Data Privacy Notice
Moncada Catholic School, Inc. (MCSI) is committed to protecting your fundamental right to privacy. This Data Privacy Notice clearly outlines our comprehensive policies and practices regarding the collection, use, storage, disclosure, and disposal of personal and sensitive personal information in full compliance with the Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations.
Important: MCSI does not collect, process, or store biometric data (including but not limited to fingerprints, facial recognition data, or other biometric identifiers). Our security and administrative systems do not require biometric data collection.
1. Legal Bases for Processing
We process your information based on the following legal grounds provided under Section 12 of the Data Privacy Act of 2012 (Republic Act No. 10173). Each processing activity is assigned one primary legal basis as outlined below:
1.1 Legal Obligation
Processing is necessary for compliance with mandatory legal requirements. This is the primary legal basis for:
- Submission of student enrollment data to the Department of Education (DepEd), including Learner Information System (LIS) reporting, Form 137/SF10 maintenance, and other DepEd circulars and memoranda
- Submission of employee information to government agencies, including Bureau of Internal Revenue (BIR) for tax reporting, Social Security System (SSS), Philippine Health Insurance Corporation (PhilHealth), and Home Development Mutual Fund (Pag-IBIG) for employee contributions and benefits
- Compliance with retention requirements for academic records as mandated by DepEd Order No. 88, s. 2010 and DepEd Order No. 11, s. 2018
- Compliance with retention requirements for employee records as mandated by Article 290 of the Labor Code of the Philippines
- Compliance with retention requirements for financial records as mandated by Section 203 of the National Internal Revenue Code
1.2 Contractual Necessity
Processing is required to fulfill our obligations under your enrollment contract or employment agreement. This is the primary legal basis for:
- Student admission, enrollment, academic instruction, assessment, grading, and issuance of academic certifications
- Employee payroll processing, benefits administration, performance evaluation, and employment-related documentation
- Billing and payment processing for tuition and fees
- Provision of student support services, including guidance counseling and health services, as specified in the enrollment contract
- Cross-border data transfers required for the operation of our information systems that support these contractual obligations (as detailed in Section 5.1)
- Data processing by Personal Information Processors (PIPs) necessary for the delivery of contracted services
1.3 Vital Interest
Processing is necessary to protect the life, health, or safety of students, employees, or other individuals. This is the primary legal basis for:
- Emergency medical response and health monitoring
- Disclosure of medical information to emergency medical personnel in life-threatening situations
- Processing of medical information necessary for immediate health interventions
1.4 Legitimate Interest
Processing is necessary for the school's legitimate interests, provided these do not override your fundamental rights and freedoms. This is the primary legal basis only for:
- Campus security through CCTV monitoring: Necessary to ensure the physical safety of students, employees, and school property. We maintain documented Legitimate Interest Assessments (LIAs) that evaluate the necessity and proportionality of this processing. CCTV monitoring is limited to public areas and points of entry/exit for security purposes only. CCTV monitoring does not include audio recording, facial recognition technology, or monitoring for performance evaluation purposes. Notices of CCTV monitoring are posted where feasible. Access to footage is restricted to authorized security personnel with a legitimate need for such access.
- Prevention of fraud, academic dishonesty, and misconduct: Necessary to maintain academic integrity and institutional standards. Our documented LIAs evaluate whether this processing is necessary, proportionate, and does not unduly interfere with privacy rights.
- Communication of essential school-related announcements and administrative matters: Necessary for the effective operation of the school and communication with students and parents. This excludes marketing communications, which require consent.
Legitimate Interest Assessment (LIA) Process: For all processing activities based on legitimate interest, we conduct documented LIAs that evaluate: (a) the necessity of the processing; (b) the proportionality of the processing in relation to the legitimate interest pursued; (c) the balancing of our legitimate interests against your fundamental rights and freedoms; and (d) the availability of less intrusive alternatives. These assessments are maintained in our records and reviewed when processing activities change materially. You have the right to object to processing based on legitimate interest, and we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.
