Schedule A - Definition of Terms and Construction

Definitions

Whenever used in this Policy, the following terms shall have the respective meanings as set forth below:

“Business Day” means any day that Philippine banks are open for business in Makati City, Philippines.

“DPA” means the Data Privacy Act of 2012 and its implementing rules and regulations, as well as the circulars issued by the National Privacy Commission from time to time.

“Person” means any natural or juridical person.

“Personal data” means personal information and sensitive personal information.

“Personal information” refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information, would directly and certainly identify an individual

“Policy” means this data privacy policy as may be amended, modified or supplemented from time to time.

“Processing” refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating, or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system.

“Sensitive personal information” refers to personal information:

(1)      about an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

(2)      about an individual's health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;

(3)      issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; or

(4)      specifically established by an executive order or an act of Congress to be kept classified.

 

Construction

Whenever the word, “include”, “includes” or “including” are used in this Policy, they shall be deemed to be followed by the words “without limitation”.

The meaning assigned to each term used here will be equally applicable to both the singular and plural forms of such term, and the words denoting any gender shall include all genders.

 

Schedule B - Personal data not covered

 

This Policy does not apply to the following information:

  1. Information processed for the purpose of allowing public access to information that fall within matters of public concern, pertaining to:
  • Information about any individual who is or was an officer or employee of government that relates to his or her position or functions;
  • Information about an individual who is or was performing a service under contract for a government institution, but only insofar as it relates to such service, including his name and the terms of his contract; and
  • Information relating to a benefit of a financial nature conferred on an individual upon the discretion of the government, such as the granting of a license or permit, including the name of the individual and the exact nature of the benefit: Provided, that they do not include benefits given in the course of an ordinary transaction or as a matter of right.
  1. Personal information that will be processed for research purpose, intended for a public benefit, subject to the requirements of applicable laws, regulations, or ethical standards; and
  1. Information necessary in order to carry out the functions of public authority, in accordance with a constitutionally or statutorily mandated function pertaining to law enforcement or regulatory function, including the performance of the functions of the independent, central monetary authority, subject to restrictions provided by law.

 

Schedule C - Purposes for collection and processing of personal data

  1. General

The Firm uses personal data to:

  • comply with and exercise the Firm’s rights under contracts and agreements, and the law, as may be required by the Firm’s operations and in pursuit of the Firm’s legitimate business and commercial objectives;
  • perform and improve the Firm’s services, and address concerns or questions about those services;
  • implement efficiencies and best practices;
  • obtain services and advice for the Firm’s operations and business;
  • conduct surveys, research, and data gathering exercises;
  • market, promote and share information about the firm and the Firm’s services;
  • communicate with data subjects; and
  • allow audits and diligence for compliance and other reviews by advisers or third parties. In this regard, the Firm will require such advisers or third parties to enter into a confidentiality agreement.

 

  1. Employee Data

The Firm may collect and process personal data from current or prospective employees in order to initiate, carry out, or terminate an employment agreement, including the results of certain medical examinations that are part of conditions of employment, and for other purposes set forth in Schedule D.

For job applicants, the Firm may process personal data required in order to initiate the employment application process. The collected personal data of any applicant, who may not have been hired, may be retained by the firm for purposes of future selection process.

The Firm may share an applicant's or an employee's personal data when expressly authorized by law or when the applicant or employee concerned has given consent, as when the Firm is provided as a reference.

Firm files, records (whether or not electronic), computers, devices, and facilities are the property of the Firm, and the Firm may examine and review their contents at any time, whether or not an officer, employee or other staff have personal data, property or other information stored therein.

 

Schedule D - Employee Personal Information Collection Statement

(1)       The terms used in this Schedule and not otherwise defined in this Schedule have the same definition as used in the Policy. “Employee” refers to an employee of the Firm.

(2)       The Employee's personal data will be collected and held by the Firm in its manual and automated filing systems in accordance with the DPA and DPA IRR as may be amended from time to time. 

(3)       The Employee consents to the processing and disclosure of his personal data both inside and, where necessary, outside the Philippines in accordance with the DPA and DPA IRR as may be amended from time to time for the purposes set forth in Schedule C and in this Schedule D.

(4)       Throughout the course of the Employee’s employment with the Firm, the Firm may receive personal data and will need to collect personal data from the Employee and about the Employee.

