TOTAL (PHILIPPINES) CORPORATION DATA PRIVACY MANUAL
For its lawful business purposes, Total (Philippines) Corporation (“TPC”; hereafter referred to as the “Company”, “we”, “our”, or “us”) may collect, use, process, disclose, or transfer the Personal Data of our employees, clients, investors, partners, vendors, agents, contractors, third parties, and the employees of such clients, investors, partners, vendors, agents, contractors, and third parties (hereafter referred to as the “Data Subjects”, “you”, “your”, “they”, “their”, or “them”). This Data Privacy Manual (the “Privacy Manual”) is hereby adopted in compliance with Republic Act No. 10173, or the Data Privacy Act of 2012 (“DPA”), its Implementing Rules and Regulations (“DPA IRR”), and other relevant laws, rules and regulations, including the issuances of the National Privacy Commission (“NPC”) (collectively referred to as the “Data Protection Laws”). TPC respects and values data privacy rights and ensures that all Personal Data collected from our employees, clients and customers is processed in adherence to the general principles of transparency, legitimate purpose, and proportionality.
This Manual shall inform you of our data protection and security measures and may serve as your guide in exercising your rights under the DPA and the DPA IRR. The handling of personal information of specific third persons who deal with TPC, i.e., suppliers, customers, and employees, is more specifically detailed in separate and more specific Data Policies.
- Definition of Terms
2.1 ‘Affiliates’ refers to the affiliates of TPC;
2.2 ‘Data Protection Officer’ or ‘DPO’ refers to the individual accountable for ensuring the compliance by the personal information controller or personal information processor with the Data Protection Laws.
2.3 ‘Data Sharing’ is the disclosure or transfer to a third party of Personal Data under the custody of a personal information controller or personal information processor. In the case of the latter, such disclosure or transfer must have been upon the instructions of the personal information controller concerned. The term excludes outsourcing as defined herein.
2.4 ‘Data Subject’ refers to an individual whose personal, sensitive personal, or privileged information is being processed.
2.5 ‘National Privacy Commission’ or ‘NPC’ refers to the agency mandated to administer and implement the Data Protection Laws, and to monitor and ensure the Philippines’ compliance with international standards for data protection.
2.6 ‘Outsourcing’ refers to the disclosure or transfer of Personal Data by a personal information controller to a personal information processor.
2.7 ‘Personal Data’ refers to all types of personal information.
2.8 ‘Personal Data Breach’ refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed. A Personal Data Breach may be in the nature of:
2.8.1 an availability breach resulting from loss, accidental or unlawful destruction of Personal Data;
2.8.2 an integrity breach resulting from alteration of Personal Data; and/or
2.8.3 a confidentiality breach resulting from the unauthorized disclosure of or access to Personal Data.
2.9 ‘Personal Information’ is defined as any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
2.10 ‘Personal Information Controller’ or ‘PIC’ refers to a natural or juridical person, or any other body who controls the processing of Personal Data or instructs another to process Personal Data on its behalf.
2.11 ‘Personal Information Processor’ or ‘PIP’ refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of Personal Data pertaining to a data subject.
2.12 ‘Processing’ refers to any operation or any set of operations performed upon Personal Data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the Personal Data are contained or are intended to be contained in a filing system.
2.13 ‘Recipient’, in relation to Personal Data, means any person to whom Personal Data is disclosed.
2.14 ‘Security Incident’ is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of Personal Data. It shall include incidents that would have resulted in a Personal Data Breach, if not for safeguards that have been put in place.
2.15 ‘Sensitive Personal Information’ refers to:
2.15.1 personal information about an individual’s race, ethnic origin, marital status, age, color and religious, philosophical or political affiliations;
2.15.2 personal information about an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
2.15.3 personal information issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation and tax returns; and
2.15.4 personal information specifically established by an executive order or an act of Congress to be kept classified.
2.16 ‘Business’ refers to, but is not limited to, TPC’s sales of products and other related services, projects, activities, marketing programs, acquisitions, developments, operations, websites, events and other business transactions.
3.1 All personnel of this organization, regardless of the type of employment or contractual arrangement, are expected to read and comply with the terms set out in this Privacy Manual.