1.5 Consent
Consent is used only where no other lawful basis applies. This is the primary legal basis exclusively for:
- Participation in optional extracurricular programs or activities that are not part of the core educational contract
- Use of photographs or videos of students or employees for marketing, promotional, or public relations purposes beyond official school documentation
- Sharing information with third parties for non-essential services or programs not required for enrollment or employment
- Processing of additional optional data categories that you voluntarily provide
Consent Requirements: Consent must be freely given, specific, informed, and an unambiguous indication of agreement. For minors, parental or guardian consent is required. Consent may be withdrawn at any time by submitting a written request to our Data Protection Officer. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Withdrawal of consent for optional activities will result in the cessation of those specific activities, but will not affect mandatory processing based on other legal grounds.
Note on Minors: For students who are minors, the school does not rely on consent as the legal basis for core educational data processing. We recognize the inherent power imbalance and the mandatory nature of educational data processing. The primary legal bases for processing children's data are legal obligation and contractual necessity (through the enrollment contract executed by parents/guardians). Parental consent is obtained only for optional activities where consent is the appropriate legal basis, such as participation in optional programs or use of photographs for marketing purposes.
2. Information We Collect and Process
We collect and process the following categories of information:
2.1 Personal Information (PI)
Personal Information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained. We collect the following PI:
- Students: Full name (including previous names, if applicable), date of birth, age, gender, nationality, civil status, contact details (address, telephone, email), emergency contact information, academic performance records (grades, assessments, transcripts), attendance records, disciplinary history, co-curricular and extracurricular participation, awards and recognitions, photographs and videos taken during official school activities and events for documentation purposes (see Section 2.5 for details on photograph and video use), and academic certifications issued.
- Parents/Guardians: Full name, relationship to student, occupation, employer, contact information (address, telephone, email), and financial information related to tuition and fee payments (payment history, outstanding balances, payment methods).
- Employees: Full name, date of birth, gender, nationality, civil status, contact details, educational background, professional qualifications, employment history, job title, department, salary information, attendance records, performance evaluations, and photographs for identification purposes.
2.2 Sensitive Personal Information (SPI)
Sensitive Personal Information refers to personal information about an individual's race, ethnic origin, marital status, age, color, religious, philosophical or political affiliations, health, education, genetic or sexual life, or any proceeding for any offense committed or alleged to have been committed, the disposal of such proceedings, or the sentence of any court. We collect the following SPI:
- Students: Medical and health records (including vaccination records, allergies, medical conditions, medications), psychological evaluations and counseling records, religious affiliation (for religious education and activities), government-issued identification numbers (Learner Reference Number/LRN, if applicable), and information related to disciplinary proceedings.
- Employees: Medical and health records (including pre-employment medical examinations, health insurance information), government-issued identification numbers (SSS, TIN, PhilHealth, Pag-IBIG), background check results (NBI clearance, police clearance, if applicable), and information related to administrative or disciplinary proceedings.
- Parents/Guardians: Government-issued identification numbers (TIN, if required for tax purposes), and financial information necessary for billing and payment processing.
2.3 Mandatory vs. Optional Data Collection
Mandatory Data: The following data is mandatory and required by law or necessary for the performance of our contractual obligations:
- Student enrollment and academic records (required by DepEd)
- Government-issued identification numbers (LRN for students; SSS, TIN, PhilHealth, Pag-IBIG for employees as required by law)
- Basic contact and emergency contact information
- Medical information necessary for health and safety (allergies, medical conditions requiring accommodation)
- Financial information necessary for billing and payment processing
Optional Data: The following data is optional and may be provided at your discretion:
- Additional contact information (secondary email, alternative phone numbers)
- Participation in optional extracurricular activities
- Consent for use of photographs/videos for marketing or promotional purposes beyond official school documentation
- Additional emergency contacts beyond the primary guardian
Consequences of Refusal to Provide Mandatory Data: Failure to provide mandatory data required for enrollment, employment, or legal compliance may result in the school's inability to process your application, enroll the student, enter into an employment contract, or comply with regulatory requirements. The school reserves the right to decline enrollment or employment if mandatory data is not provided.
