed by the Institution, a full-time organic employee.
-
Monitor the compliance of the PIC and PIP with the Data Privacy Act of 2012, IRR, issuances by the NPC and other applicable laws and policies. The DPO may:
-
Collect information to identify the processing operations, activities, measures, projects, programs or system of the PIC or PIP, and maintain a record thereof;
-
Analyze and check the compliance of the processing activities, including the issuance of security clearance to and compliance by third-party service providers;
-
Inform, advise and issue recommendations to the PIC and PIP;
-
Ascertain renewal of accreditation or certifications necessary to maintain the required standards in personal data processing; and
-
Advice the PIC or PIP as regards the necessity of executing a Data Sharing Agreement with third parties and to ensure its compliance with the law.
-
-
-
-
Ensure the conduct of Privacy Impact Assessments relative to the activities, measures, projects, programs or system of the PIC or PIP;
-
Advice the PIC or PIP regarding complaints and/or the exercise by the data subject of their rights;
-
Ensure proper data breach and security incident management by the PIC or PIP, including the latter’s preparation and submission to the NPC of reports and other documentation concerning security incidents or data breaches within the prescribed period;
-
Inform and cultivate awareness on privacy and data protection within the organization of the PIP or PIC, including all relevant laws, rules and regulations and issuances of the NPC;
-
Advocate for the development, review and/or revision of policies, guidelines, project and or programs of the PIC or PIP relating to privacy and data protection, adopting a privacy by design approach.
-
Serve as the contact person of the PIC and PIP vis-à-vis data subjects, the NPC and other authorities in all matters concerning data privacy or security issues or concerns and the PIC or PIP;
-
Cooperate, coordinate and seek advice from th e NPC regarding matters concerning data privacy and security; and
-
Perform other duties and tasks that may be assigned by the PIC that will further the interest of data privacy and security and uphold the rights of the data subjects.
-
Personal Information Controller (PIC) or Personal Information Processor (PIP) General Obligations
-
Effectively communicate to its personnel the designation of the DPO or COP and his or her functions;
-
Allow the DPO or COP to be involve d from the earliest stage possible in all issues relating to privacy and data protection;
-
Provide sufficient time and resources necessary for the DPO and COP to keep himself/herself updated with the developments in data privacy and security and to carry out his or her tasks effectively and efficiently;
-
Grant the DPO or COP appropriate access to the personal data it is processing, including the processing system;
-
Where applicable, invite the DPO or COP to participate in meetings of senior and middle management to represent the interest of privacy and data protection;
-
Ensure that the DPO or COP is made a part of all relevant working groups that deal with personal data processing activities conducted inside the organization or with other organization.
-
-
Management of Human Resources
The DPO, in collaboration with the Human Resource Office (HRO) shall implement measures to ensure that all SDCA employees who have access to personal data of the data subject will strictly process such information in compliance with the requirements of the Data Privacy Act and other applicable laws and regulations. These measures may include developing of new or updating relevant policies of SDCA and conducting orientation program to educate employees on data pri vacy-r elated concerns.
The Human Resource Office shall obtain the employee’s consent, evid enced by written, electronic or recorded means, to:
-
The processing of his or her Personal Data/Information, for the purpose of gathering and maintaining the institution’s records; and
-
A continuing agreement of confidentiality on the employee’s part in relation with the Personal Data during the period of contract with the institution. Further, the above agreement shall also be considered even after the employment for whatever reason.
-
-
Data Privacy Principles
All processing of personal data within the institution should be conducted in compliance with the Data Privacy Act with transparency, legitimate purpose, proportionality, data quality, security measures and rights of the data subject.
-
Data Collection Procedures
The assigned PIPs in all departments may collect personal information from the data subject if the collection is relevant to the process of the department or unit. The DPO shall ensure that the procedure in collection personal information is updated and that the consent of the data subject is properly obtained and evidenced by written, electronic or recorded means. Such procedure shall be regularly monitored, modified (if needed), and updated (when necessary) to ensure that the rights of the data subject are respected and that processing is fully in accordance with the Data Privacy Act and other applicable laws and regulations.
-
Data Processing of Records
Records of the institution should be effectively and efficiently maintained ensuring that these records are kept updated. The institution record should:
a. Inform the purpose of processing the data subject information, including the intention for future processing or data sharing;
b. A clear entity of the data subject that will be involved in the processing;
c. Provide general information about the data flow of information within the Institution, form the time of collection, retention, and the process of disposal or erasure of the data subject information.
d. Clearly name and contact details of the DPO, PIP, and PIC to ensure compliance with the applicable laws and regulations for protection of data privacy and security.
