Customer Survey

What is the usual cause of brownouts in your area?
We have 62 guests online
Our Company
History of Cotabato Light & Power Company PDF  | Print |  E-mail

Almost two generations of Cotabateños have grown up under the illumination and convenience that electric power brings, delivered to their homes, schools, workplaces, businesses and streets by the Cotabato Light & Power Company, or Cotabato Light.

Company Profile PDF  | Print |  E-mail
Written by ingenuity   


Cotabato Light and Power Company is a wholly owned electric distribution utility of the Aboitiz Company.

Incorporated on April 23, 1938, Cotabato Light's service area covers Cotabato City and parts of Datu Odin Sinsuat and Sultan Kudarat municipalities under Maguindanao Province.

Originally granted a 50-year distribution franchise, it was extended by the then Energy Regulatory Board, now Energy Regulatory Commission (ERC), in 1990 for another 25 years from June 17, 1989, or until 2014.

The electric utility's main source of power comes from the National Power Corporation (NPC) delivered through the transmission operator, the National Grid Corporation of the Philippines (NGCP).

It maintains a diesel-fed power plant. Always on hot standby, it operates during times of severe power shortages.

As of December 2013, Cotabato Light is serving 37,000 customers through its three distribution substations. These lines can be remotely controlled using the Supervisory Control Data Acquisition (SCADA).

To sustain a below cap system loss, Cotabato Light is continuously innovating on its systems and processes.

The company also benchmarks its customer services with the world-class standards. One of these is the ability to connect a new customer's meter the same day he signs his service contract.

The electric distribution company utilizes the most up-to-date systems such as the Customer Care and Billing (CC&B), Enterprise Resource Planning (ERP) and soon the Work and Asset Management (WAM).

The distribution firm constantly looks for ways in order to provide its customers with safe and reliable power and operate as a low cost service provider.


Service Area PDF  | Print |  E-mail
Written by ingenuity   

Cotabato Light and Power Company is an electric utility and a member company of Aboitiz Power group. Its office is located in Cotabato City, with service area covering Cotabato City and parts of Datu Odin Sinsuat and Sultan Kudarat municipalities, under Maguindanao, Province.

Vision and mission PDF  | Print |  E-mail
Written by Arlene V. Hepiga   
We are committed to deliver at the most reasonable cost, safe and reliable electric service to the people and businesses we serve. We affirm that the ultimate measure of success is the satisfaction of our customers.

Social Responsibility PDF  | Print |  E-mail
Written by ingenuity   

Cotabato Light and Power Company through its social development arm, the Aboitiz Foundation,  implements various social responsibility program.

One of it's major focus is on Education. Through the years, Cotabato Light has been very supportive of providing assistance to schools within its franchise.  Among the various assistance extended are refurbishments of school classroom buildings, science and computer laboratory, computer donations and educational assistance to performing students.

Data Privacy Policy PDF  | Print |  E-mail
Written by Arlene V. Hepiga   



1.1 Comply with the statutory obligation set forth under the Data Privacy Act and the

regulations of the National Privacy Commission, in particular.


1.2 Ensure the fair and lawful processing of the personal data of data subjects, including

employees, clients, customers, shareholders and other individuals.


1.3 Provide guidelines to team members on the proper handling of personal data.


1.4 Ensure the confidentiality, integrity and availability of personal data under the control of the Company.


1.5 Protect the Company from reputational and legal risks that may result from non-compliance with the Data Privacy Act.





2.1 This policy shall cover all personal data in whatever form (e.g., physical or digital), and processing of personal data in whatever manner (e.g., manual or automated) by the Company, its directors, officers, and employees of the Company.




3.1 ”Company” refers to Cotabato Light and Power Co.


