1. Introduction
2. This Privacy Policy sets out the commitment of the Philippine Retirement Authority to collect and process personal information and sensitive personal information (collectively, "personal data") in accordance with the applicable laws and regulations on data privacy, including the Philippine Data Privacy Act of 2012 ("DPA") and its implementing rules and regulations ("DPA IRR"). It explains how the PRA implements that commitment and the terms and conditions under which such personal information is collected and processed.
3. In processing personal information, we adhere to the general privacy principles of transparency, legitimate purpose, proportionality, and such other relevant principles in the collection, processing, and retention of personal data as required by applicable law.
4. The PRA respects the rights of its stakeholders/data subjects and aims to comply with the requirements of all relevant privacy and data protection laws, particularly the DPA. As in the case of the National Privacy Commission (NPC), the PRA seeks to strike a balance between the personal privacy of our stakeholders, and the free flow of information, especially when pursuing the government’s legitimate interests.

2. Confidentiality under Philippine Law
3. Information that the PRA receives from its stakeholders/data subjects, whether constituting personal information, are generally protected as confidential information. The Authority commits to diligently observe this obligation as a government agency.
4. The PRA notes that local law, regulations, and authorities permit disclosure of such information under certain conditions, as when the information has become public.

3. Data Privacy Act (DPA) Exemptions
4. Section 4, provided hereunder, of the DPA exempts from its application the collection and processing of certain personal information. These data and activities are not covered by this Policy.
5. • SEC. 4. Scope. – This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are complied with.
   • This Act does not apply to the following:
   • (a) Information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:
   • • (1) The fact that the individual is or was an officer or employee of the government institution;
     • (2) The title, business address and office telephone number of the individual;
     • (3) The classification, salary range and responsibilities of the position held by the individual; and
     • (4) The name of the individual on a document prepared by the individual in the course of employment with the government;
   • (b) Information about an individual who is or was performing service under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services;
   • (c) Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit;
   • (d) Personal information processed for journalistic, artistic, literary or research purposes;
   • (e) Information necessary in order to carry out the functions of public authority which includes the processing of personal data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in this Act shall be construed as to have amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);
   • (f) Information necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with Republic Act No. 9510, and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and
   • (g) Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

4. How the PRA collects personal infromation
5. This Authority may be able to obtain personal data in various ways. These include where a natural or juridical person (a "Person") –

1. Enters into a Contract and/or Agreement with the PRA, whether or not written, including Contract of Service (COS) personnel’s employment contract, consultancy agreement, and/or contract for procurement of goods and/or services;
2. Submits to us any application, form, complaint, report, request, notice, or some other document;
3. Inquires after or applies for employment;
4. becomes an employee, officer, consultant, agent, supplier or service provider of the PRA; or
5. otherwise provides us with personal data, whether directly or through another Person.

1. Where personal data is publicly available, the PRA may be able to collect the data from such public sources, including any online presence you may have.

5. Purposes, scope and method of collection and processing
6. Before or at the time of collecting personal data, PRA shall identify the purpose for which the information is being collected which shall be used for the said purpose and for other compatible purposes which it may serve.
7. The personal Information collected by the PRA should be relevant to the purpose for which it is to be used, and to the extent, when necessary, should be accurate, complete, and up-to-date. In the event the PRA, through its Technical Working Group for the Data Privacy Act, finds it necessary to collect further information from the data subject to be properly acted upon by the Authority, it shall be made by lawful and fair means, where applicable, with knowledge or consent of the data subject concerned.
8. The PRA utilizes standard manual and computerized methods and systems to file, store and process personal data. Collection and processing of personal data will be undertaken in accordance with the principles set out in this Policy and as required by law. Any collected personal data shall only be stored and retained for such period as may be required by applicable laws or as may be needed to enable us to fully and efficiently achieve the Purposes.

6. Amendments and Supplements
7. The PRA reserves its right to amend and/or supplement this policy. Its stakeholders/data subjects, upon submission of personal or sensitive personal information to the Authority commits to be bound by the prevailing terms of this Policy, as may be updated from time to time, upon the amendment or supplement published by the PRA or otherwise advised to you.

7. Rights of Data Subjects
8. Under the DPA, data subjects have the following rights:

1. Right to Object

1. The PRA reserves its right to amend and/or supplement this policy. Its stakeholders/data subjects, upon submission of personal or sensitive personal information to the Authority commits to be bound by the prevailing terms of this Policy, as may be updated from time to time, upon the amendment or supplement published by the PRA or otherwise advised to you.

1. The PRA reserves its right to amend and/or supplement this policy. Its stakeholders/data subjects, upon submission of personal or sensitive personal information to the Authority commits to be bound by the prevailing terms of this Policy, as may be updated from time to time, upon the amendment or supplement published by the PRA or otherwise advised to you.
2. The collection and processing is undertaken pursuant to any lawful basis or criteria under the DPA or any applicable laws, rules or regulations.

