DATA PRIVACY MANUAL
INTRODUCTION
Ocampo Manalo Valdez Lim (“OMLAW”) is a full-service law firm. We are committed to protecting and securing the information and data we collect, store, and process. To this end, we have adopted a data privacy policy (“Privacy Policy”) in accordance with Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 (“DPA”).
The objective of this Privacy Policy is to set the guidelines as to how and when the information provided to us is collected, used, stored, processed and disposed of, to ensure that such information is not misused and to prevent its unlawful and unauthorized disclosure. This Privacy Policy likewise informs persons who have provided us with information of their rights under the DPA and the remedies available to protect their rights.
As a law firm, we are committed to complying with existing rules on confidentiality with respect to information disclosed by our clients. Likewise, we endeavor to comply with all laws and regulations that apply to the collection and use of personal information, including but not limited to the DPA, its rules and regulations.
DEFINITION OF TERMS
Whenever used in this Data Privacy Manual, the following terms shall have the respective meanings hereafter set forth:
- DPA refers to the Data Privacy Act of 2012 and its implementing rules and regulations, as well as the circulars issued by the National Privacy Commission from time to time.
- Data Subject (DS) refers to an individual whose personal information is processed.
- Data Protection Officer (DPO) is the individual principally responsible for ensuring the Firm’s compliance with applicable laws and regulations for the protection of data privacy and security. The DPO is responsible for the supervision and enforcement of this Policy.
- Firm refers to Ocampo Manalo Valdez Lim Law Firm
- Legitimate Uses refer to any of the permitted uses by which the Firm processes the Personal Data of various Data Subjects
- Manual refers to the Firm’s Data Privacy Manual that may be amended from time to time.
- Personal Data refers to the collective term of personal information and sensitive personal information
- Personal Information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
- Personal Information Processor refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.
- Privileged Information refers to any and all forms of data, which under the Rules of Court and other pertinent laws constitute privileged communication.
- Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
- Sensitive Personal Information refers to personal information:
  - About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
  - About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
  - Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
  - Specifically established by an executive order or an act of Congress to be kept classified.
THE TYPES OF INFORMATION THAT WE COLLECT
The types of Personal Data we collect will vary, depending on our specific relationship with the DS, and the context. Our Firm classifies its relationships into four (4) primary categories of Data Subjects:
- Members of the Firm (which include partners, associates, and non-legal staff);
- Clients of the Firm or prospective clients of the Firm;
- Contractual 3rd Parties (which include consultants, suppliers, contractors, interns, and in general those who have a limited contractual relationship with the Firm)
- Non-contractual 3rd Parties (which include visitors of the Firm’s website and walk-in individuals who do not formally engage the services of the Firm but who may secure some limited service such as notarial services, general inquiries etc.)
Based on these categories, we may collect certain Personal Data from the DS (for example, to provide legal services if the DS is a client, to recruit or employ the DS, or to engage the DS if it is a potential supplier/contractor). The types of Personal Data which we will typically collect and process include:
- Basic personal details such as the name and job title, company or organization of the DS, as well as proof of identification and other background verification such as a valid government ID (passport, TIN, driver’s license etc.)
- Contact information such as the telephone and mobile number, as well as email and/or postal/residential/work address
- Financial information such as payment related information or bank account details
- Any other information that the DS may provide, which is necessary to carry out any of the Legitimate Uses as defined by this Manual
On certain occasions, we may process Personal Data, including Sensitive Personal Information, only where necessary, lawful and pursuant to any of the Legitimate Uses defined in this Manual.
For instance, if the DS is a member of the Firm, we may collect information relating to the member’s social security number, PhilHealth or Pag-IBIG number, age, marital status, health status, in order to comply with reportorial requirements by relevant government agencies or to enable the Firm to process the member’s leaves and/or benefits.
If the DS is a prospective member of the Firm, we may require certain recruitment related information such as the resume, curriculum vitae, education and employment history, references from previous employers and other related information to enable us to review and process the person’s job application.
If the DS is a client or prospective client of the Firm, we may process Sensitive Personal Information such as the marital status, health status, and information in connection with any civil, criminal or administrative investigations or proceedings that the client or the company/organization that the person represents are involved in.
If the DS is a visitor of the Firm’s website, we may collect Cookies. Unless the DS provides us with personal information, such as when an inquiry is made under the “Contact Us” tab of the website, the Cookies we collect do not reveal any personal or identifying information about the DS.
We only process and collect such Personal Data to the extent that is reasonably necessary for the Firm to effectively carry out the objective or purpose for which it is used.
Privileged Communication Rule and Confidential Nature of Client’s Information
As a general rule, any information provided by our clients, whether or not constituting Personal Data, is covered by the Privileged Communication Rule. In other words, the Firm has a responsibility to keep its clients’ information confidential. The Firm adopts a policy that all members of the Firm, whether legal or non-legal, must faithfully and diligently keep such information confidential. We note, however, that the Privileged Communication Rule admits of some exceptions, such as when the disclosure is required by law or pursuant to a court order, or when the client consents to such disclosure.
HOW WE PROCESS THE INFORMATION WE COLLECT
Objectives
As a general rule, we process the Personal Data of the DS:
- To fulfill a legal or regulatory obligation
- Pursuant to any of the Legitimate Uses provided in this Manual
- To defend, or prosecute a legal claim
Collection
We primarily collect information from the DS and with its consent or from the authorized representatives or counterparts of the DS. We may also collect information from third parties such as regulatory agencies, courts, or tribunals, or from public records.
