Privacy Policy Statement

This Privacy Policy outlines and discusses how the University collects, uses, or otherwise processes your personal data in relation to your engagement with the University. The University protects your right to privacy. As we seek to balance the privacy of your data while ensuring the free flow of information, we also aim to comply with the requirements of the laws on data protection, its implementing rules and regulations and other applicable laws relating to data privacy.

The following privacy policy shall govern the collection, use, storage, and sharing of personal data of applicants, students, and alumni in connection with their application, academic endeavors, and post-graduation engagements with the University:

a. Collection, Acquisition, and Generation of Personal Data. The University may collect, acquire, or generate personal data of applicants, students, and alumni in many forms.

i. Personal data may consist of written records, photographic and video images, digital material, and even biometric records.

ii. Information collected during application for admission includes:

(1) directory information, like data subjects’ name, email address, telephone number, and other contact details;

(2) data about personal circumstances, such as family background, history, and other relevant circumstances, previous schools attended, academic performance, disciplinary record, employment record, and medical records;

(3) any or all information obtained through interviews and/or during entrance
tests or admission examinations.

iii. Information collected or generated after enrolment and during the course of the students’ stay with the University. After students enroll in the University, additional information about them may be collected, including:

(1) academic or curricular undertakings, such as the classes they enroll in, scholastic performance, attendance record, etc.

(2) co-curricular matters they may engage in, such as service learning, outreach activities, internship or apprenticeship compliance;

(3) extra-curricular activities, such as membership in student organizations, leadership positions, and participation and attendance in seminars, competitions, programs, outreach activities, and study tours;

(4) any disciplinary incident that they may be involved in, including accompanying sanctions. There will also be times when the University will acquire other forms of data like pictures or videos of activities students participate in, via official documentation of such activities, or through recordings from closed-circuit security television cameras installed within school premises.

iv. Unsolicited Information. There may be instances when personal information is received by the University without prior request (e.g. medical records submitted by students not required for enrollment, anonymous complaints). In such cases, the University shall promptly assess whether the information is necessary and directly related to its official functions or legitimate interests. If the information is found to be irrelevant, unnecessary, or unsupported by a lawful basis for processing, it shall be securely disposed of in a manner that protects the data subject’s privacy. Only unsolicited information that is clearly aligned with the University’s legitimate purposes and meets the requirements of lawful processing under the Data Privacy Act shall be retained and treated in accordance with applicable privacy policies. The mere receipt of unsolicited information shall not be construed as valid consent or as a basis for unrestricted use or processing.

b. Use of Information. To the extent permitted or required by law, the University may use the data subjects’ personal data to pursue the University’s legitimate interests as an educational institution, including a variety of academic, administrative, research, historical, and statistical purposes.

i. The University may use the information it collected for purposes such as:

(1) evaluating applications for admission to the University;

(2) processing confirmation of incoming, transfer, cross-registering, or non-degree students in preparation for enrollment

(3) recording, generating, and maintaining student records of academic, co-curricular, and extra-curricular progress;

(4) recording, storing, and evaluating student work, such as homework, seatwork, quizzes, long tests, exams, term papers, theses, dissertations, culminating or integrating projects, research papers, reflection papers, essays and presentations;

(5) recording, generating, and maintaining records, whether manually, electronically, or by other means, of grades, academic history, class schedules, class attendance and participation in curricular, co-curricular, and extra-curricular activities;

(6) establishing and maintaining student information systems;

(7) sharing of grades between and among faculty members, and others with legitimate official need, for academic deliberations and evaluation of student performance;

(8) processing scholarship applications, grants, allowances, reports to benefactors, and other forms of financial assistance;

(9) investigating incidents that relate to student behavior and implementing disciplinary measures;

(10) maintaining directories and alumni records;

(11) compiling and generating reports for statistical and research purposes;

(12) providing services such as health, insurance, counseling, information technology, library, sports/recreation, transportation, parking, campus mobility, safety and security;

(13) managing and controlling access to campus facilities and equipment;

(14) communicating official school announcements;

(15) sharing marketing and promotional materials regarding school-related functions, events, projects, and activities;

(16) soliciting participation in research and non-commercial surveys sanctioned by the University;

(17) soliciting support, financial or otherwise, for University programs, projects, and events;

(18) sharing information with persons or institutions as provided below.

ii. The University shall consider the processing personal data for these purposes to be necessary for the performance of its contractual obligations to the data subjects, for the University’s compliance with a legal obligation, to protect the data subjects’ vitally important interests, including their life and health, for the performance of tasks the University carries out in the public interest (e.g., public order, public safety, etc.), or for the pursuit of the legitimate interests of the University or a third party. However, considering that the DPA of 2012 imposes stricter rules for the processing of sensitive personal information and privileged information, the University shall fully commit to abiding by those rules.

iii. If the University requires the data subjects’ consent for any specific use of their personal data, the University shall collect it at the appropriate time.

iv. The University shall not subject the data subjects’ personal data to any automated decision-making process without their prior consent.

c. Sharing, Disclosing, and Transferring of Personal Data. To the extent permitted or required by law, the University may also share, disclose, and transfer personal data to other persons or entities for the purpose/s of upholding the interests and pursue the University’s legitimate interests as an institution of higher learning.

