Data Privacy Manual
Background
Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), aims to protect personal data in information and communications systems both in
the government and the private sector.
It ensures that entities or organizations processing personal data establish policies, and implement measures and procedures that guarantee the safety and
security of personal data under their control or custody, thereby upholding an individual’s data privacy rights. A personal information controller or personal
information processor is instructed to implement reasonable and appropriate measures to protect personal data against natural dangers such as accidental loss
or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.
To inform its personnel of such measures, each personal information controller or personal information processor is expected to produce a Privacy Manual.
The Manual serves as a guide or handbook for ensuring the compliance of an organization or entity with the DPA, its Implementing Rules and Regulations (IRR),
and other relevant issuances of the National Privacy Commission (NPC). It also encapsulates the privacy and data protection protocols that need to be observed
and carried out within the organization for specific circumstances (e.g., from collection to destruction), directed toward the fulfillment and realization of the
rights of data subjects.
Introduction
SSB Property Management Services is committed to ensuring the confidentiality, security and protection of personal data. This document gives details on how
the Company uses and protects personal data for the purpose of obtaining the consent of data subjects, pursuant to RA 10173, also known as the Data
Privacy Act (DPA) of 2012, its Implementing Rules and Regulations (IRR), and other relevant laws of the Philippines. As a user of our system, you are considered
a data subject. Please read the details of this document carefully to ensure informed consent; it also serves as your guide in exercising your rights under
the DPA.
Definition of Terms
“Data Subject” – refers to an individual whose personal, sensitive personal or privileged information is processed by the organization. It may refer to officers,
employees, consultants, and clients of this organization.
“Processing” – refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording,
organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
“Personal Data” – refers to all types of Personal Information specifically:
Personal Information – Referring to any data or information recorded in a material form or not, from which the identity of the individual is evident or can be
reasonably and directly ascertained by the entity holding the information, or when put together with other data or information would directly and certainly
identify an individual.
Sensitive Information – Referring to (i) an individual’s race, ethnic origin, marital status, age, color and religious, philosophical or political affiliations; (ii) an
individual’s health, education, genetic or sexual life, or any proceeding for any offense committed or alleged to have been committed by such person, the
disposal of such proceedings or the sentence of any court in such proceedings; (iii) data or information issued by government agencies which are peculiar to
an individual, including but not limited to the following: Social Security Number, health records (current or previous), licenses or their denial, suspension or
revocation, and tax returns; and (iv) data or information which are specifically established by an executive order or an Act of Congress to be kept
classified.
Privileged Information – Referring to any and all forms of personal data which under the Rules of the Court and other pertinent laws constitute a privileged
communication.
Scope and Limitations
All personnel of this organization, regardless of the type of employment or contractual arrangement, must comply with the terms set out in this Data Policy
Manual.
Policy Manual
I. Collection and Use of Personal Data: SSB Property Management Services generally does not collect personal data unless it is provided to us voluntarily by you
directly. We may use the personal data or information in order to perform business processes effectively and efficiently in conformity with corporate policies.
II. Type of Personal Data Collected: The company may collect the following personal data:
Name
Company
Contact Number
Email Address
Position
Signature
Photo
Bank details
Emergency Contact Information
This company also collects documents needed by the condominium administration to process contracts of lease, move-in permits and gate passes. The staff attending to
customers will collect such information through accomplished forms and documents sent through email or any other messaging platform.
Personal data collected shall be used by the company for documentation purposes only.
III. Confidentiality of Data: SSB Property Management Services shall operate and hold personal data under strict confidentiality. The company shall not disclose
or share personal information in its possession with other entities without your express written consent.
Due to the sensitive and confidential nature of the personal data under the custody of the company, only the client and the authorized representative of the
company shall be allowed to access such personal data, and only for purposes that are not contrary to law, public policy, public order or morals.
