Film Experts, Inc. (“FILMEX”) respects the privacy of all our clients and business partners, and is committed to safeguarding the personal information provided to us in view of our business dealings.
1. Application of the Policy
2. Definition of Terms
(a) Data subject refers to an individual whose personal information is processed.
(b) Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:
(1) A person or organization who performs such functions as instructed by another person or organization; and
(2) An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.
(c) Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
3. Processing of Personal Data
A. Collection of Personal Data
For the purpose of carrying on our business, there may be instances wherein clients and/or business partners may be requested to provide personal data such as, but not limited to the following, without which it may not be possible for us to fulfill our obligations under contracts which we may have entered into:
a) Full Name;
b) Residential Address;
c) Copy of identification cards;
d) Payment details, including banking information;
e) Contact details, including telephone number or email address; and
f) Employment/business information.
B. Use of Personal Data Collected
We currently use or may in the future use our clients’ and/or business partners’ personal data for any purpose not prohibited by applicable law. This includes the following purposes:
a) Providing services and facilities;
b) Administering or managing the business relationships;
c) Conducting identity or credit checks;
d) Developing new services or products;
e) Providing (by post or e-mail) marketing, advertising and promotional information, materials or documents;
f) Complying with any law or the requirements of any regulatory authority;
g) Updating others of our products and services;
h) Processing any applications or requests for new products or services;
i) Enforcing our rights; and
j) Maintaining the safety and security of premises with the use of security cameras.
We will not use, disclose or process personal data for purposes which are not stated above or for which we have not obtained your consent. If we wish to use, disclose or process personal data for purposes other than the above enumeration, we will seek the data subject’s prior written consent.
C. Storage, Retention and Destruction of Personal Data Collected
We will ensure that personal data under our custody are protected against accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing. We will implement appropriate security measures in storing collected personal information, depending on the nature of the information. We will retain personal data for as long as the purposes for which such data is collected or used continue to exist, or where necessary for our legal or business purposes. Thereafter, we will delete or destroy the personal data, or remove the means by which the data can be associated with the data subject.
Due to the sensitive and confidential nature of the personal data under our custody, only the client and its authorized representative/s, as well as our authorized representative/s shall be allowed to access such personal data collected, except when otherwise required by law or by the courts.
E. Disclosure of Personal Data
All employees and personnel shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation, termination of contract, or other contractual relations. Personal data under the custody of FILMEX shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data.
F. Withdrawal of Consent
Consent to collect, use, disclose or retain personal data may be withdrawn at any time by giving written notice pursuant to the Data Privacy Act of 2012. However, depending on the circumstances and the nature or extent of the withdrawal of consent, it may result in us not being able to provide the services contracted, and we may thus terminate the same.
G. Access and Correction of Personal Data
Any information provided may be accessed, updated or otherwise changed or removed upon proper request made.
3. Accuracy of Personal Data
Personal data shall be kept as accurate, complete and up-to-date as possible, taking into account its use and the interests of clients and business partners. Where possible, the data provided shall be validated using generally accepted practices and guidelines.
4. Security Measures for the Protection of Personal Data
Personal data shall be protected against loss or theft, as well as unauthorized access, disclosure, reproduction, use or modification with security safeguards appropriate to the sensitivity of the personal data, regardless of the format in which it is held.
FILMEX uses various methods to safeguard personal data. They include the following:
A. Organizational Security Measures
We have designated a Data Protection Officer (DPO) to oversee our compliance with the Data Privacy Act of 2012, its IRR, and other related policies, including the conduct of a Privacy Impact Assessment, implementation of security measures, security incident and data breach protocol, and the inquiry and complaints procedure.
Conduct mandatory training on data privacy and security for personnel directly involved in the processing of personal data.
Regularly conduct a privacy impact assessment relative to all activities, projects and systems involving the processing of personal data.
All employees are asked to sign a Non-Disclosure Agreement. All employees with access to personal data operate and hold personal data under strict confidentiality if the same is not intended for public disclosure.
This Policy shall be reviewed and evaluated annually to remain consistent with current data privacy best practices.
B. Physical Security Measures
All personal data being processed are stored in a safe and secure manner. Paper-based documents are kept in locked filing cabinets while the digital/electronic files are stored in computers with ample security features.
Only authorized personnel are allowed access to the locked filing cabinets and storage computers. Other personnel may be granted access to the locked filing cabinets and storage computers upon filing of an access request form with the DPO and the latter’s approval thereof.
Transfers of personal data via electronic mail are via a secure email facility with encryption of the data, including any or all attachments. Facsimile technology shall not be used for transmitting documents containing personal data.
C. Technical Security Measures
Each personal information controller must implement technical security measures to make sure that there are appropriate and sufficient safeguards to secure the processing of personal data, particularly the computer network in place, including encryption and authentication processes that control and limit access. They include the following, among others:
We shall use an intrusion detection system to monitor security breaches and alert the organization of any attempt to interrupt or disturb the system.
Software applications shall always be reviewed and evaluated before the installation thereof in computers and devices to ensure the compatibility of security features with overall operations.
There shall be a regular review of security policies, conduct of vulnerability assessments and the performance of penetration testing within the organization to be prescribed by the appropriate department or unit.
5. Breach and Security Incidents
A Data Breach Response Team comprising 2 officers, the DPO and the Asst DPO, shall be responsible for ensuring immediate action in the event of a security incident or personal data breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effects of the incident or breach.
A Privacy Impact Assessment shall be conducted regularly to identify risks in the processing system, together with monitoring for security breaches and vulnerability scanning of computer networks. Personnel directly involved in the processing of personal data must attend trainings and seminars, whenever practicable, for capacity building. There must also be a periodic review of policies and procedures that are being implemented in FILMEX.
FILMEX shall always maintain a backup file for all personal data under its custody. In the event of a security incident or data breach, it shall always compare the backup with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.
The Head of the Data Breach Response Team shall inform the management of the need to notify the National Privacy Commission and the data subjects affected by the incident or breach within the period prescribed by law. Management may decide to delegate the actual notification to the Head of the Data Breach Response Team.
The Data Breach Response Team shall prepare a detailed documentation of every incident or breach encountered, as well as an annual report, to be submitted to management and the National Privacy Commission, within the prescribed period.
6. Inquiries and Complaints
Data subjects may inquire about or request information regarding any matter relating to the processing of their personal data under our custody, including the data privacy and security policies implemented to ensure the protection of their personal data. They may write to the organization at (Data Protection Officer email ad) and briefly discuss the inquiry, together with their contact details for reference. Complaints shall be filed in three (3) printed copies.
7. Changes to this Policy
We reserve the right to modify or change this Policy at any time.