PRIVACY POLICY


TITLE: DATA SUBJECT ACCESS REQUEST POLICY

OBJECTIVE: To ensure that any personal information collected by the Company is used fairly, stored safely and not disclosed unlawfully.
SCOPE: This policy applies to all EquiServe employees across all sites.

1. PURPOSE

• This document sets out EquiServe’s Policy for responding to data subject access requests under RA 10173 (the Data Privacy Act of 2012), whose Implementing Rules and Regulations came into force in September 2016. It explains the rights of the data subject in relation to a data subject access request and EquiServe’s responsibilities when dealing with that request.

2. DATA SUBJECT RIGHTS
A data subject has the right to know what information is held about them. RA 10173 provides a general framework to ensure that personal information is handled properly.

Personal Information must be:

Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after, collection, and later processed only in a way compatible with such declared, specified and legitimate purposes;

Processed fairly and lawfully;

Accurate, relevant and, where necessary for the purposes for which it is to be used, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing restricted;

Adequate and not excessive in relation to the purposes for which they are collected and processed;

Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained, for the establishment, exercise or defense of legal claims, for legitimate business purposes, or as provided by law; and

Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed: Provided, that personal information collected for other purposes may be processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods: Provided further, that adequate safeguards are guaranteed by said laws authorizing their processing.

3. POLICY STATEMENT

EquiServe has one month (30 calendar days), counted from the date the DPO receives the request together with any information needed to verify the identity of the data subject, to identify the information requested and provide it to the data subject (or explain why EquiServe is unable to provide it). Wherever possible, EquiServe will aim to complete the request in advance of the deadline.

4. PROCEDURE

How to make a subject access request

A subject access request is a written request for the personal and sensitive personal information EquiServe holds about you. A data subject has the right to see what personal/sensitive information EquiServe holds about them: they are entitled to confirmation as to whether EquiServe holds or processes their personal/sensitive information and, if so, to access that information as well as details of:

1. The purposes for which EquiServe processes personal data;
2. The categories of personal data that EquiServe processes;
3. The recipients, or categories of recipient, to whom personal data has been or will be disclosed, in particular third party service providers and government regulators;
4. The retention period of the data;
5. If the personal data was not provided by the data subject, the source from which EquiServe collected it; and
6. Whether EquiServe uses any automated decision making in relation to the processing of personal data.


The data subject is entitled to have their personal/sensitive data rectified in case of errors, and to have the data deleted if the data subject does not want EquiServe to further store or process their personal/sensitive data, or to request restriction of EquiServe’s processing of personal/sensitive data.

If the data subject is not satisfied with how EquiServe stores or processes their personal/sensitive data, the data subject has a right to lodge a complaint with EquiServe by contacting our Data Protection Officer at the following contact details:

DPO Name: Ramil Yabyabin
Contact Details: ramil.yabyabin@equicomservices.com

What are personal and sensitive information?

Personal Information is any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or which, when put together with other information, would directly and certainly identify an individual.

Sensitive Information is information about any of the following:

• Race
• Ethnic origin
• Marital status
• Age
• Color
• Religion
• Philosophical beliefs
• Health
• Education
• Genetic information
• Sexual life
• Any proceeding for any offense committed, the disposal of such proceedings, or the sentence of any court
• Government issuances to an individual, such as:

1. SSS numbers
2. Previous or current health records
3. Licenses, or their denial, suspension or revocation
4. Tax returns

What do we do when EquiServe receives a subject access request?

1. Verifying identity – if EquiServe has cause to doubt the data subject’s identity, EquiServe will ask for information to verify it. For example, EquiServe may ask the data subject for a piece of information held in their records that might reasonably be expected to be known only by the data subject. EquiServe cannot disclose personal/sensitive information to anyone other than the data subject or their duly authorized representative.

2. Collating information – EquiServe will gather any manually or electronically held information and identify any information provided by a third party or which identifies a third party.

3. Third parties – before sharing information that relates to third parties, EquiServe will, where possible, anonymize or edit information that might affect another party’s privacy. EquiServe may also summarize information rather than provide a copy of the whole document. RA 10173 requires us to provide information, not documents.

4. Unit Head or MANCOM approval – the DPO shall release information to the data subject only upon the approval of the Unit Head who has custody of the data or, in cases where the request would have a serious impact on the business, of EquiServe Management.

Issuing a response

1. Once any queries around the information requested have been resolved and the appropriate approvals have been acquired, copies of the information will be sent to the data subject electronically wherever possible or, if this is not technically possible, by mail.

Will EquiServe charge a fee?

