Schedule A - Definition of Terms and Construction

Definitions

Whenever used in this Policy, the following terms shall have the respective meanings as set forth below:

“Business Day” means any day that Philippine banks are open for business in Makati City, Philippines.

“DPA” means the Data Privacy Act of 2012 and its implementing rules and regulations, as well as the circulars issued by the National Privacy Commission from time to time.

“Person” means any natural or juridical person.

“Personal data” means personal information and sensitive personal information.

“Personal information” refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information, would directly and certainly identify an individual

“Policy” means this data privacy policy as may be amended, modified or supplemented from time to time.

“Processing” refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating, or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system.

“Sensitive personal information” refers to personal information:

(1)      about an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

(2)      about an individual's health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;

(3)      issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; or

(4)      specifically established by an executive order or an act of Congress to be kept classified.

 

Construction

Whenever the word, “include”, “includes” or “including” are used in this Policy, they shall be deemed to be followed by the words “without limitation”.

The meaning assigned to each term used here will be equally applicable to both the singular and plural forms of such term, and the words denoting any gender shall include all genders.

 

Schedule B - Personal data not covered

 

This Policy does not apply to the following information:

  1. Information processed for the purpose of allowing public access to information that fall within matters of public concern, pertaining to:
  • Information about any individual who is or was an officer or employee of government that relates to his or her position or functions;
  • Information about an individual who is or was performing a service under contract for a government institution, but only insofar as it relates to such service, including his name and the terms of his contract; and
  • Information relating to a benefit of a financial nature conferred on an individual upon the discretion of the government, such as the granting of a license or permit, including the name of the individual and the exact nature of the benefit: Provided, that they do not include benefits given in the course of an ordinary transaction or as a matter of right.
  1. Personal information that will be processed for research purpose, intended for a public benefit, subject to the requirements of applicable laws, regulations, or ethical standards; and
  1. Information necessary in order to carry out the functions of public authority, in accordance with a constitutionally or statutorily mandated function pertaining to law enforcement or regulatory function, including the performance of the functions of the independent, central monetary authority, subject to restrictions provided by law.

 

Schedule C - Purposes for collection and processing of personal data

  1. General

The Company uses personal data to:

  • comply with and exercise the Company’s rights under contracts and agreements, and the law, as may be required by the Company’s operations and in pursuit of the Company’s legitimate business and commercial objectives;
  • perform and improve the Company’s services, and address concerns or questions about those services;
  • implement efficiencies and best practices;
  • obtain services and advice for theCompany’s operations and business;
  • conduct surveys, research, and data gathering exercises;
  • market, promote and share information about the Company and the Company’s services;
  • communicate with data subjects; and
  • allow audits and diligence for compliance and other reviews by advisers or third parties. In this regard, the Company will require such advisers or third parties to enter into a confidentiality agreement.

 

  1. Employee Data

The Company may collect and process personal data from current or prospective employees in order to initiate, carry out, or terminate an employment agreement, including the results of certain medical examinations that are part of conditions of employment, and for other purposes set forth in Schedule D.

For job applicants, the Company may process personal data required in order to initiate the employment application process. The collected personal data of any applicant, who may not have been hired, may be retained by the company for purposes of future selection process.

The Company may share an applicant's or an employee's personal data when expressly authorized by law or when the applicant or employee concerned has given consent, as when the Company is provided as a reference.

Company files, records (whether or not electronic), computers, devices, and facilities are the property of the Company, and the Company may examine and review their contents at any time, whether or not an officer, employee or other staff have personal data, property or other information stored therein.

 

Schedule D - Employee Personal Information Collection Statement

(1)       The terms used in this Schedule and not otherwise defined in this Schedule have the same definition as used in the Policy. “Employee” refers to an employee of the Company.

(2)       The Employee's personal data will be collected and held by the Company in its manual and automated filing systems in accordance with the DPA and DPA IRR as may be amended from time to time. 

(3)       The Employee consents to the processing and disclosure of his personal data both inside and, where necessary, outside the Philippines in accordance with the DPA and DPA IRR as may be amended from time to time for the purposes set forth in Schedule C and in this Schedule D.

(4)       Throughout the course of the Employee’s employment with the Company, the Company may receive personal data and will need to collect personal data from the Employee and about the Employee.

