Privacy Policy Statement

iii. Information collected or generated after enrolment and during the course of the
students’ stay with the University. After students enroll in the University, additional
information about them may be collected, including:
(1) academic or curricular undertakings, such as the classes they enroll in,
scholastic performance, attendance record, etc.
(2) co-curricular matters they may engage in, such as service learning, outreach
activities, internship or apprenticeship compliance;
(3) extra-curricular activities, such as membership in student organizations,
leadership positions, and participation and attendance in seminars,
competitions, programs, outreach activities, and study tours;
(4) any disciplinary incident that they may be involved in, including
accompanying sanctions. There will also be times when the University will
acquire other forms of data like pictures or videos of activities students
participate in, via official documentation of such activities, or through
recordings from closed-circuit security television cameras installed within
school premises.

iv. Unsolicited Information. There may be instances when personal information is
received by the University without prior request (e.g. medical records submitted by
students not required for enrollment, anonymous complaints). In such cases, the
University shall promptly assess whether the information is necessary and directly
related to its official functions or legitimate interests. If the information is found to

be irrelevant, unnecessary, or unsupported by a lawful basis for processing, it shall
be securely disposed of in a manner that protects the data subject’s privacy. Only
unsolicited information that is clearly aligned with the University’s legitimate
purposes and meets the requirements of lawful processing under the Data Privacy
Act shall be retained and treated in accordance with applicable privacy policies.
The mere receipt of unsolicited information shall not be construed as valid consent
or as a basis for unrestricted use or processing.

b. Use of Information. To the extent permitted or required by law, the University may use
the data subjects’ personal data to pursue the University’s legitimate interests as an
educational institution, including a variety of academic, administrative, research, historical,
and statistical purposes.
i. The University may use the information it collected for purposes such as:
(1) evaluating applications for admission to the University;

(2) processing confirmation of incoming, transfer, cross-registering, or non-
degree students in preparation for enrollment;

(3) recording, generating, and maintaining student records of academic, co-
curricular, and extra-curricular progress;

(4) recording, storing, and evaluating student work, such as homework,
seatwork, quizzes, long tests, exams, term papers, theses, dissertations,
culminating or integrating projects, research papers, reflection papers,
essays and presentations;
(5) recording, generating, and maintaining records, whether manually,
electronically, or by other means, of grades, academic history, class
schedules, class attendance and participation in curricular, co-curricular,
and extra-curricular activities;
(6) establishing and maintaining student information systems;
(7) sharing of grades between and among faculty members, and others with
legitimate official need, for academic deliberations and evaluation of
student performance;
(8) processing scholarship applications, grants, allowances, reports to
benefactors, and other forms of financial assistance;
(9) investigating incidents that relate to student behavior and implementing
disciplinary measures;
(10) maintaining directories and alumni records;
(11) compiling and generating reports for statistical and research purposes;
(12) providing services such as health, insurance, counseling, information
technology, library, sports/recreation, transportation, parking, campus
mobility, safety and security;
(13) managing and controlling access to campus facilities and equipment;
(14) communicating official school announcements;

(15) sharing marketing and promotional materials regarding school-related
functions, events, projects, and activities;
(16) soliciting participation in research and non-commercial surveys sanctioned
by the University;
(17) soliciting support, financial or otherwise, for University programs, projects,
and events;
(18) sharing information with persons or institutions as provided below.
ii. The University shall consider the processing personal data for these purposes to be
necessary for the performance of its contractual obligations to the data subjects, for
the University’s compliance with a legal obligation, to protect the data subjects’
vitally important interests, including their life and health, for the performance of
tasks the University carries out in the public interest (e.g., public order, public
safety, etc.), or for the pursuit of the legitimate interests of the University or a third
party. However, considering that the DPA of 2012 imposes stricter rules for the
processing of sensitive personal information and privileged information, the
University shall fully commit to abiding by those rules.
iii. If the University requires the data subjects’ consent for any specific use of their
personal data, the University shall collect it at the appropriate time.
iv. The University shall not subject the data subjects’ personal data to any automated
decision-making process without their prior consent.

c. Sharing, Disclosing, and Transferring of Personal Data. To the extent permitted or
required by law, the University may also share, disclose, and transfer personal data to other
persons or entities for the purpose/s of upholding the interests and pursue the University’s
legitimate interests as an institution of higher learning.
For instance, the University may share, disclose, and transfer personal data for purposes
such as:
(1) posting of acceptance to the University, awarding of financial aid and merit
scholarship grants, class lists, class schedules, online, in school bulletin
boards, or other places within the University;
(2) sharing the data subjects’ personal data with parents, guardians, or next of
kin, as required by law, or on a need-to-know basis, as determined by the
University, in order to promote best interests, or to protect health, safety,
and security, or that of others;
(3) sharing of some information to donors, funders, or benefactors for purposes
of scholarship, grants, and other forms of assistance;
(4) publication of scholars’ graduation brochure for distribution to donors,
funders, or benefactors;
(5) distribution of the list of graduates and awardees in preparation for and
during commencement exercises;
(6) reporting and/or disclosure of information to the NPC and other government
bodies or agencies (e.g., Commission on Higher Education [CHED],

Department of Budget and Management [DBM], Commission on Audit
[COA], Department of Education [DepEd], Bureau of Immigration [BOI],
Department of Foreign Affairs [DFA], Civil Service Commission [CSC],
Bureau of Internal Revenue [BIR], Professional Regulation Commission
[PRC], Legal Education Board [LEB], Supreme Court, etc.), when required
or allowed by law;
(7) sharing of information with entities or organizations (e.g. Accrediting
Agency of Chartered Colleges and Universities in the Philippines, ASEAN
University Network, Development Academy of the Philippines,
International Organization for Standardization, Quacquarelli Symonds,
Times Higher Education, UI Green Metric World University Rankings,
(WURI) The World University Rankings for Innovation, Engineering
Accreditation Commission (ABET) for accreditations and rankings;
(8) sharing of information with entities or organizations (e.g., Philippine
Association of State Universities and Colleges, University Athletic
Association of the Philippines and other sports bodies) for determining
eligibility in sports or academic competitions, as well as other similar
events;
(9) complying with court orders, subpoenas and/or other legal obligations;
(10) conducting internal research or surveys for purposes of institutional
development;
(11) publishing academic, co-curricular, and extra-curricular achievements and
success, including honors lists and names of awardees in school bulletin
boards, website, social media sites, and publications;

(12) sharing academic accomplishments of honors and co-curricular or extra-
curricular achievements with schools a student graduated from or were

previously enrolled in, upon their request and consent;
(13) use of photos, videos, and other information in order to promote the school,
including its activities and events, through marketing or advertising
materials, such as brochures, website posts, newspaper advertisements,
physical and electronic bulletin boards, and other media;
(14) live-streaming of University events;
(15) publication of communications with journalistic content, such as news
information in University publications, and social media sites.

