Updated: 15 January 2023
Thank you for accessing and/or using our digital platform and/or services (collectively the “Services”).
1. Definition of Terms
Whenever used herein, and to the extent provided for by law or regulations on Data Privacy, the following terms shall have the respective meanings hereafter set forth:
a. “Data Privacy Act” – refers to Republic Act No. 10173, also known as the Data Privacy Act of 2012;
b. “NPC” or the “Commission” – refers to the National Privacy Commission (NPC);
c. “Consent of the data subject” – refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged information. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful representative or an agent specifically authorized by the data subject to do so (Section 3[c], Rule I, IRR of R.A. 10173);
d. “Data subject” – refers to an individual whose personal, sensitive personal, or privileged information is processed (Section 3[d], Rule I, IRR of R.A. 10173);
e. “Data processing systems” – refers to the structure and procedure by which personal data is collected and further processed in an information and communications system or relevant filing system, including the purpose and intended output of the processing (Section 3[e], Rule I, IRR of R.A. 10173);
f. “Data sharing” – is the disclosure or transfer to a third party of personal data under the custody of a personal information controller or personal information processor. In the case of the latter, such disclosure or transfer must have been upon the instructions of the personal information controller concerned. The term excludes outsourcing, or the disclosure or transfer of personal data by a personal information controller to a personal information processor (Section 3[f], Rule I, IRR of R.A. 10173);
g. “Direct marketing” – refers to communication by whatever means of any advertising or marketing material which is directed to particular individuals (Section 3[g], Rule I, IRR of R.A. 10173);
h. “Filing system” – refers to any set of information relating to natural or juridical persons to the extent that, although the information is not processed by equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible (Section 3[h], Rule I, IRR of R.A. 10173);
i. “Information and communications system” – refers to a system for generating, sending, receiving, storing, or otherwise processing electronic data messages or electronic documents, and includes the computer system or other similar device by which data is recorded, transmitted, or stored, and any procedure related to the recording, transmission, or storage of electronic data, electronic message, or electronic document (Section 3[i], Rule I, IRR of R.A. 10173);
j. “Personal data” – refers to all types of personal information (Section 3[j], Rule I, IRR of R.A. 10173);
k. “Personal data breach” – refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed (Section 3[k], Rule I, IRR of R.A. 10173);
l. “Personal information” – refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual (Section 3[l], Rule I, IRR of R.A. 10173);
m. “Personal information controller” – refers to a natural or juridical person, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf. The term excludes:
1. A natural or juridical person, or any other body, who performs such functions as instructed by another person or organization; or
2. A natural person who processes personal data in connection with his or her personal, family, or household affairs;
There is control if the natural or juridical person or any other body decides on what information is collected, or the purpose or extent of its processing (Section 3[m], Rule I, IRR of R.A. 10173);
n. “Personal information processor” – refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject (Section 3[n], Rule I, IRR of R.A. 10173);
o. “Processing” – refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system (Section 3[o], Rule I, IRR of R.A. 10173);
p. “Profiling” – refers to any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements (Section 3[p], Rule I, IRR of R.A. 10173);
q. “Privacy notices” – refer to advisories/notices in writing informing data subjects and/or the public of the relevant and salient points of the Company’s data privacy policies which may be applicable in a given situation, such as Privacy Memos and/or Bulletins at workplaces, and Privacy Policies in the Company’s website, application, technology, and analogous therewith;
r. “Privileged information” – refers to any and all forms of data, which, under the Rules of Court and other pertinent laws constitute privileged communication (Section 3[q], Rule I, IRR of R.A. 10173);
s. “Public authority” – refers to any government entity created by the Constitution or law, and vested with law enforcement or regulatory authority and functions (Section 3[r], Rule I, IRR of R.A. 10173);
t. “Security incident” – is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity and confidentiality of personal data. It includes incidents that would result to a personal data breach, if not for safeguards that have been put in place (Section 3[s], Rule I, IRR of R.A. 10173);
u. “Sensitive personal information” – refers to personal information:
1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
2. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
3. Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
4. Specifically established by an executive order or an act of Congress to be kept classified. (Section 3[t], Rule I, IRR of R.A. 10173)
2. In General
We aim to avoid, if not minimize, collecting personal data.
a. No collection of personal data
It is our general policy to avoid processing of personal data.
