DATA PRIVACY AND PROTECTION POLICY

1. OBJECTIVE:

1.1. It is the policy of the Company to protect the security and privacy of the personal data of its customers, clients and employees. To address this and in compliance with the requirements of the Data Privacy Act (R.A. 10173), the Company hereby formulates and implements its own Data Privacy and Protection Policy specifically crafted to conform with its operations.

1.2. This Policy shall supplement all rights and obligations of parties as laid out in R.A. 10173.

1.3. The Company is committed to complying not only with national regulation but also with international standards on data privacy and protection. This Data Privacy and Protection Policy applies to all areas where the Company operates and shall cover all its employees. The policy is based on globally accepted, basic principles on data protection.

1.4. R.A. 10173 will take precedence if it conflicts with the Company’s Data Privacy and Protection Policy.

2. COVERAGE:

2.1. This policy shall cover all personal data obtained by the company in its capacity as a Personal Information Controller or as a Personal Information Processor.

3. DEFINITION OF TERMS

3.1. Company - refers to EQI Delivery Serve, Inc.

3.2. Personal Information Controller – refers to the company or person who controls the processing of personal data or instructs another to process personal data on its behalf.

3.3. Personal Information Processor – refers to the company or person to whom a personal information controller may outsource or instruct the processing of personal data.

3.4. Data Privacy Officer – refers to the person appointed by the Company whether he is an employee or not to undertake the following functions:

3.4.1. Monitor the PIC’s or PIP’s compliance with the DPA, its IRR, issuances by the NPC and other applicable laws and policies. To this end, the Data Privacy Officer may:

3.4.1.1. Collect information to identify the processing operations, activities, measures, projects, programs, or systems of the PIC or PIP, and maintain a record thereof.

3.4.1.2. Analyze and check the compliance of processing activities, including the issuance of security clearances to and compliance by third-party service providers;

3.4.1.3. Inform, advise, and issue recommendations to the PIC or PIP;

3.4.1.4. Ascertain renewal of accreditations or certifications necessary to maintain the required standards in personal data processing; and

3.4.1.5. Advise the PIC or PIP as regards the necessity of executing a Data Sharing Agreement with third parties, and ensure its compliance with the law;

3.4.2. Ensure the conduct of Privacy Impact Assessments relative to activities, measures, projects, programs, or systems of the PIC or PIP;

3.4.3. Advise the PIC or PIP regarding complaints and/or the exercise by data subjects of their rights (e.g., requests for information, clarifications, rectification or deletion of personal data);

3.4.4. Ensure proper data breach and security incident management by the PIC or PIP, including the latter’s preparation and submission to the NPC of reports and other documentation concerning security incidents or data breaches within the prescribed period;

3.4.5. Inform and cultivate awareness on privacy and data protection within the organization, including all relevant laws, rules and regulations and issuances of the NPC;

3.4.6. Advocate for the development, review and/or revision of policies, guidelines, projects and/or programs of the PIC or PIP relating to privacy and data protection, by adopting a privacy by design approach;

3.4.7. Serve as the contact person of the PIC or PIP vis-à-vis data subjects, the NPC and other authorities in all matters concerning data privacy or security issues or concerns and the PIC or PIP;

3.4.8. Cooperate, coordinate and seek advice of the NPC regarding matters concerning data privacy and security; and

3.4.9. Perform other duties and tasks that may be assigned by the PIC or PIP that will further the interest of data privacy and security and uphold the rights of the data subjects.

3.4.10. Except for items 3.4.1 to 3.4.3, a Compliance Officer for Privacy (COP) shall perform all other functions of a DPO. Where appropriate, he or she shall also assist the supervising DPO in the performance of the latter’s functions.

3.5. Data Subject – refers to an individual whose personal, sensitive personal, or privileged information is processed.

3.6. Consent of the Data Subject – refers to any freely given, specific, informed indication of the will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged information. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful representative, or an agent specifically authorized by data subject to do so.

