Privacy Policy

Privacy Policy – Southern de Oro Philippines College Inc.

Effective Date: July 17, 2025

1. Introduction

Southern de Oro Philippines College Inc. (referred to as “the Institution,” “we,” “us,” or “our”) is committed to protecting the privacy and personal data of our students, prospective students, alumni, staff, faculty, researchers, visitors, and other individuals with whom we interact. This Privacy Policy outlines how we collect, use, disclose, and protect your data in accordance with the General Data Protection Regulation (GDPR) (EU) 2016/679 and other applicable data protection laws, including the Data Privacy Act of 2012 (Republic Act No. 10173) of the Philippines.

2. Who We Are (Data Controller)

Southern de Oro Philippines College Inc.

Julio Pacana St. Licuan, Cagayan de Oro City, Misamis Oriental, 9000

[email protected]

+639363351820

https://www.spccdo.edu.ph

We are the Data Controller responsible for processing your data collected under this Privacy Policy.

3. Principles of Data Processing

We process personal data in accordance with the following GDPR principles:

  • Lawfulness, Fairness, and Transparency: Processed lawfully, fairly, and in a transparent manner.
  • Purpose Limitation: Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • Data Minimisation: Adequate, relevant, and limited to what is necessary for the purposes for which they are processed.
  • Accuracy: Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data, having regard to the purposes for which they are processed, are erased or rectified without delay.
  • Storage Limitation: Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  • Integrity and Confidentiality (Security): Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures.

4. Types of Personal Data We Collect

We collect various types of personal data depending on your relationship with the Institution. This may include, but is not limited to:

  • Identity Data: Name, gender, date of birth, nationality, civil status, photographs, video recordings (CCTV).
  • Contact Data: Postal address, email address, telephone numbers.
  • Academic Data: Admission applications, enrollment details, student ID, course registration, grades, academic progress, attendance records, disciplinary records, research outputs.
  • Financial Data: Bank account details (for salaries, scholarships, tuition payments, refunds), financial aid applications, and billing information.
  • Employment Data (for staff/faculty): Resume/CV, employment history, qualifications, performance reviews, payroll information, benefits information.
  • Health Data (Special Category Data): Medical conditions, disabilities, allergies (only when necessary and with explicit consent or a lawful basis, e.g., for accommodations, health services, or emergencies).
  • Biometric Data (Special Category Data): Fingerprints for attendance tracking (if applicable and with explicit consent or a lawful basis).
  • Dietary Requirements (Special Category Data): Information about allergies or special diets (only when necessary and with explicit consent, e.g., for catering during events).
  • Background Check Data: Criminal records (if required by law or for specific roles, with a lawful basis).
  • Technical Data: IP address, browser type and version, time zone setting and location, operating system and platform, and other technology on the devices you use to access our websites and systems.
  • Usage Data: Information about how you use our website, products, and services.
  • Marketing and Communications Data: Your preferences in receiving marketing from us and your communication preferences.

5. How We Collect Your Data

We collect personal data through various channels, including:

  • Direct Interactions: When you apply for admission, enroll, register for courses, apply for a job, request information, participate in surveys, or attend events.
  • Automated Technologies or Interactions: As you interact with our website or online systems, we may automatically collect Technical Data about your equipment, browsing actions, and patterns. We collect this personal data by using cookies, server logs, and other similar technologies.
  • Third Parties or Publicly Available Sources: We may receive personal data about you from various third parties, such as previous educational institutions, government agencies, background check providers, or publicly available sources.

6. Purposes and Legal Basis for Processing Personal Data

We will only process your data when we have a lawful basis to do so under GDPR. The main purposes for which we process personal data and the corresponding legal bases are:

