Mapúa Malayan Colleges Laguna

Careers
Services
Request for Documents
Parent Portal
MMCL Logo - ASU Mobile.
Apply Now
Ask Us
Engage

Mapúa MCL Privacy Notice

NPC-Registration-Seal-2026.

Key Privacy Information

Who we are 
Mapúa Malayan Colleges Laguna (Mapúa MCL), with principal office at Pulo-Diezmo Road, Barangay Banay-Banay, Cabuyao City, Laguna 4025, Philippines is the Personal Information Controller responsible for deciding how and why your personal data are collected, used, shared, and retained. 

What data we collect 
We collect personal data such as your name and contact details, student or employee ID, academic and employment information, governmentissued identifiers, guardian and emergency contact details, health and medical information you voluntarily provide, CCTV footage and campus access logs, and information generated when you use our online systems (for example, learning management systems, portals, and WiFi). 

Why we process your data 
We process your personal data primarily to manage your application, enrollment or employment, maintain academic and employment records, administer scholarships and other benefits, comply with legal and regulatory requirements, ensure campus safety and security, and operate and improve our academic and support services. We may also use your data for institutional research, alumni engagement, and limited marketing or promotional activities, subject to your preferences. 

Our legal bases 
Depending on the context, we rely on one or more of the following legal bases: fulfillment of a contract with you (such as your enrollment or employment), compliance with laws and regulations, Mapúa MCL’s legitimate interests that do not override your fundamental rights and freedoms (for example, campus security or service improvement), and your consent for certain optional or additional activities (such as receiving marketing materials), which you may withdraw at any time. 

How long we keep your data 
We keep your personal data only for as long as necessary to achieve the purposes described above and as required by applicable laws and institutional policies. Some records, such as permanent academic records, may be kept for longer periods, while others, such as CCTV recordings, are kept only for a limited time unless needed for an investigation. 

How we share your data 
When necessary and proportionate, we may share your personal data with government regulators (such as DepEd, CHED, PRC, and BIR), service providers that support our operations (such as IT, cloud, LMS, testing, and payment service providers), and Mapúa MCL’s affiliates for academic or administrative purposes. These parties are bound by contracts that require them to protect your personal data and process them only for authorized purposes, which may include processing on servers located outside the Philippines under appropriate safeguards. 

How to exercise your rights 
Under the Data Privacy Act, you have rights such as to be informed, to access, to rectify, to object to certain processing, and to request erasure or blocking of your personal data, subject to legal and institutional limitations. To exercise these rights or to ask questions about this Notice, you may contact our Data Protection Officer at [email protected]. We will respond in accordance with applicable laws and Mapúa MCL policies. 

Please read the full Privacy Notice below for more detailed information on how Mapúa MCL processes your personal data. 

Mapúa MCL Privacy Notice

1. Introduction and Commitment

Mapúa Malayan Colleges Laguna (Mapúa MCL), with principal office at PuloDiezmo Road, Barangay BanayBanay, Cabuyao City, Laguna 4025, Philippines, acts as the Personal Information Controller (PIC) responsible for deciding how and why your personal data are processed. This Privacy Notice applies to students, applicants, alumni, employees, job applicants, visitors, and users of Mapúa MCL’s physical and online services (for example, campus facilities, website, learning management systems, and institutional events). 

Mapúa MCL is committed to protecting the privacy rights of individuals regarding personal information pursuant to Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations (IRR), and relevant issuances of the National Privacy Commission (NPC). We process personal data in a manner that is lawful, fair, transparent, and aligned with the principles of proportionality, legitimate purpose, and data quality under the DPA and NPC guidance. 

2. Information We Collect

We collect and process personal data in various forms, including written records, electronic documents, photographic and video images, and other digital materials. This occurs during application, enrollment, employment, and throughout your engagement with Mapúa MCL and its services. 