For instance, the University may share, disclose, and transfer personal data for purposes such as:

(1) posting of acceptance to the University, awarding of financial aid and merit scholarship grants, class lists, class schedules, online, in school bulletin boards, or other places within the University;

(2) sharing the data subjects’ personal data with parents, guardians, or next of kin, as required by law, or on a need-to-know basis, as determined by the University, in order to promote best interests, or to protect health, safety, and security, or that of others;

(3) sharing of some information to donors, funders, or benefactors for purposes of scholarship, grants, and other forms of assistance;

(4) publication of scholars’ graduation brochure for distribution to donors, funders, or benefactors;

(5) distribution of the list of graduates and awardees in preparation for and during commencement exercises;

(6) reporting and/or disclosure of information to the NPC and other government bodies or agencies (e.g., Commission on Higher Education [CHED], Department of Budget and Management [DBM], Commission on Audit [COA], Department of Education [DepEd], Bureau of Immigration [BOI], Department of Foreign Affairs [DFA], Civil Service Commission [CSC], Bureau of Internal Revenue [BIR], Professional Regulation Commission [PRC], Legal Education Board [LEB], Supreme Court, etc.), when required or allowed by law;

(7) sharing of information with entities or organizations (e.g. Accrediting
Agency of Chartered Colleges and Universities in the Philippines, ASEAN
University Network, Development Academy of the Philippines,
International Organization for Standardization, Quacquarelli Symonds,
Times Higher Education, UI Green Metric World University Rankings,
(WURI) The World University Rankings for Innovation, Engineering
Accreditation Commission (ABET) for accreditations and rankings;

(8) sharing of information with entities or organizations (e.g., Philippine
Association of State Universities and Colleges, University Athletic
Association of the Philippines and other sports bodies) for determining
eligibility in sports or academic competitions, as well as other similar
events;

(9) complying with court orders, subpoenas and/or other legal obligations;

(10) conducting internal research or surveys for purposes of institutional
development;

(11) publishing academic, co-curricular, and extra-curricular achievements and success, including honors lists and names of awardees in school bulletin boards, website, social media sites, and publications;

(12) sharing academic accomplishments of honors and co-curricular or extra-curricular achievements with schools a student graduated from or were previously enrolled in, upon their request and consent;

(13) use of photos, videos, and other information in order to promote the school, including its activities and events, through marketing or advertising materials, such as brochures, website posts, newspaper advertisements, physical and electronic bulletin boards, and other media;

(14) live-streaming of University events;

(15) publication of communications with journalistic content, such as news information in University publications, and social media sites.

The personal data herein contemplated include, but are not limited to full name, academic standing related personal data, date of birth, scholarship status, list of awards received, participation in competitions or school events, photographs, disciplinary records, and family background or financial status (when applying for aid).

d. Storage and Retention of Personal Data. Personal data shall be stored and transmitted securely in a variety of paper and electronic formats, including databases that are shared between the University’s different units or offices.

i. Access to the data subjects’ personal data is limited to University personnel who have a legitimate interest in them for the purpose of carrying out their contractual duties. The use of personal data shall not be excessive.

ii. Unless otherwise provided by law or by appropriate University policies, the University shall retain the data subjects’ relevant personal data indefinitely for historical and statistical purposes. Where a retention period is provided by law and/or a University policy, all affected records will be securely disposed of after such period.

e. Rights of the Students, Applicants, and Alumni as data subjects. Under the Data Privacy Act of 2012, data subjects are granted several fundamental rights to ensure their personal information is handled appropriately and transparently:

i. Right to be Informed. Data subjects are entitled to know the purposes for which their personal data is being collected and processed. They also have the right to stay informed about the reasons and purpose of data processing and collection. The personnel responsible for such collecting and processing shall provide a clear and thorough explanation and notification with the data subject before proceeding with the processing of personal data.

ii. Right to Access. Data subjects have the right to access their personal information, including details about its origin, the entities it has been shared with, and the manner and reasons for its processing and disclosure.

iii. Right to Object. Data subjects may contest any inaccuracies or errors in their personal data and request corrections from the Personal Information Controller, provided their objections are reasonable and legally justified.

iv. Right to Suspension/Blocking/Removal/Destruction. Data subjects can request the suspension, blocking, removal, or destruction of their personal data from records if it is used unlawfully or is no longer necessary for its original purpose, supported by substantial evidence. Provided, That, the request is not in conflict with the University’s lawful obligations or other legal bases for processing.

v. Right to Rectification. Data subjects have the right to request the correction of any incorrect or incomplete data to ensure accuracy and completeness.

vi. Right to Claim Damages. Data subjects have the right to receive, pursuant to a valid decision, damages due to the inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal data, taking into account any violation of their rights and freedoms as a data subject.

