DATA PRIVACY POLICY MANUAL
I. BACKGROUND
Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), aims to protect personal data in information and communications systems both in the government and the private sector.
It ensures that entities or organizations processing personal data establish policies, and implement measures and procedures that guarantee the safety and security of personal data under their control or custody, thereby upholding an individual’s data privacy rights. A personal information controller or personal information processor is instructed to implement reasonable and appropriate measures to protect personal data against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.
To inform its personnel of such measures, each personal information controller or personal information processor is expected to produce a Privacy Manual. The Manual serves as a guide or handbook for ensuring the compliance of an organization or entity with the DPA, its Implementing Rules and Regulations (IRR), and other relevant issuances of the National Privacy Commission (NPC). It also encapsulates the privacy and data protection protocols that need to be observed and carried out within the organization for specific circumstances (e.g., from collection to destruction), directed toward the fulfillment and realization of the rights of data subjects.
II. INTRODUCTION
This Privacy Manual of CG GARCIA SERVICES INC. is hereby adopted in compliance with Republic Act No. 10173, entitled “An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for this Purpose a National Privacy Commission, and for Other Purposes”, otherwise known as the “Data Privacy Act of 2012”, its Implementing Rules and Regulations, and the relevant policies and issuances of the National Privacy Commission (“NPC”).
The Data Privacy Act (“DPA”) and its Implementing Rules and Regulations (“IRR”) provide the following:
- Protection of an individual’s right to privacy of his personal information and sensitive personal information (“Personal Data”) while ensuring the free flow of information in order to promote innovation and growth;
- Regulation in the processing of personal information and, in certain cases, processing of sensitive personal information and privileged information;
- Creation of the NPC, tasked to implement the provisions of the DPA and its IRR and to ensure the country’s compliance with international standards for data protection;
- Security of personal information through the implementation of reasonable and appropriate organizational, physical, and technical measures intended for the protection of personal and sensitive personal information.
CG GARCIA SERVICES INC. respects, values, and protects the data privacy rights of individuals and ensures that all personal information and sensitive personal information (“Personal Data”) collected are processed in adherence to the general principles of transparency, legitimate purpose, and proportionality.
III. DEFINITION OF TERMS
- AUTHORIZED PERSONNEL – refers to employee/s or officer/s of the Company authorized to collect and/or to process Personal Data either by the function of their office or position, or through specific authority given in accordance with the policies of the Company.
- DATA SUBJECT – refers to an individual whose personal, sensitive personal, or privileged information is processed by the organization. It may refer to officers, employees, consultants, and clients of this organization.
- CONSENT OF THE DATA SUBJECT – refers to any freely given, specific, informed indication of will, whereby the Data Subject agrees to the collection and Processing of his/her Personal, Sensitive Personal, or Privileged Information.
- PERSONAL DATA – refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
- PERSONAL DATA BREACH – refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
- PROCESSING – refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the Personal Data are contained or are intended to be contained in a filing system.
- PRIVACY POLICY – refers to the internal statement that governs the Company’s practices of handling Personal Data. It instructs the users of Personal Data (i.e., Authorized Personnel) on the Processing of Personal Data and informs them of the rights of the Data Subjects. This Manual outlines the Privacy Policy of the Company.
- PRIVACY NOTICE – refers to the statement made to a Data Subject to inform him/her of how the Company processes his/her Personal Data.
- PRIVILEGED INFORMATION – refers to any and all forms of Personal Data, which under the Rules of Court and other pertinent laws constitute privileged communications.
- SECURITY INCIDENT – is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of Personal Data. It includes incidents that would have resulted in a personal data breach had safeguards not been put in place.
- SECURITY MEASURES – refers to the physical, technical, and organizational measures employed by the Company to protect Personal Data from natural and human dangers.
IV. SCOPE AND LIMITATIONS
This Manual lays down the data protection and Security Measures of the Company and governs the Processing of Personal Data of Data Subjects by the Company.
All personnel of CG GARCIA SERVICES INC., regardless of the type of employment or contractual arrangement, must comply with the terms set out in this Privacy Manual.
V. DATA PRIVACY PRINCIPLES
In the Processing of Personal Data, the Company and its employees shall abide by the following principles:
- Transparency – The Data Subject shall be informed of the nature, purpose, and extent of the Processing of his/her Personal Data, including the risks and safeguards involved, the identity of the Company, his/her rights as a Data Subject, and how these rights may be exercised.
- Legitimate Purpose – The Processing of Personal Data shall only be for the purpose declared and specified to the Data Subject. No further Processing of Personal Data shall be done without the consent of the Data Subject.
- Proportionality – The Processing of Personal Data shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal Data will be processed by the Company only if the purpose of the Processing could not be reasonably fulfilled by other means, and if required by the Company’s business operations.
