The Lookout PH website is a platform offering various digital content to its readers and viewers, and aims to inform, entertain, and drive them to take action on matters that are important to them. When the readers and viewers access the website, their personal data and information are collected by the website through cookies and other data tracking technologies. Said data and information are the basis by which our Company serves the needs of all our clients. Accordingly, it is imperative that we ensure that the information we collect, store, and process is protected against unauthorized access and use. Further, once the data and information are no longer required by our business, we are to ensure that they are disposed of in a manner that retains the security and protection of such data and information.
With that in mind, the objective of this policy is to lay down the guidelines for the protection and security of the data and information collected, stored, processed, and disposed of by the Company. Thus, this DATA PROTECTION POLICY is adopted in compliance with Republic Act No. 10173, the Data Privacy Act of 2012 (the DPA), its implementing rules and regulations, and other relevant policies, including issuances of the National Privacy Commission of the Philippines.
This policy covers all data and information that the Lookout PH website collects, stores, processes, and disposes of, irrespective of their source.
All of our employees, regardless of rank and job description, are required to abide by this policy.
DEFINITION OF TERMS
1. Data Subject refers to an individual whose personal information is collected, processed, or disposed of. He or she is also referred to in this policy as “User”, “Individual”, or “Person”.
2. Personal Information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or which, when put together with other information, would directly and certainly identify an individual. It is also referred to in this policy as “data”, “personal data or information”, or “demographic information”.
3. Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
PROCESSING OF DATA
I. Collection of Data
a. What data are collected, and from whom?
The Lookout PH website collects all of the personal and demographic information from the persons (or users) who engage with and visit it. Personal information includes, but is not limited to, the name, address, e-mail, and phone number; demographic information includes, but is not limited to, the date of birth, age, gender, education, and employment details.
b. Who collects the data, and how are they collected?
The website and third-party users collect the data with the consent of the users.
ii. Third-party users are legitimate sources that collect data from the users. They refer to third party information aggregators, promotional partners, public sources, and third-party social networking sites, which collect data upon the consent given by such user.
The data collected are used and processed by the Lookout PH website for the following reasons:
a. Provide the users with our products, services, and other information relating to our brand. This shall include, but is not limited to: identification and contact purposes; sales of products that the Company sells; delivery of products; assistance through the use of our Customer Support System; marketing and promotion of our products; carrying out any or all of the activities necessary for the development and fulfillment of the obligations that arise and derive from the contractual and/or commercial relationship with the Company, including billing and collection; internal administration; analysis and/or research and periodic monitoring; contacting the Client in order to respond to the Client’s requirements and monitor its use of our products, and for statistical purposes; marketing, advertising and/or commercial prospecting related to products and services, which can be carried out by the Company or by third parties with which the Company has entered into agreements or contracts; and informing the Client of the launch of or changes to new products, promotions and/or offers according to their interests; and
b. Conduct market research and development of our products and services. This shall include, but is not limited to: advertising; analytics; displaying content from external sources; interaction with external social networks and platforms; managing contacts and sending messages; remarketing and behavioral targeting; advertising serving infrastructure; commercial affiliation; hosting and backend infrastructure; location-based interactions; platform services and hosting; tag management; profiling; and automated decision-making.
III. Storage, Retention, and Destruction
All data are stored in-house at the Lookout PH website server in Makati City.
The website retains the data collected only for as long as necessary to provide the services, products, and information, or for as long as the users request. Otherwise, our Company will undertake to destroy or delete the data in a secure manner.
To carry out the processing of the data collected, our Company has implemented a series of procedures and policies to manage and ensure the security of information. Any measure, procedure, and/or policy relating to the availability, integrity, confidentiality, and/or authorized use of personal data is also required to be complied with by the service providers we hire, by third parties, and by affiliated companies and subsidiaries of the Company.
The Lookout Team, Production Team, and persons authorized by the management of our Company shall have access to all the data collected. No other person shall have access to such data without their consent. They shall be allowed to access such data for any purpose, except for those contrary to law, public policy, public order, or morals.