vii. Right to Data Portability. Where the personal data is processed by electronic means and in a structured and commonly used format, the data subject shall have the right to obtain from the University a copy of such data in an electronic or structured format that is commonly used and allows for further use by the data
subject. The exercise of this right shall primarily take into account the right of data subject to have control over his or her personal data being processed based on consent or contract, for commercial purpose, or through automated means. Provided, however, That, this shall not be applicable if the processed personal data are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data
subject: Provided, further, That the personal data shall be held under strict
confidentiality and shall be used only for the declared purpose.
This provision is also not applicable to the processing of personal data gathered for
the purpose of investigations in relation to any administrative liabilities of a data
subject. Any limitations on the rights of the data subject shall only be to the
minimum extent necessary to achieve the purpose of said research or investigation.

viii. Right to file a Complaint. Data subjects have the right to lodge a complaint before the NPC if they determine that their personal data are being misused, maliciously disclosed, or improperly disposed, or that any of their data privacy rights have been violated.

f. Mechanism on exercising the data subject rights. The University is committed to ensuring that data subject rights are respected, protected, and facilitated through clear and responsive procedures as outlined hereunder:

i. The right to be informed is exercised by the data subjects through this Manual and other applicable privacy notices of the University.

ii. The right to file a complaint must take into account the exhaustion of administrative remedies by filing a request with the proper offices or a complaint with the DPO/COP either in person, via email, or registered mail. In the exercise thereof, the data subject shall briefly discuss the complaint or inquiry, together with contact details for reference. The data subject may accomplish the prescribed Data Privacy Complaint/Inquiry Form for the purpose. The University shall resolve the complaint/inquiry within 15 calendar days from the receipt of complaint or inquiry sufficient in form and substance.

iii. The right to claim damages may be exercised by filing a complaint with the NPC, in accordance with its Rules of Procedure governing all complaints filed before the Commission. Claiming for damages shall be subject to existing laws, rules, regulations, and jurisprudence on the filing of money claims against the government.

iv. The right to access personal data shall be subject to the provisions of Article XVI, Section 46 of this Manual. The provisions of the immediately succeeding items on the standard response time, proof of identification, and transmissibility of rights are likewise applicable for right to access personal data.

v. As to all other rights of the data subjects, appropriate request using the Data Subject Rights Request Form shall be submitted to the DPO/COP either in person, via email, or registered mail. The DPO/COP shall acknowledge submissions within two (2) working days, and upon receipt of a valid request, the DPO/COP shall transmit the request to the concerned office or unit for appropriate action, and shall monitor compliance and delivery of the required response or remedy.

vi. The DPO/COP shall resolve or respond within twenty (20) working days, extendable with due notice to the requestor and justification for such extension. The maximum time prescribed may be extended only once for the same number of days pursuant to R.A. No. 11032 or the Ease of Doing Business and Efficient Government Service Delivery Act of 2018.

vii. To exercise any of these rights, the data subject must present a valid University ID or a government-issued ID. If submitted through a representative, a letter of authorization indicating the name of the authorized representative, the purpose of the request, and valid identification of both the data subject and the representative must be submitted. Data subjects who are alive but incapacitated, and for some reason are unable to assert their own personal privacy rights but wish to authorize a “legal assignee” to act as their proxy may do so by executing a legal notice to the effect, such as through a Special Power of Attorney. In case of a deceased data subject, the legal heir must be prepared to show legal evidence to back their claim. Parents or guardians automatically assume the responsibility of protecting the privacy rights of minors
under their care. Provided, however, That, this shall not be applicable if the processed personal data are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, further, That the personal data shall be held under strict confidentiality and shall be used only for the declared purpose. This provision is also not applicable to the processing of personal data gathered for
the purpose of investigations in relation to any administrative liabilities of a data subject. Any limitations on the rights of the data subject shall only be to the minimum extent necessary to achieve the purpose of said research or investigation.

The following policy shall govern the collection, use, storage, and sharing of personal data of University personnel, including faculty, officials, job order, and contractual employees:

a. Collection, Acquisition and Generation of Personal Data. The University may collect the data subjects’ personal data in many forms.

i. Personal data may consist of written records, photographic and video images, digital material, and even biometric records.

ii. Information collected and generated prior to engagement includes:

(1) Personal Data Sheet (PDS) and Work Experience Sheet (WES);

(2) request to provide the resume;

(3) transcript of Records;

(4) Performance rating; and

(5) details about professional license and eligibility, if any.

iii. During the preliminary screening, the University may collect additional information, including those generated from the interview and/or those obtained from indicated professional referees. If the personnel is already engaged by the University, the information already in the University’s possession to process application may be utilized for the new or different position.

iv. The University may also collect and generate information upon issuance of an employment offer or commencement of engagement. Once the job offer is accepted and the applicant agree to the terms of a proposed engagement, the University will collect another set of information including, but not limited to, the following:

(1) Certificate of Employment;

(2) Medical/Fit-to-Work Clearance;

(3) National Bureau of Investigation (NBI) or Police Clearance;

(4) Philippine Statistics Authority (PSA) Birth Certificate (applicant/dependents);

(5) PSA Marriage Contract;

(6) SSS ID or E1 or E4;

(7) Pag-IBIG Member’s Data Form and/or ID;

(8) Pag-IBIG Member’s Change in Information Form (MCIF);

(9) PhilHealth MDR or ID PhilHealth Member Registration Form;

(10) tax-related documents, such as TIN ID or BIR Form 1902 (with stamp) and 2316; and