1. If the data subject’s access request is excessive or manifestly unfounded, EquiServe will charge Php 150.00 to cover the administrative cost involved in dealing with the request, plus postage fees if the required information cannot be delivered by electronic mail. In extreme circumstances, EquiServe reserves the right to refuse the data subject’s request.

What is the timeframe for responding to a subject access request?

1. As set out in the Policy Statement above, EquiServe will respond within one month (30 calendar days) of the DPO receiving the request and any information needed to verify the data subject’s identity, and will aim to complete the request in advance of that deadline.

TITLE: DATA PRIVACY AND PROTECTION POLICY

1. PURPOSE

• Protecting the security and privacy of customer, client, and employee personal data is important to Equicom Services (“EquiServe”). Through this policy, which will be known as the “Data Privacy and Protection Policy”, EquiServe operates in compliance with applicable laws on data privacy protection and data security, specifically Republic Act 10173 (“R.A. 10173”) of the Republic of the Philippines. The Data Privacy and Protection Policy supplements this national law and its implementing rules.

• EquiServe is committed to local and international compliance with data protection laws. This Data Privacy and Protection Policy applies to all EquiServe sites and employees and is based on globally accepted, basic principles on data protection.

• Ensuring data protection is the foundation of trustworthy business relationships and the reputation of EquiServe as a vendor, client, partner and employer. The Data Privacy and Protection Policy provides one of the necessary framework conditions for usage, collection, storage, control, and destruction of confidential personal information whether in electronic or physical form.

• R.A. 10173 will take precedence in the event that it conflicts with EquiServe’s Data Privacy and Protection Policy, or in cases where it has stricter requirements than this Policy.

2. SCOPE

The privacy protection standards and requirements contained in this Policy shall apply to all EquiServe sites that deal with the processing, collection, storing, or transfer of personal data, acting as a Personal Information Controller or as a Personal Information Processor.

3. DEFINITION OF TERMS

Personal Information Controller – refers to the company or person who controls the processing of personal data, or instructs another to process personal data on its behalf.

Personal Information Processor – refers to the company or person to whom a personal information controller may outsource or instruct the processing of personal data.

Data Subject – refers to an individual whose personal, sensitive personal, or privileged information is processed.

Consent of the Data Subject – refers to any freely given, specific, informed indication of the will, whereby the data subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged information. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful representative or an agent specifically authorized by data subject to do so.

Personal Information/Data – refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained such as birth date, gender, race, height, home address, civil status, government numbers (SSS, Philhealth, HDMF, TIN, Driver’s License, Passport), name of parents, spouse or children.

Processing – refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing if the personal data are contained or are intended to be contained in a filing system.

4. PROCESSING OF PERSONAL DATA

4.1 Purpose of Processing Personal Data

EquiServe may process Personal Information and Data that is reasonably adequate for and relevant to the following applicable purposes:
1. For human resources and personnel management processes which may include recruitment, workforce planning, training and performance management, compensation and benefits, leave and benefits management, pay slip distribution, employee information and skill management, employee survey, exit interviews and processed record, and health and safety. In such a case, EquiServe acts as a Personal Information Controller.
2. For Personal Data from personnel of suppliers and vendors, contributors, clients, prospects and visitors. In such a case, EquiServe also acts as a Personal Information Controller.
3. For business process execution and management processes which may include any activities or services done by EquiServe on behalf of or for the client. In such a case, EquiServe acts as a Personal Information Processor.

4.2 Rules To Follow While Processing Personal Data

Each EquiServe Center Site and its employees, including its suppliers, in processing personal information/data must observe the following principles:
1. Personal information must be processed fairly and lawfully.
2. Processing should ensure data quality.
3. Personal Information must be processed with transparency. The data subject must be aware of the nature, purpose and extent of the processing of his or her personal data, including the risks involved, the identity of personal information controller, his or her rights as a data subject and how these can be exercised.
4. Personal Information must be processed for one or more, declared, specified and lawful purpose(s) and may not be processed incompatibly with those purposes. Further processing of the data for historical, statistical or scientific purposes shall not be considered incompatible.
5. The processing of Personal Data must be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purposes for which the data is processed.
6. Personal Information must be accurate and kept up to date in such a way as to give a true picture of the current situation of the data subject.
7. Any authorized further processing shall have adequate safeguards.
8. Personal Information must not be kept for longer than is necessary. Information shall be erased when they have ceased to be necessary or relevant for the purpose for which they were obtained or recorded.
9. Personal information shall be disposed or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other party or the public or prejudice the interests of the data subjects.
10. Appropriate technical and organizational measures must be taken against unauthorized or unlawful processing of Personal Information as well as against accidental loss, destruction of or damage to that information.
11. The collection of information by fraudulent, unfair or illicit means is prohibited.

