Data Privacy

Author / Prepared By: Jeffrey S. Maraño Data Privacy Officer
Reviewed by: Jhoedith D. Base QMS and Compliance Officer
Approved by: Julita O. Geronimo President & CEO

I. PURPOSE
In line with the requirements of the Data Privacy Act of 2012 and other applicable laws of the Philippines, Globo Asiatico Enterprises, Inc. (the company) is committed to protecting the privacy and confidentiality of information and data entrusted to it by its customers, business partners, suppliers, third party service providers, employees and other identifiable individuals. This privacy policy sets the guidelines that will help the public understand how the company collects, processes, uses, stores, shares and protects the information and data received from all customers, business partners, vendors, service providers, suppliers, former and current employees and other entities or individuals.

II. SCOPE
This policy sets out rules on information and data protection and the legal conditions that must be satisfied in relation to the obtaining, handling, processing, storage, transportation and destruction of information and data, as adopted by Globo Asiatico Enterprises, Inc., and shall apply to all employees, business partners, vendors, service providers, suppliers, affiliates and subsidiaries of the company.

III. ASSOCIATED DOCUMENTS
GAE-MIS-POL-004 Information Security Policy and Procedure
GAE-QMS-POL-008 Records Management and Archiving Policy
GAE-MIS-POL-003 Security Incident and Management Policy and Procedures

IV. IMPLEMENTING GUIDELINES
      A. TYPE OF INFORMATION AND DATA
1. Personal Information - means any information or data that can be used to distinguish, identify or contact the company’s customers, business partners, vendors, service providers, suppliers, former and current employees and other entities or individuals (Data Subject). For the purpose of this policy, Data Subject includes all individuals and entities aforementioned about which the company holds personal information or data, such as:
• Company’s business information, corporate data and other official documents;
• Individual’s basic personal information like name, date of birth, gender, nationality, civil status, employment, education and others;
• Information indicated in supporting documents such as SSS, driver’s license ID or passport numbers;
• Financial information such as bank details, accounts, credit card information, payment status, etc.;
• Contact details like billing address, telephone number, mobile phone number, email address, etc.
2. Sensitive Information - means sensitive categories of information and data about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life, or sexual orientation, including genetic and biometric data (where used for ID purposes), or a Data Subject’s civil and criminal records, convictions and offences. It may only be processed under strict conditions, and requires the explicit consent of the Data Subject concerned.

     B. SOURCE OF INFORMATION AND DATA
There are several ways in which the company may obtain data and information, including the following:
• Corporate dealings and business transactions;
• Distribution processes/activities (i.e. booking and sales transactions, delivery of products and services, opening of customer accounts, customer requests and inquiries, product and service complaints, adverse event reporting, enrollment in patient access programs, etc.);
• Visiting or accessing the company websites and other online applications (usage of cookies, web browser, tracking pixels and other online technologies);
• Public and commercial sources (i.e. published directories and public documents, third parties such as credit agencies, and other sources where the Data Subject gave consent for disclosure of such information or where otherwise lawfully permitted);
• Job application and employment.

     C. USAGE OF INFORMATION AND DATA
Processing of information and data means any operation or set of operations which is performed on information or data or on sets of information and data, whether or not by automated means, such as collection, recording, holding, organizing, structuring, storage, adaptation, amending, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, transfer, restriction, erasure or destruction. The company gathers and processes personal information in order to:
• Operate the company’s business;
• Deliver the company’s products and services;
• Process, complete and fulfill requested transactions;
• Provide customer service and respond to customer requests or inquiries;
• Assist customers, patients and healthcare providers in accessing patient-oriented programs;
• Implement marketing programs and promotional campaigns;
• Provide applicable newsletters, articles, alerts, announcements, invitations, and other information about products, brands, health topics and diseases.