2.4 Photographs and Videos
We process photographs and videos in two distinct categories, each with different legal bases:
- Official School Documentation (Legal Basis: Contractual Necessity and Legal Obligation): Photographs and videos taken during official school activities, events, ceremonies, and classes are processed for documentation, record-keeping, and historical purposes. This includes yearbook photos, graduation ceremonies, school events, and class activities. These are necessary for the performance of our educational services and compliance with DepEd requirements for maintaining institutional records. This processing is mandatory as part of enrollment and does not require separate consent.
- Marketing and Promotional Use (Legal Basis: Consent): Use of photographs or videos for marketing materials, promotional campaigns, public relations, social media, website features, advertisements, or external publications requires explicit consent from students (or parental/guardian consent for minors) and employees. This use is optional, and consent may be withdrawn at any time by submitting a written request to our Data Protection Officer. Upon withdrawal of consent, we will immediately cease all future marketing use of your photographs or videos and will remove or discontinue distribution of such materials from our active marketing channels, websites, and social media platforms where technically feasible and within our operational control. Withdrawal of consent will not affect photographs or videos already published in physical formats (e.g., printed yearbooks, brochures) that cannot practicably be withdrawn, nor will it affect photographs or videos used for official documentation purposes.
If you do not provide consent for marketing use, your photographs and videos will still be used for official school documentation purposes only. You will be asked to provide separate consent if you wish to permit marketing use.
2.5 Special Protections for Children's Data
Recognizing that students are minors and require heightened protection under the Data Privacy Act, we implement additional safeguards for children's personal data:
- Primary Legal Bases: For students who are minors, we primarily rely on legal obligation and contractual necessity (through the enrollment contract executed by parents/guardians) as the legal bases for processing. We do not rely on consent as the primary legal basis for core educational data processing, recognizing the inherent power imbalance and the mandatory nature of educational services.
- Data Minimization: We limit the collection of children's data to what is strictly necessary for educational purposes and legal compliance. We do not collect more data than is required to fulfill our educational and legal obligations.
- Access Restrictions: Access to children's sensitive personal information (such as medical records, psychological evaluations, and disciplinary records) is restricted to authorized personnel who have a legitimate need to access such information in the performance of their duties (e.g., school nurse for medical records, guidance counselor for psychological records, registrar for academic records). Access is monitored where practicable.
- Marketing Restrictions: We do not use children's data for marketing, advertising, or promotional purposes without explicit parental or guardian consent. Use of children's photographs or videos for marketing purposes requires separate, explicit consent that may be withdrawn at any time.
- Parental Information: We provide parents and guardians with clear information about what data is collected about their children, how it is used, the legal basis for processing, and their rights regarding such data.
- Parental Rights: Parents and guardians have the right to access, correct, or request deletion of their child's personal data, subject to legal and contractual limitations (e.g., we cannot delete academic records required to be retained by DepEd). Parents and guardians may object to processing based on legitimate interest and may withdraw consent for optional activities.
- Consent for Optional Activities: For optional activities that require consent (such as participation in optional programs or use of photographs for marketing), explicit parental or guardian consent is obtained and may be withdrawn at any time.
3. Purpose of Processing
Your data is processed for the following purposes, each with its primary legal basis indicated:
- Academic Management (Legal Basis: Contractual Necessity): Admission, enrollment, grading, graduation, and issuance of certifications necessary to fulfill our obligations under the enrollment contract.
- Student Support Services (Legal Basis: Contractual Necessity and Vital Interest): Guidance counseling, health services, and coordination of required co-curricular activities as specified in the enrollment contract. Emergency health interventions are based on vital interest.
- Optional Extracurricular Activities (Legal Basis: Consent): Participation in optional programs or activities not required by the enrollment contract. Consent may be withdrawn at any time.
- Administrative Operations (Legal Basis: Contractual Necessity): Billing and payment processing for tuition and fees, payroll processing, and human resources management necessary to fulfill contractual obligations.
- Campus Security (Legal Basis: Legitimate Interest): CCTV monitoring for campus security purposes, as detailed in Section 1.4 on Legitimate Interest. This is subject to documented Legitimate Interest Assessments.
- Regulatory Compliance (Legal Basis: Legal Obligation): Submission of required reports to Department of Education (DepEd) via Learner Information System (LIS), PEAC/FAPE for GASTPE programs, and other government agencies as mandated by law.
