I. ABOUT THIS POLICY
II. DEFINITION OF TERMS
- Data Privacy Act or DPA refers to the Republic Act No. 10173 or the Data Privacy Act of 2012 and its Implementing Rules and Regulations.
- Data Subject/s refers to an individual or individuals whose Personal Information, Sensitive Personal Information, or Privileged Information is processed.
- Personal Data collectively refers to Personal Information, Sensitive Personal
Information, and Privileged Information.
- Personal Information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
- Privileged Information refers to any and all forms of Personal Data, which, under the Rules of Court and other pertinent laws constitute privileged communication.
- Sensitive Personal Information refers to Personal Data:
- About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
- About an individual’s health, education, genetic or sexual life, or to any proceeding or any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
- Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and;
- Specifically established by an executive order or an act of Congress to be kept classified.
- Security Incident is an event or occurrence that affects or tends to affect data
protection, or may compromise the availability, integrity and confidentiality of
Personal Data. It includes incidents that would result to a personal data breach,
if not for safeguards that have been put in place.
- Processing refers to any set of operations performed upon Personal Data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
- Templora Dermatologica shall include individuals employed by Templora Dermatologica to perform functions and deliver services. They include, but are not limited to, associates, managers, and system administrators.
III. PROCESSING OF PERSONAL DATA
A. Collection of Personal Data Templora Dermatologica, through the application portal in its official website – www.temploradermatologica.com may collect basic contact information of clients, which include, but are not limited to, the following:
- Data Subject Information
- Full Name
- Mobile / Landline Number
- Birthdate / Age
- Civil Status
- E-mail Address
- Medical History
B. Use of Personal Data Personal data collected shall be used by Templora Dermatologica for documentation, diagnostic, and contact purposes. It shall also be used to comply with the law, rule or regulation and all legal orders and processes.
C. Storage, Retention and Destruction Templora Dermatologica retains the Data Subject’s Personal Information:
- To the extent necessary in keeping track of the Data Subjects records.
- As may be agreed upon by the parties to a contract.
- For other purpose specifically authorized by law.
Templora Dermatologica will ensure that Personal Data under its custody is protected against any accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing.
To maintain the integrity and confidentiality of the Data Subject’s Personal Information, Templora Dermatologica put in place organizational, physical and technical security measures in storing collected Personal Information, depending on the nature of the information, such as:
- Use of secured servers, firewalls, encryptions and other latest security tools.
- Limited access to Personal Information to those duly authorized processors. All transfers are made after complying with the established confidentiality policy and practices in place.
- Maintain a secured server operating environment by performing regular security patch update and server hardening.
Data collected will be retained in accordance with retention limit set by Templora Dermatologica’s standards, industry standards and laws and regulations, unless the Data Subject requests its data to be deleted in Templora Dermatologica’s database.
D. Access to Data Due to the sensitive and confidential nature of the personal data under the custody of Templora Dermatologica, only the Data Subject and the authorized representative of Templora Dermatologica shall be allowed to access such personal data, for any purpose, except for those contrary to law, public policy, public order or morals.
E. Disclosure and Sharing All employees and personnel of Templora Dermatologica shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation, termination of contract, or other contractual relations. Personal Data under the custody of Templora Dermatologica shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data.
IV. ORGANIZATIONAL SECURITY MEASURES
A. Data Protection Officer The Data Protection Officer (“DPO”) is the person duly appointed by Templora Dermatologica who is responsible for ensuring its compliance with applicable laws and regulations for the protection of data privacy and security. The functions and responsibilities of the DPO shall particularly include, among others:
1. He/she shall monitor Templora Dermatologica’s Personal Data Processing activities in order to ensure compliance with applicable Personal Data privacy laws and regulations, including the conduct of periodic internal audits and review to ensure that all of Templora Dermatologica’s data privacy policies are adequately implemented by its employees and authorized agents;
2. He/she shall act as a liaison between Templora Dermatologica and the regulatory and accrediting bodies, and is in charge of the applicable registration, notification, and reportorial requirements mandated by the DPA, as well any other applicable data privacy laws and regulations;
3. He/she is responsible for developing, establishing, and reviewing policies and procedures for the exercise by Data Subjects of their rights under the DPA and other applicable laws and regulations on Personal Data privacy;
4. He/she shall act as the primary point of contact whom Data Subject may coordinate and consult with for all concerns relating to their Personal Data;
5. He/she shall oversee the formulating capacity building, orientation, and training programs for employees, agents or representatives of Templora Dermatologica regarding Personal Data privacy and security policies; and
6. He/she shall prepare and file the annual report of the summary of documented security incidents and Personal Data breaches, if any, as required under the Data Privacy Act, and of compliance with other requirements that may be provided in other issuances of the NPC.
