I. Introduction

This Privacy Policy sets out the commitment of the Governance Commission for Government-Owned or Controlled Corporations (GCG) to collect and process personal information and sensitive personal information (collectively, "personal data") in accordance with the applicable laws and regulations on data privacy, including the Philippine Data Privacy Act of 2012 ("DPA") and its implementing rules and regulations ("DPA IRR").  It explains how the GCG implements that commitment and the terms and conditions under which such personal information is collected and processed. In processing personal information, this Commission seeks to adhere to the general privacy principles of transparency, legitimate purpose, and proportionality, and such other relevant principles in the collection, processing, and retention of personal data as required by applicable law.

The GCG respects the rights of its stakeholders/data subjects and aims to comply with the requirements of all relevant privacy and data protection laws, particularly the DPA. As in the case of the National Privacy Commission (NPC), the GCG seeks to strike a balance between the personal privacy of our stakeholders, and the free flow of information, especially when pursuing the government’s legitimate interests.

II. Confidentiality under Philippine Law

Information that the GCG receives from its stakeholders/data subjects, whether constituting personal information, are generally protected as confidential information. The Commission commits to diligently observe this obligation as a government agency.

The GCG notes that local law, regulations, and authorities permit disclosure of such information under certain conditions, as when the information has become public.

III. DPA Exemptions

Section 4 of the DPA[1] exempts from its application the collection and processing of certain personal information. These data and activities are not covered by this Policy.

IV. How the GCG collects personal information

This Commission may be able to obtain personal data in various ways. These include where a natural or juridical person (a "Person") –

(i) enters into a Contract and/or Agreement with the GCG, whether or not written, including Contract of Service (COS) personnel’s employment contract, consultancy agreement, and/or contract for procurement of goods and/or services;

(ii) submits to us any application, form, complaint, report, request, notice, or some other document;

(iii) inquires after or applies for employment;

(iv) becomes an employee, officer, consultant, agent, supplier or service provider of the GCG; or

(vi) otherwise provides us with personal data, whether directly or through another Person.

Where personal data is publicly available, the GCG may be able to collect the data from such public sources, including any online presence you may have.

V. Purposes, scope and method of collection and processing

Before or at the time of collecting personal data, GCG shall identify the purpose for which the information is being collected which shall be used for the said purpose and for other compatible purposes which it may serve.

The personal information collected by the GCG should be relevant to the purpose for which it is to be used, and to the extent, when necessary, should be accurate, complete, and up-to-date. In the event the GCG, through its Technical Working Group for the Data Privacy Act, finds it necessary to collect further information from the data subject to be properly acted upon by the Commission, it shall be made by lawful and fair means, where applicable, with knowledge or consent of the data subject concerned.

The GCG utilizes standard manual and computerized methods and systems to file, store and process personal data. Collection and processing of personal data will be undertaken in accordance with the principles set out in this Policy and as required by law. Any collected personal data shall only be stored and retained for such period as may be required by applicable laws or as may be needed to enable us to fully and efficiently achieve the Purposes.

VI. Amendments and supplements

The GCG reserves its right to amend and/or supplement this policy. Its stakeholders/data subjects, upon submission of personal or sensitive personal information to the Commission commits to be bound by the prevailing terms of this Policy, as may be updated from time to time, upon the amendment or supplement published by the GCG or otherwise advised to you.

VII. Rights of data subjects

Under the DPA, data subjects have the following rights:

7.1 Right to object

GCG acknowledges its data subjects’ right to indicate its/their refusal to the collection and processing of personal data. Its data subject likewise has the right to be informed and to withhold his/her consent to further processing in case there are any changes or amendment to information given to him/her. Once the Commission has been notified of any withholding of a data subject’s consent, further processing of the said personal data will no longer be allowed, unless:

(i) The processing is required pursuant to a subpoena, lawful order, or as required by law; or

(ii) The collection and processing is undertaken pursuant to any lawful basis or criteria under the DPA or any applicable laws, rules or regulations.

7.2 Right to access

Upon its data subject’s request, access may be given to personal data that the GCG has collected or processed. The GCG likewise acknowledges the right to request access to the circumstances relating to the processing and collection of the data subject’s personal data, insofar as allowed by law.