The personal data herein contemplated include, but are not limited to full name, academic
standing related personal data, date of birth, scholarship status, list of awards received,
participation in competitions or school events, photographs, disciplinary records, and family
background or financial status (when applying for aid).
d. Storage and Retention of Personal Data. Personal data shall be stored and transmitted
securely in a variety of paper and electronic formats, including databases that are shared
between the University’s different units or offices.
i. Access to the data subjects’ personal data is limited to University personnel who
have a legitimate interest in them for the purpose of carrying out their contractual
duties. The use of personal data shall not be excessive.

ii. Unless otherwise provided by law or by appropriate University policies, the
University shall retain the data subjects’ relevant personal data indefinitely for
historical and statistical purposes. Where a retention period is provided by law
and/or a University policy, all affected records will be securely disposed of after
such period.

e. Rights of the Students, Applicants, and Alumni as data subjects. Under the Data
Privacy Act of 2012, data subjects are granted several fundamental rights to ensure their
personal information is handled appropriately and transparently:
i. Right to be Informed. Data subjects are entitled to know the purposes for which
their personal data is being collected and processed. They also have the right to stay
informed about the reasons and purpose of data processing and collection. The
personnel responsible for such collecting and processing shall provide a clear and
thorough explanation and notification with the data subject before proceeding with
the processing of personal data.
ii. Right to Access. Data subjects have the right to access their personal information,
including details about its origin, the entities it has been shared with, and the
manner and reasons for its processing and disclosure.
iii. Right to Object. Data subjects may contest any inaccuracies or errors in their
personal data and request corrections from the Personal Information Controller,
provided their objections are reasonable and legally justified.
iv. Right to Suspension/Blocking/Removal/Destruction. Data subjects can request
the suspension, blocking, removal, or destruction of their personal data from
records if it is used unlawfully or is no longer necessary for its original purpose,
supported by substantial evidence. Provided, That, the request is not in conflict with
the University’s lawful obligations or other legal bases for processing.
v. Right to Rectification. Data subjects have the right to request the correction of any
incorrect or incomplete data to ensure accuracy and completeness.
vi. Right to Claim Damages. Data subjects have the right to receive, pursuant to a
valid decision, damages due to the inaccurate, incomplete, outdated, false,
unlawfully obtained, or unauthorized use of personal data, taking into account any
violation of their rights and freedoms as a data subject.
vii. Right to Data Portability. Where the personal data is processed by electronic
means and in a structured and commonly used format, the data subject shall have
the right to obtain from the University a copy of such data in an electronic or
structured format that is commonly used and allows for further use by the data
subject. The exercise of this right shall primarily take into account the right of data
subject to have control over his or her personal data being processed based on
consent or contract, for commercial purpose, or through automated means.
Provided, however, That, this shall not be applicable if the processed personal data
are used only for the needs of scientific and statistical research and, on the basis of
such, no activities are carried out and no decisions are taken regarding the data
subject: Provided, further, That the personal data shall be held under strict
confidentiality and shall be used only for the declared purpose.
This provision is also not applicable to the processing of personal data gathered for
the purpose of investigations in relation to any administrative liabilities of a data
subject. Any limitations on the rights of the data subject shall only be to the
minimum extent necessary to achieve the purpose of said research or investigation.

viii. Right to file a Complaint. Data subjects have the right to lodge a complaint before
the NPC if they determine that their personal data are being misused, maliciously
disclosed, or improperly disposed, or that any of their data privacy rights have been
violated.

f. Mechanism on exercising the data subject rights. The University is committed to
ensuring that data subject rights are respected, protected, and facilitated through clear and
responsive procedures as outlined hereunder:
i. The right to be informed is exercised by the data subjects through this Manual and
other applicable privacy notices of the University.
ii. The right to file a complaint must take into account the exhaustion of administrative
remedies by filing a request with the proper offices or a complaint with the
DPO/COP either in person, via email, or registered mail. In the exercise thereof,
the data subject shall briefly discuss the complaint or inquiry, together with contact
details for reference. The data subject may accomplish the prescribed Data Privacy
Complaint/Inquiry Form for the purpose. The University shall resolve the
complaint/inquiry within 15 calendar days from the receipt of complaint or inquiry
sufficient in form and substance.
iii. The right to claim damages may be exercised by filing a complaint with the NPC,
in accordance with its Rules of Procedure governing all complaints filed before the
Commission. Claiming for damages shall be subject to existing laws, rules,
regulations, and jurisprudence on the filing of money claims against the
government.
iv. The right to access personal data shall be subject to the provisions of Article XVI,
Section 46 of this Manual. The provisions of the immediately succeeding items on
the standard response time, proof of identification, and transmissibility of rights are
likewise applicable for right to access personal data.
v. As to all other rights of the data subjects, appropriate request using the Data Subject
Rights Request Form shall be submitted to the DPO/COP either in person, via
email, or registered mail. The DPO/COP shall acknowledge submissions within
two (2) working days, and upon receipt of a valid request, the DPO/COP shall
transmit the request to the concerned office or unit for appropriate action, and shall
monitor compliance and delivery of the required response or remedy.
vi. The DPO/COP shall resolve or respond within twenty (20) working days,
extendable with due notice to the requestor and justification for such extension. The
maximum time prescribed may be extended only once for the same number of days
pursuant to R.A. No. 11032 or the Ease of Doing Business and Efficient
Government Service Delivery Act of 2018.
vii. To exercise any of these rights, the data subject must present a valid University ID
or a government-issued ID. If submitted through a representative, a letter of
authorization indicating the name of the authorized representative, the purpose of
the request, and valid identification of both the data subject and the representative
must be submitted.
Data subjects who are alive but incapacitated, and for some reason are unable to
assert their own personal privacy rights but wish to authorize a “legal assignee” to
act as their proxy may do so by executing a legal notice to the effect, such as through
a Special Power of Attorney. In case of a deceased data subject, the legal heir must
be prepared to show legal evidence to back their claim. Parents or guardians

automatically assume the responsibility of protecting the privacy rights of minors
under their care. Provided, however, That, this shall not be applicable if the
processed personal data are used only for the needs of scientific and statistical
research and, on the basis of such, no activities are carried out and no decisions are
taken regarding the data subject: Provided, further, That the personal data shall be
held under strict confidentiality and shall be used only for the declared purpose.
This provision is also not applicable to the processing of personal data gathered for
the purpose of investigations in relation to any administrative liabilities of a data
subject. Any limitations on the rights of the data subject shall only be to the
minimum extent necessary to achieve the purpose of said research or investigation.