3.7. Personal Information/Data – refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained such as birth date, gender, race, height, home address, civil status, government numbers (SSS, Philhealth, HDMF, TIN, Driver’s License, Passport), name of parents, spouse or children.

3.8. Processing – refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing if the personal data are contained or are intended to be contained in a filing system.

4. PROCESSING OF PERSONAL DATA

4.1. Purpose of Processing Personal Data: The following are the instances where Personal Information and Data may be processed by the Company, in a manner reasonably adequate for and relevant to the applicable purpose:

4.1.1. For human resources and personnel management processes which may include recruitment, workforce planning, training and performance management, compensation and benefits, leave and benefits management, pay slip distribution, employee information and skill management, employee survey, exit interviews and processed record, and health and safety. In such a case, the Company acts as a Personal Information Controller.

4.1.2. For Personal Data from personnel of suppliers and vendors, contributors, clients and prospects and visitors. In such a case, the Company also acts as a Personal Information Controller.

4.1.3. For business process execution and management processes which may include any activities or services done by the Company on behalf of or for the client. In such a case, the Company acts as a Personal Information Processor.

4.2. Governing Rules While Processing Personal Data: The Company and its employees, including its suppliers, in processing personal information/data must observe the following principles:

4.2.1. Personal information must be processed fairly and lawfully.

4.2.2. Processing should ensure data quality.

4.2.3. Personal Information must be processed with transparency. The data subject must be aware of the nature, purpose and extent of the processing of his or her personal data, including the risks involved, the identity of personal information controller, his or her rights as a data subject and how these can be exercised.

4.2.4. Personal Information must be processed for one or more, declared, specified and lawful purpose(s) and may not be processed incompatibly with those purposes. Further processing of the data for historical, statistical or scientific purposes shall not be considered incompatible.

4.2.5. The processing of Personal Data must be adequate, relevant, suitable, necessary, and not excessive in relation to the declared and specified purposes for which the data is processed.

4.2.6. Personal Information must be accurate and kept up to date in such a way as to give a true picture of the current situation of the data subject.

4.2.7. Any authorized further processing shall have adequate safeguards.

4.2.8. Personal Information must not be kept for longer than is necessary. Information shall be erased when they have ceased to be necessary or relevant for the purpose for which they were obtained or recorded.

4.2.9. Personal information shall be disposed of or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other party or the public, or prejudice to the interests of the data subjects.

4.2.10. Appropriate technical and organizational measures must be taken against unauthorized or unlawful processing of Personal Information as well as against accidental loss, destruction of or damage to that information.

4.2.11. The collection of information by fraudulent, unfair or illicit means is prohibited.

4.3. Governing rules when the Company acts as Data Controller: The Company, when acting as a Data Controller, must comply with the following additional requirements:

4.3.1. Compliance with the registration requirement with the National Privacy Commission required by R.A. 10173.

4.3.2. Consent to process Personal Information must first be given by the Data Subject before collection, processing, or storage of any Personal Data, unless laid down otherwise by law. Every Data Subject must be informed of the purpose for which Personal Data is collected, stored, or processed;

4.3.3. The Company shall provide the Data Subject with the identity and address of the Data Controller or his representative, if any; the purposes of the processing; the recipients or categories of recipients of the data; and the existence of the right of access to, and the rights to rectification, erasure of and objection to, the data concerning him/her.

5. TRANSFER OF DATA TO THIRD PARTY PROVIDERS

5.1. In all cases, the Company must ensure that the transfer or processing of Personal Data is done with proper and reasonable security and protection. It must be ensured that the receiving entity or any third-party provider provides the same adequate level of protection.

6. RETENTION OF DATA: Storage of Personal Data by the Company must be made in accordance with the following rules:

6.1. The reasonable length of time Personal Data is kept must be reviewed periodically;

6.2. Such retention must conform to the purpose/s for which it was taken and must not be kept after the purpose/s has/have been accomplished;

6.3. All Personal Data must be deleted or anonymized in a secured manner ensuring protection from unlawful or wrongful access;

6.4. Retained Personal Data must be accurate, archived and updated and it must be securely deleted once it goes out of date. It is the responsibility of the Data Subject to inform the Company of any inaccuracy or update to his/her personal data. However, the Company will exert reasonable effort to maintain its database as accurate and updated as possible. Where the Company shares Personal Data among its subsidiaries, those subsidiaries must agree what to do with such Personal Data once they no longer need to share the information.