3.2 “Data subject” refers to an individual whose personal, sensitive personal, or privileged information is processed;

3.3 “Data processing systems” refers to the structure and procedure by which personal data is collected and further processed in an information and communications system or relevant filing system, including the purpose and intended output of the processing;


3.4 “Data sharing” is the disclosure or transfer to another entity of personal data under the custody of a company. The term excludes outsourcing, or the disclosure or transfer of personal data by the company to a contractor;


3.5 “Direct marketing” refers to communication by whatever means of any advertising or marketing material which is directed to particular individuals;


3.6 “Personal data” refers to all types of personal information including sensitive personal information and privileged information;


3.7 “Personal data breach” refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. A personal data breach may be in the nature of:


3.7.1. An availability breach resulting from loss, accidental or unlawful destruction of personal data;


3.7.2 Integrity breach resulting from alteration of personal data; and/or


3.7.3 A confidentiality breach resulting from the unauthorized disclosure or access to personal data.


3.8 “Personal information” refers to any information from which the identity of an individual is apparent or can be reasonably and directly ascertained, or when put together with other information would directly and certainly identify an individual;

3.9 “Processing” refers to any operation or any set of operations performed upon personal data including the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may either be automated or manual;


3.10 “Profiling” refers to any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects of an individual, in particular to analyze or predict aspects concerning an individual's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;


3.11 “Privileged information” refers to any and all forms of data considered to be privileged communication under pertinent laws, including spousal communication, attorney-client communication and doctor-patient communication;


3.12 “Security incident” is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity and confidentiality of personal data. It includes incidents that would result to a personal data breach, if not for safeguards that have been put in place;


3.13 Sensitive personal information refers to personal information:


3.13.1 About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

3.13.2 About an individual’s health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;


3.13.3 Issued by government agencies peculiar to an individual including social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and


3.13.4 Specifically established by law to be kept classified.




4.1 Oversight. The Board of Directors of the Company shall have overall oversight of compliance with the Data Privacy Act and implementation of this policy and other related policies of the Company.


4.2 Data Privacy Officer. A Data Privacy Officer (DPO), who shall be an organic employee of the Company, shall be appointed.


The DPO shall have the following duties and responsibilities:


4.2.1 Ensure compliance with the Data Privacy Act and regulations as well as this policy and other related policies of the Company;


4.2.2 Ensure the regular review (at least annually) of privacy related policies,  guidelines and procedures of the Company;


4.2.3 Coordinate with the relevant officer/s of the Company responsible for information security management for the effective implementation of information security measures in the Company to ensure the confidentiality, integrity and availability of personal data;


4.2.4 Organize privacy and information security trainings;


4.2.5 Coordinate with the Company’s Data Breach Response Team in the

management of security incidents and personal data breaches;


4.2.6 Escalate security incidents and personal data breaches to senior management and the Board of Directors in accordance with existing risk management policies;


4.2.7 Oversee and coordinate the conduct of privacy impact assessments to identify privacy risks in the Company;


4.2.8 Develop and implement remediation plans for privacy and information security risks in coordination with the information security officer and process owners;


4.2.9 Monitor compliance with the Company’s privacy and information security standards of third party providers and other entities with access to personal data under the control of the Company;


4.2.10 Ensure compliance by the Company of the reportorial, registration and other regulatory requirements of the National Privacy Commission; and


4.2.11 Report to the senior management and the Board of Directors the status of compliance with the Data Privacy Act, this policy and other related policies and guidelines, as well as other privacy and information security issues that may impact the Company’s compliance with the Data Privacy Act.


4.3 Team Leaders. The team leader of any department which process personal data shall have the following duties and responsibilities:


4.3.1 Understand the Company’s compliance obligations under the Data Privacy Act and related regulations;


4.3.2 Ensure implementation of policies and guidelines established for compliance with the Data Privacy Act and related regulations, as well as with this policy and other privacy and information security related policies of the Company, by embedding such policies and guidelines in the day-to-day processes and procedures of the department;


4.3.3 Conduct privacy impact assessments as may be needed;


4.3.4 Coordinate with the DPO and the information security officer in the development of controls and mitigation plans to address identified privacy risks.