- Official School Documentation (Legal Basis: Contractual Necessity and Legal Obligation): Maintenance of official records, including photographs and videos of official school activities and events, for institutional documentation and compliance with DepEd record-keeping requirements.
- Marketing and Promotional Activities (Legal Basis: Consent): Use of photographs, videos, or other personal information for marketing, promotional, or public relations purposes. This requires explicit consent and is optional.
4. Automated Decision-Making and Profiling
MCSI does not engage in automated decision-making or profiling processes that produce legal effects concerning data subjects or similarly significantly affect them. All decisions affecting students and employees, including admissions, grading, promotion, and disciplinary matters, involve human review and judgment.
Automated decision-making refers to decisions made solely by automated means without human intervention that produce legal effects or similarly significantly affect individuals (e.g., automated admission decisions, automated grading that determines promotion without human review, automated disciplinary decisions).
Should we implement automated decision-making or profiling that produces legal effects or similarly significantly affects individuals in the future, we will update this Data Privacy Notice to clearly identify such processing, provide information about the logic involved, explain the significance and consequences, and inform you of your rights, including the right to object and the availability of human intervention.
5. Data Sharing and Disclosure
Personal Information Controller (PIC) Designation: Moncada Catholic School, Inc. (MCSI) is the Personal Information Controller (PIC) for all personal and sensitive personal information processed under this Data Privacy Notice, as defined under Section 3(f) of the Data Privacy Act of 2012 (Republic Act No. 10173). Ownership, control, and decision-making authority over personal data remain with MCSI at all times.
Personal Information Processor (PIP) Relationship: MCSI engages Personal Information Processors (PIPs), including VYRM and other service providers, for processing activities including hosting, system maintenance, technical support, and related services, solely for the purpose of processing personal data on our documented instructions and in support of our contractual obligations. All PIPs, including VYRM, are contractually bound by written Data Processing Agreements that comply with the Data Privacy Act of 2012 (RA 10173), its Implementing Rules and Regulations, and National Privacy Commission requirements. PIPs are contractually prohibited from: (a) using personal data for their own purposes; (b) further disclosing personal data to third parties; and (c) engaging sub-processors without MCSI's prior written authorization. PIPs process personal data only as instructed by MCSI, and all processing activities remain subject to MCSI's control and oversight.
We do not sell, rent, or trade your personal information to third parties. We may disclose your information only in the following circumstances:
- Government Agencies (Legal Obligation): Mandatory reporting and disclosure to government agencies as required by law, including but not limited to:
- Department of Education (DepEd) for enrollment reporting, LIS submission, and academic record maintenance
- Bureau of Internal Revenue (BIR) for tax reporting and compliance
- Social Security System (SSS), Philippine Health Insurance Corporation (PhilHealth), and Home Development Mutual Fund (Pag-IBIG) for employee contributions and benefits
- Other government agencies as required by applicable laws, rules, and regulations
- Personal Information Processors (PIPs) (Legal Basis: Contractual Necessity): We engage Personal Information Processors, including VYRM and other service providers, for processing activities including hosting, system maintenance, technical support, and related services. This sharing is necessary for the performance of our enrollment and employment contracts. PIP processing is subject to the Data Processing Agreements and PIC–PIP relationship requirements described in Section 5.
- Professional Organizations and Educational Institutions (Legal Basis: Consent or Contractual Necessity): Verification of academic records, certifications, and credentials for college admissions, scholarship applications, or employment, upon your written request or authorization. In such cases, the disclosure is based on your explicit consent or authorization. Where educational institutions or employers request verification directly, we may disclose information only with your prior written consent or authorization, or in compliance with applicable laws or court orders.
- Emergency Situations (Legal Basis: Vital Interest): Disclosure to medical personnel, law enforcement, or emergency services when necessary to protect the life, health, or safety of students, employees, or other individuals.
- Legal Proceedings (Legal Basis: Legal Obligation): Disclosure as required by court order, subpoena, or other legal process, or to defend our legal rights in legal proceedings.