(5)       The purposes for processing of Employee’s personal data include: 

(a)  To evaluate applications for employment;

(b)  To manage and administer all aspects of employment such as:

(i)     Negotiation, preparation, and execution of instruments, documents, and agreements necessary or desirable for the purpose of entering into, or in the context of, an employer-employee relationship between the Employee and the Company (e.g. for administrative and management purposes, including but not limited to: recruitment, performance evaluation and appraisal, training, promotion, career development, remuneration, health and safety, discipline, review of human resource policies and/or statistical purposes);

(ii)  Administration of payroll, benefits, incentives, rewards, expenses and reimbursements;

(iii)            Administration of learning, training and development;

(iv) Attendance and absence monitoring (including sickness and maternity); and

(v)   Performance appraisal, disciplinary and grievance processes and other general administrative and human resource related processes;

(c)  For the protection of the safety and security of guests, employees and property (including controlling and facilitating access to and monitoring activity in secured premises and activity using the Company’s computers, communications and other resources);

(d)  For the protection of the safety and security of the property, premises, facilities, and equipment of the Company and its clients/customers;

(e)  For the lawful pursuit of the Company's business or the provision of services to clients/customers;

(f)   For the protection and/or enforcement of the Company’s rights and obligations;

(g)  To comply with any applicable laws, rules and regulations, codes of conduct or practice, and guidelines issued by any legal or regulatory body;

(h)  To comply with a legal obligation on the part of the Company or as mandated by competent governmental or judicial authorities;

(i)    To protect vitally important interests, including individual life and health;

(j)    To respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions or public authority which necessarily includes the processing of Personal Information for the fulfillment of its mandate;

(k)  To prevent fraud or other illegal activities, such as but not limited to willful attacks on the Company’s information technology systems;

(l)    In case of corporate restructuring in the normal course of business, including, but not limited to, mergers and acquisitions;

(m)For the purpose of any potential sale of the shares of the Company or any holding Company of the Company or other change of control or any potential transfer of the Employee’s employment.

(6)       In order to carry out the purposes outlined above, the Employee’s personal information will be disclosed to human resources staff, line managers, consultants, advisers and other appropriate persons in the Company.

(7)       The Company may disclose, share and transfer personal data to any relevant third party pursuant to the purposes set forth above, for any employment-related purposes, and/or whenever necessary to achieve the lawful purposes of interests of the Company. Relevant third parties include but not limited to:

(a)  The Company’s affiliates or subsidiaries, any other Company within the Punongbayan & Araullo and/or Grant Thornton Group;

(b)  The Company’s insurance providers;

(c)  The Company’s banks;

(d)  The Company’s external advisors and other professional advisors, such as auditors, tax advisors, legal advisors;

(e)  The Company s contractors, sub-contractors, and service providers;

(f)   The Company’s clients/customers; and

(g)  Potential buyer/transferee of the Company’s business, assets or shares of stocks, and/or successor of the Company ;

The above classes of persons are situated in the Philippines as well as in locations where the Company has business operations and where its staff and data processing agents may perform duties for the Company. However, in some of these locations, there may not be in place data protection laws which are substantially similar to, or serve the same purpose as the data protection law in the Philippines.

The Company requires and ensures that the foregoing persons to which personal data may be disclosed, shared and transferred shall also implement the security measures required by the DPA and the DPA IRRs, through the appropriate contractual arrangements as may be necessary.

(8)       The Employee shall use all reasonable endeavors to keep the Company informed of any changes to the Employee's personal data.

(9)       The Employee acknowledges that in the course of his employment, the Employee may have access to personal data relating to other employees and persons, and the Employee agrees to comply with the Company's Data Privacy Policy at all times.

(10)     If the Employee does not provide complete and accurate personal data to the Company as and when it is required, there may be potentially serious consequences for the Employee and, depending on the circumstances, the Employee’s employment relationship with the Company.

(11)     It is the Company policy to retain certain personal data of employees when they cease to be employed. This data may be required for any residual employment-related activities, including for example, provision of references, processing of applications for re-employment, matters relating to retirement benefits and allowing the Company to fulfil any of the Company's contractual or statutory obligations.

(12)     The Company’s Protecting Information Assets Policy is deemed an integral part of this Policy. It is understood that the most current version of the Protection Information Assets Policy shall apply and supersede all previous versions of the same. 

(13)     The consent hereby given supplements but does not supersede or replace any other consents the Employee may have previously provided or will provide to the Company in respect of the Employee’s personal data, or the existence of a lawful basis or bases for the collection, processing, disclosure and transfer of the Employee’s personal data.

(14)     The Company reserves the right to amend and modify the Data Privacy Policy including this Schedule D. Employees are expected to regularly review the same. Employees will also be notified and informed of material changes thereto through the Company website and/or by email. Whenever required, the Company will obtain consent from the Employees.  The most updated version of the Policy and Schedule shall apply and supersede all previous versions thereof.

