GCG Privacy Policy

I. Privacy Statement

The Governance Commission for Government-Owned or-Controlled Corporations (GCG) is committed to protecting your personal information and sensitive personal information (collectively “Personal Data”).

We give our assurance that all the processing activities of the GCG shall be in accordance with Republic Act No. 10173, otherwise known as the “Data Privacy Act of 2012” (DPA), its Implementing Rules and Regulations (IRR), and the issuances of the National Privacy Commission (NPC).

Further, in the pursuit of its mandate (R.A. No. 10149), legal obligations, and legitimate interests, the GCG shall be guided by the general data privacy principles of transparency, legitimate purpose, and proportionality.

II. GCG Website Privacy Notice

Our official website can be accessed at: https://gcg.gov.ph/

Our website contains functionalities that enable the GCG to collect and process your Personal Data. This Privacy Notice is issued to provide you with information as to how we collect your Personal Data; the basis, use, and purpose of our processing activities; our data protection measures; and your data subject rights.

This is not a Privacy Notice for all our Personal Data collection activities. The GCG will provide a separate Privacy Notice, in an appropriate format and manner, whenever we collect Personal Data through other channels (e.g. different online applications, systems, or physically in our office).

III. Personal Data Collected and the Manner of Collection

We collect the following Personal Data when you submit your inquiries, requests, and concerns through the following website links:

A. Contact Us Form (https://gcg.gov.ph/about-us/#contact-us)

  • Email and other contact information; and
  • Personal Data that you may disclose in the message box.

B. Whistle Blowing Portal (https://whistleblowing.gcg.gov.ph/#/)

  • Name of Violator that you are complaining of;
  • Names of Witnesses that you disclose in the message box;
  • Personal Data that may be contained in the documents that you upload to support your whistleblowing report; and
  • Email and other contact information.

C. Appointive Director Data Form (https://icrs.gcg.gov.ph/addf/#/)

For the registration page:

  • Full name of the applicant;
  • Email; and
  • Date of Birth.

Profile page (Data Sheet)

  • ADDF ID;
  • Place of Birth, Civil Status, Sex, Citizenship;
  • Government Identification numbers (GSIS, Pag-Ibig, Philhealth, SSS, TIN);
  • Name of the parents, Spouse, and Children; and
  • Educational Background, including School Information.

IV. Basis, Use, and Purpose of Processing Personal Data

While your consent may be solicited to process your Personal Data, the same is not always required. This includes instances when the processing is done by the GCG in the pursuit of its mandate or when the processing is allowed under Section 12 or 13 of the DPA.

Your Personal Data is utilized by the GCG for the following purposes:

  • To document inquiries, requests, and other concerns;
  • To process your inquiries, requests, and concerns internally for appropriate action and response;
  • To contact you and provide you with the necessary updates, advisories, and responses to your inquiries, requests, and concerns, as well as to solicit feedback upon its completion;
  • To allow the GCG to comply with its legal obligations to which it is subject;
  • To comply with the legal requirements of public order and safety;
  • To fulfill our functions as the regulator of the GOCC sector, pursuant to our mandate; and
  • To provide the appropriate action when data subjects seek to exercise any of their data subject rights.

V. Methods Utilized for Automated Access

The GCG does not utilize methods for automated access of your Personal Data. Likewise, GCG does not utilize third-party services for web traffic data analytics.

VI. Disclosure of Personal Data to Third Parties

The Personal Data collected by the GCG is not shared with third parties unless done in accordance with our mandate or when the disclosure is permitted or justified under Sections 12 or 13 of the DPA.

VII. Risks Involved

Please be advised that all data processing activities carry data privacy risks that may result in harm or danger to both the GCG and its data subjects. Examples of these risks include but are not limited to: (a) the unauthorized collection, use, disclosure, or access to Personal Data with GCG’s control; (b) breach of confidentiality, integrity, and availability of Personal Data; or (c) violations of the DPA and the general data privacy principles and the rights of data subjects.

There are also digital risks for Personal Data that may be accessed through digital means such as targeted cyberattacks, malware, ransomware, and computer viruses. Meanwhile, physical risks include instances when manual records are accessed or viewed by persons without authority.

VIII. Data Protection and Security Measures

While the GCG cannot guarantee absolute protection against all kinds of data privacy risks, we implement physical, technical, and organizational security measures designed to identify these risks, minimize, or prevent their occurrence, respond appropriately if they occur, and comply with our reportorial duties after the fact, in line with the NPC’s rules on security incident management and data breach reporting Circulars.

Among the physical, technical, and organizational security measures we implement are the following:

A. Physical

  • Physical copies of documents containing Personal Data are kept in our records office, which has access restrictions as to who may enter or what records may be taken therefrom;
  • We maintain clear desk and closed drawers practices to ensure that hardcopies of documents containing Personal Data are not viewable by unintended parties;
  • Our workstations have separators to limit the viewing of monitors by unintended parties; and
  • All records are tracked in line with the GCG’s quality management systems operations manuals.

