Silay Institute, Inc.
We respect your privacy.
We are committed to protecting and respecting your personal data, guided by the relevant provisions of data privacy laws and regulations.
The following provides an overview of how your privacy is respected and protected on this website:
I. What personal information do we collect?
With your informed consent, we collect the following personal data on our website:
| Category of Personal Data | Specific Personal Data Collected |
|---|---|
| 1. Personal Details | 1. First Name and Last Name, Company Name |
| 2. Contact Details | 2. E-mail Address |
| 3. Usage Data / Cookies* and geolocation data | 3. Internet Protocol Address (IP Address), browser type, browser version, the pages of the website visited, the time and date of visit, the time spent on specific pages of the website, unique device identifiers and other diagnostic data. |
* Cookies are text files containing small amounts of information which are downloaded to your computer or mobile device when you visit a site and allow a site to recognize your device.
II. For which purposes and on which legal basis do we use your personal data?
We use your personal data only where required for specific purposes. The list of purposes and the corresponding legal basis for the collection of your personal data are outlined in the table below:
| PERSONAL DATA COLLECTED | PURPOSE | LEGAL BASIS |
|---|---|---|
| 1. Personal Details and Contact Details | Facilitating communication with you | Justified on the basis of our legitimate interests for ensuring proper communication and to properly address your inquiry or concern. |
| 2. Usage Data / Cookies and geolocation data | Improving the security and functionality of our website, networks and information; analyzing traffic, enabling social media functionality and offering you marketing content and advertisements according to your interests. | a) Justified on the basis of our legitimate interests for ensuring that you receive an excellent user experience and our networks and information are secure. b) Justified on the basis of our legitimate interests for ensuring that we only show you content based on the consent you provided. |
III. What about sensitive personal data?
We do not seek or collect or otherwise process sensitive personal data through this site. Where it becomes necessary to process your sensitive personal data for any reason, we rely on your prior express consent for any processing which is voluntary (e.g., for marketing purposes). If we process your sensitive personal data for other purposes, we rely on the following legal bases: (i) detection and prevention of crime (including the prevention of fraud); (ii) establishment, exercise, or defense of legal claims; and (iii) compliance with applicable law.
IV. How do we collect your personal data? (“Manner of Collection of Personal Data”)
Directly through the contact form on our website, which will ask for your personal information together with your inquiry or concern.
V. Do we share your information with third parties? (“Disclosure of Personal Data to Third Parties”)
As a global organization, we may share your information with employees of Silay Institute and third-party stakeholders of our company, but only to the extent necessary to address your inquiry or concerns. Such third-party stakeholders may be located in other countries.
Before we do so, we shall take the necessary steps to ensure that your personal data will be given adequate protection as required by relevant data privacy laws in the Philippines and in the territory of the third party, as well as in accordance with Silay Institute’s internal policies.
VI. How do we store and transmit personal information? (“Storage and Transmission of Personal Data”)
- We use a third-party cloud-based CRM platform to store the personal data collected.
- A unique account is registered through the CRM platform, which is administered by our designated Customer Relationship Management (CRM) Administrator. This unique account is secured through a username and password known only to the CRM Administrator.
- The data collected from our website through the form found therein are automatically transmitted to the third-party CRM platform.
- In addition to the storage in the third-party cloud-based CRM platform, we store an encrypted backup on our company's secure local server.
- Any personal data we collect are automatically transmitted to our third-party cloud-based CRM platform.
- Any personal data collected are likewise transmitted to our employees who may have a legitimate interest over the personal data, upon a written request by e-mail. The CRM Administrator transmits the encrypted personal data by e-mail.
VII. How long do we keep the collected personal information? (“Retention of Personal Data”)
We retain your data for a maximum of two (2) years, after which we delete or dispose of the same in accordance with our personal data disposal or deletion policy.
VIII. Disposal of Personal Data Collected.
Disposal of Personal Data Collected on our website through our third-party storage platform and our back-up stored in the CRM Administrator’s computer/laptop is done after two (2) years from collection or upon request of the data subject. Should we need to retain your data for a longer period, you will be notified accordingly.
Our Data Privacy Compliance Office (DPCO) and DPOs monitor and audit the maturity of the personal data collected and stored, and ensure that data reaching the end of its retention period is reviewed for usefulness and disposed of accordingly, following the company's policies and procedures on the disposal of personal data, to wit:
(a) Our CRM Administrator is the person mainly responsible for deleting personal data upon its maturity or upon request of the data subject. As a policy, all personal data collected on our website are in digital format. These are deleted through the third-party cloud-based CRM Platform by the CRM Administrator. A written report of deletion of personal data (with details of the deletion, such as date, time and place of deletion, persons present, manner of deletion and description of the personal data deleted) shall be accomplished by the CRM Administrator for submission to the DPO.
(b) Our third-party cloud-based storage provider is also notified through a request to be made by the CRM Administrator of the maturity of the personal data collected and/or the request made by the data subject, with an instruction that the same should be deleted permanently from their system. A written report shall be required of the third-party cloud-based storage provider, with details of the deletion, such as date, time and place of deletion, persons present, manner of deletion and description of the personal data deleted.
(c) As to the back-up copy of the personal data collected stored in the laptop/computer of the CRM Administrator, the same is deleted in the same manner as letter (a) hereof.
IX. Security Measures to Protect your Personal Data.
We take appropriate steps to maintain the security of your data on the Silay Institute website.