5.1 Cross-Border Data Transfers
PIC–PIP Relationship in Cross-Border Processing: For all cross-border data transfers and processing, MCSI remains the Personal Information Controller (PIC) with full ownership, control, and decision-making authority over personal data at all times. Service providers, including VYRM, engaged in cross-border processing in the United States of America are designated as Personal Information Processors (PIPs) and are contractually bound by written Data Processing Agreements that comply with the Data Privacy Act of 2012 (RA 10173), its Implementing Rules and Regulations, and National Privacy Commission requirements. PIPs process personal data solely on MCSI's documented instructions and are contractually prohibited from: (a) using personal data for their own purposes; (b) further disclosing personal data to third parties; and (c) engaging sub-processors without MCSI's prior written authorization. These PIC–PIP relationship requirements apply equally to cross-border processing in the United States and any local processing.
Primary Data Storage and Processing Location: The primary storage and processing of personal data collected by MCSI occurs in the United States of America through our service providers. This includes the majority of personal and sensitive personal information processed by the school, including but not limited to:
- Student Records: Academic records, enrollment data, attendance records, grades, assessments, transcripts, disciplinary records, and related educational information
- Employee Records: Personnel files, employment history, payroll information, performance evaluations, attendance records, and related employment information
- Administrative Data: Financial records, billing information, payment history, contact information, emergency contact details, and other administrative records necessary for school operations
- Sensitive Personal Information: Medical and health records, government-issued identification numbers, and other sensitive personal information as defined under Section 3(l) of the Data Privacy Act of 2012
Legal Basis for Transfer: This cross-border data transfer is necessary for the operation of our information systems that support the performance of our enrollment and employment contracts (contractual necessity) and compliance with legal obligations, including mandatory reporting to government agencies and retention of records as required by law (legal obligation). The transfer is essential for the delivery of educational services, administrative operations, and regulatory compliance.
Safeguards and Protections: We have implemented comprehensive safeguards to ensure that personal data transferred to and processed in the United States receives a level of protection comparable to that required under the Data Privacy Act of 2012 (Republic Act No. 10173). These safeguards include:
- Written Data Processing Agreements: All service providers engaged in cross-border data processing, including VYRM, are bound by written Data Processing Agreements that comply with the Data Privacy Act of 2012 (RA 10173), its Implementing Rules and Regulations, and National Privacy Commission requirements. These agreements specify the purposes of processing, data security requirements, confidentiality obligations, restrictions on further disclosure, and prohibitions on using personal data for the PIP's own purposes or engaging sub-processors without MCSI's prior written authorization.
- Confidentiality Obligations: All service providers and their personnel are contractually bound by strict confidentiality obligations that prohibit unauthorized access, use, or disclosure of personal data. These obligations extend beyond the termination of the service relationship.
- Security Measures: We require service providers to implement appropriate technical, organizational, and physical security measures to protect personal data against unauthorized access, accidental loss, destruction, alteration, or disclosure. These measures include encryption of data in transit and at rest, access controls, regular security assessments, and incident response procedures.
- Level of Protection Comparable to RA 10173: Our data processing agreements require service providers to maintain data protection standards that provide a level of protection comparable to the Data Privacy Act of 2012, including requirements for data minimization, purpose limitation, data security, and respect for data subject rights.
- Access Limitations: Access to personal data stored and processed in the United States is strictly limited to authorized personnel and service providers who have a legitimate need to access such data in the performance of their duties or contractual obligations. Access is granted on a need-to-know basis and is monitored where technically feasible.
- Data Subject Rights: Our data processing agreements require service providers to cooperate with us in responding to data subject requests and exercising rights under the Data Privacy Act of 2012, including the right to access, rectification, erasure, and data portability.
- Breach Notification: Service providers are contractually required to immediately notify us of any personal data breach and to cooperate with us in investigating, mitigating, and reporting such breaches in accordance with NPC requirements.
Ongoing Compliance: We regularly review and assess the adequacy of safeguards implemented by our service providers and update our data processing agreements as necessary to ensure continued compliance with the Data Privacy Act of 2012 and NPC requirements. We reserve the right to terminate service relationships with providers who fail to maintain adequate data protection standards.