(11) bank account details necessary to facilitate the processing of compensation.

v. The University may also collect and generate information during the course of employment or engagement with the University. After joining the University, collecting additional information about personnel may pursue, which may include:

(1) annual physical examination results;

(2) union membership (if applicable);

(3) other data that may be used in the processing of loan applications and insurance claims, in performance evaluation and in administrative and disciplinary cases. There will also be times when the University will acquire other forms of data like pictures or videos of activities participated, via official documentation of such activities, or through recordings CCTV installed within the school premises.

vi. Unsolicited Information. There may be instances when personal information is received by the University without prior request (e.g. medical records submitted by personnel not required for employment, when a third party sends resumes without a job posting, anonymous complaints). In such cases, the University shall promptly assess whether the information is necessary and directly related to its official functions or legitimate interests. If the information is found to be irrelevant, unnecessary, or unsupported by a lawful basis for processing, it shall be securely disposed of in a manner that protects the data subject’s privacy. Only unsolicited information that is clearly aligned with the University’s legitimate purposes andmeets the requirements of lawful processing under the Data Privacy Act shall be retained and treated in accordance with applicable privacy policies. The mere receipt of unsolicited information shall not be construed as valid consent or as a basis for unrestricted use or processing.

b. Use of Information. To the extent permitted or required by law, the University shall use personal data to pursue legitimate interests as an educational institution, employer, and/or contracting party, including a variety of administrative, research, historical, and statistical purposes.

i. The University may use the information collected for purposes such as:

(1) identifying applicants and processing their respective applications;

(2) assessing the suitability of candidates for a particular role or position

(3) verifying the provided or submitted information;

(4) checking background information;

(5) evaluating academic qualifications;

(6) supporting personnel when implementing health-related adjustments that will allow them to carry out a particular role or task;

(7) administering remuneration, payroll, pension, and other standard
employment functions;

(8) administering human resource-related processes, including those relating to performance management, and disciplinary issues;

(9) delivering or providing facilities, services, security, and staff benefits to employees;

(10) facilitating claims and remittances for mandatory benefits;

(11) communicating effectively with personnel, including the distribution of relevant newsletters and circulars;

(12) supporting personnel training, health, safety, welfare and religious
requirements;

(13) compiling statistics and conducting surveys and research for internal and statutory reporting purposes;

(14) enabling the Office of Human Resource Management and to contact others in the event of an emergency; and

(15) other similar or related tasks.

ii. The University considers the processing of personal data for these purposes necessary for the performance of contractual obligations, compliance with a legal obligation, to protect vitally important interests, including life and health, for the performance of tasks the University carry out in the public interest (e.g., public order, public safety, etc.), or for the pursuit of the legitimate interests of the University, or a third party. The University understand that the DPA imposes stricter rules for the processing of sensitive personal information and privileged information, and the University shall be fully committed to abiding by those rules.

c. Sharing, Disclosing and Transferring of Personal Data. To the extent permitted or required by law, the University may also share, disclose, or transfer personal data to other persons or organizations in order to pursue legitimate interests as an educational institution, employer, and/or contracting party.

University may share, disclose, or transfer personal data for purposes such as

(1) submission of information to government agencies such as the Commission on Higher Education and Department of Education, Civil Service Commission, Department of Budget and Management, Commission on Audit all for accreditation and/or reportorial requirements for:

a. the Government Service Insurance System;

b. Philippine Health Insurance Corporation; and

c. Pag-IBIG, and Bureau of Internal Revenue, for the provision of
employment benefits and remittance of taxes as mandated by law.

(2) sharing of necessary information to contracted providers such as insurance companies, banks, and other similar organizations, in relation to any or all of loan applications and insurance claims;

(3) sharing information with entities or organizations (e.g. Accrediting Agency of Chartered Colleges and Universities in the Philippines, ASEAN
University Network, Development Academy of the Philippines, International Organization for Standardization, Quacquarelli Symonds, Times Higher Education, UI Green Metric World University Rankings, (WURI) The World University Rankings for Innovation, Engineering
Accreditation Commission (ABET) for accreditation and university ranking purposes;

(4) disclosure of information related to termination of employment, flexible fixed/variable work arrangements, employee’s compensation report to the Civil Service Commission, as part of the University’s reportorial obligations; and

(5) other purposes, when necessary and under circumstances permitted or required by law.

The personal data herein contemplated include, but are not limited to full name, employee number, position title/designations, plantilla, professional qualifications, performance ratings, service records, compensation details, government-issued identification numbers, notices of appointment, termination documents, incident reports, or disciplinary records, and investigation records.

d. Storage and Retention of Personal Data. Personal data is stored and transmitted securely in a variety of paper and electronic formats, including databases that are shared between the University and its different units or offices. Access to personal data is limited to University personnel who have a legitimate interest in them for the purpose of carrying out their contractual duties. In retaining personal information, the University shall follow the document retention policies as developed by the Records Management Office. In the absence thereof, the University shall follow the retention periods as prescribed by the National Archives of the Philippines (NAP).

