Data Privacy Manual

Introduction

Northeast Business Solutions Inc., in its commitment to uphold, respect, and value data privacy rights, hereby adopts this Data Privacy Manual in compliance with the Data Privacy Act (DPA), its Implementing Rules and Regulations (IRR), and other relevant policies, including issuances of the NPC. All personal data collected from its officials, personnel, and clients shall be processed in adherence to the general principles of transparency, legitimate purpose, and proportionality.


This Manual shall inform you of our data protection and security measures, and may serve as your guide in exercising your rights under the DPA.


Definition of Terms

For the purpose of this Manual, the following terms shall have the respective meanings hereafter set forth:


  1. Authorized Personnel - refers to employee/s or officer/s of the company authorized to collect and/or process Personal Data either by the function of their office or position, or through specific authority given in accordance with the policies of the Company.
  2. Company - refers to Northeast Business Solutions Inc.
  3. Commission or NPC - refers to the National Privacy Commission.
  4. Compliance Officer for Privacy or COP - refers to an individual duly authorized by the Company to perform some of the functions of the DPO.
  5. Data Privacy Response (DPR) Team - refers to the group of individuals designated by the company to respond to inquiries and complaints relating to data privacy, and to assist in ensuring the Company's compliance with the Data Privacy Act, its IRR, and any other government-issued data privacy regulations and issuances, as well as in implementing this Manual.
  6. Data Protection Officer or DPO - refers to the officer duly designated by the Company to be accountable for the latter's compliance with the Data Privacy Act, its IRR, and any other government-issued data privacy regulations and issuances, as well as in implementing this Manual. The DPO shall also act as liaison between the Company and the National Privacy Commission for privacy-related compliance matters.
  7. Data Subject - refers to an individual whose personal, sensitive personal or privileged information is processed by the Company. It may refer to its officials, employees, trainees, applicants, consultants, stockholders, subcontractors, service providers, visitors, suppliers, business partners, clients, and other persons.
  8. Personal Data - refers to all types of personal information.
  9. Personal Data Breach - refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.
  10. Personal Information - refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
  11. Personal Information Controller (“PIC”) - refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. This term excludes a person or organization who performs such functions as instructed by another person or organization.
  12. Personal Information Processor (“PIP”) - refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a Data Subject.
  13. Processing - refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
  14. Privileged Information - refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.
  15. Sensitive Personal Information - refers to personal information:

    1. About an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
    2. About an individual's health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
    3. Issued by government agencies peculiar to an individual, including, but not limited to, social security numbers, previous or current health records, licenses or their denial, suspension or revocation, and tax returns; and
    4. Specifically established by an executive order or an act of Congress to be kept classified.

Scope and Limitation

All individuals interacting with the Company, including personnel regardless of employment status or rank, as well as external parties such as service providers and clients, must comply with the terms set out in this Privacy Manual.


Types of Data Collected

We may collect the following types of sensitive data to provide, improve, and ensure the security of our services:


  1. Personal Identifiers: This includes your name, address, phone number, email, government identification numbers (e.g., social security numbers, national ID), and other personal details. These are collected to create your account, verify your identity, and provide support.
  2. Financial Information: This may include bank account details, payroll details, etc. We collect this data for processing based on the service you avail of or subscribe to.
  3. Health Information: Where our client has requirements related to health or wellness, we may collect data such as medical history, health conditions, or prescriptions. This data is used to provide health-related information (e.g., medical history) and healthcare-related services.
  4. Biometric Data: We may collect biometric data, such as fingerprints, facial recognition, or access PINs, for secure authentication and to provide personalized services. This data is used only for authentication and for the personalized services for which it was collected.
  5. Location Data: Where our client requires the user's location, we may collect geographical location data (e.g., GPS coordinates). This data is used to provide location-based services as per client needs.
  6. Login Credentials: This includes your usernames, passwords, or any other authentication details you provide to access our services. This data is necessary for secure account management.
  7. Communication Data: We may collect information you provide in communications with us, such as emails, chats, or through any forms (feedback forms, etc.). This data is used to respond to your inquiries, improve services, and for customer support purposes.
  8. Other Sensitive Information: In certain cases, we may collect other types of sensitive data as required for specific services or in compliance with relevant legal obligations. This will be clearly outlined at the time of collection, and your consent will be sought.

