Privalex Consulting Group ("PrivaLex") is committed to protecting your personal information and sensitive personal information (collectively “Personal Data”).

We give our assurance that all the processing activities of PrivaLex shall be in accordance with Republic Act No. 10173, otherwise known as the “Data Privacy Act of 2012” (DPA), its Implementing Rules and Regulations (IRR), and the issuances of the National Privacy Commission (NPC).

Further, in the pursuit of our business operations, legal obligations, and legitimate interests, the PrivaLex shall be guided by the general data privacy principles of transparency, legitimate purpose, and proportionality.

Our official website can be accessed at: https://www.privalex.com.ph/

Our website contains functionalities that enable the PrivaLex to collect and process your Personal Data. This Privacy Notice is issued to provide you with information as to how we collect your Personal Data; the basis, use, and purpose of our processing activities; our data protection measures; and your data subject rights.

This is not a Privacy Notice for all our Personal Data collection activities. PrivaLex will provide a separate Privacy Notice, in an appropriate format and manner, whenever we collect Personal Data through other channels (e.g. different online applications, systems, or physically in our office).

We collect the following Personal Data when you submit your inquiries, requests, and concerns through the our Contact Us Form  which can be accessed here: https://www.privalex.com.ph/contact

• First Name
• Last Name
• Email
• Company Information

As our Contact Us Form require that you submit your details to us, we deem that such submission is an indication of your consent to process your Personal Data. Nevertheless, we wish to remind that consent is not always required. This includes instances when the processing is done by the PrivaLex when the processing is allowed under Section 12 or 13 of the DPA.

Your Personal Data is utilized by the PrivaLex for the following purposes:

• To document inquiries, requests, and other concerns;

• To process your inquiries, requests, and concerns internally for appropriate action and response;

• To contact you and provide you with the necessary updates, advisories, and responses to your inquiries, requests, and concerns, as well as to solicit feedback upon its completion;

• To allow the PrivaLex to comply with its legal obligations to which it is subject;

• To provide the appropriate action when data subjects seek to exercise any of their data subject rights.

PrivaLex does not utilize methods for automated access of your Personal Data. However, in order to allow us to improve our services, PrivaLex utilizes third-party services for web traffic data analytics which includes the location from where the website was accessed, the length of time a visitor stayed, the page(s) visited, and similar statistics. Rest assured that in doing so, no Personal Data is collected and the website visitor's information are anonymized.

Personal Data collected by PrivaLex is not shared with third parties unless such disclosure is permitted or justified under Sections 12 or 13 of the DPA. Thus, we generally process your personal data internally, by authorized and sanctioned personnel of PrivaLex.

Please be advised that all data processing activities carry data privacy risks that may result in harm or danger to both PrivaLex and its data subjects. Examples of these risks include but are not limited to: (a) the unauthorized collection, use, disclosure, or access to Personal Data with PrivaLex’s control; (b) breach of confidentiality, integrity, and availability of Personal Data; or (c) violations of the DPA and the general data privacy principles and the rights of data subjects.

There are also digital risks for Personal Data that may be accessed through digital means such as targeted cyberattacks, malware, ransomware, and computer viruses. Meanwhile, physical risks include instances when manual records are accessed or viewed by persons without authority.

While PrivaLex cannot guarantee absolute protection against all kinds of data privacy risks, we implement physical, technical, and organizational security measures designed to identify these risks, minimize, or prevent their occurrence, respond appropriately if they occur, and comply with our reportorial duties after the fact, in line with the NPC’s rules on security incident management and data breach reporting Circulars.

Among the physical security measures we implement are the following:

• Physical copies of documents containing Personal Data are kept in our records office, which has access restrictions as to who may enter or what records may be taken therefrom;

• We maintain and practices to ensure that hard copies of documents containing Personal Data are not viewable by unintended parties;

• Our workstations have separators to limit the viewing of monitors by unintended parties; and

• All records are tracked in line with the PrivaLex’s quality management systems operations manuals.

​

Our technical security measures include:

• Access controls on PrivaLex’s digital infrastructure;

• Access controls on PrivaLex’s online and/or digital data processing systems;

• End-to-end encryption and data classification whenever suitable; and

• Other technical measures to protect our computers and databases against accidental, unlawful, or unauthorized usage, interference, or access.

