Preamble:
This addendum is enacted to complement and specify certain provisions of Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012, specifically tailored to the payment, user acceptance, and data security practices of ISELCO-2 (hereinafter referred to as "the Organization").
a. This addendum applies to all personal information collected, processed, stored, or transmitted by the Organization in the course of payment transactions and user acceptance.
b. The provisions of the Data Privacy Act of 2012 shall remain in full force and effect, with this addendum serving as a supplementary document for matters specific to payment, user acceptance, and data security.
The purpose of this addendum is to establish guidelines and safeguards for the proper handling of personal information in the context of payment processing and user acceptance, ensuring a transparent and secure user experience.
For the purposes of this addendum, payment information refers to any data related to the financial transactions of users, including but not limited to credit/debit card details, bank account information, and other forms of electronic payment.
User acceptance information encompasses data collected during the registration and onboarding process, including but not limited to user profiles, login credentials, and consent records.
Data security involves the implementation of measures to protect personal information against accidental or unlawful destruction, alteration, and disclosure, as well as against unauthorized access, abuse, or processing.
a. The Organization shall process payment and user acceptance information lawfully, ensuring transparency in data processing activities.
a. Payment and user acceptance information shall be collected and processed solely for the purposes explicitly disclosed to the data subjects.
a. The Organization shall only collect and process the minimum amount of payment and user acceptance information necessary for the intended purposes.
a. Payment and user acceptance information shall be encrypted both in transit and at rest to prevent unauthorized access.
a. Access to payment and user acceptance information shall be restricted to authorized personnel, and strong access controls shall be implemented.
a. The Organization shall implement technical, organizational, and physical security measures in accordance with the guidelines set forth by the National Privacy Commission to ensure the confidentiality, integrity, and availability of personal information.
b. Regular risk assessments shall be conducted to identify and address potential vulnerabilities in the processing of payment and user acceptance information.
a. Prior to collecting payment and user acceptance information, the Organization shall obtain the informed consent of the data subjects.
a. Users shall be presented with a clear and concise pop-up window, explicitly detailing the terms and conditions governing payment and user acceptance processes, including the handling of their personal information.
b. The pop-up window shall include language emphasizing the security measures in place and the commitment of ISELCO-2 to protect user accounts.
c. Users will be required to click an "I Agree" button to signify their acceptance and consent to proceed with the payment and user acceptance processes.
a. In the event of a data breach affecting payment and user acceptance information, the Organization shall promptly notify the affected data subjects and the National Privacy Commission within the period and in the manner required by RA 10173 and its Implementing Rules and Regulations.
a. The Organization shall regularly audit and assess its practices related to payment and user acceptance, including compliance with data security measures and the guidelines issued by the National Privacy Commission.
a. The Organization shall appoint a Data Protection Officer responsible for overseeing compliance with this addendum, the Data Privacy Act of 2012, and the data security guidelines provided by the National Privacy Commission.
This addendum shall take effect upon approval and shall remain in force until modified or revoked in accordance with the provisions of the Data Privacy Act of 2012.
Article IX: Data Security Audits and Assessments
a. The Organization shall conduct regular audits of its data security measures, including but not limited to penetration testing, vulnerability assessments, and reviews of access logs.
a. Periodic risk assessments shall be carried out to identify and evaluate potential risks to the security of payment and user acceptance information.
a. The Organization shall develop and implement mitigation plans to address identified risks promptly. These plans shall be regularly reviewed and updated as necessary.
a. Payment and user acceptance information shall only be retained for the duration necessary to fulfill the purposes for which it was collected or as required by applicable laws and regulations.
a. When the retention period expires or upon the data subject's request, the Organization shall securely dispose of payment and user acceptance information to prevent unauthorized access.
a. The Organization shall implement training programs for its employees, ensuring they are educated on data security best practices, the importance of confidentiality, and their responsibilities in protecting personal information.
a. Regular awareness campaigns shall be conducted to keep employees informed about the latest data security threats and measures they can take to prevent breaches.
a. When engaging third-party data processors for payment processing or user acceptance services, the Organization shall conduct due diligence to ensure that these entities comply with data security standards and guidelines.
a. Contracts with third-party data processors shall include provisions requiring them to implement appropriate data security measures and comply with the principles of this addendum.
a. The Organization shall establish an incident response team responsible for promptly responding to and mitigating any data security incidents.
a. Clear communication protocols shall be established to inform stakeholders, including data subjects, authorities, and the public, in the event of a data security incident.
a. The Organization shall maintain detailed records of processing activities related to payment and user acceptance information, including the purposes of processing, categories of data subjects, and data flows.
a. Where applicable, the Organization shall conduct Data Protection Impact Assessments (DPIAs) to assess and mitigate the risks associated with processing payment and user acceptance information.
IN WITNESS WHEREOF, the undersigned parties, being duly authorized representatives of ISELCO-2, hereby adopt and enact this extended addendum to the Data Privacy Act of 2012 for Payment, User Acceptance, and Data Security, with particular emphasis on user acceptance.