2. Right to Access

1. Upon its data subject’s request, access may be given to personal data that the PRA has collected or processed. The PRA likewise acknowledges the right to request access to the circumstances relating to the processing and collection of the data subject’s personal data, insofar as allowed by law.

3. Right to Rectification

1. PRA’s data subjects have the right to dispute any inaccuracy or error in personal data and may request the Authority to immediately correct it. Upon receipt of the said request, and after correction has been made, the PRA shall inform any recipient of the said personal data of its inaccuracy and the subsequent rectification that was made.

4. Right to Erasure or Blocking

1. In the absence of any other legal ground or overriding legitimate interest for the lawful processing of personal data received by PRA from its data subjects, or when there is substantial proof that the said personal data is incomplete, outdated, false, or has been unlawfully obtained, a request to suspend, withdraw, or order the blocking, removal, or destruction of the personal data from our filing system may be made by the concerned data subject. The Authority shall also notify those who have previously received your processed personal data.

5. Right to Data Portability

1. In the event the personal data was processed through electronic means and in a structured and commonly used format, the data subject has the right to obtain a copy of his/her personal data in such electronic or structured format for reference and/or further use, subject to the guidelines of the National Privacy Commission with regard to the exercise of such right.

6. Transmissibility of Rights of the Data Subject

1. Upon the passing of a data subject, or in case of a data subject’s incapacity or incapability to exercise legal rights, the data subject’s lawful heirs and assigns may invoke the data subject’s rights in place of the data subject.

7. Limitation on Rights; Manner of Exercising

1. The rights mentioned under this item are not applicable if personal data are processed only for scientific and statistical research purposes, and without being used as basis for carrying out any activity or taking any action regarding the data subject. The law requires that any exercise of the rights as described in this Policy should be made in a reasonable and non-arbitrary manner, and with regard to rights of other parties. All requests, demands or notices which may be made under this Policy or applicable law must be made in writing, and will only be considered made and officially received by the Authority.

8. Security Measures
9. The PRA at all times shall take appropriate security measures to protect personal information of its data subjects against unauthorized access or unauthorized alteration, disclosure, or destruction. These measures include internal reviews of our data collection, storage, and processing practices, as well as physical security measures to protect the said information against unauthorized access. As part of our efforts to ensure that your information is protected, the PRA commits to restrict access to personal data to personnel who would need that information to perform their functions.
10. Personal information collected are stored and later on disposed through shredding and then permanently deleted in our electronic files in accordance to R.A. No. 9470 otherwise known as National Archives of the Philippines Act of 2007.

9. Data Breaches
10. The PRA commits to comply with the relevant provisions of laws, rules and circulars on handling personal data security breaches, including notification to its data subjects or to the National Privacy Commission, in accordance to the National Privacy Commission Circular 16-03 or the Personal Data Breach Management, where an unauthorized acquisition of sensitive personal information or information that may be used to enable identity fraud has been acquired by an unauthorized person, and is likely to give rise to a real risk of serious harm to the affected data subject. Please note that under applicable law, not all personal data breaches are notifiable.

10. Data Protection Officer
11. The Data Protection Officer (DPO) and the PRA Technical Working Group for the Data Privacy Act are principally responsible for ensuring GCG’s compliance with applicable laws and regulations for the protection of data privacy and security. The DPO is responsible for the supervision and enforcement of this Policy, and the relevant contact details are as follows:

1. Data Protection Officer: Atty. Antonio R. Rivera - DM III, MSD
2. Alternate Data Protection Officer: Remus Erlan S. Palmos - ITO III, ICTD
3. Philippine Retirement Authority (PRA)
4. 29th Floor, BDO Tower, Valero Condominium Corporation,
5. (formerly known as Citibank Tower Building),
6. 8741 Paseo de Roxas (corner Valero and Villar Streets) Bel-Air Makati City, Philippines 1226
7. Bel-Air Makati City, Philippines 1226
8. (632) 8848 1412 to 15 / (632) 8247-1679 / (632) 8247 1632
9. privacy@pra.gov.ph

11. Inquiries and Notices
12. For any inquiry related to this Policy, please contact our Data Protection Officer through the contact details indicated above.
13. All requests, demands or notices which a data subject may send or submit to us under this Policy must be in writing and addressed to the Data Protection Officer using the contact details above, and will be deemed duly submitted:

1. On the date of delivery if delivered personally,
2. On the third business day following the date of sending if delivered by a nationally recognized next-day courier service and the service has confirmed delivery, or
3. After the letter sender receives the confirmation email by the Data Protection Officer in case the communication is sent through electronic mail.