Privacy Policy
DATA PRIVACY MANUAL

I. Introduction

This Privacy Manual is hereby adopted in compliance with Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 (“DPA”), its Implementing Rules and Regulations (“IRR”), and other relevant policies, including issuances of the National Privacy Commission. 

Exchange Equity Partners Group Corporation (“EEPGC”) respects and values your data privacy rights, and makes sure that all personal data collected from you, our members, and our customers, are processed in adherence to the general principles of transparency, legitimate purpose, and proportionality.

This Manual shall inform you of our data protection and security measures, and may serve as your guide in exercising your rights under the DPA.

II. Definition of Terms

Data Subject refers to an individual whose personal, sensitive personal, or privileged information is processed by EEPGC. It may refer to officers, employees, consultants, and members of this corporation.

Personal Information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of data.

Privileged Information refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication. Under the Rules of Court, the following are considered privileged information:

  1. communication between husband and wife (Sec. 24(a), Rule 130);

  2. communication between an attorney and his or her client (Sec. 24(b), Rule 130);

  3. communication between a doctor and his or her patient (Sec. 24(c), Rule 130);

  4. communication between a minister and a confessant (Sec. 24(d), Rule 130); and

  5. communication made to a public officer in official confidence, when the court finds that public interest would suffer by the disclosure (Sec. 24(e), Rule 130).

Sensitive Personal Information refers to personal information:

  1. about an individual's race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliation;

  2. about an individual's health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;

  3. issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation and tax returns; and

  4. specifically established by an executive order or an act of Congress to be kept classified.

III. Scope and Limitations

All personnel of EEPGC, regardless of the type of employment or contractual arrangement, must comply with the terms set out in this Manual.

IV. Processing of Personal Data

A. Collection

EEPGC collects the basic contact information of its clients, including their name, address, e-mail address, contact number, together with the services they would like to avail. The EEPGC associate attending to clients will collect such information upon engagement of service.
B. Use

Personal data collected shall be used by EEPGC for the following:

Personal data received from employees will be used for the employees’ 201 file for human resources and documentation purposes, which includes payroll and payment of benefits under Philippine law. 

Personal data received from clients will be used for standard KYC (Know Your Client) to continuously provide the offered services. The EEPGC associate also uses the personal data of the client for purposes of accounting and billing services.

C. Storage, Retention, and Destruction

EEPGC will ensure that personal data under its custody are protected against any accidental or unlawful destruction, alteration, and disclosure as well as against any other unlawful processing. EEPGC will implement appropriate security measures in storing collected personal information, sensitive personal, and privileged information, depending on the nature of the information.

All information gathered shall not be retained for a period longer than two (2) years unless a longer period is provided in any agreement between EEPGC and third parties, or as determined necessary by EEPGC management. After said period, all hard and soft copies of personal information, sensitive personal, or privileged information, as the case may be, shall be disposed of and destroyed through secure means.

D. Access

Due to the sensitive and confidential nature of the personal data under the custody of EEPGC, only the client and the authorized representative of the client shall be allowed to access such personal data, for any purpose, except for those contrary to law, public policy, public order or morals.

E. Disclosure and Sharing

All employees and personnel of EEPGC shall maintain confidentiality and secrecy of all personal data, sensitive personal, or privileged information, that come to their knowledge and possession, even after resignation, termination of contract, or other contractual relations. Personal data under the custody of EEPGC shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data.
V. Security Measures

A. Organizational Measures

  1. Conduct of Privacy Impact Assessment (“PIA”)

  2. Data Protection Officer (“DPO”) or Compliance Officer for Privacy (“COP”)

  3. Duties and Responsibilities of the DPO, COP and/or any other responsible personnel with similar functions

    The DPO shall oversee the compliance of EEPGC with the DPA, its Implementing Rules and Regulations (IRR), issuances by the National Privacy Commission (NPC) and other applicable laws and policies, including the conduct of a PIA, implementation of security measures, security incident and data breach protocol, and the inquiry and complaints procedure.


    Moreover, the DPO:

    • Collects information to identify the processing operations, activities, measures, projects, programs, or systems of EEPGC, and maintains a record thereof;

    • Analyzes and checks the compliance of processing activities, including the issuance of security clearances to and compliance by third-party service providers;

    • Informs, advises, and issues recommendations to EEPGC;

    • Ascertains renewal of accreditations or certifications necessary to maintain the required standards in personal data processing;

    • Advises EEPGC as regards the necessity of executing a Data Sharing Agreement with third parties, and ensures its compliance with the law;

    • Ensures proper data breach and security incident management within EEPGC, including the preparation and submission to the NPC of reports and other documentation concerning security incidents or data breaches within the prescribed period;

    • Informs and cultivates awareness on privacy and data protection within EEPGC, including all relevant laws, rules and regulations and issuances of the NPC;

    • Advocates for the development, review and/or revision of policies, guidelines, projects and/or programs of EEPGC relating to privacy and data protection, by adopting a privacy by design approach;

    • Serves as the contact person of EEPGC vis-à-vis data subjects, the NPC and other authorities in all matters concerning data privacy or security issues or concerns and EEPGC;

    • Cooperates, coordinates and seeks advice of the NPC regarding matters concerning data privacy and security; and

    • Performs other duties and tasks that may be assigned by EEPGC that will further the interest of data privacy and security and uphold the rights of the data subjects.