Categories of Data 

  • Personal Information 
    Examples of personal information include name, student or employee ID, home and email addresses, contact numbers, date and place of birth, nationality, and emergency or guardian contact information. 
  • Sensitive Personal Information 
    Examples of sensitive personal information include health and medical information you voluntarily provide, governmentissued identifiers, information about offenses or disciplinary actions, and data about a minor’s status, where applicable, as defined under the Data Privacy Act and its IRR. 
  • Automated and Online Usage Data 
    We collect certain information automatically when you access Mapúa MCL’s online services, such as IP addresses, device and browser types, login timestamps, pages visited, cookies and similar technologies, and usage data from Mapúa MCL systems (for example, learning management systems, portals, and WiFi access logs) for security, academic, and administrative purposes. 
  • Security and Campus Operations Data 
    We also process data such as CCTV images, campus access logs, visitor information, and incident reports generated within Mapúa MCL premises, primarily to help maintain safety, security, and order within the campus. 

Where feasible, Mapúa MCL may aggregate or anonymize personal data so that they can no longer be used to identify you, and use such data for statistical, research, or institutional planning purposes in accordance with the Data Privacy Act and NPC guidance. 

3. Lawful Basis and Purpose of Processing

We process your personal data only when there is a lawful basis to do so and for purposes that are legitimate, specific, and explicitly declared in this Notice. We rely on different legal bases depending on the context of your relationship with Mapúa MCL, as described below. 

  • Contract 
    We process personal data when this is necessary for the performance of our contract with you, or to take steps at your request before entering into such a contract. Examples include managing applications and admissions, administering your enrollment or employment, maintaining academic and employment records, handling grades and evaluations, and processing scholarships, benefits, and payroll. 
  • Legal Obligation 
    We process personal data when required by law or regulation, or by regulatory and accrediting bodies. This covers, among others, reporting and submissions to DepEd, CHED, PRC, BIR, and other government agencies, compliance with labor, tax, and education laws, and responding to lawful orders or legal processes. 
  • Legitimate Interests 
    We process personal data when it is necessary for Mapúa MCL’s legitimate interests and when these interests are not overridden by your fundamental rights and freedoms. These interests include ensuring campus safety and security (such as through CCTV and access management), operating and improving academic and support services, conducting institutional research and analytics (using deidentified or aggregated data where appropriate), maintaining IT and network security, and managing internal governance and risk. 
  • Consent 
    In situations where processing is not strictly necessary for a contract, legal obligation, or legitimate interest, we will rely on your freely given, specific, and informed consent. This may include certain marketing or promotional communications, alumni engagement activities, or optional services and events. You may withdraw your consent at any time by contacting us through the channels indicated in this Notice or by using the unsubscribe or preference tools provided, without affecting the lawfulness of processing carried out before such withdrawal. 

Our primary purposes for processing personal data include academic administration, student and employee records management, provision of educational and support services, processing of scholarships and financial transactions, and compliance with legal and regulatory requirements. Secondary purposes include institutional research and planning, alumni relations, and marketing or promotional activities consistent with your preferences and applicable laws. 

For processing activities that rely on your consent (such as direct marketing emails or SMS), we will retain your personal data only for as long as you have not withdrawn your consent or for the period reasonably necessary to achieve the declared purpose, whichever comes earlier, subject to applicable laws and institutional policies. 

4. Third-Party Disclosures and Transfers

Mapúa MCL may disclose or transfer personal data to third parties only when such disclosure or transfer is necessary, lawful, and proportionate to the purposes described in this Privacy Notice. We share personal data only to the extent reasonably necessary to carry out legitimate academic, administrative, legal, regulatory, security, and operational functions, and we do not allow third parties to use your personal data for their own independent purposes unless otherwise permitted by law or with your consent. 

