DATA PRIVACY POLICY
Century Properties Group Inc. (“CPGI”, “we”, “us”, or “our”) values your privacy and is committed to protecting your personal data in accordance with Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012, and its Implementing Rules and Regulations.
Personal Data and Basis for Processing
We collect and process the following personal and sensitive personal information:
• Full name, contact details and payment information
• Preferences and feedback from surveys, contests or loyalty programs
• Device identifiers when using Wi-Fi or mobile apps
• CCTV footage and other security-related data
The processing of personal data is based on the following:
• Consent provided by the data subject
• Fulfillment of contractual obligations such as ticketing and promotions
• Legitimate interests such as security and service improvement
• Compliance with legal obligations
Manner of Storage
Your data is stored in secure physical and digital formats, including encrypted databases and cloud systems; locked filing cabinets for physical records; and access-controlled servers and devices.
Disclosure to Other Parties
We may disclose your personal data to:
- Authorized service providers and contractors (e.g., payment processors, IT support)
- Government agencies when required by law
Retention Period and Basis
Your data is retained only for as long as necessary:
| Type of Data | Retention Period | Basis |
|---|---|---|
| Payment records | 5 years | BIR and financial regulations |
| CCTV Footage | 30 days | Security protocols |
| Marketing and feedback data | Until consent is withdrawn or 2 years | Business use and consent |
| Personnel files (employment contracts, 201 files, job descriptions, performance evaluations) | 5 years after separation | DOLE regulations on employment records; prescription periods for labor claims |
| Payroll records (timesheets, payslips, deductions, benefits) | 3–5 years | Labor Code record‑keeping requirements; BIR documentation rules |
| Government‑mandated records (SSS, PhilHealth, Pag‑IBIG, BIR forms) | 10 years | Agency‑specific regulations and audit requirements |
| Health and medical records (pre‑employment medical exams, fit‑to‑work notes) | 1–5 years, depending on purpose | Occupational Safety and Health Standards; data‑minimization under the Data Privacy Act |
| Recruitment data (CVs, interview notes, assessments) | 1 year unless consent allows longer | Data Privacy Act; legitimate business interest |
| Training and disciplinary records | 5 years after separation | Labor claims prescription periods; internal compliance |
| Biometric logs / access logs | 30–90 days, unless needed for investigations | Security protocols; data‑minimization principles |
| Incident reports / investigation files | 5 years after case closure | Labor and legal claim timelines |
| Exit documents (clearance, exit interview, final pay computation) | 5 years | DOLE and BIR audit requirements |
How Data is Securely Disposed
When no longer needed, your data is securely disposed of through:
- Permanent deletion from systems
- Physical shredding of documents
- Anonymization for statistical use
Protection Measures
To address risks and ensure data security, we implement:
- Organizational controls such as staff training on privacy policies.
- Physical safeguards such as CCTV surveillance and restricted access areas.
- Technical measures such as firewalls, encryption and regular audits.
Risks Involved at Any Stage of Data Processing
We inform you of the potential risks associated with the processing of personal data throughout its life cycle, from collection to disposal. These risks include:
- Unauthorized Access: Despite our security protocols, there remains a residual risk of personal data being accessed by unauthorized individuals due to cyber threats, system vulnerabilities or internal breaches.
- Accidental Loss or Destruction: Data may be inadvertently deleted, corrupted or lost due to technical failures, human error or natural disasters.
- Improper Use or Disclosure: Personal data may be misused or disclosed without proper authorization, especially in cases of negligence or non-compliance by third-party service providers.
- Third-Party Risks: Data shared with external partners (e.g., payment processors, marketing platforms) may be subject to different security standards, posing additional exposure.
- Cross-border Data Transfers: If data is transmitted outside the Philippines, it may be governed by foreign laws that offer varying levels of protection.
We take these risks seriously and implement appropriate organizational, physical and technical safeguards to mitigate them. In the event of a data breach or incident, affected individuals will be notified promptly in accordance with applicable laws and regulations.
Automated Access Methods
We use automated tools such as:
- Cookies and analytics for website and app usage
- Loyalty program algorithms for personalized offers
No decisions with legal or significant effects are made solely through automated processing.
The Rights of the Data Subject
Your right to data privacy empowers you to have reasonable control over the flow of your personal data. Under the Data Privacy Act of 2012, individuals whose personal information is collected, stored, and processed are referred to as data subjects. It is the responsibility of the Personal Information Controllers (PIC) and Personal Information Processors (PIP) that handle your personal details, whereabouts, and preferences to uphold and respect your data privacy rights.
Data Subject Rights

- RIGHT TO BE INFORMED
- RIGHT TO DAMAGES
- RIGHT TO ACCESS
- RIGHT TO FILE A COMPLAINT
- RIGHT TO OBJECT
- RIGHT TO RECTIFY
- RIGHT TO ERASURE OR BLOCKING
- RIGHT TO DATA PORTABILITY
To exercise these rights, please contact our Data Protection Officer.
Contact Information
Data Protection Officer
Email: cpgi2024.dpo@gmail.com
Address: 35th Floor, Century Diamond Tower, Century City, Kalayaan Ave. cor. Salamanca St., Poblacion, Makati City
This Data Privacy Policy and Notice was last amended in February 2026.

