This policy outlines the data protection and security measures adopted by the Sandatahan Credit Cooperative (SCC) to safeguard and protect data privacy rights and shall serve as a guide in the exercise of rights under the DPA.
II. Policy Statement
We, at Sandatahan Credit Cooperative (SCC), are committed to provide you with quality and innovative services while implementing safeguards to protect your privacy and keep your personal information safe and secure in compliance with the DPA.
All officers and employees of (SCC) are enjoined to comply with and to share the responsibility to secure and protect personal information, including sensitive personal information, collected and processed by the Cooperative in pursuit of legitimate purposes.
III. Definition of Terms
A. Data Subject refers to an individual whose personal, sensitive personal, or privileged information is processed.
B. Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
C. Sensitive personal information refers to personal information:
About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or cm-rent health records, licenses or its denials, suspension or revocation, and tax returns; and
Specifically established by an executive order or an act of Congress to be kept classified.
D. Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
E. Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.
F. Data Protection Officer refers to an individual designated by the head of agency or organization to be accountable for its compliance with the DPA, its IRR, and other issuances of the NPC.
IV. Processing of Personal Information
Collection of Personal Information
In the course of our transactions with data subjects, (SCC) may collect personal information including, but not limited to:
Name, sex, civil status, residential address, date and place of birth, age, citizenship
Parents’ name, religion, nationality, date and place of birth, occupation, and other information in Birth Certificate
Military serial number, rank, Tax Identification Number (TIN), GSIS or SSS number
Employment status, occupation, service term, employer, office address
Monthly and annual income, financial situation
Contact numbers, e-mail address, and emergency contact information
Spouse’s name, date and place of birth, residence, citizenship, religion, parents,
Date and place of marriage, solemnizing officer, and other information in Marriage Certificate
Name of legal beneficiaries and their personal information
Medical condition and history
Scholastic and other academic records
Date and place of death, cause of death, and other information in Death Certificate
Images via CCTV and other similar recordings taken within office premises or during activities conducted out of office
A data subject’s personal information may be collected through the following ways:
Application for membership by filling out the required forms and submitting additional requirements
Application for loans or other financial and integrated services by filling out the required forms and submitting additional requirements
Interaction with our employees, either written or verbal, through face-to-face transactions, phone, e-mail, or social media inquiries
Filling out of the required forms for inquiries, requests, comments, or complaints
Participation in surveys, focus group discussions, marketing promotions, and other similar initiatives
Submission of requirements for job application
Submission of requirements for scholarship or other requests for assistance
Recording of images and videos through CCTV within office premises
Application for voluntary termination or deceased termination filed by legal beneficiaries by filling out the required forms and submitting additional requirements
Other similar means
Use and Disclosure of Personal Information
SCC uses and discloses collected personal information for the following purposes:
To manage membership of individuals in the cooperative
To provide quality financial and integrated products and services
To provide assistance and feedback to members
To communicate relevant services, advisories, promotions, including responses to queries, requests, and complaints
To allow members to participate in promotional activities, special events, and community initiatives
To undertake marketing and promotional campaigns
To implement prevention, detection, and corrective measures in relation to fraud and other relevant risks
To evaluate and process applications for employment
To comply with the requirements of Republic Act 9510 (“Credit Information System Act”)
To comply with the requirements of other relevant existing laws and legal proceedings such as court orders
To comply with the legal obligation to prevent imminent harm to public security, safety, or order
To utilize relevant data for research, analytical, and promotional purposes
To undertake other similar legitimate purposes
Sharing of Personal Information to Third Parties
In the course of operations and providing services to members, Sandatahan Credit Cooperative may engage the services of third parties. In instances when certain personal information is required to be disclosed to fulfill legitimate business concerns and as may be necessary to provide services, we shall exercise utmost diligence in processing your personal information. Sandatahan Credit Cooperative will never share, sell, or otherwise disclose your personal information with third parties, except as otherwise indicated above, or unless otherwise permitted under the Data Privacy Act or other applicable laws and regulations.
