Privacy Notice

Last Updated: February 10, 2026

At Reyes Tacandong & Co. (“we,” “us,” or “our”), we respect your privacy and are committed to protecting your personal data. This Privacy Notice
explains what personal data we collect, how we use and protect it, how we may share it, and what rights you have under the Data Privacy Act of 2012 (“DPA” or “Republic Act No. 10173”), its Implementing Rules and Regulations, and issuances of the National Privacy Commission (NPC).

This Privacy Notice applies to website visitors, clients, prospective clients, training participants, job applicants, on-the-job trainees or interns, vendors, partners, and other individuals whose personal data we process.

Depending on your interaction with us, we may collect the following types of personal data:

Basic Information

  • Full name
  • Email address
  • Contact number
  • Company, organization, or affiliation
  • Position or professional designation

Client and Engagement Information

  • Taxpayer and business registration details
  • Financial, accounting, and audit records
  • Information and documents related to tax, audit, and advisory services
  • Communications related to professional engagements

Training, Seminar, and Event Information

  • Registration and attendance details
  • Professional affiliation and CPD-related information
  • Certificates, evaluations, and feedback

Website Information

  • IP address
  • Browser and device information
  • Pages visited and date/time of access
  • Cookies and similar technologies

Employment-Related Information

  • Resume or curriculum vitae
  • Employment and educational background
  • Government-issued identification numbers, when required by law

We collect personal data when:

  • You visit or browse our website
  • You submit inquiries or contact us through forms, email, or other channels
  • You engage us for professional services
  • You register for or participate in trainings, seminars, webinars, or public events
  • You apply for employment or submit job-related documents
  • We are required to collect information by law, regulation, court order, or contractual obligation

We process personal data only for legitimate and lawful purposes, including:

  • Providing tax, audit, accounting, and advisory services
  • Managing professional engagements and client relationships
  • Responding to inquiries and requests
  • Conducting trainings, seminars, webinars, and professional events
  • Complying with legal, regulatory, professional, and network requirements
  • Maintaining internal records and administrative operations
  • Improving our website, services, and client or participant experience
  • Recruitment and employment-related activities
  • Sending professional updates, insights, and event-related communications
  • Direct marketing and promotional communications, where applicable, subject to your right to object and/or your consent when required by law

We collect and process only data that is adequate, relevant, suitable, and not excessive for the stated purposes.

We process personal data based on one or more of the following lawful grounds under the DPA:

  • The performance of a contract, professional engagement, or participation in a training or event
  • Compliance with legal, regulatory, professional, or network obligations
  • Our legitimate business interests, provided these do not override your rights and freedoms
  • Your consent, where required by applicable law

We may send marketing or promotional communications based on our legitimate interest in maintaining professional relationships and providing relevant, timely, and helpful information about our services, professional insights, trainings, and events.

Where consent is required by applicable law, we obtain your consent before sending such communications. In other cases, marketing or promotional communications may be sent based on legitimate interest, provided that such communications are relevant, appropriate, and not excessive, and do not override your rights and freedoms as a data subject.

If you no longer wish to receive marketing or promotional communications, you may:

  • Reply to the marketing email indicating your preference, or
  • Contact our Data Protection Officer (DPO) using the details provided in this Privacy Notice

Choosing not to receive marketing or promotional communications will not affect our ability to provide professional services or allow participation in trainings or events, where applicable.

We share personal data only when necessary, for legitimate business, professional, or legal purposes, and with appropriate safeguards in place to protect your privacy.

Personal data may be shared with the following:

  • Authorized personnel within the firm
    Access is limited to employees and partners who need the information to perform their duties and who are bound by confidentiality obligations.
  • Government agencies and regulators
    Including, but not limited to, the Bureau of Internal Revenue (BIR), Securities and Exchange Commission (SEC), and Professional Regulation Commission (PRC), and other government authorities or regulatory bodies, when disclosure is required or permitted by law, regulation, court order, or official directive.
  • External auditors, consultants, and professional advisers
    Engaged under confidentiality and data protection obligations for legitimate and agreed purposes.
  • Third-party service providers
    Such as IT service providers, cloud service providers, event platforms, and similar vendors who process personal data on our behalf under data processing or data sharing agreements requiring compliance with the DPA.
  • Member firms of the RSM Network
    As a member firm of the RSM Network, we may share limited personal data with other RSM member firms or the RSM International organization only when necessary and subject to appropriate confidentiality, data protection, and security safeguards. Client personal data is not shared within the RSM Network, except with the client’s consent and only in limited cases, such as referrals, where basic contact details are shared solely for coordination or introduction purposes.
  • Training organizers, partner institutions, and professional associations
    For public, external, or association-based trainings, seminars, or events, personal data may be shared with event organizers, partner institutions, or professional associations for purposes such as registration, attendance tracking, certification, CPD compliance, documentation, or post-event communications.

We do not sell personal data to any third party. We use appropriate agreements (e.g., subcontracting/data processing agreements for processors, and data sharing agreements where applicable between controllers) and require confidentiality and security safeguards.

We retain personal data only for as long as necessary to fulfill the purposes stated in this Privacy Notice or as required by applicable laws, regulations, professional standards, and network requirements.

Retention periods are determined in accordance with our Information Asset Classification Policy. After the applicable retention period, personal data is securely deleted, destroyed, or anonymized.

If you would like more information on the specific retention periods applicable to certain types of personal data, you may contact or email our DPO using the details provided in this Privacy Notice.

We implement reasonable and appropriate organizational, physical, and technical security measures to protect personal data against unauthorized access, loss, misuse, alteration, or disclosure.

Our information security controls are aligned with internationally recognized standards, including ISO/IEC 27001 for Information Security Management, and are supported by documented policies, procedures, and risk management practices to ensure the confidentiality, integrity, and availability of personal data.

Privacy Risks Involved

Despite these safeguards, certain risks may still exist, such as:

  • Cybersecurity threats or system vulnerabilities
  • Accidental loss or unauthorized disclosure of personal data
  • Human error in handling or transmitting information
  • Security incidents involving third-party service providers

We continuously review and improve our data protection practices to minimize these risks.

In case of a notifiable personal data breach, we will notify the NPC and affected data subjects as required by law, and provide information on the breach and mitigation steps.

Our website uses cookies and similar technologies to improve functionality and analyze website usage. You may manage or disable cookies through your browser settings.

As a data subject, you have the right to:

  • Be informed about how your personal data is processed
  • Access your personal data
  • Object to the processing of your personal data
  • Request the correction of inaccurate or incomplete personal data
  • Request the deletion or blocking of personal data, subject to legal and regulatory limitations
  • Request data portability, where applicable
  • Be indemnified for damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal data, in accordance with applicable laws
  • File a complaint with the NPC

For more information on your rights, you may visit:
https://privacy.gov.ph/data-subject-rights/

You may exercise your rights by submitting a written request to our DPO using the contact details below.

Requests are subject to identity verification and applicable legal, regulatory, and professional requirements. We may request proof of identity to protect your account and information. We will respond within a reasonable period, subject to legal/professional restrictions and any lawful grounds to retain or process data.

We may update this Privacy Notice from time to time to reflect changes in laws, regulations, or our data processing practices. Any updates will be posted on this page and will take effect upon publication.

For questions, concerns, or requests related to this Privacy Notice or the processing of your personal data, you may email our DPO at dpo@reyestacandong.com.