GENERAL DATA PRIVACY POLICY

I. OVERVIEW

We, Monde Nissin Corporation (‘the Company’) provide a whole host of food-related services to our clients. In providing such support and services, we rely heavily on personal information, whether it be the information of our clients, our employees, or any other individual in connection with any matter that we handle.

Given the importance of privacy to all concerned parties, we are committed to the highest standards of privacy and data protection compliance and expect everyone in our Company to adhere to these standards. We demand highest standards of ethics and compliance with applicable laws and rules from our management, employees, and third-party suppliers and service providers.

This Privacy Policy will help you understand: (i) what Personal Information we collect; (ii) how we collect, hold, use and disclose that information; and (iii) the purposes of such collection, holding, use and disclosure.

II. TO WHAT DOES THIS PRIVACY POLICY APPLY?

This Policy applies to all of our facilities, as well as all the services that we offer.

This Policy does not apply to any website, product or service of any third-party organization even if the website links to (or from) our Website. Please always review the privacy practices of any third-party organization before deciding whether to provide any information.

By using our services, you accept the practices described in this Policy. If you do not agree with this Policy, you should immediately cease and desist from using our Services. Continued use of our Services will signify your acceptance of this Policy.

III. WHAT INFORMATION DO WE COLLECT?

When you use our Services, we collect your Personal Information.

The term “Personal Information”, as used in this Policy, refers to any data (whether by itself or when linked with other information) in the possession of, or likely to come into the possession of the Company, that can be used to identify a specific living person.

Personal Information does not include information that has been aggregated or made anonymous such that it can no longer be reasonably associated with a specific person.

For a detailed list of the Personal Information that we do collect, please refer to the various Notices and Consent Forms that we use, with such Notices and Consent Forms classified according to the kind of data subject.

IV. Why do we collect your Personal Information?

We collect your Personal Information for the following purposes:

• To receive customer complaints or feedback; 
• To allow MNC to take the necessary action in response to the complaint or feedback; 
• To maintain constant communication with our clients;
• To manage the process of billing our clients for services rendered; and
• To assert and defend any legal claims by or against the Company.

Subject to the Data Privacy Act and with your consent, we may share, preserve, transfer, and disclose your Personal Information to the following:

• Third party suppliers and service providers that help us provide our services, to the extent needed to perform their duties and their functions; and
• Government authorities and such entities that may have a legitimate and legal interest in the information, in response to a legal request such as a search warrant, court order or subpoena, if we believe in good faith that we are required to do so under the law.

V. How do we collect your information?

Whenever you use our Services, we collect your Personal Information.

Broadly speaking, we collect information in three ways: (1) when you provide it directly to us, (2) when we obtain verification information about you or your company through trusted third parties, and (3) passively through technology such as “cookies”.

Specifically, we collect Personal Information from you through contracts, notes taken and prepared by our lawyers and staff, physical or electronic communication (e.g. electronic mail), verification information from trusted third parties, passive technologies (e.g. cookies), and documents or forms bearing your personal information that you submitted or was acquired by us with your authorization.

VI. WHAT ARE YOUR RIGHTS AS A DATA SUBJECT AND HOW DO YOU EXERCISE THEM?

As a data subject whose Personal Information will be collected and processed by us, you are entitled to the following rights, pursuant to Section 16 of Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012, and Section 34 of its Implementing Rules and Regulations:

1. Right to be informed

You have a right to be informed whether Personal Information pertaining to you shall be, are being, or have been processed, including the existence of automated decision-making and profiling.

2. Right to object

You shall have the right to object to the processing of your Personal Information, including processing for direct marketing, automated processing or profiling. You shall also be notified and be given an opportunity to withhold consent to the processing in case of changes or any amendment to the information supplied or declared to the data subject.

3. Right to Access

You have a right to be given access to specific kinds of information identified in the Data Privacy Act upon reasonable written demand.

4. Right to Rectification

The data subject has the right to dispute the inaccuracy or error in the Personal Information and have us correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable.

5. Right to Erasure or Blocking

You shall have the right to suspend, withdraw or order the blocking, removal or destruction of your Personal Information from our filing system.

6. Right to Damages

Upon presentation of a valid decision, we recognize your right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of Personal Information, taking into account any violation of your rights and freedoms as data subject.

Please note that this is not an exhaustive discussion of your rights as a data subject. If you wish to know more, please see our Data Subject Rights Policy.

VII. WHAT THE PRINCIPLES DO WE FOLLOW WHEN WE COLLECT YOUR INFORMATION?

In compliance with the applicable laws and regulations, we pledge to observe the following principles:

1. Principle of Transparency

We are committed to ensuring that you know why we collect Personal Information, as well as how much of it we collect. As we seek to ensure the security of your Personal Information, we make sure that you know what risks are involved when we collect and use your Personal Information, as well as the measures we have established to ensure that those risks are lessened or eliminated.