4.3 Additional rules to follow when EquiServe acts as Data Controller

EquiServe, when acting as a Data Controller, must comply with the following additional requirements:
1. Registration with the National Privacy Commission, as required by RA 10173.
2. Consent to process Personal Information must first be given by the Data Subject before collection, processing, or storage of any Personal Data, unless laid down otherwise by law. Every Data Subject must be informed of the purpose for which Personal Data is collected, stored, or processed.
3. EquiServe shall provide the Data Subject with the identity and address of the Data Controller or his representative, if any; the purposes of the processing; the recipients or categories of recipients of the data; and the existence of the rights of access to, rectification of, erasure of, and objection to the processing of the data concerning him/her.

5. TRANSFER OF DATA TO THIRD PARTY PROVIDERS

In all cases, EquiServe must ensure that the transfer or processing of Personal Data is done with proper and reasonable security and protection. It must be ensured that the receiving entity or any third party provider provides the same adequate level of protection.

6. RETENTION OF DATA

Storage of Personal Data by EquiServe must be made in accordance with the following rules:
a. The reasonable length of time for which Personal Data is kept must be reviewed periodically.
b. Such retention must conform to the purpose/s for which it was taken, and must not be kept after the purpose/s has/have been accomplished.
c. All Personal Data must be deleted or anonymized in a secured manner ensuring protection from unlawful or wrongful access.
d. Retained Personal Data must be accurate, archived and updated and it must be securely deleted once it goes out of date. It is the responsibility of the Data Subject to inform EquiServe of any inaccuracy or update to his/her personal data. However, EquiServe will exert commercially reasonable effort to maintain its database as accurate and updated as possible.
Where EquiServe shares Personal Data among its subsidiaries, those subsidiaries must agree what to do with such Personal Data once they no longer need to share the information.

The “Document Retention and Destruction Policy” (HR-2017-035) contains the breakdown of the detailed retention periods of all files and/or documents which contain personal data. Upon the lapse of the designated retention period, said files and/or documents are disposed of accordingly.

7. DATA DESTRUCTION

EquiServe shall destroy / dispose of, in a manner rendering data unreadable and inaccessible, all information or data after it has been retained for the period specified in the “Document Retention and Destruction Policy” (HR-2017-035). 

As to the process of destruction or disposal, kindly refer to HR-2017-035 for its details. 

No personal data or information shall be destroyed or disposed of without first acquiring the approval of EquiServe’s Data Protection Officer and Information Security Officer. Any form of destruction or disposal of data or information without the aforementioned approval shall subject the party performing the disposal and destruction to disciplinary action.

8. INFORMATION SECURITY

a. EquiServe must ensure that only authorized people can access, alter, disclose or destroy Personal Data and that those people only act within the scope of their authority in relation to Personal Data. A system must be created to:
       (i) protect Personal Data from accidental loss, alteration, or destruction and
       (ii) also make such Personal Data recoverable to prevent any damage or distress to the Data Subjects concerned.
b. Safeguards must be put in place to protect Personal Data. These safeguards may include physical and environmental security, such as facility and workstation access control; computer security, such as security devices and encryption; and employee security awareness, such as new hire and annual training. Every EquiServe site must implement a risk assessment and must be accountable for the organizational, policy, procedural and documentation requirements.
c. Security requirements of local laws must be complied with. IT standards must conform to local and contractual requirements. Therefore, Information Security officers must always refer and keep up-to-date regarding applicable specific or local security standards when addressing security of Personal Data.
d. In case of any Personal Data breach, EquiServe must engage a breach-management plan which includes at least the following:
i. Breach Containment and Recovery – EquiServe must resolve the incident by applying a recovery plan and, where necessary, procedures for damage limitation.
ii. Risk Assessment – EquiServe must assess the associated risks, such as the adverse consequences for individuals, the seriousness of the breach, and the risk of repetition.
iii. Breach Notification – EquiServe must inform the people concerned about an information security breach, the appropriate data protection authority, and other appropriate parties such as the police and the banks, as the case may be.
iv. Process Evaluation – An investigation must be conducted to determine the cause of the breach and evaluate the effectiveness of the response made. Policies and procedures must be updated accordingly.

8.1 DATA BREACH LOG

A personal data breach may occur due to different causes (e.g. unauthorized access, accidental deletion). EquiServe shall keep and maintain a record of all incidents relating to personal data breaches. The Data Breach Log shall be the main basis of the breach incident reports that have to be submitted to the National Privacy Commission annually.

