Privacy Policy

POLICY STATEMENT

T One Project Management, Inc. (the “Company”) is committed to providing an honest and transparent service. Hence, through this policy, the Company affirms its commitment and rightful duty to collect, store, process and dispose of personal information in accordance with the applicable laws and regulations on data privacy.

This Policy is hereby adopted in compliance with Republic Act No. 10173 or the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations, and other relevant policies, including issuances of the National Privacy Commission.

PURPOSE

This policy aims to draw out the process as well as the terms and conditions under which the Company collects, stores, processes and disposes of personal data. The Company ultimately seeks to exude transparency in any and all of its processes, and aims to adhere to the general principles of transparency, legitimate purpose, and proportionality in the collection, storage, processing, and disposal of data as required by applicable law.

SCOPE

This policy shall apply to the Company’s operations worldwide, including offices apart from the head office. All Company directors, officers and employees share the responsibility to prevent and/or counter bribery and corruption in the Company by adhering to this policy. 

This policy shall apply to all employees of the Company, regardless of employment status.

All directors, officers and employees are hereby obliged to make sure that any and all interactions with both private entities and their representatives, and the Government and other public officials, comply with all relevant foreign and local legislation. It is also reasonable for the Company to expect the suppliers, contractors and dealers to uphold the same standards as set out in this policy.

DEFINITION OF TERMS

  1. Business Day means any day that Philippine banks are open for business in Taguig City.
  2. Confidential Information means all information, of any nature and in any form, whether written, oral, recorded or transmitted electronically or in any other manner (regardless of whether such information is marked as “Confidential” or “Proprietary,” or by other similar designation), provided to the Company, through themselves or their respective representatives, including, without limitation, to information that relates to: (a) the Purpose; (b) the Data Subject or its affiliates and related companies, or their respective affairs including of any of their clients or customers; or (c) the business, production, processes and services of the Data Subject or its affiliates and related companies, including, but not limited to, information related to products, customers, suppliers, know-how, trade secrets, market opportunities, business plans, prospects, operations, systems, computer software in source code and object code form, documentation, techniques, procedures, designs, drawings, specifications, the existence and terms of certain agreements, schematics, intellectual property, research, development, inventions, products under development, purchasing, accounting, information technology, engineering, marketing, merchandising, pricing, selling, and lists of employees and customers.  The term “Confidential Information” shall be deemed to include, in addition to the information described above, all notes, analyses, compilations, summaries, studies, interpretations or other materials or documents prepared by the Company or its representatives to the extent that these contain, reflect or are based upon, in whole or in part, the Confidential Information furnished to the Company or its representatives pursuant hereto.  
  3. Data Subject refers to an individual whose personal, sensitive personal or privileged information is processed by the Company. It may refer to officers, employees, consultants, and clients of this organization.
  4. DPA means the Data Privacy Act of 2012 and its implementing rules and regulations, as well as the circulars issued by the National Privacy Commission from time to time.
  5. Personal Information refers to any information from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information, would directly and certainly identify an individual;
  6. Processing refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating, or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system.
  7. Sensitive Personal Information refers to personal information: (1) about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; (2) about an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings; (3) issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; or (4) specifically established by an executive order or an act of Congress to be kept classified.

NON-APPLICABILITY

This Policy shall not apply to:

  1. Information processed for the purpose of allowing public access to information that falls within matters of public concern, pertaining to:
    1. Information about any individual who is or was an officer or employee of government that relates to his or her position or functions;
    2. Information about an individual who is or was performing a service under contract for a government institution, but only insofar as it relates to such service, including his name and the terms of his contract; and
    3. Information relating to a benefit of a financial nature conferred on an individual upon the discretion of the government, such as the granting of a license or permit, including the name of the individual and the exact nature of the benefit: Provided, that they do not include benefits given in the course of an ordinary transaction or as a matter of right.
  2. Personal information processed for journalistic, artistic or literary purpose, in order to uphold freedom of speech, of expression, or of the press, subject to requirements of other applicable law or regulations;
  3. Personal information that will be processed for research purpose, intended for a public benefit, subject to the requirements of applicable laws, regulations, or ethical standards;
  4. Information necessary in order to carry out the functions of public authority, in accordance with a constitutionally or statutorily mandated function pertaining to law enforcement or regulatory function, including the performance of the functions of the independent, central monetary authority, subject to restrictions provided by law. Nothing in this Act shall be construed as having amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);
  5. Information necessary for banks, other financial institutions under the jurisdiction of the independent, central monetary authority or Bangko Sentral ng Pilipinas, and other bodies authorized by law, to the extent necessary to comply with Republic Act No. 9510 (CISA), Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act, and other applicable laws;
  6. Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.  The burden of proving the law of the foreign jurisdiction falls on the person or body seeking exemption.  In the absence of proof, the applicable law shall be presumed to be the Act and these Rules:

Provided, that the non-applicability of this policy shall not extend to personal information controllers or personal information processors, who remain subject to the requirements of implementing security measures for personal data protection; 

Provided further, that the processing of the information provided in the preceding paragraphs shall be exempted from the requirements of the Act only to the minimum extent necessary to achieve the specific purpose, function, or activity.