 

Schedule E - Client Personal Information Collection Statement

(1)      The terms used in this Schedule and not otherwise defined in this Schedule have the same definition as used in the Policy. “Client” refers to an individual who is a current or prospective client, of the Company. Where the current or prospective client of the Company is a juridical person, “Client” refers to the individual representative or liaison of such client to, or personnel of such client who communicates with, the Company.

(2)      The Client's personal data will be collected and held by the Company in its manual and automated filing systems in accordance with the DPA and DPA IRR as may be amended from time to time. 

(3)      The Client consents to the processing and disclosure of his personal data both inside and, where necessary, outside the Philippines in accordance with the DPA and DPA IRR as may be amended from time to time for the purposes set forth in Schedule C and in this Schedule E.

(4)      Throughout the course of the Client’s engagement of, and relationship with, the Company, the Company may receive personal data and will need to collect personal data from and about the Client.

(5)      The purposes for processing of Client’s personal data include:

  • To manage and administer all aspects preparatory to, during, and following the rendering of services by the Company, as may be necessary in the normal course of business, such as the negotiation, preparation, and execution of instruments, documents, and agreements necessary and desirable for the purpose of entering into, or in the context of, a business relationship between the Client and the Company;
  • For the protection of the safety and security of Clients, guests, and property (including controlling and facilitating access to and monitoring activity in secured premises and activity using the Company’s computers, communications, and other resources);
  • For the protection of the safety and security of the property, premises, facilities, and equipment of the Company and the Client;
  • For the lawful pursuit of the Company’s business or the provision of services to Client;
  • For the protection and/or enforcement of the Company’s rights and obligations;
  • To comply with any applicable laws, rules, and regulations, codes of conduct or practice, and guidelines issued by any legal or regulatory body;
  • To comply with a legal obligation on the part of the Company or as mandated by competent governmental or judicial authorities;
  • To protect vitally important interests, including individual life and health;
  • To respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions or public authority which necessarily includes the processing of Personal Information for the fulfillment of its mandate;
  • To prevent fraud or other illegal activities, such as but not limited to willful attacks on the Company’s information technology systems;
  • In case of corporate restructuring in the normal course of business, including, but not limited to, mergers and acquisitions;  
  • For the purpose of any potential sale of the shares of the Company or any holding Company of the Company or other change of control in the Company.

(6)      In order to carry out the purposes outlined above, the Client’s personal information will be disclosed to officers, employees, staff, consultants, advisers and other appropriate persons in the Company.

(7)      The Company may disclose, share and transfer personal data to any relevant third party pursuant to the purposes set forth above, for any business-related purposes, and/or whenever necessary in accordance with the business relationship between the Client and the Company. Relevant third parties include but not limited to:

  • The Company’s affiliates or subsidiaries, any other Company within the Punongbayan & Araullo and/or Grant Thornton Group;
  • The Company’s insurance providers;
  • The Company’s banks; 
  • The Company’s external advisors and other professional advisors, such as auditors, tax advisors, legal advisors;
  • The Company’s contractors, sub-contractors, and service providers;
  • Potential buyer/transferee of the Company’s business, assets or shares of stocks, and/or successor of the Company;

The above classes of persons are situated in the Philippines as well as in locations where the Company has business operations and where its staff and data processing agents may perform duties for the Company. However, in some of these locations, there may not be in place data protection laws which are substantially similar to, or serve the same purpose as the data protection law in the Philippines.

The Company requires and ensures that the foregoing persons to which personal data may be disclosed, shared and transferred shall also implement the security measures required by the DPA and the DPA IRRs, through the appropriate contractual arrangements as may be necessary.

(8)     The Client shall use all reasonable endeavors to keep the Company informed of any changes to the Client's personal data.

(9)     The consent hereby given supplements but does not supersede or replace any other consents the Client may have previously provided or will provide to the Company in respect of the Client’s personal data, or the existence of a lawful basis or bases for the collection, processing, disclosure, and transfer of the Client’s personal data.

(10)    The Company reserves the right to amend and modify the Data Privacy Policy including this Schedule E. Clients will be notified of material amendments and modifications through the Company website and/or by email, and they are expected to keep themselves apprised of such amendments and modifications. Whenever required, the Company will obtain consent from the Clients.  The most updated version of the Policy and Schedule shall apply and supersede all previous versions thereof.

 

Back to top