V. Disclosure and Sharing
Our Company shall not share the data collected from a user with any person or third party without the user’s consent. However, a user is deemed to have authorized us to share the data collected from him/her with the website’s business units, suppliers, agents, contractors, collectors, service providers, our affiliates, and financial and legal advisers, such as but not limited to auditors, consultants, accountants and lawyers. For instance, our Company is deemed authorized to do the following:
i. We may send and share the data collected only with our subsidiary and affiliated companies or our suppliers in order to fulfill the purposes described in item II of this policy; and we may disclose or allow access to such data as provided in order to comply with applicable legislation or at the request of the competent authority; and
ii. We may share the data collected with one or more third parties with whom we have previously entered into agreements containing confidentiality and personal data protection clauses, as well as with selected service providers, to support the marketing and promotion of our products and software development, and for the purpose of verifying that the information provided to the Company is correct and current. We may even transfer the data collected to such third party or parties for commercial use. Moreover, the Company may share or transmit such data to its Controllers, Subsidiaries, related parties and/or its Business Units for purposes of product and service improvement, promotions, statistical purposes, internal management, and analysis. Any transfer of personal data that the Company performs will be solely for the purposes permitted by the laws, and the recipients of the personal data are obliged to observe this Notice.
All of our employees and authorized representatives shall maintain the confidentiality and secrecy of all the data collected that come to their knowledge and possession, even after resignation, termination of contract, or other contractual relations. Personal data under our custody shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data.
I. Organizational Security Measures
a. The Data Protection Officer
i. The Data Protection Officer shall oversee the compliance of the Company with the DPA, its IRR, and other related policies, including the conduct of a Privacy Impact Assessment, implementation of security measures, the security incident and data breach protocol, and the inquiry and complaints procedure.
b. Trainings and Seminars
i. Our Company shall sponsor a mandatory training on data privacy and security at least once a year. For personnel directly involved in the processing of personal data, management shall ensure their attendance and participation in relevant trainings and orientations, as often as necessary.
c. Privacy Impact Assessment
i. Our Company shall conduct a Privacy Impact Assessment (PIA) relative to all activities, projects and systems involving the processing of personal data. It may choose to outsource the conduct of a PIA to a third party.
d. Duty of Confidentiality
i. All employees will be asked to sign a Non-Disclosure Agreement. All employees with access to personal data shall operate and hold personal data under strict confidentiality if the same is not intended for public disclosure.
e. Review of Data Protection Policy
i. This Policy shall be reviewed and evaluated annually. Privacy and security policies and practices within the organization shall be updated to remain consistent with current data privacy best practices.
II. Data Protection Measures Against High-risk Factors
a. Duty to Prevent Data Manipulation
i. Safety and security measures involving the data collected from the users shall be prioritized. Threats and vulnerabilities affecting their privacy shall be eliminated, or at the very least mitigated.
ii. Our Company shall have a proper, adequate, and regular system safety and security check for the website to prevent manipulation of individuals, unsolicited messages/mail from advertisers, hacking, fraud, uncontrolled circulation of personal data, data leakage, dumpster diving of data collected, and other similar issues.
iii. We shall have regular team meet-ups to thwart insider threats affecting the data collected by the website.
b. Duty to Ensure the Maintenance of Hardware and Software Systems
i. Our Company shall ensure the preservation and protection of the hardware and software systems required for the operation of the website. This is done through their proper, adequate, and regular maintenance to prevent hardware overload/damage, software function creep, server damage, hardware and software loss, and other similar issues.
c. Duty to Prevent Disappearance or Loss of Data
i. Our Company shall regularly maintain a dependable system of data backup and retrieval to avoid disappearance or loss of data collected by the website.
