SCOPE

2.1 This Policy describes CIC’s program in relation to the collection and processing of all personal data.

2.2 CIC reserves the right to amend and/or modify its Policy in case of changes to personal data processing activities or to comply with any future developments in data privacy regulations, provided that CIC shall exert reasonable efforts to effectively notify affected data subjects, and appropriately obtain their consent where applicable.

2.3 This Policy applies to all personal data processing activities conducted by CIC, including, but not limited to, the collection, use, storage, sharing and disposal of all personal data about the organization’s employees, customers, business partners, and other data subjects.
POLICY PROVISIONS

3.1 Personal Data Collection and Use

3.1.1 Employees' Personal Data
We collect and process personal data from our employees to comply with relevant laws and regulations in relation to their employment and for administrative purposes (identification, pre-employment processing, payroll, security).

3.1.2 Customers' Personal Data
We collect and process personal data from past, current and prospective customers for (1) business/client development, (2) improvement of our products and services, (3) communicating with our customers, (4) sales, marketing, aftermarket and research and development purposes, (5) the achievement of corporate objectives and business endeavors, and (6) compliance with applicable laws, rules and regulations.

3.1.3 Personal Data of Other Data Subjects
We collect and process personal data from past, current and prospective business partners, third-party suppliers and service providers, sub-contractors, and the like for (1) business/client development, (2) improvement of our products and services, (3) communications relating to past, ongoing and future business, (4) sales, marketing, aftermarket and research and development purposes, (5) the achievement of corporate objectives and business endeavors, and (6) compliance with applicable laws, rules and regulations.

3.2 Rights of Data Subjects
CIC recognizes that data subjects, whether employees or customers or other data subjects, are accorded the following rights:

Right to be informed
- CIC should always secure the express consent of the Data Subject before collecting, processing or storing any Personal Data of the Data Subject.
- CIC should immediately notify the Data Subject in the event that the latter’s Personal Data is breached.

Right to access
The Data Subject has the right to request access to his/her Personal Data. Whenever there is such a request, CIC should:
- Provide the Data Subject a written description, and a copy, of the information CIC has about the Data Subject as well as the purposes for holding them
- Provide the Data Subject access to the following:
  - The contents of the Personal Data that were processed;
  - Sources from which Personal Data were obtained;
  - Names and addresses of the recipients of the Personal Data;
  - Manner by which Personal Data was processed;
  - Reasons for disclosure to recipients, if any;
  - Information on automated systems where the Personal Data is or may be available and how it will affect the Data Subject;
  - Date when the Personal Data was last accessed or modified;
  - Identity and address of the personal information controller.

Right to object
- The Data Subject has the right to object to any use of his/her Personal Data if the Data Subject did not give express consent. As such, CIC should always secure the consent of the Data Subject before it uses the Personal Data of the latter.
- In case CIC decides to update its Personal Data Collection Notice, CIC should notify the Data Subject and secure the latter’s express consent again.

Right to erasure or blocking
- The Data Subject has the right to suspend, withdraw or order the blocking, removal or destruction of his/her Personal Data upon discovery or substantial proof of the following:
  - The Personal Data is incomplete, outdated, false or unlawfully obtained;
  - The Personal Data is being used for unauthorized purposes;
  - The Personal Data is no longer necessary for the purposes for which they were collected;
  - The Data Subject withdrew consent or objected to its processing and there is no overriding legal ground for its processing;
  - The data collected concerns information prejudicial to the Data Subject;
  - The processing of data is unlawful;
  - The personal information controller or processor violated the rights of the Data Subject.
- Upon receipt of a request to suspend, withdraw, block, remove or destroy Personal Data based on the above grounds, and provided there is substantial proof of the same, CIC should comply with the request of the Data Subject within a reasonable time and notify the Data Subject of its compliance with the request.

Right to damages
- CIC should ensure that all Personal Data collected are accurate, complete, updated, true, and obtained and used lawfully.
- Failure of CIC to comply with the above may result in the right of the Data Subject to collect damages from CIC as a result of the latter’s violation of the rights of the Data Subject.

Right to file a complaint with the National Privacy Commission (NPC)
- CIC should properly use data collected and should not improperly disclose or dispose of such data.
- Failure of CIC to comply with the above will be a ground for the Data Subject to file a complaint with the NPC.

