PRIVACY POLICY
NCCC’s Managing Data Privacy
  1. Data are identified as personal, private and sensitive in nature if it pertains to the following:
    1. Individual’s personal identity such as name, age, race, address, ethnic origin, marital status, religion, contact number, etc.;
    2. Other background such as health, education, work, political affiliation and sexual life;
    3. Offense committed or alleged to have been committed;
    4. Peculiar information issued by Government Agency such as SSS number, TIN, etc.;
    5. Voice and appearance captured in the CCTV images;
    6. Those identified by law as sensitive information.
  2. Data subjects are comprised of, but not limited to the following:
    Internal External
    1. Employees
    2. Board of Directors
    3. Consultants
    1. Customer/Guests
    2. Trade and Non-Trade Vendors
    3. Tenants
    4. Contractors
    5. Third Party Service Providers
    6. Employees Dependents
    7. Scholarship Grantees (NCCC Cares)
    8. Applicants
    9. Buyer/ Bidder for Material Recovery Facility (NCCC Cares)
    10. Banks
  3. A Data Protection Officer (DPO) shall be appointed to manage and safeguard the handling of personal information in compliance of Data Privacy Act (DPA).
    1. One DPO shall be appointed that will represent the entire NCCC Group, however, one (1) Data Privacy representative or coordinator shall be designated per business unit.
  4. The company shall design a privacy management program to ensure proper handling, storage and processing of private information, and protection from all forms of data breaching.
  1. Consent of the data subject must be obtained before collection of data shall commenced.
    1. Consent must be freely given and not obtained through intimidation, coercion or fraud;
    2. Consent must be supported by evidence or any documentary records.
  2. Exemption for consent is only valid for reasons of:
    1. Data subject is a party to a contractual agreement, and that information is necessary for the fulfillment of the contract;
    2. On account of national emergency.
  3. Consent of the data subject is evidenced by completing the required forms or documents and by affixing signature on it.
  4. In instances wherein a person committed/ submitted data not belonging to him/her, such as in cases of proxy or representative, accountability points on the real owner of the information, as the data subject.
  1. Collection of private information must be declared and informed to data subject.
    1. The purpose and extent of the data processing shall also be known to the data subject.
  2. The form or document used for collection of data must reflect a privacy disclaimer which provides overview of the company’s privacy policy statement. Refer to Annex B for the Privacy Policy Disclaimer.
  3. The company’s privacy policy statement shall be posted in a conspicuous area in the Customer Service Counter (CSC) or at the company’s website. See Annex B for Privacy Policy Statement.
  4. The company’s privacy policy statement shall contain specific details on:
    1. The company’s commitment to privacy of personal information and protection of data;
    2. Consent of the data subject;
    3. Purpose and extent of the data processing;
    4. If data is intended for sharing, data subject must be informed and consent shall also be required before data is shared by the company with authorized third parties and business partners.
  5. Private information are collected in a variety of ways including but not limited to:
    1. Purchasing or availing of products and services;
    2. Online and electronic interaction including websites, mobile applications, text messaging programs;
    3. Interaction with company’s sales or customer care associates through personal, email, or
    4. Offline interaction, including marketing campaigns, hard copy registration cards or forms for customer loyalty program (e.g. NCCC rewards card, Kanegosyo Wallet) and competition entries.
    5. Providing personal information in relation to inquiries, request or complaint through Customer Feedback Form, Merchandise Return and Exchange Slip (MRES) and the like;
    6. Responding to surveys, promotions, and other marketing and sales initiatives;
    7. Submitting curriculum vitae/resume for a job application;
    8. Visiting, browsing and using any of the services on company’s website;
    9. Application for vendor accreditation for trade and non-trade assets;
    10. Application for scholarship grant;
    11. Referral from third parties or any of business partners (promotional tie up);
    12. Submission of personal information for any other similar reason not stated above.
  6. Legitimate purpose for data processing may include, but not limited to the following:
    1. Profiling;
    2. Processing for direct marketing;
    3. Enhancing customer experience through product and service innovation;
    4. Communicate relevant services and giving updates on promotions, discounts, advisories or events;
    5. Provide customer service including responses to inquiries, request, complaints and general feedback about product and services;
    6. Consumer engagement
    7. For recruitment purposes;
    8. Community and social response;
    9. Ensuring public security, safety and order;
    10. Process information for statistical, analytical and research purposes;
    11. Data Sharing;
    12. Complies with the requirements imposed by the law, legal proceedings and obligations;
    13. Other uses by nature of the company’s dealings and operations;
    14. For any other purpose incidental, ancillary or in furtherance of the above-mentioned purposes.
  1. The company shall ensure that private information are handled properly, protected at all times, and all control measures are in place in processing:
    1. Encrypting and transmitting of private information collected from data subject to storage shall be in established in a secure way.
  2. Collected Data shall be in a form of and stored through any of the following manner:
    Type Storage
    Soft/ electronic copy Digital or electronic medium
    Hard copy Physical or manual filing
  3. All information for manual or physical filing must be stored in a labeled and secured file cabinets, drawers or shelves. While electronic copies must be stored in a secure and encrypted magnetic tapes and optical disc.
  4. The information available for processing must be accurate, complete and updated as possible.
  5. Collected information shall only be used or processed on its intended purpose.
  1. The company shall ensure that only authorized persons or parties shall have access to the information. See Annex D for the Access Management Matrix.
  2. Private information may be processed by the following as reasonably necessary for the purpose set out in this policy:
    1. Employees and Officers
    2. Consultants and Advisers
    3. Banks, Insurers and Credit Providers
    4. Contractors and third party service providers
    5. Members of our group of companies, subsidiaries and affiliates
    6. Joint venture and alliance partners
  1. Sharing of personal information with anyone outside of NCCC group is not allowed, however, private information may also be disclosed to or for reasons of:
    Recipient Reason of Transfer
    Parents, subsidiaries and Affiliated Companies
    • Communicate company’s performance
    • Business and financial decisions
    Third Parties such as:
    • Agents (marketing and promotions)
    • Research Agencies
    • Logistics
    • Third Party Service Provider
    • Deliver and analyze the effectiveness of marketing and other promotions.
    • Collate and analyze consumer feedback regarding products and services.
    • Deliver products and services to customers.
    • Administrative or any other services in connection with the operation of business and provision of products and services.
    Credit agencies
    • Credit decisions and transactions
    Any Government agencies or regulatory authorities
    • Comply with legal and statutory requirements and obligation;
    • In connection with any ongoing or prospective legal proceeding.
  2. If data obtained is for sharing there must be agreement between the company and the recipient containing purpose and details of authorization: See Annex E for Data Transfer and Sharing Agreement.
    1. Why data sharing is necessary for the effective and efficient operation of the business;
    2. The rights of the data subject is protected at all times;
    3. Data is used or processed only consonance with the company’s purpose or in a manner consistent with NCCC’s privacy policy as per stated in the agreement and data protection law;
    4. Information is secured and protected from any misuse and mishandling.
  1. Data breaching may be committed through any of the following manner:
    1. Insecure Storage
    2. Theft or loss of data
    3. Unauthorized viewing or access of personal data;
    4. Unauthorized copying or transmitting of personal data;
    5. Insecure transmission or sharing of personal data;
    6. Password hacked or revealed;
    7. Incomplete and incorrect processing of information;
    8. Disclosure to any unauthorized third party;
    9. Improper disposal or destruction of data.
  2. Personal information breaches shall be regarded by the company seriously and must be acted upon immediately.
    1. An investigation on how and why the breach happened shall be conducted before imposition of décor action shall be made.
    2. If investigation results showed that the breach was committed deliberately for any malicious intent or due diligence was not afforded in the exercise of duty leading to information breach, the accountable associate shall be subject to a décor action in accordance with NCCC spirit.
  3. An assessment on the impact of the breach shall be conducted.
  4. The following recourse shall be performed to address or prevent data breach. See Data Breach Matrix attached here as Annex F.
    Recourse Description
    Dissemination Spreading or making an information known to everyone.
    Safe keep Keeping an information safe and protected.
    Encrypt A process wherein data is translated into another form or code, so that only people with access to a secret key (formally called a decryption key) or password can read it.
    Update Modification of data for improvement and proliferation.
    Block Reasonable constraint imposed on the exchange and transmission of data.
    Quarantine Antivirus software isolates infected file on a computer’s hard disk to prevent infecting the hosting system.
    Remove Erasure or removal of personal data from the filing system.
    Notification Informing the data subject of the occurrence of breach.
    Destruction Process of destroying data stored on electronic media and physical filing so that it is completely unreadable and cannot be accessed or used for unauthorized purposes.
    Audit Review of data to assess quality or utility for specific purpose.
    Penalties A punishment imposed for breaking a law, rule or contract which may be in form of fines or penal in nature.
  5. Notification to the National Privacy Commission (NPC) as well as the affected data subject shall be made in cases that personal information got compromised or there is a risk of impending data breach.
  6. The content of the notification shall be:
    1. Description the nature of the breach;
    2. Specific information on personal data breached;
    3. Measures taken by the company to address the breach, or to reduce the harm or consequences of the breach;
    4. Contact details of the company or the Data Protection Officer; and
    5. Any assistance that could be provided to the affected data subject.
  7. Notification shall be made within seventy-two (72) hours from knowledge of the happening of the breach or upon personal belief by the Data Protection Officer that data breach has been committed and requires notification.
  8. Data Subject shall be afforded of all remedies in case of data breaching:
    1. The “right to be forgotten” in the form of suspension, erasure, blocking, withdrawal or removal of personal data from the filing system of the company upon discovery and substantial proof that the personal information are incomplete, outdated, false or unlawfully obtained;
    2. Data portability; and
    3. Institution of civil and criminal proceedings both penal and monetary.
  1. Data shall be retained only for as long as reasonably needed by the company to achieve a legitimate business purpose.
  2. All data that has reached its retention period is considered for disposal. See Annex G for Data Retention and Disposal Matrix.
  3. Information may be disposed for any of the following reasons:
    1. Data subject order the removal of his or her personal information after substantial evidence has been adduced that storing of information may violate his or her constitutional rights.
    2. Data is deemed no longer needed by the company because the purpose of the collection has already been achieved or the data are no longer necessary for the purposes for which they were collected.
    3. There is data breach incident and continued retention of data is declared unlawful.
  4. Disposal of data shall be supported by the Document Disposal List and shall be approved by the highest ranking officer of the department or business unit.
  5. Personal information must be discarded in a secure manner that would prevent further processing, recreated or reread, unauthorized access or disclosure to any other party or the public, including but not limited to:
    1. Shredding
    2. Deleting digital documents
  1. The privacy management program shall be constantly reviewed, monitored, updated and enhanced to ensure continuous fulfillment of its objectives or apply changes due to new laws affecting data privacy act.
  2. Checking and monitoring of the information system and other mode of data storage shall be performed regularly and shall include the following:
    1. Security Vulnerability
    2. Penetration Testing
  3. Result of the checking and assessment shall be recorded in the Data Safety and Security Monitoring Report attached as Annex G.
  4. Aside from security assessment, the following actions shall also be performed to facilitate monitoring and security of private information:
    1. Reporting and monitoring of breach incidents and security events;
    2. Performing physical, technical and organizational safeguards to protect personal information
Annex B. Privacy Policy Disclaimer