(9) PhilHealth MDR or ID PhilHealth Member Registration Form;
(10) tax-related documents, such as TIN ID or BIR Form 1902 (with stamp) and
2316; and
(11) bank account details necessary to facilitate the processing of compensation.
v. The University may also collect and generate information during the course of
employment or engagement with the University. After joining the University,
collecting additional information about personnel may pursue, which may include:
(1) annual physical examination results;
(2) union membership (if applicable);
(3) other data that may be used in the processing of loan applications and
insurance claims, in performance evaluation and in administrative and
disciplinary cases. There will also be times when the University will acquire
other forms of data like pictures or videos of activities participated, via
official documentation of such activities, or through recordings CCTV
installed within the school premises.

vi. Unsolicited Information. There may be instances when personal information is
received by the University without prior request (e.g. medical records submitted by
personnel not required for employment, when a third party sends resumes without
a job posting, anonymous complaints). In such cases, the University shall promptly
assess whether the information is necessary and directly related to its official
functions or legitimate interests. If the information is found to be irrelevant,
unnecessary, or unsupported by a lawful basis for processing, it shall be securely
disposed of in a manner that protects the data subject’s privacy. Only unsolicited
information that is clearly aligned with the University’s legitimate purposes and
meets the requirements of lawful processing under the Data Privacy Act shall be
retained and treated in accordance with applicable privacy policies. The mere
receipt of unsolicited information shall not be construed as valid consent or as a
basis for unrestricted use or processing.

b. Use of Information. To the extent permitted or required by law, the University shall use
personal data to pursue legitimate interests as an educational institution, employer, and/or
contracting party, including a variety of administrative, research, historical, and statistical
purposes.
i. The University may use the information collected for purposes such as:
(1) identifying applicants and processing their respective applications;
(2) assessing the suitability of candidates for a particular role or position;
(3) verifying the provided or submitted information;
(4) checking background information;
(5) evaluating academic qualifications;
(6) supporting personnel when implementing health-related adjustments that
will allow them to carry out a particular role or task;

(7) administering remuneration, payroll, pension, and other standard
employment functions;
(8) administering human resource-related processes, including those relating to
performance management, and disciplinary issues;
(9) delivering or providing facilities, services, security, and staff benefits to
employees;
(10) facilitating claims and remittances for mandatory benefits;
(11) communicating effectively with personnel, including the distribution of
relevant newsletters and circulars;
(12) supporting personnel training, health, safety, welfare and religious
requirements;
(13) compiling statistics and conducting surveys and research for internal and
statutory reporting purposes;
(14) enabling the Office of Human Resource Management and to contact others
in the event of an emergency; and
(15) other similar or related tasks.
ii. The University considers the processing of personal data for these purposes
necessary for the performance of contractual obligations, compliance with a legal
obligation, to protect vitally important interests, including life and health, for the
performance of tasks the University carry out in the public interest (e.g., public
order, public safety, etc.), or for the pursuit of the legitimate interests of the
University, or a third party. The University understand that the DPA imposes
stricter rules for the processing of sensitive personal information and privileged
information, and the University shall be fully committed to abiding by those rules.
c. Sharing, Disclosing and Transferring of Personal Data. To the extent permitted or
required by law, the University may also share, disclose, or transfer personal data to other
persons or organizations in order to pursue legitimate interests as an educational institution,
employer, and/or contracting party.
University may share, disclose, or transfer personal data for purposes such as:
(1) submission of information to government agencies such as the Commission
on Higher Education and Department of Education, Civil Service
Commission, Department of Budget and Management, Commission on
Audit all for accreditation and/or reportorial requirements for:
a. the Government Service Insurance System;
b. Philippine Health Insurance Corporation; and
c. Pag-IBIG, and Bureau of Internal Revenue, for the provision of
employment benefits and remittance of taxes as mandated by law.
(2) sharing of necessary information to contracted providers such as insurance
companies, banks, and other similar organizations, in relation to any or all
of loan applications and insurance claims;

(3) sharing information with entities or organizations (e.g. Accrediting Agency
of Chartered Colleges and Universities in the Philippines, ASEAN
University Network, Development Academy of the Philippines,
International Organization for Standardization, Quacquarelli Symonds,
Times Higher Education, UI Green Metric World University Rankings,
(WURI) The World University Rankings for Innovation, Engineering
Accreditation Commission (ABET) for accreditation and university ranking
purposes;
(4) disclosure of information related to termination of employment, flexible
fixed/variable work arrangements, employee’s compensation report to the
Civil Service Commission, as part of the University’s reportorial
obligations; and
(5) other purposes, when necessary and under circumstances permitted or
required by law.

The personal data herein contemplated include, but are not limited to full name, employee
number, position title/designations, plantilla, professional qualifications, performance
ratings, service records, compensation details, government-issued identification numbers,
notices of appointment, termination documents, incident reports, or disciplinary records,
and investigation records.
d. Storage and Retention of Personal Data. Personal data is stored and transmitted securely
in a variety of paper and electronic formats, including databases that are shared between
the University and its different units or offices. Access to personal data is limited to
University personnel who have a legitimate interest in them for the purpose of carrying out
their contractual duties.
In retaining personal information, the University shall follow the document retention
policies as developed by the Records Management Office. In the absence thereof, the
University shall follow the retention periods as prescribed by the National Archives of the
Philippines (NAP).
e. Rights of University Personnel as data subjects. Under the Data Privacy Act of 2012,
data subjects are granted several fundamental rights to ensure their personal information is
handled appropriately and transparently:
i. Right to be Informed. Data subjects are entitled to know the purposes for which
their personal data is being collected and processed. They also have the right to stay
informed about the reasons and purpose of data processing and collection. The
personnel responsible for such collecting and processing shall provide a clear and
thorough explanation and notification with the data subject before proceeding with
the processing of personal data.
ii. Right to Access. Data subjects have the right to access their personal information,
including details about its origin, the entities it has been shared with, and the
manner and reasons for its processing and disclosure.
iii. Right to Object. Data subjects may contest any inaccuracies or errors in their
personal data and request corrections from the Personal Information Controller,
provided their objections are reasonable and legally justified.
iv. Right to Suspension/Blocking/Removal/Destruction. Data subjects can request
the suspension, blocking, removal, or destruction of their personal data from
records if it is used unlawfully or is no longer necessary for its original purpose,