COLLECTION AND PROCESSING OF PERSONAL DATA

The following are the ways in which data is acquired:

  1. Through publicly available data from public sources, including any online presence in social media platforms, news clippings, etc.
  2. When an entity or person enters into an agreement with the Company, whether or not written;
  3. When an entity or person becomes an employee, officer, consultant, agent, supplier or service provider of the Company;
  4. When an entity or person submits to the Company any application, form, request, notice, or some other document;
  5. When a person inquires or applies for employment;
  6. When an entity or person attends any of the Company’s events, webinars, meetings, etc.
  7. When an entity or person accesses, browses, visits, or uses any of the Company’s websites, platforms, social media presence, and other online presence; or
  8. When an entity or person provides us with personal data, whether directly or through another.

PURPOSE OF DATA COLLECTION

The Company collects and processes personal data for the purposes as stated in the agreement, contract, application and any other related form, to enable the Company to achieve the purposes for which such agreement is executed. In particular, the personal data may be used to:

  1. comply with the rights and obligations under the agreements entered into, by law, and such other acts as may be required by our operations and in pursuit of the Company’s legitimate business and commercial objectives;
  2. improve the Company’s services and address issues and concerns regarding the issues raised;
  3. implement protocols and best practices;
  4. obtain insights regarding the Company’s services and operations;
  5. conduct surveys, research, and other data gathering activity;
  6. market, promote and share information about the Company and the services it offers;
  7. keep in touch with connections;
  8. perform audits and due diligence for compliance and other review by advisers or third parties.

RECIPIENTS OF DATA

The recipients of personal data under the Company’s custody include persons within the company itself and third parties to whom we have or may outsource activities, advisers, suppliers, and service providers. 

Some recipients may be from another country; hence, cross-border transfers may occur.

The personal data under the Company’s custody may be disclosed without the consent of the data subject: 

  1. to the extent required by law or by lawful order of any court or tribunal (whether administrative, legislative or judicial), 
  2. for purposes of dispute resolution or the enforcement of rights and obligations under this Agreement, 
  3. to the extent such information has become generally available to the public other than as a result of a breach by the disclosing party of its obligations under this Agreement, 
  4. by a party or any of its shareholders to its directors, officers, employees, agents and advisers who reasonably require such information in the course of their duties and responsibilities; and, 
  5. disclosures required by any stock exchange.  In respect of items (i) and (ii), the Recipient shall advise the other party in writing of the need to disclose prior to disclosure. 

With respect to the above enumeration, the Company shall take all necessary steps to ensure that the person or persons to whom the Confidential Information will be disclosed, agrees to keep the information confidential and restrict its use in accordance with the purpose for which the data were collected.

CONSENT AND OTHER CRITERIA FOR PROCESSING OF DATA

In the event that the Company acquires the data subject’s personal data through any of the interactions mentioned in COLLECTION AND PROCESSING OF PERSONAL DATA, in providing or making available the personal data, the data subject agrees and consents to our collecting, using, disclosing, sharing and processing the personal data for the purposes as mentioned in the PURPOSE OF DATA COLLECTION, and in the manner and under the terms and conditions in this Policy.

For the purposes not mentioned in this policy, the applicable laws shall be the basis for the additional criteria for which the Company can process the personal data in its custody.

SCOPE AND METHOD OF COLLECTION AND PROCESSING

  • The Company shall follow the standard manual and computerized methods and systems to file, store and process personal data. Handling, collection and processing of personal data shall be done in accordance with this policy and applicable laws.
  • The storage and retention of personal data shall be for such period as may be required by applicable law or as may be needed to enable the Company to fully and efficiently achieve the Purposes.

AMENDMENTS TO THE POLICY

This policy may be amended or superseded at any time, which amendment or new policy shall be published and the concerned subjects shall be notified.

RIGHTS OF THE DATA SUBJECT

Under the DPA, data subjects have the following rights:

1. Right to be informed.

The data subject has a right to be informed whether personal data pertaining to him or her shall be, are being, or have been processed, including the existence of automated decision-making and profiling.

The data subject shall be notified and furnished with information indicated hereunder before the entry of his or her personal data into the processing system of the personal information controller, or at the next practical opportunity:

  • Description of the personal data to be entered into the system;
  • Purposes for which they are being or will be processed, including processing for direct marketing, profiling or historical, statistical or scientific purpose;
  • Basis of processing, when processing is not based on the consent of the data subject;
  • Scope and method of the personal data processing;
  • The recipients or classes of recipients to whom the personal data are or may be disclosed;
  • Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized, including meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
  • The identity and contact details of the personal data controller or its representative;
  • The period for which the information will be stored; and
  • The existence of their rights as data subjects, including the right to access, correction, and object to the processing, as well as the right to lodge a complaint before the Commission.