7. INFORMATION SECURITY

7.1. The Company must ensure that only authorized personnel can access, alter, disclose or destroy Personal Data and that those people only act within the scope of their authority in relation to Personal Data. A system must be created to:

7.1.1. Protect Personal Data from accidental loss, alteration, or destruction; and

7.1.2. Ensure that Personal Data is recoverable, to prevent any damage or distress to the Data Subjects concerned.

7.2. Safeguards must be put in place to protect Personal Data, which may include physical and environmental security such as facility, workstation and access control; computer security such as security devices and encryption; and employee security awareness such as new hire and annual training. The Company must also conduct a risk assessment from time to time and must be accountable for the organizational policies, procedures and documentation requirements.

7.3. Security requirements of local laws must be complied with. IT standards must conform to local and contractual requirements. Therefore, Information Security officers must always refer and keep up to date regarding applicable specific or local security standards when addressing security of Personal Data.

7.4. In case of any Personal Data breach, the Company must engage a breach-management plan which includes at least the following:

7.4.1. Breach Containment and recovery – The Company must resolve the incident by applying a recovery plan and, where necessary, procedures for damage limitation.

7.4.2. Breach Resolution and Safeguards – The Company must resolve the incident by applying a recovery plan and, where necessary, procedures for damage limitation.

7.4.3. Risk Assessment – The Company must assess associated risks, such as the adverse consequences for individuals; seriousness of the breach; and risk of repetition.

7.4.4. Breach Notification – The Company must inform the people concerned about an information security breach, the appropriate data protection authority, and other appropriate parties such as the police and the banks, as the case may be.

7.4.5. Process Evaluation – An investigation must be conducted to determine the cause of the breach and evaluate the effectiveness of the response made. Policies and procedures must be revised accordingly.

8. COOPERATION WITH DATA PROTECTION AUTHORITIES

8.1. It is a duty of the Company and its employees to co-operate with and to respond diligently and appropriately to any inquiry or request made by appropriate local data protection authorities. Such request may include an audit inquiry or a request for the Company to be audited, if deemed necessary, and to comply with the advice of Data Protection Authorities on any issue regarding these standards or compliance with privacy laws.

9. SANCTIONS

9.1. Any employee who has attempted to breach, has allegedly breached, or has in fact breached this Policy, whether by negligence or willful misconduct, will be subject to disciplinary sanctions by the Company in accordance with the Company Code of Conduct, R.A. 11073, and its implementing rules and regulations.

10. RECRUITMENT AND HUMAN RESOURCES DATA PRIVACY GUIDELINES

10.1. Data Collection

10.1.1. The Recruitment Personnel shall be responsible for collecting and processing information as part of the screening and hiring process, where job applicants are required to submit their resume and input personal information through the recruitment portal.

10.1.2. Hard copies of data or documents collected during the hiring process shall be endorsed to the Employee and Labor Relations Specialist for creation of the 201 file.

10.1.3. The Compensation and Benefits Personnel shall also have access to the personal information of employees for processing of statutory and healthcare benefits, such as government numbers, civil status, birthday and personal information of dependents.

10.1.4. The Compensation and Benefits Specialist shall be responsible for updating personnel information as necessary. Any document received or submitted subsequently by employees for update purposes shall go directly to the 201 File of the employee.

10.1.5. Personal data of employees, including salary details, is also shared with the Payroll Officer as required in administering payout of salaries.

10.1.6. All personal information of employees being transferred to authorized personnel should be password protected if transmitted through email or removable media.

10.2. Information Update

10.2.1. It is the employee’s obligation to inform the HR Department of any change in the information contained in the 201 file, i.e., civil status, address, contact numbers and names of dependents or beneficiaries.