Personal data may be shared with the following categories of recipients: 

  • Government and Regulatory Agencies 
    These may include, when required or authorized by law, the Department of Education (DepEd), Commission on Higher Education (CHED), Professional Regulation Commission (PRC), Bureau of Internal Revenue (BIR), law enforcement authorities, courts, and other government agencies. 
  • Service Providers and Processors 
    These may include third-party providers that support Mapúa MCL’s operations, such as providers of cloud hosting, information technology systems, learning management systems, email and communications platforms, payment processing, identity and access management, library systems, security services, and other institutional support tools. 
  • Affiliates and Academic or Administrative Partners 
    Mapúa MCL may share personal data with its affiliates, partner institutions, accreditation bodies, practicum or internship partners, and other organizations when necessary for collaborative academic programs, student services, institutional processes, or other lawful and declared purposes. 

Mapúa MCL requires third parties that process personal data on its behalf to implement appropriate organizational, physical, and technical security measures and to process personal data only in accordance with Mapúa MCL‘s instructions, applicable contracts, and the Data Privacy Act. Where required, Mapúa MCL enters into appropriate data sharing agreements, outsourcing arrangements, or other binding contractual safeguards to ensure a level of protection comparable to Philippine privacy standards. 

Some of Mapúa MCL’s service providers may process or store personal data on servers located outside the Philippines. In such cases, Mapúa MCL takes reasonable steps to ensure that cross-border processing is subject to appropriate contractual and technical safeguards and that your personal data remain protected in a manner consistent with applicable Philippine laws and regulations 

5. Risks and Protection Measures

Mapúa MCL recognizes that the processing of personal data involves risks such as unauthorized access, accidental or unlawful destruction, loss, alteration, disclosure, misuse, and other forms of unauthorized processing. To help protect personal data against these risks, Mapúa MCL implements appropriate organizational, physical, and technical security measures consistent with the Data Privacy Act, its Implementing Rules and Regulations, and relevant issuances of the National Privacy Commission. 

  • Physical Security Measures 
    Mapúa MCL protects physical records and devices through controlled access to offices, records storage areas, and archives, as well as through visitor management, surveillance measures, and other campus security controls appropriate to the sensitivity of the information involved. 
  • Technical Security Measures 
    Mapúa MCL uses safeguards such as access controls, authentication mechanisms, encryption where appropriate, firewalls, anti-malware tools, system monitoring, backup procedures, and other technical protections designed to prevent unauthorized access to and compromise of personal data. We maintain access controls based on role and need-to-know, regularly review user access, and log access to critical systems in line with the National Privacy Commission’s minimum security requirements. 
  • Organizational Security Measures 
    Mapúa MCL adopts internal policies and procedures for privacy and information security, conducts privacy and security awareness activities for personnel, performs privacy impact assessments where appropriate, and requires confidentiality and data protection obligations from employees, contractors, and relevant third parties. Mapúa MCL also takes steps to assess and manage risks involving service providers and other third parties that may process personal data on its behalf. 

Mapúa MCL regularly reviews and updates its security measures to address evolving operational, technological, and regulatory risks. In the event of a personal data breach that is likely to affect your rights and freedoms, Mapúa MCL will act in accordance with applicable law and regulations, including taking appropriate containment and response measures and notifying the National Privacy Commission and affected data subjects when required. 

6. Storage, Retention, and Disposal

Mapúa MCL stores personal data in secure physical and electronic repositories and retains them only for as long as necessary to fulfill the purposes for which they were collected, in accordance with applicable laws, regulations, and institutional policies. The period of retention may vary depending on the nature of the data, the purpose of processing, and any legal, regulatory, academic, administrative, or operational requirements applicable to Mapúa MCL. 

