Data Protection Policy 1.2

OBJECTIVE:

Our business is founded on data and information. They are the basis by which we are able to serve the needs of all our clients. With that in mind, it is imperative that we ensure that the data and information we collect, store, and process are protected against unauthorized access and use. Further, once the data and information are no longer required by our business, we are to ensure that they are disposed of in a manner that retains the security and protection of such data and information.

With that in mind, the objective of this policy is to lay down the guidelines in the protection and security of the data and information collected, stored, processed, and disposed of by the Company. Thus, this DATA PROTECTION POLICY is adopted in compliance with Republic Act No. 10173 of the Data Privacy Act of 2012 (the DPA), its implementing rules and regulations, and other relevant policies, including issuances of the National Privacy Commission of the Philippines.

SCOPE:

This policy covers all data and information that the Company collects, stores, processes, and disposes of irrespective of their source.

All employees, regardless of rank and job description, are required to abide by this policy.

PROCESSING OF DATA

  1. Collection of Data

    1. From Clients

      1. The Company collects the basic contact information of clients and customers, including their name, address, email address, contact number, names of relevant employees and their contact details, including information regarding the service or product purchased or sought to be purchase. The Company collects this from the documents and/or contracts signed by such client or customer.

    2. From the Public

      1. In order to undertake the services and products it offers to its clients, the Company collects, by itself or through third parties, the following data: cookies, usage data, unique device identifiers for advertising (Google Advertiser ID or IDFA, for example), email address and geographic position.

    3. From its Employees

      1. Upon application and for the entire duration of employment, the Company collects data on its employees which include, but not limited to, personal data such as the employee’s name, date of birth and personal identification credentials with photograph; contact details such as address, email, landline and mobile phone number; employment data or information regarding previous or current employment, salary and benefits, academic information, professional practice and training; sensitive data such as age, date of birth, marital status, number of children, children's names, gender and religion; personal references such as name, occupation and contact details; judicial investigations, non-criminal records and family history; medical examination, physical examination, blood pressure, chronic, temporary and pre-existing conditions, weight, height, sexual activity and/or sexual behavior, and other medical data such as blood type, allergies, that are relevant to the employee’s care, care and treatment.

  2. Use

    1. Data from Clients

      1. The Company shall use the data its collected and received from its clients primarily for: identification and contact purposes; sales of products that the Company sells; delivery of products; Assistance through the use of our Customer Support System, ; to market and promote our products; carry out any or all of the activities necessary for the development and fulfillment of the obligations that arise and derive from the contractual and / or commercial relationship with the Company including billing, collection; for internal administration; and/or for the purposes of analysis and / or research and periodic monitoring.

      2. The Company may likewise use Client data to carry out any or all of the secondary purposes such as: to contact the Client in order to respond to the Client’s requirements and monitor its use of our products and for statistical purposes; marketing, advertising and/or commercial prospecting related to products and services, which can be carried out by the Company or third parties with which the Company has entered into agreements or contracts; and to inform the Client of the launch or changes of new products, promotions and / or offers according to their interests.

    2. Data from Third Parties

      1. The Company shall use the data collected and received from Third Parties for purposes of undertaking the activities, services, and products it offers and sells to its clients. Use of said data shall include, but are not limited to: advertising; analytics; displaying content from external factors; interaction with external social networks and platforms; managing contacts and sending messages; remarketing and behavioral targeting; advertising serving infrastructure; commercial affiliation; hosting and backend infrastructure; location-based interactions; platform services and hosting; tag management; profiling; and automated decision-making.

    3. Data from Employees

      1. The Company shall use the data it collected and received from its employees for the accomplishment of the process of recruiting, selecting, and on-boarding of an employee; research, identification and validation purposes regarding the veracity of the information provided to the Company; medical evaluation; incorporation and updating of employee information; integration of physical and digital records aimed at creating and administering employee portfolios; and comply with the obligations arising from the applicable legislation or at the request of a competent authority;

  3. Storage, Retention, and Destruction

    To carry out the processing of your personal data, the Company has implemented a series of procedures and policies to manage and ensure the security of information, whether of a technological, physical or administrative nature. Any measure, procedure, and/or policy in relation to the availability, integrity, confidentiality, and/or authorized use of personal data, are also required to be complied with by the service providers we hire, third parties, and by affiliated companies and subsidiaries of the Company.