IV. Data Protection: SSB Property Management Services shall implement appropriate organizational, physical and technical security measures in order to
ensure the privacy and protection of personal data in its possession. These measures shall aim to protect and secure data from loss, misuse, unauthorized
modification, unauthorized access or disclosure, alteration or destruction. The following are the company's safeguards:
Strict implementation of information security policies
Access Restriction to unauthorized personnel
Use of secured servers and firewalls
Data encryption on computing devices
As a personal information controller or personal information processor, the organization will implement reasonable and appropriate physical, technical and
organizational measures for the protection of personal data. Security measures aim to maintain the availability, integrity and confidentiality of personal data
and protect them against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful
destruction, alteration and contamination. The following sections give a general description of those measures.
Organization Security Measures
Every personal information controller and personal information processor must also consider the human aspect of data protection. The provisions under this
section include the following:
Data Protection Officer (DPO), or Compliance Officer for Privacy (COP)
The designated Data Protection Officer is the Operations Manager.
Functions of the DPO, COP and/or any other responsible personnel with similar functions
The Data Protection Officer shall oversee the compliance of the organization with the DPA, its IRR, and other related policies, including the conduct of a Privacy
Impact Assessment, implementation of security measures, security incident and data breach protocol, and the inquiry and complaints procedure.
Conduct of trainings or seminars to keep personnel, especially the Data Protection Officer updated vis-à-vis developments in data privacy and security
The organization shall sponsor a mandatory training on data privacy and security at least once a year. For personnel directly involved in the processing of
personal data, management shall ensure their attendance and participation in relevant trainings and orientations, as often as necessary.
Conduct of Privacy Impact Assessment (PIA)
The organization shall conduct a Privacy Impact Assessment (PIA) relative to all activities, projects and systems involving the processing of personal data. It may
choose to outsource the conduct of a PIA to a third party.
Recording and documentation of activities carried out by the DPO, or the organization itself, to ensure compliance with the DPA, its IRR and other relevant
policies
Duty of Confidentiality
All employees will be asked to sign a Non-Disclosure Agreement. All employees with access to personal data shall operate and hold personal data under strict
confidentiality if the same is not intended for public disclosure.
Review of Privacy Manual
This Manual shall be reviewed and evaluated annually. Privacy and security policies and practices within the organization shall be updated to remain consistent
with current data privacy best practices.
Physical Security Measures
This portion sets out the procedures intended to monitor and limit access to the facility containing the personal data, including the activities therein. It
provides for the actual design of the facility, the physical arrangement of equipment and furniture, the permissible modes of transfer, and the schedule and
means of retention and disposal of data, among others. To ensure that personal data under the custody of the organization are protected from mechanical
destruction, tampering and alteration, man-made disasters, power disturbances, external access, and other similar threats, the Manual includes the following
provisions:
Format of data to be collected
Personal data in the custody of the organization may be in digital/electronic format and paper-based/physical format.
Storage type and location
All personal data being processed by the organization shall be stored in a data room, where paper-based documents are kept in locked filing cabinets while the
digital/electronic files are stored in computers provided and installed by the company.
Access procedure of organization personnel
Only authorized personnel shall be allowed inside the data room. For this purpose, they shall each be given a duplicate of the key to the room. Other personnel
may be granted access to the room upon filing of an access request form with the Data Protection Officer and the latter’s approval thereof.
Monitoring and limitation of access to room or facility
All personnel authorized to enter and access the data room or facility must fill out and register with the online registration platform of the organization, and a
logbook placed at the entrance of the room. They shall indicate the date, time, duration and purpose of each access.
Design of office space/work station
The computers are positioned with considerable spaces between them to maintain privacy and protect the processing of personal data.
Persons involved in processing, and their duties and responsibilities
Persons involved in processing shall always maintain confidentiality and integrity of personal data. They are not allowed to bring their own gadgets or storage
device of any form when entering the data storage room.
Modes of transfer of personal data within the organization, or to third parties
Transfers of personal data via electronic mail shall use a secure email facility with encryption of the data, including any or all attachments. Facsimile technology
shall not be used for transmitting documents containing personal data.