B. Data Processing Records Adequate records of Templora Dermatologica’s Personal Data Processing activities shall be maintained at all times. The DPO, with the cooperation and assistance of all the concerned representatives and authorized agents involved in the Processing of Personal Data, shall be responsible for ensuring that these records are kept up-to-date. These records shall include, at the minimum:
1. information about the purpose of the Processing of Personal Data, including any intended future Processing or data sharing;
2. a description of all categories of Data Subjects, Personal Data, and recipients of such Personal Data that will be involved in the Processing;
3. general information about the data flow within Templora Dermatologica, from the time of collection and retention, including the time limits for disposal or erasure of Personal Data;
4. a general description of the organizational, physical, and technical security measures in place within Templora Dermatologica; and
5. the name and contact details of the DPO, Personal Data processors, as well as any other staff members accountable for ensuring compliance with the applicable laws and regulations for the protection of data privacy and security
C. Data Collection Procedures The DPO, with the assistance of Templora Dermatologica’s staff and authorized agents, shall document Templora Dermatologica’s Personal Data Processing procedures. The DPO shall ensure that such procedures are updated and that the consent of the Data Subjects (when required by the DPA or other applicable laws or regulations) is properly obtained and evidenced by written, electronic or recorded means. Such procedures shall also be regularly monitored, modified, and updated to ensure that the rights of the Data Subjects are respected, and that Processing thereof is done fully in accordance with the DPA and other applicable laws and regulations.
F. Data Retention Schedule Subject to applicable requirements of the DPA and other relevant laws and regulations, Personal Data shall not be retained by Templora Dermatologica for a period longer than necessary and/or proportionate to the purposes for which such data was collected. The DPO, with the assistance of the other departments of Templora Dermatologica responsible for the Processing of Personal Data, shall be responsible for developing measures to determine the applicable data retention schedules, and procedures to allow for the withdrawal of previously given consent of the Data Subject, as well as to safeguard the destruction and disposal of such Personal Data in accordance with the DPA and other applicable laws and regulations.
V. PHYSICAL SECURITY MEASURES
The DPO, with the assistance of Templora Dermatologica’s staff and authorized agents, shall develop and implement policies and procedures for Templora Dermatologica to monitor and limit access to, and activities in, as well as any other departments and/or workstations where Personal Data is processed, including guidelines that specify the proper use of, and access to, electronic media.
The design and layout of the office spaces and work stations of the abovementioned departments, including the physical arrangement of furniture and equipment, shall be periodically evaluated and adjusted in order to provide privacy to anyone Processing Personal Data, taking into consideration the environment and accessibility to unauthorized persons.
The duties, responsibilities, and schedules of individuals involved in the Processing of Personal Data shall be clearly defined to ensure that only the individuals actually performing official duties shall be in the room or work station, at any given time. Further, the rooms and workstations used in the Processing of Personal Data shall, as far as practicable, be secured against natural disasters, power disturbances, external access, and other similar threats.