supported by substantial evidence. Provided, That, the request is not in conflict with
the University’s lawful obligations or other legal bases for processing.
v. Right to Rectification. Data subjects have the right to request the correction of any
incorrect or incomplete data to ensure accuracy and completeness.
vi. Right to Claim Damages. Data subjects have the right to receive, pursuant to a
valid decision, damages due to the inaccurate, incomplete, outdated, false,
unlawfully obtained, or unauthorized use of personal data, taking into account any
violation of their rights and freedoms as a data subject.
vii. Right to Data Portability. Where the personal data is processed by electronic
means and in a structured and commonly used format, the data subject shall have
the right to obtain from the University a copy of such data in an electronic or
structured format that is commonly used and allows for further use by the data
subject. The exercise of this right shall primarily take into account the right of data
subject to have control over his or her personal data being processed based on
consent or contract, for commercial purpose, or through automated means.
Provided, however, That, this shall not be applicable if the processed personal data
are used only for the needs of scientific and statistical research and, on the basis of
such, no activities are carried out and no decisions are taken regarding the data
subject: Provided, further, That the personal data shall be held under strict
confidentiality and shall be used only for the declared purpose.
This provision is also not applicable to the processing of personal data gathered for
the purpose of investigations in relation to any administrative liabilities of a data
subject. Any limitations on the rights of the data subject shall only be to the
minimum extent necessary to achieve the purpose of said research or investigation.
viii. Right to file a Complaint. Data subjects have the right to lodge a complaint before
the NPC if they determine that their personal data are being misused, maliciously
disclosed, or improperly disposed, or that any of their data privacy rights have been
violated.

iv. The right to access personal data shall be subject to the provisions of Article XVI,
Section 46 of this Manual. The provisions of the immediately succeeding items on
the standard response time, proof of identification, and transmissibility of rights are
likewise applicable for right to access personal data.
v. As to all other rights of the data subjects, appropriate request using the Data Subject
Rights Request Form shall be submitted to the DPO/COP either in person, via
email, or registered mail. The DPO/COP shall acknowledge submissions within
two (2) working days, and upon receipt of a valid request, the DPO/COP shall
transmit the request to the concerned office or unit for appropriate action, and shall
monitor compliance and delivery of the required response or remedy.
vi. The DPO/COP shall resolve or respond within twenty (20) working days,
extendable with due notice to the requestor and justification for such extension. The
maximum time prescribed may be extended only once for the same number of days
pursuant to R.A. No. 11032 or the Ease of Doing Business and Efficient
Government Service Delivery Act of 2018.
vii. To exercise any of these rights, the data subject must present a valid University ID
or a government-issued ID. If submitted through a representative, a letter of
authorization indicating the name of the authorized representative, the purpose of
the request, and valid identification of both the data subject and the representative
must be submitted.
Data subjects who are alive but incapacitated, and for some reason are unable to
assert their own personal privacy rights but wish to authorize a “legal assignee” to
act as their proxy may do so by executing a legal notice to the effect, such as through
a Special Power of Attorney. In case of a deceased data subject, the legal heir must
be prepared to show legal evidence to back their claim. Parents or guardians
automatically assume the responsibility of protecting the privacy rights of minors
under their care. Provided, however, That, this shall not be applicable if the
processed personal data are used only for the needs of scientific and statistical
research and, on the basis of such, no activities are carried out and no decisions are
taken regarding the data subject: Provided, further, That the personal data shall be
held under strict confidentiality and shall be used only for the declared purpose.
This provision is also not applicable to the processing of personal data gathered for
the purpose of investigations in relation to any administrative liabilities of a data
subject. Any limitations on the rights of the data subject shall only be to the
minimum extent necessary to achieve the purpose of said research or investigation.

b. Purpose of Collection. The recorded information is used primarily to help keep the site
safe and secure. In addition, it may also be used for bug tracking, investigations relating to
a security or data breach, and usage statistics.
If the University need to use any collected information that constitutes personal data for
purposes not compatible with those listed here, it shall inform the data subject prior to such
use and, where required by law, obtain proper consent.
c. Use, Storage, and Retention of Personal Data. All information collected by domains
maintained by the University is stored in its data centers that are accessible only to
authorized personnel and agents, such as, in some cases, third party service providers. Third
parties who maintain or manage websites for some units or offices of the University store
their collected information in their own designated servers or data centers.
The collected information is kept for as long as necessary to achieve the declared purpose
for its collection. In no case will it shared with or transferred to other persons or
organizations, unless required or permitted by law.

