A. PRIVACY STATEMENT
Ayala Corporation (“AC”) values an individual’s right to privacy. As such, we ensure that all personal data collected from our customers, vendors, partners, employees, agents and other stakeholders and processed by the organization, our subsidiaries and affiliates are protected at all times in accordance with Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 (“Data Privacy Act”), its corresponding Implementing Rules and Procedures (“IRR”), and the existing Memorandum Circulars and Advisories issued by the National Privacy Commission (“NPC”). Likewise, we make it a point to inform individuals from whom we collect such data of our personal data processing activities and to respect and enforce their rights as data subjects.
1. This document enumerates AC’s organizational policy in relation to the collection, use, storage, sharing and disposal of all personal data processed by the organization in accordance with the Data Privacy Act, its IRR, and all related issuances of the NPC.
2. AC maintains the right to amend and/or modify this document to comply with any future developments in local and/or foreign data privacy regulations where applicable and to reflect any changes in the organization’s policies and/or personal data processing activities.
C. DEFINITION OF TERMS
• Data Subject refers to any individual whose personal data is processed.
• Data Sharing refers to the disclosure or transfer to a third party of personal data under the control or custody of a personal information controller. The term excludes outsourcing, or the disclosure or transfer of personal data by a personal information controller to a personal information processor.
• Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
• Personal Information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
• Personal Information Controller refers to any person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.
• Personal Information Processor refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.
• Sensitive Personal Information refers to personal information (a) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; (b) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings; (c) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and (d) Specifically established by an executive order or an act of Congress to be kept classified.
• Personal Data collectively refers to all categories of personal information.
D. COLLECTION AND USE OF PERSONAL DATA
1. INFORMATION WE COLLECT AND FOR WHAT PURPOSE
We collect and process the following types of personal data, among others:
a. Contact Information and employment and/or business affiliation of our customers and individuals representing or affiliated with our vendors, partners, investors and other business contacts
b. Personal details, credit history, government issued identification, bank account and credit card information of our customers
c. Shareholder information found in publicly available Securities and Exchange Commission (“SEC”) documents
d. Contact information, employment history, educational background, biometric information, organizational affiliation, filial relations, gender, date of birth, religion, ethnicity, civil status, citizenship, physical medical history, past criminal and/or administrative records, government issued identifying information (such as Pag-IBIG, SSS, TIN, PhilHealth, Professional IDs, Passport, and Birth Certificates), payroll information, company identification of our prospective job applicants, current employees, agents and stakeholders.
e. Information about visitors to our website and social media profiles as well as individuals who use our digital platforms and/or mobile applications. Such information may include, among others, social media profiles, browsing activities, IP Addresses, services procured, and links visited.
2. PURPOSE OF COLLECTION
In general, we collect and process personal data for purposes of service fulfilment, the achievement of strategic corporate objectives and development, fostering investor relations, internal operations, communications and administration, human resource and financial management, and compliance to applicable laws, rules and regulations.
a. Vendors, Partners, Investors and other Business Contacts
i. For purposes of conducting appropriate and necessary due diligence;
ii. For purposes of verification, assessment and accreditation;
iii. For purposes of communication and maintenance of continuous business relations;
iv. To exercise or defend any legal claims of the organization; and
v. To fulfill and enforce any contractual terms and obligations we may have with them
i. To administer, monitor and manage the relationship between AC and its shareholders, including the protection of their rights under the applicable laws and regulations; and
ii. To communicate to shareholders all relevant information regarding the organization’s performance, activities, policies, management and operations.
We collect and process personal data from and about our employees for administrative and human resource development purposes as well as in compliance to applicable regulations and/or laws, including, but not limited to: identity verification; pre-qualification and post-qualification assessment; processing of employment compensation and benefits; internal security; compliance to regulatory requirements; for the protection of lawful rights and interests of the organization in internal administrative and court proceedings, or the establishment, exercise or defense of legal claims of the organization.
