Individual or Any Legal Entity
Individual or Any Legal Entity
Individual or Any Legal Entity
DEFINITIONS
1. Data Privacy Act or DPA refers to Republic Act No. 10173 or the Data Privacy
Act of 2012 and its Implementing Rules and Regulations.
2. Data Subject refers to an individual whose Personal Information, Sensitive
Personal Information, or Privileged Information is processed.
3. Company refers to One Touch Communications, Inc.
4. Personal Data collectively refers to Personal Information, Sensitive Personal
Information, and Privileged Information.
5. Personal Information refers to any information, whether recorded in a material
form or not, from which the identity of an individual or any legal entity is
apparent or can be reasonably and directly ascertained by the entity holding the
information, or when put together with other information would directly and
certainly identify an individual.
6. Processing refers to any operation or set of operations performed upon Personal
Data including, but not limited to, the collection, recording, organization,
storage, updating or modification, retrieval, consultation, use, consolidation,
blocking, erasure or destruction of data. Processing may be performed through
automated means, or manual processing, if the Personal Data are contained or
are intended to be contained in a filing system.
7. Privileged Information refers to any and all forms of Personal Data, which,
under the Rules of Court and other pertinent laws constitute privileged
communication.
8. Security Incident is an event or occurrence that affects or tends to affect data
protection, or may compromise the availability, integrity and confidentiality of
Personal Data. It includes incidents that would result to a personal data breach,
if not for safeguards that have been put in place.
9. Sensitive Personal Information refers to Personal Data:
2
a. About an individual’s race, ethnic origin, marital status, age, color, and
religious, philosophical or political affiliations;
b. About an individual’s health, education, genetic or sexual life, or to any
proceeding for any offense committed or alleged to have been committed by
such individual, the disposal of such proceedings, or the sentence of any
court in such proceedings;
c. Issued by government agencies peculiar to an individual which includes, but
is not limited to, social security numbers, previous or current health records,
licenses or its denials, suspension or revocation, and tax returns; and
d. Specifically established by an executive order or an act of Congress to be kept
classified.
The DPO is responsible for ensuring the Company’s compliance with applicable
laws and regulations for the protection of data privacy and security. The
functions and responsibilities of the DPO shall particularly include, among
others:
b. acting as a liaison between the Company and the regulatory and accrediting
bodies, and is in charge of the applicable registration, notification, and
reportorial requirements mandated by the Data Privacy Act, as well any
other applicable data privacy laws and regulations;
2
d. acting as the primary point of contact whom Data Subject may coordinate
and consult with for all concerns relating to their Personal Data;
a. Transparency. The Data Subject must be aware of the nature, purpose, and
extent of the Processing of his or her Personal Data by the Company,
including the risks and safeguards involved, the identity of persons and
entities involved in Processing his or her Personal Data, his or her rights as
a Data Subject, and how these can be exercised. Any information and
communication relating to the Processing of Personal Data should be easy
to access and understand, using clear and plain language.
3
3. Data Processing Records
c. general information about the data flow within the Company, from the time
of collection and retention, including the time limits for disposal or erasure of
Personal Data;
e. the name and contact details of the DPO, Personal Data processors, as well as
any other staff members accountable for ensuring compliance with the
applicable laws and regulations for the protection of data privacy and
security.
The DPO, with the assistance of HRD, shall ensure that Company shall obtain
the employee’s informed consent, evidenced by written, electronic or recorded
means, to:
4
a. The Processing of his or her Personal Data, for purposes of maintaining
the Company’s records; and
The DPO, with the assistance of the Company’s HRD and any other
departments of the Company responsible for the Processing of Personal Data,
shall document the Company’s Personal Data Processing procedures. The DPO
shall ensure that such procedures are updated and that the consent of the Data
Subjects (when required by the DPA or other applicable laws or regulations) is
properly obtained and evidenced by written, electronic or recorded means.