VI. TECHNICAL SECURITY MEASURES
The DPO, with the cooperation and assistance of Templora Dermatologica, shall continuously develop and evaluate its security policy with respect to the Processing of Personal Data. The security policy should include the following minimum requirements:
a. safeguards to protect Templora Dermatologica’s computer network and systems against accidental, unlawful, or unauthorized usage, any interference which will affect data integrity or hinder the functioning or availability of the system, and unauthorized access;
b. the ability to ensure and maintain the confidentiality, integrity, availability, and resilience of Templora Dermatologica’s data processing systems and services;
c. regular monitoring for security breaches, and a process both for identifying and accessing reasonably foreseeable vulnerabilities in Templora Dermatologica’s computer network and system, and for taking preventive, corrective, and mitigating actions against security incidents that can lead to a Personal Data breach;
d. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
e. a process for regularly testing, assessing, and evaluating the effectiveness of security measures; and
f. encryption of Personal Data during storage and while in transit, authentication process, and other technical security measures that control and limit access thereto.
VII. DATA BREACHES & SECURITY INCIDENTS
- Data Breach Notification All employees and agents of Templora Dermatologica involved in the Processing of Personal Data are tasked with regularly monitoring for signs of a possible data
breach or Security Incident. In the event that such signs are discovered, the
employee or agent shall immediately report the facts and circumstances to the
DPO within twenty-four (24) hours from his or her discovery for verification as to whether or not a breach requiring notification under the Data Privacy Act has occurred as well as for the determination of the relevant circumstances surrounding the reported breach and/or Security Incident. The DPO shall notify the NPC and the affected Data Subjects pursuant to requirements and procedures prescribed by the DPA. The notification to the NPC and the affected Data Subjects shall at least describe the nature of the breach, the Personal Data possibly involved, and the measures taken by Templora Dermatologica to address the breach. The notification shall also include measures taken to reduce the harm or negative consequences of the breach and the name and contact details of the DPO. The form and procedure for notification shall conform to the regulations and circulars issued by the NPC, as may be updated from time to time. Please note that under applicable law, not all personal data breaches are notifiable.
B. Breach Reports All Security Incidents and Personal Data breaches shall be documented through written reports, including those not covered by the notification requirements. In the event of Personal Data breaches, a report shall include the facts surrounding an incident, the effects of such incident, and the remedial actions taken by Templora Dermatologica. In other security incidents not involving Personal Data, a report containing aggregated data shall constitute sufficient documentation. These reports shall be made available when requested by the NPC. A general summary of the reports shall be submitted by the DPO to the NPC annually.
VIII. RIGHTS OF THE DATA SUBJECT
As provided under the DPA, Data Subjects have the following rights in connection with the Processing of their Personal Data: right to be informed, right to object, right to access, right to rectification, right to erasure or blocking, and right to damages. Employees and agents of Templora Dermatologica are required to strictly respect and obey the rights of the Data Subjects. The DPO shall be responsible for monitoring such compliance and developing the appropriate disciplinary measures and mechanism.
- Right to be Informed
The Data Subject has the right to be informed whether Personal Data
pertaining to him or her shall be, are being, or have been processed.
The Data Subject shall be notified and furnished with information indicated
hereunder before the entry of his or her Personal Data into the records of
Templora Dermatologica, or at the next practical opportunity:
a. description of the Personal Data to be entered into Templora Dermatologica’s database system;
b. purposes for which they are being or will be processed, including
Processing for profiling, requirements review, or retention checking;
c. basis of Processing, when Processing is not based on the consent of
the Data Subject;
d. scope and method of the Personal Data Processing;
e. the recipients or classes of recipients to whom the Personal Data are
or may be disclosed or shared;
f. methods utilized for automated access, if the same is allowed by the
Data Subject, and the extent to which such access is authorized,
including meaningful information about the logic involved, as well as the significance and the envisaged consequences of such Processing for the Data Subject;
g. the identity and contact details of the DPO;
h. the period for which the Personal Data will be stored; and
i. the existence of their rights as Data Subjects, including the right to
access, correction, and to object to the Processing, as well as the right
to lodge a complaint before the NPC.
B. Right to Object
The Data Subject shall have the right to object to the Processing of his or her Personal Data, including Processing for direct marketing, automated
Processing or profiling. The Data Subject shall also be notified and given an
opportunity to withhold consent to the Processing in case of changes or any
amendment to the information supplied or declared to the Data Subject in the
preceding paragraph. When a Data Subject objects or withholds consent, Templora Dermatologica shall no longer process the Personal Data, unless:
- the Personal Data is needed pursuant to a subpoena, lawful order, or as required by law;
- the Processing is for obvious purposes, including, when it is necessary for the performance of or in relation to a contract or service to which the Data Subject is a party, or when necessary or desirable in the context of an employer-employee relationship between Templora Dermatologica and the Data Subject; or
- the Personal Data is being collected and processed to comply with a legal obligation.