    The DPO must have due regard for the risks associated with the processing operations of EEPGC, taking into account the nature, scope, context and purposes of processing. Accordingly, he or she must prioritize his or her activities and focus his or her efforts on issues that present higher data protection risks.

  4. Conduct of trainings or seminars to keep personnel, especially the DPO updated vis-à-vis developments in data privacy and security


    EEPGC shall sponsor a mandatory training on data privacy and security at least once a year. For personnel directly involved in the processing of personal data, management shall ensure their attendance and participation in relevant trainings and orientations, as often as necessary.

  5. Recording and documentation of activities carried out by the DPO, or by EEPGC, to ensure compliance with the DPA, its IRR, and other relevant policies


    There shall be a detailed and accurate documentation of all activities, projects, and processing systems of the corporation, to be carried out by the DPO.

  6. Duty of Confidentiality


    All employees will be asked to sign a Non-Disclosure Agreement. All employees with access to personal data shall operate and hold personal data under strict confidentiality if the same is not intended for public disclosure.

  7. Review of Privacy Manual

    This Manual shall be reviewed and evaluated annually. Privacy and security policies and practices within EEPGC shall be updated to remain consistent with current data privacy best practices.


B. Physical Measures

  1. Format to be collected


    Personal data in the custody of EEPGC may be in digital or electronic format and paper-based or physical format.

  2. Storage type and location

    All personal data being processed by the corporation shall be stored in a data room, where paper-based documents are kept in locked filing cabinets while the digital or electronic files are stored in computers provided and installed by EEPGC.

  3. Access procedure of agency personnel

    Only authorized personnel shall be allowed inside the data room. For this purpose, they shall each be given a duplicate of the key to the room. Other personnel may be granted access to the room upon filing of an access request form with the DPO and the latter’s approval thereof.

  4. Monitoring and limitation of access to room or facility

    All personnel authorized to enter and access the data room or facility must fill out and register with the online registration platform of EEPGC, and a logbook placed at the entrance of the room. They shall indicate the date, time, duration, and purpose of each access.

  5. Design of office space or work station


    The computers are positioned with considerable spaces between them to maintain privacy and protect the processing of personal data.

  6. Persons involved in processing, and their duties and responsibilities

    Persons involved in processing shall always maintain the confidentiality and integrity of personal data. They are not allowed to bring their own gadgets or storage devices of any form when entering the data storage room.

  7. Modes of transfer of personal data within the organization, or to third parties


    Transfers of personal data via electronic mail shall use a secure e-mail facility with encryption of the data, including any or all attachments. Facsimile technology shall not be used for transmitting documents containing personal data.

  8. Retention and disposal procedure

    EEPGC shall retain the personal data of a client for two (2) years from the date when EEPGC’s services were rendered, unless a longer period is provided in any agreement between EEPGC and third parties, or as determined necessary by EEPGC management. Upon expiration of such period, all physical and electronic copies of the personal data shall be destroyed and disposed of using secure technology.

C. Technical Security Measures

  1. Monitoring for security breaches

    EEPGC shall use an intrusion detection system to monitor security breaches and alert the organization of any attempt to interrupt or disturb the system.

  2. Security features of the software/s and application/s used

    EEPGC shall first review and evaluate software applications before the installation thereof in computers and devices of EEPGC to ensure the compatibility of security features with overall operations.

  3. Process for regular testing, assessment, and evaluation of the effectiveness of security measures

    EEPGC shall review security policies, conduct vulnerability assessments and perform penetration testing within the company on a regular schedule to be prescribed by the appropriate department or unit.

  4. Encryption, authentication process, and other technical security measures that control and limit access to personal data

    Each personnel with access to personal data shall verify his or her identity using a secure encrypted link and multi-level authentication.


VI. Breach and Security Incidents

  1. Creation of a Data Breach Response Team

    A Data Breach Response Team comprising the Data Privacy Officer and Human Resources personnel shall be responsible for ensuring immediate action in the event of a security incident or personal data breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effects of the incident or breach.

  2. Measures to prevent and minimize occurrence of breach and security incidents

    EEPGC shall regularly conduct a PIA to identify risks in the processing system, monitor for security breaches, and perform vulnerability scanning of computer networks. Personnel directly involved in the processing of personal data must attend trainings and seminars for capacity building. There must also be a periodic review of policies and procedures being implemented in the organization.

  3. Procedure for recovery and restoration of personal data

    EEPGC shall always maintain a back-up file for all personal data under its custody. In the event of a security incident or data breach, it shall always compare the back-up with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.

  4. Notification protocol

    The DPO shall inform the management of the need to notify the NPC and the data subjects affected by the incident or breach within the period prescribed by law.

  5. Documentation and reporting procedure of security incidents or a personal data breach

    The Data Breach Response Team shall prepare a detailed documentation of every incident or breach encountered, as well as an annual report, to be submitted to the management and the NPC, within the prescribed period.

VII. Inquiries and Complaints

Data subjects may inquire or request information regarding any matter relating to the processing of their personal data under the custody of the organization, including the data privacy and security policies implemented to ensure the protection of their personal data. They may write to the organization at jocmer@exchangeequity.com and briefly discuss the inquiry, together with their contact details for reference.

Complaints shall be filed in three (3) printed copies, or sent to jocmer@exchangeequity.com.

The concerned department or unit shall confirm with the complainant its receipt of the complaint.

VIII. Effectivity

The provisions of this Manual are effective this 30 October 2020, until revoked or amended by this company through a Board Resolution.