Processing of Personal Data

  1. Collection

    The collection of both personal information and sensitive personal information is done by lawful means and for a lawful purpose, and is directly related and necessary to the achievement of the Company's functions or activities.


    The Company must only collect sensitive personal information when the information required is reasonably necessary for one or more of the Company's functions or activities.


    Personal Data collected by the Company as shared by clients who subscribe to the Company's application solutions, namely HRMS, Time Keeping and Payroll, shall be bound by agreements such as the Business Software Agreement, Non-Disclosure Agreement and/or Data Privacy Agreement.

  2. Use

    Personal Data collected shall be used by the Company only for the purpose specified and declared to the Data Subject.


    Personal Data collected by the Company as shared by clients who subscribe to the Company's application shall be used only by the client itself in order to fulfill the subscription of service availed of by the client.


    The use of the Personal Data shall only be for the purpose of carrying out the Company's business operation.

  3. Storage, Retention and Destruction

    The company shall ensure that personal data under its custody are protected against any accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing. It shall implement appropriate security measures in storing collected personal information, depending on the nature of the information.


    Personal Data will be stored only for as long as necessary to carry out an aspect of the business operation of the Company. The purpose for which it was collected and processed, as well as the applicable periods prescribed by law, if any, shall be considered in retaining the Personal Data.


    Upon the expiration of the identified lawful business purpose or withdrawal of consent, the Company must take reasonable steps to securely destroy, or permanently de-identify or anonymize, personal information that is no longer needed. Disposal shall be carried out in a manner that renders the personal data unreadable (for paper records) or irretrievable (for digital records).

  4. Access and Correction

    As a general rule, the Data Protection Officer (DPO) shall, at the request of the Data Subject, provide the Data Subject with access to his/her personal data within a reasonable time after such request is made, and will consider a request from the Data Subject for correction of that information.


    The DPO may, however, choose not to provide the Data Subject with access to such information in cases where:


    1. The Company reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety;
    2. Providing access would have an unreasonable impact on the privacy and affairs of other individuals;
    3. The request for access is frivolous or vexatious or the information requested is trivial;
    4. The information relates to anticipated or existing legal proceedings and would not be discoverable in those proceedings;
    5. Providing access would reveal the intentions of the Group in relation to negotiations with the said Data Subject in such a way as to prejudice those negotiations;
    6. Providing access would be unlawful;
    7. Denying access is authorized under law or a court/tribunal order;
    8. Providing access would be likely to prejudice an investigation of possible unlawful activity or security, defense or international relations;
    9. Providing access would be likely to prejudice activities which are carried out by the Group on behalf of an enforcement body; or
    10. Where the Data Subject:

      • has been refused access to his/her personal data which the Group holds about him/her; and/or
      • having requested correction of his/her personal information, is refused.

      In such cases, the DPO will give the Data Subject a written notice that sets out:

      • The reasons for the refusal where it is reasonable to do so; and
      • The way in which the Data Subject may make a complaint about such refusal.
  5. Disclosure and Sharing

    Personal Data shall be disclosed to third parties only for identified lawful business purposes and after obtaining appropriate consent from the data subjects, unless a law or regulation allows or requires otherwise.


    Where reasonably possible, management shall ensure that third parties collecting, storing or processing personal data on behalf of the Company have:

    1. Signed agreements to protect personal data consistent with this Manual, Data Privacy Agreement and information security practices or implemented measures as prescribed by law;
    2. Signed non-disclosure agreement or confidentiality agreement which include privacy clauses in the contracts;
    3. Established procedures to meet the terms of their agreement with the Company to protect the personal information; and
    4. Remedial action to be taken in response to the misuse or unauthorized disclosure of personal information by a third party collecting, storing or processing personal information on behalf of the Company.