Such procedures shall also be regularly monitored, modified, and updated to
ensure that the rights of the Data Subjects are respected, and that Processing
thereof is done fully in accordance with the DPA and other applicable laws and
regulations.
Subject to applicable requirements of the DPA and other relevant laws and
regulations, Personal Data shall not be retained by the Company for a period
longer than necessary and/or proportionate to the purposes for which such
data was collected. The DPO, with the assistance of the Company’s HRD and
any other departments of the Company responsible for the Processing of
Personal Data, shall be responsible for developing measures to determine the
applicable data retention schedules, and procedures to allow for the
withdrawal of previously given consent of the Data Subject, as well as to
safeguard the destruction and disposal of such Personal Data in accordance
with the DPA and other applicable laws and regulations.
The DPO, with the assistance of HRD and the Information and Technology
Management Department (“IT”), shall develop and implement policies and
procedures for the Company to monitor and limit access to, and activities in, the
offices of HRD, as well as any other departments and/or
5
workstations in the Company where Personal Data is processed, including
guidelines that specify the proper use of, and access to, electronic media.
The design and layout of the office spaces and work stations of the
abovementioned departments, including the physical arrangement of furniture
and equipment, shall be periodically evaluated and readjusted in order to provide
privacy to anyone Processing Personal Data, taking into consideration the
environment and accessibility to unauthorized persons.
The DPO, with the cooperation and assistance of IT, shall continuously develop
and evaluate the Company’s security policy with respect to the Processing of
Personal Data. The security policy should include the following minimum
requirements:
6
6. encryption of Personal Data during storage and while in transit, authentication
process, and other technical security measures that control and limit access
thereto.
As provided under the DPA, Data Subjects have the following rights in connection
with the Processing of their Personal Data: right to be informed, right to object,
right to access, right to rectification, right to erasure or blocking, and right to
damages. Employees and agents of the Company are required to strictly respect
and obey the rights of the Data Subjects. The DPO, with the assistance of HRD
shall be responsible for monitoring such compliance and developing the
appropriate disciplinary measures and mechanism.
1. Right to be informed
The Data Subject has the right to be informed whether Personal Data pertaining
to him or her shall be, are being, or have been processed.
The Data Subject shall be notified and furnished with information indicated
hereunder before the entry of his or her Personal Data into the records of the
Company, or at the next practical opportunity:
b. purposes for which they are being or will be processed, including Processing
for direct marketing, profiling or historical, statistical or scientific purpose;
c. basis of Processing, when Processing is not based on the consent of the Data
Subject;
e. the recipients or classes of recipients to whom the Personal Data are or may
be disclosed or shared;
f. methods utilized for automated access, if the same is allowed by the Data
Subject, and the extent to which such access is authorized, including
meaningful information about the logic involved, as well
7
as the significance and the envisaged consequences of such Processing
for the Data Subject;
h. the period for which the Personal Data will be stored; and
i. the existence of their rights as Data Subjects, including the right to access,
correction, and to object to the Processing, as well as the right to lodge a
complaint before the National Privacy Commission.
2. Right to Object
The Data Subject shall have the right to object to the Processing of his or her
Personal Data, including Processing for direct marketing, automated
Processing or profiling. The Data Subject shall also be notified and given an
opportunity to withhold consent to the Processing in case of changes or any
amendment to the information supplied or declared to the Data Subject in the
preceding paragraph.
3. Right to Access
The Data Subject has the right to reasonable access to, upon demand, the
following:
8
c. Names and addresses of recipients of the Personal Data;
d. Manner by which his or her Personal Data were processed;
e. Reasons for the disclosure of the Personal Data to recipients, if any;
f. Information on automated processes where the Personal Data will, or is
likely to, be made as the sole basis for any decision that significantly affects
or will affect the Data Subject;
g. Date when Personal Data concerning the Data Subject were last accessed and
modified; and
h. The designation, name or identity, and address of the DPO.
