Book a Free Consultation
Logo



Book a Free Consultation
© 2024 Royale Cold Storage | Privacy Policy

PERSONAL DATA
PRIVACY POLICY

I. Definitions

  • Data Privacy Act or DPA: Refers to Republic Act No. 10173 or the Data Privacy Act of 2012 and its implementing rules and regulations.
  • Data Subject: Refers to an individual whose Personal Information, Sensitive Personal Information, or Privileged Information is processed.
  • Company: Refers to Royale Cold Storage North Inc.
  • Personal Data: Collectively refers to Personal Information, Sensitive Personal Information, and Privileged Information.
  • Personal Information: Refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
  • Processing: Refers to any operation or set of operations performed upon Personal Data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the Personal Data are contained or are intended to be contained in a filing system.
  • Privileged Information: Refers to any and all forms of Personal Data, which, under the Rules of Court and other pertinent laws constitute privileged communication.
  • Security Incident: An event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of Personal Data. It includes incidents that would result in a personal data breach, if not for safeguards that have been put in place.
  • Sensitive Personal Information: Refers to Personal Data:
    • About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
    • About an individual’s health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
    • Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
    • Specifically established by an executive order or an act of Congress to be kept classified.

II. Organizational Security Measures

  • Data Protection Officer: A Data Protection Officer (“DPO”) shall be appointed by the Company. The DPO is responsible for ensuring the Company’s compliance with applicable laws and regulations for the protection of data privacy and security. The functions and responsibilities of the DPO shall particularly include, among others:
    • Monitoring the Company’s Personal Data Processing activities to ensure compliance with applicable Personal Data privacy laws and regulations, including conducting periodic internal audits and reviews;
    • Acting as a liaison between the Company and regulatory and accrediting bodies;
    • Developing and reviewing policies and procedures for the exercise of Data Subjects’ rights;
    • Acting as the primary point of contact for Data Subjects for all concerns relating to their Personal Data;
    • Formulating capacity-building, orientation, and training programs for employees regarding Personal Data privacy and security policies; and
    • Preparing and filing the annual report on documented security incidents and Personal Data breaches, as required under the Data Privacy Act.
  • Data Privacy Principles: All Processing of Personal Data within the Company should be conducted in compliance with the following principles:
    • Transparency: The Data Subject must be aware of the nature, purpose, and extent of the Processing of his or her Personal Data by the Company.
    • Legitimate purpose: The Processing of Personal Data by the Company shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.
    • Proportionality: The Processing of Personal Data shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose.
  • Data Processing Records: Adequate records of the Company’s Personal Data Processing activities shall be maintained at all times. The DPO, with the cooperation of all the concerned business and service units involved, shall ensure these records are kept up-to-date.
  • Management of Human Resources: The DPO, with the Company’s Human Capital Department, shall implement measures to ensure that all staff with access to Personal Data strictly process such data in compliance with the law.
  • Data Collection Procedures: The DPO, with the Company’s HCD, shall document the Company’s Personal Data Processing procedures and ensure they are updated and compliant with the DPA.
  • Data Retention Schedule: Personal Data shall not be retained by the Company for a period longer than necessary and/or proportionate to the purposes for which such data was collected.

III. Physical Security Measures

The DPO, with the assistance of HCD and the Information and Technology Department (“ITD”), shall develop and implement policies and procedures for the Company to monitor and limit access to, and activities in, the offices of HCD, as well as any other departments and/or workstations in the Company where Personal Data is processed, including guidelines that specify the proper use of, and access to, electronic media.

The design and layout of the office spaces and workstations of the abovementioned departments, including the physical arrangement of furniture and equipment, shall be periodically evaluated and readjusted in order to provide privacy to anyone Processing Personal Data, taking into consideration the environment and accessibility to unauthorized persons.