Contact Information: If you have questions or concerns about cross-border data transfers, or if you wish to exercise your rights regarding personal data stored or processed in the United States, please contact our Data Protection Officer using the contact information provided in Section 9 of this notice.
6. Data Security & Access
We implement appropriate technical, organizational, and physical security measures as required by law to protect your personal data against unauthorized access, accidental loss, destruction, alteration, or disclosure.
Access Control: Access to personal data is restricted to authorized personnel and monitored where practicable. Access to sensitive personal information, such as medical records, psychological evaluations, and background checks, is further restricted to specific authorized personnel (e.g., school nurse for medical records, guidance counselor for psychological records, HR manager for employee background checks, registrar for academic records).
Third-Party Security: We contractually require all Personal Information Processors to implement appropriate security measures.
Data Breach Notification: In the event of a personal data breach that poses a real risk of serious harm to affected data subjects, we will notify the NPC and affected data subjects as required by law.
7. Data Retention and Disposal
We retain personal data only for as long as necessary to fulfill the declared purposes, comply with legal obligations, or establish, exercise, or defend legal claims. Specific retention periods are as follows:
- Student Academic Records (Permanent Records): Form 137/SF10 (Permanent Student Records) and official transcripts are retained indefinitely as mandated by DepEd Order No. 88, s. 2010 and DepEd Order No. 11, s. 2018. These records are maintained for historical, verification, and legal purposes.
- Student Enrollment and Academic Records (Non-Permanent): General enrollment data, attendance records, and supporting academic documents are retained for ten (10) years after the student's graduation, transfer, or withdrawal, unless a longer retention period is required by law or for pending legal proceedings.
- Employee Personnel Records: Retained for the duration of employment and for seven (7) years after separation, in compliance with Article 290 of the Labor Code of the Philippines and accounting requirements. This includes employment contracts, performance evaluations, disciplinary records, and payroll information.
- Employee Medical and Health Records: Retained for the duration of employment and for five (5) years after separation, or longer if required for ongoing health-related claims or legal proceedings.
- Financial and Accounting Records: Retained for ten (10) years in compliance with Section 203 of the National Internal Revenue Code (Tax Code) and BIR regulations. This includes billing records, payment history, receipts, and financial statements.
- CCTV Footage: Retained for thirty (30) days, unless required for investigation of incidents, in which case retention may be extended until the conclusion of the investigation or legal proceedings.
- General Administrative Data: Retained for three (3) years after the purpose of collection has been served, unless a longer retention period is required by law or for legitimate business purposes.
- Data Subject Request Records: Records of data subject requests and our responses are retained for three (3) years for audit and compliance purposes.
Disposal Methods: Upon expiration of the retention period, we dispose of personal data in a secure manner using the following methods:
- Physical Records: Securely shredded using cross-cut shredders or incinerated, to the extent reasonably practicable, ensuring that the information cannot be easily reconstructed or recovered using standard methods.
- Digital Data: Permanently deleted using secure deletion methods that overwrite the data where technically feasible, or the storage media is physically destroyed. Data may also be anonymized so that it can no longer be linked to an identifiable individual, in which case the anonymized data may be retained for statistical or historical purposes. Complete deletion may not be immediately possible for data stored in backup systems or archived storage, but such data will be deleted in accordance with our retention schedule when backups are rotated or archives are purged.
- Third-Party Processors: We contractually require our Personal Information Processors to securely dispose of personal data in accordance with our instructions and this policy.
Exception for Legal Holds: If personal data is subject to a legal hold, investigation, or ongoing legal proceedings, retention may be extended beyond the standard retention period until the matter is resolved.
8. Rights of the Data Subject
Under the Data Privacy Act of 2012 (Republic Act No. 10173), you have the following rights:
- Right to be Informed: You have the right to be notified whether your personal data is being processed, the purpose of processing, the categories of personal data concerned, the recipients or classes of recipients, the retention period, and your rights as a data subject. This right is fulfilled through this Data Privacy Notice and any additional notices we may provide.