(5)       The purposes for processing of Employee’s personal data include: 

(a)  To evaluate applications for employment;

(b)  To manage and administer all aspects of employment such as:

(i)     Negotiation, preparation, and execution of instruments, documents, and agreements necessary or desirable for the purpose of entering into, or in the context of, an employer-employee relationship between the Employee and the Firm (e.g. for administrative and management purposes, including but not limited to: recruitment, performance evaluation and appraisal, training, promotion, career development, remuneration, health and safety, discipline, review of human resource policies and/or statistical purposes);

(ii)  Administration of payroll, benefits, incentives, rewards, expenses and reimbursements;

(iii)            Administration of learning, training and development;

(iv) Attendance and absence monitoring (including sickness and maternity); and

(v)   Performance appraisal, disciplinary and grievance processes and other general administrative and human resource related processes;

(c)  For the protection of the safety and security of guests, employees and property (including controlling and facilitating access to and monitoring activity in secured premises and activity using the Firm’s computers, communications and other resources);

(d)  For the protection of the safety and security of the property, premises, facilities, and equipment of the Firm and its clients/customers;

(e)  For the lawful pursuit of the Firm’s business or the provision of services to clients/customers;

(f)   For the protection and/or enforcement of the Firm’s rights and obligations;

(g)  To comply with any applicable laws, rules and regulations, codes of conduct or practice, and guidelines issued by any legal or regulatory body;

(h)  To comply with a legal obligation on the part of the Firm or as mandated by competent governmental or judicial authorities;

(i)    To protect vitally important interests, including individual life and health;

(j)    To respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions or public authority which necessarily includes the processing of Personal Information for the fulfillment of its mandate;

(k)  To prevent fraud or other illegal activities, such as but not limited to willful attacks on the Firm’s information technology systems;

(l)    In case of corporate restructuring in the normal course of business, including, but not limited to, mergers and acquisitions;

(m)For the purpose of any potential sale of the shares of the Firm or any holding Firm of the Firm or other change of control or any potential transfer of the Employee’s employment.

(6)       In order to carry out the purposes outlined above, the Employee’s personal information will be disclosed to human resources staff, line managers, consultants, advisers and other appropriate persons in the Firm.

(7)       The Firm may disclose, share and transfer personal data to any relevant third party pursuant to the purposes set forth above, for any employment-related purposes, and/or whenever necessary to achieve the lawful purposes of interests of the Firm. Relevant third parties include but not limited to:

(a)  The Firm’s affiliates or subsidiaries, any other Firm within the Punongbayan & Araullo and/or Grant Thornton Group;

(b)  The Firm’s insurance providers;

(c)  The Firm’s banks;

(d)  The Firm’s external advisors and other professional advisors, such as auditors, tax advisors, legal advisors;

(e)  The Firm’s contractors, sub-contractors, and service providers;

(f)   The Firm’s clients/customers; and

(g)  Potential buyer/transferee of the Firm’s business, assets or shares of stocks, and/or successor of the Firm;

The above classes of persons are situated in the Philippines as well as in locations where the Firm has business operations and where its staff and data processing agents may perform duties for the Firm. However, in some of these locations, there may not be in place data protection laws which are substantially similar to, or serve the same purpose as the data protection law in the Philippines.

The Firm requires and ensures that the foregoing persons to which personal data may be disclosed, shared and transferred shall also implement the security measures required by the DPA and the DPA IRRs, through the appropriate contractual arrangements as may be necessary.

(8)       The Employee shall use all reasonable endeavors to keep the Firm informed of any changes to the Employee's personal data.

(9)       The Employee acknowledges that in the course of his employment, the Employee may have access to personal data relating to other employees and persons, and the Employee agrees to comply with the Firm's Data Privacy Policy at all times.

(10)     If the Employee does not provide complete and accurate personal data to the Firm as and when it is required, there may be potentially serious consequences for the Employee and, depending on the circumstances, the Employee’s employment relationship with the Firm.

(11)     It is the Firm's policy to retain certain personal data of employees when they cease to be employed. This data may be required for any residual employment-related activities, including for example, provision of references, processing of applications for re-employment, matters relating to retirement benefits and allowing the Firm to fulfil any of the Firm's contractual or statutory obligations.

(12)     The Firm’s Protecting Information Assets Policy is deemed an integral part of this Policy. It is understood that the most current version of the Protection Information Assets Policy shall apply and supersede all previous versions of the same. 

(13)     The consent hereby given supplements but does not supersede or replace any other consents the Employee may have previously provided or will provide to the Firm in respect of the Employee’s personal data, or the existence of a lawful basis or bases for the collection, processing, disclosure and transfer of the Employee’s personal data.

(14)     The Firm reserves the right to amend and modify the Data Privacy Policy including this Schedule D. Employees are expected to regularly review the same. Employees will also be notified and informed of material changes thereto through the Firm website and/or by email. Whenever required, the Firm will obtain consent from the Employees.  The most updated version of the Policy and Schedule shall apply and supersede all previous versions thereof.