2. Principle of Legitimate Purpose

We are committed to ensuring that your Personal Information will only be used for specified, legitimate purposes. No Personal Information shall be used for a purpose other than that which has been told to you and have been consented to by you.

No Personal Information shall be collected without your consent. If you wish to withdraw consent to the collection of your Personal Information, kindly give us reasonable written notice so we may have time to cease any and all processing

3. Principle of Proportionality

We are committed to ensuring that we do not collect Personal Information more than what is necessary from you. Personal Information shall be collected only to the extent that is needed for the purposes specified in this Policy.

4. Principle of Lawful Processing

We pledge that we shall uphold your right as a Data Subject. You shall have the right to refuse, withdraw, consent, or object to the use and collection of your Personal Information.

In the event that you refuse to give consent, your Personal Information shall no longer be processed, unless:

• The Personal Information is needed pursuant to a subpoena;
• The collection and processing are for obvious purposes, including, when it is necessary for the performance of or in relation to a contract or service to which the customer is a party; or
• The information is being collected and processed as a result of a legal obligation.

Any information to be provided by you shall always be in clear and plain language, to ensure that the information is easy to understand and access.

5. DATA RETENTION

Whatever Personal Information given to us by you or pertaining to you shall only be retained for as long as necessary:
• For the fulfillment of the declared, specified, and legitimate purpose, or when the processing relevant to the purpose has been terminated;
• For the establishment, exercise, or defense of legal claims; or 
• For legitimate business purposes, which must be consistent with standards followed by the applicable industry or approved by the appropriate government agency.

Personal Information provided to us by you shall be disposed or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other party, or prejudice the interests of our customers.

For a more detailed discussion regarding the retention of your Personal Information, please refer to our Data Retention Policy.

VII. WHY DO WE RETAIN YOUR PERSONAL INFORMATION?

We will retain Personal Information for the period necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by the Data Privacy Act of 2012. Please note that we have a variety of obligations to retain the Data that you provide to us, including to ensure that transactions can be appropriately processed, settled, refunded or charged-back, to help identify fraud and to comply with anti-money laundering, tax and other laws and rules that apply to us and to our financial service providers. There may also be residual Data that will remain within our databases and other records, which will not be removed.

VIII. HOW DO WE PROTECT YOUR PERSONAL INFORMATION?

The Company has put in place physical, electronic, and managerial procedures designed to help prevent unauthorized access, to maintain data security, and to use correctly the Information we collect online. These safeguards vary based on the sensitivity of the Information that we collect and store.

Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If the customer has reason to believe that his interaction with us is no longer secure (for example, if the customer feels that the security of his account has been compromised), please contact our Data Protection Officer immediately. His contact details are provided in Part XI below.

IX. WHAT ABOUT CHANGES TO THIS POLICY?

We may change this Privacy Policy. The “Last updated” legend at the top of this Privacy Policy indicates when this Privacy Policy was last revised. Any changes are effective when we post the revised Privacy Policy on the Services.

We may provide you with disclosures and alerts regarding the Privacy Policy or Personal Information collected by posting them on our website. By using our Services, you agree that electronic disclosures and notices have the same meaning and effect as if we had provided you with hard copy disclosures. Disclosures and notices in relation to this Privacy Policy or Personal Information shall be considered to be received by you within twenty-four (24) hours of the time they are posted to our website.

X. HOW CAN YOU REACH US?

If you have any questions or suggestions about this Privacy Policy or would like to access or seek correction of your Personal Information, or if you have any complaints regarding our privacy practices, please contact our Data Protection Officer:

          Data Protection Officer

          Monde Nissin Corporation
          21st Flr., 6750 Ayala Office Tower
          Tel. No.: +63 9178524044
          Email Address: your.privacy.matters@mondenissin.com

Please note that you, as the requesting party, would have to pay the reasonable costs and expenses incurred by the Company for producing as well as revising the requested information.

Because email communications are not always secure, you are asked to not include credit card or other sensitive data (such as racial or ethnic origin, political opinions, religion, government IDs, health, or the like) in emails sent to us.

XI . EFFECTIVITY OF THE POLICY

This policy takes effect on June 21, 2019. The Company reserves the right to modify, amend, replace or revoke this policy at any time.

DATA SUBJECT RIGHTS POLICY

I. Purpose of the Policy

In keeping with the commitment of Monde Nissin Corporation (the ‘Company’) in ensuring that the rights of its data subjects are adequately protected, this Data Subject Rights Policy (the ‘Policy’) is intended to guide the company in protecting and recognizing the rights of the data subject in relation to their personal information being processed by the company.

II. Rights of the Data Subject

Data subjects whose personal information will be collected and processed by the Company are entitled to the following rights:

  1. Right to be Informed.
  2. Right to Object.
  3. Right to Access.
  4. Right to Rectification.
  5. Right to Erasure or Blocking.
  6. Right to Damages.

