DATA PRIVACY NOTICE FOR

BUSINESS PERMIT ONLINE APPLICATION SYSTEM

BACKGROUND
The Republic Act No. 10173 also known as the Data Privacy Act of 2012 which requires
the government and the private sector to follow and comply to fulfill their objective to
protect personal data in information and communications systems.
With this, it ensures that the entities of the City Government of Cagayan de Oro are
implementing measures and procedures that guarantee the safety and security of
personal data under their control or custody and thereby upholding an individual’s data
privacy rights; this also applies the principles of Transparency, Legitimate Purpose, and
Proportionality in processing of the personal data submitted and stored in the
information and communication system.
This Notice serves as a guide or handbook for ensuring the compliance of the City
Government with the Data Privacy Act and its Implementing Rules and Regulations
(IRR). This also encapsulates the privacy and data protection protocols that are being
observed and carried out within this entity for specific circumstances (e.g., from
collection to destruction), directed toward the fulfillment and realization of the rights of
data subjects.

INTRODUCTION
We, the City Government of Cagayan de Oro, respect and value your data privacy
rights. It is our duty to give you assurance and confidence to notify you on the submitted
data, most specifically your given personal information on how it is being collected,
processed, and kept. This is also to inform you of your rights in accordance with the
laws and regulations stated and specified in the Republic Act No. 10173 which is also
known as the “Data Privacy Act of 2012 (DPA)”.

DEFINITION OF TERMS

● Data Privacy Act – refers to the Republic Act No. 10173 or the Data Privacy Act
of 2012 and its implementing rules and regulations;

● Processing – refers to any operation or set of operations performed upon

personal data including, but not limited to, the collection, recording, organization,
storage, updating or modification, retrieval, consultation, use, consolidation,
blocking, erasure or destruction of data. Processing may be performed through
automated means, or manual processing, if the personal data are contained or
are intended to be contained in a filing system;

● Personal data – collectively refers to personal information, sensitive personal

information, and privileged information;
● Personal Information – refers to any information, whether recorded in a material
form or not, from which the identity of an individual is apparent or can be
reasonably and directly ascertained by the entity holding the information, or when
put together with other information would directly and certainly identify an
individual;

● Sensitive Personal Information – refers to personal data:

o About an individual’s race, ethnic origin, marital status, age, color, and
religious, philosophical or political affiliations;
o About an individual’s health, education, genetic or sexual life of a person,
or to any proceeding for any offense committed or alleged to have been
committed by such individual, the disposal of such proceedings, or the
sentence of any court in such proceedings;

● Privileged information – refers to any and all forms of personal data, which, under
the Rules of Court and other pertinent laws constitute privileged communication;

● Data Subject / Clients – refers to an individual whose personal, sensitive

personal, or privileged information is processed; who gives consent to the
processors to process the stated data specifically the business owners.

● Business Permit Information System – an online application and a system

processing the personal information of both applicants and anyone whose
undergoing the Business Permit Application;

● Processor – Business Permit Licensing Office (BPLO) Staff, personnel,

processing office of City Government of Cagayan de Oro who processes the
personal data using the Business Permit Information System with utmost
confidentiality, integrity and authenticity;

● Developer- City Management Information Systems and Innovation Department

(CMISID)

● National Privacy Commission (NPC) – refers as the forefront of not only

implementing but complying with the Data Privacy Act of 2012;

● Data Protection Officer – Any natural or juridical person or other body involved in
the processing of personal data or otherwise be accountable for ensuring
compliance with applicable laws and regulations for the protection of data privacy
and security (City Government Data Privacy Officer: Atty. Reymond Q.
Villablanca)
 ● Third Party Sharing and Processing – Information as well as Personal information
of the Data Subjects is being shared and processed outside the entity, subject to
cross-border arrangement and cooperation.

● Data Sharing Agreement – Needed when third party sharing and processing of
data is being made for the relevant process or use of the data of the data
subjects.

SCOPE AND LIMITATIONS

All personnel of the City Government of Cagayan de Oro, especially the processor,
regardless of the type of employment or contractual arrangement, must comply with the
terms set out in this Data Privacy Notice. This Data Privacy Notice is publicly posted for
the information and transparency of the data being processed through this Business
Permit Information System.
This Data Privacy Notice is written to notify data subjects of the Business Permit
Information System regarding the processing of their personal information and sensitive
personal information: from the collection of data through this Business Permit
Information System, to the actual generation of the Business Permit using the data
collected; this notice also includes how the processors will keep, secure, and protect the
collected data.

PROCESSING OF PERSONAL DATA: WHAT WE PROCESS, HOW WE PROCESS,

WHO WILL PROCESS, WHY WE PROCESS

1. Collection (What Information Do We Collect):

The processors collect the information required in the Business Permit Information
System. The following information that are being collected from the data subjects
through the information system are the following:
● E-mail Address
● Full name
● Mobile Number
The Business Permit Online Application System stores the personal data in the
database respectively and is being protected through a security protocol where the
database system is located for data security and protection.

