Privacy Policy
1. PRIVACY STATEMENT
This Privacy Policy reflects our commitment to protect the personal data we collect and process. Should there be any future amendments to this document because of any changes in our personal data processing activities, we shall undertake reasonable efforts to effectively notify affected data subjects, and, where applicable, appropriately obtain their consent.
2. SCOPE
2.1. This Privacy Policy enumerates our organizational policy in relation to the collection and processing of all personal data.
2.2. We reserve the right to amend and/or modify its Privacy Policy to comply with any future developments in local and/or foreign data privacy regulations where applicable.
2.3. This Privacy Policy applies to all of our personal data processing activities, including, but not limited to, the collection, use, storage, sharing and disposal of all personal data about the organization’s customers and employees.
3. COLLECTION AND USE OF PERSONAL DATA
3.1. Scope and Purpose of Personal Data Processing
We collect and process personal data through the following activities of the organization:
- Maintenance and Implementation of CCAP’s Vendor Management System. The purpose of this system is to provide CCAP-member organizations with a centralized database of CCAP-accredited vendors and service providers as well as their products and services. We collect and process personal data including the contact information CCAP-Member organization representatives for purposes of restricting user access to the system. We also collect the personal data of vendor and service provider representatives to allow CCAP-member organizations to reach out to them.
- Maintenance of CCAP-membership database. We collect the personal data including contact information of representative of CCAP-member organization for purposes of communication and coordination in relation to CCAP-related activities, services and events.
- Human Resource Management. We collect personal data about our staff for human resource management purposes and compliance with applicable laws, rules and regulations.
3.2 THE RIGHTS OF DATA SUBJECTS
We fully recognize the following privacy rights of our data subjects:
- Right to be informed – Data subjects have the right to demand and be informed of the details about how and why we collect and process their personal.
- Right to Object – They have the right to object to the sharing of their data.
- Right to withdraw consent anytime -They have the right to withdraw their consent to the processing of their personal data anytime subject to any lawful basis for which such data is processed other than by consent.
- Right to access – They have the right to have reasonable access to their personal data.
- Right to dispute/rectify – They have the right to review and amend their personal data as processed by the organization should there be any inaccuracies.
- Right to object/block/erase – They have the right to reject further processing of their personal data which are falsely collected or unlawfully processed.
3.3. POLICY ON THE COLLECTION AND USE OF PERSONAL DATA
It is our policy to:
- Adequately inform our data subjects of their rights;
- Ensure that they are fully and adequately informed of all processing activities performed by the organization with respect to their personal data including the scope, purpose and means used for such processing, period of retention, manner of disposal.
- Obtain their express, informed and properly documented consent, where applicable, to our data processing activities.
- Ensure that they have the facility to reasonably exercise their rights and that the organization can respond to such requests within reasonable time.
- Ensure that they have the facility to dispute any inaccuracy or error in their personal data, to object to any changes in the manner and purpose by which their personal data is being processed, to withdraw consent where applicable, and to suspend or remove any unnecessary, falsely collected or unlawfully processed personal data;
- Ensure that the personal data obtained from them are proportional, necessary and limited to the declared, specified and legitimate purpose of the processing;
- Ensure that their personal data are retained for only a limited period or until the lawful purpose of the processing has been achieved;
- Ensure that their personal data are destroyed or disposed of in a secure manner;
- Ensure that they have the facility to lodge complaints with us relating to any violations of their rights and that such complaints are adequately and timely addressed.
- With respect to personal data collected and processed from foreign sources, we ensure that their personal data, is collected and processed in accordance with the applicable foreign law, if any.
4. PERSONAL DATA SECURITY POLICY
- STORAGE OF AND ACCESS TO PERSONAL DATA
It is our policy to store both paper-based and electronic personal data in a secure data center covered by appropriate organizational, technical and physical security standards. Transfers of personal data within and without the organization shall only be made in accordance with strict security protocols.
- RETENTION AND DISPOSAL OF PERSONAL DATA
We only retain personal data for a limited period or until the lawful and legitimate purpose of the processing is achieved. To that effect, we have established procedures for securely disposing files that contain personal data.
- MANAGEMENT OF THIRD-PARTY RISKS
a. PERSONAL INFORMATION PROCESSORS
Where any processing of personal data is outsourced to a third-party processor, we make sure that such third party shall be covered by the appropriate contracts that will enforce adequate data security standards under terms and conditions compliant with the requirements of both local and/or foreign law, where necessary.
b. PERSONAL INFORMATION CONTROLLERS
We ensure that any disclosures or transfers of personal data to controllers shall be governed by legally-compliant data sharing agreements and in accordance with the rights of data subjects. Data subjects shall be duly informed and consent from them obtained, where applicable, before such data sharing activities are performed.
5. PRIVACY GOVERNANCE
- DATA PROTECTION OFFICER
CCAP has duly appointed and Data Protection Officer (“DPO”) tasked to monitor our compliance with the Data Privacy Act, its Implementing Rules and Regulations, Memorandum Circulars issued by the NPC and this Privacy Policy.
- CONTACT INFORMATION
Our DPO is fully committed to enforcing our privacy policy. Should you have any concerns regarding CCAP’s privacy practices and policies, you may contact us.