Right to rectify
- The Data Subject has the right to dispute and have corrected any inaccuracy or error in the data that CIC holds about the former.
- CIC should immediately and accordingly act on the request of the Data Subject, unless such request is unreasonable.
- Once corrected, CIC should ensure that the Data Subject receives, and has access to, both the new and retracted information.
- CIC should also inform its third-party processors, if any, should the Data Subject request it.

Right to data portability
- The Data Subject has the right to obtain and electronically move, copy or transfer his/her data in a secure manner, for further use.
- CIC should make data portability an available and instant option for its Data Subjects.

3.3 General Policy on Collection and Use
It is the policy of CIC to:

3.2.1 Adequately inform data subjects of their rights;

3.2.2 Ensure that data subjects are fully informed of all processing activities of CIC as controller including the scope, purpose and means for such processing, its sources, recipients, methods, disclosures to third parties and their identities, manner of storage, period of retention, manner of disposal and any changes thereto before the same is implemented;

3.2.3 Obtain the express, informed and properly documented consent of data subjects, where applicable, for CIC’s data processing activities. Where the processing does not require consent from data subjects, CIC shall endeavor to fully inform data subjects of the basis under law and rules of such processing;

3.2.4 Ensure that data subjects have the facility to reasonably exercise their rights and that the organization can respond to such requests within reasonable time, including the provision of personal data in data portable format in response to a request for information;

3.3.5 Ensure that data subjects have the facility to dispute any error in their personal data, to object to any changes in the manner and purpose by which their personal data is being processed, to withdraw consent where applicable, and to suspend, withdraw, block, destroy, or remove any unnecessary, falsely collected or unlawfully processed personal data;

3.3.6 Ensure that the personal data obtained from data subjects are proportional, necessary and limited to the declared, specified and legitimate purpose of the processing;

3.3.7 Ensure that the personal data of data subjects are retained for only a limited period or until the lawful purpose of the processing has been achieved;

3.3.8 Ensure that the personal data of data subjects are disposed of in a secure manner;

3.4 Governance
CIC appointed Data Protection Officers (DPO) and Compliance Officers (CO) for each of its subsidiaries/affiliates who all report to and are managed by the Group Data Protection Officer. These officers are tasked to monitor compliance with any and all applicable data privacy laws, rules and regulations.
The Data Privacy Officers/Compliance Officers may be reached through the following contact information should there be concerns on CIC’s privacy practices, policies, and requests concerning data subjects’ rights:
The Data Protection Office
Office Address: Concepcion Industrial Corporation (CIC Corporate) Km. 20 East Service Road SLEX, Alabang, Muntinlupa City, 1771
Data Protection Office

3.5 Policy on Personal Data Security

3.5.1 Storage and Access
Personal data (in whatever form) shall be stored in a secure data center covered by appropriate data security standards. Transfers of personal data internally or externally from CIC shall only be made in accordance with strict security protocols and under modes of transfer compliant to the appropriate data security standards.

3.5.2 Retention and Disposal
Personal data can only be retained for a limited period, which shall be ten (10) years or until the lawful and legitimate purpose of the processing is achieved. To that effect, we have established procedures for securely disposing files that contain personal data (in whatever form).

3.5.3 Management of Third-Party Risks
When all or a portion of the personal data processing is outsourced to a third-party, CIC will make sure that such third party shall be covered by the appropriate contracts that will enforce adequate data security standards under terms and conditions compliant with the requirements of both local and/or foreign law, where necessary.

3.5.4 Personal Information Controllers
CIC shall ensure that any disclosures or transfers of personal data to controllers shall be governed by legally-compliant data sharing agreements and in accordance with the rights of data subjects. Data subjects shall be duly informed and consent from them obtained, where applicable, before such data sharing activities are performed.

3.6 Personal Data Breach
Personal Data Breach refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. Personal Data Breaches shall be subject to notification and remediation requirements.

3.7 Continuous Personnel Training
CIC requires its employees to undergo periodic and mandatory training on privacy and data protection in general and in areas reflecting job-specific content. Likewise, it will ensure that all employees, representatives, and agents exposed to personal data pursuant to their function are adequately bound by strict confidentiality.
Any non-conformance with this Policy by an employee of CIC or any CIC Subsidiary shall be dealt with as a violation of the Discipline Policy, punishable by up to termination.