| Purpose of Processing | Legal Basis for Processing |
|---|---|
| For Students/Prospective Students: | |
| Processing admissions applications and enrollment | Performance of a contract with you (application for admission, enrollment agreement) or steps preparatory to entering into a contract. |
| Providing educational services, courses, and programs | Performance of a contract with you (enrollment agreement). |
| Managing student records, academic progress, and assessments | Performance of a contract with you; Legitimate interests (e.g., maintaining academic standards, ensuring proper administration); Compliance with legal obligations. |
| Providing student support services (e.g., counseling, career services) | Performance of a contract with you; Legitimate interests (e.g., promoting student well-being); Explicit consent (for sensitive data where required). |
| Managing tuition fees, scholarships, and financial aid | Performance of a contract with you; Compliance with legal obligations. |
| Administering examinations and assessments | Performance of a contract with you; Legitimate interests (e.g., assessing academic performance). |
| Maintaining safety and security on campus (e.g., CCTV) | Legitimate interests (e.g., protecting property, ensuring safety of individuals); Public interest (e.g., crime prevention). |
| Communicating important updates, announcements, and alerts | Performance of a contract with you; Legitimate interests (e.g., ensuring effective communication). |
| Managing disciplinary matters | Performance of a contract with you; Legitimate interests (e.g., maintaining order and discipline); Compliance with legal obligations. |
| For Staff/Faculty: | |
| Processing job applications and recruitment | Performance of a contract with you (employment contract) or steps preparatory to entering into a contract; Legitimate interests (e.g., assessing suitability for roles). |
| Managing employment contracts, payroll, and benefits | Performance of a contract with you; Compliance with legal obligations. |
| Performance management and professional development | Performance of a contract with you; Legitimate interests (e.g., fostering professional growth, improving institutional performance). |
| Providing IT services and access to institutional systems | Performance of a contract with you; Legitimate interests (e.g., enabling efficient work, securing systems). |
| Managing leave, attendance, and disciplinary matters | Performance of a contract with you; Legitimate interests; Compliance with legal obligations. |
| For Alumni: | |
| Maintaining alumni relations and engaging with the alumni community | Legitimate interests (e.g., fostering community, promoting the institution); Consent (for marketing communications). |
| Sending alumni newsletters, event invitations, and fundraising appeals | Legitimate interests (unless consent is required for specific marketing communications). |
| For All Data Subjects: | |
| Conducting institutional research and statistical analysis (anonymized or pseudonymized where possible) | Legitimate interests (e.g., improving institutional operations, educational offerings); Public interest. |
| Compliance with legal and regulatory obligations (e.g., reporting to government bodies) | Compliance with a legal obligation. |
| Responding to queries, complaints, and requests | Legitimate interests (e.g., providing good customer service). |
| Marketing and promotional activities (e.g., sending newsletters, event invitations) | Consent (where required by law, especially for direct marketing); Legitimate interests (e.g., promoting the institution, provided your interests and fundamental rights do not override these interests). |
| Website analytics and improvement of online services | Legitimate interests (e.g., improving user experience); Consent (for certain non-essential cookies). |
| Exercising and defending legal claims | Legitimate interests (e.g., protecting legal rights). |
| Protecting vital interests (e.g., in medical emergencies) | To protect the vital interests of the data subject or another natural person. |

Special Category Data: When we process special category data (e.g., health, biometric, racial or ethnic origin, religious beliefs), we do so only under specific lawful bases as permitted by GDPR, such as:

  • Explicit Consent: Where you have given explicit consent to the processing for one or more specified purposes.
  • Employment, Social Security, and Social Protection Law: Processing necessary for carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment, social security, and social protection law.
  • Vital Interests: Processing necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
  • Public Interest in the Area of Public Health: Processing is necessary for reasons of public interest in the area of public health.
  • Archiving Purposes, Scientific or Historical Research Purposes, or Statistical Purposes: Processing necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.
  • Legal Claims: Processing necessary for the establishment, exercise, or defence of legal claims or whenever courts are acting in their judicial capacity.

7. Data Sharing and Disclosure

We may share your data with the following categories of recipients, always ensuring that appropriate safeguards are in place:

  • Internal Departments and Personnel: Within the Institution, strictly on a “need-to-know” basis, for the purposes outlined in this policy.
  • Service Providers: Third-party vendors and service providers who assist us in delivering our services (e.g., IT support, cloud hosting, payment processors, catering, transport, marketing agencies, external auditors, legal advisors). These providers are contractually obligated to protect your data and only process it according to our instructions.
  • Educational Partners: Other educational institutions for purposes such as student exchange programs, joint degrees, or verification of academic records (with your consent where appropriate).
  • Government and Regulatory Authorities: As required by law, to comply with legal obligations, or to respond to lawful requests (e.g., Department of Education, CHED, BIR, NBI, immigration authorities).
  • Accreditation Bodies: To maintain accreditation and quality assurance standards.
  • Law Enforcement and Emergency Services: In cases of legal necessity, to prevent harm, or in emergencies.
  • Research Partners: For collaborative research projects, typically with data anonymized or pseudonymized, where possible.
  • Parents/Guardians: For students under the age of majority, consistent with applicable laws and the student’s best interests.
  • Alumni Associations and Foundations: For engagement, fundraising, and community building, with appropriate consent mechanisms for marketing.
  • Insurance Providers: For necessary insurance claims or coverage.

We will not sell, rent, or lease your data to third parties.