From time to time, the company uses information and data to help complete a transaction or order, to facilitate communication, to market and sell its products and services, to deliver products/services, to bill for purchased products/services, and to provide ongoing service and support. Processing of information and data from or about customers, business partners, vendors, service providers, suppliers, and other employees/third parties also helps the company to better understand the needs and interests of the Data Subjects. Likewise, information and data are vital to contact customers, business partners, vendors, service partners and suppliers for marketing, completion/reporting of adverse events, product and service complaints or for quality assurance purposes. In such instances, the company may share personal information with its business partners, vendors, service providers and suppliers to the extent needed to support the customers’ business needs. The aforementioned third parties and entities are strictly bound and required to keep confidential the personal information received from the company and shall not use it for any purpose other than as originally intended or subsequently authorized or permitted.

     D. RESPONSIBLE PERSONS
• Data Controllers - are the employees or departments which determine the purposes for which, and the manner in which, any information or data is processed. They have a responsibility to establish practices and policies in line with relevant laws (i.e. Department Heads, Supervisors and Managers, etc.).
• Data Users – include all employees whose work involves using information and data. Data Users have a duty to protect the information and data they handle by following the data protection and security policies of the company at all times. The employees have a responsibility, when using information and data, to comply with any security safeguards and procedures this policy puts in place (i.e. customer service representative, administrative staff, product specialist/medical representative, etc.).
• Data Privacy Officers (DPO) - designated personnel responsible for ensuring compliance with this policy. Any questions or concerns about the operation of this policy should be referred to the DPO.

V. PROCEDURES
     A. INFORMATION AND DATA PROTECTION PRINCIPLES
Processing of information or data must comply with the following enforceable principles:

     (1) Information and data must be processed fairly, lawfully, and in a transparent manner. (Fairness, Lawfulness and Transparency) The purpose of data protection laws is to ensure that processing of information or data is done fairly and without adversely affecting the rights of the Data Subject. The Data Subject must be told who the Data Controller is (in this case the company), who the Data User and Data Controller are, the purpose for which the data is to be processed by the company and the legal basis for doing so, and the identities of anyone to whom the information or data may be disclosed or transferred. The Data Controller/User shall only process information or data on the basis of one or more of the lawful bases (i.e. performance of a contract; compliance with a legal obligation; pursuit of legitimate or public interests, etc.).

For Sensitive Information where consent is required, it is only effective if freely given, specific, informed and unambiguous. The Data Subject must be able to withdraw consent easily at any time and any withdrawal will be promptly honored. The company must provide all required, detailed and specific information to Data Subjects about the use of their information or data through appropriate communication/notice that is concise, transparent, intelligible, and easily accessible and in clear and plain language.

     (2) Information and data must be processed for specified, explicit, relevant, and legitimate purposes and in an appropriate way. (Purpose Limitation) Information or data may only be processed for the specific purposes notified to the Data Subject. This means that Information or data must not be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which the information or data is processed, the Data Subject must be informed of the new purpose through clear communication or appropriate notice before any processing occurs. Any information or data which is not necessary for those purposes should not be collected from the Data Subject.

     (3) Information and data must be accurate and up to date. (Accuracy)
Information or data must be accurate, complete and kept up-to-date. Information or data which is incorrect is not accurate and steps should therefore be taken to check the accuracy of any information or data at the point of collection and at regular intervals afterwards. Inaccurate or out-of-date Information or data should be amended or destroyed.

     (4) Information and data must not be kept longer than necessary for the stated purpose. (Storage Limitation)
Information or data should not be kept longer than is necessary to carry out the specified purposes. This means that information or data should be destroyed or erased from company’s systems when it is no longer required in accordance with company policies.