e. Rights of University Personnel as data subjects. Under the Data Privacy Act of 2012, data subjects are granted several fundamental rights tob ensure their personal information is handled appropriately and transparently:

i. Right to be Informed. Data subjects are entitled to know the purposes for which their personal data is being collected and processed. They also have the right to stay informed about the reasons and purpose of data processing and collection. The personnel responsible for such collecting and processing shall provide a clear and thorough explanation and notification with the data subject before proceeding with the processing of personal data.

v. Right to Rectification. Data subjects have the right to request the correction of any incorrect or incomplete data to ensure accuracy and completeness.

vii. Right to Data Portability. Where the personal data is processed by electronic means and in a structured and commonly used format, the data subject shall have the right to obtain from the University a copy of such data in an electronic or structured format that is commonly used and allows for further use by the data subject. The exercise of this right shall primarily take into account the right of data subject to have control over his or her personal data being processed based on consent or contract, for commercial purpose, or through automated means. Provided, however, That, this shall not be applicable if the processed personal data are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, further, That the personal data shall be held under strict confidentiality and shall be used only for the declared purpose.

This provision is also not applicable to the processing of personal data gathered for the purpose of investigations in relation to any administrative liabilities of a data subject. Any limitations on the rights of the data subject shall only be to the minimum extent necessary to achieve the purpose of said research or investigation.

viii. Right to file a Complaint. Data subjects have the right to lodge a complaint before the NPC if they determine that their personal data are being misused, maliciously disclosed, or improperly disposed, or that any of their data privacy rights have been violated.

f. Mechanism on exercising the data subject rights. The University is committed to ensuring that data subject rights are respected, protected, and facilitated through clear and responsive procedures as outlined hereunder:

i. The right to be informed is exercised by the data subjects through this Manual and other applicable privacy notices of the University.

Data subjects who are alive but incapacitated, and for some reason are unable to assert their own personal privacy rights but wish to authorize a “legal assignee” to act as their proxy may do so by executing a legal notice to the effect, such as through a Special Power of Attorney. In case of a deceased data subject, the legal heir must be prepared to show legal evidence to back their claim. Parents or guardians automatically assume the responsibility of protecting the privacy rights of minors
under their care. Provided, however, That, this shall not be applicable if the processed personal data are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, further, That the personal data shall be held under strict confidentiality and shall be used only for the declared purpose. This provision is also not applicable to the processing of personal data gathered for the purpose of. investigations in relation to any administrative liabilities of a data subject. Any limitations on the rights of the data subject shall only be to the minimum extent necessary to achieve the purpose of said research or investigation.

The following policy shall govern the collection, use, storage, and sharing of personal data of individuals visiting the University’s official website and other platforms:

a. Collection, Acquisition and Generation of Personal Data. In cases of browsing the University’s website, it automatically records technical information about the visit. They may include:

(1) browser type and version;

(2) browser plug-in types and versions;

(3) date and time of connection;

(4) length of visits to certain pages;

(5) IP address;

(6) operating system;

(7) pages viewed/searched for;

(8) page interaction information (e.g., scrolling, clicks, and mouse overs);

(9) page response time;

(10) time zone setting;

(11) download errors;

(12) platforms and referrers.

b. Purpose of Collection. The recorded information is used primarily to help keep the site safe and secure. In addition, it may also be used for bug tracking, investigations relating to a security or data breach, and usage statistics.

If the University need to use any collected information that constitutes personal data for purposes not compatible with those listed here, it shall inform the data subject prior to such use and, where required by law, obtain proper consent.

c. Use, Storage, and Retention of Personal Data. All information collected by domains maintained by the University is stored in its data centers that are accessible only to authorized personnel and agents, such as, in some cases, third party service providers. Third parties who maintain or manage websites for some units or offices of the University store their collected information in their own designated servers or data centers.

The collected information is kept for as long as necessary to achieve the declared purpose for its collection. In no case will it shared with or transferred to other persons or organizations, unless required or permitted by law.

d. Rights of Web Visitors as data subjects. Under the Data Privacy Act of 2012, data subjects are granted several fundamental rights to ensure their personal information is handled appropriately and transparently:

ii. Right to Access. Data subjects have the right to access their personal information, including details about its origin, the entities it has been shared with, and the manner and reasons for its processing and disclosure.

v. Right to Rectification. Data subjects have the right to request the correction of any incorrect or incomplete data to ensure accuracy and completeness.

vi. Right to Claim Damages. Data subjects have the right to receive, pursuant to a valid decision, damages due to the inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal data, taking into account any violation of their rights and freedoms as a data subject.

vii. Right to Data Portability. Where the personal data is processed by electronic means and in a structured and commonly used format, the data subject shall have the right to obtain from the University a copy of such data in an electronic or structured format that is commonly used and allows for further use by the data subject. The exercise of this right shall primarily take into account the right of data subject to have control over his or her personal data being processed based on consent or contract, for commercial purpose, or through automated means.
Provided, however, That, this shall not be applicable if the processed personal data are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, further, That the personal data shall be held under strict confidentiality and shall be used only for the declared purpose.

e. Mechanism on exercising the data subject rights. The University is committed to ensuring that data subject rights are respected, protected, and facilitated through clear and responsive procedures as outlined hereunder:

i. The right to be informed is exercised by the data subjects through this Manual and other applicable privacy notices of the University.