4.3.5 Ensure the implementation of risk controls and mitigation plans in the department;


4.3.6 Promote a culture of privacy in the department;


4.3.7 Ensure that team members have the capability to comply with privacy and information security requirements as provided by law, regulations or internal company policies and guidelines; and


4.3.8 Report immediately to the DPO any security incident or data breach in accordance with the Company’s incident response policy and procedure.


4.4. Team Members. Each team member who process personal data shall have the following duties and responsibilities:


4.4.1 Understand the Company’s compliance obligations under the Data Privacy Act and related regulations;


4.4.2 Understand and comply with privacy and information security policies and procedures in the processing of personal data;


4.4.3 Report immediately to his/her respective TL any security incident or data breach in accordance with the Company’s incident response policy and procedure;


4.4.4 Implement controls and mitigation plans to address privacy risks; and


4.4.5 Regularly attend or undergo privacy trainings and other learning activities.




5.1 Rights of a Data Subject. The rights of a data subject as provided in the Data Privacy Act should be observed when processing personal data.


5.1.1 Right to be informed. A data subject has the right to be informed on the following matters: Whether his personal data shall be, are being or have been processed; The type of personal data to be entered into the data processing system; The purpose/s for the processing; The scope and method of processing; The parties to whom the personal data may be disclosed; Methods utilized for automated access if allowed by the data subject; Contact details of the company or its representative Period for which the personal data will be stored; and Existence of their rights as data subject.


5.1.2 Right to object. A data subject has a right to object to processing which may cause him damage or distress, as well as processing for direct marketing, automated processing or profiling.


5.1.3 Right to access.  A data subject has the right to reasonable access, upon demand, to the following: Contents of his personal data which were processed; Sources from which personal information were obtained; Names and addresses of recipients of the personal data; Manner by which the personal data were processed; Reasons for disclosure of the personal data to recipients; Information on automated processes where the personal data will or likely to be made as the sole basis for any decision significantly affecting or that will affect the data subject; Date when his personal data was last accessed or modified; and Name, address and contact details of the company or its representative.


5.1.4 Right to rectification. The data subject has the right to dispute the inaccuracy or error in the personal data and have the company correct it immediately and accordingly, unless the request is vexatious or unreasonable.


5.1.5 Right to erasure or blocking. A data subject has the right to suspend, withdraw or order the blocking, removal or destruction of his personal data from the company’s filing system upon discovery and substantial proof that the personal data are incomplete, outdated, false, unlawfully obtained, used for unauthorized purpose or no longer necessary for the purposes for which they were collected.


5.1.6 Right to be indemnified. A data subject has a right to be indemnified for any damages sustained due to inaccurate, incomplete, false, unlawfully obtained or unauthorized use of personal data.


5.1.7 Right to lodge a complaint. A data subject has the right to lodge a complaint before the National Privacy Commission for any violations of his or her rights granted under the Data Privacy Act.


5.1.8 Right to data portability. A data subject shall have the right to obtain from the Company a copy of his or her personal data in an electronic or structured format that allows for further use, should his or her personal data be processed in an electronic or structured format subject to the specifications, technical standards, modalities, procedures and other rules for transfer of such personal data in an electronic or structured format to be issued by the National Privacy Commission.

The foregoing rights may be invoked by the data subject’s lawful heirs or assigns in case of the data subject’s death or incapacity.


5.2 Data Processing System. To ensure effective privacy compliance and risk management, the Company shall document the following:


5.2.1  Departments, employees or third parties with functions relating to personal data processing.


5.2.2 The categories of and inventory of data subjects and the types of personal data being processed.


5.2.3 A description of the information flow, from the point of collection up to the disposal of personal data, including any processing done in between, as well as the manner and extent of processing.


5.2.4 The purposes for processing including any intended future processing or data sharing.


5.2.5 The recipients or intended recipients of personal data.


5.3 Data Collection.


5.3.1 The data subject must be informed in clear and plain language that his personal data is or will be collected and processed. For this purpose, a privacy statement containing the following information shall be supplied to the data subject at the point of collection (e.g., websites, intranet, microsite, mobile apps, customer and employee forms): Description of personal data to be processed; Purpose/s of processing; Scope and method of processing; Parties to whom the personal data may be disclosed; Contact details of the company or its Data Privacy Officer; Retention period; and His rights as data subject.