d. Rights of Web Visitors as data subjects. Under the Data Privacy Act of 2012, data
subjects are granted several fundamental rights to ensure their personal information is
handled appropriately and transparently:
i. Right to be Informed. Data subjects are entitled to know the purposes for which
their personal data is being collected and processed. They also have the right to stay
informed about the reasons and purpose of data processing and collection. The
personnel responsible for such collecting and processing shall provide a clear and
thorough explanation and notification with the data subject before proceeding with
the processing of personal data.
ii. Right to Access. Data subjects have the right to access their personal information,
including details about its origin, the entities it has been shared with, and the
manner and reasons for its processing and disclosure.
iii. Right to Object. Data subjects may contest any inaccuracies or errors in their
personal data and request corrections from the Personal Information Controller,
provided their objections are reasonable and legally justified.
iv. Right to Suspension/Blocking/Removal/Destruction. Data subjects can request
the suspension, blocking, removal, or destruction of their personal data from
records if it is used unlawfully or is no longer necessary for its original purpose,
supported by substantial evidence. Provided, That, the request is not in conflict with
the University’s lawful obligations or other legal bases for processing.
v. Right to Rectification. Data subjects have the right to request the correction of any
incorrect or incomplete data to ensure accuracy and completeness.
vi. Right to Claim Damages. Data subjects have the right to receive, pursuant to a
valid decision, damages due to the inaccurate, incomplete, outdated, false,
unlawfully obtained, or unauthorized use of personal data, taking into account any
violation of their rights and freedoms as a data subject.
vii. Right to Data Portability. Where the personal data is processed by electronic
means and in a structured and commonly used format, the data subject shall have
the right to obtain from the University a copy of such data in an electronic or
structured format that is commonly used and allows for further use by the data
subject. The exercise of this right shall primarily take into account the right of data
subject to have control over his or her personal data being processed based on
consent or contract, for commercial purpose, or through automated means.
Provided, however, That, this shall not be applicable if the processed personal data
are used only for the needs of scientific and statistical research and, on the basis of
such, no activities are carried out and no decisions are taken regarding the data
subject: Provided, further, That the personal data shall be held under strict
confidentiality and shall be used only for the declared purpose.
This provision is also not applicable to the processing of personal data gathered for
the purpose of investigations in relation to any administrative liabilities of a data
subject. Any limitations on the rights of the data subject shall only be to the
minimum extent necessary to achieve the purpose of said research or investigation.
viii. Right to file a Complaint. Data subjects have the right to lodge a complaint before
the NPC if they determine that their personal data are being misused, maliciously
disclosed, or improperly disposed, or that any of their data privacy rights have been
violated.

e. Mechanism on exercising the data subject rights. The University is committed to
ensuring that data subject rights are respected, protected, and facilitated through clear and
responsive procedures as outlined hereunder:
i. The right to be informed is exercised by the data subjects through this Manual and
other applicable privacy notices of the University.
ii. The right to file a complaint must take into account the exhaustion of administrative
remedies by filing a request with the proper offices or a complaint with the
DPO/COP either in person, via email, or registered mail. In the exercise thereof,
the data subject shall briefly discuss the complaint or inquiry, together with contact
details for reference. The data subject may accomplish the prescribed Data Privacy
Complaint/Inquiry Form for the purpose. The University shall resolve the
complaint/inquiry within 15 calendar days from the receipt of complaint or inquiry
sufficient in form and substance.
iii. The right to claim damages may be exercised by filing a complaint with the NPC,
in accordance with its Rules of Procedure governing all complaints filed before the
Commission. Claiming for damages shall be subject to existing laws, rules,
regulations, and jurisprudence on the filing of money claims against the
government.
iv. The right to access personal data shall be subject to the provisions of Article XVI,
Section 46 of this Manual. The provisions of the immediately succeeding items on
the standard response time, proof of identification, and transmissibility of rights are
likewise applicable for right to access personal data.
v. As to all other rights of the data subjects, appropriate request using the Data Subject
Rights Request Form shall be submitted to the DPO/COP either in person, via
email, or registered mail. The DPO/COP shall acknowledge submissions within
two (2) working days, and upon receipt of a valid request, the DPO/COP shall
transmit the request to the concerned office or unit for appropriate action, and shall
monitor compliance and delivery of the required response or remedy.
vi. The DPO/COP shall resolve or respond within twenty (20) working days,
extendable with due notice to the requestor and justification for such extension. The
maximum time prescribed may be extended only once for the same number of days
pursuant to R.A. No. 11032 or the Ease of Doing Business and Efficient
Government Service Delivery Act of 2018.
vii. To exercise any of these rights, the data subject must present a valid University ID
or a government-issued ID. If submitted through a representative, a letter of
authorization indicating the name of the authorized representative, the purpose of
the request, and valid identification of both the data subject and the representative
must be submitted.
Data subjects who are alive but incapacitated, and for some reason are unable to
assert their own personal privacy rights but wish to authorize a “legal assignee” to
act as their proxy may do so by executing a legal notice to the effect, such as through
a Special Power of Attorney. In case of a deceased data subject, the legal heir must
be prepared to show legal evidence to back their claim. Parents or guardians
automatically assume the responsibility of protecting the privacy rights of minors
under their care. Provided, however, That, this shall not be applicable if the
processed personal data are used only for the needs of scientific and statistical
research and, on the basis of such, no activities are carried out and no decisions are
taken regarding the data subject: Provided, further, That the personal data shall be

held under strict confidentiality and shall be used only for the declared purpose.
This provision is also not applicable to the processing of personal data gathered for
the purpose of investigations in relation to any administrative liabilities of a data
subject. Any limitations on the rights of the data subject shall only be to the
minimum extent necessary to achieve the purpose of said research or investigation.

This Privacy Policy outlines and discusses how the University collects, uses, or otherwise
processes your personal data in relation to your engagement with the University. The University
protects your right to privacy. As we seek to balance the privacy of your data while ensuring the
free flow of information, we also aim to comply with the requirements of the laws on data
protection, its implementing rules and regulations and other applicable laws relating to data
privacy.
The following privacy policy shall govern the collection, use, storage, and sharing of personal data
of guests and visitors to the University’s premises:
a. Collection, Acquisition and Generation of Personal Data. The University may collect
basic information about the data subjects by asking them to sign the official log book and
requiring them to deposit a proof of identity (ID) for verification purposes. For those with
vehicles, the University shall take note of vehicle plate number and ask to present any valid
ID. Video footage shall also be recorded via a CCTV system installed in all campus entry
and exit points.
b. Purpose of Collection. While the University collects the data primarily as a security
measure, they also help in investigating reported violations of University policies and other
applicable laws, and generate statistics useful for planning and service improvement
purposes.
c. Use, Storage and Retention of Personal Data. Data are kept in a place inside the
University where at least one security personnel is on-duty 24/7. Only authorized
University and security personnel have access to them. For the disposal of logbooks, the
University shall follow the document retention policies as developed by the Records
Management Office. In the absence thereof, the University shall follow the retention
periods as prescribed by the NAP. CCTV footages, on the other hand, are stored for thirty
(30) days before being automatically deleted. The University shall not transfer or share
personal data with other persons or organizations, unless required or permitted by law.
d. Rights of Guests and Visitors as data subjects. Under the Data Privacy Act of 2012, data
subjects are granted several fundamental rights to ensure their personal information is
handled appropriately and transparently:
i. Right to be Informed. Data subjects are entitled to know the purposes for which
their personal data is being collected and processed. They also have the right to stay
informed about the reasons and purpose of data processing and collection. The
personnel responsible for such collecting and processing shall provide a clear and
thorough explanation and notification with the data subject before proceeding with
the processing of personal data.
ii. Right to Access. Data subjects have the right to access their personal information,
including details about its origin, the entities it has been shared with, and the
manner and reasons for its processing and disclosure.
iii. Right to Object. Data subjects may contest any inaccuracies or errors in their
personal data and request corrections from the Personal Information Controller,
provided their objections are reasonable and legally justified.
iv. Right to Suspension/Blocking/Removal/Destruction. Data subjects can request
the suspension, blocking, removal, or destruction of their personal data from
records if it is used unlawfully or is no longer necessary for its original purpose,
supported by substantial evidence. Provided, That, the request is not in conflict with
the University’s lawful obligations or other legal bases for processing.