By signing below, I am agreeing to NCCC’s Privacy Notice and giving my consent to the collection, processing and sharing of my personal data in accordance with NCCC’s privacy policy and applicable data protection law. If you have any questions or concerns about how we handle your personal information, you may contact us via telephone number __________, email us at _____________ or refer directly your concerns to NCCC’s Privacy Policy posted at our website and all Customer Service counters.

Annex C. Privacy Policy Statement

NCCC is committed to conduct our business in compliance with applicable laws and regulations on privacy and data protection also known as Data Privacy Act of 2012 or RA no. 10173. This commitment reflects the value we place on earning and keeping the trust of our employees, customers, business partners and others who share their personal information with us.

By interacting with us, visiting our website or by voluntarily providing your personal information to us in the use of any of our products and services you are deemed to have read and explicitly authorized and consented us collecting, using and sharing your personal information. You can assure that when you submit sensitive information to us, the same shall be treated with confidentiality, and we shall take all necessary physical and technical precautions to protect your personal information from unauthorized access, loss, disclosure, use and modification, and we shall only process the collected personal data for consumer engagement, marketing and research conducted relating to NCCC products and services and all other activities in connection with the legitimate operation of our business, on the basis of a statutory provision or in a manner that is consistent with this privacy policy.

If we share your personal information with a third party, we shall use our best efforts to ensure that they keep your information secure, take all reasonable steps to protect it from misuse and use it only in a manner consistent with NCCC’s privacy Policy and applicable data protection law. However, kindly note that the company reserves the right to change, amend, and/ or vary this Policy at any time in a manner consistent with requirement set by the Data Privacy Act.

If you have any questions, comments or concerns about how we handle your personal information, then you may contact us via _________________ or email us at _____________.