Privacy Notice

The National Privacy Commission (NPC) of the Republic of the Philippines, designated as the Fee-Funded Secretariat (Secretariat) of the Global Privacy Assembly (Assembly), processes personal data and controls information provided by the members of the Assembly, its applicants, observers, alumni, volunteers, conference speakers, and members of the public who proactively communicate with the Secretariat for any correspondence of the Assembly.

The Secretariat shall process personal data collected from and submitted on this website with strict adherence to the provisions of the Data Privacy Act of 2012 (DPA) of the Philippines.

This Privacy Notice is for the Global Privacy Assembly (Assembly). Our official website is  https://globalprivacyassembly.org/.

 

Scope of Privacy Notice

This Privacy Notice applies to the processing of personal data of individuals who visit and interact with this website. Users who access external websites through links provided here are advised to consult the privacy notice of those respective sites.

 

Purpose and Lawful Basis for Processing Data

While your consent may be solicited to process your personal data, we may also process your personal data without your consent, such as when the processing is according to the Secretariat’s mandate or when processing is allowed under the other lawful bases for processing in Sections 12 or 13 of the DPA.

In these instances, your personal data is utilized for the following purposes:

  • To document and process inquiries and requests within the Assembly, and enable the Secretariat to properly address them and forward them to the appropriate party for action and response.
  • To solicit feedback for any Secretariat-related concerns.
  • To provide you with timely updates and advisories in an orderly manner.
  • To comply with a legal obligation to which the Secretariat is subject.
  • To comply with the requirements of public order and safety or to fulfill the functions of public authority, including processing personal data to fulfill the mandate of the NPC.
  • To be able to provide the appropriate action that a data subject may require concerning their data privacy rights.

 

Moreover, we may collect other personal data that are relevant and necessary to perform our mandate of providing data subject assistance.

 

Personal Data Collected and Manner of Collection

We collect personal data, including full name, designation/title, email address, and gender pronoun (non-compulsory) upon submission of your inquiries or requests.

 

Disclosure and Transfer of Personal Data

Personal data processed by the Secretariat will not be shared with any other party unless allowed under Sections 12 or 13 of the DPA.

Personal data may be transferred to the following recipients to  carry out the work and tasks assigned for the operation of the GPA which do not require consent:

  1. Jersey Data Protection Authority
  2. Morocco-National Commission for the Protection of Personal Data Protection
  3. Bulgarian Commission for Personal Data Protection
  4. Korea Personal Information Protection Commission
  5. Philippines National Privacy Commission
  6. Dubai International Financial Centre Office of the Data Protection Commissioner
  7. South Africa Information Regulator

 

No transfers will be made that require consent, in compliance with the DPA, as well as section 101 and articles 44, 45 and 46 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), ensuring an adequate level.

 

Risks Involved

Risk refers to the potential of an incident to result in harm or danger to a data subject or organization. Risks may lead to the unauthorized collection, use, disclosure, or access to personal data. It includes risks involving the confidentiality, integrity, and availability of personal data or the risk that processing will violate the general data privacy principles and the rights of data subjects. The GPA website may face various internal and external risks including, but not limited to:

  • Outdated contact information resulting in communications being sent to incorrect recipients;
  • Unauthorized access to the administrative portal through compromised login credentials;
  • Use of unauthorized devices (i.e. use of portable devices);
  • Human error in data handling or management;
  • IT security risks associated with using external email accounts for GPA activities;
  • Targeted cyberattacks on web hosting infrastructure;
  • Malware, ransomware, and computer viruses;
  • Cross-border data transfer risks due to cloud-based hosting; and
  • Unauthorized access attempts to manual or digital records.

 

The Secretariat ensures that adequate policies consistent with existing NPC policies, circulars, and other issuances, as well as security measures are in place to protect personal data’s confidentiality, integrity, and availability.  These include but are not limited to the following security measures:

  • Implementation of encryption for secure data transmission, firewall for website protection, regular vulnerability scanning, secure authentication mechanisms for the GPA website administrative portal, and monitoring of login attempts;
  • Restricted access to physical locations where data is stored, secure disposal of physical records containing personal data; and
  • Regular security assessments, implementation of a bi-annual review process for contact information, scanning of email attachments before opening, and following established protocols for addressing security incidents promptly.

 

However, this does not guarantee absolute protection against certain risks involving the processing of personal data, such as exposure of systems to targeted cyberattacks, malware, ransomware, and computer viruses or unauthorized access to manual records.

 

Data Protection and Security Measures

We safeguard the confidentiality, integrity, and availability of your personal data by maintaining a combination of organizational, physical, and technical security measures based on generally accepted data privacy and information security standards. Among the measures we implement are the following:

  • Policies on access control in both digital and physical infrastructures to prevent unauthorized access to personal data.
  • Acceptable use policies.
  • End-to-end encryption and data classification whenever suitable.
  • Security measures against natural disasters, power disturbances, external access, and similar threats.
  • Technical measures to protect our computers and databases against accidental, unlawful, or unauthorized usage, interference, or access.

 

Storage and Retention

We store files containing personal data in our computers and servers, which are kept in a secure environment. We may also store your personal data with cloud-based third-party data storage providers. We shall ensure that proper measures are adopted to protect your personal data.

Personal data shall be stored in appropriate databases until December 2028 at the end of the term of the NPC Philippines as the Secretariat or until full turnover of such personal data to the succeeding Secretariat.

Other categories of data may be kept longer than December 2028 when its retention period is determined by other relevant laws and regulations.

 

Rights of a Data Subject

Under the DPA, a data subject has the right to be informed and request a copy of personal data collected as well as to dispute and have the data therein corrected in case of inaccuracy or error. You may request a copy from the Secretariat. You also have the right to suspend, withdraw or order the blocking, removal, or destruction of your personal data under certain circumstances, such as when it is no longer necessary.

The data subject shall have the right, where personal data is processed by electronic means and in a structured and commonly used format, to obtain from the personal information controller (PIC), a copy of data undergoing processing in an electronic or structured format, which is commonly used and allows for further use by the data subject.

If you believe that your personal data has been misused, maliciously disclosed, or improperly disposed of, or if you feel your data privacy rights have been violated, you have the right to file a complaint with the NPC.

Also, if you are a resident of a European territory, and you consider that there is any violation of your rights of access, rectification and deletion of your data, limitation and opposition to its processing, you can file a complaint with the data protection authority of your country and other competent supervisory authorities.

 

Changes to the Privacy Notice

The Secretariat reserves the right to update, amend or revise the privacy notice at any time. Prior versions of the privacy notice shall be retained by the Secretariat and may be provided to the data subject upon request.

 

Feedback on the Privacy Notice

For any suggestions, comments, or recommendations to improve this privacy notice or any issues concerning NPC’s data privacy practices as the GPA Secretariat, please contact us at dpo@privacy.gov.ph.

 

Date of effectivity: January 2025