DON TIM DEVELOPMENT CORPORATION
DATA PRIVACY POLICY

PREFACE

Don Tim Development Corporation (the “Company”) hereby adopts this Data Privacy Manual (the “Manual”) in compliance with Republic Act No. 10173, or an Act Protecting Individual Personal Information in Information and Communication Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes (the “Data Privacy Act”), its Implementing Rules and Regulations (the “IRR”), and other relevant policies and issuances of the National Privacy Commission (the “Commission”).

The Data Privacy Act was passed into law in 2012 in line with the policy of the Government to protect the fundamental human right of privacy while ensuring the free flow of information. The policy shall act along with the IRR and govern the processing of personal data by any natural or juridical person in the government or private sector, who must in turn establish policies and implement security measures to guarantee the security of personal data gathered under their control and/or custody.

In line with the Data Privacy Act, other pertinent laws, and the principles of transparency, legitimate purpose, proportionality and consent, the Corporation abides by this Manual in carrying out its principles in business. This is to ensure that all personal data under its custody remain safe and secure while being processed during its key operations and procedures.

This Manual aims to inform clients, employees, partners, and stakeholders of the Company’s data protection and security measures, and to guide them in exercising their rights under the Data Privacy Act and all other relevant regulations and policies in information dissemination.

INTRODUCTION:

Don Tim Development Corporation endeavors to meet leading standards and regulations for data protection and privacy. The Corporation respects and values the rights of data subjects, and makes sure that all personal data and information collected from the data subject are processed in accordance with the general principles of transparency, legitimate purpose, proportionality and consent. While our reasons are founded on corporate responsibility, our privacy practices as outlined in this policy facilitate:

• Good Corporate Citizenship
• Business Enablement: since the Corporation uses significant volumes of personal data and information
• Legal Protection: appropriate privacy policies offer an opportunity to eliminate allegations of unlawful usage of personal information

DEFINITION

“Commission” or the “NPC” shall refer to the National Privacy Commission.

“Data Protection Officer” for Privacy

• “Data subject” refers to an individual whose personal, sensitive personal or privileged information is processed by the organization. It may refer to officers, employees, consultants, and clients of this organization.
• “Personal Information” refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
• “Personal Sensitive Information” refers to data which goes beyond the ascertaining of identity of the data subject.
• “Processing” refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.

RIGHTS OF DATA SUBJECT

RIGHT TO BE INFORMED

The data subject has the right to be informed whether Personal Information and/or Personal Sensitive Information pertaining to him/her are being or have been processed. Before the data is entered in the Company’s information and communications system/s or filing, or at the next practicable opportunity, the data subject shall be notified and furnished with the following information:


a. Description of the Personal Information and/or Personal Sensitive Information to be entered into the information and communications system/filing of the Corporation;
b. Purposes for which personal data are being or will be processed by the authorized representative of the company only.
c. Basis of processing, where it is new or additional and was not previously conveyed to the data subject, therefore needing new consent;
d. Scope and method of the processing of personal data;
e. Recipients or classes of recipients to whom his/her personal data are or may be disclosed or shared;
f. In case of automated access, and where allowed by the data subject, the methods utilized therefor and the extent to which such access is authorized, including meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject's information;
g. Identity and contact details of the company, its representative, and/or, upon request, the Data Protection Officer (DPO), if any;
h. Period of how long the personal data will be stored; and
i. Existence of his/her rights as a data subject, including the right to lodge a complaint before the Commission.

RIGHT TO OBJECT

The data subject shall have the right to object to the processing of his/her personal data. The data subject shall also be notified and given an opportunity to withhold consent to the processing in case of changes or any amendment to the information supplied or declared to the data subject in the immediately preceding Section.

The data subject shall express in writing his/her objection and/or withdrawal of consent and transmit the same to DonTim. It shall also be transmitted to the Real Estate portals, or to any other similar third party service provider, which in turn must convey it to DonTim.

If the data subject objects or withholds consent, the Company shall no longer process the personal data and information gathered, unless:

a. Personal data is needed pursuant to a subpoena;
b. The personal data is collected and the information is processed pursuant to a legal obligation to take the mandatory contributions to an employee’s Social Security System, Pag-IBIG Home Development Mutual Fund, and PhilHealth accounts.