7.3 Right to rectification

GCG’s data subjects have the right to dispute any inaccuracy or error in personal data and may request the Commission to immediately correct it. Upon receipt of the said request, and after correction has been made, the GCG shall inform any recipient of the said personal data of its inaccuracy and the subsequent rectification that was made.

7.4 Right to erasure or blocking

In the absence of any other legal ground or overriding legitimate interest for the lawful processing of personal data received by GCG from its data subjects, or when there is substantial proof that the said personal data is incomplete, outdated, false, or has been unlawfully obtained, a request to suspend, withdraw, or order the blocking, removal, or destruction of the personal data from our filing system may be made by the concerned data subject. The Commission shall also notify those who have previously received your processed personal data.

7.5 Right to damages

Under the DPA, data subjects have the right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of his/her personal data, taking into account any violation of your rights and freedoms as a data subject, as provided by law.

7.6 Right to data portability

In the event the personal data was processed through electronic means and in a structured and commonly used format, the data subject has the right to obtain a copy of his/her personal data in such electronic or structured format for reference and/or further use, subject to the guidelines of the National Privacy Commission with regard to the exercise of such right.

7.7 Transmissibility of rights of the data subject

Upon the passing of a data subject, or in case of a data subject’s incapacity or incapability to exercise legal rights, the data subject’s lawful heirs and assigns may invoke the data subject’s rights in place of the data subject.

7.8 Limitation on rights; manner of exercising

The rights mentioned under this item are not applicable if personal data are processed only for scientific and statistical research purposes, and without being used as basis for carrying out any activity or taking any action regarding the data subject.

The law requires that any exercise of the rights as described in this Policy should be made in a reasonable and non-arbitrary manner, and with regard to rights of other parties. All requests, demands or notices which may be made under this Policy or applicable law must be made in writing, and will only be considered made and officially received by the Commission.

VIII. Security Measures

The GCG at all times shall take appropriate security measures to protect personal information of its data subjects against unauthorized access or unauthorized alteration, disclosure, or destruction. These measures include internal reviews of our data collection, storage, and processing practices, as well as physical security measures to protect the said information against unauthorized access. As part of our efforts to ensure your information is protected, the GCG commits to restrict access to personal data to personnel who would need that information to perform their functions.

IX. Data breaches

The GCG commits to comply with the relevant provisions of rules and circulars on handling personal data security breaches, including notification to its data subjects or to the National Privacy Commission, where an unauthorized acquisition of sensitive personal information or information that may be used to enable identity fraud has been acquired by an unauthorized person, and is likely to give rise to a real risk of serious harm to the affected data subject. Please note that under applicable law, not all personal data breaches are notifiable.

X. Data Protection Officer

The Data Protection Officer (DPO) and the GCG Technical Working Group for the Data Privacy Act are principally responsible for ensuring GCG’s compliance with applicable laws and regulations for the protection of data privacy and security. The DPO is responsible for the supervision and enforcement of this Policy, and the relevant contact details are as follows:

Data Protection Officer

Governance Commission for Government-Owned

or Controlled Corporations (GCG)

3rd Floor, Citibank Center, 8741 Paseo de Roxas,

Makati City, Philippines 1226

(632) 328-2030 / 318-1000

privacy@gcg.gov.ph

XI. Inquiries; notices

For any inquiry related to this Policy, please contact our Data Protection Officer through the contact details indicated above.

All requests, demands or notices which a data subject may send or submit to us under this Policy must be in writing, should be addressed to the Data Protection Officer using the contact details above, and will be deemed duly given (i) on the date of delivery if delivered personally, (ii) on the third Business Day following the date of sending if delivered by a nationally recognized next-day courier service and the service has confirmed delivery, or (iii) if given by electronic mail, when such electronic mail is transmitted to the email address specified above and the appropriate confirmation has been received by the sender via email.

[1] SEC. 4. Scope. – This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are complied with.

This Act does not apply to the following:

(a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:(1) The fact that the individual is or was an officer or employee of the government institution;(2) The title, business address and office telephone number of the individual;(3) The classification, salary range and responsibilities of the position held by the individual; and(4) The name of the individual on a document prepared by the individual in the course of employment with the government;

(b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;

(c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;

(d) Personal information processed for journalistic, artistic, literary or research purposes;

(e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);

(f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and

(g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.