Security Measures

The Company shall establish and implement reasonable and appropriate physical, technical, and organizational measures for the protection of personal data. These security measures aim to maintain the availability, integrity, and confidentiality of personal data and protect them against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.


  1. Organizational Measures

    The DPO, with the assistance of the Compliance Officer for Privacy (COP), if any, and the Data Privacy Response Team, shall monitor the Company’s compliance with the Security Measures specified in this Manual.

  2. Physical Security Measures
    1. Format of Data. The Personal Data in the custody of the Company may be in digital and/or physical document format.
    2. Storage Type. All personal data being processed by the company shall be stored in a secure facility, whether virtual or physical.

      b.1. File Cabinets.

      b.2. Local Storage (Digital).

      b.3. Cloud Storage (Digital).

    3. Locations. Physical and digital data are stored on-premise (cabinets/servers) and on cloud servers.

      c.1. On-Premise Physical Data.

      c.2. On-Premise Servers.

      c.3. Cloud Servers. Northeast Business Solutions Inc. uses a third-party vendor for its cloud servers. These are dedicated servers hosted by Hetzner Online GmbH, typically located in Finland and Germany.

      c.4. Portable Devices (Laptops).

    4. Access and Security Clearances. Only Authorized Personnel and PIP may access the personal data stored by the company, subject to procedures set out in “Disclosure and Sharing” section of this Manual.

      d.1. File Cabinets. Documents bearing personal data shall be stored in locked filing cabinets, the keys to which shall be entrusted only to Authorized Personnel. As an extra security measure, our on-site file cabinets are covered by CCTV and recorded 24 hours a day, seven days a week.

      d.2. Local Storage (Digital). Files containing personal data shall be stored in servers, computers, portable disks, and other devices, provided that either the document or the device on which it is stored is encrypted and can be decrypted only with a password or passcode. The server is also covered by CCTV and recorded 24 hours a day, seven days a week.

      d.3. Cloud Storage (Digital). Personal data encoded in the HRMS is stored on cloud servers provided by a third-party vendor. Only DevOps members who are Authorized Personnel may connect to the server. For network security, the server uses IP whitelisting, a reverse proxy server isolates the HRMS server from public networks, and an SSL certificate encrypts HTTP transmissions.

    5. Monitoring of Access. All Authorized Personnel who access the stored personal data must fill out and register their details in a logbook, indicating the date, time, duration and purpose of each access. Our servers also keep log files of authentication attempts, whether successful or not.
    6. Design of Workspace. Work space and/or computers shall be positioned with considerable spaces between them to maintain the privacy, protect the processing of personal data and minimize the risk of personal data breach.
    7. Maintenance of Confidentiality. Confidentiality shall be observed and maintained at every stage of data processing. Employees, whether Authorized Personnel or not, shall not be allowed to bring, connect, and/or use their own gadgets or storage devices of any form when processing personal data.
    8. Modes of Transfer of Personal Data within the Company or to Other Parties. Transfer of Personal Data via electronic mail shall use a secure email facility with encryption of the data. All attachments sent via email shall be encrypted and password-protected. Use of facsimile technology shall be avoided for transmitting documents containing Personal Data.
    9. Retention and Disposal Procedure. The Company shall retain Personal Data in its custody following the schedule identified in the Storage, Retention and Destruction under the Processing of Personal Data in this Manual. Upon expiration of such period, all physical and electronic copies of the personal data shall be destroyed and disposed of using secure technology.
  3. Technical Security Measures

    1. Monitoring of Security Breaches

      The Company shall install anti-virus software when necessary on all desktops and laptops. The IT Administrator shall regularly check the firewall logs to monitor security breaches and alert the DPO of any unauthorized attempt to access the Company network.