v. Right to Rectification. Data subjects have the right to request the correction of any
incorrect or incomplete data to ensure accuracy and completeness.
vi. Right to Claim Damages. Data subjects have the right to receive, pursuant to a
valid decision, damages due to the inaccurate, incomplete, outdated, false,
unlawfully obtained, or unauthorized use of personal data, taking into account any
violation of their rights and freedoms as a data subject.
vii. Right to Data Portability. Where the personal data is processed by electronic
means and in a structured and commonly used format, the data subject shall have
the right to obtain from the University a copy of such data in an electronic or
structured format that is commonly used and allows for further use by the data
subject. The exercise of this right shall primarily take into account the right of data
subject to have control over his or her personal data being processed based on
consent or contract, for commercial purpose, or through automated means.
Provided, however, That, this shall not be applicable if the processed personal data
are used only for the needs of scientific and statistical research and, on the basis of
such, no activities are carried out and no decisions are taken regarding the data
subject: Provided, further, That the personal data shall be held under strict
confidentiality and shall be used only for the declared purpose.
This provision is also not applicable to the processing of personal data gathered for
the purpose of investigations in relation to any administrative liabilities of a data
subject. Any limitations on the rights of the data subject shall only be to the
minimum extent necessary to achieve the purpose of said research or investigation.
viii. Right to file a Complaint. Data subjects have the right to lodge a complaint before
the NPC if they determine that their personal data are being misused, maliciously
disclosed, or improperly disposed, or that any of their data privacy rights have been
violated.

the standard response time, proof of identification, and transmissibility of rights are
likewise applicable for right to access personal data.
v. As to all other rights of the data subjects, appropriate request using the Data Subject
Rights Request Form shall be submitted to the DPO/COP either in person, via
email, or registered mail. The DPO/COP shall acknowledge submissions within
two (2) working days, and upon receipt of a valid request, the DPO/COP shall
transmit the request to the concerned office or unit for appropriate action, and shall
monitor compliance and delivery of the required response or remedy.
vi. The DPO/COP shall resolve or respond within twenty (20) working days,
extendable with due notice to the requestor and justification for such extension. The
maximum time prescribed may be extended only once for the same number of days
pursuant to R.A. No. 11032 or the Ease of Doing Business and Efficient
Government Service Delivery Act of 2018.
vii. To exercise any of these rights, the data subject must present a valid University ID
or a government-issued ID. If submitted through a representative, a letter of
authorization indicating the name of the authorized representative, the purpose of
the request, and valid identification of both the data subject and the representative
must be submitted.
Data subjects who are alive but incapacitated, and for some reason are unable to
assert their own personal privacy rights but wish to authorize a “legal assignee” to
act as their proxy may do so by executing a legal notice to the effect, such as through
a Special Power of Attorney. In case of a deceased data subject, the legal heir must
be prepared to show legal evidence to back their claim. Parents or guardians
automatically assume the responsibility of protecting the privacy rights of minors
under their care. Provided, however, That, this shall not be applicable if the
processed personal data are used only for the needs of scientific and statistical
research and, on the basis of such, no activities are carried out and no decisions are
taken regarding the data subject: Provided, further, That the personal data shall be
held under strict confidentiality and shall be used only for the declared purpose.
This provision is also not applicable to the processing of personal data gathered for
the purpose of investigations in relation to any administrative liabilities of a data
subject. Any limitations on the rights of the data subject shall only be to the
minimum extent necessary to achieve the purpose of said research or investigation.

(3) execution of a Deed of Donation, Memorandum of Agreement or
Understanding, and similar agreements or documents;
(4) sending a letter of acknowledgment or appreciation, announcement or
invitation, or special greeting on birthday or holidays;
(5) communicating fundraising campaign opportunities;
(6) announcement of and/or invitation to relevant University events, whether
for acknowledgment, transparency, or promotion purposes;
(7) feature write-up in the University website to inspire similar giving from
potential donors;
(8) updating of personal data in our University alumni database and donor
database, if applicable;
(9) compiling statistics and conducting research for internal and statutory
reporting purposes auditing purposes.

c. Disclosing and Sharing of Personal Data. The University may disclose, share, or transfer
personal data to other persons or organizations pursuant to the legitimate interests of the
University or the third party concerned or if required or permitted by law, and subject to
the applicable access restriction of the University. Recipients of personal data may include:
(1) service providers of the University;
(2) relevant government agencies and/or public authorities;
(3) organizations affiliated with the University.
The personal data herein contemplated include, but are not limited to full name, address,
and professional profile of the benefactor, donor, or sponsor.
It must be noted that in cases where the University believe that consent is needed, it shall
secure such consent before disclosing, sharing, or transferring personal data. When so
required by law or regulations, the University will also make sure to adopt contractual
means to guarantee the protection of personal data when these are shared with others.
d. Storage and Retention of Personal Data. Personal data is transmitted and stored securely
in paper and electronic formats. Access to personal data is limited to University personnel
who have a legitimate interest in them for the purpose of carrying out their official
functions or duties. The data are kept for as long as necessary to achieve the declared
purpose of their collection or generation.
e. Protection of Personal Data. The University ensures the protection of personal data by
implementing appropriate standards for organizational, physical, and technical security
measures. It includes requiring a Non-Disclosure Agreement (NDA) for personnel and
contracts entered into with third parties that is embedded with data protection clauses.
f. Rights of Benefactors, Donors and Sponsors as data subjects. Under the Data Privacy
Act of 2012, data subjects are granted several fundamental rights to ensure their personal
information is handled appropriately and transparently:
i. Right to be Informed. Data subjects are entitled to know the purposes for which
their personal data is being collected and processed. They also have the right to stay