    All information gathered shall not be retained for a period longer than one (1) year counted from the time the data is deemed unnecessary or unrequired. Provided, that employee data shall be retained for a period no longer than four (4) years from the time of the separation of the employee from his/her employment. After the period herein specified, all hard and soft copies of personal information shall be disposed and destroyed, through secured means.

    For more information, please refer to:

    1. Data Acquisition and Processing Policy;
    2. Data Analytics and Insights Policy;
    3. Asset Management Policy;
    4. Server Room Policy;

  4. Access

    Due to the sensitive and confidential nature of the personal data under the custody of the company, only its clients, their authorized representatives, and the authorized representative/s of the Company shall be allowed to access such personal data, for any purpose, except for those contrary to law, public policy, public order or morals.

    For your information, please refer to:

    1. Acceptable Use Policy;
    2. Data Analytics and Insights Policy;
    3. Asset Management Policy;
    4. Access Control Policy;
    5. Accounts Policy;
    6. IT Network Access Policy;
    7. Password Policy;
    8. Server Room Policy;

  5. Disclosure and Sharing

    1. Data from Employees

      1. The Company may send and share your personal data, including employee’s sensitive personal data only to its subsidiary and affiliated companies; its suppliers with whom KOF enters into contracts in order to fulfill the purposes described in item II (c) (i); and the Company may disclose or allow access to the personal data that provided in order to comply with the applicable legislation or at the request of the competent authority.

    2. Data from Clients and Third Parties

      1. The Company may share your information with one or more third parties, with whom we have previously entered into agreements with confidentiality and personal data protection clauses, as well as with selected service providers to support the marketing, promotion of our products, software development, as well as for the purpose of verifying that the information provided to the Company is correct and current. The Company may even transfer your personal data to such third party(s) for commercial use. Likewise, the Company may share or transmit your personal data to its Controllers, Subsidiaries, related parties and/or its Business Units for purposes of product and service improvement, promotions, statistical purposes, internal management, and for purposes of analysis. Any transfer of personal data that the Company performs, will be solely for the purposes permitted by the laws and the recipients of the personal data, are obliged to observe this Notice.

    All employees and personnel of the Company shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation, termination of contract, or other contractual relations. Personal data under the custody of the Company shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data.

    For more information, please refer to:

    1. Acceptable Use Policy;
    2. Data Analytics and Insights Policy;

SECURITY MEASURES

  1. Organizational Security Measures

    1. The Data Protection Officer

      1. Functions.

        • The Data Protection Officer shall oversee the compliance of the Company with the DPA, its IRR, and other related policies, including the conduct of a Privacy Impact Assessment, implementation of security measures, security incident and data breach protocol, and the inquiry and complaints procedure.

    2. Trainings and Seminars

      1. The Company shall sponsor a mandatory training on data privacy and security at least once a year. For personnel directly involved in the processing of personal data, management shall ensure their attendance and participation in relevant trainings and orientations, as often as necessary.

    3. Privacy Impact Assessment

      1. The Company shall conduct a Privacy Impact Assessment (PIA) relative to all activities, projects and systems involving the processing of personal data. It may choose to outsource the conduct a PIA to a third party.

    4. Duty of Confidentiality

      1. All employees will be asked to sign a Non-Disclosure Agreement. All employees with access to personal data shall operate and hold personal data under strict confidentiality if the same is not intended for public disclosure.

    5. Review of Data Protection Policy

      1. This Policy shall be reviewed and evaluated annually. Privacy and security policies and practices within the organization shall be updated to remain consistent with current data privacy best practices.

