
Data Privacy Policy

 

The Company values the confidentiality, security, and protection of personal, sensitive personal, and privileged information (“personal data”). This Policy gives details on how personal data are processed by the Company under Republic Act No. 10173, also known as the Data Privacy Act of 2012, its Implementing Rules and Regulations, and other relevant laws of the Philippines.

 

Purpose

 

In compliance with the Data Privacy Act of 2012, its Implementing Rules and Regulations, and other relevant laws of the Philippines effective since 08 September 2016, all customers of the Company (the “data subject/s”) are required to voluntarily provide their consent on the collection, use, processing, and retention of their personal data for their transactions with the Company, as well as in connection with sales, after-market support, and/or warranty registration and claims, as will be provided hereunder.

 

Collection and Retention of Personal Data

 

Personal Data collectively refers to Personal Information, Sensitive Personal Information, and Privileged Information.

 

Personal Information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

 

Sensitive Personal Information refers to personal data:

  1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

  2. About an individual’s health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;

  3. Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or their denials, suspension or revocation, and tax returns; and

  4. Specifically established by an executive order or an act of Congress to be kept classified.

 

Privileged Information refers to any form of personal data which, under the Revised Rules of Court and other relevant laws, constitutes privileged communication.

 

The Company generally does not collect personal data unless it is provided freely and voluntarily by the data subject/s. The Company shall use personal data to perform business processes effectively and efficiently in conformity with its corporate policies. Any personal data shall be used for legitimate and/or government-related purposes only.  In this regard, the Company may collect the data subject’s personal data for the following purposes:

 

The Company will process the data subject’s personal data for purposes including, but not limited to, the following:

 

  1. To comply with applicable laws and legal obligations;

  2. To respond to other governmental inquiries or requests from public authorities;

  3. To comply with valid legal processes issued by government authorities;

  4. To protect the rights, privacy, safety, or property of the Company, its employees, or the general public;

  5. Request for information about the Company, its products and services;

  6. Warranty registration and claims;

  7. After-sales and technical support; and

  8. To permit the Company to pursue available remedies or limit the damages that it may sustain.

 

The accuracy, completeness, integrity, and relevancy of personal data are of vital importance. Data subject/s are required to inform the Company should any of their personal data change.

 

Types of Personal Data Collected 

 

The Company may collect the following personal data from its customers:

 

  1. Name;

  2. Present/Permanent Address;

  3. Contact Number;

  4. Email Address;

  5. Civil Status;

  6. Gender;

  7. Government-issued identification cards;

  8. Determination of PWD/Senior Citizen; and

  9. Signature.

 

Retention, Withdrawal of Consent, and Disposal

 

The Company shall retain the data subject’s personal data for a period no longer than necessary for the purposes for which such personal data is collected.  The Company shall develop measures to determine the applicable schedule for data retention, procedures for withdrawal of consent previously given by the data subject/s, and proper and secured processing, destruction, and disposal of personal data under the DPA and other applicable laws and regulations.

 

Sharing and Releasing of Personal Data

 

The Company shall hold personal data under strict confidentiality. The Company shall not disclose or share personal data in its possession with other entities without the data subject’s express consent.

 

The Company may share or release the data subject/s’ personal data to its subsidiaries, related companies, and third-party providers to record business transactions with the Company or for any such legal purposes as may be allowed or required by law in connection with such transactions with the Company.

 

Data Protection

 

The Company shall implement appropriate organizational, physical, and technical security measures to ensure the privacy and protection of personal data in its possession. The security shall aim to protect and secure personal data from loss, misuse, unauthorized modification, unauthorized access or disclosure, alteration, or destruction. The following are the Company’s safeguards:

 

  • Strict implementation of information security policies;

  • Restriction of access by unauthorized personnel;

  • Use of secured servers and firewalls; and

  • Data encryption on computing devices.

 

Rights of Data Subject/s

 

Data subjects are entitled to the following rights:

  • To be informed whether personal data shall be, are being, or have been processed with full information of the description of the personal data to be processed, its purposes, basis, scope and methods, the identity of the Company’s contact person, and period of retention, as well as all other rights available to the data subject/s.

  • To object to the processing of personal data.  When the data subject/s object/s or withhold/s consent to the processing of personal data, the Company shall no longer process the personal data unless:

 

      i. The personal data is needed under a subpoena;

      ii. The processing is for obvious purposes, such as when it is necessary for the performance of, or in relation to, a contract or service to which the data subject/s are parties; or

      iii. The personal data is being collected and processed to comply with the law and regulations.

  • To reasonable access to the personal data processed, the manner of processing, reasons for disclosure and the recipients of the personal data, and the sources where they were obtained and the authorized person processing them, upon demand. 

  • To rectify inaccurate or erroneous personal data, unless such request is unreasonable, and to inform the recipients of personal data of such inaccuracy or error.

  • To erase, block, suspend, withdraw, remove, or destroy the personal data from the Company’s filing or storage system should the personal data be proven to be incomplete, outdated, false, or unlawfully obtained or being used without authority or unlawfully, or no longer necessary, or the rights of the data subject/s have been violated.

  • To obtain copies of the personal data stored in electronic or other formats following the National Privacy Commission’s (“NPC”) issuances governing such formats.

 

The rights of the data subject/s may be invoked by the lawful heirs and assigns of the data subject/s.

 

Data Breach Notification/Reports

 

All employees of the Company involved in the processing of personal data shall regularly monitor possible personal data breaches and shall immediately report such occurrences to the authorized officer of the Company who is tasked with handling, and is accountable for, Data Privacy compliance. The NPC and the affected data subject/s shall be immediately notified of such reported breach. The Company shall immediately take measures to mitigate the damage or harmful consequences of such breach. The form and procedure for notification shall follow the NPC’s issuances.

 

The Company shall document, via written reports, all personal data breaches which shall describe the incident, its effects, and the mitigating and remedial measures undertaken.  The reports shall be made available to the NPC.  A yearly summary of the reports shall be submitted to the NPC.

 

This Policy shall be revised, modified or amended as may be required by the lawful business interests of the Company and by the subsequent laws on data privacy protection and issuances of the NPC.

 

 

Questions or concerns regarding data privacy rights, this Policy, or any matter regarding the Data Privacy Act of 2012 may be addressed to:

 

Heintz Baby Company

Tel. No.: (+63) 0998 967 7075

Email Address: Heintzbabycompany@gmail.com