3. HOW WE COLLECT AND PROCESS PERSONAL DATA
We collect both electronic and physical personal data from the following sources:
a. Directly from customers when they avail of any of our products and/or services. We also collect such information when customers, among others, contact us through our agents and representatives, and sign up to receive communications from us, respond to our surveys, participate in our events, and/or receive queries, requests and complaints from them; and indirectly through third-party sources such as social media sites, publicly available databases and government repositories and/or from other customers.
b. We also obtain such information when customers visit our website and social media profiles as well as when they use our digital platforms and/or mobile applications.
c. When individuals representing or affiliated with our vendors, partners, investors and other business contacts voluntarily provide us with their contact information in order to develop business relations and/or complete legitimate transactions with them.
d. Directly from our employees and job applicants through their curriculum vitae, personal information sheets, submitted medical records and government documents, and interview and training assessment results conducted by authorized personnel, and pre-employment health screening and indirectly from the verification efforts of third-party employee background/screening service providers, job search sites and/or other social media sites and references from previous employers and other third parties.
E. DISCLOSURES OF INFORMATION
We generally do not sell or disclose the personal data we process to third parties without the consent of data subjects unless we are legally required to do so; if it is necessary to fulfill the purposes for which we process personal data as mentioned above; or if such action is necessary to protect, defend and/or enforce our rights, property or the personal safety of our employees and other individuals.
We allow access to personal data to authorized third-party service providers/suppliers/subcontractors/consultants who provide outsourced functions including, among others:
1. Automated payroll processing and management to ensure timely and proper compensation as well as compliance to existing employment regulations;
2. Automated human resource database, loans and benefits management systems;
3. Cloud storage systems to meet the company’s storage management requirements;
4. Online Portal/Application-based services facilities;
5. Systems integration software for the various business management systems, productivity tools and/or applications, and such other products and/or services;
6. External professional advice and consultation including audits, legal assessments, comparative compensation studies and evaluations; and
7. Other financial, technical, architectural and administrative services such as information technology, payroll, accounting, sales administration, procurement, training and other services.
The Company remains responsible over the personal data disclosed to such third parties. As such, we ensure that such third parties are contractually obligated to comply with the requirements of the Data Privacy Act and shall process your data strictly in accordance with the purposes enumerated above. You may request for additional information on the identities of these parties from the Office of the Data Protection Officer.
F. THE RIGHTS OF DATA SUBJECTS
AC fully recognizes that under the Data Privacy Act, our customers, employees, vendors, partners, investors, shareholders and other business contacts, as data subjects, are accorded the following rights:
• Right to be informed
They have the right to demand and be informed of the details about the type of personal data, the purpose of processing, and how they are being processed by AC, including its sources, recipients, methods, disclosures to third parties and their identities, automated processes, manner of storage, period of retention, manner of disposal and any changes to such processing activities before the same is undertaken.
• Right to access
They have the right to have reasonable access to their personal data, sensitive or otherwise, upon demand. They have the right to review and amend their personal data processed by AC in case there are errors.
• Right to dispute
They have the right to dispute inaccuracy or error in personal data processed by AC.
• Right to object
They have the right to reject further processing of their personal data, including the right to suspend, withdraw, and remove their personal data in possession of AC which are falsely collected or unlawfully processed.
G. POLICY ON THE COLLECTION AND USE OF PERSONAL DATA
In relation to the rights of Data Subjects, it is AC’s policy to:
1. Ensure that data subjects affected by the organization’s personal data processing activities are fully and adequately informed of their rights;
2. Ensure that they are fully and adequately informed of all processing activities performed by AC with respect to their personal data;
3. Ensure that their consent is obtained in accordance with the requirements set forth in the Data Privacy Act, its Implementing Rules and Regulations, and Memorandum Circulars issued by the NPC where applicable. Where the processing does not require consent from our customers and employees in the instances set forth in Sections 12 and 13 of the Data Privacy Act pertaining to the Criteria for the Lawful Processing of Personal Information and the Criteria for the Lawful Processing of Sensitive Personal Information, respectively, such rules and procedures will ensure that our customers and employees are fully and adequately informed of the bases of such processing other than consent;
4. Ensure that they have the facility to reasonably access, review and amend their personal data and to request for copies thereof in a commonly portable format;
5. Ensure that they have the facility to: dispute any inaccuracy or error in their personal data, object to any changes in the manner and purpose by which they are processed, withdraw consent where applicable, and to suspend, withdraw, block, destroy, or remove any unnecessary, falsely collected or unlawfully processed personal data;
6. Ensure that such personal data are proportional, necessary and limited to the declared, specified and legitimate purpose of the processing;
7. Ensure that such personal data are retained for only a limited period or until the lawful purpose of the processing has been achieved;
8. Ensure that such personal data are destroyed or disposed of in a secure manner;
9. Ensure that they have the facility to lodge complaints to AC relating to any violations to their rights as data subjects and that such complaints are adequately and timely addressed.