vii. To exercise any of these rights, the data subject must present a valid University ID or a government-issued ID. If submitted through a representative, a letter of authorization indicating the name of the authorized representative, the purpose of the request, and valid identification of both the data subject and the representative
must be submitted. Data subjects who are alive but incapacitated, and for some reason are unable to assert their own personal privacy rights but wish to authorize a “legal assignee” to act as their proxy may do so by executing a legal notice to the effect, such as through a Special Power of Attorney. In case of a deceased data subject, the legal heir must be prepared to show legal evidence to back their claim. Parents or guardians
automatically assume the responsibility of protecting the privacy rights of minors under their care. Provided, however, That, this shall not be applicable if the processed personal data are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, further, That the personal data shall be held under strict confidentiality and shall be used only for the declared purpose.
This provision is also not applicable to the processing of personal data gathered for the purpose of investigations in relation to any administrative liabilities of a data subject. Any limitations on the rights of the data subject shall only be to the minimum extent necessary to achieve the purpose of said research or investigation.

The following privacy policy shall govern the collection, use, storage, and sharing of personal data of guests and visitors to the University’s premises:

a. Collection, Acquisition and Generation of Personal Data. The University may collect basic information about the data subjects by asking them to sign the official log book and requiring them to deposit a proof of identity (ID) for verification purposes. For those with vehicles, the University shall take note of vehicle plate number and ask to present any valid ID. Video footage shall also be recorded via a CCTV system installed in all campus entry and exit points.

b. Purpose of Collection. While the University collects the data primarily as a security measure, they also help in investigating reported violations of University policies and other applicable laws, and generate statistics useful for planning and service improvement purposes.

c. Use, Storage and Retention of Personal Data. Data are kept in a place inside the University where at least one security personnel is on-duty 24/7. Only authorized University and security personnel have access to them. For the disposal of logbooks, the University shall follow the document retention policies as developed by the Records Management Office. In the absence thereof, the University shall follow the retention periods as prescribed by the NAP. CCTV footages, on the other hand, are stored for thirty (30) days before being automatically deleted. The University shall not transfer or share personal data with other persons or organizations, unless required or permitted by law.

d. Rights of Guests and Visitors as data subjects. Under the Data Privacy Act of 2012, data subjects are granted several fundamental rights to ensure their personal information is handled appropriately and transparently:

iii. Right to Object. Data subjects may contest any inaccuracies or errors in their personal data and request corrections from the Personal Information Controller, provided their objections are reasonable and legally justified.

iv. Right to Suspension/Blocking/Removal/Destruction. Data subjects can request the suspension, blocking, removal, or destruction of their personal data from records if it is used unlawfully or is no longer necessary for its original purpose, supported by substantial evidence. Provided, That, the request is not in conflict with the University’s lawful obligations or other legal bases for processing.

v. Right to Rectification. Data subjects have the right to request the correction of any incorrect or incomplete data to ensure accuracy and completeness.

vii. Right to Data Portability. Where the personal data is processed by electronic means and in a structured and commonly used format, the data subject shall have the right to obtain from the University a copy of such data in an electronic or structured format that is commonly used and allows for further use by the data subject. The exercise of this right shall primarily take into account the right of data subject to have control over his or her personal data being processed based on consent or contract, for commercial purpose, or through automated means. Provided, however, That, this shall not be applicable if the processed personal data are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, further, That the personal data shall be held under strict confidentiality and shall be used only for the declared purpose. This provision is also not applicable to the processing of personal data gathered for the purpose of investigations in relation to any administrative liabilities of a data
subject. Any limitations on the rights of the data subject shall only be to the minimum extent necessary to achieve the purpose of said research or investigation.

i. The right to be informed is exercised by the data subjects through this Manual and other applicable privacy notices of the University.

Data subjects who are alive but incapacitated, and for some reason are unable to assert their own personal privacy rights but wish to authorize a “legal assignee” to act as their proxy may do so by executing a legal notice to the effect, such as through a Special Power of Attorney. In case of a deceased data subject, the legal heir must be prepared to show legal evidence to back their claim. Parents or guardians automatically assume the responsibility of protecting the privacy rights of minors under their care. Provided, however, That, this shall not be applicable if the processed personal data are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, further, That the personal data shall be held under strict confidentiality and shall be used only for the declared purpose. This provision is also not applicable to the processing of personal data gathered for the purpose of investigations in relation to any administrative liabilities of a data subject. Any limitations on the rights of the data subject shall only be to the minimum extent necessary to achieve the purpose of said research or investigation.