Notwithstanding, it may be necessary to collect personal data in certain situations, such as for signing up for masterclass or online courses, downloading certain digital files, availing of email newsletters, and analogous thereto.
b. Limited collection of personal data
Where it cannot be avoided, personal data that would be processed will be limited and only to the extent that may be solely determined by us to be necessary to effectively provide for the requested services or products.
3. Your consent
By accessing and continued use of our Services, you unconditionally give your informed consent to the following:
1) The processing of your personal data, including but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data (collectively, the “processing”); and
2) Such processing shall be in compliance primarily with the Republic of the Philippines’ privacy laws and regulations, namely Republic Act No. 10173 or the Data Privacy Act of 2012 (“Data Privacy Law”) and its Implementing Rules and Regulations (“IRR”), and by way of suppletory application and to the extent legally applicable, to the data privacy laws and regulations applicable to you, or to the country/jurisdiction where you are accessing and using our Services, including but not limited to, the European Union’s General Data Protection Regulation (EU GDPR), the California Consumer Privacy Act (CCPA), and similar laws and/or regulations.
a. Contact information
For any concerns, you may reach us at: email@example.com or firstname.lastname@example.org.
4. Principles on privacy
a. General Data Privacy Principles.
The processing of personal data shall be allowed, subject to compliance with the requirements of the Act and other laws allowing disclosure of information to the public, and adherence to the principles of transparency, legitimate purpose, and proportionality. (Section 17, Rule IV, IRR)
b. Principles of Transparency, Legitimate Purpose and Proportionality
The processing of personal data shall be allowed subject to adherence to the principles of transparency, legitimate purpose, and proportionality. (Section 18, Rule IV, Ibid.)
a. Transparency. The data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of personal information controller, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language. (Section 18[a], Rule IV, Ibid.)
b. Legitimate purpose. The processing of information shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy. (Section 18[b], Rule IV, Ibid.)
c. Proportionality. The processing of information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means. (Section 18[c], Rule IV, Ibid.)
c. General principles in collection, processing and retention
The processing of personal data shall adhere to the following general principles in the collection, processing, and retention of personal data (Section 19[c], Rule IV, Ibid.):
1) Declared, specified, legitimate purpose
Collection must be for a declared, specified, and legitimate purpose. (Section 19[a], Rule IV, Ibid.)
1) Consent is required prior to the collection and processing of personal data, subject to exemptions provided by the Act and other applicable laws and regulations. When consent is required, it must be time-bound in relation to the declared, specified and legitimate purpose. Consent given may be withdrawn. (Section 19[a], Rule IV, Ibid.)
2) The data subject must be provided specific information regarding the purpose and extent of processing, including, where applicable, the automated processing of his or her personal data for profiling, or processing for direct marketing, and data sharing. (Section 19[a], Rule IV, Ibid.)
3) Purpose should be determined and declared before, or as soon as reasonably practicable, after collection. (Section 19[a], Rule IV, Ibid.)
4) Only personal data that is necessary and compatible with declared, specified, and legitimate purpose shall be collected. (Section 19[a], Rule IV, Ibid.)
2) Fair and lawful processing
Personal data shall be processed fairly and lawfully. (Section 19[b], Rule IV, Ibid.):
1) Processing shall uphold the rights of the data subject, including the right to refuse, withdraw consent, or object. It shall likewise be transparent, and allow the data subject sufficient information to know the nature and extent of processing. (Section 19[b], Rule IV, Ibid.)
2) Information provided to a data subject must always be in clear and plain language to ensure that they are easy to understand and access. (Section 19[b], Rule IV, Ibid.)
3) Processing must be in a manner compatible with declared, specified, and legitimate purpose. (Section 19[b], Rule IV, Ibid.)
4) Processed personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. (Section 19[b], Rule IV, Ibid.)