informed about the reasons and purpose of data processing and collection. The
personnel responsible for such collecting and processing shall provide a clear and
thorough explanation and notification with the data subject before proceeding with
the processing of personal data.
ii. Right to Access. Data subjects have the right to access their personal information,
including details about its origin, the entities it has been shared with, and the
manner and reasons for its processing and disclosure.
iii. Right to Object. Data subjects may contest any inaccuracies or errors in their
personal data and request corrections from the Personal Information Controller,
provided their objections are reasonable and legally justified.
iv. Right to Suspension/Blocking/Removal/Destruction. Data subjects can request
the suspension, blocking, removal, or destruction of their personal data from
records if it is used unlawfully or is no longer necessary for its original purpose,
supported by substantial evidence. Provided, That, the request is not in conflict with
the University’s lawful obligations or other legal bases for processing.
v. Right to Rectification. Data subjects have the right to request the correction of any
incorrect or incomplete data to ensure accuracy and completeness.
vi. Right to Claim Damages. Data subjects have the right to receive, pursuant to a
valid decision, damages due to the inaccurate, incomplete, outdated, false,
unlawfully obtained, or unauthorized use of personal data, taking into account any
violation of their rights and freedoms as a data subject.
vii. Right to Data Portability. Where the personal data is processed by electronic
means and in a structured and commonly used format, the data subject shall have
the right to obtain from the University a copy of such data in an electronic or
structured format that is commonly used and allows for further use by the data
subject. The exercise of this right shall primarily take into account the right of data
subject to have control over his or her personal data being processed based on
consent or contract, for commercial purpose, or through automated means.
Provided, however, That, this shall not be applicable if the processed personal data
are used only for the needs of scientific and statistical research and, on the basis of
such, no activities are carried out and no decisions are taken regarding the data
subject: Provided, further, That the personal data shall be held under strict
confidentiality and shall be used only for the declared purpose.
This provision is also not applicable to the processing of personal data gathered for
the purpose of investigations in relation to any administrative liabilities of a data
subject. Any limitations on the rights of the data subject shall only be to the
minimum extent necessary to achieve the purpose of said research or investigation.
viii. Right to file a Complaint. Data subjects have the right to lodge a complaint before
the NPC if they determine that their personal data are being misused, maliciously
disclosed, or improperly disposed, or that any of their data privacy rights have been
violated.

g. Mechanism on exercising the data subject rights. The University is committed to
ensuring that data subject rights are respected, protected, and facilitated through clear and
responsive procedures as outlined hereunder:
i. The right to be informed is exercised by the data subjects through this Manual and
other applicable privacy notices of the University.

ii. The right to file a complaint must take into account the exhaustion of administrative
remedies by filing a request with the proper offices or a complaint with the
DPO/COP either in person, via email, or registered mail. In the exercise thereof,
the data subject shall briefly discuss the complaint or inquiry, together with contact
details for reference. The data subject may accomplish the prescribed Data Privacy
Complaint/Inquiry Form for the purpose. The University shall resolve the
complaint/inquiry within 15 calendar days from the receipt of complaint or inquiry
sufficient in form and substance.
iii. The right to claim damages may be exercised by filing a complaint with the NPC,
in accordance with its Rules of Procedure governing all complaints filed before the
Commission. Claiming for damages shall be subject to existing laws, rules,
regulations, and jurisprudence on the filing of money claims against the
government.
iv. The right to access personal data shall be subject to the provisions of Article XVI,
Section 46 of this Manual. The provisions of the immediately succeeding items on
the standard response time, proof of identification, and transmissibility of rights are
likewise applicable for right to access personal data.
v. As to all other rights of the data subjects, appropriate request using the Data Subject
Rights Request Form shall be submitted to the DPO/COP either in person, via
email, or registered mail. The DPO/COP shall acknowledge submissions within
two (2) working days, and upon receipt of a valid request, the DPO/COP shall
transmit the request to the concerned office or unit for appropriate action, and shall
monitor compliance and delivery of the required response or remedy.
vi. The DPO/COP shall resolve or respond within twenty (20) working days,
extendable with due notice to the requestor and justification for such extension. The
maximum time prescribed may be extended only once for the same number of days
pursuant to R.A. No. 11032 or the Ease of Doing Business and Efficient
Government Service Delivery Act of 2018.
vii. To exercise any of these rights, the data subject must present a valid University ID
or a government-issued ID. If submitted through a representative, a letter of
authorization indicating the name of the authorized representative, the purpose of
the request, and valid identification of both the data subject and the representative
must be submitted.
Data subjects who are alive but incapacitated, and for some reason are unable to
assert their own personal privacy rights but wish to authorize a “legal assignee” to
act as their proxy may do so by executing a legal notice to the effect, such as through
a Special Power of Attorney. In case of a deceased data subject, the legal heir must
be prepared to show legal evidence to back their claim. Parents or guardians
automatically assume the responsibility of protecting the privacy rights of minors
under their care. Provided, however, That, this shall not be applicable if the
processed personal data are used only for the needs of scientific and statistical
research and, on the basis of such, no activities are carried out and no decisions are
taken regarding the data subject: Provided, further, That the personal data shall be
held under strict confidentiality and shall be used only for the declared purpose.
This provision is also not applicable to the processing of personal data gathered for
the purpose of investigations in relation to any administrative liabilities of a data
subject. Any limitations on the rights of the data subject shall only be to the
minimum extent necessary to achieve the purpose of said research or investigation.