    2. Security Features of the Software and Application Used

      The Information and Technology Department (ITD) shall first review and evaluate software applications before the deployment thereof in computers and devices of the Company to ensure compatibility of security features with the data privacy policies.

    3. Process for Regular Testing, Assessment and Evaluation of Effectiveness of Security Measures

      The ITD shall conduct regular penetration testing of the firewall, both from outside the Company's network and from within, as part of its vulnerability assessment of the same.

Breach and Security Incidents

  1. Data Breach Response Team

    A Data Breach Response (DBR) Team comprising the DPO, the COP and personnel of the ITD shall be responsible for ensuring immediate action in the event of a security incident or personal data breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effects of the incident or breach.

  2. Measures to Prevent and Minimize Occurrence of Breach and Security Incidents

    The DBR Team shall regularly conduct a Privacy Impact Assessment to identify risks in the processing system, monitor for security breaches, and perform vulnerability scanning of computer networks and web applications. Personnel directly involved in the Processing of Personal Data shall attend trainings and seminars for capacity building. A periodic review of the policies and procedures being implemented in the Company shall be undertaken.

  3. Procedure for Recovery and Restoration of Personal Data

    The Company shall always maintain backup of files for all personal data under its custody. In the event of a security incident or data breach, it shall always compare the backup with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.

  4. Notification Protocol

    Upon knowledge of, or reasonable belief that a Personal Data Breach has occurred, the DBR Team shall notify the Company's management within twenty-four (24) hours, and the Commission within seventy-two (72) hours, of such occurrence.

  5. Documentation and Reporting of Procedure of Security Incidents or a Personal Data Breach

    The Data Breach Response Team shall prepare a detailed documentation of every incident or breach encountered, as well as an annual report, to be submitted to the Executive Director and the NPC within the prescribed period. The report shall contain the following:

    1. Description of the nature of the breach;
    2. Personal data possibly involved;
    3. Measures undertaken by the team to address the breach and reduce the harm or its negative consequences; and
    4. Names of the personal information controller, including contact details, from whom the data subject can obtain additional information about the breach and any assistance to be provided to the affected data subjects.

Rights, Inquiries and Complaints of Data Subjects

Every Data Subject has the right to:

  1. Be notified and furnished with his or her information before entry into the processing system within forty-eight (48) hours when such data shall be used for direct marketing, profiling or historical or scientific purposes. Notification shall be made through a memorandum and/or email.
  2. View and recommend corrections to his or her data being processed. The Data Subject may also write or email the Company at [email protected] with a brief discussion of the inquiry and/or correction/s together with his or her contact details for reference.

Procedure for Complaints

The procedure to be observed in case of complaints for data privacy violation shall be as follows:

  1. Any suspected or actual violation of this Manual, the Data Privacy Act, and/or other government issuances related to data privacy, or any breach, loss, or unauthorized access or disclosure of Personal Data in the possession or under the custody of the Company must be reported immediately to any member of the DPR Team, who shall reply within twenty-four (24) hours to acknowledge receipt of the complaint.
  2. In case of a complaint for a violation of this Manual, the Data Privacy Act, and/or other government issuances related to data privacy, or any breach, loss or unauthorized access or disclosure of Personal Data in the possession or under the custody of the Company, the DPO, the COP, or any two (2) members of the DPR Team shall:
    1. Verify the allegations of the complaint;
    2. If warranted, conduct an official investigation in case of serious security breach as provided under the Data Privacy Act and its IRR; and
    3. Report the Security Incident or Personal Data Breach to the Commission following the procedure laid down under Notification Protocol of this Manual.

The DPR Team may also convene as an investigation committee to recommend actions, particularly when the violation is serious, or causes or has the potential to cause material damage to the Company or any of its Data Subject. Such recommendation shall be submitted to the management of the Company for approval.


This Manual was approved by the Management of the Company on June 10, 2020 and shall take effect immediately.