B. Technical

  • Access controls on GCG’s digital infrastructure;
  • Access controls on GCG’s online and/or digital data processing systems;
  • End-to-end encryption and data classification whenever suitable; and
  • Other technical measures to protect our computers and databases against accidental, unlawful, or unauthorized usage, interference, or access.

C. Organizational

  • The GCG has a dedicated Data Protection Officer (DPO), assisted by an assistant DPO and a Technical Working Group for Data Privacy;
  • Data Privacy policies are implemented within the organization; and
  • We conduct privacy-enhancing projects, programs, and activities, including capacity-building activities to promote data privacy practices within the organization.

Please note that this is not an exhaustive list of our security measures, and we may not disclose any proprietary, confidential, and highly technical information that may be jeopardized if made publicly available.

IX. Storage and Retention

We store files containing personal information in our computers and servers, which are kept in a secure environment and accessible strictly by authorized personnel.

These files are stored by the GCG until inquiries and requests are acted upon. If it can be reasonably determined that such inquiries or requests have attained finality and that the files will no longer be needed for future use, then said files shall be disposed of securely.

Other categories of data may be kept longer when its retention period is determined to be necessary for the continued performance of our mandate, or by other relevant laws and regulations.

X. Disposal

Physical records shall be disposed of through shredding, while digital files shall be deleted from our internal storage. In all instances, our manner of disposal shall ensure that personal information shall no longer be retrieved, processed, or accessed by unauthorized persons.

XI. Rights of the Data Subject

Under the DPA, you may exercise the following data subject rights:

A. Right to be Informed

Under the DPA, you have the right to be informed regarding processing the personal information we hold about you. Additionally, you have the following rights as a data subject under the DPA:

B. Right to Object

Subject to certain limitations, you may refuse to the collection and processing of  Personal Data. Once the Commission has been notified of any withholding of a data subject’s consent, further processing of the said Personal Data will no longer be allowed, unless:

  • The collection and processing are undertaken pursuant to the performance of our mandate, and other lawful basis or criteria under the DPA or any applicable laws, rules or regulations; or
  • The processing is required pursuant to a subpoena, lawful order, or as required by law.

C. Right to Access

You have the right to request access to the circumstances relating to the processing and collection of your Personal Data or information on automated processes where the  Personal Data is or likely to be made as sole basis for any decision of the GCG that may affect your data subject rights, when circumstances so warrant.

D. Right to Rectification

You have the right to dispute any inaccuracy or error in your Personal Data and may request the GCG to immediately correct it. Upon receipt of the said request, and after correction has been made, the GCG shall inform you of its inaccuracy and the subsequent rectifications that were made.

E. Right to Erasure or Blocking

In the absence of any other legal ground or overriding legitimate interest for the lawful processing of  Personal Data received by GCG from its data subjects, or when there is substantial proof that the said  Personal Data is incomplete, outdated, false, or has been unlawfully obtained, a request to suspend, withdraw, or order the blocking, removal, or destruction of the Personal Data from our filing system may be made by the concerned data subject.

F. Right to Damages

You may claim compensation if you believe you suffered damages due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of Personal Data or for violating your rights and freedoms as a data subject.

If you think that your Personal Data has been misused, maliciously disclosed, or improperly disposed of or that your data privacy rights have been violated, you have a right to file a complaint with the NPC.

G. Right to Data Portability

In the event the Personal Data was processed through electronic means and in a structured and commonly used format, you have the right to obtain a copy of your Personal Data in such electronic or structured format for reference and/or further use, subject to the guidelines of the NPC with regard to the exercise of such right.

H. Transmissibility of rights of the data subject

Upon the passing of a data subject, or in case of a data subject’s incapacity or incapability to exercise legal rights, the data subject’s lawful heirs and assigns may invoke the data subject’s rights in place of the data subject.

​​​​​​​XII. Limitation on rights; manner of exercising

The rights mentioned under this item are not applicable if Personal Data are processed only for scientific and statistical research purposes, and without being used as basis for carrying out any activity or taking any action regarding the data subject.

The law requires that any exercise of the rights as described in this Policy should be made in a reasonable and non-arbitrary manner, and with regard to the rights of other parties. All requests, demands or notices which may be made under this Notice or applicable law must be made in writing, and will only be considered made and officially received by the Commission.

XIII. Changes to the Privacy Notice

GCG reserves the right to update or revise this Privacy Notice at any time and will provide a new Privacy Notice whenever there are substantial changes. Prior versions of the Privacy Notice shall be retained by the Commission and shall be provided to data subjects upon request.

XIV. Details of the Data Protection Officer

If you have comments or suggestions regarding this Privacy Notice, or if you have any issues concerning GCG’s data privacy practices, you may reach us through our Data Protection Officer with the following details:


Data Protection Officer

Governance Commission for Government-Owned

or Controlled Corporations (GCG)

3rd Floor, Citibank Center, 8741 Paseo de Roxas,

Makati City, Philippines 1226

(632) 328-2030 / 318-1000



Date Updated: 23 April 2024