3.2 This Privacy Manual applies to data processing through any means (i.e., mobile phone, laptop, printed forms, etc.).
3.3 Privacy Impact Assessments of all TPC departments/processes shall be conducted once every three (3) years or when there is a new process or system put in place.
- Collection of Personal Data
4.1 We only collect Personal Data if there is a reasonable business purpose for such collection. In this regard, we only collect and process Personal Data that is reasonably necessary to fulfill the identified purpose(s) of processing. This means that we do not collect Personal Data that is not relevant and/or potentially excessive in light of our planned data processing. Further, we also refrain from collecting Personal Data if the business purpose can be achieved by using anonymized or pseudonymized data.
4.2 TPC collects the basic contact information of recruitment candidates, employees, clients, customers, and all other persons it deals with in the regular course of business, including their full name, address, email address, and contact number. For employment, HR collects data using its employment application forms and documents submitted as part of the recruitment process, such as government IDs. For clients or customers, the company representative attending to customers will collect such information through the company’s account opening forms. During events and for marketing promotions, the company’s Marketing teams may collect customer information through raffle stubs, guest lists, and enrollment forms for business owners. For vendors and suppliers, the company representative liaising with the supplier (the Purchasing team) will collect the information through the company’s supplier accreditation forms. The company’s Internal Control and Purchasing teams may also collect other information and Personal Data through the company’s due diligence forms.
4.3 Except in cases allowed by the Data Protection Laws, we shall ensure that your consent has been properly and lawfully obtained prior to the collection, processing, and disclosure of Personal Data. This consent shall be time-bound and in relation only to the legitimate purposes for which Personal Data was collected.
4.4 We may collect Personal Data directly from you in the following circumstances:
4.4.1 When you provide Personal Data through the participation in our Business for the purpose of supplying, availing of, assisting in, or otherwise, making use of the same, whether as a vendor, lessor, customer, dealer, employee, or in any other business capacity;
4.4.2 When you participate in TPC promotions, website, surveys, etc.;
4.4.3 When you request information on any of our products or related Business, or request to receive any marketing, promotional or other types of communications; and
4.4.4 When you make enquiries or comments online or through any of our Departments or staff.
4.5 We may also receive information about you from publicly and commercially available sources, as permitted by the Data Protection Laws and other applicable laws.
- Use, Storage, Retention, Destruction, Access, Disclosure, and Sharing
5.1 TPC may collect, use, disclose and/or process Personal Data for any one or more of the following purposes (collectively the “Purposes”):
5.1.1 to register you as a supplier, customer or client of our Business;
5.1.2 monitoring and processing the various aspects of our sales and Business in order to better facilitate orders or assist us in improving our Business;
5.1.3 assessing and processing requests with respect to our Business;
5.1.4 administering, facilitating, processing and/or dealing with your relationship with us, and any transactions or activities carried out by you in relation to our Business. This shall include processing orders and payment transactions, supplying products, and other aspects of our Business;
5.1.5 carrying out your instructions or responding to any inquiry or request given by (or purported to be given by) you or on your behalf;
5.1.6 contacting you or communicating with you via phone/voice call, text message and/or fax message, email and/or postal mail for the purposes of administering and/or managing your availment of our products, our contractual engagements with you, or other aspects of our Business. You acknowledge and agree that such communication by us could be by way of the mailing of correspondence, documents or notices to you, which could involve disclosure of certain Personal Data about you to bring about delivery of the same, as well as on the external cover of envelopes/mail packages;
5.1.7 carrying out human resources and other functions as identified in the TPC Employee Consent Form (HR uses Agil, HR4U, Sprout, and Click and Learn);
5.1.8 carrying out compliance or due diligence or other screening in accordance with legal or regulatory obligations (whether in the Philippines or foreign country) applicable to us, the requirements or guidelines of governmental authorities (whether in the Philippines or foreign country) which we determine are applicable to us, and/or our risk management procedures that may be required by law (whether in the Philippines or foreign country) or that may have been put in place by us;