2. Use (How We Process Your Information):

Personal data collected shall be used accordingly for the Business Permit profiling. By
filling up the application form through the Business Permit Information System, the data
subject consents the processor and developer to obtain, collect, process, keep the
personal data and sensitive personal information of the data subject.
Data Subject Request

3. Disclosure and Sharing

All processors shall maintain the confidentiality and secrecy of all personal data that
come to their knowledge and possession, even after resignation, termination of contract,
or other contractual relations. Personal data under the custody of the City Government
shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of
such data.

4. Access

Due to the sensitive and confidential nature of the personal data under the custody of
the City Government, only the data subject and the authorized processor shall be
allowed to access such personal data, for any purpose, except for those contrary to law,
public policy, public order or morals. The authorized processor of this information
system are as follows:

● Processing Office: Business Permit Licensing Office (BPLO).

● CMISID: The developer of the Business Permit Information System. Data
accessibility of this unit is only limited to the structure of the database for the
development purposes only. This shared accessibility is being protected by a
data sharing agreement between the processing office and the developer.
● Only statistical reports will be shown without any disclosure of personal
information or sensitive personal information of the data subjects for
transparency of the processor’s service.

1. Storage, Retention and Destruction

The processor as well as the Business Permit Information System will ensure that
personal data under its custody are protected against any other unlawful processing
(misused, modified, interfered, lost or disclosed to unauthorized processors without the
Data Sharing Agreement).
The implementation and the management of the information system shall have security
practices and processes such as but not limited to the following:

● Document storage security policies;

● Security measures to control access to our systems and premises;
● Limitations on access to personal data;
● Strict selection of third-party data processors and partners; and
 ● Electronic security systems, such as firewalls, data encryption and transmission
of data through a secured file transfer protocol.

The personal data shall be kept and maintained up to a certain period or as long as
necessary for the purpose for which they were collected or as required by laws and
regulations.

BREACH AND SECURITY INCIDENTS: RISK INVOLVED IN PROCESSING

The developer [City Management Information Systems and Innovation Department]
shall always maintain a backup file for all personal data under its custody. In the event
of a security incident or data breach, it shall always compare the backup with the
affected file to determine the presence of any inconsistencies or alterations resulting
from the incident or breach.
In case of any breach incident, the CMISID developer will report to the Data Protection
Officer together with the responsible Compliance Officer for Privacy of Business Permit
Online Application System. The CMISID detailed documentation of the incident or
breach encountered as will be forwarded to the management and to the NPC depending
on the City Government Data Privacy Officers’s advice.

SECURITY MEASURED: HOW WE PROTECT YOUR DATA

The privacy of data of the City Government is legally monitored and managed by the
registered Data Privacy Officer. The Compliance Officer for Privacy in the Business
Permit Licensing Office coordinates with the City Data Privacy Officer is given the role to
oversee the compliance of the office or the PIC on the Data Privacy Act, its
Implementing Rules and Regulations, and other related policies. PIPs of this request
system were trained, oriented, and signed the Non-Disclosure Agreement. All the
personal data that is stored in the database of this request system followed the security
protocol

YOU MAY CONTACT US FOR INQUIRIES AND COMPLAINTS

You as our Data Subjects have the following rights (RIGHTS OF DATA
SUBJECTS):
Personal information will be made available to the clients and authorized processors
anytime in case there are requests for correction, modification or deletion. It is the right
of the individual owning the personal data to inquire or obtain a copy of the personal
information provided to us.

1. The right to be informed, thus this Data Privacy Notice on how your personal
information collected be processed through this Business Permit Online
Application System.
 2. The right to access, thus you have the access of your personal details and
account.
3. The right to object, thus you can the right not to submit the data so as not the
data to be processed.
4. The right to damages, thus you can request for assessment of your data that
might be mishandled to our Data Privacy Officer.
5. The right to file a complaint, thus you can file a complaint to our Data Privacy
Officer to any misused, maliciously disclosed, or improperly disposition of your
data.
6. The right to rectify, thus you have the right to correct and update your submitted
through Business Permit Information System.

For further inquiries or complaints, you may report or coordinate with our City
Government’s Data Privacy Officer:
Atty. Reymond Q. Villablanca
Asst. City Legal Officer
City Legal Office
Ground Floor, Executive Building, City Hall, Cagayan de Oro City
Email: dpo.cdo@gmail.com
Contact Number: (088) 857-2260 / +63-960-902-1208

Compliance Officer for Privacy:

[
]
EFFECTIVITY OF THIS DATA PRIVACY MANUAL:
The provisions of this Manual are effective this 29 day of June 2021, until revoked or
amended by this entity, the City Government of Cagayan de Oro.
DPM Version 1.0 as of June 29, 2021