We are implementing organizational, physical and technical security arrangements for all the personal data we hold. We have protocols, controls and relevant policies, procedures and guidance to maintain these arrangements taking into account the risks associated with the categories of personal data and the processing we undertake.
We adopt organizational and market-leading security measures and technology, and maintain annual certifications by leading authorities in compliance, in order to protect your personal data, including but not limited to:
- Organizational Measures. Our company has appointed a Data Protection Officer (DPO) and Compliance Office (COP) to ensure compliance with DPA. We also ensure that all our employees are equipped with knowledge on DPA, through internal and external trainings and seminars. Our company conducts Privacy Impact Assessment (PIA), especially for our teams who handle the company’s website, to ensure that personal data is protected at all times.
Access to personal data collected through our website is granted only to authorized personnel. Each member of personnel with access to personal data shall verify his or her identity using a secure encrypted link and multi-level authentication.
We ensure that a data sharing agreement, with specific provisions on security measures to protect your data, is executed with our service providers, including our third-party cloud-based service storage provider.
- Physical and Technical Security Measures. The personal data collected through our website are all in digital format. Hence, we do not print collected data nor do we retain paper-based or hard copies thereof.
- We review and evaluate software applications before their installation in computers and devices owned by the organization to ensure compatibility of security features with the overall operations, including the third-party cloud-service storage we use to store the personal data collected through our website.
- We review security policies, conduct vulnerability assessments and perform penetration testing within the company on a regular schedule to be prescribed by our BTS & InfoSec department.
- Encryption, authentication process, and other technical security measures that control and limit access to personal data are implemented. All files with personal data collected are password-protected, and may only be accessed by authorized personnel.
A full and comprehensive procedure for these Security Measures is available upon request.
- We also subscribe to the following globally recognized Quality Management Standards (ISO/IEC 9001) and Information Security Management Standards (ISO/IEC 27001) and conform to globally accepted best practices, to ensure personal data remain safe and secured while it is processed with transparency, legitimacy and proportionality to preserve its confidentiality, integrity and availability, thereby upholding the data privacy rights of our employees, customers and business stakeholders. Our organization remains compliant and ensures updated certification for ISO 9001, ISO 27001 and ISO 14001; and implements reasonable and appropriate measures to protect personal data against natural dangers such as accidental loss or destruction; and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination:
1) ISO/IEC 27002, Information Technology – Security Techniques – Code of Practice for Information Security Controls;
2) ISO/IEC 27003, Information Technology – Security Techniques – Information Security Management System Implementation Guidance;
3) ISO/IEC 27005, Information Technology – Security Techniques – Information Security Risk Management;
4) ISO/IEC 29134, Information Technology – Security Techniques – Guidelines for Privacy Impact Assessment;
5) ISO/IEC 29151, Information Technology – Security Techniques – Code of Practice for personally identifiable information (PII) protection;
6) ISO/IEC 29100, Information Technology – Security Techniques – Privacy Framework;
7) ISO/IEC 3100:2018 Guidelines on Risk Assessment; and
8) ISO/IEC 27018:2014 Information Technology – Security Techniques – Code of Practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.
While we use reasonable technical and administrative measures within our means to protect your data against unauthorized or unlawful use, processing, accidental loss, alteration, disclosure or access, accidental or unlawful destruction or damage thereto, you must understand that the open nature of the Internet is such that data may flow over networks without security measures and may be accessed and used by people other than those for whom the data is intended. Thus, please remember that no method of transmission over the Internet, or method of electronic storage is 100% secure and while we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.
X. What are your rights in relation to the processing of your personal data?
The following are your rights subject to limitations set by law:
- RIGHT TO INFORMATION. This right entitles you to know the specific personal data being collected and the purposes for its processing.
- RIGHT OF ACCESS. This right entitles you to know whether we hold personal data about you and, if we do, to obtain information on and a copy of that personal data.
- RIGHT TO RECTIFICATION. This right entitles you to have your personal data corrected if it is inaccurate or incomplete.
- RIGHT TO OBJECT. This right entitles you to object to the processing of your personal data.
- RIGHT TO ERASURE. This right entitles you to request the erasure of your personal data, especially when no longer necessary to achieve the purposes.
- RIGHT TO RESTRICTION OF PROCESSING. This right entitles you to limit the personal data to be processed.
- RIGHT TO DATA PORTABILITY. This right entitles you to receive a copy (in a structured, commonly used and machine-readable format) of personal data that you have provided to us, or request us to transmit such personal data to another data controller.
XI. WITHDRAWAL OF CONSENT. RIGHT TO COMPLAINT and DAMAGES.
To the extent that the processing of your personal data is based on your consent, you have the right to withdraw such consent at any time by contacting Silay Institute’s Data Protection Officer. Please note that this will not affect Silay Institute’s right to process personal data obtained prior to the withdrawal of your consent, or its right to continue parts of the processing based on other legal bases than your consent.
If, despite our commitment and efforts to protect your personal data, you believe that your data privacy rights have been violated, we encourage and welcome you to first seek resolution of any complaint. You have the right, at all times, to register or file a complaint directly with the relevant supervisory authority (the National Privacy Commission) or to make a claim against us with a competent court (either in the country where you live, the country where you work or the country where you deem that data privacy law has been infringed), with a right to seek damages.
For any concerns and requests to exercise the foregoing rights, except those which are within the jurisdiction of the NPC or a competent court, you may contact us at firstname.lastname@example.org.