8. International Data Transfers

The Institution may transfer your data to countries outside of the European Economic Area (EEA) and the Philippines, for example, if our service providers or IT infrastructure are located outside these regions. In such cases, we will ensure that the transfer is protected by appropriate safeguards, as required by GDPR and the Data Privacy Act of 2012, which may include:

  • Adequacy Decision: Transfer to a country deemed by the European Commission to provide an adequate level of data protection.
  • Standard Contractual Clauses (SCCs): Implementing SCCs approved by the European Commission or the National Privacy Commission (Philippines) for data transfers.
  • Binding Corporate Rules (BCRs): For intra-group transfers, if applicable.
  • Explicit Consent: Where you have explicitly consented to the proposed transfer after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards.
  • Necessity for the performance of a contract or the implementation of pre-contractual measures.
  • Necessity for the establishment, exercise, or defence of legal claims.

9. Data Security

We have implemented appropriate technical and organizational measures to protect your data from accidental loss, unauthorized access, use, alteration, or disclosure. These measures include:

  • Access Controls: Restricting access to personal data to authorized personnel on a “need-to-know” basis.
  • Encryption: Encrypting data both in transit and at rest, where appropriate.
  • Pseudonymisation/Anonymisation: Using these techniques where possible to reduce identifiability.
  • Firewalls and Intrusion Detection Systems: To protect our networks and systems.
  • Regular Security Audits and Penetration Testing: To identify and address vulnerabilities.
  • Staff Training: Ensuring that all staff handling personal data are aware of their responsibilities and best practices for data protection.
  • Data Backup and Recovery Procedures: To ensure data availability and resilience.
  • Physical Security Measures: Protecting our premises and data storage facilities.

Despite our efforts, no security system is impenetrable, and we cannot guarantee the absolute security of your data. In the event of a data breach, we have procedures in place to address it promptly and in accordance with applicable laws.

10. Data Retention

We will retain your data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider:

  • The amount, nature, and sensitivity of the personal data.
  • The potential risk of harm from unauthorized use or disclosure of your data.
  • The purposes for which we process your data and whether we can achieve those purposes through other means.
  • Applicable legal requirements (e.g., statutes of limitations, academic record retention policies, employment laws).

Upon the expiry of the retention period, your data will be securely deleted, anonymized, or securely destroyed.

11. Your Data Protection Rights

Under GDPR and the Data Privacy Act of 2012, you have the following rights regarding your data:

  • The Right to Be Informed: To be informed about the collection and use of your data. This Privacy Policy serves to fulfill this right.
  • The Right of Access: To request a copy of the personal data we hold about you.
  • The Right to Rectification: To request that any inaccurate or incomplete personal data we hold about you is corrected.
  • The Right to Erasure (“Right to be Forgotten”): To request the deletion of your data where there is no compelling reason for its continued processing (e.g., the data is no longer necessary for the purposes for which it was collected). This right is not absolute and may be subject to legal obligations or legitimate interests.
  • The Right to Restrict Processing: To request the restriction of the processing of your data in certain circumstances (e.g., if you contest the accuracy of the data, or the processing is unlawful).
  • The Right to Data Portability: To receive your data in a structured, commonly used, and machine-readable format and to transmit that data to another controller, where technically feasible. This right applies to data processed by automated means based on consent or contract.
  • The Right to Object: To object to the processing of your data where we are relying on a legitimate interest as our legal basis (unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims), or for direct marketing purposes.
  • Rights Related to Automated Decision-Making and Profiling: Not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, unless necessary for entering into or performing a contract, authorized by law, or based on your explicit consent.
  • The Right to Withdraw Consent: Where we are relying on your consent to process your data, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
  • The Right to Lodge a Complaint: To complain to a supervisory authority, particularly in the Member State of your habitual residence, place of work, or the place of the alleged infringement. In the Philippines, this is the National Privacy Commission (NPC).

To exercise any of these rights, please contact our Data Protection Officer/Privacy Office using the contact details provided in Section 2. We may need to request specific information from you to help us confirm your identity and ensure your right to access your data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask for further information in relation to your request to speed up our response.

We will endeavor to respond to all legitimate requests within one (1) month. Occasionally, it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

12. Cookies and Similar Technologies

Our website may use cookies and similar technologies to enhance your browsing experience, analyze website traffic, and personalize content. Cookies are small text files stored on your device. You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly.

For detailed information on the cookies we use and the purposes for which we use them, please refer to our separate Cookie Policy.

13. Links to Third-Party Websites

Our website may contain links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any significant changes by posting the updated policy on our website and, where appropriate, by other means of communication. We encourage you to review this policy periodically.

15. Contact Us

If you have any questions about this Privacy Policy or our data protection practices, please contact our Data Protection Officer/Privacy Office at: [email protected]