     (5) Information and data shall be processed in a manner that ensures appropriate security of information or data, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage, by using appropriate technical or organizational measures. (Security, Integrity and Confidentiality) The company must ensure that appropriate technical and organizational security measures are taken against unlawful or unauthorized processing of information or data, and against the accidental loss of, or damage to, information or data. It must put in place procedural and technological safeguards appropriate to its size, scope and business, available resources and the amount of information and data it holds, to maintain the security of all information or data from the point of collection to the point of destruction. The company must use, where appropriate, the safeguards of encryption, anonymisation and pseudonymisation (replacing identifying information with artificial information so that the Data Subject cannot be identified without the use of additional information which is kept separately and secure). All employees have a responsibility to comply with any safeguards the company puts in place. Maintaining data security means guaranteeing the confidentiality, integrity and availability of the information and data, defined as follows:
(a) Confidentiality means that only employees or Data User/Controller/Processor who are authorized to use the information or data can access it.
(b) Integrity means that information or data should be accurate and suitable for the purpose for which it is processed.
(c) Availability means that authorized users should be able to access the information or data if they need it for authorized purposes.

     (6) Information and data must not be transferred without appropriate safeguards being in place. (Transfer Limitation)
Information or data must not be transferred to unauthorized recipients.

     (7) Information and data must be processed in line with Data Subjects’ rights. (Data Subject’s Rights and Requests)
Data Subjects have the following rights which apply in certain circumstances:
• The right to be informed about processing of information or data.
• The right of access to their own information or data.
• The right for any inaccuracies to be corrected (rectification).
• The right to have information and data deleted (erasure).
• The right to restrict the processing of information or data.
• The right to object to the inclusion of information or data.
• The right to withdraw consent when the only legal basis for processing information or data is consent.
• The right to be notified of Information or Data Breach which is likely to result in high risk to their rights and freedoms.

A formal request from a Data Subject for details of information or data that the company holds about them must be made in writing. Any employee/staff who receives such a written request should forward it to the concerned Department Head/Manager and the DPO immediately.

     B. NOTICE AND CONSENT GUIDELINES
1. Ensure that the data privacy notice is properly placed in areas visible to the Data Subject (e.g. company lobby, reception area, customer service area, and places prone to heavy traffic). The data privacy notice must clearly indicate the purpose and type of information to be gathered by the Data Controller and Data User.
The data privacy notice should clearly state the following:
• Type of information to be gathered.
• Process on how to obtain the data.
• Purpose and usage of the information collected.
• Measures and protection for the confidentiality of the data collected.
2. The Data User must be properly informed by the Data Controller and Data User of what type of information they will obtain and the purpose of collecting the information, in accordance with this policy and the Data Privacy Act being implemented by the National Privacy Commission.
3. In line with the guidelines, the Data User shall ensure that the necessary consent is secured to collect, process, handle and store the information and data shared by the Data Subject.

     C. INFORMATION AND DATA PRIVACY MEASURES
The integrity, confidentiality and security of information and data are particularly important; hence the requirements of this data privacy policy must be strictly enforced within the company. In order to do so, the company has implemented technological, organizational and physical security measures that are designed to protect data and information from unauthorized access, use, storage, alteration, dissemination and disclosure. To realize this, the following safeguards have been put into effect:
1. Data and information are kept and stored using a secured server behind a firewall, encryption and security controls;
2. Restriction on the accessibility of data and information. Only those qualified and authorized personnel shall hold the information and data with strict confidentiality;
3. Regular audit and rigorous testing of company’s infrastructure’s security protocols to ensure that the information and data is always protected; and
4. Right of the Data Subject to update the information and data securely in order to keep the records accurate, as well as the right to object to processing, the right to access the data provided, the right to modify any inaccurate data, and the right to request deletion/erasure or blocking of information and data.
5. Access to information and data, in case of modification, updating or when information/data are incomplete or inaccurate, shall be made through the company’s Data Privacy Officers with contact details below.

