Preamble:
This addendum is enacted to complement and specify certain provisions of Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012, specifically tailored to the payment, user acceptance, and data security practices of NetGlobal Solutions, Inc. (hereinafter referred to as "the Organization"). This addendum focuses on payments made exclusively through QRPh and the secure handling of account information.
Scope: a. This addendum applies to all personal information collected, processed, stored, or transmitted by the Organization in the course of payment transactions and user acceptance.
b. The provisions of the Data Privacy Act of 2012 shall remain in full force and effect, with this addendum serving as a supplementary document for matters specific to payment via QRPh, user acceptance, and data security.
Purpose: The purpose of this addendum is to establish guidelines and safeguards for the proper handling of personal information in the context of payment processing through NetGlobal Pay’s QRPh and user acceptance, ensuring a transparent and secure user experience.
Payment Information: For the purposes of this addendum, payment information refers to any data related to financial transactions of users made through the NetGlobal Pay payment platform, specifically the account number used during the transaction.
Data Security: Data security involves the implementation of measures to protect personal information against accidental or unlawful destruction, alteration, and disclosure, as well as against unauthorized access, abuse, or processing.
Lawfulness and Transparency: a. The Organization shall process payment and user acceptance information lawfully, ensuring transparency in data processing activities, particularly the encryption of account information during payment.
Purpose Limitation: a. Payment and user acceptance information shall be collected and processed solely for the purposes explicitly disclosed to the data subjects.
Data Minimization: a. The Organization shall only collect and process the minimum amount of payment and user acceptance information necessary for the intended purposes, focusing specifically on the account number for payment processing through NetGlobal Pay’s QRPh.
Encryption: a. The account number entered before the payment form shall serve as the means of access for proceeding to pay the bill, and the information shown shall be encrypted based on the account number logged in.
Access Controls: a. Access to payment and user acceptance information shall be restricted to authorized personnel, and strong access controls shall be implemented.
Data Security Measures: a. The Organization shall implement technical, organizational, and physical security measures in accordance with the guidelines set forth by the National Privacy Commission to ensure the confidentiality, integrity, and availability of personal information.
b. Regular risk assessments shall be conducted to identify and address potential vulnerabilities in the processing of payment and user acceptance information.
Informed Consent: a. Prior to collecting payment and user acceptance information, the Organization shall obtain the informed consent of the data subjects from ISELCO-II.
User Agreement: a. Users shall be presented with a clear and concise pop-up window, explicitly detailing the terms and conditions governing payment and user acceptance processes, including the handling of their personal information through NetGlobal Pay’s payment form and payment using QRPh.
b. The pop-up window shall include language emphasizing the encryption of the account number and the commitment of ISELCO-II to protect user accounts.
c. Users will be required to click an "I Agree" button to signify their acceptance and consent to proceed with the payment and user acceptance processes.
Notification Requirement: a. In the event of a data breach affecting payment and user acceptance information, the Organization shall promptly notify affected data subjects and the National Privacy Commission as required by RA 10173.
Compliance: a. The Organization shall regularly audit and assess its practices related to payment and user acceptance, including compliance with data security measures and the guidelines provided by the National Privacy Commission.
Monitoring: a. The Organization shall appoint a Data Protection Officer responsible for overseeing compliance with this addendum, the Data Privacy Act of 2012, and the data security guidelines provided by the National Privacy Commission.
Effectivity: This addendum shall take effect upon approval and shall remain in force until modified or revoked in accordance with the provisions of the Data Privacy Act of 2012.
Regular Audits: a. The Organization shall conduct regular audits of its data security measures, including but not limited to penetration testing, vulnerability assessments, and reviews of access logs.
Risk Assessments: a. Periodic risk assessments shall be carried out to identify and evaluate potential risks to the security of payment and user acceptance information.
Mitigation Plans: a. The Organization shall develop and implement mitigation plans to address identified risks promptly. These plans shall be regularly reviewed and updated as necessary.
Data Retention Limitation: a. Payment and user acceptance information shall only be retained for the duration necessary to fulfill the purposes for which it was collected or as required by applicable laws and regulations.
Secure Disposal: a. When the retention period expires or upon the data subject's request, the Organization shall securely dispose of payment and user acceptance information to prevent unauthorized access.
Training Programs: a. The Organization shall implement training programs for its employees, ensuring they are educated on data security best practices, the importance of confidentiality, and their responsibilities in protecting personal information.
Awareness Campaigns: a. Regular awareness campaigns shall be conducted to keep employees informed about the latest data security threats and measures they can take to prevent breaches.
Due Diligence: a. When engaging third-party data processors for payment processing or user acceptance services, the Organization shall conduct due diligence to ensure that these entities comply with data security standards and guidelines.
Contractual Obligations: a. Contracts with third-party data processors shall include provisions requiring them to implement appropriate data security measures and comply with the principles of this addendum.
Incident Response Team: a. The Organization shall establish an incident response team responsible for promptly responding to and mitigating any data security incidents.
Communication Protocols: a. Clear communication protocols shall be established to inform stakeholders, including data subjects, authorities, and the public, in the event of a data security incident.
Documentation: a. The Organization shall maintain detailed records of processing activities related to payment and user acceptance information, including the purposes of processing, categories of data subjects, and data flows.
Data Protection Impact Assessments: a. Where applicable, the Organization shall conduct Data Protection Impact Assessments (DPIAs) to assess and mitigate the risks associated with processing payment and user acceptance information through NetGlobal Pay’s QRPh.
IN WITNESS WHEREOF, the undersigned parties, being duly authorized representatives of ISELCO-II, hereby adopt and enact this extended addendum to the Data Privacy Act of 2012 for Payment, User Acceptance, and Data Security, emphasizing the user acceptance and security measures involved in QRPh transactions.