5.1.9 to prevent or investigate any fraud, unlawful activity or omission or misconduct, and/or investigating complaints;
5.1.10 complying with or as otherwise required by any applicable law, court order, order of a regulatory body, governmental or regulatory requirements of any jurisdiction applicable to us, including meeting the requirements to make disclosure under the requirements of any law binding on us, and/or for the purposes of any guidelines issued by regulatory or other authorities (whether in the Philippines or elsewhere), with which we are expected to comply;
5.1.11 complying with or as required by any request or direction of any governmental authority (whether in the Philippines or foreign country) which we are expected to comply with; or responding to requests for information from government agencies, local government units or other similar authorities (whether in the Philippines or foreign country). For the avoidance of doubt, this means that we may/will disclose your Personal Data to such parties upon their request or direction;
5.1.12 conducting research (including customer research), surveys, market surveys, analysis and/or development activities (including but not limited to data analytics, surveys and/or profiling) to improve our Business, or to improve our understanding of your interests, concerns and preferences, in order to enhance any continued interaction between yourself and us connected or in relation to our Business;
5.1.13 storing, hosting, backing up of your Personal Data, whether within or outside the Philippines, through SAP, Lift or associated Microsoft Office Applications, or the Group Shared Drive;
5.1.14 facilitating, dealing with and/or administering external audit(s) or internal audit(s) of the business of TPC;
5.1.15 dealing with and/or facilitating asset transactions where TPC is a party;
5.1.16 to implement and maintain our IT systems, including to store and process Personal Data in computer databases and servers located within and outside the Philippines;
5.1.17 record-keeping purposes and producing statistics and research for internal and/or statutory reporting and/or record-keeping requirements, of TPC; and
5.1.18 TPC’s reporting purposes including, but not limited to, reporting on TPC’s Business performance.
5.2 TPC shall not use, process, or disclose sensitive personal information except when:
5.2.1 you have expressly consented to the use, processing, or disclosure of such sensitive personal information as evidenced by written, electronic, or recorded means;
5.2.2 such use, processing, or disclosure is necessary to establish, exercise, or defend legal claims or for TPC to conduct due diligence with third parties that it contracts or deals with, in which case, the sensitive personal information is limited to that provided in TPC’s due diligence forms; and/or
5.2.3 if such use, processing, or disclosure is necessary for medical purposes, in which case the sensitive personal information may be processed by a health professional subject to professional secrecy.
5.3 In some instances, we may want to use or share Personal Data collected in a way that is materially different from what was disclosed in the TPC Privacy Policies, consent forms and other applicable documents at the time of collection. In these circumstances, you shall be notified and given an opportunity to object or withhold consent to processing unless the change refers to processing or disclosure of Personal Data in the following instances:
5.3.1 The Personal Data is needed pursuant to a subpoena;
5.3.2 When the collection and processing are for obvious purposes, including when it is necessary for the performance of or in relation to a contract or service to which you are a party, such as credit insurance or audits, or when necessary or desirable in the context of an employer-employee relationship between you and TPC; or
5.3.3 When the information is being collected and processed as a result of a legal obligation or for TPC to exercise, defend, establish legal claims.
5.4 For the avoidance of doubt, you acknowledge and consent to TPC sharing anonymized information, such as aggregate information about our customers, with advertisers and marketing partners.
5.5 TPC will ensure that Personal Data under its custody are protected against any accidental or unlawful destruction, alteration and disclosure, as well as against any other unlawful processing. Only the client and the authorized representatives of the company shall be allowed to access such Personal Data, for any purpose, except for those contrary to law, public policy, public order or morals. TPC will implement appropriate security measures in storing collected Personal Data, depending on the nature of the information. All information gathered shall be retained only in compliance with the Total Group document retention policy.