VI. PROCESSING OF PERSONAL DATA
CG GARCIA SERVICES INC., in the processing of personal information, implements and observes the following applicable provisions of Section 12 of the DPA, which provides: “The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:
- COLLECTION – The Company shall only collect Personal Data of a Data Subject for documentation purposes and for the processing of the said Personal Data.
Information collected shall be relayed to the Data Subject through a Privacy Notice. The Company’s Authorized Personnel shall inform the Data Subject of the purpose/s for the collection of Personal Data.
- USE – The Company’s use of the Personal Data shall only be for the purpose/s specified and declared to the Data Subject, and with the Consent of the Data Subject.
The Company may use and process the Personal Data of Data Subjects for government regulatory compliance, company disclosures, and reportorial requirements, and pursuant to a lawful order of any court or tribunal.
- STORAGE, RETENTION AND DESTRUCTION – The Company will ensure that the Personal Data under its custody are protected against any accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing. The company will implement appropriate security measures in storing collected Personal Data, depending on the nature of the information.
- ACCESS – The Company will ensure the confidentiality of the Personal Data collected; only the client and the authorized personnel of the Company shall be allowed to access such Personal Data, for any purpose, except for those contrary to law, public policy, public order, or morals.
- DISCLOSURE AND SHARING – All employees and personnel of the company shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation, termination of contract, or other contractual relations. Personal data under the custody of the company shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data.
VII. SECURITY MEASURES
The Company shall establish and implement reasonable and appropriate physical, technical, and organizational measures to ensure privacy and data protection. These Security Measures aim to protect Personal Data against natural dangers, such as accidental loss or destruction, and human dangers, such as unlawful access, fraudulent misuse, unlawful destruction, alteration, and contamination.
A. ORGANIZATIONAL SECURITY MEASURES
- DATA PROTECTION OFFICER
The Company designated Ms. Jedda D. Dimalanta as its Data Protection Officer (DPO).
- FUNCTIONS OF THE DPO
The Data Protection Officer shall oversee the compliance of the organization with the DPA, its IRR, and other related policies, including the conduct of a Privacy Impact Assessment, implementation of security measures, security incident and data breach protocol, and the inquiry and complaints procedure.
- CONDUCT OF TRAININGS OR SEMINARS to keep personnel, especially the Data Protection Officer, updated on developments in data privacy and security.
The Company shall sponsor a mandatory training on data privacy and security at least once a year. For personnel directly involved in the processing of personal data, management shall ensure their attendance and participation in relevant trainings and orientations, as often as necessary.
- CONDUCT OF PRIVACY IMPACT ASSESSMENT
The Company shall conduct a Privacy Impact Assessment (PIA) relative to all activities, projects, and systems involving the processing of personal data. It may choose to outsource the conduct of a PIA to a third party.
- DUTY OF CONFIDENTIALITY
All employees will be asked to sign a Non-Disclosure Agreement. All employees with access to personal data shall operate and hold personal data under strict confidentiality if the same is not intended for public disclosure.
- REVIEW OF PRIVACY MANUAL
This Manual shall be reviewed and evaluated annually. Privacy and security policies and practices within the organization shall be updated to remain consistent with current data privacy best practices.
B. PHYSICAL MEASURES
- FORMAT OF PERSONAL DATA
Personal Data in the custody of the Company are in digital or electronic format and in paper-based or physical format.
- STORAGE TYPE AND LOCATION
All Personal Data in paper-based documents being processed by the Company are stored in designated storage areas or kept in locked filing cabinets or fire-proof vaults, while the digital or electronic files are safely stored in computers and hard drives protected by passwords or passcodes.
- ACCESS PROCEDURE OF COMPANY’S PERSONNEL
Only authorized personnel shall be allowed inside the data room. For this purpose, they shall each be given a duplicate of the key to the room. Other personnel may be granted access to the room upon filing of an access request form with the Data Protection Officer and the latter’s approval thereof.
- MONITORING AND LIMITATIONS OF ACCESS
Physical access is restricted to authorized personnel and any visitor is escorted by an authorized individual while in the office or secure area. All authorized personnel who seek to access the stored Personal Data must fill out and register access details in a logbook. They shall indicate the date, time, duration and purpose of each access.
- DESIGN OF OFFICE SPACE/WORK STATION
For purposes of ensuring privacy of Personal Data, the computers used by the Company’s personnel are positioned with considerable spaces between them to maintain privacy and protect the processing of Personal Data.
- PERSONS INVOLVED IN PROCESSING AND THEIR DUTIES AND RESPONSIBILITIES
Persons involved in processing shall always maintain the confidentiality and integrity of Personal Data. They are not allowed to bring their own gadgets or storage devices of any form when entering the data storage room. Moreover, all employees and officers of the Company with access to Personal Data shall operate and hold Personal Data under strict confidentiality if the same is not intended for public disclosure, or unless such disclosure is required under the law or the rules and regulations of the SEC, CMIC, PSE, or SCCP.