The following privacy policy shall govern the collection, use, storage, and sharing of personal data of benefactors, donors, and sponsors engaging with the University:

a. Collection, Acquisition and Generation of Personal Data. Unless a benefactor, donor, or sponsor expressly indicate the desire to keep the donation confidential, whenever the University receives a donation or gift of any kind, it may collect personal data which may include:

(1) Name;

(2) Contact number;

(3) Email address;

(4) Mailing address (home, office and business);

(5) Tax Identification Number, if applicable;

(6) Valid identification number, if applicable (e.g., when a Deed of Donation or a memorandum of agreement needs to be notarized);

(7) Birthdate;

(8) Alumni details, if applicable;

(9) Job title/position;

(10) Company affiliated with and business details;

(11) Contact information of representative, in the case of a corporate donor. There will be instances when personal data is sent to or received by the University even without prior request. In such cases, the University shall determine if it can legitimately keep such information. If it is not related to any of our legitimate interests, it shall immediately dispose of the information in a way that will safeguard privacy. Otherwise, it shall treat it as if the benefactor, donor or sponsor have provided it directly.

b. Use of Information. To the extent permitted or required by law, the University shall use personal data to pursue its legitimate interests as an organization, including a variety of administrative, communication, research, historical, and statistical purposes. For instance, the University may use the personal data for:

(1) issuance and delivery of official receipt;

(2) issuance of Certificate of Donation;

(3) execution of a Deed of Donation, Memorandum of Agreement or
Understanding, and similar agreements or documents;

(4) sending a letter of acknowledgment or appreciation, announcement or invitation, or special greeting on birthday or holidays;

(5) communicating fundraising campaign opportunities;

(6) announcement of and/or invitation to relevant University events, whether for acknowledgment, transparency, or promotion purposes;

(7) feature write-up in the University website to inspire similar giving from potential donors;

(8) updating of personal data in our University alumni database and donor database, if applicable;

(9) compiling statistics and conducting research for internal and statutory reporting purposes auditing purposes.

c. Disclosing and Sharing of Personal Data. The University may disclose, share, or transfer personal data to other persons or organizations pursuant to the legitimate interests of the University or the third party concerned or if required or permitted by law, and subject to the applicable access restriction of the University. Recipients of personal data may include:

(1) service providers of the University;

(2) relevant government agencies and/or public authorities;

(3) organizations affiliated with the University. The personal data herein contemplated include, but are not limited to full name, address, and professional profile of the benefactor, donor, or sponsor. It must be noted that in cases where the University believe that consent is needed, it shall secure such consent before disclosing, sharing, or transferring personal data. When so required by law or regulations, the University will also make sure to adopt contractual means to guarantee the protection of personal data when these are shared with others.

d. Storage and Retention of Personal Data. Personal data is transmitted and stored securely in paper and electronic formats. Access to personal data is limited to University personnel who have a legitimate interest in them for the purpose of carrying out their official functions or duties. The data are kept for as long as necessary to achieve the declared purpose of their collection or generation.

e. Protection of Personal Data. The University ensures the protection of personal data by implementing appropriate standards for organizational, physical, and technical security measures. It includes requiring a Non-Disclosure Agreement (NDA) for personnel and contracts entered into with third parties that is embedded with data protection clauses.

f. Rights of Benefactors, Donors and Sponsors as data subjects. Under the Data Privacy Act of 2012, data subjects are granted several fundamental rights to ensure their personal information is handled appropriately and transparently:

v. Right to Rectification. Data subjects have the right to request the correction of any incorrect or incomplete data to ensure accuracy and completeness.

vii. Right to Data Portability. Where the personal data is processed by electronic means and in a structured and commonly used format, the data subject shall have the right to obtain from the University a copy of such data in an electronic or structured format that is commonly used and allows for further use by the data subject. The exercise of this right shall primarily take into account the right of data subject to have control over his or her personal data being processed based on consent or contract, for commercial purpose, or through automated means. Provided, however, That, this shall not be applicable if the processed personal data are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, further, That the personal data shall be held under strict confidentiality and shall be used only for the declared purpose. This provision is also not applicable to the processing of personal data gathered for the purpose of investigations in relation to any administrative liabilities of a data
subject. Any limitations on the rights of the data subject shall only be to the minimum extent necessary to achieve the purpose of said research or investigation.

g. Mechanism on exercising the data subject rights. The University is committed to ensuring that data subject rights are respected, protected, and facilitated through clear and responsive procedures as outlined hereunder:

i. The right to be informed is exercised by the data subjects through this Manual and other applicable privacy notices of the University.

Data subjects who are alive but incapacitated, and for some reason are unable to assert their own personal privacy rights but wish to authorize a “legal assignee” to act as their proxy may do so by executing a legal notice to the effect, such as through a Special Power of Attorney. In case of a deceased data subject, the legal heir must be prepared to show legal evidence to back their claim. Parents or guardians automatically assume the responsibility of protecting the privacy rights of minors under their care. Provided, however, That, this shall not be applicable if the. processed personal data are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, further, That the personal data shall be held under strict confidentiality and shall be used only for the declared purpose. This provision is also not applicable to the processing of personal data gathered for the purpose of investigations in relation to any administrative liabilities of a data subject. Any limitations on the rights of the data subject shall only be to the minimum extent necessary to achieve the purpose of said research or investigation.