Technical Security Measures
Each personal information controller and personal information processor must implement technical security measures to make sure that there are appropriate
and sufficient safeguards to secure the processing of personal data, particularly on the computer network in place, including encryption and authentication
processes that control and limit access. These include the following, among others:
Monitoring for security breaches
The organization shall use an intrusion detection system to monitor for security breaches and alert the organization to any attempt to interrupt or disturb the
system.
Security features of the software/s and application/s used
The organization shall first review and evaluate software applications before the installation thereof in computers and devices of the organization to ensure the
compatibility of security features with overall operations.
Process for regular testing, assessment and evaluation of the effectiveness of security measures
The organization shall review security policies, conduct vulnerability assessments and perform penetration testing within the company on a regular schedule to
be prescribed by the appropriate department or unit.
Encryption, authentication process, and other technical security measures that control and limit access to personal data
Each personnel with access to personal data shall verify his or her identity using a secure encrypted link and multi-level authentication.
V. Data Retention: All personal data or information that the company has obtained shall be retained only for the period specified by law, and after that period,
all hard and soft copies of personal data or information shall be disposed of and destroyed through secure means.
This company will ensure that personal data under its custody are protected against any accidental or unlawful destruction, alteration and disclosure as well as
against any other unlawful processing. The company will implement appropriate security measures in storing collected personal information, depending on the
nature of the information.
VI. Breach and Security Incidents: Every personal information controller or personal information processor must develop and implement policies and
procedures for the management of a personal data breach, including security incidents.
This section outlines the company's policies and procedures, including the following:
Creation of a Data Breach Response Team
A Data Breach Response Team comprising five (3) officers shall be responsible for ensuring immediate action in the event of a security incident or personal
data breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof. It shall also execute
measures to mitigate the adverse effects of the incident or breach.
Measures to prevent and minimize occurrence of breach and security incidents
The organization shall regularly conduct a Privacy Impact Assessment to identify risks in the processing system, monitor for security breaches, and conduct
vulnerability scanning of computer networks. Personnel directly involved in the processing of personal data must attend trainings and seminars for capacity
building. There must also be a periodic review of the policies and procedures being implemented in the organization.
Procedure for recovery and restoration of personal data
The organization shall always maintain a backup file for all personal data under its custody. In the event of a security incident or data breach, it shall always
compare the backup with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.
Notification protocol
The Head of the Data Breach Response Team shall inform the management of the need to notify the NPC and the data subjects affected by the incident or
breach within the period prescribed by law. Management may decide to delegate the actual notification to the head of the Data Breach Response Team.
Documentation and reporting procedure of security incidents or a personal data breach
The Data Breach Response Team shall prepare a detailed documentation of every incident or breach encountered, as well as an annual report, to be submitted
to management and the NPC, within the prescribed period.
VII. Rights of Data Subjects: As a data subject you have the following rights under the Data Privacy Act of 2012: right to be informed, right to object, right to
access, right to rectify or correct erroneous data, right to erase or block, right to data portability, right to be indemnified for damages, and right to file a
complaint.
Data subjects may inquire or request for information regarding any matter relating to the processing of their personal data under the custody of the
organization, including the data privacy and security policies implemented to ensure the protection of their personal data. They may write to the organization
and briefly discuss the inquiry, together with their contact details for reference.
The concerned department or unit shall confirm to the complainant its receipt of the complaint.
Contact Information: If you have questions or concerns or wish to lodge a complaint, you may reach our Data Protection Officer through the following
details:
1. Company Address: 116 Ground Floor, The Manila Residences Tower 1, 2320 Taft Avenue, Brgy 725 Zone 79 Singalong, Malate Manila, Philippines 1004
2. Contact Number: +63 998 417 5266
3. Email Address: mail@kondoko.com
You may also lodge a complaint with the National Privacy Commission (NPC). For further details please refer to the NPC website: https://privacy.gov.ph
CONSENT: I have read this form and understand its content and voluntarily give my consent for the collection, use, processing, storage and retention of my
personal data or information to SSB Property Management Services for the purpose(s) described in this document. I also understand that my consent does not
prevent the existence of other criteria for lawful processing of personal data and does not waive any of my rights under RA 10173 – Data Privacy Act of 2012
and other applicable laws.