Prior notification to data subjects shall be made in case of amendment privacy statement.


5.3.2 Except in instances allowed by law or regulation, the consent of the data subject to processing must be obtained prior to collection. In the case of the processing of sensitive or privileged information, all parties must have given their consent prior to processing.


5.4 Fair and Lawful Processing. Processing must be for purposes that are not contrary to law, morals or public policy. Personal data must not be misused and processing must be in accordance with the declared and specified purposes. Appropriate measures shall be implemented to prevent misuse of personal data that can harm a data subject.


5.5 Data Quality.  Data quality must be ensured when processing personal data.


5.5.1 Personal data must be accurate, relevant and, where necessary for purposes for which it is to be used, kept up to date.


5.5.2 Inaccurate or incomplete data must be corrected, supplemented, destroyed or their further processing restricted.


5.6 Proportionality of Processing. Processing must be adequate and not excessive in relation to the purposes for which they are collected and processed.


5.7 Retention. Personal data shall be retained only for as long as necessary for the fulfillment of the purposes for which it was obtained, or for the establishment, exercise or defense or legal claims, or for legitimate business purposes, or as provided by law.


5.8 Data Sharing.


5.8.1 The consent of the data subject on data sharing must be obtained even when the data is to be shared with the Company’s parent, subsidiaries or affiliates.


5.8.2 Any data sharing arrangement must be covered by a data sharing agreement which shall provide, among others, the data privacy and security standards to be observed.


5.9 Security Measures. Taking into account its risk profile, the Company shall implement the appropriate organizational, physical and technical security measures to ensure privacy and data protection.


5.9.1 Promote privacy and data protection awareness in the company through trainings and regular communication.


5.9.2 Establish proficiency skills development and training for employees handling personal data to ensure protection of personal data. Trainings in data privacy and information security policies and procedures should be part of the on-boarding process for new employees handling personal data.


5.9.3 Employees, service providers and other third parties who have access to personal data not intended for public disclosure shall be required to hold personal data under strict confidentiality even after termination of employment or contractual relations. This requirement shall be enforced through confidentiality agreements or confidentiality clauses in service agreements.


5.9.4 Information security measures shall be adopted. In this regard, information security management policies are deemed incorporated in this policy.


5.10 Outsourcing. The Company shall ensure the protection of personal data when outsourcing activities that involve processing of personal data. Among the measures that can be undertaken to ensure data protection by contractors or service providers are the following:


5.10.1 Set appropriate privacy and security standards (organizational, physical and technical measures) to be complied by contractors or service providers when processing personal data.


5.10.2 Take into account in the accreditation, hiring and performance evaluation processes the capability of contractors or service providers to meet the privacy and security standards set by the company.


5.10.3 Embed privacy requirements, security standards, data breach management protocol and the right of the company to audit compliance with the foregoing requirements in the agreements with contractors or service providers.


5.10.4 Conduct compliance audits where appropriate.




6.1 As part of its information security management system, the Company shall establish detective controls (which, depending on a company’s risk profile, may be a combination of process, human capital, physical and technological controls) to detect potential or actual security incidents or data breaches as well as complaints, non-compliances or misconducts relating to privacy and data protection.


6.2 The Company shall establish and implement a security incident management policy, which shall include the following:


6.2.1 Creation of a data breach response team to ensure that timely and appropriate action is taken in the event of a security incident or personal data breach.


6.2.2 Implementation of an incident response procedure including the execution of corrective actions and controls to: Contain or mitigate the negative effect of a security incident, data breach, complaint, non-compliance or misconduct; Restore integrity to the information and communications system; and Improve prevention and detection of future incidents.


6.2.3 The conduct of internal investigation to understand the facts, circumstances, root causes and appropriate resolution.


