Effective Date: 8 October 2025

Last Updated: 8 October 2025

This Privacy Notice (or “Policy”) explains how the Municipal Government of Balatan – Office of Disaster Risk Reduction & Management (hereafter “we,” “us,” “our,” or “the Office”) collects, uses, discloses, retains, and protects personal data through balatandrrm.org (the “Site”), and your rights as a data subject under Republic Act No. 10173 (Data Privacy Act of 2012, “DPA”) and its Implementing Rules and Regulations (IRR), and relevant NPC issuances.

By using the Site, you agree to the terms in this Notice. If you do not agree, please do not use the Site.

1. Definitions & Legal Bases

Data subject — An individual whose personal data is processed.
Personal data / personal information — Any information about an individual from which that person may be identified, directly or indirectly.
Sensitive personal data — Data that is more strictly protected (e.g., health, biometric, religious beliefs).
Processing — Any operation or set of operations performed on personal data (collecting, recording, organizing, storing, updating, use, disclosure, erasure, etc.)
Personal Information Controller (PIC) — The entity that determines the purpose and means of processing personal data (in this case, the Office).
Personal Information Processor (PIP) — An entity which processes personal data on behalf of the controller.

Under the DPA, processing must have a valid legal basis (e.g. consent, compliance with a law, public interest mandate) and must adhere to the principles of transparency, legitimate purpose, and proportionality.

NPC Circular No. 2023-04 details requirements for how valid consent must be obtained and documented (i.e. it must be freely given, specific, informed, and evidenced) when consent is the basis.

2. What Personal Data We Collect & How

We may collect the following categories of personal data:

CategoryExamples / FieldsWhen / How Collected
Identifiers & contact dataName, email address, phone number, mailing addressWhen you fill contact forms, request information, register for services, etc.
Demographic / backgroundAge, gender, occupation, etc. (if relevant)When needed for certain programs, forms, or surveys
Transactional / service dataRecords of requests, submissions, interactions with the Site or OfficeWhen you use services, interact with the Site, or engage with us
Technical / usage dataIP address, browser type & version, pages visited, date/time stampsCollected automatically when you access/use the Site
Sensitive data(Only if needed) e.g. health, medical conditions, biometric data, etc. (if applicable)Only if required by specific programs or services, with stricter safeguards

Manner of Collection

Directly from you via forms, e-mail, surveys, registrations, feedback submissions, etc.

Automatically via system logs, cookies, analytics tools, and web server technologies.

From third parties or public sources (if allowed and in compliance with law) to enhance or validate data.

  • Directly from you via forms, e-mail, surveys, registrations, feedback submissions, etc.
  • Automatically via system logs, cookies, analytics tools, and web server technologies.
  • From third parties or public sources (if allowed and in compliance with law) to enhance or validate data.

We will limit collection to what is necessary for the purpose (proportionality principle).

3. Purposes of Processing / Use of Data

Your personal data may be processed for the following purposes (but not limited to):

  1. To respond to your inquiries, requests, or feedback
  2. To provide and manage our services, programs, or events
  3. To send newsletters, updates, announcements (if you opt in)
  4. To perform site analytics, monitor usage, improve the Site
  5. To maintain, secure, and ensure the integrity of our systems
  6. To comply with legal, regulatory, or governmental obligations
  7. To enforce our policies, protect rights or property
  8. In connection with planning, research, development relating to disaster risk management

We will not process your personal data for purposes incompatible with the purposes upfront disclosed, unless we obtain your additional consent or another legal basis is applicable.

4. Cookies, Tracking & Automated Tools

We may use cookies, pixel tags, local storage, or similar technologies to:

  • Recognize your device or browser
  • Retain your preferences or session state
  • Collect analytics (e.g., pages visited, time spent)
  • Improve the performance of the Site

You may disable or reject cookies via browser settings, but that may affect some Site features.

5. Disclosure & Sharing of Data

We may share your personal data under the following circumstances:

  • With employees, agents, contractors, or PIPs who assist us (e.g. hosting, analytics, email services) under contractual obligations to protect confidentiality
  • When required by law, court order, or government bodies
  • To enforce our terms, defend rights, or investigate wrongdoing
  • In connection with a merger, acquisition, restructure, or transfer of operations
  • With your explicit consent

We do not sell or rent your personal data for third-party marketing use without your consent.

While Data Sharing Agreements (DSAs) are not mandatory under the DPA, they are strongly encouraged by the NPC as part of accountability and best practices.

6. Data Retention & Disposal

We keep personal data only as long as necessary for the disclosed purposes, or as required by applicable laws, whichever is longer.

When data is no longer needed, we will securely dispose of it (e.g., shredding for physical records, secure deletion for digital records).

Retention periods for some data may be driven by other laws or archival requirements.

7. Data Security & Protection Measures

We commit to implementing reasonable organizational, physical, and technical safeguards to protect personal data against unauthorized access, alteration, disclosure, or destruction.
Examples of measures include:

  • Access controls and authentication
  • Encryption or secure transmission
  • Regular security audits and vulnerability assessments
  • Backup and disaster recovery protocols
  • Training of staff on privacy and security

However, no system is absolutely immune to risk. We cannot guarantee zero risk.

8. Your Rights & How to Exercise Them

Under the DPA, you have the following rights as a data subject:

  • Right to be informed — You can request details about your personal data processed.
  • Right of access — You can request a copy of your personal data in our possession.
  • Right of rectification / correction — You can ask us to correct or update inaccurate or incomplete data.
  • Right of erasure / blocking / removal — You may request deletion, blocking, or removal of personal data under certain conditions.
  • Right of data portability — You may request to receive your data in a structured, machine-readable format (if applicable).
  • Right to object — You may object to certain processing, including automated processing or direct marketing.
  • Right to withdraw consent — If processing is based on consent, you may retract it (without affecting legality of past processing).
  • Right to lodge a complaint with the NPC if you think your rights have been violated.

To exercise any of these rights, please submit a written request to our Data Protection Officer (contact details below). We may ask you to verify your identity before acting on the request.

9. Personal Data Breach Notification
In the event of a personal data breach that is likely to result in risk to the rights and freedoms of individuals, we will follow applicable procedures:

  • Notify the National Privacy Commission (NPC) and affected data subjects in a timely manner, as required by the DPA and NPC issuances.
  • Provide information about the nature of the breach, affected data, steps taken, and measures to mitigate harm.
  • Implement remedial, corrective, and preventive measures.

10. Third-Party Links / External Sites

Our Site may contain links to external websites not owned or controlled by us. We are not responsible for their privacy practices. If you click on external links, please review their privacy policies before submitting any data.

11. Updates to this Notice

We may update this Privacy Notice periodically to reflect changes in laws, practices, or services. We will revise the “Last Updated” date accordingly. Continued use of the Site after changes means acceptance of the revised Notice.

12. Contact / Data Protection Officer (DPO)

Data Protection Officer / Privacy Contact (Interim)

We are currently in the process of appointing a Data Protection Officer (DPO) for balatan.gov.ph in accordance with the Data Privacy Act of 2012 (RA 10173) and NPC Advisory No. 2017-01.

In the interim, if you have any questions, concerns, or requests regarding your personal data, please direct them to our Office Head / Privacy Coordinator at:

• Email:
• Mailing Address:
• Phone:

Once a DPO is formally appointed, their name and direct contact details will be published here and communicated accordingly.