- Right to Access: You have the right to request access to your personal data, including: (a) the contents of your personal data that were processed; (b) the sources from which personal data were obtained; (c) the names and addresses of recipients of your personal data; (d) the manner by which your personal data were processed; (e) the reasons for the disclosure of your personal data to recipients; (f) information on automated decision-making processes (if applicable); and (g) the date when your personal data were last accessed and modified, to the extent such information is available. Please note that some historical information (such as detailed access logs from several years ago) may not be available if it has been purged in accordance with our data retention policies.
- Right to Object: You have the right to object to the processing of your personal data, including processing for direct marketing, automated processing, or profiling. You may also object to processing based on legitimate interest. When you object to processing based on legitimate interest, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.
- Right to Rectification: You have the right to dispute and request the correction of any inaccuracy or error in your personal data. We will make reasonable efforts to act on verified requests in accordance with law.
- Right to Erasure or Blocking: You have the right to suspend, withdraw, or order the blocking, removal, or destruction of your personal data if: (a) the personal data is incomplete, outdated, false, or unlawfully obtained; (b) the personal data is being used for purposes not authorized by you; (c) the personal data is no longer necessary for the purposes for which it was collected; (d) you have withdrawn consent and there is no other legal ground for processing; or (e) the personal data concerns information prejudicial to you, unless justified by freedom of speech, of expression, or of the press, or otherwise authorized. This right is subject to limitations, including our legal obligations to retain certain records (e.g., academic records as required by DepEd Order No. 88, s. 2010 and DepEd Order No. 11, s. 2018), ongoing contractual obligations, pending legal proceedings, and technical limitations that may prevent immediate deletion from all systems (e.g., data in backup systems or archived storage that cannot be immediately accessed). We will make reasonable efforts to honor erasure requests to the extent legally and technically feasible.
- Right to Damages: You have the right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of your personal data, taking into account any violation of your rights and freedoms as a data subject.
- Right to Data Portability: Where your personal data is processed by electronic means and in a structured and commonly used format, you have the right to obtain a copy of your data in such format, to the extent technically feasible. This right applies to personal data you have provided to us and is processed based on consent or contractual necessity. We will provide data in a format reasonably available to us.
- Right to File a Complaint: You have the right to file a complaint with the National Privacy Commission (NPC) if you believe that your personal data has been misused, mishandled, or your rights have been violated. Complaints may be filed at the NPC office or through their online portal at privacy.gov.ph.
8.1 Process for Exercising Your Rights
To exercise any of the rights mentioned above, please follow these steps:
- Submit a Written Request: Send a written request to our Data Protection Officer (DPO) using the contact information provided in Section 9 below. Your request should clearly state: (a) which right(s) you wish to exercise; (b) the specific personal data concerned; and (c) the reason for your request, if applicable.
- Provide Proof of Identity: We will require proof of your identity to process your request and prevent unauthorized access to personal data. For requests concerning a minor's data, we will require proof of parental or guardian authority.
- Response Timeline: We will respond to your request within fifteen (15) calendar days from receipt of your complete request and verification of your identity. If the request is complex or involves a large volume of data, we may extend the response time by an additional fifteen (15) calendar days, in which case we will inform you of the extension and the reason for it within the initial 15-day period. Response times may be extended only if circumstances beyond our reasonable control prevent timely processing (e.g., system outages, natural disasters, or other force majeure events), in which case we will notify you of the delay and provide an estimated response time.
- Fees: Requests for access to personal data are provided free of charge. However, we reserve the right to charge a reasonable fee based on administrative costs if: (a) the request is manifestly unfounded or excessive, particularly if it is repetitive; or (b) additional copies are requested. We will inform you of any applicable fees before processing your request.
- Denial of Request: If we deny your request, we will provide you with a written explanation of the reasons for denial and inform you of your right to file a complaint with the NPC.
Note: Some rights may be subject to limitations based on our legal obligations (e.g., retention of academic records as required by DepEd Order No. 88, s. 2010 and DepEd Order No. 11, s. 2018), contractual necessity, or legitimate interests that override your rights. We will inform you of any such limitations when responding to your request.
9. Contact Our Data Protection Officer
For any inquiries, concerns, requests to exercise your rights, or reports of data breaches, please contact our Data Protection Officer:
Data Protection Officer
Moncada Catholic School, Inc.