-
Data Retention Procedure
Data retention of the data subject should be compliant with the requirements of the DPA and other relevant laws and regulations. The data subject information should be retained for a period not longer than necessary and/or appropriate to the purposes for which the data was collected. The PIC or PIP in each office should be responsible for developing measures to determine the applicable data retention schedules and procedures to allow for the withdrawal of previously given consent of the data subject as well as to safeguard the destruction and disposal of such personal data.
-
Physical Security Measures
The DPO, with the assistance and cooperation of the Information Communication Technology (ICT), Human Resource Office (HRO), Transport and General Services (TAGS), and Building Administration Office (BAO), shall develop and implement policies and procedures for the institution to monitor and limit access to, and activities in, the offices including guidelines that specify the proper use of, and access to, electronic media.
OUTSOURCING DATA SUBJECT INFORMATION
-
The disclosure and transfer to a third party of personal information is under the control or custody of a Personal Information Controller (PIC).
-
The disclosure or transfer of personal information may be done by a Personal Information Processor (PIP) upon the instruction of the PIC.
-
Contract, joint issuance or any similar document that contains the terms and conditions of an outsourcing or subcontracting should be arranged between two parties.
-
Only the Personal Information Controller (PIC) shall be made parties to an outsourcing or subcontracting agreement.
DATA SHARING
-
The disclosure and transfer to a third party of personal information is under the control or custody of a Personal Information Controller (PIC).
-
disclosure or transfer of personal information may be done by a Personal Information Processor (PIP) upon the instruction of the PIC.
-
Contract, joint issuance or any similar document that contains the terms and conditions of a data sharing should be arranged between two or more parties.
-
Only the Personal Information Controller (PIC) shall be made parties to a data sharing agreement.
PROCESSING OF CONFIDENTIAL INFORMATION
-
Upon employment with St Dominic College of Asia, each employee should strictly observe and protect the following confidential information:
-
Any confidential information employees have access to should be discussed with others only on a need-to-know basis;
-
Confidential information may not be disclosed to any outside persons, outsource, industry partners without the appropriate confidential information disclosure agreement from legal counsel; and
-
Sensitive and confidential information should not be discussed, even with fellow employees in public places;
-
-
Employees are advised to maintain the confidentiality of information in their specific workplace, depending on the type of job and access to information. Further, all employees of St. Dominic College of Asia should:
-
Secure the confidential information at all times;
-
Shred confidential documents that are no longer needed;
-
Make sure that confidential information should be viewed in a secure devices and place;
-
Disclosed to information to employees when necessary, authorized and with legal advice; and
-
Keep all confidential information inside the company premises with proper security.
-
DATA BREACH AND SECURITY INCIDENTS
-
In the event that the sign of security or data breach is discovered or encountered, such incidents shall be immediately reported to the DPO within 24 hours.
-
All data or security breaches should be sufficiently documented through written reports. All data breaches reports should include the facts, the effects of such incident and the remedial action taken by the Institution.
-
The discovery or encounter of the data breach should be verified to determine the relevant circumstances surrounding the reported data or security breach.
-
The HR Office will convene a meeting of every personnel involved in the data or security breach for investigation and clarification. Concrete documentation should be gathered for proper reporting.
-
Upon identifying the degree of the relevant circumstance surrounding the reported data or security breach, the DPO should notify the National Privacy Commission (NPC) and the affected data subject pursuant to the requirements and procedures prescribed by the Data Privacy Act (DPA).
-
The report to the NPC should present the measurements used to reduce the harm or negative consequences of the breach, the name and contact details of the DPO.
LINKS TO OTHER SITES
The Service contains links to other sites. If a visitor clicks on a third-party link, he/she will be directed to that site. Note that these external sites are not operated by SDCA. Therefore, visitors are strongly advised to review the Privacy Policy of these websites. SDCA has no control over and assumes no responsibility for the content, privacy policies, or practices of any third-party sites or services.
CHANGES TO THIS PRIVACY POLICY
SDCA may update its Privacy Policy at any time without prior notice. Thus, visitors are advised to review the page periodically for any changes. SDCA will notify its visitors of any changes by posting the new Privacy Policy on its official page. These changes are effective immediately after they are posted on the page.
CONTACT US
If you have any questions or suggestions about our Privacy Policy, please do not hesitate to contact us through This email address is being protected from spambots. You need JavaScript enabled to view it. .