 

Schedule E - Client Personal Information Collection Statement

(1)      The terms used in this Schedule and not otherwise defined in this Schedule have the same definition as used in the Policy. “Client” refers to an individual who is a current or prospective client, of the Firm. Where the current or prospective client of the Firm is a juridical person, “Client” refers to the individual representative or liaison of such client to, or personnel of such client who communicates with, the Firm.

(2)      The Client's personal data will be collected and held by the Firm in its manual and automated filing systems in accordance with the DPA and DPA IRR as may be amended from time to time. 

(3)      The Client consents to the processing and disclosure of his personal data both inside and, where necessary, outside the Philippines in accordance with the DPA and DPA IRR as may be amended from time to time for the purposes set forth in Schedule C and in this Schedule E.

(4)      Throughout the course of the Client’s engagement of, and relationship with, the Firm, the Firm may receive personal data and will need to collect personal data from and about the Client.

(5)      The purposes for processing of Client’s personal data include:

  • To manage and administer all aspects preparatory to, during, and following the rendering of services by the Firm, as may be necessary in the normal course of business, such as the negotiation, preparation, and execution of instruments, documents, and agreements necessary and desirable for the purpose of entering into, or in the context of, a business relationship between the Client and the Firm;
  • For the protection of the safety and security of Clients, guests, and property (including controlling and facilitating access to and monitoring activity in secured premises and activity using the Firm’s computers, communications, and other resources);
  • For the protection of the safety and security of the property, premises, facilities, and equipment of the Firm and the Client;
  • For the lawful pursuit of the Firm’s business or the provision of services to Client;
  • For the protection and/or enforcement of the Firm’s rights and obligations;
  • To comply with any applicable laws, rules, and regulations, codes of conduct or practice, and guidelines issued by any legal or regulatory body;
  • To comply with a legal obligation on the part of the Firm or as mandated by competent governmental or judicial authorities;
  • To protect vitally important interests, including individual life and health;
  • To respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions or public authority which necessarily includes the processing of Personal Information for the fulfillment of its mandate;
  • To prevent fraud or other illegal activities, such as but not limited to willful attacks on the Firm’s information technology systems;
  • In case of corporate restructuring in the normal course of business, including, but not limited to, mergers and acquisitions;  
  • For the purpose of any potential sale of the shares of the Firm or any holding Firm of the Firm or other change of control in the Firm.

(6)      In order to carry out the purposes outlined above, the Client’s personal information will be disclosed to officers, employees, staff, consultants, advisers and other appropriate persons in the Firm.

(7)      The Firm may disclose, share and transfer personal data to any relevant third party pursuant to the purposes set forth above, for any business-related purposes, and/or whenever necessary in accordance with the business relationship between the Client and the Firm. Relevant third parties include but not limited to:

  • The Firm’s affiliates or subsidiaries, any other Firm within the Punongbayan & Araullo and/or Grant Thornton Group;
  • The Firm’s insurance providers;
  • The Firm’s banks; 
  • The Firm’s external advisors and other professional advisors, such as auditors, tax advisors, legal advisors;
  • The Firm’s contractors, sub-contractors, and service providers;
  • Potential buyer/transferee of the Firm’s business, assets or shares of stocks, and/or successor of the Firm;

The above classes of persons are situated in the Philippines as well as in locations where the Firm has business operations and where its staff and data processing agents may perform duties for the Firm. However, in some of these locations, there may not be in place data protection laws which are substantially similar to, or serve the same purpose as the data protection law in the Philippines.

The Firm requires and ensures that the foregoing persons to which personal data may be disclosed, shared and transferred shall also implement the security measures required by the DPA and the DPA IRRs, through the appropriate contractual arrangements as may be necessary.

(8)     The Client shall use all reasonable endeavors to keep the Firm informed of any changes to the Client's personal data.

(9)     The consent hereby given supplements but does not supersede or replace any other consents the Client may have previously provided or will provide to the Firm in respect of the Client’s personal data, or the existence of a lawful basis or bases for the collection, processing, disclosure, and transfer of the Client’s personal data.

(10)    The Firm reserves the right to amend and modify the Data Privacy Policy including this Schedule E. Clients will be notified of material amendments and modifications through the Firm website and/or by email, and they are expected to keep themselves apprised of such amendments and modifications. Whenever required, the Firm will obtain consent from the Clients.  The most updated version of the Policy and Schedule shall apply and supersede all previous versions thereof.

 

Back to top