2. Right to Object.

The data subject shall have the right to object to the processing of his or her personal data, including processing for direct marketing, automated processing or profiling. The data subject shall also be notified and given an opportunity to withhold consent to the processing in case of changes or any amendment to the information supplied or declared to the data subject in the preceding paragraph.

When a data subject objects or withholds consent, the personal information controller shall no longer process the personal data, unless:

  • The personal data is needed pursuant to a subpoena;
  • The collection and processing are for obvious purposes, including, when it is necessary for the performance of or in relation to a contract or service to which the data subject is a party, or when necessary or desirable in the context of an employer-employee relationship between the collector and the data subject; or
  • The information is being collected and processed as a result of a legal obligation.

3. Right to Access.

The data subject has the right to reasonable access to, upon demand, the following:

  • Contents of his or her personal data that were processed;
  • Sources from which personal data were obtained;
  • Names and addresses of recipients of the personal data;
  • Manner by which such data were processed;
  • Reasons for the disclosure of the personal data to recipients, if any;
  • Information on automated processes where the data will, or is likely to, be made as the sole basis for any decision that significantly affects or will affect the data subject;
  • Date when his or her personal data concerning the data subject were last accessed and modified; and
  • The designation, name or identity, and address of the personal information controller.

4. Right to Rectification.

The data subject has the right to dispute the inaccuracy or error in the personal data and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable. If the personal data has been corrected, the personal information controller shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by the intended recipients thereof: Provided, That recipients or third parties who have previously received such processed personal data shall be informed of its inaccuracy and its rectification, upon reasonable request of the data subject.

5. Right to Erasure or Blocking

The data subject shall have the right to suspend, withdraw or order the blocking, removal or destruction of his or her personal data from the personal information controller’s filing system.

(a) This right may be exercised upon discovery and substantial proof of any of the following:

a. The personal data is incomplete, outdated, false, or unlawfully obtained;

b. The personal data is being used for a purpose not authorized by the data subject;

c. The personal data is no longer necessary for the purposes for which they were collected;

d. The data subject withdraws consent or objects to the processing, and there is no other legal ground or overriding legitimate interest for the processing;

e. The personal data concerns private information that is prejudicial to the data subject, unless justified by freedom of speech, of expression, or of the press or otherwise authorized;

f. The processing is unlawful;

g. The personal information controller or personal information processor violated the rights of the data subject.

(b) The personal information controller may notify third parties who have previously received such processed personal information.

6. Right to Damages.

The data subject shall be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, taking into account any violation of his or her rights and freedoms as data subject.

TRANSMISSIBILITY OF RIGHTS OF THE DATA SUBJECT

The lawful heirs and assigns of the data subject may invoke the rights of the data subject to which he or she is an heir or an assignee, at any time after the death of the data subject, or when the data subject is incapacitated or incapable of exercising the rights as enumerated in the immediately preceding section.

EXERCISE OF RIGHTS AND LIMITATIONS; DATA PROTECTION OFFICER

The rights of the data subject are not applicable if the personal data are processed only for scientific and statistical research purposes, and without being used as basis for carrying out any activity or taking any decision regarding you as the data subject. 

The rights of the data subject are also subject to the limitations as set out by law.

The law further requires that the data subject may only exercise his/her rights in a reasonable and non-arbitrary manner, and with regard to rights of other parties.

All requests, demands or notices which the data subject may make under this policy or applicable law must be made in writing, and shall be made in accordance with the following:

  • Any inquiry related to this policy shall be made by contacting the Company’s Data Protection Officer through the following:
    • LEONID LEE C. SERRANO
      • Corporate Secretary/Data Protection Officer
      • T: (+632) 403 5519
      • M: (+63) 917 816 2001
      • E: leonidlee.serrano@kmcmaggroup.com
  • All requests, demands or notices which a data subject may send or submit must be in writing, should be addressed to the Data Protection Officer using the contact details above, and will be deemed duly given (i) on the date of delivery if delivered personally, (ii) on the third Business Day following the date of sending if delivered by a nationally recognized next-day courier service and the service has confirmed delivery, or (iii) if given by electronic mail, when such electronic mail is transmitted to the email address specified above and the appropriate confirmation has been received by the sender via email.

SECURITY MEASURES

The Company shall remain true to its commitment of providing appropriate security measures to protect all personal data against unauthorized access or unauthorized alteration, disclosure, or destruction. These measures include internal reviews of the data collection, storage, and processing practices, as well as physical security measures to protect information against unauthorized access. 

In accordance with this policy, access to personal data is restricted and shall remain restricted to personnel who need that information to perform their functions.

DATA BREACHES

The Company shall adhere to the relevant provisions of rules and circulars on handling personal data security breaches, including notification to the Data Subject or to the National Privacy Commission, where sensitive personal information or information that may be used to enable identity fraud has been acquired by an unauthorized person, and such acquisition is likely to give rise to a real risk of serious harm to the affected data subject.