The duties, responsibilities, and schedules of individuals involved in the Processing of Personal Data shall be clearly defined to ensure that only the individuals actually performing official duties shall be in the room or workstation, at any given time. Further, the rooms and workstations used in the Processing of Personal Data shall, as far as practicable, be secured against natural disasters, power disturbances, external access, and other similar threats.IV. Technical Security Measures

The DPO, with the cooperation and assistance of the Information and Technology Department (ITD), shall continuously develop and evaluate the Company’s security policy with respect to the Processing of Personal Data. The security policy should include the following minimum requirements:

  • Safeguards to protect the Company’s computer network and systems against accidental, unlawful, or unauthorized usage, any interference which will affect data integrity or hinder the functioning or availability of the system, and unauthorized access;
  • The ability to ensure and maintain the confidentiality, integrity, availability, and resilience of the Company’s data processing systems and services;
  • Regular monitoring for security breaches, and a process both for identifying and accessing reasonably foreseeable vulnerabilities in the Company’s computer network and system, and for taking preventive, corrective, and mitigating actions against security incidents that can lead to a Personal Data breach;
  • The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing, and evaluating the effectiveness of security measures; and
  • Encryption of Personal Data during storage and while in transit, authentication processes, and other technical security measures that control and limit access thereto.

IV. Technical Security Measures

The DPO, with the cooperation and assistance of the Information and Technology Department (ITD), shall continuously develop and evaluate the Company’s security policy with respect to the Processing of Personal Data. The security policy should include the following minimum requirements:

  • Safeguards to protect the Company’s computer network and systems against accidental, unlawful, or unauthorized usage, any interference which will affect data integrity or hinder the functioning or availability of the system, and unauthorized access;
  • The ability to ensure and maintain the confidentiality, integrity, availability, and resilience of the Company’s data processing systems and services;
  • Regular monitoring for security breaches, and a process both for identifying and accessing reasonably foreseeable vulnerabilities in the Company’s computer network and system, and for taking preventive, corrective, and mitigating actions against security incidents that can lead to a Personal Data breach;
  • The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing, and evaluating the effectiveness of security measures; and
  • Encryption of Personal Data during storage and while in transit, authentication processes, and other technical security measures that control and limit access thereto.

V. Rights of the Data Subject

As provided under the Data Privacy Act (DPA), Data Subjects have the following rights in connection with the Processing of their Personal Data:

  • Right to be Informed: The Data Subject has the right to be informed whether Personal Data pertaining to him or her shall be, are being, or have been processed. The Data Subject shall be notified and furnished with the following information before the entry of his or her Personal Data into the records of the Company:
    • A description of the Personal Data to be entered into the system;
    • The purposes for which they are being or will be processed, including Processing for direct marketing, profiling, or historical, statistical, or scientific purposes;
    • The basis of Processing, when Processing is not based on the consent of the Data Subject;
    • The scope and method of the Personal Data Processing;
    • The recipients or classes of recipients to whom the Personal Data are or may be disclosed or shared;
    • Methods utilized for automated access, if the same is allowed by the Data Subject, and the extent to which such access is authorized;
    • The identity and contact details of the DPO;
    • The period for which the Personal Data will be stored; and
    • The existence of the Data Subject’s rights, including the right to access, rectification, objection, and erasure, as well as the right to lodge a complaint before the National Privacy Commission (NPC).
  • Right to Object: The Data Subject has the right to object to the Processing of his or her Personal Data, including for direct marketing, automated Processing, or profiling. When the Data Subject objects or withholds consent, the Company shall no longer process the Personal Data unless:
    • The Personal Data is needed pursuant to a subpoena;
    • The Processing is necessary for the performance of or in relation to a contract or service to which the Data Subject is a party; or
    • The Personal Data is being collected and processed to comply with a legal obligation.
  • Right to Access: The Data Subject has the right to reasonable access to, upon demand, the following:
    • The contents of his or her Personal Data that were processed;
    • The sources from which Personal Data were obtained;
    • The names and addresses of recipients of the Personal Data;
    • The manner by which his or her Personal Data were processed;
    • The reasons for the disclosure of the Personal Data to recipients, if any;
    • Information on automated processes where the Personal Data will be or is likely to be used as the sole basis for any decision that significantly affects the Data Subject;
    • The date when Personal Data concerning the Data Subject were last accessed and modified; and
    • The designation, name or identity, and address of the DPO.
  • Right to Rectification: The Data Subject has the right to dispute inaccuracies or rectify errors in his or her Personal Data, and the Company shall correct it immediately unless the request is vexatious or unreasonable. If the Personal Data has been corrected, the Company shall ensure that the new and the retracted data are accessible, and third parties who have previously received such data are informed of the rectification.
  • Right to Erasure or Blocking: The Data Subject shall have the right to suspend, withdraw, or order the blocking, removal, or destruction of his or her Personal Data from the Company’s filing system upon discovery and substantial proof of any of the following:
    • The Personal Data is incomplete, outdated, false, or unlawfully obtained;
    • The Personal Data is being used for a purpose not authorized by the Data Subject;
    • The Personal Data is no longer necessary for the purposes for which they were collected;
    • The Data Subject withdraws consent or objects to the Processing, and there is no other legal ground for the Processing;
    • The Personal Data concerns private information that is prejudicial to the Data Subject;
    • The Processing is unlawful; or
    • The Data Subject’s rights have been violated.
  • Right to Data Portability: Where his or her Personal Data is processed through electronic means and in a structured and commonly used format, the Data Subject has the right to obtain a copy of such data in an electronic or structured format that allows for further use by the Data Subject. This takes into account the right of the Data Subject to control over his or her Personal Data processed for commercial purposes or through automated means.