5) Processing shall be undertaken in a manner that ensures appropriate privacy and security safeguards. (Section 19[b][c], Rule IV, Ibid.)
3) Data quality
Processing should ensure data quality.
1) Personal data should be accurate and where necessary for declared, specified and legitimate purpose, kept up to date. (Section 19[c], Rule IV, Ibid.)
2) Inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted. (Section 19[c], Rule IV, Ibid.)
4) Retained not longer than necessary
Personal Data shall not be retained longer than necessary. (Section 19[d], Rule IV, Ibid.)
1) Retention of personal data shall only be for as long as necessary:
a) for the fulfillment of the declared, specified, and legitimate purpose, or when the processing relevant to the purpose has been terminated (Section 19[d][a], Rule IV, Ibid.);
b) for the establishment, exercise or defense of legal claims (Section 19[d][b], Rule IV, Ibid.); or
c) for legitimate business purposes, which must be consistent with standards followed by the applicable industry or approved by appropriate government agency. (Section 19[d][c], Rule IV, Ibid.)
2) Retention of personal data shall be allowed in cases provided by law. (Section 19[d], Rule IV, Ibid.)
3) Personal data shall be disposed or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other party or the public, or prejudice the interests of the data subjects. (Section 19[d], Rule IV, Ibid.)
5) Adequate safeguards
Any authorized further processing shall have adequate safeguards. (Section 19[e], Rule IV, Ibid.)
1) Personal data originally collected for a declared, specified, or legitimate purpose may be processed further for historical, statistical, or scientific purposes, and, in cases laid down in law, may be stored for longer periods, subject to implementation of the appropriate organizational, physical, and technical security measures required by the Act in order to safeguard the rights and freedoms of the data subject. (Section 19[e], Rule IV, Ibid.)
2) Personal data which is aggregated or kept in a form which does not permit identification of data subjects may be kept longer than necessary for the declared, specified, and legitimate purpose. (Section 19[e], Rule IV, Ibid.)
3) Personal data shall not be retained in perpetuity in contemplation of a possible future use yet to be determined. (Section 19[e], Rule IV, Ibid.)
d. General Principles for Data Sharing
Further Processing of Personal Data collected from a party other than the Data Subject shall be allowed under any of the following conditions (Section 20, Rule IV, Ibid.):
1) Only when authorized by law
Data sharing shall be allowed when it is expressly authorized by law: Provided, that there are adequate safeguards for data privacy and security, and processing adheres to principle of transparency, legitimate purpose and proportionality. (Section 20[a], Rule IV, Ibid.)
2) Data subject’s consent
Data Sharing shall be allowed in the private sector if the data subject consents to data sharing, and the following conditions are complied with (Section 20[b], Rule IV, Ibid.):
1) Consent for data sharing shall be required even when the data is to be shared with an affiliate or mother company, or similar relationships (Section 20[b], Rule IV, Ibid.);
2) Data sharing for commercial purposes, including direct marketing, shall be covered by a data sharing agreement. (Section 20[b], Rule IV, Ibid.)
a) The data sharing agreement shall establish adequate safeguards for data privacy and security, and uphold rights of data subjects (Section 20[b][a], Rule IV, Ibid.);
b) The data sharing agreement shall be subject to review by the Commission, on its own initiative or upon complaint of data subject (Section 20[b][b], Rule IV, Ibid.);
3) The data subject shall be provided with the following information prior to collection or before data is shared (Section 20[b], Rule IV, Ibid.):
a) Identity of the personal information controllers or personal information processors that will be given access to the personal data (Section 20[b][a], Rule IV, Ibid.);
b) Purpose of data sharing (Section 20[b][b], Rule IV, Ibid.);
c) Categories of personal data concerned (Section 20[b][c], Rule IV, Ibid.);
d) Intended recipients or categories of recipients of the personal data (Section 20[b][d], Rule IV, Ibid.);
e) Existence of the rights of data subjects, including the right to access and correction, and the right to object (Section 20[b][e], Rule IV, Ibid.);
f) Other information that would sufficiently notify the data subject of the nature and extent of data sharing and the manner of processing. (Section 20[b][f], Rule IV, Ibid.)