​

Finally, our organizational security measures include:

• Privalex has a dedicated Data Protection Officer (DPO);

• Data Privacy policies are implemented within the organization; and

• We conduct privacy-enhancing projects, programs, and activities, including capacity-building activities to promote data privacy practices within the organization.

Please note that this is not an exhaustive list of our security measures, and we may not disclose any proprietary, confidential, and highly technical information that may be jeopardized if made publicly available.

We store files containing personal information in our computers and servers, which are kept in a secure environment and accessible strictly by authorized personnel.

These files are stored by the PrivaLex until inquiries and requests are acted upon. If it can be reasonably determined that such inquiries or requests have attained finality and that the files will no longer be needed for future use, then said files shall be disposed of securely.

Other categories of data may be kept longer when its retention period is determined to be necessary for the continued performance of business, or by other relevant laws and regulations.

Physical records shall be disposed of through shredding, while digital files shall be deleted from our internal storage. All Personal Data that need not be retained will be destroyed within two (2) years from the date of collection through proper procedures that will render it inaccessible and irretrievable.

Under the DPA, you may exercise the following data subject rights:

​

A. Right to be Informed

​

Under the DPA, you have the right to be informed regarding processing the personal information we hold about you. Additionally, you have the following rights as a data subject under the DPA:

B. Right to Object

​

Subject to certain limitations, you may refuse to the collection and processing of Personal Data. Once the Commission has been notified of any withholding of a data subject’s consent, further processing of the said Personal Data will no longer be allowed, unless:

• The collection and processing are undertaken pursuant to the performance of our mandate, and other lawful basis or criteria under the DPA or any applicable laws, rules or regulations; or

• The processing is required pursuant to a subpoena, lawful order, or as required by law.

​

C. Right to Access

​

You have the right to request access to the circumstances relating to the processing and collection of your Personal Data or information on automated processes where the Personal Data is or likely to be made as sole basis for any decision of the PrivaLex that may affect your data subject rights, when circumstances so warrant.

​

D. Right to Rectification

​

You have the right to dispute any inaccuracy or error in your Personal Data and may request the PrivaLex to immediately correct it. Upon receipt of the said request, and after correction has been made, the PrivaLex shall inform you of its inaccuracy and the subsequent rectifications that were made.

​

E. Right to Erasure or Blocking

​

In the absence of any other legal ground or overriding legitimate interest for the lawful processing of Personal Data received by PrivaLex from its data subjects, or when there is substantial proof that the said Personal Data is incomplete, outdated, false, or has been unlawfully obtained, a request to suspend, withdraw, or order the blocking, removal, or destruction of the Personal Data from our filing system may be made by the concerned data subject.

​

F. Right to Damages

​

You may claim compensation if you believe you suffered damages due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of Personal Data or for violating your rights and freedoms as a data subject.

If you think that your Personal Data has been misused, maliciously disclosed, or improperly disposed of or that your data privacy rights have been violated, you have a right to file a complaint with the NPC.

G. Right to Data Portability

In the event the Personal Data was processed through electronic means and in a structured and commonly used format, you have the right to obtain a copy of your Personal Data in such electronic or structured format for reference and/or further use, subject to the guidelines of the NPC with regard to the exercise of such right.

H. Transmissibility of rights of the data subject

Upon the passing of a data subject, or in case of a data subject’s incapacity or incapability to exercise legal rights, the data subject’s lawful heirs and assigns may invoke the data subject’s rights in place of the data subject.

The rights mentioned under this item are not applicable if Personal Data are processed only for scientific and statistical research purposes, and without being used as basis for carrying out any activity or taking any action regarding the data subject.

The law requires that any exercise of the rights as described in this Policy should be made in a reasonable and non-arbitrary manner, and with regard to the rights of other parties. All requests, demands or notices which may be made under this Notice or applicable law must be made in writing, and will only be considered made and officially received by the Commission.

PrivaLex reserves the right to update or revise this Privacy Notice at any time and will provide a new Privacy Notice whenever there are substantial changes. Prior versions of the Privacy Notice shall be retained by the Commission and shall be provided to data subjects upon request.

If you have comments or suggestions regarding this Privacy Notice, or if you have any issues concerning PrivaLex’s data privacy practices, you may reach us through our Data Protection Officer with the following details:

​

Data Protection OfficerPrivalex Consulting Group

26 F. The Podium West Tower

ADB Ave. cor. Dona Julia Vargas St.

privacy@privalex.com.ph

​

Date updated: 01 June 2024