4. Right to Rectification
The Data Subject has the right to dispute the inaccuracy or rectify the error in
his or her Personal Data, and the Company shall correct it immediately and
accordingly, unless the request is vexatious or otherwise unreasonable. If the
Personal Data has been corrected, the Company shall ensure the accessibility of
both the new and the retracted Personal Data and the simultaneous receipt of
the new and the retracted Personal Data by the intended recipients thereof:
Provided, That recipients or third parties who have previously received such
processed Personal Data shall be informed of its inaccuracy and its rectification,
upon reasonable request of the Data Subject.
The Data Subject shall have the right to suspend, withdraw, or order the
blocking, removal, or destruction of his or her Personal Data from the
Company’s filing system.
(b) The Personal Data is being used for purpose not authorized by
the Data Subject;
9
10
(c) The Personal Data is no longer necessary for the purposes for
which they were collected;
b. The DPO may notify third parties who have previously received such
processed Personal Data that the Data Subject has withdrawn his or her
consent to the Processing thereof upon reasonable request by the Data
Subject.
The lawful heirs and assigns of the Data Subject may invoke the rights of the
Data Subject to which he or she is an heir or an assignee, at any time after the
death of the Data Subject, or when the Data Subject is incapacitated or
incapable of exercising his/her rights.
7. Data Portability
10
V. DATA BREACHES & SECURITY INCIDENTS
The notification to the National Privacy Commission and the affected Data
Subjects shall at least describe the nature of the breach, the Personal Data
possibly involved, and the measures taken by the Company to address the
breach. The notification shall also include measures taken to reduce the harm
or negative consequences of the breach and the name and contact details of the
DPO. The form and procedure for notification shall conform to the regulations
and circulars issued by the National Privacy Commission, as may be updated
from time to time.
2. Breach Reports
11
subject matter and duration of the Processing, the nature and purpose of the
Processing, the type of Personal Data and categories of Data Subjects, the
obligations and rights of the Company, and the geographic location of the
Processing under the contract.
The fact that the Company entered into such contract or arrangement does not
give the said external agent or entity the authority to subcontract to another entity
the whole or part of the subject matter of said contract or arrangement, unless
expressly stipulated in writing in the same contract or evidenced by a separate
written consent/agreement of the Company. The subcontracting agreement must
also comply with the standards/criteria prescribed by the immediately preceding
paragraph.
In addition, the contract and the subcontracting contract shall include express
stipulations requiring the external agent or entity (including the subcontractor) to:
1. process the Personal Data only upon the documented instructions of the
Company, including transfers of Personal Data to another country or an
international organization, unless such transfer is required by law;
2. ensure that an obligation of confidentiality is imposed on persons and
employees authorized by the external agent/entity and subcontractor to process
the Personal Data;
3. implement appropriate security measures;
4. comply with the Data Privacy Act and other issuances of the National Privacy
Commission, and other applicable laws, in addition to the obligations provided
in the contract, or other legal act with the external party;
5. not engage another processor without prior instruction from the Company:
Provided, that any such arrangement shall ensure that the same obligations for
data protection under the contract or legal act are implemented, taking into
account the nature of the Processing;
6. assist the Company, by appropriate technical and organizational measures, and
to the extent possible, fulfill the obligation to respond to requests by Data
Subjects relative to the exercise of their rights;
7. assist the Company in ensuring compliance with the Data Privacy Act and other
issuances of the National Privacy Commission, taking into account the
12
nature of Processing and the information available to the external party who
acts as a Personal Information Processor as defined under the Data Privacy Act;
8. at the choice of the Company, delete or return all Personal Data to it after the
end of the provision of services relating to the Processing: Provided, that this
includes deleting existing copies unless storage is authorized by the Data
Privacy Act or other applicable laws or regulations;
9. make available to the Company all information necessary to demonstrate
compliance with the obligations laid down in the Data Privacy Act, and allow
for and contribute to audits, including inspections, conducted by the Company
or another auditor mandated by the latter; and
10. immediately inform the Company if, in its opinion, an instruction violates the
Data Privacy Act or any other issuance of the National Privacy Commission.
13