6.2.4 The procedure for contacting law enforcement authorities in case possible criminal acts were committed.


6.2.5 Compliance with the notification and reporting requirements of the National Privacy Commission in the event of occurrence of personal data breach or security incident.




7.1 Registration of Data Processing System.


7.1.1 The Company is required to register its personal data processing system with the National Privacy Commission if it has at least two hundred fifty (250) employees.


7.1.2 Even if it has less than two hundred fifty (250) employees, it may nevertheless be required to register its personal data processing system with National Privacy Commission if it carries out processing that: Involves the sensitive personal information of at least one thousand (1,000) individuals; Is likely to pose a risk to the rights and freedom of data subject; or Is not occasional.


7.2 Notification of Automated Processing System. The Company is required to notify the National Privacy Commission if:


7.2.1 It carries out automated data processing which becomes the company’s sole basis for decision making about a data subject, and


7.2.2 The decision would significantly affect the data subject.


7.3 Annual Report. A general summary of the security incidents and data breaches hereof shall be submitted to the National Privacy Commission annually in accordance with its rules.




8.1 Violations of this policy, the Data Privacy Act and its Implementing Rules and Regulations, including data breaches, will be dealt with in accordance with an established disciplinary action and appropriate responses for potential legal actions, including civil and criminal actions.

Website Privacy Statement PDF  | Print |  E-mail
Written by Arlene V. Hepiga   

Cotabato Light and Power Company Privacy Statement (APBUs)


We would like to inform you of our Company’s commitment to compliance with the Data Privacy Act of 2012, its Implementing Rules and Regulations, and our Company data privacy and protection policies we have adopted internally.


From time to time, it may be necessary for you to provide personal data in connection with your visits to our company website and portals, our offices, with your direct or indirect dealings with our Company, our officers and employees, and in your browsing activities through any of our mobile applications, as a customer, an applicant, or a third party service provider of goods or services.




We may collect and process personal data from you in the ordinary course of the company business which may include, to the extent necessary to respond to your requests, queries and concerns, basic information such as your account identification number, name, spouse’s name, residence, contact details, demographic information such as postcode and number of people residing in your household, and other bill details such as monthly consumption and payment, and sensitive personal information such as your age, marital status, tax identification number, government issued identification cards, financial information, and tax returns, among others and other information relevant to customer or applicant surveys and/or offers (collectively, your “Personal Data”).


When you visit our websites or use any of our mobile applications, other information that may also constitute Personal Data, such as your browser type, operating system, IP address, domain name, number of times you visited the website or accessed the mobile application, dates you visited or accessed, and the amount of time you spent browsing through the website or mobile application, may be collected via cookies and other tracking technologies, such as transparent GIF files. Aggregate Information, or non-personally identifiable and anonymous data, such as how many times you log onto our websites or mobile applications may also be collected.




A cookie is a small file which asks permission to be placed on your computer’s hard drive. Cookies allow websites to recognize your computer when you return, enabling it to display personalized settings and other user preferences. It also allows websites to respond to you as an individual. The websites and apps can tailor operations to your needs, likes and dislikes by gathering and remembering information about your preferences.


We use traffic log cookies to identify which pages are being visited. This helps us to analyze data about web page traffic and to improve our website in order to tailor it to your needs. We only use this information for statistical analysis purposes after which, the data is removed from the system.


In general, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.


You will be given the opportunity to accept or reject the use of cookies on our websites in a pop-up box when you first access our website. Once you agree, the file is added and the cookie helps analyze web traffic or lets you know when you visit a particular site. Most web browsers, however, automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. You may choose not to accept the cookies, however, this may restrict the services that you can access at our websites. Declining cookies may also prevent you from taking full advantage of our websites.