  • Storage 
    Personal data may be stored in secured filing systems, institutional databases, servers, and authorized cloud-based platforms that are protected by appropriate physical, organizational, and technical safeguards. Access to stored personal data is limited to authorized personnel, service providers, or partners with a legitimate need to know and subject to applicable confidentiality and data protection obligations. 
  • Retention 
    As a general rule, Mapúa MCL retains personal data only for as long as necessary to achieve the declared and legitimate purposes for which they were obtained. By way of illustration, student academic records may be retained permanently or for extended periods where required by law, regulation, or institutional policy; employment and administrative records may be retained for the period required by applicable labor, tax, audit, or operational requirements; and CCTV footage or access logs may be retained only for a limited period unless needed for an investigation, legal proceeding, or security incident. 
  • Disposal and Deletion 
    Once retention is no longer necessary and there is no lawful basis for further processing, Mapúa MCL will securely dispose of, delete, anonymize, or otherwise render personal data inaccessible or irreversibly unusable, as appropriate to the format of the records and the sensitivity of the information involved. Physical records may be destroyed through secure shredding or similar disposal methods, while electronic records may be deleted, overwritten, anonymized, or otherwise sanitized using appropriate technical methods. 

Where feasible and appropriate, Mapúa MCL may anonymize or aggregate personal data so that they can no longer be associated with a specific individual, and may use such anonymized or aggregated data for statistical, research, planning, or institutional improvement purposes consistent with applicable law and privacy principles. 

7. Automated Access and Decision-Making

Mapúa MCL may use automated tools and systems as part of its academic, administrative, and security operations, including learning management systems, online portals, attendance or access systems, plagiarism detection tools, and similar technologies used to support institutional processes. Access to personal data through such systems is restricted to authorized users and subject to appropriate access controls and monitoring measures. 

Where automated tools are used to assist in processing personal data, Mapúa MCL does not rely solely on purely automated decision-making for decisions that significantly affect data subjects, unless otherwise allowed by law and supported by appropriate safeguards. Final significant decisions, such as those relating to academic standing, disciplinary action, employment status, or comparable outcomes, remain subject to human review and institutional procedures. 

If Mapúa MCL introduces a processing activity in the future that involves solely automated decision-making with significant effects on a data subject, Mapúa MCL will provide an appropriate and specific privacy notice for such activity, explain the nature and consequences of the processing, and provide a lawful mechanism for the data subject to raise concerns, request review, or contest the decision, consistent with applicable law and principles of fairness and transparency. 

8. Rights of the Data Subject 

Under the Data Privacy Act of 2012 and its Implementing Rules and Regulations, you have the right to be informed, to access, to object, to rectify, to erase or block, to damages, and to lodge a complaint before the National Privacy Commission, subject to the conditions and limitations provided by law. These rights allow you to understand how your personal data are processed, request correction of inaccurate or incomplete data, object to certain forms of processing, and seek appropriate remedies where your privacy rights may have been violated. 

You may exercise your rights by submitting a written request to Mapúa MCL’s Data Protection Officer through the contact details provided in this Privacy Notice. To help us process your request efficiently, your request should include your full name, contact details, proof of identity or authority, the specific right you wish to exercise, and sufficient information about the personal data or processing activity concerned. Mapúa MCL may ask for additional information when reasonably necessary to verify your identity, clarify your request, or protect the personal data of other individuals. 

Mapúa MCL will evaluate and respond to requests in accordance with applicable law, regulations, and institutional procedures. Please note that some requests may be denied, limited, or deferred where retention or continued processing is required by law, regulation, accreditation standards, institutional policy, public interest, the establishment or defense of legal claims, or other lawful grounds, including the need to preserve permanent academic and official records. 

If you believe that your data privacy rights have been violated, you may also lodge a complaint with the National Privacy Commission through its official website or through its authorized contact channels. 

9. Contact Information

If you have questions, concerns, or requests relating to this Privacy Notice or the exercise of your data privacy rights, you may contact Mapúa MCL’s Data Protection Officer through the following details: 

Data Protection Officer 
Mapúa Malayan Colleges Laguna 
Pulo-Diezmo Road, Barangay Banay-Banay 
Cabuyao City, Laguna 4025 
Philippines 
Email: [email protected] 
Contact Number: (049) 832-4000 

Mapúa MCL will make reasonable efforts to respond to privacy-related inquiries and requests in accordance with applicable law, regulations, and institutional procedures. If you believe that your concerns have not been adequately addressed, you also have the right to lodge a complaint with the National Privacy Commission through its official website or through its authorized contact channels.