As such, the Data Breach Log must contain the following:

a. Name of respondent/person reporting the incident;
b. Name of the erring maven/employee;
c. Client account (for operations)/department (for support) exposed;
d. Name of immediate supervisor of erring maven/employee;
e. Type/nature of breach;
f. Date of the breach incident;
g. Date of discovery of the incident;
h. Brief description of the incident;
i. List of personal information exposed;
j. Actions taken at the time of discovery of the breach;
k. Status of the incident.

9. COMPLIANCE OF EMPLOYEES

Every employee of EquiServe is mandated to be aware of and to comply with all actions necessary to ensure compliance with the Data Privacy Act. As such, the following are compulsory undertakings for every employee prior to deployment to production:

1. FOR NEW HIRES AND RETURNING EMPLOYEES – during their onboarding, they must:

a. Attend Data Privacy and Information Security (InfoSec) Awareness Training;
b. Pass BOTH the Data Privacy Assessment Exam and the InfoSec Assessment Exam;
c. Sign BOTH agreements to comply with EquiServe’s Data Privacy and InfoSec Policies.

2. FOR EXISTING / OLD EMPLOYEES

- Undertake the same above-mentioned tasks on an annual basis.
- Awareness Training and Assessment Exams shall be given every third Monday of January.

A memorandum regarding this matter has been released and cascaded by the Human Resource Department, whereby the following actions may be taken in case of non-compliance by employees:

1. The IT Department may temporarily disable the accounts of employees who have not yet passed their exams;
2. HRD may impose the necessary sanctions for non-compliance in accordance with Section 21 of the Data Privacy Table of Offenses.

10. SCHEDULE OF REVIEW OF POLICIES

All policies pertinent to compliance with the Data Privacy Act shall be reviewed annually by the Data Privacy Management Team. Said review shall be conducted in January of each year.

Any significant changes should be noted on the Policy Revision History of each policy. Should there be no significant changes on a particular policy, the team shall simply note the date of its review.

11. PRIVACY IMPACT ASSESSMENT (PIA) UPDATES

EquiServe conducts a Privacy Impact Assessment (PIA) to identify its risk areas in the conduct of its day-to-day business. Each department and campaign from both the support and operations teams shall conduct its own PIA and ensure that the PIA is kept up to date.

A department or campaign head shall be a member of the Data Privacy Committee and each head shall serve as the “Process Owner” for their respective Department or Campaign. Any changes on the Process Owners must be communicated to the Data Privacy Management Team for the appropriate action (e.g. revision of DP Committee Members Memo) to be taken.

For new campaigns, a PIA Briefing must first be conducted prior to the accomplishment of the PIA Form / Report. The PIA Forms / Reports are to be reviewed on an annual basis, in March of each year, for purposes of monitoring and mitigating identified risks.

12. WEBSITE CONTENT

In relation to Data Privacy Compliance, EquiServe’s official website must contain the following:

1. Privacy Notice;
2. Cookies Banner / Policy;
3. Data Protection Officer Contact Information;
4. Data Subject Request to Access / Modify Data Form;
5. Exercise of Data Subject Rights;
6. Breach Reporting Mechanism

The IT department shall ensure that the above-mentioned items are easily and conveniently found by all website visitors.

13. COOPERATION WITH DATA PROTECTION AUTHORITIES

EquiServe and its employees have a duty to cooperate with, and to respond diligently and appropriately to, any inquiry or request made by the appropriate local data protection authorities. Such a request may include an audit inquiry or a request for EquiServe to be audited, if deemed necessary, and EquiServe must comply with the advice of the Data Protection Authorities on any issue regarding these standards or compliance with privacy laws.

14. SANCTIONS

Any employee who has attempted to breach, or has allegedly or in fact breached, this Policy, whether by negligence or willful misconduct, will be subject to disciplinary sanctions at EquiServe’s sole discretion, up to and including termination of employment, in accordance with the Company Data Privacy Table of Offenses, the Code of Conduct, RA 10173, and/or its implementing rules and regulations.


DPO CONTACT DETAILS

Data Protection Officer: Ramil Yabyabin
Official Designation: Head, Information Technology
Email Address: ramil.yabyabin@equicomservices.com
Contact No: +63(2)8548-4766 loc. 795


DATA PRIVACY RIGHT FORM

IDs to be presented as proof of identity: kindly provide photocopies of at least 2 valid IDs. If the requestor is not the Data Subject, provide an authorization letter along with a photocopy of 1 valid ID of the requestor and a photocopy of 1 valid ID of the Data Subject.

RIGHT TO BE EXERCISED: (You may check more than one item)

BREACH FORM

A personal data security breach is any event that has the potential to affect the confidentiality, integrity or availability of personal data held by EquiServe in any format. If you become aware of any actual or potential breach, report the incident by sending an email to datasecuritybreach@equicomservices.com.