III. Physical Security Measures
a. Format of Data
i. Personal data in the custody of our Company may be in digital/electronic format and paper-based/physical format.
b. Storage Type and Location
i. All personal data being processed by the website shall be stored in a data room, where paper-based documents are kept in locked filing cabinets while the digital/electronic files are stored in computers provided and installed by the company.
c. Access Procedure of Personnel
i. Only authorized personnel shall be allowed inside the data room. For this purpose, they shall each be given a duplicate of the key to the room. Other personnel may be granted access to the room upon filing of an access request form with the Data Protection Officer and the latter’s approval thereof.
d. Monitoring and Limitation of Access to Room or Facility
i. All personnel authorized to enter and access the data room or facility must register in the register of our Company and in a logbook placed at the entrance of the room. They shall indicate the date, time, duration and purpose of each access.
ii. Persons involved in processing shall always maintain confidentiality and integrity of personal data. They are not allowed to bring their own gadgets or storage device of any form when entering the data room.
e. Modes of Transfer of Data
i. Transfers of personal data shall be sent via email as a compressed file with password protection. The password can be sent via SMS or any mode of communication other than email.
IV. Technical Security Measures
a. Monitoring for Security Breaches
i. Our Company shall use an intrusion detection system such as, but not limited to, CCTV monitoring and biometrics access monitoring, to ensure that security breaches are avoided and to alert the organization of any attempt to interrupt or disturb the system.
b. Security Features of the Software/s and Application/s Used
i. Our Company shall first review and evaluate software applications before the installation thereof in computers and devices of the organization to ensure the compatibility of security features with overall operations.
c. Process for Regular Testing, Assessment, and Evaluation of the Effectiveness of Security Measures
i. The organization shall first review and evaluate software applications before their installation in computers and devices of the organization to ensure the compatibility of security features with overall operations.
BREACH AND SECURITY INCIDENTS
I. Data Breach Response Team
a. A Data Breach Response Team headed by the Data Protection Officer together with four (4) officers of the Company shall be responsible for ensuring immediate action in the event of a security incident or personal data breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effects of the incident or breach.
II. Measures to Minimize Occurrence of Breach and Security Incidents
a. Our Company shall regularly conduct a Privacy Impact Assessment to identify risks in the processing system, monitor for security breaches, and conduct vulnerability scanning of computer networks. Personnel directly involved in the processing of personal data must attend trainings and seminars for capacity building. There must also be a periodic review of the policies and procedures being implemented in the organization.
III. Procedure for Recovery and Restoration of Data
a. Our Company shall always maintain a backup file for all personal data under its custody. In the event of a security incident or data breach, it shall always compare the backup with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.
IV. Notification Protocol
a. The Head of the Data Breach Response Team shall inform the management of the need to notify the NPC and the data subjects affected by the incident or breach within the period prescribed by law. Management may decide to delegate the actual notification to the head of the Data Breach Response Team.
V. Documentation and Reporting Procedure
a. The Data Breach Response Team shall prepare a detailed documentation of every incident or breach encountered, as well as an annual report, to be submitted to management and the NPC, within the prescribed period.
RIGHTS OF DATA SUBJECTS; INQUIRIES AND COMPLAINTS
Data Subjects may exercise certain rights regarding their Data processed by our Company.
In particular, Users have the right to do the following:
1. Withdraw their consent at any time.
2. Object to the processing of their data.
3. Access their data.
4. Verify and seek rectification.
5. Restrict the processing of their data.
6. Have their personal data deleted or otherwise removed.
7. Receive their data and have it transferred to another Controller.
8. Lodge a complaint.
Data subjects may exercise their rights, or inquire or request information regarding any matter relating to the processing of their personal data under the custody of our Company, including the data privacy and security policies implemented to ensure the protection of their personal data. They may write to the organization at email@example.com and briefly describe the inquiry, together with their contact details for reference.
Complaints shall be filed in three (3) printed copies or sent to firstname.lastname@example.org. The concerned department or unit shall confirm with the complainant its receipt of the complaint.
COMPLIANCE AND ENFORCEMENT
All Company employees are enjoined to faithfully comply with this policy. Any deviation or violation shall be subject to the provisions of the EMPLOYEE CODE OF CONDUCT. Provided, that any deviation or violation of this policy shall be classified as a Major Offense and the appropriate penalty under the EMPLOYEE CODE OF CONDUCT shall be imposed.