- MODES OF TRANSFER OF PERSONAL DATA WITHIN THE ORGANIZATION, OR TO THIRD PARTIES
Transfer of Personal Data via electronic mail shall use a secure email facility with encryption of the data, including any or all attachments. Facsimile technology shall not be used for transmitting documents containing Personal Data, unless with the consent of the data subjects.
- RETENTION AND DISPOSAL PROCEDURE
The Company shall retain the Personal Data for a period allowed by law, rules and regulations. Upon expiration of such period, all physical and electronic copies of the Personal Data shall be destroyed and disposed of using secure technology.
C. TECHNICAL SECURITY MEASURES
The Company shall implement technical security measures to make sure that there are appropriate and sufficient safeguards to secure the processing of Personal Data, particularly the computer network in place, including encryption and authentication processes that control and limit access. They include the following, among others:
1. MONITORING FOR SECURITY BREACHES
The Company shall use an intrusion detection system to monitor for security breaches and alert the Company of any attempt to interrupt or disturb the system. The Company installs antivirus software on computers and laptops that regularly access the internet and uses firewalls and antivirus/anti-spyware software to protect systems that are accessible from the internet. Systems that are exposed to the internet, such as web servers and their software, or servers supporting sensitive applications, have unnecessary services removed or disabled.
2. SECURITY FEATURES OF THE SOFTWARE/S AND APPLICATION/S USED
The Company reviews and evaluates software applications before the installation thereof in computers and devices of the Company to ensure the compatibility of security features with overall operations and to ensure privacy protection of Personal Data stored in said computers.
3. PROCESS FOR REGULARLY TESTING, ASSESSING, AND EVALUATING THE EFFECTIVENESS OF SECURITY MEASURES
The Company reviews security policies, conducts vulnerability assessments, and performs penetration testing within the APS on a regular schedule to be prescribed by the appropriate department or unit.
4. ENCRYPTION, AUTHENTICATION PROCESS, AND OTHER TECHNICAL SECURITY MEASURES THAT CONTROL AND LIMIT ACCESS TO PERSONAL DATA
The Company’s personnel with access to Personal Data shall verify their identity using a secure encrypted link and multi-level authentication.
VIII. BREACH AND SECURITY INCIDENTS
1. CREATION OF A DATA BREACH RESPONSE (“DBR”) TEAM
A DBR Team shall be responsible for ensuring immediate action in the event of security incident or personal data breach. The team shall conduct an initial assessment of the security incident or personal data breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effects of the security incident or personal data breach.
2. MEASURES TO PREVENT AND MINIMIZE OCCURRENCE OF BREACH AND SECURITY INCIDENTS
The Company shall regularly conduct a Privacy Impact Assessment to identify risks in the processing system, and shall monitor for security breaches and conduct vulnerability scanning of computer networks. Personnel directly involved in the processing of Personal Data must attend trainings and seminars for capacity building. There must also be a periodic review of the policies and procedures being implemented in the organization.
3. PROCEDURE FOR RECOVERY AND RESTORATION OF PERSONAL DATA
The Company shall always maintain a backup file for all Personal Data under its custody. In the event of a security incident or data breach, it shall always compare the backup with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.
4. NOTIFICATION PROTOCOL
The Head of the Data Breach Response Team shall inform the management of the need to notify the NPC and the data subjects affected by the incident or breach within the period prescribed by law. Management may decide to delegate the actual notification to the head of the Data Breach Response Team.
5. DOCUMENTATION AND REPORTING PROCEDURE OF SECURITY INCIDENTS OR A PERSONAL DATA BREACH
The Data Breach Response Team shall prepare a detailed documentation of every incident or breach encountered, as well as an annual report, to be submitted to management and the NPC, within the prescribed period.
IX. INQUIRIES AND COMPLAINTS
A Data Subject may access and recommend corrections to his/her Personal Data being processed by the Company. Data Subjects may inquire or request information regarding any matter relating to the processing of their Personal Data. They may email the Company at cglandtitleservices@gmail.com and briefly describe the inquiry, together with their contact details for reference.
Any complaint for violation of this Manual, the Data Privacy Act, and/or other government issuances related to data privacy, or any breach, loss, or unauthorized access or disclosure of Personal Data in the possession or under the custody of the Company, must be reported immediately to any member of the Data Privacy Response Team, who shall reply within twenty-four (24) hours to acknowledge receipt of the complaint.
X. EFFECTIVITY
This Manual was approved by the Board of Directors of the Company on 11 January 2022, and shall take effect immediately.