10.2.2. Notification to HR Department must be done within thirty days after the commencement date of any change in personal information of an employee.

10.2.3. Supporting documentation is required prior to updating of some information in the system. Only upon receipt of these documents may any personal information change take effect.

Amendment                                        Requirement/s          Agency to be updated
1. Civil Status / Maiden Name to Married Name    Marriage Certificate   SSS, Philhealth, HDMF, BIR
2. Additional Dependent                          Birth Certificate      SSS, Philhealth, HDMF, BIR

10.2.4. Update of some personal information of employees such as contact number, home address, and number of dependents shall be initiated by the Human Resource Department yearly to keep the information accurate and up to date.

10.3. Data Storage

10.3.1. HR Employees handling sensitive or confidential information should make sure documents and printouts are not left where unauthorized people could see them. Lock the monitor screen when leaving the workstation or when the computer is not in use.

10.3.2. All 201 files or any document which contains personal information of employees, trainees and job applicants should be kept and maintained inside a locked filing cabinet or drawer within the HR office, where unauthorized people cannot see them.

10.3.3. Electronic files from the recruitment portal and the HRIS (Human Resource Information System) must be stored on the central file server, protected with a strong password.

10.3.4. If data is stored on removable media (such as a flash drive), the media should be locked away securely when not in use.

10.3.5. All filing cabinets and drawers containing 201 files and personnel records of active and separated employees of up to one (1) year must be placed inside the HR office.

10.3.6. Personnel records of separated employees of more than one (1) year shall be transferred to the storage room. Boxes containing the 201 files, or any personnel records, must be properly labelled prior to turnover to the Storage Personnel with:

10.3.6.1. Box Number;

10.3.6.2. List of separated employees posted outside the box (if 201 file or recruitment related files);

10.3.6.2. List of separated employees posted outside the box (if 201 file or recruitment related files);

10.3.7. Electronic inventory of all 201 files, recruitment files and statutory files transferred to the warehouse shall be maintained and kept by respective owners or responsible persons.

10.3.8. An acknowledgement receipt upon turnover to Administration Department must be properly filed in a folder for monitoring and control purposes.

10.4. Data Access

10.4.1. Any personal data of employees shall not be shared or disclosed to any person, within or outside the company.

10.4.2. The Company shall restrict internal access to employee records and only the HR personnel shall be authorized to retrieve certain information from the 201 file.

10.4.3. Only the following personnel under these sections are authorized to have access and process personal information of employees:

10.4.3.1 Recruitment;

10.4.3.2 Employee Relations;

10.4.3.3 Compensation and Benefits;

10.4.3.4 Payroll;

10.4.3.5 Legal.

10.4.4. Any request for retrieval of data should be made in writing and shall pass through the approval of the HR Head.

10.4.5. Retrieval of physical documents shall only be allowed by the HR Head within the HR Office. Taking documents outside the HR office is prohibited.

10.4.6. All approved information/data requests or retrieval shall be logged accordingly for monitoring and security purposes. This can be done either through a logbook or electronically by respective owners or responsible person.

10.5. Destruction

10.5.1. Data printouts should be shredded and disposed of securely when no longer required.

10.5.2. Personnel records shall be kept and maintained for a period of five (5) years after resignation or separation of the employee from the Company. All hard copies of personnel records of resigned employees shall be destroyed or shredded after this period. Electronic files or soft copies of personal or confidential information shall be deleted from the system as well.

10.5.3. All information and data collected from unsuccessful job applicants shall be retained for a period of 12 months. After this period, all files and information collected shall be destroyed.

10.6. Sanctions

10.6.1. Any employee who has violated this policy, whether by negligence or willful misconduct, will be subject to disciplinary action in accordance with Company’s Code of Conduct.

11. Effectivity

11.1. The Policy shall become effective upon approval of the President.

11.2. Within thirty (30) days from its approval, the Data Privacy Officer shall conduct an orientation to all the employees of the company in relation to the changes in the policy as well as updates on the law and rulings of the National Privacy Commission.

© EDSI 2025.