4) Further processing of shared data shall adhere to the data privacy principles laid down in the Act, these Rules, and other issuances of the Commission. (Section 20[b], Rule IV, Ibid.)
3) Research purposes
Data collected from parties other than the data subject for purpose of research shall be allowed when the personal data is publicly available, or has the consent of the data subject for purpose of research: Provided, that adequate safeguards are in place, and no decision directly affecting the data subject shall be made on the basis of the data collected or processed. The rights of the data subject shall be upheld without compromising research integrity. (Section 20[c], Rule IV, Ibid.)
4) Government agencies
Data sharing between government agencies for the purpose of a public function or provision of a public service shall be covered by a data sharing agreement. (Section 20[d], Rule IV, Ibid.)
1) Any or all government agencies party to the agreement shall comply with the Act, these Rules, and all other issuances of the Commission, including putting in place adequate safeguards for data privacy and security. (Section 20[d], Rule IV, Ibid.)
2) The data sharing agreement shall be subject to review of the Commission, on its own initiative or upon complaint of data subject. (Section 20[d], Rule IV, Ibid.)
5. What may be collected
We collect as little personal information as possible.
Generally, our purposes for collecting your personal information are as follows:
1) To comply with existing laws and regulations, including lawful orders issued by competent authorities;
2) To be responsive to any message or feedback that you may have forwarded to us;
3) To assist us in improving the quality of our Services;
4) To verify your identity, where necessary;
5) To comply with contractual obligations that we may have with you;
6) To allow us to utilize the information to the extent allowed for by law.
The personal information that may be collected includes your complete name, email address, mobile number, and other relevant information, depending on the Services that you may have signed up for.
For our Cookies Policy, you may view it here: Cookies Policy (https://laborlaw.ph/legal/cookies)
7. Third party services
Our Services depend on trusted third-party services, such as Google / Google Ads. They have robust privacy policies and practices. As we rely on them, your trust in us also extends to them.
You have the option of opting out of the cookies served by third-party services via www.aboutads.info.
8. Protection measures
The Services are built on trusted third-party services, primarily using Automattic’s WordPress, which is a Content Management System (CMS).
On our end, the protection of your personal information is complemented by our implementation of reasonable and appropriate organizational, physical and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.
9. Processing and sharing
The processing of your personal information requires us to share it with the earlier mentioned trusted third-party services.
Where necessary, we may share it with trusted external third-party service providers, professionals, and consultants, including, but not limited to, lawyers, accountants, auditors, information and technology (IT) or software service providers, and analogous thereto.
10. Duration of retention
We shall be retaining the personal information to the extent allowed by law and/or insofar as the purposes remain or until such purposes have been served. The retention may be for at least a period of five (5) years unless sooner shortened by you or by legal requirement.
11. Rights as a Data Subject
Under the Data Privacy Act, data subjects, such as you, have the following rights in relation to your personal information:
1) Right to be informed.
a) The data subject has a right to be informed whether personal data pertaining to him or her shall be, are being, or have been processed, including the existence of automated decision-making and profiling. (Section 34[a], Rule VIII Ibid.)
b) The data subject shall be notified and furnished with information indicated hereunder before the entry of his or her personal data into the processing system of the personal information controller, or at the next practical opportunity:
a) Description of the personal data to be entered into the system;
b) Purposes for which they are being or will be processed, including processing for direct marketing, profiling or historical, statistical or scientific purpose;
c) Basis of processing, when processing is not based on the consent of the data subject;
d) Scope and method of the personal data processing;
e) The recipients or classes of recipients to whom the personal data are or may be disclosed;
f) Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized, including meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
g) The identity and contact details of the personal data controller or its representative;
h) The period for which the information will be stored; and
i) The existence of their rights as data subjects, including the right to access, correction, and object to the processing, as well as the right to lodge a complaint before the Commission. (Section 34[a], Rule VIII Ibid.)