- Sharing and Disclosure of Personal Data
6.1 TPC may need to disclose or transfer your Personal Data to third parties, whether located within or outside the Philippines, for any one or more of the above Purposes. In this regard, the disclosure or transfer of Personal Data shall be made only upon your consent and, when required by law, in accordance with a data sharing agreement between TPC and such third parties. The data sharing agreement or other agreement with such third parties shall establish adequate safeguards to maintain the integrity, availability, and confidentiality of Personal Data and uphold your rights as data subjects. Without limiting the generality of the foregoing, such third parties shall include:
6.1.3 Business Partners;
6.1.4 Service Providers, including but not limited to External Auditors and background and credit investigation companies, for verification, risk assessment, credit evaluation, background checking, and fraud detection;
6.1.5 Insurance companies including Health Maintenance Organizations and Credit Insurance;
6.1.6 third parties when required by law or necessary to protect our Business;
6.1.7 other parties in connection with corporate transactions (ex. banks, payroll service providers and pension managers); and
6.1.8 other parties with your consent or at your direction.
6.2 In case Personal Data will be transferred to third parties, we shall use contractual or other reasonable means to ensure the integrity, availability, and confidentiality of Personal Data and to provide a comparable level of protection to the Personal Data disclosed or transferred while it is being processed by a personal information processor or any other third party.
6.3 We will provide our preferred Service Providers with the information they need to perform their services and work with them to respect and protect your Personal Data. We shall enter into data sharing agreements or outsourcing agreements, as may be applicable, or agreements containing provisions on data protection, with our Service Providers, which will adhere to the TPC Privacy Policies and prevent the use of Personal Data for unauthorized purposes. Should you require more information in relation to the transfer or disclosure of your Personal Data, you may contact us at the information provided below.
6.4 All employees and personnel of the company shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation, termination of contract, or other contractual relations. Personal data under the custody of TPC shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data.
- Security Measures
7.1 TPC implements reasonable and appropriate physical, technical and organizational measures for the protection of Personal Data. These security measures aim to maintain the availability, integrity and confidentiality of Personal Data and protect them against natural dangers, such as accidental loss or destruction, and human dangers, such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination. This section gives a general description of those measures.
7.2 Apart from the foregoing measures and those enumerated below, TPC shall implement such other organizational, physical, and technical security measures as may be necessary to ensure that the integrity, availability, and confidentiality of Personal Data is maintained.
Organizational Security Measures
7.3 TPC shall form a Data Privacy Committee composed of the relevant management representatives for businesses and functions handling employee, supplier, and customer data.
7.4 The Data Privacy Committee shall be responsible for the oversight of the Data Privacy Program for TPC, which includes:
7.4.1 establishing a management system for Data Privacy,
7.4.2 planning of activities,
7.4.3 review of Data Privacy policies and procedures,
7.4.4 conduct of privacy impact assessments,
7.4.5 conduct of training and awareness sessions,
7.4.6 recommending the appropriate security measures to support the Data Privacy Program,
7.4.7 responding to security incidents,
7.4.8 handling of inquiries and complaints,
7.4.9 operation of the Data Privacy management system,
7.4.10 improvement of the Data Privacy Program,
7.4.11 regular audits on compliance with the Data Privacy Program, and
7.4.12 review of the annual reports to be submitted by the DPO to the National Privacy Commission.
7.5 The Committee shall meet at least twice a year (or more frequently if urgent updates to the Data Privacy Program are needed) to ensure sufficient attention and focus on the operation of the TPC Data Privacy Program. These meetings shall cover, at the minimum, the following agenda:
7.5.1 Planning the Data Privacy Program
7.5.2 Improvement of the Data Privacy Program
7.5.3 Review of Security Incidents and their corresponding preventive and corrective measures
7.5.4 Review of reports to be submitted to the National Privacy Commission
7.6 The Data Privacy Committee shall be authorized to utilize any TPC resource and personnel in order to establish, operate, and sustain the Data Privacy Program.
7.7 TPC shall designate one (1) DPO in the Philippines who shall be accountable for compliance with the provisions of the Data Protection Laws. The DPO shall also be a member of the Data Privacy Committee. In this connection, the DPO shall oversee the compliance of the organization with the DPA, its IRR, and other related policies, including the conduct of a Privacy Impact Assessment, implementation of security measures, security incident and data breach protocol, and the inquiry and complaints procedure. The DPO may also perform other duties and tasks that may be assigned by TPC that will further the interest of data privacy and security and uphold your rights as data subject.