  2. Physical Security Measures

    1. Format of Data

      1. Personal data in the custody of the organization may be in digital/electronic format and paper-based/physical format.

    2. Storage Type and Location

      1. The digital/electronic files are stored in computers provided and installed by the company.

    1. Monitoring and Limitation of Access to Room or Facility

      1. Persons involved in processing shall always maintain confidentiality and integrity of personal data.

    2. Modes of Transfer of Data

      1. Transfer of personnel data shall be sent via email as a compressed file with password protection. Password can be sent via SMS or any mode of communication other than email.

  1. Technical Security Measures

    1. Monitoring for Security Breaches

      1. The Company shall use an intrusion detection system such as, but not limited to, CCTV monitoring and biometrics access monitoring, to ensure that security breaches are avoided and to alert the organization of any attempt to interrupt or disturb the system.

    2. Security Features of the Software/s and Application/s Used

      1. The Company shall first review and evaluate software applications before the installation thereof in computers and devices of the organization to ensure the compatibility of security features with overall operations.

    3. Process for regularly testing, assessment and evaluation of effectiveness of security measures

      1. The organization shall first review and evaluate software applications before the installation thereof in computers and devices of the organization to ensure the compatibility of security features with overall operations.

BREACH AND SECURITY INCIDENTS

  1. Data Breach Response Team

    1. A Data Breach Response Team headed by the Data Protection Officer together with four (4) officers of the Company shall be responsible for ensuring immediate action in the event of a security incident or personal data breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effects of the incident or breach.

  2. Measures to Minimize Occurrence of Breach and Security Incidents

    1. The Company shall regularly conduct a Privacy Impact Assessment to identify risks in the processing system and monitor for security breaches and vulnerability scanning of computer networks. Personnel directly involved in the processing of personal data must attend trainings and seminars for capacity building. There must also be a periodic review of policies and procedures being implemented in the organization.

  3. Procedure for Recovery and Restoration of Data

    1. The Company shall always maintain a backup file for all personal data under its custody. In the event of a security incident or data breach, it shall always compare the backup with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.

  4. Notification Protocol

    1. The Head of the Data Breach Response Team shall inform the management of the need to notify the NPC and the data subjects affected by the incident or breach within the period prescribed by law. Management may decide to delegate the actual notification to the head of the Data Breach Response Team.

  5. Documentation and Reporting Procedure

    1. The Data Breach Response Team shall prepare a detailed documentation of every incident or breach encountered, as well as an annual report, to be submitted to management and the NPC, within the prescribed period.

RIGHTS OF DATA SUBJECTS; INQUIRIES AND COMPLAINTS

Data Subjects may exercise certain rights regarding their Data processed by the Company.

In particular, Users have the right to do the following:

  1. Withdraw their consent at any time.
  2. Object to the processing of their data.
  3. Access their data.
  4. Verify and seek rectification.
  5. Restrict the processing of their data.
  6. Have their personal data deleted or otherwise removed.
  7. Receive their data and have it transferred to another Controller.
  8. Lodge a complaint

Data subjects may exercise their rights, inquire or request for information regarding any matter relating to the processing of their personal data under the custody of the Company, including the data privacy and security policies implemented to ensure the protection of their personal data. They may write to the organization at contactus@spectrumone.co and briefly discuss the inquiry, together with their contact details for reference.

Complaints shall be filed in three (3) printed copies or sent to contactus@spectrumone.co. The concerned department or unit shall confirm with the complainant its receipt of the complaint.

COMPLIANCE AND ENFORCEMENT

All Company employees are enjoined to faithfully comply with this policy. Any deviation or violation shall be subject to the provisions of the SPECTRUM ONE I.T. SOLUTIONS CORP. EMPLOYEE CODE OF CONDUCT. Provided that any deviation or violation of this policy shall be classified as a Major Offense and the appropriate penalty under the SPECTRUM ONE I.T. SOLUTIONS EMPLOYEE CODE OF CONDUCT shall be imposed.