Contact Details:
Information and Data Privacy Officer
Name: Jeffrey S. Maraño
Department: Data Privacy Office
Contact No.: (02) 982-7089
Address: 127 JDK Bldg. Maginhawa St. Teachers Village East, Diliman, Quezon City 1101
Email: dataprivacy@globoasiatico.com.ph
Contact No.: (02) 982-7000; Fax No.: (02) 441-0282

     D. RETENTION OF INFORMATION AND DATA
Information and data of the Data Subject shall be retained for as long as needed or permitted in light of the purpose(s) for which it was obtained or the length of time the company has an ongoing relationship with the Data Subject. In case this cannot be determined, it shall be retained for a minimum period of five (5) years afterwards (GAE-QMS-POL-008, Records Management and Archiving Policy), or in accordance with the company’s existing contractual obligations/agreements entered into, or as prescribed by enabling legal or statutory laws, whichever is stricter.

VI. BREACH NOTIFICATION AND PENALTIES
An information or data breach is any act or omission in violation of the policy which compromises the security, confidentiality, integrity or availability of information or data, or the safeguards that the company or a third party put in place to protect the information or data, including losing the information or data or disclosing it to unauthorized people. Where an information or data breach is likely to result in a risk to the rights and freedoms of the Data Subjects concerned, the company, through its DPO, must conduct an immediate investigation and produce a written report.
     A. DATA BREACH REPORTING
i. The Data User must notify the Data Controller and DPO immediately if a data breach is suspected.
ii. Under the Data Privacy Act of 2012, if an employee discovers or suspects a data breach, it must be reported immediately to the Data Privacy Officer (DPO).
iii. The data breach report must contain the following information:
(a) A description of the data breach.
(b) Categories and approximate number of data records affected.
(c) Categories of Data Subjects affected and the approximate number of individuals affected.
(d) A description of the likely consequences of the data breach.

     B. PROCESS FOR HANDLING DATA BREACH
(i) If the DPO comes to know or suspects that an information or data breach has occurred, the DPO will immediately create the data breach response team, which shall be composed of the DPO, IT Head, QMS and one (1) member of the executive management with the authority to make immediate decisions regarding critical actions. The team shall be responsible for the following:
• Compliance of security management policy
• Management of security incidents and personal data breach
• Compliance with the data privacy law and other issuances
The data breach response team must immediately conduct a thorough investigation of the suspected or reported data breach within 24 hours. The concerned Department Head/Manager and personnel must be involved in the investigation. The company must preserve all evidence relating to the potential information or data breach.
(ii) When a security incident occurs (i.e. a computer security incident - loss of confidentiality of information, unauthorized access to systems, misuse of systems or information, theft of and damage to systems, virus attacks, missing correspondence, etc.) as defined under GAE-MIS-POL-004, Information Security Policy and Procedure, and GAE-MIS-POL-003, Security Incident and Management Policy and Procedures, the DPO shall conduct a risk assessment and investigation to determine the possible data breach and its impact on all Data Subjects affected by such breach.
     C. GOVERNMENT REPORTING PROCESS
(i) The status/result of the investigation must be made in writing by the designated DPO and submitted to the NPC within 72 hours of discovery or awareness of the breach. Data Subjects will be informed directly, and the company shall assess whether the breach is likely to result in a high risk to their rights and freedoms. If the breach is sufficient to warrant notification to the public, the company must do so without undue delay.
     D. PENALTY FOR DATA BREACH
Breach of this policy shall be taken seriously and may result in disciplinary action and/or liability for damages. The penalty for employees’ non-compliance with and violation of this policy shall be termination/dismissal, due to the gravity of the offense and in consonance with the company’s existing Employee Handbook, without prejudice to legal action and liability for any incurred damages, if applicable.

VII. TRAINING

All employees concerned must read and understand the policy and shall receive appropriate training covering basic information about confidentiality, data protection and the actions to take upon identifying a potential information or data breach. They must be trained to protect the Data Subject’s information or data to which they have access, to ensure data security and to understand the consequences of any potential breaches of the provisions of this policy.

REVISION HISTORY
Revision 00 - Effective Date: 20-Jul-2018 - Summary of Change: New Release
Revision 01 - Effective Date: 11-Feb-2019 - Summary of Change: Updated designated DPO and list of responsible persons. Added procedure for handling data privacy breach.