When necessary, we request for your Personal Data for us to understand your needs and provide you with a better service, and in particular for the following purposes:

1.    to improve our products and services to you;

2.    to evaluate and determine your continued qualification for service connection;

3.    to administer and/or manage your service connection and account with us;

4.    to meet any requirement in support of your service connection;

5.    to keep an internal record for confirming, maintaining or updating our customer records;

6.    for customer relationship management purposes, such as updating you on our activities in connection with our services;

7.    for statistical analysis and internal reporting;

8.    for identification or verification purposes;

9.    to communicate or contact you with regard to your account with us;

10.  to satisfy any legal or regulatory requirements; and

11.  as required under applicable law or regulation or by any decision or order of any court or government agency.




We are committed to ensuring that your Personal Data is kept secure. We have implemented suitable and adequate organizational, physical and technical security measures, policies and procedures intended to reduce the risks of accidental destruction or loss, or the unauthorized disclosure or access to such information which are appropriate and adequate to the nature of the Personal Data we collect.


We may retain your Personal Data only for as long as necessary for legitimate business purposes, to comply with laws, regulations, or lawful court order, or to establish or defend a legal action.




We may share with or disclose your Personal Data to:


1.    any collection agency, payment center or similar service providers for facilitation of payment for the services we provided you, for debt tracing or for fraud prevention;

2.    any meter reading provider, electric services contractor or other service providers we engaged to perform our obligations under our contract with you;

3.    any of our consultant, adviser or auditor performing services in connection with your account or we have engaged in connection with our operations;

4.    any person to whom we propose to assign or transfer any of our rights and/or duties under our contract with you;

5.    any guarantor or person providing security in relation to your obligations under your contract with us;

6.    any of our affiliate or subsidiary only for the purposes we have collected your Personal Data;

7.    any quasi-judicial or judicial tribunal where we have reason to believe that disclosing your Personal Data is necessary for establishing a legal claim or defense, including to obtain legal advice, to exercise our rights those of our affiliates or subsidiaries or to institute any legal action, whether under our contract with you or against any third party; or

8.    any person as required or permitted by law, rule or regulation or by any decision or order of any court or government agency.


Any access to Personal Data will be limited to the person who require your Personal Data to perform the functions for which personal information has been collected, and as required or allowed by law. We do not sell, trade, or otherwise transfer your Personal Data to third parties. If shared, we will, at your request, provide you with details of the companies with whom we have shared your Personal Data.



We recommend that you check this privacy notice every time you visit our website or mobile applications as we may update this privacy notice from time to time, by posting the amended notice on this page. Any changes will be effective when posted.




You are entitled to request that we:


1.    provide you with a copy of your Personal Data that we hold and you have the right to be informed of: (a) the source of your Personal Data; (b) the purposes and methods of processing; (c) the data controller’s identity; and (d) the entities or categories of entity with whom your Personal Data may be shared;

2.    cease processing your Personal Data, in whole or in part, as you direct us, for any purpose, save to the extent it is lawful to do so without consent under the Data Privacy Act of 2012;

3.    do not transfer your Personal Data to third parties for the purposes of direct marketing or any other purposes you have not consented to;

4.    correct any errors in your personal Data; and

5.    update your personal Data as required.


If you have questions, concerns or complaints regarding our compliance with the Data Privacy Act of 2012 or if you wish to exercise your rights to access, rectification, object, portability or deletion in instances allowed under the law, we encourage you to first contact us as required by the National Privacy Commission (“NPC”). We will make every reasonable effort to correct, update and respond to your request promptly, unless we require further information from you in order to fulfill your request, and in each case, subject to legal and other permissible considerations. We will also investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal data in accordance with the Data Privacy Act of 2012, its Implementing Rules and Regulations, and other data privacy and protection policies we have put in place. For any complaints that cannot be resolved with us directly, you may bring your concern to the NPC and we commit to cooperate with the NPC and comply with their advice.

You may contact our Data Privacy Officer at (064) 520-2572 or via e-mail at This e-mail address is being protected from spambots. You need JavaScript enabled to view it or by writing to the Data Privacy Officer, Sinsuat Avenue, Cotabato City for your requests, concerns, questions and complaints.