The following privacy policy shall govern the collection, use, storage, and sharing of personal data of contractors, suppliers, service providers, and other payees engaged with the University:

a. Collection, Acquisition, and Generation of Personal Data. The University may collect personal data either directly from the suppliers, service providers or payees or from the entity it represents. They may include:

(1) Name

(2) Address

(3) Country of citizenship

(4) Tax Identification Number (TIN)

(5) Business permits

(6) Financial statements

(7) Contact details

(8) Bank account information

(9) Other data as may be requirement by existing procurement laws, rules, and regulations

b. Use of Information. To the extent required or permitted by law, personal data is used in connection with mandate or functions as an educational institution, employer, and/or contracting party, including a variety of administrative, research, historical, and statistical purposes. The University may use personal data collected for purposes such as:

(1) evaluating a possible engagement with the suppliers, service providers, and other payees;

(2) execution of a service agreement, purchase agreements, construction agreement and similar agreements or documents;

(3) sending notices and other communications;

(4) processing payments to you or the entity you represent;

(5) issuing and delivering payment vouchers and, if applicable, withholding tax certificates;

(6) preparation of reports to be submitted to government agencies;

(7) compliance to the reportorial requirements of monitoring and regulatory agencies of the national government, and to comply with legal processes and court orders;

(8) if the University requires consent for any specific use of personal data, or as determined by the type of data involved, personal data will be collected at the appropriate time. Similarly, the University will not subject personal data to any automated decision-making process without prior consent.

c. Sharing, Disclosing, and Transferring of Personal Data. To the extent required or permitted by law, the University may also share, disclose, or transfer personal data to other persons or organizations.

The University may share, disclose and transfer personal data in the following instances:

(1) submission of personal data to government agencies, such as the Bureau of Internal Revenue, Government Procurement Policy Board, Commission on Audit etc. in order to meet their reportorial requirements;

(2) other purposes, when necessary and under circumstances permitted or required by law.

The personal data herein contemplated include, but are not limited to full name, full name, business interest, tax identification number, address, contact information, bank account details (when required for lawful payment processing), and names and positions of company representatives or signatories.

d. Storage and Retention of Personal Data. Personal data is stored and transmitted securely in paper and electronic formats, including databases accessible to some of the University’s other units or offices. Access is limited only to University personnel who have a legitimate interest in them, such as when it is necessary for them to carry out their respective duties and responsibilities. The use of personal data will not be excessive, and shall be limited only to that which is necessary to achieve the purpose of collection, and/or only when it is permitted by law. Personal data is kept while still necessary to achieve the declared purpose of its collection or generation or as required or permitted by applicable laws and regulations.

e. Rights of Contractors, Suppliers, Providers and other Payees as data subjects. Under the Data Privacy Act of 2012, data subjects are granted several fundamental rights to ensure information is handled appropriately and transparently:

v. Right to Rectification. Data subjects have the right to request the correction of any incorrect or incomplete data to ensure accuracy and completeness.

vii. Right to Data Portability. Where the personal data is processed by electronic means and in a structured and commonly used format, the data subject shall have the right to obtain from the University a copy of such data in an electronic or structured format that is commonly used and allows for further use by the data subject. The exercise of this right shall primarily take into account the right of data subject to have control over his or her personal data being processed based on consent or contract, for commercial purpose, or through automated means. Provided, however, That, this shall not be applicable if the processed personal data are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, further, That the personal data shall be held under strict confidentiality and shall be used only for the declared purpose. This provision is also not applicable to the processing of personal data gathered for the purpose of investigations in relation to any administrative liabilities of a data subject. Any limitations on the rights of the data subject shall only be to the minimum extent necessary to achieve the purpose of said research or investigation.

f. Mechanism on exercising the data subject rights. The University is committed toensuring that data subject rights are respected, protected, and facilitated through clear and responsive procedures as outlined hereunder:

i. The right to be informed is exercised by the data subjects through this Manual and other applicable privacy notices of the University.
ii. The right to file a complaint must take into account the exhaustion of administrative remedies by filing a request with the proper offices or a complaint with the DPO/COP either in person, via email, or registered mail. In the exercise thereof, the data subject shall briefly discuss the complaint or inquiry, together with contact details for reference. The data subject may accomplish the prescribed Data Privacy Complaint/Inquiry Form for the purpose. The University shall resolve the complaint/inquiry within 15 calendar days from the receipt of complaint or inquiry sufficient in form and substance.

iv. The right to access personal data shall be subject to the provisions of Article XVI,Section 46 of this Manual. The provisions of the immediately succeeding items onthe standard response time, proof of identification, and transmissibility of rights are likewise applicable for right to access personal data.

vii. To exercise any of these rights, the data subject must present a valid University ID or a government-issued ID. If submitted through a representative, a letter of authorization indicating the name of the authorized representative, the purpose of the request, and valid identification of both the data subject and the representative must be submitted. Data subjects who are alive but incapacitated, and for some reason are unable to assert their own personal privacy rights but wish to authorize a “legal assignee” to act as their proxy may do so by executing a legal notice to the effect, such as through a Special Power of Attorney. In case of a deceased data subject, the legal heir must be prepared to show legal evidence to back their claim. Parents or guardians automatically assume the responsibility of protecting the privacy rights of minors under their care. Provided, however, That, this shall not be applicable if the processed personal data are used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, further, That the personal data shall be held under strict confidentiality and shall be used only for the declared purpose. This provision is also not applicable to the processing of personal data gathered for the purpose of investigations in relation to any administrative liabilities of a data subject. Any limitations on the rights of the data subject shall only be to the minimum extent necessary to achieve the purpose of said research or investigation.

Certificate of Registration