7.8 TPC shall regularly sponsor mandatory trainings and orientations on data privacy and security at least once every two (2) years. For employees and personnel directly involved in the processing of Personal Data, management shall ensure their attendance and participation in these trainings and orientations, and that they understand their duty of confidentiality. TPC shall also regularly conduct Privacy Impact Assessments relative to all activities, projects and systems involving the processing of Personal Data. It may choose to outsource the conduct of a PIA to a third party. Privacy and security policies and practices within the organization shall be updated to remain consistent with current data privacy best practices.
Physical Security Measures
7.9 TPC shall implement physical security measures in its offices including but not limited to the following:
7.9.1 Personal Data in TPC’s custody may be in digital/electronic format and paper-based/physical format. For electronic files, TPC personnel must ensure that only persons who need access to the files for regular TPC Business shall have access thereto. For those in paper-based formats, all files containing Personal Data shall be arranged in designated cabinets which are securely locked at all times. Archived documents are stored only in TPC’s designated and accredited warehouse;
7.9.2 All personnel should ensure that their laptops, cellphones, and other electronic devices containing Personal Data, as well as their Total access cards, are physically secure and that their personal passwords are not disclosed to any other person. TPC computers are positioned with sufficient space between them to maintain privacy and protect the processing of Personal Data. Persons involved in processing shall always maintain the confidentiality and integrity of Personal Data. They are not allowed to store TPC files on their own gadgets or storage devices of any form.
7.9.3 Transfers of Personal Data via electronic mail shall use a secure email facility with encryption of the data and password access, including any or all attachments. Any migration of voluminous data should be done in coordination with TPC’s IT personnel in order to ensure its security. Facsimile technology shall no longer be used for transmitting documents containing Personal Data. Uploading of data shall only be done to safe servers accredited by Total’s IT, such as Microsoft OneDrive or SharePoint.
7.10 TPC shall limit access to Personal Data only to authorized employees and third-party Service Providers, each of whom is held to TPC’s standards of privacy. TPC shall also maintain physical, electronic and procedural safeguards to protect Personal Data against loss, misuse, damage, modification and unauthorized access or disclosure.
Technical Security Measures
7.11 TPC shall implement and/or install an intrusion detection system to monitor security breaches and alert the organization of any unauthorized access, use, modification, processing, disclosure, or destruction of Personal Data under its control.
7.12 TPC shall implement the Total Group Standard, which provides adequate standards, from development to decommissioning of applications, to ensure that software developed for TPC is protected against system attacks (see the April 2019 Application Design Rules Standard found here: http://wat-social.corp.local/sites/bda5491e-4298-4b80-b56f-646ebf8c1114_...).
7.13 TPC shall implement the necessary encryption and authentication process that will control and limit access to Personal Data based on the Total Global IT standards.
7.14 TPC shall abide by the provisions of the IT Security Policies. It shall likewise review the IT Security Policies on a regular schedule to be prescribed by the DPO.
- Breach and Security Incidents
8.1 TPC’s procedures for Personal Data Breaches and Security Incidents shall be governed by a separate Security Incident Management Manual.
- Inquiries and Complaints
9.1 TPC recognizes that every data subject has the right to reasonable access to his or her Personal Data being processed by the Personal Information Controller or Personal Information Processor. Other available rights include: (1) right to dispute the inaccuracy or error in the Personal Data; (2) right to request the suspension, withdrawal, blocking, removal or destruction of Personal Data; and (3) right to complain and be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of Personal Data. Accordingly, TPC sets forth the following procedure for inquiries and complaints on Personal Data:
9.1.1 Data Subjects may inquire or request information regarding any matter relating to the processing of their Personal Data under the custody of the organization, including the data privacy and security policies implemented to ensure the protection of their Personal Data. They may write to the organization at [email protected] and briefly discuss the inquiry, together with their contact details for reference.
9.1.2 If you have any inquiries or concerns related to this Privacy Manual or TPC’s privacy practices, if you need additional assistance, or if you have complaints, please contact TPC’s DPO at [email protected].
10.1 The provisions of this Manual are effective this 29th day of November 2019, until revoked or amended by TPC.