RIGHT TO ACCESS

The Data subject has the right to demand reasonable access to the following:

a. Source where consents of the data subject originated;
b. Sources from which personal data were obtained;
c. Names and addresses of recipient/s of the personal data and the reasons for their access;
d. Manner by which his/her personal data were processed subject to protection of corporate interest;
e. Information on any new process where the personal data will be, or is likely to be, made the sole basis for any decision that significantly affects or will affect the data subject;
f. Date when personal data concerning the data subject were last accessed.

RIGHT TO CORRECTION

The data subject has the right to correct any inaccuracy or error in the data, and to have the Corporation correct it accordingly, unless unreasonable or tending. If the data has been corrected, the Corporation will ensure the accessibility and receipt of the new data by the intended recipient/s thereof. Recipients or third parties who have previously received such processed personal data will be informed of its inaccuracy and the rectification, upon reasonable request of the data subject.

SECTION 5. RIGHT TO ERASURE OR BLOCKING

The data subject shall have the right to suspend, withdraw or advise the blocking, disposal or destruction of his/her personal data from the Corporation’s information and communication channel/filing systems, and may exercise such right upon discovery and/or proof of any of the following:

a. The personal data is incomplete, outdated, false, or unlawfully obtained;
b. The personal data is being used for purpose/s not authorized by the Data subject;
c. The personal data is no longer necessary for the purpose/s for which it was collected;
d. The data subject withdraws consent or objects to the processing and there is no other legal ground or legitimate overriding interest for the processing of data;
e. The personal data concerns information prejudicial to the data subject, unless justified by freedom of speech, of expression, or of the press, or otherwise authorized;
f. The processing is unlawful; or
g. The right/s of the data subject have been violated.

SECTION 6. RIGHT TO DATA PORTABILITY

Where the personal data is processed by electronic means and in a structured and commonly used format, and upon his/her written request with corresponding ID with 3 specimen signatures as validation of the data subject's signature, the data subject has the right to obtain from the Corporation a copy of such personal data in an electronic, structured format that is used and allows for use by the data subject.

RIGHT TO COMPLAIN BEFORE THE COMMISSION

The data subject shall have the right to complain before the Commission for any data privacy violation committed by the corporation, if any.

TRANSMISSIBILITY OF RIGHTS

Any lawful heir and/or assignee of the data subject may invoke the rights transmitted or assigned to them at any time after the death of the data subject, or when the data subject is incapable of exercising his/her rights.

PROCESSING OF PERSONAL DATA

Whenever necessary, the Corporation may modify any of its data processing systems but, under all circumstances, must respect the rights of the data subjects and observe compliance with this Article, among others, in processing the personal data of data subjects.

COLLECTION

Conditions. The Corporation shall collect and process the personal data of a data subject upon occurrence of the following conditions:

a. Prior to collection, or as soon as practicable, the Corporation shall inform the data subject of the following:
• The specific purpose of collection and processing of Personal data
• The extent of processing of personal data
• The rights of the data subject
b. The Corporation shall maintain the data obtained despite the absence of consent of the Data subject under the following circumstances:
• Pursuant to law and/or government issuances
• Necessary to perform a contract to which the data subject is a party, or to take steps prior to entering a contract
• Necessary to protect the interest of the data subject
• Necessary to perform a task for the interest of the public or in the exercise of official authority vested upon the Corporation; or
• Necessary to protect the lawful rights and interest of the corporation in court proceedings, or to establish, exercise, or defend a legal claim.

Privacy Notice. Information on the collection and processing of personal data of the data subject shall be relayed through a privacy notice, which shall substantially be in the form prescribed by the Corporation. The authorized representative of the Corporation shall inform the data subject of the purpose of the collection of personal data, the extent of processing of the information, and the rights of the data subject with regard to privacy and data protection.

Consent. The consent of the data subject shall be evidenced by written, electronic or recorded means, substantially in the form prescribed by the Corporation. Consent may also be given on behalf of a data subject by a lawful representative or an agent authorized by the data subject to do so, with a corresponding Authorization Letter with attached ID of the data subject.