VI. Data Breaches & Security Incidents

All employees and agents of the Company involved in the Processing of Personal Data are tasked with regularly monitoring for signs of a possible data breach or Security Incident. In the event that such signs are discovered, the employee or agent shall immediately report the facts and circumstances to the DPO within twenty-four (24) hours from his or her discovery for verification as to whether or not a breach requiring notification under the Data Privacy Act has occurred, as well as for the determination of the relevant circumstances surrounding the reported breach and/or Security Incident.

The DPO shall notify the National Privacy Commission and the affected Data Subjects pursuant to requirements and procedures prescribed by the DPA.

The notification to the National Privacy Commission and the affected Data Subjects shall at least describe the nature of the breach, the Personal Data possibly involved, and the measures taken by the Company to address the breach. The notification shall also include measures taken to reduce the harm or negative consequences of the breach and the name and contact details of the DPO. The form and procedure for notification shall conform to the regulations and circulars issued by the National Privacy Commission, as may be updated from time to time.

Breach Reports: All Security Incidents and Personal Data breaches shall be documented through written reports, including those not covered by the notification requirements. In the case of Personal Data breaches, a report shall include the facts surrounding an incident, the effects of such incident, and the remedial actions taken by the Company. In other security incidents not involving Personal Data, a report containing aggregated data shall constitute sufficient documentation. These reports shall be made available when requested by the National Privacy Commission. A general summary of the reports shall be submitted by the DPO to the National Privacy Commission annually.

VII. Outsourcing and Subcontracting Agreements

Any Personal Data Processing conducted by an external agent or entity (third-party service provider) on behalf of the Company should be evidenced by a valid written contract with the Company. Such contract should expressly set out the subject matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects, the obligations and rights of the Company, and the geographic location of the Processing under the contract.

The fact that the Company entered into such a contract or arrangement does not give the said external agent or entity the authority to subcontract to another entity the whole or part of the subject matter of said contract or arrangement unless expressly stipulated in writing in the same contract or evidenced by a separate written consent/agreement of the Company. The subcontracting agreement must also comply with the standards/criteria prescribed by the immediately preceding paragraph.

In addition, the contract and the subcontracting contract shall include express stipulations requiring the external agent or entity (including the subcontractor) to:

  • Process the Personal Data only upon the documented instructions of the Company, including transfers of Personal Data to another country or an international organization, unless such transfer is required by law;
  • Ensure that an obligation of confidentiality is imposed on persons and employees authorized by the external agent/entity and subcontractor to process the Personal Data;
  • Implement appropriate security measures;
  • Comply with the Data Privacy Act and other issuances of the National Privacy Commission, as well as other applicable laws;
  • Not engage another processor without prior instruction from the Company, ensuring that the same obligations for data protection under the contract are implemented;
  • Assist the Company, by appropriate technical and organizational measures, to fulfill the obligation to respond to requests by Data Subjects relative to the exercise of their rights;
  • Assist the Company in ensuring compliance with the Data Privacy Act and other issuances of the National Privacy Commission;
  • At the choice of the Company, delete or return all Personal Data to it after the end of the provision of services relating to the Processing, unless storage is authorized by the Data Privacy Act;
  • Make available to the Company all information necessary to demonstrate compliance with the obligations laid down in the Data Privacy Act and allow for audits, including inspections, conducted by the Company or another auditor mandated by the Company;
  • Immediately inform the Company if, in its opinion, an instruction violates the Data Privacy Act or any other issuance of the National Privacy Commission.