Legitimate Uses
Below is a non-exhaustive list of Legitimate Uses by which we may process the Personal Data of the DS:
- To provide our legal or other related services, and for billing purposes
- To comply with a legal or regulatory obligation (i.e. due diligence requirements required by law, permit and/or license applications, compliance with an order of a court/tribunal)
- To defend, enforce and/or protect our legal rights in a legal proceeding
- To hire, recruit or employ the DS
- To enter into a contract or fulfill an obligation under an existing contract with the DS (i.e. supplier contracts, employment contracts, consultancy contracts, client engagements)
- Pursuant to a legitimate interest after considering all the circumstances and rights affected by the processing of such data.
WITH WHOM DO WE SHARE PERSONAL DATA OF THE DATA SUBJECT
Personal Data will, where appropriate, be shared with relevant members of our Firm. We may also share Personal Data with select third parties, including but not limited to:
- Those persons related to the DS such as its agents, representatives, employees, counterparties to transactions or litigation, or other persons necessary to effectively carry out any of the Legitimate Uses in this Manual
- Government agencies, public officers, law enforcement authorities, and courts/tribunals where such disclosure is authorized by the rules and applicable law
- Our consultants, advisers and affiliate law firms
- Persons with whom we have a business relationship such as contractors/sub-contractors, suppliers, IT systems and software providers, and other service providers
With respect to foreign clients in particular, the processing of Personal Data may involve a cross-border transfer of such data to other countries, in which case the applicable local law of that country will apply.
When sharing Personal Data with third parties, we take appropriate measures to ensure that only such data, which is relevant under the circumstances, is disclosed. We will endeavor to secure the consent or authorization of the DS prior to disclosing Personal Data to third parties.
KEEPING PERSONAL DATA SECURE
Measures
We are committed to ensuring that Personal Data is properly secured against unauthorized disclosure or processing and have thus adopted a range of administrative, organizational, physical and technical security measures. In particular, the Firm discloses its data privacy policy when communicating externally.
The Firm destroys all types of private information of a client within one (1) year from termination of the engagement by a client unless sooner requested by the Client. Electronic data is deleted from the inboxes or hard drives, and data that was physically collected is shredded.
Data and Security Breaches
If the DS has any reason to believe that there has been unauthorized processing of Personal Data, or any other security breach or violation of its rights under the DPA, the DS may exercise its remedies available under the DPA as well as under applicable local law.
EXCLUDED INFORMATION
This Privacy Policy reiterates the types of information not covered by the DPA, such as:
- Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:
  - The fact that the individual is or was an officer or employee of the government institution;
  - The title, business address and office telephone number of the individual;
  - The classification, salary range and responsibilities of the position held by the individual; and
  - The name of the individual on a document prepared by the individual in the course of employment with the government;
- Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;
- Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;
- Personal information processed for journalistic, artistic, literary or research purposes;
- Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);
- Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and
- Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.
RIGHTS OF THE DATA SUBJECT
Under the DPA, the DS has the following rights:
- Right to be informed whether personal information pertaining to the DS shall be, is being or has been processed;
- Right to be furnished the information before the entry of personal information into the processing system of the personal information controller, or at the next practical opportunity;
- Right to reasonable access, upon demand:
  - Contents of personal information that were processed;
  - Sources from which personal information were obtained;
  - Names and addresses of recipients of the personal information;
  - Manner by which such data were processed;
  - Reasons for the disclosure of the personal information to recipients;
  - Information on automated processes where the data will or likely to be made as the sole basis for any decision significantly affecting or will affect the DS;
  - Date when the personal information concerning the DS was last accessed and modified; and
  - The designation, or name or identity and address of the personal information controller;
- Right to dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal information have been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by recipients thereof: Provided, That the third parties who have previously received such processed personal information shall be informed of its inaccuracy and its rectification upon reasonable request of the data subject;
- Right to suspend, withdraw or order the blocking, removal or destruction of personal information from the personal information controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected. In this case, the personal information controller may notify third parties who have previously received such processed personal information;
- Right to be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information;
- Right to data portability – In case personal data was processed through electronic means and in a structured and commonly used format, the DS has the right to obtain a copy of the personal data in such electronic or structured format for further use, subject to the guidelines of the National Privacy Commission with regard to the exercise of such right;
- Transmissibility of your rights – The lawful heirs and assigns of the DS may invoke its rights, at any time after death or incapacity of the DS or incapability of exercising the rights of the DS as enumerated in the immediately preceding sections;
- Limitation of rights – The immediately preceding sections are not applicable if the processed personal information are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding yourself: Provided, That the personal information shall be held under strict confidentiality and shall be used only for the declared purpose. Likewise, the immediately preceding sections are not applicable to processing of personal information gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities.
CONTACT AND OTHER IMPORTANT INFORMATION
For further information on the collection, use, disclosure or processing of Personal Data or any of the rights under this Manual or under relevant laws, we may be contacted at:
Data Protection Officer
Ocampo Manalo Valdez Lim
28th Floor, Pacific Star Building
Makati Ave. cor. Sen. Gil Puyat Ave.,
Makati City, 1220
Telephone: (02)7751-8899
Email: dpo@omlawphil.com
Effectivity
This Manual reflects our Firm’s current data privacy policies. We reserve the right to make changes to this Privacy Policy from time to time. We may also make changes as required to comply with changes in applicable law or regulatory requirements. Any changes we make to this Privacy Policy take effect once published on our Website. We encourage you to review this Privacy Policy periodically to be informed of how we use your Personal Data.
Published on 25 November 2021