USE OF PERSONAL INFORMATION AND PERSONAL SENSITIVE INFORMATION

GENERAL. The use of the Personal data and Information shall only be for the purpose/s specified and declared to the Data subject, and with the Consent of the data subject.

PURPOSE. The Corporation’s use of personal data shall only be for the purpose of carrying out its business operations. The processing of the information of data subjects shall be for the following general purposes:

a. To document and manage the Corporation’s records;
b. To conduct due diligence prior to executing a contract, and to facilitate the fulfilment of the terms of the contract thereafter;
c. To respond to queries, complaints, and requests;
d. To provide information about the Corporation’s services;
e. To conduct research and analysis to improve customer experience;
f. To maintain security; and
g. To comply with legal, regulatory, and contractual requirements or obligations.

The use and processing of personal data also depends on the Corporation’s services. The Corporation may use, collect or process the data subject’s personal data to:

a. Conduct appropriate credit investigation to assess the risks of transacting with the data subject;
b. Prepare and execute the necessary contract to cover the transaction;
c. Update the Corporation’s records and keep its contact details and billing address up to date; and
d. Communicate any advisories, changes, and other information relevant to the data subject’s contract with the Corporation.

If the data subject is a sole proprietor, vendor, supplier or contractor, the Corporation may collect, use or process the data subject’s personal data to:

a. Conduct the appropriate due diligence checks;
b. To evaluate the proposal or any request letter of the data subject, including his/her technical, financial, and operational capacity to acquire the business of the corporation
c. the viability of the data subject’s proposal and process an accreditation
d. To communicate any decision of the corporation on such proposal; and
e. To perform any other action as may be necessary to implement the terms and condition of the contract with the data subject, if any.

If the data subject is an employee of the Corporation, the Corporation may collect, use, and process the data subject’s personal data:

a. To evaluate the suitability for employment and, with a written or expressed consent, retain the personal data for a maximum of 5 years for future job opportunities that may be of interest to the data subject
b. To communicate with the data subject about his/her employment applications
c. If hired, the Corporation may process his/her personal data as may be necessary for purposes such as, but not limited to, payroll, benefits applications, allowances and refunds processing, and tax processing of his/her personal information (execute business transactions directly related and/or incidental to his/her job, business travels, socials, and so on);
d. While employed, evaluate his/her Personal data for the exit interview and to prepare his/her final pay
e. Upon separation from the company, process his/her personal data for the exit interview and to prepare his/her final pay;
f. Aid, and account for, employees in case of emergency; and
g. Perform such other processing or disclosure that may be required during the Corporation’s business or under law or regulations.

If the data subject is a corporation’s stockholder, the company may use, collect, or process the data subject’s personal data:

a. Maintain and update the data subject’s records with the corporation;
b. To administer his/her stock transactions; and
c. Comply with legal, regulatory, and contractual requirements or obligations.

If the data subject is a visitor to the Corporation’s premises or any of the Corporation’s project sites, the Corporation may use, collect, or process the data subject’s personal data in order to:

a. Grant access to the premises and/or project site/s, provided he/she is accompanied by authorized personnel who are familiar with data protection and security measures;
b. Maintain security within the premises and/or project site.

GOVERNMENT–MANDATED USE. The Corporation may use the personal data of data subjects for government regulatory compliance, corporation disclosure, and reportorial requirements, and pursuant to a lawful order of any court or tribunal.

QUALITY. Personal data processed by the Corporation must be accurate and, to the extent necessary, up to date. Personal data that is inaccurate or incomplete shall be corrected and supplemented, and/or erased by the Corporation through its authorized representative, upon a written request or an accomplished data privacy rights form of the Corporation from the data subject.

NOTIFICATION ON USE OF PERSONAL DATA FOR MARKETING AND PROFILING

A data subject must be properly notified before entry of their personal information into the communication systems of the Corporation whenever the data will be used for marketing, profiling, or historical or scientific purposes. Notification shall be made through electronic mail to the address of the data subject found in the records.

REQUEST AND INQUIRIES PERTAINING TO DATA PRIVACY ISSUES

A data subject may access and recommend corrections to their personal information being processed by the Corporation by accomplishing the data privacy rights form provided by the Corporation, including an employee who is required by their functions within the corporation with access request from.