Privacy Policy
DATA PRIVACY POLICY OF SOLID WINE MARKETING, INC.
INTRODUCTION
This Data Privacy Policy (“Privacy Policy”) is hereby adopted in compliance with Republic Act No. 10173, or the Data Privacy Act of 2012, its Implementing Rules and Regulations, and other relevant policies, including issuances of the National Privacy Commission. Solid Wine Marketing, Inc. respects and values your data privacy rights, and makes sure that all personal data collected are processed in adherence to the general principles of transparency, legitimate purpose, and proportionality, and to the appropriate laws and regulations.
OBJECTIVES
The primary objective of this Privacy Policy is to provide the management direction and support for information security in accordance with its business requirements and Republic Act No. 10173 or the Data Privacy Act of 2012, as well as its Implementing Rules and Regulations, policies, and issuances of the National Privacy Commission.
POLICY STATEMENT
The Company is committed to protecting the privacy rights of individuals over their personal information pursuant to the provisions of Republic Act No. 10173 or the Data Privacy Act of 2012 and its Implementing Rules and Regulations.
All concerned are enjoined to comply with and to share in the responsibility of securing and protecting personal information collected and processed by the Company in pursuit of legitimate purposes.
General Privacy Policy Statements
The Company adheres to the general principles of transparency, legitimate purpose and proportionality in the collection, processing, securing, retention and disposal of personal information.
Clients, Employees, and Third Parties whose personal information is collected shall be considered Data Subjects for purposes of this Policy.
Data subjects shall be informed of the reason or purpose of collecting and processing of their respective personal data.
The Data Subjects shall have the right to correct the information especially in cases of erroneous or outdated data, and to object to the collection of personal information within the bounds allowed by privacy and other relevant laws.
The Data Subject has the right to file a complaint in case of breach or unauthorized access of his personal information.
The Company shall secure the personal information of Clients and Employees, or Third Parties from whom personal information is collected and shall take adequate measures to secure both physical and digital copies of the information.
The Company shall ensure that personal information is collected and processed only by authorized personnel for legitimate purposes of the Company.
Any information that is declared obsolete based on the internal privacy and retention procedures of the Company shall be disposed of in a secure and legal manner, as provided for under this Privacy Policy in consonance with the provisions of the Data Privacy Act and its Implementing Rules and Regulations.
Any suspected or actual breach of the Company’s Data Privacy Policy must be reported to any member of the Data Privacy Response Team in accordance with the procedures of this Privacy Policy.
Data subjects may inquire about or request information from the Data Privacy Response Team regarding any matter relating to the processing of their personal data under the custody of the Company, including the data privacy and security policies implemented to ensure the protection of their personal data.
DEFINITION OF MATERIAL TERMS
“Authorized personnel” refers to employees or officers of Solid Wine Marketing, Inc. specifically authorized to collect, store, access, and/or process personal information, either by the function of their office or position or through specific authority given in accordance with the policies of the Company.
“Candidate” refers to the prospective employee or jobseeker, who submits his or her curriculum vitae or résumé online.
“Company” refers to Solid Wine Marketing, Inc.
“Consent of the Data Subject” refers to any freely and voluntarily given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged information. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful representative or an agent specifically authorized, via a written or sufficiently established authorization, by the data subject to do so.
“DPA” or “Data Privacy Act” refers to Republic Act No. 10173 or the Data Privacy Act of 2012.
“Data Subject” refers to an individual whose personal, sensitive personal, or privileged information is processed by the Company. It refers to officers, employees, consultants, and clients of the Company.
“Data Protection Officer” or “DPO” refers to the Company’s officer designated to monitor and ensure the implementation of the Data Privacy policies of the Company. The DPO is also the de facto head of the Data Privacy Response Team.
The DPO is responsible for ensuring the Company’s compliance with applicable laws and regulations for the protection of data privacy and security. The functions and responsibilities of the DPO shall particularly include, among others:
monitoring the Company’s personal data processing activities in order to ensure compliance with applicable Personal Data privacy laws and regulations, including the conduct of periodic internal audits and review to ensure that all the Company’s data privacy policies are adequately implemented by its employees and authorized agents;
acting as a liaison between the Company and the regulatory and accrediting bodies, and being in charge of the applicable registration, notification, and reportorial requirements mandated by the DPA, as well as any other applicable data privacy laws and regulations;
developing, establishing, and reviewing policies and procedures for the exercise by Data Subjects of their rights under the DPA and other applicable laws and regulations on Personal Data privacy;
acting as the primary point of contact with whom Data Subjects may coordinate and consult for all concerns relating to their personal data;
formulating capacity building, orientation, and training programs for employees, agents or representatives of the Company regarding personal data privacy and security policies;
preparing and filing the annual report of the summary of documented security incidents and personal data breaches, if any, as required under the DPA, and of compliance with other requirements that may be provided in other issuances of the National Privacy Commission.
“The Management” refers to top level officers of the Company, which may include its Directors, Officers, and Managerial employees, who are tasked with the preparation and execution of Company policies.
“Personal Data” as used in this notice refers to all types of personal information.
“Personal data breach” refers to a breach of security leading to the willful, accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed within the Company.
“Personal Data Classification” refers to the categories of personal information collected and processed by the Company. Personal data is classified as follows:
“Public” refers to information readily available and may be disclosed to the public. Examples: The Company’s Articles of Incorporation, General Information Sheet, office directory, names of corporate officers, and other information stated in the Company’s website.
“Confidential” refers to those which are declared confidential by law or policy of the Company, and which may only be processed by authorized personnel, and if disclosed may cause material harm to the Company, or information that is sensitive in nature as will affect the health or well-being of the individual. Examples: Employee and candidate names, educational attainment, addresses, contact numbers, SSS, PhilHealth, Passport numbers, employee’s health information, employee 201 files and the information contained therein determined confidential by the Labor Code.
“Classified” refers to information the access to which is highly restricted, and which, if disclosed, may cause severe or serious harm or injury to the Employee, Recruiter, Candidate or Third Party. Examples: Employee, Candidate and Recruiter Company accounts, computer passwords, bank account numbers, and PINs of employees.
“Personal Information” refers to any information, whether recorded in material form or not, from which the identity of an individual is apparent or can be reasonably ascertained by the entity holding information, or when put together with other information would directly and certainly identify the individual.
“Sensitive Personal Information” refers to personal information pertaining to:
An individual’s race, ethnic origin, marital status, age, color, and religious philosophical or political affiliations;
An individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
Any personal information issued by government agencies peculiar to an individual which includes but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
Any personal information established by an executive order or an act of Congress to be kept classified.
“Personal Information Controller” refers to natural or juridical persons, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf. The terms exclude:
A natural or juridical person, or any other body, who performs such functions as instructed by another person or organization; or
A natural person who processes personal data in connection with his or her personal, family, or household affairs.
“Personal Information Processor” refers to any natural or juridical person or any other body whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject;
“Policy” or “Privacy Policy” refers to the instant Internal Data Privacy Policy;
“Privacy Notice” refers to the Privacy Notice as reflected on the Company’s website, and/or made known to the general public to promulgate public awareness about the Company’s goals to ensure the protection of their Personal Data, and their rights as Data Subject.
“Processing” refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating, or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
“Recruiter” as used in this notice, means a prospective employer, who has used the Website to gain access to Clients, or has applied for the Company’s services.
“Website” means any website under the Company’s control, including:
www.solidwine.com.ph
SCOPE AND LIMITATIONS
The provisions of this Privacy Policy, whether mandatory or prohibitive, shall be applicable to all Directors, Stockholders, Officers, and Employees of the Company. Accordingly, all the Company’s personnel must always comply with the terms set out in this Policy.
MANAGEMENT PARTICIPATION
The Company’s Management understands the importance of complying with the provisions of the Data Privacy Act of 2012, and takes a proactive approach towards ensuring that all processing of Personal Data done by the Company is done in a lawful manner, for legitimate purposes, proportionate to the purposes for which the data are collected, and accurate.
The Management likewise understands and values the rights of Data Subjects to privacy, and that the Company has a responsibility towards ensuring that the rights of Data Subjects are respected.
Towards this understanding, the Management must strive to ensure that it would actively participate in crafting information security policies which are adequate to address requirements created by business strategies, regulations, legislation, and contracts, as well as the current and projected information security threat environment.
The Management, thus, has the responsibility to revisit, review, and revise this Policy from time to time, in order to ensure its timeliness, applicability, and adequacy. Further, Management has the responsibility to commit to the strict implementation of this Policy.
PROCESSING OF PERSONAL DATA
Collection
The Company collects Personal Data from its Clients, users of the Website, and its Employees.
From Clients
The Company may collect the following information from its Clients and users of the Website:
Company Name;
Name of Contact Person or representative;
Email;
Website;
Industry;
Company Size;
Mobile Number;
Contact Details;
Location; and
Company Logo.
From Employees
The Company may collect information from its Employees for purposes of their employment:
Name;
Gender;
Email;
Mobile Number;
Current Job Title;
Current Salary;
Date of Birth;
Civil Status;
Address, current location;
Nationality;
Professional Summary;
Curriculum Vitae;
Educational Background;
Previous Work Experience;
Skills;
Languages spoken and understood; and
Images;
The information collected from Clients and Employees may be classified as follows:
Clients
Personal Information:
Name;
Gender;
Email;
Mobile Number;
Current Job Title;
Current Salary;
Date of Birth;
Civil Status;
Address, current location;
Nationality;
Professional Summary;
Curriculum Vitae;
Educational Background;
Previous Work Experience;
Skills;
Languages spoken and understood; and
Images.
Sensitive Personal Information:
Gender;
Date of Birth;
Civil Status;
Nationality;
Educational Background;
Skills;
Languages spoken or understood; and
Images.
Employees
Personal Information:
Name;
Gender;
Email;
Mobile Number;
Current Job Title;
Current Salary;
Date of Birth;
Civil Status;
Address, current location;
Nationality;
Professional Summary;
Curriculum Vitae;
Educational Background;
Previous Work Experience;
Skills;
Languages spoken and understood; and
Images.
Sensitive Personal Information:
Gender;
Date of Birth;
Civil Status;
Nationality;
Educational Background;
Skills;
Languages spoken or understood; and
Images.
Use of Personal Data
Use of Personal Data of Clients
The Company may use the Personal Data of the Clients only for the following legitimate purposes:
Use of Personal Data of Employees
The Company uses the information it collects from its Employees for the following purposes:
For purposes of pursuing their employment with the Company;
To identify an Employee’s strengths, areas for improvement, and a suitable career path for development;
To ensure compliance with labor laws and other laws governing the provision of employee benefits; and
To ensure the exertion of due diligence in the selection and management of its employees.
STORAGE
Storage of Personal Data of Clients
Since information from Clients is primarily gathered through the Website, all information from Clients shall be stored in a secure database server based in Singapore.
In storing such information from Clients, the Company must ensure that it undertakes all appropriate technological, organizational, and physical security measures to protect any and all information it has gathered from its Clients, from unauthorized access, unauthorized alterations, and unauthorized disclosure.
Storage of Personal Information of Employees
Personal Information gathered from Employees must be stored using the “HR Tool” on a company-owned computer whose storage is encrypted and which is protected by a strong password.
Any hard copies of Personal Data coming from Employees must be stored in lockers which could only be accessed by authorized personnel.
RETENTION
Retention of Personal Data of Clients
The Company may store the personal information of Clients so long as the said Clients’ profiles remain active.
If a Client’s profile becomes inactive or has been deactivated, the Company shall store the information for a maximum period of five (5) years only.
A Candidate’s profile shall be considered inactive if the Candidate fails to update or access his or her account for a period of ________.
A Candidate’s profile shall be considered deactivated if the Candidate ______________________.
The Company shall immediately stop processing any information from a Candidate upon the Candidate’s explicit instructions, and shall destroy any and all Personal Data collected from the Candidate upon the latter’s demand.
Retention of Personal Data of Employees
The Company may store Personal Data of its employees as long as they remain employed by the Company.
Should an employee’s relationship with the Company be severed, for any reason, the Company may keep the said employee’s Personal Data for a maximum period of ten (10) years.
An employee may request the deletion of his or her Personal Data only after his or her separation from the Company.
DESTRUCTION
After the retention periods stated in the previous subsection have lapsed, or upon instructions of the Data Subject, the Company must dispose of and destroy all hard and soft copies of the Personal Data through secure means.
For purposes of destruction, the Company may designate a team of its employees charged with the destruction of Personal Data.
After Personal Data has been destroyed, the person who has been charged with the conduct of the same, must issue a certification under oath, certifying that Personal Data of the said Data Subject has been destroyed. The Company shall keep such certification, and shall make such certification available to the Data Subject whose Personal Data has been destroyed, upon written request.
ACCESS
Considering the sensitive and confidential nature of the Personal Data under the custody of the Company, only the Data Subjects, and authorized representatives of the Company shall be allowed to access any Personal Data under its custody, for any purpose, except for those contrary to law, public policy, public order, or morals.
The Management shall promulgate rules governing the access of its employees to Personal Data under its custody.
The Company’s Management, including all its officers, and employees, shall have limited, and only necessary, access to Personal Data of the Clients and Employees.
The Company shall select and designate personnel who shall be in charge of processing, storage, and destruction of Personal Data, for Personal Data collected from each group of Data Subjects.
Only Employees or Officers of the Company, who are designated to process, store, or destroy Personal Data, for each group of Data Subjects, shall have access to Personal Data assigned to them.
Officers, Employees, or other personnel of the Company, who are not designated to process, store, or destroy Personal Data, from each group of Data Subjects, shall not be allowed access to Personal Data, except for valid reasons, and for lawful purposes.
DISCLOSURE AND SHARING
All Employees, and personnel of the Company, shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation, or separation from the Company for whatever reason.
Personal Data under the custody of the Company shall be disclosed only pursuant to a lawful purpose, upon written consent of its Data Subjects, and to authorized recipients of such data.
The Company shall ensure that all of its personnel, including those of the Management, execute Non-Disclosure Agreements, to ensure the confidentiality and secrecy of all Personal Data under its possession.
In case the Company decides to share Personal Data, it shall ensure that it executes the necessary Data Sharing Agreement with the other party, in case of mutual sharing of Personal Data. The Company must also execute a Sub-Contracting Agreement containing the necessary provisions governing privacy and confidentiality of Personal Data, in case it decides to outsource the processing of Personal Data to any third party. At all times, the Company shall ensure that the written consent of the relevant Data Subjects shall be secured for such disclosure or sharing.
GENERAL GUIDELINES IN THE PROCESSING OF PERSONAL DATA
Consent
Whenever the Company processes Personal Data, from any Data Subject, it shall ensure that the Data Subject concerned signs a Consent Form which allows the Company to process his or her Personal Data.
The Consent Form shall, as much as possible, be broad enough to cover all types of Personal Data Processing, such as, collection, use, storage, retention, destruction, provision of access, and sharing.
Such Consent Form shall, likewise be, at all times, compliant with the provisions of the Data Privacy Act of 2012, and its Implementing Rules and Regulations.
Processing
The Company must ensure that it processes Personal Data lawfully, for each category of Personal Data.
The Company must take note that it may only process Personal Information when the processing is not prohibited by law and at least one of the following conditions exists:
The Data Subject has given his or her consent, or the same has been validly acquired by the Company through the Consent Form;
The processing of Personal Information is necessary and is related to the fulfillment of a contract with the Data Subject, or in order to take steps at the request of the Data Subject prior to entering into a contract;
The processing is necessary for compliance with a legal obligation to which the Company is subject;
The processing is necessary to protect vitally important interests of the Data Subject, including life and health;
The processing is necessary in order to respond to a national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily include the processing of personal data for the fulfillment of its mandate; or
The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the Data Subject which require protection under the Philippine Constitution.
On the other hand, the Company must take note that it may only process Sensitive Personal Information and Privileged Information in the following cases:
The Data Subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;
The processing of the same is provided for by existing laws and regulations: Provided, that such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information: Provided, further, That the consent of the Data Subjects are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;
The processing is necessary to protect the life and health of the Data Subject or another person, and the Data Subject is not legally or physically able to express his or her consent prior to the processing;
The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: Provided, That such processing is only confined and related to the bona fide members of these organizations or their associations: Provided, further, That the Sensitive Personal Information are not transferred to third parties: Provided, finally, That consent of the Data Subject was obtained prior to processing;
The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or
The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.
The Company may follow the following table as a guide in complying with the provisions of the Data Privacy Act, in terms of the processing of Personal Information and of Sensitive Personal Information and Privileged Information:
General rule
Personal Information: Processing is allowed if not prohibited by law and subject to conditions.
Sensitive Personal Information and Privileged Information: Processing is prohibited except for certain cases.
Consent
Personal Information: Processing is allowed if the Data Subject provides his or her consent.
Sensitive Personal Information and Privileged Information: Processing is allowed if the Data Subject has given his or her consent that is (a) specific to the purpose and (b) given prior to the processing; in the case of privileged information, all parties to the exchange must have given consent prior to processing.
Contract
Personal Information: Processing is necessary and is related to the fulfillment of a contract with the Data Subject, or in order to take steps at the request of the Data Subject prior to entering into a contract.
Sensitive Personal Information and Privileged Information: Generally not allowed if the only basis is the fulfillment of a contract. The processing must be provided for by existing laws and regulations, such regulatory enactments must guarantee the protection of sensitive personal information and privileged information, and the consent of the Data Subject must not be required by the law or regulation permitting the processing of the sensitive personal information or the privileged information.
Legal obligation
Personal Information: The processing is necessary for compliance with a legal obligation to which the Company is subject (e.g., compliance with the SSS law).
Sensitive Personal Information and Privileged Information: The processing must be provided for by existing laws and regulations, such regulatory enactments must guarantee the protection of sensitive personal information and privileged information, and the consent of the Data Subject must not be required by the law or regulation permitting the processing of the sensitive personal information or the privileged information.
Vital interests
Personal Information: The processing is necessary to protect vitally important interests of the Data Subject, including life and health.
Sensitive Personal Information and Privileged Information: The processing is necessary to protect the life and health of the Data Subject or another person, and the Data Subject is not legally or physically able to express his or her consent prior to processing; or the processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured.
Public interest and public authority
Personal Information: The processing is necessary in order to respond to a national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily include the processing of personal data for the fulfillment of its mandate.
Sensitive Personal Information and Privileged Information: The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.
Legitimate interests
Personal Information: The processing is necessary for the purposes of legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the Data Subject which require protection under the Philippine Constitution.
Sensitive Personal Information and Privileged Information: The processing is necessary to achieve the lawful and non-commercial objectives of public organizations and their associations, provided that:
such processing is only confined and related to the bona fide members of these organizations or their associations;
the Sensitive Personal Information is not transferred to third parties; and
the consent of the Data Subject was obtained prior to processing.
SECURITY MEASURES
Organizational Security Measures
Internal Organization
The Company understands that each of its employees has access to information which may or may not include Personal Data. The Company must define and allocate the Personal Data security responsibilities of all its personnel.
The duties of the Company’s employees in relation to the Personal Data of Data Subjects may be summarized as follows:
Clients
The Marketing Department shall be primarily in charge of collecting Personal Data of Clients. Its duties include:
_______________
_______________
_______________
The Audit Team shall be in charge of ensuring the security of the Personal Data, as well as its storage. The duties of the Audit Team include:
_________________
_________________
_________________
Employees
No single team or individual shall be able to access or control Personal Data without detection.
Data Protection Officer
The Company has designated Mr./Ms. ________________ as its Data Protection Officer.
The Data Protection Officer shall oversee the compliance of the Company with the DPA, its IRR, and other related policies, including the conduct of a Privacy Impact Assessment, implementation of security measures, security incident and data breach protocol, and the inquiry and complaints procedure.
The Data Protection Officer shall at all times, keep abreast with the current laws and policies related to Data Privacy, and shall keep in constant communication with the National Privacy Commission.
Trainings
The Company shall sponsor a mandatory training on data privacy and security at least once a year. For personnel directly involved in the processing of personal data, management shall ensure their attendance and participation in relevant training and orientations as often as necessary.
Conduct of Privacy Impact Assessment
The Company shall conduct a Privacy Impact Assessment (PIA) relative to all activities, projects and systems involving the processing of personal data.
In conducting the Privacy Impact Assessment, the Company may seek the assistance of third-parties, which may include its counsel. In all instances, the PIA must be conducted through the leadership of the Company’s DPO.
Recording of Data Privacy Activities
The Company shall make a record of all activities carried out by the Company to ensure Compliance with the Data Privacy Act of 2012, its Implementing Rules and Regulations and other relevant policies.
Duty of Confidentiality
The Company shall ask all members of its organization to sign Non-Disclosure Agreements.
Employees with access to Personal Data shall operate and hold personal data under strict confidentiality.
Review of the Privacy Policy
The Company must ensure that the Privacy Policy is aligned with existing laws and current issuances of the National Privacy Commission.
For this purpose, the Company must review and evaluate its Privacy Policy every year.
The Company must likewise align the contents of its Privacy Policy with the results of its Privacy Impact Assessment.
Mobile Device Usage
Company employees may only use their personal Mobile Devices in areas specifically designated by the Company.
No Employee of the Company may use his or her Mobile Device, while on duty, and especially while working in his or her desk.
Employees must register all of their Mobile Devices with the Company, which shall keep a record of all the cellular phones’ International Mobile Equipment Identity (IMEI), and their Media Access Control (MAC) addresses.
Mobile Devices whose IMEIs may be altered or changed by the user shall be prohibited from Company premises.
Company employees shall be required to make sure that their Mobile Devices support remote disabling (remote lock or wipe) in case of loss or theft.
Teleworking
In case an employee chooses to work remotely, the said employee shall register his or her location, and shall be given access to the Company’s database only through a secure and encrypted portal.
An employee working remotely shall only be allowed to access the Company’s database using a device which has been registered with the Company.
An employee working out of the office shall be in charge of his or her physical security, and shall be liable to the Company, in case of any security breach arising out of his or her activities outside of the office.
HUMAN RESOURCE SECURITY
Screening
Before employment, the Company, through its Human Resources Department, must ensure that the Employees who join the organization are well screened not only in relation to their capabilities, but also as to their moral fitness.
For such purposes, the Company must obtain a prospective employee's character references, from which the completeness and accuracy of the prospective employee's representations in his or her application may be verified.
The Company must also require other verification documents such as clearances from the National Bureau of Investigation, and the Philippine National Police. The Company must avoid hiring employees who have been charged with crimes involving moral turpitude.
In screening its prospective employees, the Company must make sure that it complies with the provisions of the Data Privacy Act of 2012, and ask the prospective employee to sign a Data Privacy Consent Form.
Terms of Employment
The Company must also make sure that the terms of employment are clear, and that the employee has been well informed of his or her security role in the organization.
All Employees should be made to sign Non-Disclosure Agreements, and Non-Competition Agreements, which could serve as deterrent to future information breaches. Such Contracts must contain provisions laying down the consequences of breach.
Training and Education
The Company has the duty to spread awareness about the roles of its employees in data privacy.
For such purpose, the Company must conduct training on data security for all of its employees at least once a year.
Disciplinary Process
Should an Employee be subjected to any disciplinary sanctions due to a security breach, the Company shall conduct the same through the following guidelines:
Any part of the disciplinary process, in relation to a security breach may not be undertaken unless it has been verified that a security breach has occurred.
Any form of disciplinary proceedings must comply with the twin-notice rule requirement provided for by the Labor Code of the Philippines.
In case a security breach occurs, and it has been verified to be traceable to an employee, the Company must provide the concerned employee a First Notice, informing the employee of the particular acts which he or she has committed, and further informing him of the violations which he or she has committed. The First Notice must also contain the particular ground for termination which he or she is charged with violating.
Under the First Notice, the employee must further be given a period of at least five (5) days within which to submit a written explanation, as well as an invitation to an administrative hearing wherein he may further explain his or her side.
After determination of the outcome of the investigation, and in cases where a disciplinary sanction is warranted, the Company must issue the concerned employee a notice of decision stating clearly the facts of his case, and the Company’s findings.
Termination
In case an employee is separated from the Company for any reason, the Company must make sure that the Employee is aware of the fact that his or her obligations to maintain the confidentiality of all information made known to him during his employment persists even until after he has left the Company.
The provisions of the Non-Disclosure Agreement should contain a continuing obligation to keep in confidence all information which the employee has gathered or learned during the period of his or her employment with the Company, even after employment.
In case the Employee violates the provisions of his or her Non-Disclosure Agreement, the Company may pursue all legal actions against the employee.
ASSET MANAGEMENT
Conduct of an Inventory
The Company must conduct a regular inventory of all of its assets which are related to Data Privacy.
In conducting its inventory, the Company must record the IMEI and/or MAC addresses, as well as any other identifiers of its devices, so that it can immediately ascertain whether it has been the subject of an intrusion using unauthorized devices.
Ownership of Assets
To maintain effective control over the security of Personal Data, the Company must, as much as possible, own all the assets used by its personnel, especially electronic devices.
Through such measures, the Company would have effective ownership and control over all the information stored in the said assets.
Should an asset be assigned to an Employee, the said employee must sign an accountability form for the said asset, and the Company must register the device associated with the Employee.
Use of Assets
Company-owned assets which have been assigned to Employees may only be used by Employees exclusively for purposes of performing their work.
The Company shall conduct a periodic review of the Assets assigned to its employees. Should the asset be an electronic device, the Company shall audit the contents of the said device, and monitor the activity logs of the said device.
Return of Assets
The following guidelines must be observed in the return and use of the Company’s assets:
Upon separation of an Employee from the Company, for any reason, the Employee must return all assets assigned to or registered to him or her, to the Company.
The Company shall not allow the issuance of a clearance for an Employee who has failed to return a Company-owned asset which has been assigned to him or her.
If an Employee has been allowed by the Company to bring his or her own device, the Company shall have the right to delete all Company owned information stored in the said device before the Employee can be cleared.
Upon termination or separation of an Employee for any purpose, the said Employee shall not be allowed to access any of the Company’s devices.
Media Handling
The Company shall ensure that all types of storage media are secured regardless of whatever information has been stored in them. Employees are therefore directed to observe the following in handling of Media.
In case of reusable media, such as flash drives, the Company shall make sure that any information contained therein which is no longer required by the Company is deleted and made unrecoverable. Ordinary file deletion does not achieve this; the media must be sanitised with an overwriting tool, and because flash media with wear levelling may retain copies that overwriting does not reach, such media should be encrypted from first use so that destroying the key renders the contents unrecoverable.
All types of media should be stored in safe, secure environments, free from the elements, and in accordance with the manufacturer’s specifications.
All Employees using removable media must encrypt it (for example with full-disk encryption of the drive) to ensure the confidentiality and integrity of the information stored in the said removable media.
Secured back-ups of information which the Company classifies as critical, should be made in different sets of Media to reduce any risk of loss of information.
All Employees of the Company are prohibited from bringing their own removable media and flash drives to work.
In case the Company allows the use of Removable Media, it shall maintain a record of the custody of the said Removable Media.
Disposal of Media
In case of disposal, media containing Personal Data, or which may have contained Personal Data, must be disposed of securely, by completely destroying the drive and ensuring that none of the destroyed data may be recovered, accessed or used by any other person or entity.
The Company shall keep a record of all the Media it has disposed to ensure the security of Personal Data.
Transfer of Media
The Company must ensure that Media containing information should be protected against unauthorized access, misuse or corruption during transportation.
To this end, all Employees must observe the following in transporting Media, such as USB drives, and other portable Media:
Only reliable transportation carriers should be utilized in sending Media from one point to another.
Employees may only utilize transportation service providers or common carriers, which the Company has already evaluated to be trustworthy, and capable of ensuring the safe transportation of Media and its contents.
When transporting Media, all Employees of the Company should make sure that they have identified the common carrier or transportation provider, and that they have logged the transfer. Logs should record the content of the Media, the protection applied, and the times of dispatch and receipt.
When sending portable Media, the Employee sending the same, must ensure that the same is packed in such a way that its contents are protected from any physical damage, which might arise during transit. The packaging should have security features such as a security seal.
All information contained in the Media shall, as far as practicable, be encrypted before the Media is sent, so that loss in transit does not expose its contents.
ACCESS CONTROL
Access Control Policy
The Company must limit the access to information within its premises and ensure that only authorized individuals or personnel are allowed access to its network, and especially its database.
For this purpose, all Employees of the Company must observe the following guidelines:
All access to the Company’s network is prohibited unless expressly allowed by the Company.
All Employees understand that they may only be given access to certain information on a need-to-know basis.
Employees are further only allowed to use equipment which are necessary for the performance of their functions within the Company.
An Employee shall be designated to give access to other Employees.
Access to any Personal Data shall be subject to the written approval of the Management, and the Data Protection Officer.
An Employee may only be given access to Personal Data to which he or she has the duty, job, or function to process.
If an Employee seeks to have access to any Personal Data, which he or she is not entitled access to, the Employee must first seek written permission from the Data Protection Officer, who must record the request and thoroughly review the validity of the Request.
Any act of unauthorized access to Personal Data shall be a ground for termination.
Access to Networks and Network Services
The Company shall only allow access to its network to authorized individuals, whose identities have been verified by the Company.
Should it be necessary to provide access to individuals who are not connected with the Company, such as visitors and guests the following guidelines must be observed:
Individuals who are not connected to the Company may only be given limited access to networks such as wifi.
The access point which shall be made available for individuals not connected to the Company should be separate from the access point used by the Company’s employees, and should not have access to other devices within the Company’s premises.
The Company shall further develop methods to restrict access of employees to its network, which must conform with the following guidelines.
An employee may only be given access to the Company's network using two-factor authentication.
An employee must be given a device registered to their name, which would allow them to access the Company’s network.
An employee may only be allowed to access the Company’s network, by using the device, together with a secure password.
User Registration
All users of the Company’s network must be registered through a system which ensures the security of the entire network. In ensuring the security of the network, the following guidelines must be observed:
Each Employee shall be assigned a unique user ID which shall enable the Company to identify the Employee when accessing its network.
An Employee shall not allow any other person or Employee to use his or her user ID.
Upon resignation of the Employee, the Company shall immediately revoke the user ID of the Employee and review the accounts and systems where the user ID has been used.
Privileged access rights
The Company shall control access to Personal Data and other privileged or confidential information, and shall issue separate credentials for each type of information. The Company shall observe the following guidelines towards this end:
The Company shall allocate separate credentials for each information system.
Only Employees who have legitimate purposes for accessing each type of information shall be granted access to an information system.
The Company shall allocate user IDs, different from user IDs given for regular business activities, for information systems containing privileged or confidential information, or Personal Data.
An employee may be given a generic user ID and password to access certain information systems only where an individual account is not possible. The issuance must be recorded against the named employee so that activity under the generic account remains attributable, and once the purpose for the access is done, the Company must immediately change the password or user ID.
Review of user access rights
User access rights, especially for those involving Personal Data, must be periodically reviewed by the Company at regular intervals.
The Company shall conduct a review of all user access rights every three (3) months.
Should an Employee be transferred from one department to another, or be promoted to another position, thereby abandoning his previous position, he must immediately inform the Management of the status of his user ID, and ask that steps be taken to change the details of his user ID and password.
User IDs and passwords used by Employees to access Personal Data must be reviewed every two (2) months.
Access control to program source codes
The Company shall maintain control over its programs source codes, especially those which are used in the Website. To ensure the security of the program source codes, the Company must comply with the following guidelines:
Program source codes should be stored in access-controlled source code repositories (program source libraries).
Program source codes shall be considered confidential information.
Only Employees tasked with maintaining the integrity of the source codes, or with conducting programming, are allowed to access the program source codes.
In order to ensure that the integrity of the program source code is kept, the Company shall assign a member of the Management to manage its source codes.
No Employee shall have access to the program source code without the authorization or directives of the Management.
The Company shall maintain a log of all instances where the program source code has been accessed.
CRYPTOGRAPHY
Enactment of a Policy on the use of cryptographic controls
The Company shall enact a policy for the use of cryptographic controls across its organization, for the protection, not only of Personal Data, but also of the Company’s business information.
Use of Cryptographic Controls for Personal Data
The Company shall use encryption for the protection of Personal Data which it has access to. For such purposes, the Company shall continue to follow the following guidelines:
The Company shall use Transport Layer Security (TLS) for its Website, which replaces the deprecated Secure Sockets Layer (SSL) protocol. Only current protocol versions (TLS 1.2 or later) shall be enabled, and SSL and early TLS versions shall be disabled, until such time that a more secure technology is adopted.
The Company’s Information Technology (IT) department shall periodically conduct an audit of its encryption and security systems to ensure the continuous protection of its network and database.
PHYSICAL SECURITY MEASURES
Physical Security Perimeter
The Company shall, at all times, secure the perimeter of its office to ensure that all its Personal Data, as well as other confidential information are safe from physical security breaches. All Employees of the Company must comply with the following guidelines to ensure that the Company’s premises are safe from any intrusions:
The Company shall employ the use of locks which may only be accessed using Employee biometrics.
No person shall be granted access inside Company premises, without the proper authorization, and assistance of an Employee.
The Company shall continue to maintain Security Cameras, which serve as deterrents to possible security breaches, as well as evidence, in case of breach.
Fire doors should be monitored to ensure that they cannot be used to gain access to the Company's premises.
Pedestals shall likewise be locked by Employees, before leaving their workstations and Company’s premises.
All rooms must be locked, if there is no one else left inside.
Before leaving the Company’s premises, all employees must turn off all electronic or electrical devices, save for those which are necessary for the Company’s operation.
The Company shall conduct a periodic review of all of its security measures to ensure prevention of any security breach.
Physical Entry Controls
The Company shall ensure that only authorized personnel will have access to the Company’s premises. The Company shall employ the following guidelines to maintain control over the security of its premises:
The Company shall assign an employee who will monitor all persons who enter or attempt to enter its premises.
The Company shall likewise employ the use of a logbook to log all the persons who enter and exit the Company’s premises.
Before entering the Company’s premises, visitors shall be made to log in and provide sufficient Identification for Recording. Personal Information gathered during this process shall be limited to the name, Company name, and purpose of the Visitor. The Company shall not make any copies of the Identification Cards of its Visitors, and shall only copy as much information as may be needed to record the visit. After recording, the Company shall provide the visitor with a badge which must be worn by the Visitor to readily identify him or her.
The Company’s logbook shall, at the end of the business day, be kept in a secure pedestal, which shall be locked by the Employee concerned.
External third-party support services, shall only be granted restricted access to secure areas, and shall always be accompanied, or monitored by an Employee.
Securing offices, rooms, and facilities
The Company shall maintain the security of all its working areas. To this end, all Employees must comply with the following guidelines:
All desks should be kept clean and without any document left, before an Employee leaves his or her work station.
Blinds to External windows shall be kept closed to prevent any person from seeing what is inside the office.
The Company must exert all efforts to ensure that no person would have any idea that confidential information is kept within the Company premises.
Should an employee take short breaks, he or she must lock the screen of his or her computer, which must be password protected to prevent any person from gaining access to the same, and must also lock his or her pedestal.
Protection against environmental threats
The Company shall conduct a periodic check of all the corners of its premises. For this purpose, the Company shall:
Check for any leaks in its windows, which may be the source of water damage to any of its files and electronic equipment.
Check for any leaks in the plumbing to ensure avoidance of destruction of electrical equipment and files.
The Company must brief its employees about which files or how to secure confidential information, in case of emergencies.
Equipment
The Company must comply with the following guidelines, to ensure the safety of its equipment, as well as the information they contain:
All equipment must be positioned in the areas of the Company’s premises, where they are safe from the elements, or any other cause of equipment failure and destruction, such as leaks from the plumbing, overheating, fire, and such other causes.
Equipment containing Personal Data or information must be kept in secure areas, which are not accessible to the public.
Employees shall be required to comply with the Equipment’s manufacturer specifications, to ensure the proper use and function.
The Company must provide for emergency lights, and emergency back up power in case of power outages.
Electric, data, and communication cables must as far as practicable be kept separate, and must be placed in corners or areas which are inaccessible to the general public.
In case of transfer of equipment, the policies governing the transfer of assets and media shall likewise be applied to transfer of equipment.
Equipment and media taken off the Company premises should not be left in public places.
In case of reuse of electronic equipment, all Employees must make sure that any sensitive information belonging to the Company is backed up and then deleted and overwritten in such a way that it could no longer be accessed, recovered or used by the subsequent user.
In case of disposal of electronic equipment containing sensitive or personal information, all sensitive information must first be deleted in such a way that they are unrecoverable, and the equipment must be destroyed in such a way that the same could no longer be used.
Unattended user equipment
The Company shall impose strict compliance with the rules governing unattended user equipment.
All employees shall ensure that they terminate active sessions after they have finished working in their Computers. Employees must lock their computers with a password protected screensaver, or put their Computer units to sleep mode, whenever they leave their terminals.
Clear desk and clear screen policy
The Company shall implement a clear desk and clear screen policy with the following guidelines:
All documents which contain Personal Data, and sensitive or critical business information must be locked away in secured pedestals accessible only to their users.
Computers and terminals should be logged off, or protected with a screen and keyboard locking mechanism controlled by a password, or any other means of securing the same.
Measures to control the unauthorized use of photocopiers and other reproduction technology should be strictly imposed.
Data Format
Personal Data in custody of the Company may be in digital or electronic format and paper based or physical format.
The Company must impose strict guidelines in ensuring the security of each type of format, to ensure avoidance of any type of breach.
Data Room
The Company shall employ the use of a Data Room, where all Personal Information, as well as confidential company information shall be kept, whether as back ups or as primary documents. Use of a Data Room shall be under the following guidelines:
Only authorized personnel, whose access has been permitted by the Management may be allowed to enter the Data Room.
The Company shall keep a logbook, as well as an online registration platform to monitor persons who access the Data Room.
OPERATIONS SECURITY
Operational Procedures and Responsibilities
The Company shall ensure that all of its operational procedures are well documented to ensure preparedness for any changes in the Company’s organization or set up.
The Company must keep a logbook of all of its processes and of the changes effected upon them, so that successors have a record of the history of those changes.
Capacity Management
The Company shall make sure that it has sufficient capacity to take on future roles as well as probable contingencies. To take on such task, the Company shall abide by the following guidelines:
The Company shall monitor its resources and shall conduct an inventory from time to time.
The Company must make sure to maintain foresight on the availability of its resources, and must make sure that it has sufficient resources to cover future endeavors.
The Company must make sure that none of its processes is highly dependent upon a single person, to ensure the continuation of its activities in case of absence.
Separation of development, testing, and operational environments
The Company shall make sure that its development, testing and operational (production) resources and processes are not all hosted on a single system. To this end, all Employees are directed to comply with the following guidelines:
Development and operational software should run on different systems or computer processors and in different domains and directories.
Changes to operational systems and applications should be tested in a testing or staging environment, before being applied to operational systems.
Testing shall not be done on operational systems.
Compilers, editors, and other development tools or system utilities shall not be accessible from operational systems.
Users or Employees must use different user profiles for operational and testing systems.
Actual Personal Data shall not be copied into testing system environment.
Protection from Malware
The Company must ensure that its system, network, as well as equipment are free from malware. To this end, all Employees must comply with the following guidelines:
Employees are prohibited from installing any software into Company owned equipment, without authorization from Management.
The Company may only allow the installation of software whose installer carries a valid, current code-signing signature, and which still receives security updates.
The Company shall invest in malware detection software which detects and removes any form of malware.
Employees shall not be allowed to install software which allows for remote access to Company owned equipment, unless the situation calls for such installation.
The Company shall make sure that all of its anti-malware software, including signature databases and detection engines, is kept up to date.
Back ups
The Company shall ensure that all of its information are backed up in secure media, under the following guidelines:
The Company shall ensure that it creates an accurate and complete back up of all of its records.
The Company shall likewise ensure the creation and recording of restoration procedures in case of data loss.
If possible, the Company shall make multiple back ups to ensure continuity of operations in case of contingencies.
Back ups shall be stored in a secure and remote location away from the Company premises, to ensure their safety and to escape any damage from a disaster at the main site.
Backups shall be tested regularly by performing restorations, to ensure they are reliable in case of emergencies.
Logging and Monitoring
The Company shall keep a record of all of its events and generate evidence. Towards this end, the Company shall implement the following guidelines for logging and monitoring:
The Company shall record all user activities, exceptions, faults and information security events.
Event logs shall include the following:
User IDs;
System Activities;
Dates, times, and details of key events;
Device identity and location;
Records of successful and rejected system access attempts;
Records of successful and rejected attempts to access data and other resources;
Changes to system configuration;
Use of privileges;
Use of system utilities and applications;
Files accessed and the kind of access;
Network addresses and protocols;
Alarms raised by the access control system;
Activation and deactivation of protection systems such as anti-virus, anti-malware, and intrusion detection systems;
Records of transactions executed by users in applications.
Considering that the event logs may contain Personal Data, the Company shall ensure that only key personnel who have signed Non-Disclosure Agreements have access to the logs, and that the logs are protected from modification and deletion so that they remain usable as evidence.
Clock synchronization
To ensure the accuracy of all information recorded by the Company, the Company must set a standard time reference for use within the organization, for example by synchronising all systems and devices to the same Network Time Protocol (NTP) source and recording timestamps in a single time zone. Such standard time shall be used for all the Company's records and documents.
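The two passages above (the event-log contents, and the single time reference) can be illustrated with a small worked example. The following is an added example, not code from the Company or the original policy: it builds event records carrying the fields the policy lists, with timezone-aware UTC timestamps so that events from different systems sort correctly, writes them as JSON lines, parses them back (rejecting records that lack a required field), and runs one detection a practitioner would want over such logs, flagging a user ID with repeated rejected access attempts. The field names, the threshold (three rejections within ten minutes) and the sample events are assumptions.

```python
"""Structured event-log records and a rejected-access detection.

Added example, not the Company's own code. The field names follow the
event-log contents listed in the policy; the record layout, the
threshold (3 rejections in 10 minutes) and the sample events are
assumptions constructed for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fields every event must carry (assumed names mapping to the policy's list).
REQUIRED_FIELDS = ("ts", "user_id", "device_id", "src_ip", "activity", "outcome")


def make_event(user_id, device_id, src_ip, activity, outcome, resource=None, ts=None):
    """Build one event record with a timezone-aware UTC timestamp (clock-sync clause)."""
    if outcome not in ("success", "rejected"):
        raise ValueError("outcome must be 'success' or 'rejected'")
    ts = ts or datetime.now(timezone.utc)
    return {
        "ts": ts.isoformat(),
        "user_id": user_id,
        "device_id": device_id,
        "src_ip": src_ip,
        "activity": activity,
        "outcome": outcome,
        "resource": resource,
    }


def to_jsonl(events):
    """Serialise events one per line, the shape an append-only log file takes."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


def parse_jsonl(text):
    """Parse JSON-lines log text; a record missing a required field is rejected."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            raise ValueError(f"log record missing fields: {missing}")
        rec["ts"] = datetime.fromisoformat(rec["ts"])  # back to a comparable datetime
        events.append(rec)
    return events


def rejected_access_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Map user_id -> max number of rejected attempts seen inside any sliding window,
    for users whose maximum reaches the threshold."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] == "rejected":
            by_user[e["user_id"]].append(e["ts"])
    flagged = {}
    for user, times in by_user.items():
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


# Constructed sample: u1023 is rejected four times within five minutes;
# u2001 has one rejection followed by a success.
BASE = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    make_event("u1023", "dev-0412", "10.0.5.23", "db_login", "rejected", "customer_db", BASE),
    make_event("u1023", "dev-0412", "10.0.5.23", "db_login", "rejected", "customer_db", BASE + timedelta(minutes=1)),
    make_event("u2001", "dev-0088", "10.0.5.40", "db_login", "rejected", "customer_db", BASE + timedelta(minutes=2)),
    make_event("u2001", "dev-0088", "10.0.5.40", "db_login", "success", "customer_db", BASE + timedelta(minutes=3)),
    make_event("u1023", "dev-0412", "10.0.5.23", "db_login", "rejected", "customer_db", BASE + timedelta(minutes=4)),
    make_event("u1023", "dev-0412", "10.0.5.23", "db_login", "rejected", "customer_db", BASE + timedelta(minutes=5)),
]


def run_sample():
    """Round-trip the sample through JSON lines and run the detection."""
    return rejected_access_bursts(parse_jsonl(to_jsonl(SAMPLE_EVENTS)))


if __name__ == "__main__":
    print(run_sample())  # {'u1023': 4}
```

The timestamps are stored in ISO 8601 with an explicit UTC offset; if each system wrote local time without an offset, the window arithmetic in the detection would silently mix clocks, which is the failure the clock-synchronisation clause exists to prevent.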
COMMUNICATIONS SECURITY
Security of Network Services
The Company shall implement security mechanisms, for all network services. To accomplish this, the Company must ensure that its service providers, execute agreements for data security, laying down terms which are consistent with this Privacy Policy.
Information Transfer
To ensure that all information transferred by the Company are secured, complete, and available the following guidelines should be followed by all employees:
In case information is transferred through removable media, Employees shall observe the guidelines for transfer of equipment and media.
In case information, including Personal Data, is transferred through the internet, the Company must maintain a database of verified email addresses of all its intended recipients, to which any communication or information from the Company must be sent.
Employees must only send information and Personal Data to verified email addresses.
Information sent through email shall be encrypted and password protected; the password shall be communicated to the recipient through a channel other than the email itself.
In case of separation of employees, for any reason, the Company shall create back ups of the contents of the email of its employees before deletion.
In case of exchanges of information to another party, the Company shall execute Non-disclosure Agreements, as well as Data Sharing Agreements to ensure the confidentiality of all information shared.
SYSTEM DEVELOPMENT
Securing Application Services on Public Networks
The Company must ensure the security of all of its information, including Personal Data, when access to its networks is done through public networks.
As a general rule, all Employees of the Company shall not be allowed to access the Company’s network using public networks.
Protection of application service transactions
The Company shall make sure that all application service transactions are protected and complete, and received by the proper recipient. The Company must thus comply with the following guidelines in the conduct of its transaction done electronically:
The Company shall develop policies involving the use of electronic signatures as defined by the Rules on Electronic Evidence Promulgated by the Supreme Court of the Philippines.
The Company may use two-factor authentication, or One Time Passwords, to verify the identity of the Data Subjects using its Website.
Restrictions on changes to software packages
Modifications to software packages which the Company has acquired from third-party vendors shall be discouraged. Such modifications may constitute acts of infringement for which the Company can be made liable. Further, such modifications may result in failure of the software to perform properly. To avoid any untoward results, the Company must perform the following:
Before any modifications, the Company must make sure that the user license agreements of the software allow the Company to make any further modification.
In case of open source software, the Company must make sure that the modifications done are done within the limits set by the license.
Testing of Security Systems
The Company must ensure that its Security Systems are tested during their development stage, before using the same in actual operations.
Test Data
Test data used in the development of the Company’s network and system, shall be carefully selected, protected and controlled. All Employees charged with the development of the Company’s systems must observe the following:
Employees shall not use actual Personal Data when conducting testing.
A separate authorization procedure shall be followed each time actual operational information (other than Personal Data) is copied and used in a test environment.
Operational information shall be erased from a test environment immediately after testing is complete.
The Company shall maintain a log of all actual information used for testing to ensure the complete deletion of the same in testing environments.
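The test-data rules above are easiest to apply if operational records are sanitised before they leave production, so that what reaches the test environment carries no Personal Data while keeping the structure and relationships tests depend on. The following is an added example, not the Company's own tooling: it pseudonymises customer identifiers with a keyed hash (same customer keeps the same pseudonym across records, and the key stays outside the test environment so the mapping cannot be reversed there), drops free-text identifiers, replaces email addresses with non-routable synthetic ones, and produces the manifest the policy asks to be logged. The record layout, the field classification, the key and the sample records are assumptions constructed for illustration.

```python
"""Pseudonymise operational records before they enter a test environment.

Added example, not the Company's own code. The record layout
(customer_id, name, email, phone, order_total), the field classification
and the HMAC pseudonym scheme are assumptions; the key would be held in
production, never in the test environment.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Which fields are Personal Data and how each is handled (assumed classification).
PERSONAL_FIELDS = {
    "customer_id": "pseudonym",   # keep referential integrity via a keyed hash
    "name": "drop",               # free text, not needed for testing
    "email": "synthesize",        # replaced with a fake address tied to the pseudonym
    "phone": "drop",
}


def pseudonym(value, key):
    """Keyed one-way identifier: same input and key give the same output."""
    return hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()[:16]


def sanitize_record(rec, key):
    """Return a copy of rec with Personal Data removed or replaced."""
    out, pid = {}, None
    for field, value in rec.items():
        action = PERSONAL_FIELDS.get(field)
        if action is None:
            out[field] = value            # non-personal operational data passes through
        elif action == "pseudonym":
            pid = pseudonym(value, key)
            out[field] = pid
        elif action == "synthesize":
            out[field] = None             # filled in below once the pseudonym is known
        # action == "drop": the field is omitted entirely
    if "email" in out:
        if pid is None:                   # no customer_id: derive the pseudonym from the email
            pid = pseudonym(rec.get("email", ""), key)
        out["email"] = f"user-{pid}@test.invalid"   # .invalid never routes (RFC 2606)
    return out


def sanitize_dataset(records, key, source_name):
    """Sanitise a batch and build the manifest the policy requires to be logged."""
    clean = [sanitize_record(r, key) for r in records]
    manifest = {
        "source": source_name,
        "copied_at": datetime.now(timezone.utc).isoformat(),
        "record_count": len(clean),
        "fields_removed": sorted(f for f, a in PERSONAL_FIELDS.items() if a == "drop"),
        "fields_pseudonymised": sorted(f for f, a in PERSONAL_FIELDS.items() if a != "drop"),
        "content_sha256": hashlib.sha256(json.dumps(clean, sort_keys=True).encode()).hexdigest(),
    }
    return clean, manifest


def looks_sanitized(records):
    """Guard to run at the test-environment boundary: False if raw Personal Data survived."""
    for r in records:
        if any(f in r for f, a in PERSONAL_FIELDS.items() if a == "drop"):
            return False
        if "email" in r and not str(r["email"]).endswith("@test.invalid"):
            return False
    return True


KEY = b"example-key-held-in-production-only"   # assumption; a real key is never committed
SAMPLE_RECORDS = [   # constructed sample, not real customers
    {"customer_id": 1001, "name": "Maria Santos", "email": "maria@example.com", "phone": "+63 900 000 0001", "order_total": 2450.00},
    {"customer_id": 1002, "name": "Jose Reyes", "email": "jose@example.com", "phone": "+63 900 000 0002", "order_total": 780.50},
    {"customer_id": 1001, "name": "Maria Santos", "email": "maria@example.com", "phone": "+63 900 000 0001", "order_total": 130.00},
]


def run_sample():
    """Sanitise the constructed sample and return the records with their manifest."""
    return sanitize_dataset(SAMPLE_RECORDS, KEY, "orders_db.customers")


if __name__ == "__main__":
    clean, manifest = run_sample()
    print(json.dumps(clean, indent=2))
    print(json.dumps(manifest, indent=2))
```

The keyed hash is chosen over a plain hash because customer IDs are small integers: an unkeyed SHA-256 of every possible ID could be precomputed and the pseudonyms reversed. The manifest's content hash lets the deletion required after testing be verified against exactly what was copied.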
COMPLIANCE WITH LAWS AND GOVERNMENT ISSUANCES
Intellectual Property Rights
The Company upholds and respects the intellectual property rights of persons, and promulgates the following guidelines to be observed in the use of Intellectual Property:
The Company shall only use software from known and reputable sources, for its equipment.
The Company shall conduct trainings and seminars about intellectual property to its employees.
The Company shall maintain proof and evidence of ownership of licenses, master disks, and manuals of software.
The Company shall not share any license with any other user outside of its organization.
Employees may not alter the source codes of third party software without the authorization of the Company.
Employees shall not duplicate, convert, or extract from commercial recordings, any type of literature, unless otherwise permitted by the copyright laws.
Employees shall likewise not be allowed to copy, in full and in part, any books, articles, reports, or other literary documents, unless otherwise permitted by law.
BREACH AND SECURITY INCIDENTS
CREATION OF A DATA BREACH RESPONSE TEAM
The Company shall constitute a data breach response team composed of five (5) members, with at least one (1) member having the authority to make immediate decisions regarding critical and necessary action. The team may include the Company’s Data Protection Officer.
The Data Breach Response Team shall be responsible for the following:
Implementation of the Company’s security incident management policy;
Management of security incidents, and personal data breaches;
Facilitating the Company’s compliance with the relevant provisions of the Data Privacy Act of 2012, its Implementing Rules and Regulations, and all issuances of the National Privacy Commission on data breach management.
GUIDELINES FOR INCIDENT RESPONSE
Discovery of Security Incidents
The Company must periodically audit its security systems and check for any type of security breach which might have occurred. In order to discover any security incident in a timely manner, the Company must perform the following:
The Company must scan its databases and network for vulnerabilities at least once a month.
The Company must formulate guidelines to assess whether an incident should be considered as a security incident or a security breach.
The Company’s Data Protection Officer shall be charged with ensuring compliance with this Policy as well as the conduct of an audit.
Internal Reporting
In case of a security breach, or an incident which might be construed as a security breach, the following steps shall be followed:
The person who discovers the incident shall inform the Data Protection Officer immediately, and in any case within twenty-four (24) hours from discovery. In the absence of the Data Protection Officer, the person who discovered the incident must immediately inform any member of the Management.
Upon receipt of the information about the incident, the Company must immediately call the Data Breach Response Team into action.
The Data Breach Response Team shall immediately investigate the incident, and shall identify the person responsible for the breach.
The Data Breach Response Team shall then verify the existence of the breach, and shall assess the type and extent of the breach.
Within twenty-four (24) hours from notification, the Company, through its Data Breach Response Team, must complete its initial assessment of the incident and determine whether the breach must be reported to the National Privacy Commission. The assessment need not establish the full scope of the breach; further findings may be supplemented as the investigation continues.
When to Notify the National Privacy Commission
The Company shall be required to notify the National Privacy Commission, upon knowledge of or when there is a reasonable belief that a personal data breach requiring notification has occurred, when all of the following conditions are present:
The Personal Data involves sensitive personal information or any other information that may be used to enable identity fraud. Other information shall include, but not be limited to: a) data about the financial or economic situation of the Data Subject; b) usernames, passwords, and other login data; c) biometric data; d) copies of identification documents, licenses or unique identifiers such as PhilHealth, SSS, GSIS or TIN numbers; e) other similar information which may be made the basis of decisions concerning the data subject, including the grant of rights or benefits;
There is reason to believe that the information may have been acquired by an unauthorized person; and
The Company or the National Privacy Commission believes that the unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected Data Subject.
In case there is doubt as to whether there is a need to notify the National Privacy Commission, the Company must take into account as primary consideration, the likelihood of harm or negative consequences on the affected data subjects, and how notification, particularly of the data subjects, could reduce the risks arising from the personal data breach reasonably believed to have occurred. The Company shall also consider if the personal data reasonably believed to have been compromised involves:
Information that would likely affect national security, public safety, public order, or public health;
At least one hundred (100) individuals;
Information required by applicable laws or rules to be confidential; or
Personal data of vulnerable groups.
Notification of the Commission
In case the Company determines that it has been subject of an actual Data Security Breach, it must report the incident to the National Privacy Commission, and comply with Section 17, Rule V, of NPC Circular No. 2016-03, or the Personal Data Breach Management, issued by the National Privacy Commission, which provides as follows:
“SECTION 17. Notification of the Commission. The personal information controller shall notify the Commission of a personal data breach subject to the following procedures:
When Notification Should be Done. The Commission shall be notified within seventy-two (72) hours upon knowledge of or the reasonable belief by the personal information controller or personal information processor that a personal data breach has occurred.
Delay in Notification. Notification may only be delayed to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system. The personal information controller need not be absolutely certain of the scope of the breach prior to notification. Its inability to immediately secure or restore integrity to the information and communications system shall not be a ground for any delay in notification, if such delay would be prejudicial to the rights of the data subjects. Delay in notification shall not be excused if it is used to perpetuate fraud or to conceal the personal data breach.
When delay is prohibited. There shall be no delay in the notification if the breach involves at least one hundred (100) data subjects, or the disclosure of sensitive personal information will harm or adversely affect the data subject. In both instances, the Commission shall be notified within the 72-hour period based on available information. The full report of the personal data breach must be submitted within five (5) days, unless the personal information controller is granted additional time by the Commission to comply.
Content of Notification. The notification shall include, but not be limited to:
Nature of the Breach
description of how the breach occurred and the vulnerability of the data processing system that allowed the breach;
a chronology of the events leading up to the loss of control over the personal data;
approximate number of data subjects or records involved;
description or nature of the personal data breach;
description of the likely consequences of the personal data breach; and
name and contact details of the data protection officer or any other accountable persons.
Personal Data Possibly Involved
description of sensitive personal information involved; and
description of other information involved that may be used to enable identity fraud.
Measures Taken to Address the Breach
description of the measures taken or proposed to be taken to address the breach;
actions being taken to secure or recover the personal data that were compromised;
actions performed or proposed to mitigate possible harm or negative consequences, and limit the damage or distress to those affected by the incident;
action being taken to inform the data subjects affected by the incident, or reasons for any delay in the notification;
the measures being taken to prevent a recurrence of the incident.
The Commission reserves the right to require additional information, if necessary.
Form. Notification shall be in the form of a report, whether written or electronic, containing the required contents of notification: Provided, that the report shall also include the name and contact details of the data protection officer and a designated representative of the personal information controller: Provided further, that, where applicable, the manner of notification of the data subjects shall also be included in the report. Where notification is transmitted by electronic mail, the personal information controller shall ensure the secure transmission thereof. Upon receipt of the notification, the Commission shall send a confirmation to the personal information controller. A report is not deemed filed without such confirmation. Where the notification is through a written report, the received copy retained by the personal information controller shall constitute proof of such confirmation.”
Notification of Data Subjects
In case of breach, the Company must likewise inform the Data Subjects of the said breach, and comply with Section 18, Rule V, of NPC Circular No. 2016-03, or the Personal Data Breach Management, issued by the National Privacy Commission, which provides as follows:
“SECTION 18. Notification of Data Subjects. The personal information controller shall notify the data subjects affected by a personal data breach, subject to the following procedures:
When should notification be done. The data subjects shall be notified within seventy-two (72) hours upon knowledge of or reasonable belief by the personal information controller or personal information processor that a personal data breach has occurred. The notification may be made on the basis of available information within the 72-hour period if the personal data breach is likely to give rise to a real risk to the rights and freedoms of data subjects. It shall be undertaken in a manner that would allow data subjects to take the necessary precautions or other measures to protect themselves against the possible effects of the breach. It may be supplemented with additional information at a later stage on the basis of further investigation.
Exemption or Postponement of Notification. If it is not reasonably possible to notify the data subjects within the prescribed period, the personal information controller shall request the Commission for an exemption from the notification requirement, or the postponement of the notification. A personal information controller may be exempted from the notification requirement where the Commission determines that such notification would not be in the public interest or in the interest of the affected data subjects. The Commission may authorize the postponement of notification where it may hinder the progress of a criminal investigation related to a serious breach, taking into account circumstances provided in Section 13 of this Circular, and other risks posed by the personal data breach.
Content of Notification. The notification shall include, but not be limited to:
nature of the breach;
personal data possibly involved;
measures taken to address the breach;
measures taken to reduce the harm or negative consequences of the breach;
representative of the personal information controller, including his or her contact details, from whom the data subject can obtain additional information regarding the breach; and
any assistance to be provided to the affected data subjects.
Where it is not possible to provide the foregoing information all at the same time, they may be provided in phases without undue delay.
Form. Notification of affected data subjects shall be done individually, using secure means of communication, whether written or electronic. The personal information controller shall take the necessary steps to ensure the proper identity of the data subject being notified, and to safeguard against further unnecessary disclosure of personal data. The personal information controller shall establish all reasonable mechanisms to ensure that all affected data subjects are made aware of the breach: Provided, that where individual notification is not possible or would require a disproportionate effort, the personal information controller may seek the approval of the Commission to use alternative means of notification, such as through public communication or any similar measure through which the data subjects are informed in an equally effective manner: Provided further, that the personal information controller shall establish means through which the data subjects can exercise their rights and obtain more detailed information relating to the breach.”
RECOVERY AND RESTORATION OF PERSONAL DATA
Upon discovery of the breach, the Company must turn to its backups of the affected information and compare them with its operational data to determine whether the incident caused any inconsistencies or alterations.
The Company shall comply with the following guidelines in restoring Personal Data:
The Company must immediately isolate the Personal Data involved in the Security Breach, and identify whether the breach has affected the Personal Data’s availability, integrity, or confidentiality.
In case the breach has affected the integrity of the Personal Data, the Company shall compare the operational data to the data stored in a backup taken before the incident, to identify any alterations resulting from the breach; a backup taken after the incident began may already contain the altered data.
In case the breach has affected the availability of Personal Data, the Company must refer to its backups, and find means of verifying that the information contained therein is up to date.
In case the breach has affected the confidentiality of Personal Data, the Company must exert all reasonable measures to inform the affected Data Subjects of the breach, and provide instructions to curtail the possible fraudulent use of their Personal Data.
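As an added illustration of the backup-to-operational comparison described above (example code written for this page, not part of the Company’s policy or tooling), the script below fingerprints each record in canonical form, refuses a backup that postdates the incident window, and reports which records were altered, deleted or inserted, with a field-level diff for the altered ones. The record layout, the timestamps and the bank_account field are assumptions constructed for the example.

```python
"""Compare a pre-incident backup with operational data record by record to
find what the breach altered, deleted or inserted.

Both datasets below are constructed for this example.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed backup, taken before the incident window.
BACKUP_TAKEN_AT = datetime(2022, 9, 1, 2, 0, tzinfo=timezone.utc)
BACKUP = [
    {"id": "1001", "name": "Juan Dela Cruz", "email": "juan.dc@example.com",
     "bank_account": "0012-3456-78"},
    {"id": "1002", "name": "Maria Santos", "email": "maria.s@example.com",
     "bank_account": "0098-7654-32"},
    {"id": "1003", "name": "Pedro Reyes", "email": "pedro.r@example.com",
     "bank_account": "0011-2233-44"},
]

# Constructed operational data as found after the incident: one record
# altered (payout account redirected), one deleted, one inserted.
INCIDENT_STARTED_AT = datetime(2022, 9, 2, 10, 30, tzinfo=timezone.utc)
OPERATIONAL = [
    {"id": "1001", "name": "Juan Dela Cruz", "email": "juan.dc@example.com",
     "bank_account": "0012-3456-78"},
    {"id": "1002", "name": "Maria Santos", "email": "maria.s@example.com",
     "bank_account": "0099-0000-01"},
    {"id": "1004", "name": "Ghost Entry", "email": "ghost@example.com",
     "bank_account": "0077-7777-77"},
]


def fingerprint(rec: dict) -> str:
    """SHA-256 over a canonical JSON form, so key order and whitespace
    differences between the two copies do not show up as alterations."""
    canonical = json.dumps(rec, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def usable_reference(backup_taken_at: datetime, incident_started_at: datetime) -> bool:
    """A backup only proves anything about integrity if it predates the
    earliest point at which the attacker could have written to the data."""
    return backup_taken_at < incident_started_at


def compare(backup: list[dict], operational: list[dict], key: str = "id") -> dict:
    """Classify every record as unchanged, altered, missing or added."""
    b = {r[key]: r for r in backup}
    o = {r[key]: r for r in operational}
    common = b.keys() & o.keys()
    return {
        "altered": sorted(k for k in common if fingerprint(b[k]) != fingerprint(o[k])),
        "missing": sorted(b.keys() - o.keys()),
        "added": sorted(o.keys() - b.keys()),
        "unchanged": sorted(k for k in common if fingerprint(b[k]) == fingerprint(o[k])),
    }


def changed_fields(before: dict, after: dict) -> dict:
    """Field-level diff of one altered record: shows the response team which
    attributes were tampered with, which also drives what data subjects are told."""
    return {f: (before.get(f), after.get(f))
            for f in before.keys() | after.keys()
            if before.get(f) != after.get(f)}


def integrity_report(backup: list[dict], operational: list[dict],
                     backup_taken_at: datetime, incident_started_at: datetime) -> dict:
    if not usable_reference(backup_taken_at, incident_started_at):
        raise ValueError("backup postdates the incident window; use an older copy")
    result = compare(backup, operational)
    b = {r["id"]: r for r in backup}
    o = {r["id"]: r for r in operational}
    result["details"] = {k: changed_fields(b[k], o[k]) for k in result["altered"]}
    return result


if __name__ == "__main__":
    report = integrity_report(BACKUP, OPERATIONAL, BACKUP_TAKEN_AT, INCIDENT_STARTED_AT)
    print(json.dumps(report, indent=2, default=str))
```

The comparison is only as trustworthy as the backup: the record fingerprints should be computed and stored separately from the backup at backup time (offline or on write-once media), because an attacker with write access to both copies leaves nothing to compare. The report output belongs in the incident documentation required under Documentation below.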
DOCUMENTATION
The Company must document all the incidents related to the security breach, under the following guidelines:
The Company must maintain a log of all information relating to the security breach, and must document the incident in chronological order.
All information in relation to the breach must be recorded, from the time of discovery, until resolution.
The Company must keep a record of all incident reports submitted by the concerned Employees, as well as all the communications which it has made or received to and from the National Privacy Commission.
INQUIRIES AND COMPLAINTS
Data Subjects may inquire or request for information regarding any matter relating to the processing of their Personal Data under the custody of the Company, including the Privacy Policy of the Company implemented to ensure protection of their Personal Data.
Data subjects may write to the Company through its email address: swm.sales@solidwineonline.com.ph, and briefly discuss the inquiry, together with their contact details for reference.
In case of Complaints, the Company must verify the identity of the Data Subject who filed the Complaint, and respond to the Data Subject within three (3) days from receipt of the Complaint.
EFFECTIVITY
The provisions of this Privacy Policy shall be effective this 1st day of September 2022, until revoked or amended by the Company, through a Board Resolution.
General Privacy Policy Statements
The Data Subject has the right to file a complaint in case of breach or unauthorized access of his or her personal information.
The Company shall secure the personal information of Clients and Employees, or Third Parties from whom personal information is collected, and shall take adequate measures to secure both physical and digital copies of the information.
The Company shall ensure that personal information is collected and processed only by authorized personnel for legitimate purposes of the Company.
Any information that is declared obsolete based on the internal privacy and retention procedures of the Company shall be disposed of in a secure and legal manner, as provided for under this Privacy Policy in consonance with the provisions of the Data Privacy Act and its Implementing Rules and Regulations.
Any suspected or actual breach of the Company’s Data Privacy Policy must be reported to any member of the Data Breach Response Team in accordance with the procedures of this Privacy Policy.
Data subjects may inquire or request information from the Data Breach Response Team regarding any matter relating to the processing of their personal data under the custody of the Company, including the data privacy and security policies implemented to ensure the protection of their personal data.
DEFINITION OF MATERIAL TERMS
“Authorized personnel” refers to employees or officers of Solid Wine Marketing Inc. specifically authorized to collect, store, access, and/or process personal information, either by the function of their office or position, or through specific authority given in accordance with the policies of the Company.
“Candidate” refers to the prospective employee or jobseeker, who submits his or her curriculum vitae or résumé online.
“Company” refers to Solid Wine Marketing, Inc.
“Consent of the Data Subject” refers to any freely and voluntarily given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged information. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful representative or an agent specifically authorized, via a written or sufficiently established authorization, by the data subject to do so.
“DPA” or “Data Privacy Act” refers to Republic Act No. 10173 or the Data Privacy Act of 2012.
“Data Subject” refers to an individual whose personal, sensitive personal, or privileged information is processed by the Company. It refers to officers, employees, consultants, and clients of the Company.
“Data Protection Officer” or “DPO” refers to the Company’s officer designated to monitor and ensure the implementation of the Data Privacy policies of the Company. The DPO is also the de facto head of the Data Breach Response Team.
The DPO is responsible for ensuring the Company’s compliance with applicable laws and regulations for the protection of data privacy and security. The functions and responsibilities of the DPO shall particularly include, among others:
monitoring the Company’s personal data processing activities in order to ensure compliance with applicable Personal Data privacy laws and regulations, including the conduct of periodic internal audits and review to ensure that all the Company’s data privacy policies are adequately implemented by its employees and authorized agents;
acting as a liaison between the Company and the regulatory and accrediting bodies, and is in charge of the applicable registration, notification, and reportorial requirements mandated by the DPA, as well any other applicable data privacy laws and regulations;
developing, establishing, and reviewing policies and procedures for the exercise by Data Subjects of their rights under the DPA and other applicable laws and regulations on Personal Data privacy;
acting as the primary point of contact whom Data Subject may coordinate and consult with for all concerns relating to their personal data;
formulating capacity building, orientation, and training programs for employees, agents or representatives of the Company regarding personal data privacy and security policies;
preparing and filing the annual report of the summary of documented security incidents and personal data breaches, if any, as required under the DPA, and of compliance with other requirements that may be provided in other issuances of the National Privacy Commission.
“The Management” refers to top level officers of the Company, which may include its Directors, Officers, and Managerial employees, who are tasked with the preparation and execution of Company policies.
“Personal Data” as used in this notice refers to all types of personal information.
“Personal data breach” refers to a breach of security leading to the willful, accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed within the Company.
“Personal Data Classification” refers to the categories of personal information collected and processed by the Company. Personal data is classified as follows:
“Public” refers to information readily available which may be disclosed to the public. Examples: the Company’s Articles of Incorporation, General Information Sheet, office directory, names of corporate officers, and other information stated on the Company’s website.
“Confidential” refers to information which is declared confidential by law or by policy of the Company, which may only be processed by authorized personnel, and which, if disclosed, may cause material harm to the Company; or information that is sensitive in nature as it affects the health or well-being of the individual. Examples: Employee and candidate names, educational attainment, addresses, contact numbers, SSS, PhilHealth and passport numbers, employees’ health information, employee 201 files and the information contained therein determined confidential by the Labor Code.
“Classified” refers to information the access to which is highly restricted, and which, if disclosed, may cause severe or serious harm or injury to the Employee, Recruiter, Candidate or Third Party. Examples: Employee, Candidate and Recruiter Company accounts, computer passwords, bank account numbers, and PINs of employees.
“Personal Information” refers to any information, whether recorded in material form or not, from which the identity of an individual is apparent or can be reasonably ascertained by the entity holding information, or when put together with other information would directly and certainly identify the individual.
“Sensitive Personal Information” refers to personal information pertaining to:
An individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
An individual’s health, education, genetic or sexual life, or any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
Any personal information issued by government agencies peculiar to an individual which includes but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
Any personal information established by an executive order or an act of Congress to be kept classified.
“Personal Information Controller” refers to natural or juridical persons, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf. The terms exclude:
A natural or juridical person, or any other body, who performs such functions as instructed by another person or organization; or
A natural person who processes personal data in connection with his or her personal, family, or household affairs.
“Personal Information Processor” refers to any natural or juridical person or any other body whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject;
“Policy” or “Privacy Policy” refers to the instant Internal Data Privacy Policy;
“Privacy Notice” refers to the Privacy Notice as reflected on the Company’s website, and/or made known to the general public to promulgate public awareness about the Company’s goals to ensure the protection of their Personal Data, and their rights as Data Subject.
“Processing” refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating, or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
“Recruiter” as used in this notice, means a prospective employer, who has used the Website to gain access to Clients, or has applied for the Company’s services.
“Website” means any website under the Company’s control, including:
www.solidwine.com.ph
SCOPE AND LIMITATIONS
The provisions of this Privacy Policy, whether mandatory or prohibitive, shall be applicable to all Directors, Stockholders, Officers, and Employees of the Company. Accordingly, all the Company’s personnel must always comply with the terms set out in this Policy.
MANAGEMENT PARTICIPATION
The Company’s Management understands the importance of complying with the provisions of the Data Privacy Act of 2012, and takes a proactive approach towards ensuring that all processing of Personal Data done by the Company is done in lawful manner, for legitimate purposes, proportionate to the purposes for which they are collected, and accurate.
The Management likewise understands and values the rights of Data Subjects to privacy, and that the Company has a responsibility towards ensuring that the rights of Data Subjects are respected.
Towards this understanding, the Management shall actively participate in crafting information security policies adequate to address the requirements created by business strategies, regulations, legislation, and contracts, as well as the current and projected information security threat environment.
The Management, thus, has the responsibility to revisit, review, and revise this Policy from time to time, in order to ensure its timeliness, applicability, and adequacy. Further, Management has the responsibility to commit to the strict implementation of this Policy.
PROCESSING OF PERSONAL DATA
Collection
The Company collects Personal Data from its Clients, users of the Website, and its Employees.
From Clients
The Company may collect the following information from its Clients:
Company Name;
Name of Contact Person or representative;
Email;
Website;
Industry;
Company Size;
Mobile Number;
Contact Details;
Location; and
Company Logo.
From Employees
The Company may collect information from its Employees for purposes of their employment:
Name;
Gender;
Email;
Mobile Number;
Current Job Title;
Current Salary;
Date of Birth;
Civil Status;
Address, current location;
Nationality;
Professional Summary;
Curriculum Vitae;
Educational Background;
Previous Work Experience;
Skills;
Languages spoken and understood; and
Images;
The information collected from Clients and Employees may be classified as follows:
Clients
Personal Information: Name; Gender; Email; Mobile Number; Current Job Title; Current Salary; Date of Birth; Civil Status; Address, current location; Nationality; Professional Summary; Curriculum Vitae; Educational Background; Previous Work Experience; Skills; Languages spoken and understood; and Images.
Sensitive Personal Information: Gender; Date of Birth; Civil Status; Nationality; Educational Background; Skills; Languages spoken or understood; and Images.
Employees
Personal Information: Name; Gender; Email; Mobile Number; Current Job Title; Current Salary; Date of Birth; Civil Status; Address, current location; Nationality; Professional Summary; Curriculum Vitae; Educational Background; Previous Work Experience; Skills; Languages spoken and understood; and Images.
Sensitive Personal Information: Gender; Date of Birth; Civil Status; Nationality; Educational Background; Skills; Languages spoken or understood; and Images.
Use of Personal Data
Use of Personal Data of Clients
The Company may use the Personal Data of the Clients only for the following legitimate purposes:
Use of Personal Data of Employees
The Company uses the information it collects from its Employees for the following purposes:
For purposes of pursuing their employment with the Company;
Identify an Employee’s strengths, areas for improvement, and development of a suitable career path;
Ensure compliance with the labor laws, and other laws governing the provision of other employee benefits;
To ensure exertion of due diligence in the selection and management of its employees.
STORAGE
Storage of Personal Data of Clients
Since information from Clients is primarily gathered through the Website, all information from Clients shall be stored in a secured database server based in Singapore.
In storing such information from Clients, the Company must ensure that it undertakes all appropriate technological, organizational, and physical security measures to protect any and all information it has gathered from its Clients, from unauthorized access, unauthorized alterations, and unauthorized disclosure.
Storage of Personal Information of Employees
Personal Information gathered from Employees must be stored using the “HR Tool” on a company-owned computer whose storage is encrypted and protected by a strong password.
Any hard copies of Personal Data coming from Employees must be stored in lockers which could only be accessed by authorized personnel.
RETENTION
Retention of Personal Data of Clients
The Company may store personal information of Clients for as long as the Clients’ profiles remain active.
If a Client’s profile becomes inactive or has been deactivated, the Company shall store the information for a maximum period of five (5) years.
A Candidate’s profile shall be considered inactive if the Candidate fails to update or access his or her account for a period of ________.
A Candidate’s profile shall be considered deactivated if the Candidate ______________________.
The Company shall immediately stop processing any information from a Candidate upon the Candidate’s explicit instructions, and destroy any and all Personal Data collected from the Candidate, upon the latter’s demand.
Retention of Personal Data of Employees
The Company may store Personal Data of its employees as long as they remain employed by the Company.
Should an employee’s relationship with the Company be severed, for any reason, the Company may keep the said employee’s Personal Data for a maximum period of ten (10) years.
An employee may request for the deletion of his or her Personal Data, only after his or her separation from the Company.
DESTRUCTION
After the storage periods stated in the previous subsection have lapsed, or upon instructions of the Data Subject, the Company must dispose of and destroy all hard and soft copies of the Personal Data through secure means.
For purposes of destruction, the Company may designate a team of its employees charged with the destruction of Personal Data.
After Personal Data has been destroyed, the person charged with the conduct of the destruction must issue a certification under oath, certifying that the Personal Data of the said Data Subject has been destroyed. The Company shall keep such certification, and shall make it available to the Data Subject whose Personal Data has been destroyed, upon written request.
ACCESS
Considering the sensitive and confidential nature of the Personal Data under the custody of the Company, only the Data Subjects, and authorized representatives of the Company shall be allowed to access any Personal Data under its custody, for any purpose, except for those contrary to law, public policy, public order, or morals.
The Management shall promulgate rules governing the access of its employees to Personal Data under its custody.
The Company’s Management, including all its officers, and employees, shall have limited, and only necessary, access to Personal Data of the Clients and Employees.
The Company shall select and designate personnel who shall be in charge of processing, storage, and destruction of Personal Data, for Personal Data collected from each group of Data Subjects.
Only Employees or Officers of the Company, who are designated to process, store, or destroy Personal Data, for each group of Data Subjects, shall have access to Personal Data assigned to them.
Officers, Employees, or other personnel of the Company, who are not designated to process, store, or destroy Personal Data, from each group of Data Subjects, shall not be allowed access to Personal Data, except for valid reasons, and for lawful purposes.
DISCLOSURE AND SHARING
All Employees, and personnel of the Company, shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation, or separation from the Company for whatever reason.
Personal Data under the custody of the Company shall be disclosed only pursuant to a lawful purpose, upon written consent of its Data Subjects, and to authorized recipients of such data.
The Company shall ensure that all of its personnel, including those of the Management, execute Non-Disclosure Agreements, to ensure the confidentiality and secrecy of all Personal Data under its possession.
In case the Company decides to share Personal Data, it shall ensure that it executes the necessary Data Sharing Agreement with the other party, in case of mutual sharing of Personal Data. The Company must also execute a Sub-Contracting Agreement containing the necessary provisions governing privacy and confidentiality of Personal Data, in case it decides to outsource the processing of Personal Data to any third party. At all times, the Company shall ensure that the written consent of the relevant Data Subjects shall be secured for such disclosure or sharing.
GENERAL GUIDELINES IN THE PROCESSING OF PERSONAL DATA
Consent
Whenever the Company processes Personal Data, from any Data Subject, it shall ensure that the Data Subject concerned signs a Consent Form which allows the Company to process his or her Personal Data.
The Consent Form shall, as much as possible, be broad enough to cover all types of Personal Data Processing, such as, collection, use, storage, retention, destruction, provision of access, and sharing.
Such Consent Form shall, likewise be, at all times, compliant with the provisions of the Data Privacy Act of 2012, and its Implementing Rules and Regulations.
Processing
The Company must ensure that it only processes Personal Data, lawfully, for each category.
The Company must take note that it may only process Personal Data when it is not prohibited by law, and at least one of the following conditions is present:
The Data Subject has given his or her consent, or the same has been validly acquired by the Company through the Consent Form;
The Processing of Personal Information is necessary and is related to the fulfillment of a contract with the Data Subject, or in order to take steps at the request of the Data Subject prior to entering into a contract;
The processing is necessary to protect vitally important interests of the Data Subject, including life and health;
The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or
The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.
On the other hand, the Company must take note that it may only process Sensitive Personal Information in the following cases:
The Data Subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;
The processing of the same is provided for by existing laws and regulations: Provided, that such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information: Provided, further, That the consent of the Data Subjects is not required by the law or regulation permitting the processing of the sensitive personal information or the privileged information;
The processing is necessary to protect the life and health of the Data Subject or another person, and the Data Subject is not legally or physically able to express his or her consent prior to the processing;
The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: Provided, That such processing is only confined and related to the bona fide members of these organizations or their associations: Provided, further, That the Sensitive Personal Information are not transferred to third parties: Provided, finally, That consent of the Data Subject was obtained prior to processing;
The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or
The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.
The Company may follow the table below as a guide in complying with the provisions of the Data Privacy Act, in terms of processing of Personal Information and Sensitive Personal Information and Privileged Information. Each row pairs the rule for Personal Information with the corresponding rule for Sensitive Personal Information and Privileged Information.

General rule
Personal Information: Processing is allowed if not prohibited by law and subject to conditions.
Sensitive Personal Information and Privileged Information: Processing is prohibited except for certain cases.

Consent
Personal Information: Processing is allowed if the Data Subject provides his or her consent.
Sensitive Personal Information and Privileged Information: Processing is allowed if the Data Subject has given his or her consent that is specific to the purpose and given prior to the processing; in the case of privileged information, all parties to the exchange must have given consent prior to processing.

Fulfillment of a contract
Personal Information: Processing is necessary and is related to the fulfillment of a contract with the Data Subject, or in order to take steps at the request of the Data Subject prior to entering into a contract.
Sensitive Personal Information and Privileged Information: Is generally not allowed if the only basis is the fulfillment of a contract. The processing must be provided for by existing laws and regulations, such regulatory enactments must guarantee the protection of sensitive personal information and privileged information, and the consent of the Data Subject must not be required by the law or regulation permitting the processing of the sensitive personal information or the privileged information.

Legal obligation
Personal Information: The processing is necessary for compliance with a legal obligation to which the Company is subject, i.e. compliance with the SSS law, etc.
Sensitive Personal Information and Privileged Information: Is generally not allowed if the only basis is the fulfillment of a contract. The processing must be provided for by existing laws and regulations, such regulatory enactments must guarantee the protection of sensitive personal information and privileged information, and the consent of the Data Subject must not be required by the law or regulation permitting the processing of the sensitive personal information or the privileged information.

Vital interests
Personal Information: The processing is necessary to protect vitally important interests of the Data Subject, including life and health.
Sensitive Personal Information and Privileged Information: The processing is necessary to protect the life and health of the Data Subject or another person, and the Data Subject is not legally or physically able to express his or her consent prior to processing; or the processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured.

Public order and public authority
Personal Information: The processing is necessary in order to respond to a national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily include the processing of personal data for the fulfillment of its mandate.
Sensitive Personal Information and Privileged Information: The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to a government or public authority.

Legitimate interests
Personal Information: The processing is necessary for the purposes of legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.
Sensitive Personal Information and Privileged Information: The processing is necessary to achieve the lawful and non-commercial objectives of public organizations and their associations, provided that such processing is only confined and related to the bona fide members of these organizations or their associations, that the Sensitive Personal Information is not transferred to third parties, and that the consent of the Data Subject was obtained prior to processing.
SECURITY MEASURES
Organizational Security Measures
Internal Organization
The Company understands that each of its employees has access to information which may or may not include Personal Data. The Company must define and allocate the Personal Data security responsibilities of all its personnel.
The duties of the Company’s employees in relation to the Personal Data of Data Subjects may be summarized as follows:

Data Subject: Clients
Employees/Team In Charge:
The Marketing Department shall be primarily in charge of collecting Personal Data of Clients.
Their duties include:
_______________
_______________
_______________
The Audit Team shall be in charge of ensuring the security of the Personal Data, as well as its storage.
The duties of the Audit Team include:
_________________
_________________
_________________

Data Subject: Employees
Not one team or individual must be able to access or control Personal Data without detection.
Data Protection Officer
The Company has designated Mr./Ms. ________________ as its Data Protection Officer.
The Data Protection Officer shall oversee the compliance of the Company with the DPA, its IRR, and other related policies, including the conduct of a Privacy Impact Assessment, implementation of security measures, security incident and data breach protocol, and the inquiry and complaints procedure.
The Data Protection Officer shall at all times keep abreast of the current laws and policies related to Data Privacy, and shall keep in constant communication with the National Privacy Commission.
Trainings
The Company shall sponsor a mandatory training on data privacy and security at least once a year. For personnel directly involved in the processing of personal data, management shall ensure their attendance and participation in relevant training and orientations as often as necessary.
Conduct of Privacy Impact Assessment
The Company shall conduct a Privacy Impact Assessment (PIA) relative to all activities, projects and systems involving the processing of personal data.
In conducting the Privacy Impact Assessment, the Company may seek the assistance of third parties, which may include its counsel. In all instances, the PIA must be conducted under the leadership of the Company’s DPO.
Recording of Data Privacy Activities
The Company shall make a record of all activities carried out by the Company to ensure Compliance with the Data Privacy Act of 2012, its Implementing Rules and Regulations and other relevant policies.
Duty of Confidentiality
The Company shall ask all members of its organization to sign Non-Disclosure Agreements.
Employees with access to Personal Data shall operate and hold personal data under strict confidentiality.
Review of the Privacy Policy
The Company must ensure that the Privacy Policy is aligned with existing laws and current issuances of the National Privacy Commission.
For this purpose, the Company must review and evaluate its Privacy Policy every year.
The Company must likewise align the contents of its Privacy Policy with the results of its Privacy Impact Assessment.
Mobile Device Usage
Company employees may only use their personal Mobile Devices in areas specifically designated by the Company.
No Employee of the Company may use his or her Mobile Device while on duty, and especially while working at his or her desk.
Employees must register all of their Mobile Devices with the Company, which shall keep a record of the International Mobile Equipment Identity (IMEI) numbers of all cellular phones and their Media Access Control (MAC) addresses.
Mobile Devices whose IMEIs may be altered or changed by the user shall be prohibited from Company premises.
Company employees shall be required to make sure that their Mobile Devices have remote disabling enabled, in case of theft.
Teleworking
In case an employee chooses to work remotely, the said employee shall be required to register his or her location, and shall be given access to the Company’s database only through a secured and encrypted portal.
An employee working remotely shall only be allowed to access the Company’s database using a device which has been registered with the Company.
An employee working out of the office shall be in charge of his or her physical security, and shall be liable to the Company, in case of any security breach arising out of his or her activities outside of the office.
HUMAN RESOURCE SECURITY
Screening
Before employment, the Company, through its Human Resources Department, must ensure that the Employees who join the organization are well screened not only in relation to their capabilities, but also as to their moral fitness.
For such purposes, the Company must seek a prospective employee’s character references, from which the completeness and accuracy of the prospective employee’s representations in his or her application may be verified.
The Company must also require other verification documents such as clearances from the National Bureau of Investigation, and the Philippine National Police. The Company must avoid hiring employees who have been charged with crimes involving moral turpitude.
In screening its prospective employees, the Company must make sure that it complies with the provisions of the Data Privacy Act of 2012, and ask the prospective employee to sign a Data Privacy Consent Form.
Terms of Employment
The Company must also make sure that the terms of employment are clear, and that the employee has been well informed of his or her security role in the organization.
All Employees should be made to sign Non-Disclosure Agreements and Non-Competition Agreements, which could serve as a deterrent to future information breaches. Such Contracts must contain provisions laying down the consequences of breach.
Training and Education
The Company has the duty to spread awareness about the roles of its employees in data privacy.
For such purpose, the Company must conduct training on data security for all of its employees at least once a year.
Disciplinary Process
Should an Employee be subjected to any disciplinary sanctions due to a security breach, the Company shall conduct the same through the following guidelines:
Any part of the disciplinary process, in relation to a security breach may not be undertaken unless it has been verified that a security breach has occurred.
Any form of disciplinary proceedings must comply with the twin-notice rule requirement provided for by the Labor Code of the Philippines.
In case a security breach occurs, and it has been verified to be traceable to an employee, the Company must provide the concerned employee a First Notice, informing the employee of the particular acts which he or she has committed, and further informing him or her of the violations which he or she has committed. The First Notice must also contain the particular ground for termination which he or she is charged with violating.
Under the First Notice, the employee must further be given a period of at least five (5) days within which to submit a written explanation, as well as an invitation to an administrative hearing wherein he or she may further explain his or her side.
After determination of the outcome of the investigation, and in cases where a disciplinary sanction is warranted, the Company must issue the concerned employee a notice of decision stating clearly the facts of his case, and the Company’s findings.
Termination
In case an employee is separated from the Company for any reason, the Company must make sure that the Employee is aware that his or her obligation to maintain the confidentiality of all information made known to him or her during employment persists even after he or she has left the Company.
The provisions of the Non-Disclosure Agreement should contain a continuing obligation to keep in confidence all information which the employee has gathered or learned during the period of his or her employment with the Company, even after employment.
In case the Employee violates the provisions of his or her Non-Disclosure Agreement, the Company may pursue all legal actions against the employee.
ASSET MANAGEMENT
Conduct of an Inventory
The Company must conduct a regular inventory of all of its assets which are related to Data Privacy.
In conducting its inventory, the Company must identify the IMEI and/or MAC addresses, as well as any other identifiers of its devices, so that it can immediately ascertain whether it has been the subject of an intrusion using unauthorized devices.
Ownership of Assets
To maintain effective control over the security of Personal Data, the Company must, as much as possible, own all the assets used by its personnel, especially electronic devices.
Through such measures, the Company would have effective ownership and control over all the information stored in the said assets.
Should an asset be assigned to an Employee, the said employee must sign an accountability form for the said asset, and the Company must register the device associated with the Employee.
Use of Assets
Company-owned assets which have been assigned to Employees may only be used by Employees exclusively for purposes of performing their work.
The Company shall conduct a periodic review of the Assets assigned to its employees. Should the asset be an electronic device, the Company shall audit the contents of the said device, and monitor the activity logs of the said device.
Return of Assets
The following guidelines must be observed in the return and use of the Company’s assets:
Upon separation of an Employee from the Company, for any reason, the Employee must return all assets assigned to or registered to him or her, to the Company.
The Company shall not allow the issuance of a clearance for an Employee who has failed to return a Company-owned asset which has been assigned to him or her.
If an Employee has been allowed by the Company to bring his or her own device, the Company shall have the right to delete all Company owned information stored in the said device before the Employee can be cleared.
Upon termination or separation of an Employee for any purpose, the said Employee shall not be allowed to access any of the Company’s devices.
Media Handling
The Company shall ensure that all types of storage media are secured regardless of what information has been stored in them. Employees are therefore directed to observe the following in handling Media.
In case of reusable media, such as flash drives, the Company shall make sure that any information contained therein which is no longer required by the Company is deleted and made unrecoverable.
All types of media should be stored in safe, secure environments, free from the elements, and in accordance with the manufacturer’s specifications.
All Employees using removable media, must use encryption techniques to ensure the confidentiality, and integrity of the information stored in the said removable media.
Secured back-ups of information which the Company classifies as critical, should be made in different sets of Media to reduce any risk of loss of information.
All Employees of the Company are prohibited from bringing their own removable media and flash drives to work.
In case the Company allows the use of Removable Media, it shall maintain a record of the custody of the said Removable Media.
Disposal of Media
In case of disposal, media containing Personal Data, or which may have contained Personal Data, must be disposed of securely, by completely destroying the drive and ensuring that none of the destroyed data may be recovered, accessed or used by any other person or entity.
The Company shall keep a record of all the Media it has disposed of, to ensure the security of Personal Data.
Transfer of Media
The Company must ensure that Media containing information is protected against unauthorized access, misuse or corruption during transportation.
To this end, all Employees must observe the following in transporting Media, such as USB drives, and other portable Media:
Only reliable transportation carriers should be utilized in sending Media from one point to another.
Employees may only utilize transportation service providers or common carriers, which the Company has already evaluated to be trustworthy, and capable of ensuring the safe transportation of Media and its contents.
When transporting Media, all Employees of the Company should make sure that they have identified the common carrier or transportation provider, and that they have recorded or logged the transfer. Logs should be kept identifying the content of the Media, the protection applied as well as recording the times of transfer.
When sending portable Media, the Employee sending it must ensure that it is packed in such a way that its contents are protected from any physical damage which might arise during transit. The packaging should have security features such as a security seal.
All information contained in the Media shall, as far as practicable, be encrypted before the Media is sent.
ACCESS CONTROL
Access Control Policy
The Company must limit the access to information within its premises and ensure that only authorized individuals or personnel are allowed access to its network, and especially its database.
For this purpose, all Employees of the Company must observe the following guidelines:
All access to the Company’s network is prohibited unless expressly allowed by the Company.
All Employees understand that they may only be given access to certain information on a need-to-know basis.
Employees are further only allowed to use equipment which is necessary for the performance of their functions within the Company.
An Employee shall be designated to give access to other Employees.
Access to any Personal Data shall be subject to the written approval of the Management, and the Data Protection Officer.
An Employee may only be given access to Personal Data to which he or she has the duty, job, or function to process.
If an Employee seeks to have access to any Personal Data, which he or she is not entitled access to, the Employee must first seek written permission from the Data Protection Officer, who must record the request and thoroughly review the validity of the Request.
Any act of unauthorized access to Personal Data shall be a ground for termination.
Access to Networks and Network Services
The Company shall only allow access to its network to authorized individuals, whose identities have been verified by the Company.
Should it be necessary to provide access to individuals who are not connected with the Company, such as visitors and guests, the following guidelines must be observed:
Individuals who are not connected to the Company may only be given limited access to networks such as Wi-Fi.
The access point which shall be made available for individuals not connected to the Company should be separate from the access point used by the Company’s employees, and should not have access to other devices within the Company’s premises.
The Company shall further develop methods to restrict the access of employees to its network, which must conform with the following guidelines.
An employee may only be given access to the Company’s network using two (2)-factor authentication.
An employee must be given a device registered to their name, which would allow them to access the Company’s network.
An employee may only be allowed to access the Company’s network, by using the device, together with a secure password.
User Registration
All users of the Company’s network must be registered through a system which ensures the security of the entire network. In ensuring the security of the network, the following guidelines must be observed:
Each Employee shall be assigned a unique user ID which shall enable the Company to identify the Employee when accessing its network.
An Employee shall not allow any other person or Employee to use his or her user ID.
Upon resignation of the Employee, the Company shall immediately revoke the user ID of the Employee and review the accounts where the user ID has been used.
Privileged access rights
The Company shall control access to Personal Data and other privileged or confidential information, and shall create passwords for each type of information. The Company shall observe the following guidelines towards this end:
The Company shall allocate a password for each information system.
Only Employees who have legitimate purposes for accessing each type of information shall be granted access to an information system.
The Company shall allocate user IDs, different from user IDs given for regular business activities, for information systems containing privileged or confidential information, or Personal Data.
An employee may be given a generic user ID and a generic password to access certain types of information systems. However, once the purpose for the provision of the access is done, the Company must immediately change the password or user ID.
Review of user access rights
User access rights, especially for those involving Personal Data, must be periodically reviewed by the Company at regular intervals.
The Company shall conduct a review of all user access rights every three (3) months.
Should an Employee be transferred from one department to another, or be promoted to another position, thereby vacating his or her previous position, he or she must immediately inform the Management of the status of his or her user ID, and ask that steps be taken to change the details of his or her user ID and password.
User IDs and passwords used by Employees to access Personal Data must be reviewed every two (2) months.
Access control to program source codes
The Company shall maintain control over its program source codes, especially those which are used in the Website. To ensure the security of the program source codes, the Company must comply with the following guidelines:
Program source codes should be stored in program source libraries.
Program source codes shall be considered confidential information.
Only Employees tasked with maintaining the integrity of the source codes, or with conducting programming, are allowed to access the program source codes.
In order to ensure that the integrity of the program source code is kept, the Company shall assign a member of the Management to manage its source codes.
No Employee shall have access to the program source code without the authorization or directives of the Management.
The Company shall maintain a log of all instances where the program source code has been accessed.
CRYPTOGRAPHY
Enactment of a Policy on the use of cryptographic controls
The Company shall enact a policy for the use of cryptographic controls across its organization, for the protection, not only of Personal Data, but also of the Company’s business information.
Use of Cryptographic Controls for Personal Data
The Company shall use encryption for the protection of Personal Data which it has access to. For such purposes, the Company shall continue to follow the following guidelines:
The Company shall continue to use Secure Sockets Layer (SSL) for its Website, until such time that a more secure technology is developed.
The Company’s Information Technology (IT) department shall periodically conduct an audit of its encryption and security systems to ensure the continuous protection of its network and database.
PHYSICAL SECURITY MEASURES
Physical Security Perimeter
The Company shall, at all times, secure the perimeter of its office to ensure that all its Personal Data, as well as other confidential information are safe from physical security breaches. All Employees of the Company must comply with the following guidelines to ensure that the Company’s premises are safe from any intrusions:
The Company shall employ the use of locks which may only be accessed using Employee biometrics.
No person shall be granted access inside Company premises, without the proper authorization, and assistance of an Employee.
The Company shall continue to maintain Security Cameras, which serve as deterrents to possible security breaches, as well as evidence, in case of breach.
Fire doors should be monitored to ensure that they cannot be used to gain access to the Company’s premises.
Pedestals shall likewise be locked by Employees, before leaving their workstations and Company’s premises.
All rooms must be locked, if there is no one else left inside.
Before leaving the Company’s premises, all employees must turn off all electronic or electrical devices, save for those which are necessary for the Company’s operation.
The Company shall conduct a periodic review of all of its security measures to ensure prevention of any security breach.
Physical Entry Controls
The Company shall ensure that only authorized personnel will have access to the Company’s premises. The Company shall employ the following guidelines to maintain control over the security of its premises:
The Company shall assign an employee who will monitor all persons who enter or attempt to enter its premises.
The Company shall likewise employ the use of a logbook to log all the persons who enter and exit the Company’s premises.
Before entering the Company’s premises, visitors shall be made to log in and provide sufficient identification for recording. Personal Information gathered during this process shall be limited to the name, company name, and purpose of the Visitor. The Company shall not make any copies of the identification cards of its Visitors, and shall only copy as much information as may be needed to record the visit. After recording, the Company shall provide the Visitor with a badge which must be worn by the Visitor to readily identify him or her.
The Company’s logbook shall, at the end of the business day, be kept in a secure pedestal, which shall be locked by the Employee concerned.
External third-party support services shall only be granted restricted access to secure areas, and shall always be accompanied or monitored by an Employee.
Securing offices, rooms, and facilities
The Company shall maintain the security of all its working areas. To this end, all Employees must comply with the following guidelines:
All desks should be kept clean, with no document left behind, before an Employee leaves his or her workstation.
Blinds on external windows shall be kept closed to prevent any person from seeing what is inside the office.
The Company must exert all efforts to ensure that no outside person can tell that confidential information is kept within the Company premises.
Should an Employee take a short break, he or she must lock the screen of his or her computer, which must be password protected to prevent any person from gaining access to it, and must likewise lock his or her pedestal.
Protection against environmental threats
The Company shall conduct a periodic check of its premises. For this purpose, the Company shall:
Check for any leaks in its windows, which may be the source of water damage to any of its files and electronic equipment.
Check for any leaks in the plumbing, to prevent damage to electrical equipment and files.
Brief its Employees on which files must be secured, and how to secure confidential information, in case of emergencies.
Equipment
The Company must comply with the following guidelines, to ensure the safety of its equipment, as well as the information they contain:
All equipment must be positioned in the areas of the Company’s premises, where they are safe from the elements, or any other cause of equipment failure and destruction, such as leaks from the plumbing, overheating, fire, and such other causes.
Equipment containing Personal Data or information must be kept in secure areas, which are not accessible to the public.
Employees shall be required to comply with the equipment manufacturer’s specifications, to ensure proper use and function.
The Company must provide for emergency lights, and emergency back up power in case of power outages.
Electric, data, and communication cables must as far as practicable be kept separate, and must be placed in corners or areas which are inaccessible to the general public.
In case of transfer of equipment, the policies governing the transfer of assets and media shall likewise be applied to transfer of equipment.
Equipment and media taken off the Company premises should not be left in public places.
In case of reuse of electronic equipment, all Employees must make sure that any sensitive information belonging to the Company is backed up, and then deleted and overwritten in such a way that it can no longer be accessed, recovered, or used by the subsequent user.
In case of disposal of electronic equipment containing sensitive or personal information, all sensitive information must first be deleted in such a way that it is unrecoverable, and the equipment must then be physically destroyed so that it can no longer be used.
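As an added illustration of the overwrite-before-deletion step described above (this is example code, not a tool the Company uses), the Python function below overwrites a file with random bytes for several passes, forces each pass to the storage device, and only then unlinks it. The sample file contents are constructed and the function and file names are assumptions.

```python
import os
import secrets
import tempfile


def wipe_file(path, passes=3, chunk=1 << 16):
    """Overwrite a file's contents in place, flush each pass to disk, then unlink it.

    Returns True when the path no longer exists.
    """
    size = os.path.getsize(path)
    # buffering=0 gives a raw file object, so every write goes straight to the OS.
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                # Random bytes rather than a fixed pattern; a raw write may be partial,
                # so count only what was actually written.
                written = fh.write(secrets.token_bytes(min(chunk, remaining)))
                remaining -= written
            os.fsync(fh.fileno())  # make the pass reach the device before the next one
    os.remove(path)
    return not os.path.exists(path)


def demo_wipe():
    """Create a constructed file holding sample personal data, wipe it, report the result."""
    fd, path = tempfile.mkstemp(suffix=".csv")
    with os.fdopen(fd, "wb") as fh:
        # Constructed sample content, not a real data subject.
        fh.write(b"name,email\nSample Visitor,visitor@example.com\n")
    return wipe_file(path)
```

Overwriting in place is only reliable where the filesystem rewrites the same physical blocks. On solid-state drives with wear levelling, on copy-on-write or journaling filesystems, on volumes with snapshots, and in folders synchronised to cloud storage, the bytes written may land elsewhere and the original data may survive. That is why the policy requires physical destruction at disposal; for reusable equipment, full-disk encryption with destruction of the key is the dependable complement to this routine.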
Unattended user equipment
The Company shall impose strict compliance with the rules governing unattended user equipment.
All employees shall ensure that they terminate active sessions after they have finished working in their Computers. Employees must lock their computers with a password protected screensaver, or put their Computer units to sleep mode, whenever they leave their terminals.
Clear desk and clear screen policy
The Company shall implement a clear desk and clear screen policy with the following guidelines:
All documents which contain Personal Data, and sensitive or critical business information must be locked away in secured pedestals accessible only to their users.
Computers and terminals should be logged off, or protected with a screen and keyboard locking mechanism controlled by a password, or any other means of securing the same.
Measures to control the unauthorized use of photocopiers and other reproduction technology should be strictly imposed.
Data Format
Personal Data in custody of the Company may be in digital or electronic format and paper based or physical format.
The Company must impose strict guidelines in ensuring the security of each type of format, to ensure avoidance of any type of breach.
Data Room
The Company shall employ the use of a Data Room, where all Personal Information, as well as confidential company information shall be kept, whether as back ups or as primary documents. Use of a Data Room shall be under the following guidelines:
Only authorized personnel, whose access has been permitted by the Management may be allowed to enter the Data Room.
The Company shall keep a logbook, as well as an online registration platform to monitor persons who access the Data Room.
OPERATIONS SECURITY
Operational Procedures and Responsibilities
The Company shall ensure that all of its operational procedures are well documented to ensure preparedness for any changes in the Company’s organization or set up.
The Company must keep a logbook of all of its processes and the changes effected upon them, so that successors have a record of the history of those changes.
Capacity Management
The Company shall make sure that it has sufficient capacity to take on future roles as well as probable contingencies. To take on such task, the Company shall abide by the following guidelines:
The Company shall monitor its resources and shall conduct an inventory from time to time.
The Company must make sure to maintain foresight on the availability of its resources, and must make sure that it has sufficient resources to cover future endeavors.
The Company must make sure that none of its processes is highly dependent upon a single person, to ensure the continuation of its activities in case of absence.
Separation of development, testing, and operational environments
The Company shall make sure that its resources and processes are not all stored on a single system. To this end, all Employees are directed to comply with the following guidelines:
Development and operational software should run on different systems or computer processors and in different domains and directories.
Changes to operational systems and applications should be tested in a testing or staging environment, before being applied to operational systems.
Testing shall not be done on operational systems.
Compilers, editors, and other development tools or system utilities shall not be accessible from operational systems.
Users or Employees must use different user profiles for operational and testing systems.
Actual Personal Data shall not be copied into testing system environment.
Protection from Malware
The Company must ensure that its system, network, as well as equipment are free from malware. To this end, all Employees must comply with the following guidelines:
Employees are prohibited from installing any software into Company owned equipment, without authorization from Management.
The Company may only allow the installation of software that is validly signed by its publisher and is currently receiving security updates.
The Company shall invest in malware detection software which detects and removes any form of malware.
Employees shall not be allowed to install software which allows remote access to Company-owned equipment, unless the situation calls for such installation and Management has authorized it.
The Company shall make sure that all of its anti-malware software, including its signature databases, is kept up to date.
Back ups
The Company shall ensure that all of its information is backed up in secure media, under the following guidelines:
The Company shall ensure that it creates an accurate and complete back up of all of its records.
The Company shall likewise ensure the creation and recording of restoration procedures in case of data loss.
If possible, the Company shall make multiple back ups to ensure continuity of operations in case of contingencies.
Back ups shall be stored in a secure and remote location away from the Company premises, to ensure their safety and to escape any damage from a disaster at the main site.
Backups shall be restored and verified regularly to ensure their reliability in case of emergencies.
Logging and Monitoring
The Company shall keep a record of all of its events and generate evidence. Towards this end, the Company shall implement the following guidelines for logging and monitoring:
The Company shall record all user activities, exceptions, faults and information security events.
Event logs shall include the following:
User IDs;
System Activities;
Dates, times, and details of key events;
Device identity and location;
Records of successful and rejected system access attempts;
Records of successful and rejected data and other resource access attempts;
Changes to system configuration;
Use of privileges;
Use of system utilities and applications;
Files accessed and the kind of access;
Network addresses and protocols;
Alarms raised by the access control system;
Activation and deactivation of protection systems such as anti-virus, anti-malware, and intrusion detection systems;
Records of transactions executed by users in applications.
Considering that the event logs may contain Personal Data, the Company shall ensure that only key personnel, who have signed Non Disclosure Agreements should have access to the logs.
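As an added example (not the Company’s own logging system), the Python below writes audit events as JSON lines carrying the fields listed above, then reviews them for two of the events the policy says must be recorded: repeated rejected access attempts by one user, and configuration changes made with an elevated privilege. The field names, user IDs, hostnames and addresses are constructed sample data and assumptions for illustration.

```python
import json
from collections import Counter
from datetime import datetime, timezone


# Field names are assumptions mirroring the policy's list of event-log
# contents; they are not the Company's actual log schema.
def make_event(user_id, activity, outcome, device, location, when,
               resource=None, access_kind=None, src_addr=None,
               protocol=None, privilege=None):
    """Serialize one audit-log record as a single JSON line."""
    record = {
        "time": when.astimezone(timezone.utc).isoformat(),  # one time reference for all records
        "user_id": user_id,
        "activity": activity,        # e.g. "login", "file_read", "config_change"
        "outcome": outcome,          # "success" or "rejected"
        "device": device,
        "location": location,
        "resource": resource,        # file or data set accessed, if any
        "access_kind": access_kind,  # "read", "write", "delete", ...
        "src_addr": src_addr,        # network address of the client
        "protocol": protocol,
        "privilege": privilege,      # elevated privilege used, if any
    }
    return json.dumps(record, sort_keys=True)


def parse_events(lines):
    """Parse JSON lines back into dicts, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def rejected_attempts_by_user(events, threshold=3):
    """Users whose rejected access attempts reach the threshold."""
    counts = Counter(e["user_id"] for e in events if e["outcome"] == "rejected")
    return {user: n for user, n in counts.items() if n >= threshold}


def privileged_config_changes(events):
    """Configuration changes made with an elevated privilege; always worth review."""
    return [e for e in events
            if e["activity"] == "config_change" and e["privilege"] is not None]


def _t(hour, minute):
    """Fixed timestamps so the sample log is reproducible."""
    return datetime(2022, 9, 1, hour, minute, tzinfo=timezone.utc)


# Constructed sample log: no real users, hosts or addresses.
SAMPLE_LOG = [
    make_event("emp-017", "login", "success", "WS-03", "Sales office", _t(8, 1),
               src_addr="10.0.0.17", protocol="https"),
    make_event("emp-042", "login", "rejected", "WS-09", "Sales office", _t(8, 5),
               src_addr="10.0.0.42", protocol="https"),
    make_event("emp-042", "login", "rejected", "WS-09", "Sales office", _t(8, 6),
               src_addr="10.0.0.42", protocol="https"),
    make_event("emp-042", "login", "rejected", "WS-09", "Sales office", _t(8, 7),
               src_addr="10.0.0.42", protocol="https"),
    make_event("emp-017", "file_read", "success", "WS-03", "Sales office", _t(8, 30),
               resource="clients/2022-09.xlsx", access_kind="read"),
    make_event("emp-003", "config_change", "success", "SRV-01", "Data Room", _t(9, 0),
               resource="firewall/rules", access_kind="write", privilege="admin"),
]


def review():
    """Run both checks over the sample log and return the findings."""
    events = parse_events(SAMPLE_LOG)
    return {
        "repeated_rejections": rejected_attempts_by_user(events),
        "privileged_changes": [e["resource"] for e in privileged_config_changes(events)],
    }
```

Because each line carries a user ID, a resource name and a network address, the log itself is Personal Data, which is the reason the policy restricts log access to key personnel under non-disclosure agreements; the same restriction should apply to any copy produced by a review script such as this one.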
Clock synchronization
To ensure the accuracy of all information recorded by the Company, the Company must set a standard time reference for use within the organization. Such standard time shall be used for all the Company’s records, and documents.
COMMUNICATIONS SECURITY
Security of Network Services
The Company shall implement security mechanisms for all network services. To accomplish this, the Company must ensure that its service providers execute agreements for data security, laying down terms which are consistent with this Privacy Policy.
Information Transfer
To ensure that all information transferred by the Company is secure, complete, and available, the following guidelines shall be followed by all Employees:
In case information is transferred through removable media, Employees shall observe the guidelines for transfer of equipment and media.
In case information, including Personal Data is transferred through the internet, the Company must create a database of verified email addresses of all its intended recipients, to which any communication or information from the Company must be sent.
Employees must only send information and Personal Data to verified email addresses.
Information sent through email shall be encrypted and password protected, with the password communicated to the recipient through a separate channel rather than in the same email.
In case of separation of employees, for any reason, the Company shall create back ups of the contents of the email of its employees before deletion.
In case of exchanges of information to another party, the Company shall execute Non-disclosure Agreements, as well as Data Sharing Agreements to ensure the confidentiality of all information shared.
SYSTEM DEVELOPMENT
Securing Application Services on Public Networks
The Company must ensure the security of all of its information, including Personal Data, when access to its networks is made through public networks.
As a general rule, all Employees of the Company shall not be allowed to access the Company’s network using public networks.
Protection of application service transactions
The Company shall make sure that all application service transactions are protected and complete, and received by the proper recipient. The Company must thus comply with the following guidelines in the conduct of its transaction done electronically:
The Company shall develop policies involving the use of electronic signatures as defined by the Rules on Electronic Evidence Promulgated by the Supreme Court of the Philippines.
The Company may use two-factor authentication, or One Time Passwords, to verify the identity of Data Subjects using its Website.
Restrictions on changes to software packages
Modifications to software packages which the Company has acquired from third-party vendors shall be discouraged. Such modifications may constitute acts of infringement for which the Company can be made liable. Further, such modifications may result in failure of the software to perform properly. To avoid any untoward results, the Company must perform the following:
Before any modifications, the Company must make sure that the user license agreements of the software allow the Company to make any further modification.
In case of open source software, the Company must make sure that the modifications done are done within the limits set by the license.
Testing of Security Systems
The Company must ensure that its Security Systems are tested during their development stage, before using the same in actual operations.
Test Data
Test data used in the development of the Company’s network and system, shall be carefully selected, protected and controlled. All Employees charged with the development of the Company’s systems must observe the following:
Employees shall not use actual Personal Data when conducting testing.
Where operational information other than Personal Data must be copied into a test environment, a separate authorization procedure shall be followed each time such a copy is made.
Operational information shall be erased from a test environment immediately after testing is complete.
The Company shall maintain a log of all actual information used for testing to ensure the complete deletion of the same in testing environments.
COMPLIANCE WITH LAWS AND GOVERNMENT ISSUANCES
Intellectual Property Rights
The Company upholds and respects the intellectual property rights of persons, and promulgates the following guidelines to be observed in the use of Intellectual Property:
The Company shall only use software from known and reputable sources, for its equipment.
The Company shall conduct trainings and seminars about intellectual property to its employees.
The Company shall maintain proof and evidence of ownership of licenses, master disks, and manuals of software.
The Company shall not share any license with any other user outside of its organization.
Employees may not alter the source codes of third party software without the authorization of the Company.
Employees shall not duplicate, convert, or extract any work from commercial recordings, unless otherwise permitted by copyright law.
Employees shall likewise not be allowed to copy, in full and in part, any books, articles, reports, or other literary documents, unless otherwise permitted by law.
BREACH AND SECURITY INCIDENTS
CREATION OF A DATA BREACH RESPONSE TEAM
The Company shall constitute a data breach response team composed of five (5) members, with at least one (1) member having the authority to make immediate decisions regarding critical and necessary action. The team may include the Company’s Data Protection Officer.
The Data Breach Response Team shall be responsible for the following:
Implementation of the Company’s security incident management policy;
Management of security incidents, and personal data breaches;
Facilitating the Company’s compliance with the relevant provisions of the Data Privacy Act of 2012, its Implementing Rules and Regulations, and all issuances of the National Privacy Commission on data breach management.
GUIDELINES FOR INCIDENT RESPONSE
Discovery of Security Incidents
The Company must periodically audit its security systems and check for any types of security breach which might have occurred. In order to timely discover any type of security incident, the Company must perform the following:
The Company must scan its databases and network for vulnerabilities at least once a month.
The Company must formulate guidelines to assess whether an incident should be considered as a security incident or a security breach.
The Company’s Data Protection Officer shall be charged with ensuring compliance with this Policy as well as the conduct of an audit.
Internal Reporting
In case of a security breach or an incident which might be construed as a security breach, the following steps should be followed:
The person who discovers the incident shall inform the Data Protection Officer immediately, and in no case later than twenty-four (24) hours from discovery. In the absence of the Data Protection Officer, the person who discovered the incident must immediately inform any member of Management.
Upon receipt of the information about the incident, the Company must immediately call the Data Breach Response Team into action.
The Data Breach Response Team shall immediately verify whether a breach has in fact occurred, and shall assess the type and extent of the breach.
The Data Breach Response Team shall then investigate the incident, and shall identify its cause and the person responsible for the breach.
Within twenty-four (24) hours from notification, the Company, through its Data Breach Response Team, must complete its investigation and assess whether there is a need to report the breach to the National Privacy Commission.
When to Notify the National Privacy Commission
The Company shall be required to notify the National Privacy Commission, upon knowledge of or when there is a reasonable belief that a personal data breach requiring notification has occurred under the following conditions:
The Personal Data involves sensitive personal information or any other information that may be used to enable identity fraud. Such other information includes, but is not limited to: a) data about the financial or economic situation of the Data Subject; b) usernames, passwords, and other login data; c) biometric data; d) copies of identification documents, licenses, or unique identifiers such as PhilHealth, SSS, GSIS, or TIN numbers; e) other similar information which may be made the basis of decisions concerning the Data Subject, including the grant of rights or benefits;
There is reason to believe that the information may have been acquired by an unauthorized person;
The Company or the National Privacy Commission believes that the unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected Data Subject.
In case there is doubt as to whether there is a need to notify the National Privacy Commission, the Company must take into account as primary consideration, the likelihood of harm or negative consequences on the affected data subjects, and how notification, particularly of the data subjects, could reduce the risks arising from the personal data breach reasonably believed to have occurred. The Company shall also consider if the personal data reasonably believed to have been compromised involves:
Information that would likely affect national security, public safety, public order, or public health;
At least one hundred (100) individuals;
Information required by applicable laws or rules to be confidential; or
Personal data of vulnerable groups.
Notification of the Commission
In case the Company determines that it has been subject of an actual Data Security Breach, it must report the incident to the National Privacy Commission, and comply with Section 17, Rule V, of NPC Circular No. 2016-03, or the Personal Data Breach Management, issued by the National Privacy Commission, which provides as follows:
“SECTION 17. Notification of the Commission. The personal information controller shall notify the Commission of a personal data breach subject to the following procedures:
When Notification Should be Done. The Commission shall be notified within seventy-two (72) hours upon knowledge of or the reasonable belief by the personal information controller or personal information processor that a personal data breach has occurred.
Delay in Notification. Notification may only be delayed to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system. The personal information controller need not be absolutely certain of the scope of the breach prior to notification. Its inability to immediately secure or restore integrity to the information and communications system shall not be a ground for any delay in notification, if such delay would be prejudicial to the rights of the data subjects. Delay in notification shall not be excused if it is used to perpetuate fraud or to conceal the personal data breach.
When delay is prohibited. There shall be no delay in the notification if the breach involves at least one hundred (100) data subjects, or the disclosure of sensitive personal information will harm or adversely affect the data subject. In both instances, the Commission shall be notified within the 72-hour period based on available information. The full report of the personal data breach must be submitted within five (5) days, unless the personal information controller is granted additional time by the Commission to comply.
Content of Notification. The notification shall include, but not be limited to:
Nature of the Breach
description of how the breach occurred and the vulnerability of the data processing system that allowed the breach;
a chronology of the events leading up to the loss of control over the personal data;
approximate number of data subjects or records involved;
description or nature of the personal data breach;
description of the likely consequences of the personal data breach; and
name and contact details of the data protection officer or any other accountable persons.
Personal Data Possibly Involved
description of sensitive personal information involved; and
description of other information involved that may be used to enable identity fraud.
Measures Taken to Address the Breach
description of the measures taken or proposed to be taken to address the breach;
actions being taken to secure or recover the personal data that were compromised;
actions performed or proposed to mitigate possible harm or negative consequences, and limit the damage or distress to those affected by the incident;
action being taken to inform the data subjects affected by the incident, or reasons for any delay in the notification;
the measures being taken to prevent a recurrence of the incident.
The Commission reserves the right to require additional information, if necessary.
Form. Notification shall be in the form of a report, whether written or electronic, containing the required contents of notification: Provided, that the report shall also include the name and contact details of the data protection officer and a designated representative of the personal information controller: Provided further, that, where applicable, the manner of notification of the data subjects shall also be included in the report. Where notification is transmitted by electronic mail, the personal information controller shall ensure the secure transmission thereof. Upon receipt of the notification, the Commission shall send a confirmation to the personal information controller. A report is not deemed filed without such confirmation. Where the notification is through a written report, the received copy retained by the personal information controller shall constitute proof of such confirmation.”
Notification of Data Subjects
In case of breach, the Company must likewise inform the Data Subjects of the said breach, and comply with Section 18, Rule V, of NPC Circular No. 2016-03, or the Personal Data Breach Management, issued by the National Privacy Commission, which provides as follows:
“SECTION 18. Notification of Data Subjects. The personal information controller shall notify the data subjects affected by a personal data breach, subject to the following procedures:
When should notification be done. The data subjects shall be notified within seventy-two (72) hours upon knowledge of or reasonable belief by the personal information controller or personal information processor that a personal data breach has occurred. The notification may be made on the basis of available information within the 72-hour period if the personal data breach is likely to give rise to a real risk to the rights and freedoms of data subjects. It shall be undertaken in a manner that would allow data subjects to take the necessary precautions or other measures to protect themselves against the possible effects of the breach. It may be supplemented with additional information at a later stage on the basis of further investigation.
Exemption or Postponement of Notification. If it is not reasonably possible to notify the data subjects within the prescribed period, the personal information controller shall request the Commission for an exemption from the notification requirement, or the postponement of the notification. A personal information controller may be exempted from the notification requirement where the Commission determines that such notification would not be in the public interest or in the interest of the affected data subjects. The Commission may authorize the postponement of notification where it may hinder the progress of a criminal investigation related to a serious breach, taking into account circumstances provided in Section 13 of this Circular, and other risks posed by the personal data breach.
Content of Notification. The notification shall include, but not be limited to:
nature of the breach;
personal data possibly involved;
measures taken to address the breach;
measures taken to reduce the harm or negative consequences of the breach;
representative of the personal information controller, including his or her contact details, from whom the data subject can obtain additional information regarding the breach; and
any assistance to be provided to the affected data subjects.
Where it is not possible to provide the foregoing information all at the same time, they may be provided in phases without undue delay.
Form. Notification of affected data subjects shall be done individually, using secure means of communication, whether written or electronic. The personal information controller shall take the necessary steps to ensure the proper identity of the data subject being notified, and to safeguard against further unnecessary disclosure of personal data. The personal information controller shall establish all reasonable mechanisms to ensure that all affected data subjects are made aware of the breach: Provided, that where individual notification is not possible or would require a disproportionate effort, the personal information controller may seek the approval of the Commission to use alternative means of notification, such as through public communication or any similar measure through which the data subjects are informed in an equally effective manner: Provided further, that the personal information controller shall establish means through which the data subjects can exercise their rights and obtain more detailed information relating to the breach.”
RECOVERY AND RESTORATION OF PERSONAL DATA
Upon discovery of the breach, the Company must turn to its backups of the affected information and compare the same with its operational data to determine the presence of any inconsistencies or alterations resulting from the incident.
The Company shall comply with the following guidelines in restoring Personal Data:
The Company must immediately isolate the Personal Data which has been involved in the Security Breach, and identify whether the breach has affected the Personal Data’s availability, integrity, or confidentiality.
In case the breach has affected the Integrity of the Personal Data, the Company shall compare the operational data to the data stored in its backups to ensure that no alterations have resulted from the breach.
In case the breach has affected the availability of Personal Data, the Company must refer to its backups, and find means of verifying that the information contained therein are up to date.
In case the breach has affected the confidentiality of Personal Data, the Company must ensure that it exerts all reasonable measures to inform the affected Data Subjects of the breach, and must provide instructions to curtail the possible fraudulent use of their Personal Data.
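As an added example of the backup comparison described above (example code, not the Company’s procedure), the Python below hashes each record in canonical form and reports which records differ between the operational store and the backup, which records are missing from the operational store, and which are present but absent from the backup. The record identifiers and field values are constructed sample data.

```python
import hashlib
import json


def record_digest(record):
    """SHA-256 over a canonical JSON form, so field order alone never reads as a change."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def compare_with_backup(operational, backup):
    """Both arguments map record id -> record dict.

    Returns sorted ids that were altered, are missing from the operational
    store, or appear in the operational store without a backup counterpart.
    """
    op = {k: record_digest(v) for k, v in operational.items()}
    bk = {k: record_digest(v) for k, v in backup.items()}
    return {
        "altered": sorted(k for k in op.keys() & bk.keys() if op[k] != bk[k]),
        "missing": sorted(bk.keys() - op.keys()),     # in backup, gone from operational store
        "unexpected": sorted(op.keys() - bk.keys()),  # present now, absent from backup
    }


# Constructed sample records; these are not real data subjects.
BACKUP = {
    "c-1001": {"name": "Client One", "email": "one@example.com", "credit_limit": 5000},
    "c-1002": {"name": "Client Two", "email": "two@example.com", "credit_limit": 2500},
    "c-1003": {"name": "Client Three", "email": "three@example.com", "credit_limit": 1000},
}
OPERATIONAL = {
    # same content as the backup, only with fields in a different order
    "c-1001": {"email": "one@example.com", "name": "Client One", "credit_limit": 5000},
    # credit limit changed since the backup was taken
    "c-1002": {"name": "Client Two", "email": "two@example.com", "credit_limit": 250000},
    # c-1003 has disappeared; c-1004 is new
    "c-1004": {"name": "Client Four", "email": "four@example.com", "credit_limit": 800},
}


def demo():
    """Compare the constructed operational store against its backup."""
    return compare_with_backup(OPERATIONAL, BACKUP)
```

Records that were legitimately changed after the backup was taken will also appear under "altered", so the comparison should be read together with the backup’s timestamp and the process change log the policy requires, and every difference should be confirmed before data is restored from the backup.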
DOCUMENTATION
The Company must document all the incidents related to the security breach, under the following guidelines:
The Company must maintain a log of all information in relation to the security breach, and must document the incident in a chronological order.
All information in relation to the breach must be recorded, from the time of discovery, until resolution.
The Company must keep a record of all incident reports submitted by the concerned Employees, as well as all the communications which it has made or received to and from the National Privacy Commission.
INQUIRIES AND COMPLAINTS
Data Subjects may inquire or request for information regarding any matter relating to the processing of their Personal Data under the custody of the Company, including the Privacy Policy of the Company implemented to ensure protection of their Personal Data.
Data subjects may write to the Company through its email address: swm.sales@solidwineonline.com.ph, and briefly discuss the inquiry, together with their contact details for reference.
In case of Complaints, the Company must verify the identity of the Data Subject who filed the Complaint, and respond to the Data Subject within three (3) days from receipt of the Complaint.
EFFECTIVITY
The provisions of this Privacy Policy shall be effective this 1st day of September 2022, until revoked or amended by the Company, through a Board Resolution.