H. DATA PROTECTION OFFICER
To oversee our privacy compliance efforts, AC has appointed a Data Privacy Officer (“DPO”) to manage and safeguard the handling of our personal data processing activities. Likewise, our subsidiaries have appointed individual Compliance Officers for Privacy (“COP”) to ensure that such efforts are sustained throughout the AC family.
Our DPO and COPs are fully committed to protecting the privacy rights of data subjects affected by AC’s personal data processing activities and to ensuring that AC as an organization promotes a culture of privacy. Should you have any concerns regarding AC’s privacy practices and policies, you may reach the DPO through the following contact information:
Data Privacy Officer
Tel: (632) 908-3346
34/F Tower One and Exchange Plaza, Ayala Triangle
I. PERSONAL DATA SECURITY POLICY
1. STORAGE OF AND ACCESS TO PERSONAL DATA
It is the policy of AC to ensure all personal data stored by the organization, whether in manual or electronic form, are kept in secure data centers with appropriate physical, technical and organizational security measures and accessed in accordance with the data security standards of the organization.
We adopt appropriate data collection, storage and processing practices and security measures to protect against unauthorized access, alteration, disclosure or destruction of your personal data, username, password, transaction information and data stored and processed by AC, including appropriate encryption tools, firewalls and security incident management systems and procedures.
Transfers of personal data internally and externally shall only be made in accordance with strict security protocols and under modes of transfer compliant to the requirements and standards of the Data Privacy Act, its Internal Rules and Regulations, and the relevant issuances of the NPC.
We also ensure that only authorized individuals within the organization shall be allowed to process personal data in accordance with AC’s access control policies and procedures.
2. RETENTION AND DISPOSAL OF PERSONAL DATA
It is the policy of AC to ensure that personal data is only retained for a limited period or until the lawful and legitimate purpose of the processing is achieved. To that effect, we have established procedures for securely disposing files that contain personal data whether the same is stored on paper, film, optical or magnetic media, personal data stored offsite, and computer equipment, such as disk servers, desktop computers and mobile phones at end-of-life.
3. THIRD-PARTY DISCLOSURES
a. PERSONAL INFORMATION PROCESSORS
AC shall ensure, in instances where any processing of personal data is outsourced to a third-party processor, that such third party shall be compliant to the organization’s security standards through the appropriate contractual documents and that it regularly conducts due diligence efforts on such third party’s data processing activities through appropriate independent certification and verification procedures.
b. PERSONAL INFORMATION CONTROLLERS
AC shall ensure that any disclosures or transfers of personal data to personal information controllers shall be governed by legally-compliant data sharing agreements and in accordance with the rights of data subjects. Data subjects shall be duly informed and consent from them obtained, where applicable, before such data sharing activities are performed.
4. HUMAN RESOURCE POLICY
AC will implement periodic and mandatory training for all its personnel, representatives, and agents on privacy and data protection in general and in areas reflecting job-specific content. Likewise, it will ensure that all employees, representatives, and agents exposed to personal data pursuant to their function are adequately bound by strict confidentiality.
5. INTERNATIONAL DATA TRANSFERS
While AC generally does not transfer its personal data outside of the Philippines, the organization, its subsidiaries and affiliates utilize cloud technology in the storage and processing of personal data resulting in transfers of such data to data centers outside of the country. To ensure the protection of such data, we’ve made it a point to instruct our cloud service providers to limit the location of data servers housing the personal data we process to countries with similar data protection standards and regulations.
6. WEB BROWSER COOKIES
Effective Date: October 2017
Last Updated: November 16, 2018