Address: P. Jacinto Street, Poblacion No. 4, Moncada, Tarlac 2308
Email: registrar.mcs1949@gmail.com
Phone: 0946 572 3110
Office Hours: Monday to Friday, 8:00 AM to 5:00 PM (excluding holidays)
You may also file a complaint directly with the National Privacy Commission:
National Privacy Commission
Address: 5th Floor, Delegation Building, PICC Complex, Roxas Boulevard, Pasay City, Metro Manila 1307
Website: privacy.gov.ph
Email: privacy@privacy.gov.ph
Hotline: (02) 8234-2228
10. Third-Party Services and External Links
Our information systems may integrate with or link to third-party services, websites, or platforms that are not under our direct control. This Data Privacy Notice applies only to personal data collected and processed by MCSI. We are not responsible for the privacy practices, data processing activities, or security measures of third-party services, websites, or platforms.
Third-Party Service Providers: When you interact with third-party services through our systems (such as payment processors, cloud storage providers, or educational technology platforms), your personal data may be subject to the privacy policies and terms of service of those third parties. We encourage you to review the privacy policies of any third-party services you access through our systems.
Personal Information Processors: We contractually require our Personal Information Processors (PIPs) to implement appropriate security measures and comply with data protection requirements. In the event of a data breach or non-compliance by a third-party processor, we will take immediate steps to address the issue and notify affected data subjects as required by law.
Your Responsibility: You are responsible for maintaining the confidentiality of your account credentials, passwords, and any authentication information used to access our systems. You should not share your login credentials with others and should notify us immediately if you suspect unauthorized access to your account.
11. Limitations and Reasonable Efforts
MCSI implements appropriate technical, organizational, and physical security measures as required by law. While no method of transmission over the internet or method of electronic storage is 100% secure, we cannot guarantee that all unauthorized access, data loss, or security incidents can be prevented in all circumstances.
Circumstances Beyond Reasonable Control: In the event of circumstances beyond our reasonable control (including but not limited to acts of God, natural disasters, war, terrorism, civil unrest, government actions, cyberattacks by third parties, internet service provider failures, power outages, or other force majeure events), we will restore normal operations and protect your personal data as soon as practicable.
Technical Limitations: Some security measures, logging, auditing, or data protection practices may be subject to genuine technical limitations, system constraints, or operational requirements. Where we have qualified our commitments with phrases such as "to the extent technically feasible," "where applicable," or similar language, such qualifications reflect actual technical or operational constraints and are not intended to diminish our commitment to data protection.
Legal Compliance: This Data Privacy Notice is provided for informational purposes and describes our data processing practices in compliance with the Data Privacy Act of 2012 (RA 10173). Nothing in this notice creates contractual obligations beyond what is required by applicable law. Our data processing activities are subject to applicable laws, regulations, and NPC guidelines, which may require us to process personal data in ways not explicitly described in this notice.
Limitation of Liability: MCSI's liability for any claims arising from data processing activities, security breaches, or privacy violations is limited to the extent permitted by the Data Privacy Act of 2012 and other applicable laws. This limitation does not affect your statutory rights under RA 10173, including the right to damages for violations of your data privacy rights.
12. Changes to This Data Privacy Notice
MCSI reserves the right to update or amend this Data Privacy Notice at any time to reflect changes in our data processing practices, legal requirements, or NPC guidelines. Material changes to this notice will be communicated to data subjects through:
- Posting the updated notice on our official website with a clear indication of the date of the last update
- Email notification to registered email addresses, where applicable
- Written notice through school circulars or announcements, where appropriate
- Other reasonable means to ensure data subjects are informed of significant changes
We encourage you to review this notice periodically to stay informed about how we protect your personal data. Your continued use of our services, enrollment, or employment after the posting of changes constitutes your acknowledgment of such changes, subject to your rights under the Data Privacy Act of 2012.
Notice of Material Changes: We will notify you of material changes to this notice through the methods described above. However, it is your responsibility to periodically review this notice for updates. The "Last Updated" date at the bottom of this notice indicates when the most recent changes were made.