2) Right to object. The data subject shall have the right to object to the processing of his or her personal data, including processing for direct marketing, automated processing or profiling. The data subject shall also be notified and given an opportunity to withhold consent to the processing in case of changes or any amendment to the information supplied or declared to the data subject in the preceding paragraph. (Section 34[b], Rule VIII Ibid.)
When a data subject objects or withholds consent, the personal information controller shall no longer process the personal data, unless:
1. The personal data is needed pursuant to a subpoena;
2. The collection and processing are for obvious purposes, including, when it is necessary for the performance of or in relation to a contract or service to which the data subject is a party, or when necessary or desirable in the context of an employer-employee relationship between the collector and the data subject; or
3. The information is being collected and processed as a result of a legal obligation. (Paragraph 2, Section 34[b], Rule VIII Ibid.)
3) Right to Access. The data subject has the right to reasonable access to, upon demand, the following:
1. Contents of his or her personal data that were processed;
2. Sources from which personal data were obtained;
3. Names and addresses of recipients of the personal data;
4. Manner by which such data were processed;
5. Reasons for the disclosure of the personal data to recipients, if any;
6. Information on automated processes where the data will, or is likely to, be made as the sole basis for any decision that significantly affects or will affect the data subject;
7. Date when his or her personal data concerning the data subject were last accessed and modified; and
8. The designation, name or identity, and address of the personal information controller. (Section 34[c], Ibid.)
4) Right to rectification. The data subject has the right to dispute the inaccuracy or error in the personal data and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal data has been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by the intended recipients thereof: Provided, That recipients or third parties who have previously received such processed personal data shall be informed of its inaccuracy and its rectification, upon reasonable request of the data subject. (Section 34[d], Rule VIII Ibid.)
5) Right to Erasure or Blocking. The data subject shall have the right to suspend, withdraw or order the blocking, removal or destruction of his or her personal data from the personal information controller’s filing system.
1. This right may be exercised upon discovery and substantial proof of any of the following:
(a) The personal data is incomplete, outdated, false, or unlawfully obtained;
(b) The personal data is being used for purpose not authorized by the data subject;
(c) The personal data is no longer necessary for the purposes for which they were collected;
(d) The data subject withdraws consent or objects to the processing, and there is no other legal ground or overriding legitimate interest for the processing;
(e) The personal data concerns private information that is prejudicial to data subject, unless justified by freedom of speech, of expression, or of the press or otherwise authorized;
(f) The processing is unlawful;
(g) The personal information controller or personal information processor violated the rights of the data subject. (Section 34[e], Ibid.)
2. The personal information controller may notify third parties who have previously received such processed personal information. (Section 34[e], Rule VIII Ibid.)
6) Right to damages. The data subject shall be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, taking into account any violation of his or her rights and freedoms as data subject. (Section 34[f], Rule VIII Ibid.)
7) Transmissibility of Rights of the Data Subject. The lawful heirs and assigns of the data subject may invoke the rights of the data subject to which he or she is an heir or an assignee, at any time after the death of the data subject, or when the data subject is incapacitated or incapable of exercising the rights as enumerated in the immediately preceding section. (Section 35, Rule VIII Ibid.)
8) Right to Data Portability. Where his or her personal data is processed by electronic means and in a structured and commonly used format, the data subject shall have the right to obtain from the personal information controller a copy of such data in an electronic or structured format that is commonly used and allows for further use by the data subject. The exercise of this right shall primarily take into account the right of data subject to have control over his or her personal data being processed based on consent or contract, for commercial purpose, or through automated means. The Commission may specify the electronic format referred to above, as well as the technical standards, modalities, procedures and other rules for their transfer. (Section 36, Rule VIII Ibid.)
12. Limitation on Rights
The immediately preceding sections shall not be applicable if the processed personal data are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, that the personal data shall be held under strict confidentiality and shall be used only for the declared purpose. The said sections are also not applicable to the processing of personal data gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject. Any limitations on the rights of the data subject shall only be to the minimum extent necessary to achieve the purpose of said research or investigation. (Section 37, Rule VIII Ibid.)
13. Updates and Revisions
The terms herein may be revised from time to time. It is your responsibility to regularly visit this page for your awareness and information.