Accessing and Updating your Personal Information
Members may access and update personal information previously collected from them by proceeding to any of our Sandatahan Credit Cooperative and submitting a written request to authorized employees. This information will be available for members’ access during business hours and after a reasonable period of time for us to prepare the same.
Personal Information Retention and Disposal
The personal information of data subjects shall be retained by Sandatahan Credit Cooperative only for as long as it is necessary to fulfill the purpose/s for which it was obtained and in accordance with the prescribed retention period depending on the nature of the personal information collected and subject to the specific retention policy of the department or section storing such information.
Thereafter, the personal information shall be disposed of or de-identified in a secure manner sufficient to make the information non-personally identifiable in order to prevent further processing, unauthorized access, or unlawful disclosure to any other party.
V. Data Protection
Sandatahan Credit Cooperative implements reasonable and appropriate organizational, physical, and technical security measures for the protection of personal information which we collected.
The security measures aim to maintain the availability, integrity, and confidentiality of personal information and are intended for the protection of personal information against any accidental or unlawful destruction, alteration, and disclosure, as well as against any other unlawful processing.
In compliance with the DPA, Sandatahan Credit Cooperative has appointed a Data Protection Officer (DPO) to manage and safeguard the processing of your personal information. A Data Privacy Section under the direct supervision of the DPO was also established for the same purpose. Sandatahan Credit Cooperative commits itself to ensuring that your personal information is secured and protected under the standards provided for by law and in line with the best practices of the industry.
Sandatahan Credit Cooperative employees process and hold personal information under strict confidentiality. They are required to sign non-disclosure agreements and are trained on the company’s privacy and security policies to ensure confidentiality and security of your personal information.
VII. Rights of the Data Subjects
Data subjects are entitled to the following rights:
A. Be informed of when and how personal information shall be, is being or has been processed;
B. Be furnished with the information indicated below before the entry of personal information into the processing system of the personal information controller, or at the next practical opportunity:
(1) Description of the personal information to be entered into the system;
(2) Purposes for which it is being or are to be processed;
(3) Scope and method of the personal information processing;
(4) The recipients or classes of recipients to whom it is or may be disclosed;
(5) Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized;
(6) The identity and contact details of the personal information controller or its representative;
(7) The period for which the information will be stored; and
(8) The existence of their rights, i.e., to access, correction, as well as the right to lodge a complaint before the Commission.
Any information supplied or declaration made to the data subject on these matters shall not be amended without prior notification: Provided, That the notification under subsection (b) shall not apply should the personal information be needed pursuant to a subpoena or when the collection and processing are for reasonably apparent purposes, including when it is necessary for the performance of or in relation to a contract or service or when necessary or desirable in the context of an employer-employee relationship, or when the information is being collected and processed as a result of legal obligation;
C.Reasonable access to, upon demand, the following:
(1) Contents of personal information that were processed;
(2) Sources from which personal information were obtained;
(3) Names and addresses of recipients of the personal information and sensitive personal information;
(4) Manner by which such data were processed;
(5) Reasons for the disclosure of the personal information to recipients;
(6) Information on automated processes where the data will or likely to be made as the sole basis for any decision significantly affecting or will affect the data subject;
(7) Date when personal information was last accessed and modified; and
(8) The designation, or name or identity and address of the personal information controller (PIC).
D. Dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal information has been corrected, the PIC shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by recipients thereof: Provided, That the third parties who have previously received such processed personal information shall be informed of its inaccuracy and its rectification upon request of the data subject;
E. Suspend, withdraw or order the blocking, removal or destruction of personal information from the PIC’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected; and
F. Be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information.
G. Where personal information is processed by electronic means and in a structured and commonly used format, data subjects have the right to obtain from the PIC a copy of data undergoing processing in an electronic or structured format, which is commonly used and allows for further use.
IX. Contact Information
If you have further questions or concerns, you may contact our Data Protection Officer through the following details:
Contact Number :
Email Address :