PROVIDERS, AND OTHER PAYEES

b. Use of Information. To the extent required or permitted by law, personal data is used in
connection with mandate or functions as an educational institution, employer, and/or
contracting party, including a variety of administrative, research, historical, and statistical
purposes. The University may use personal data collected for purposes such as:
(1) evaluating a possible engagement with the suppliers, service providers, and
other payees;
(2) execution of a service agreement, purchase agreements, construction
agreement and similar agreements or documents;
(3) sending notices and other communications;
(4) processing payments to you or the entity you represent;
(5) issuing and delivering payment vouchers and, if applicable, withholding tax
certificates;
(6) preparation of reports to be submitted to government agencies;

(7) compliance to the reportorial requirements of monitoring and regulatory
agencies of the national government, and to comply with legal processes
and court orders;
(8) if the University requires consent for any specific use of personal data, or
as determined by the type of data involved, personal data will be collected
at the appropriate time. Similarly, the University will not subject personal
data to any automated decision-making process without prior consent.
c. Sharing, Disclosing, and Transferring of Personal Data. To the extent required or
permitted by law, the University may also share, disclose, or transfer personal data to other
persons or organizations.
The University may share, disclose and transfer personal data in the following instances:
(1) submission of personal data to government agencies, such as the Bureau of
Internal Revenue, Government Procurement Policy Board, Commission on
Audit etc. in order to meet their reportorial requirements;
(2) other purposes, when necessary and under circumstances permitted or
required by law.

The personal data herein contemplated include, but are not limited to full name, full name,
business interest, tax identification number, address, contact information, bank account
details (when required for lawful payment processing), and names and positions of
company representatives or signatories.
d. Storage and Retention of Personal Data. Personal data is stored and transmitted securely
in paper and electronic formats, including databases accessible to some of the University’s
other units or offices. Access is limited only to University personnel who have a legitimate
interest in them, such as when it is necessary for them to carry out their respective duties
and responsibilities. The use of personal data will not be excessive, and shall be limited
only to that which is necessary to achieve the purpose of collection, and/or only when it is
permitted by law. Personal data is kept while still necessary to achieve the declared purpose
of its collection or generation or as required or permitted by applicable laws and
regulations.
e. Rights of Contractors, Suppliers, Providers and other Payees as data subjects. Under
the Data Privacy Act of 2012, data subjects are granted several fundamental rights to ensure
information is handled appropriately and transparently:
i. Right to be Informed. Data subjects are entitled to know the purposes for which
their personal data is being collected and processed. They also have the right to stay
informed about the reasons and purpose of data processing and collection. The
personnel responsible for such collecting and processing shall provide a clear and
thorough explanation and notification with the data subject before proceeding with
the processing of personal data.
ii. Right to Access. Data subjects have the right to access their personal information,
including details about its origin, the entities it has been shared with, and the
manner and reasons for its processing and disclosure.
iii. Right to Object. Data subjects may contest any inaccuracies or errors in their
personal data and request corrections from the Personal Information Controller,
provided their objections are reasonable and legally justified.

iv. Right to Suspension/Blocking/Removal/Destruction. Data subjects can request
the suspension, blocking, removal, or destruction of their personal data from
records if it is used unlawfully or is no longer necessary for its original purpose,
supported by substantial evidence. Provided, That, the request is not in conflict with
the University’s lawful obligations or other legal bases for processing.
v. Right to Rectification. Data subjects have the right to request the correction of any
incorrect or incomplete data to ensure accuracy and completeness.
vi. Right to Claim Damages. Data subjects have the right to receive, pursuant to a
valid decision, damages due to the inaccurate, incomplete, outdated, false,
unlawfully obtained, or unauthorized use of personal data, taking into account any
violation of their rights and freedoms as a data subject.
vii. Right to Data Portability. Where the personal data is processed by electronic
means and in a structured and commonly used format, the data subject shall have
the right to obtain from the University a copy of such data in an electronic or
structured format that is commonly used and allows for further use by the data
subject. The exercise of this right shall primarily take into account the right of data
subject to have control over his or her personal data being processed based on
consent or contract, for commercial purpose, or through automated means.
Provided, however, That, this shall not be applicable if the processed personal data
are used only for the needs of scientific and statistical research and, on the basis of
such, no activities are carried out and no decisions are taken regarding the data
subject: Provided, further, That the personal data shall be held under strict
confidentiality and shall be used only for the declared purpose.
This provision is also not applicable to the processing of personal data gathered for
the purpose of investigations in relation to any administrative liabilities of a data
subject. Any limitations on the rights of the data subject shall only be to the
minimum extent necessary to achieve the purpose of said research or investigation.
viii. Right to file a Complaint. Data subjects have the right to lodge a complaint before
the NPC if they determine that their personal data are being misused, maliciously
disclosed, or improperly disposed, or that any of their data privacy rights have been
violated.

regulations, and jurisprudence on the filing of money claims against the
government.
iv. The right to access personal data shall be subject to the provisions of Article XVI,
Section 46 of this Manual. The provisions of the immediately succeeding items on
the standard response time, proof of identification, and transmissibility of rights are
likewise applicable for right to access personal data.
v. As to all other rights of the data subjects, appropriate request using the Data Subject
Rights Request Form shall be submitted to the DPO/COP either in person, via
email, or registered mail. The DPO/COP shall acknowledge submissions within
two (2) working days, and upon receipt of a valid request, the DPO/COP shall
transmit the request to the concerned office or unit for appropriate action, and shall
monitor compliance and delivery of the required response or remedy.
vi. The DPO/COP shall resolve or respond within twenty (20) working days,
extendable with due notice to the requestor and justification for such extension. The
maximum time prescribed may be extended only once for the same number of days
pursuant to R.A. No. 11032 or the Ease of Doing Business and Efficient
Government Service Delivery Act of 2018.
vii. To exercise any of these rights, the data subject must present a valid University ID
or a government-issued ID. If submitted through a representative, a letter of
authorization indicating the name of the authorized representative, the purpose of
the request, and valid identification of both the data subject and the representative
must be submitted.
Data subjects who are alive but incapacitated, and for some reason are unable to
assert their own personal privacy rights but wish to authorize a “legal assignee” to
act as their proxy may do so by executing a legal notice to the effect, such as through
a Special Power of Attorney. In case of a deceased data subject, the legal heir must
be prepared to show legal evidence to back their claim. Parents or guardians
automatically assume the responsibility of protecting the privacy rights of minors
under their care. Provided, however, That, this shall not be applicable if the
processed personal data are used only for the needs of scientific and statistical
research and, on the basis of such, no activities are carried out and no decisions are
taken regarding the data subject: Provided, further, That the personal data shall be
held under strict confidentiality and shall be used only for the declared purpose.
This provision is also not applicable to the processing of personal data gathered for
the purpose of investigations in relation to any administrative liabilities of a data
subject. Any limitations on the rights of the data subject shall only be to the
minimum extent necessary to achieve the purpose of said research or investigation.