- Right to Access
The Data Subject has the right to reasonable access to, upon demand, the following:
- Contents of his or her Personal Data that were processed;
- Sources from which Personal Data were obtained;
- Names and addresses of recipients of the Personal Data;
- Manner by which his or her Personal Data were processed;
- Reasons for the disclosure of the Personal Data to recipients, if any;
- Information on automated processes where the Personal Data will, or is likely to, be made as the sole basis for any decision that significantly affects or will affect the Data Subject;
- Date when Personal Data concerning the Data Subject were last accessed and modified; and
- The designation, name or identity, and address of the DPO.
- Right to Rectification
The Data Subject has the right to dispute the inaccuracy or rectify the error in his or her Personal Data, and Templora Dermatologica shall correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the Personal Data has been corrected, Templora Dermatologica shall ensure the accessibility of both the new and the retracted Personal Data and the simultaneous receipt of the new and the retracted Personal Data by the intended recipients thereof: Provided, That recipients or third parties who have previously received such processed Personal Data shall be informed of its inaccuracy and its rectification, upon reasonable request of the Data Subject.
- Right to Erasure or Blocking
The Data Subject shall have the right to suspend, withdraw, or order the blocking, removal, or destruction of his or her Personal Data from Templora Dermatologica’s filing system.
1. This right may be exercised upon discovery and substantial proof of any of the following:
(a) The Personal Data is incomplete, outdated, false, or unlawfully obtained;
(b) The Personal Data is being used for purpose not authorized by the Data Subject;
(c) The Personal Data is no longer necessary for the purposes for which they were collected;
(d) The Data Subject withdraws consent or objects to the Processing, and there is no other legal ground or overriding legitimate interest for the Processing by Templora Dermatologica;
(e) The Personal Data concerns private information that is prejudicial to Data Subject, unless justified by freedom of speech, of expression, or of the press or otherwise authorized;
(f) The Processing is unlawful; or
(g) The Data Subject’s rights have been violated.
2. The DPO may notify third parties who have previously received such
processed Personal Data that the Data Subject has withdrawn his or her
consent to the Processing thereof upon reasonable request by the Data
- Transmissibility of Rights of Data Subjects
The lawful heirs and assigns of the Data Subject may invoke the rights of the Data Subject to which he or she is an heir or an assignee, at any time after the
death of the Data Subject, or when the Data Subject is incapacitated or
incapable of exercising his/her rights.
- Data Portability
Where his or her Personal Data is processed by Templora Dermatologica through electronic means and in a structured and commonly used format, the Data Subject shall have the right to obtain a copy of such data in an electronic or structured format that is commonly used and allows for further use by the Data Subject. The exercise of this right shall primarily take into account the right of Data Subject to have control over his or her Personal Data being processed based on consent or contract, for commercial purpose, or through automated means. The DPO shall regularly monitor and implement the NPC’s issuances specifying the electronic format referred to above, as well as the technical standards, modalities, procedures and other rules for their transfer.
IX. INQUIRIES AND COMPLAINTS
Concerned Data Subjects may inquire or complain about how Templora Dermatologica have processed his/her personal data. They may inform Templora Dermatologica in writing which would include the following data:
- Contact details for identification
- Brief description of the complaint
- How they would like to happen in resolving their complaint
Templora Dermatologica shall acknowledge receipt of their complaint and address as soon as possible. Templora Dermatologica shall investigate the Data Subject’s complaint further and may need to obtain additional information from them, review supporting documents and/or obtain legal or technical advice to carry out the investigation. Once Templora Dermatologica is complete with the investigation, the body will also respond in writing to inform of them of investigation’s result.
Data Protection Officer
537 M.H. Del Pilar St.,
Santolan, Malabon City