The abovementioned rights shall be discussed in detail in the subsequent sections.

III. Common Provisions

A. Modes of Communication

The data subject may direct any of his questions, complaints, or concerns to:

           Data Protection Officer

           Monde Nissin Corporation
           21st Flr., 6750 Ayala Office Tower
           Tel. No.: +63 9178524044
           Email Address: your.privacy.matters@mondenissin.com

Communication may be by mail or e-mail. The mode of communication to be employed by the Data Protection Officer (‘DPO’) of the Company in replying to the data subject will depend on the purpose of communication, as may be gleaned from the policy.

B. Identity Verification

The data subject may only exercise these rights in relation to his own personal information. Prior to addressing the concern of the data subject, his identity must be verified. The verification shall be made through telephone/mobile phone, depending on the contact information provided by the data subject.

The request handler shall ask the requester two (2) questions based on the personal information on hand. If the requester answers any of the questions incorrectly, the request handler shall ask the data subject to e-mail a scan of any government issued ID. If the requester refuses to answer the questions or e-mail his ID, his request will be rejected. Verification must be made within seven (7) working days from receipt of the notice of objection.

C. Processing Fees

 The DPO shall determine reasonable processing fees and publish the same.

 If the requester’s identity has been verified, the requester must send payment to cover the fees for processing his request within seven (7) working days. Once payment has been confirmed, the DPO has thirty (30) working days from date of confirmation to respond. The requester shall be notified of the due date.

D. Encryption

All electronic communications must be securely encrypted. Emails between the Company and the data subject, which contain personal information, must be encrypted. If personal information is received without encryption, the DPO must be immediately informed for proper action.

E. Waiver of Liability

After the data subject’s concern has been addressed by the company, he waives all liability related to it, to the extent allowed by law. Failure to raise any objection one (1) month after resolution shall amount to a waiver of liability.

Upon resolution, the data subject’s consent to this provision on Waiver of Liability shall be obtained by the request handler. 

IV. Right to be Informed

The data subject has a right to be informed whether personal data pertaining to him or her shall be, are being, or have been processed, including the existence of automated decision-making and profiling.

A. What to Inform the Data Subject

At all times, prior to the entry of his or her personal information into the processing system, the data subject shall be notified and furnished with information indicated hereunder. If it is impractical to do so, or if the information has already been entered, he must be informed at the next practical opportunity:

  1. Description of the personal data to be entered into the system
  2. Purposes for which they are being or will be processed, including processing for direct marketing, profiling or historical, statistical or scientific purpose;
  3. Basis of processing, when processing is not based on the consent of the data subject;
  4. Scope and method of the personal data processing;
  5. The recipients or classes of recipients to whom the personal data are or may be disclosed;
  6. Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized, including meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
  7. The identity and contact details of the personal data controller or its representative;
  8. The period for which the information will be stored; and
  9. The existence of their rights as data subjects, including the right to access, correction, and object to the processing, as well as the right to lodge a complaint before the Commision

B. Form of Notice

The information listed above shall be contained in a consent form, or in a notice to be furnished the data subject.

V. Right to Object

The data subject shall have the right to object to the processing of his or her personal data, including processing for direct marketing, automated processing or profiling.

A. Exceptions:

The data subject cannot object to the processing of his personal information in the following circumstances: 

  1. The personal data is needed pursuant to a subpoena;
  2. The collection and processing are for obvious purposes, including, when it is necessary for the performance of or in relation to a contract or service to which the data subject is a party, or when necessary or desirable in the context of an employer-employee relationship between the collector and the data subject; or
  3. The information is being collected and processed as a result of a legal obligation

B. How right is exercised

Data subjects who wish to object to the processing of their information may avail of the following options:

  1. If applicable, by availing of the opt-out option upon collection of their personal information; or
  2. By notifying the Data Protection Officer through e-mail or telephone.

C. Protocol upon receipt of notice of objection or withdrawal of consent

  1. Identity Verification. Refer to the Identity Verification Protocol above.
  2. Payment of Processing Fees. Refer to the Processing Fees Protocol above.
  3. Assessment of Validity of Objection. The DPO has thirty (30) working days to determine whether the request falls under any of the exceptions to the exercise of the right to objection.
  4. Unless the data subject exercises his right to suspend, withdraw or order the blocking, removal or destruction of his or her personal information, the data shall be anonymized within thirty (30) working days from approval by the DPO of the request. This is in order to ensure that their preferences are respected in the future, where for example, in case the company obtains a new marketing list, matching details will exclude the data subject from being contacted.
  5. Deletion of Identity Verification Documents. After the data has been anonymized, the scanned ID e-mailed by the data subject will be deleted.

D. Protocol in Case of Amendment of Information Provided to Data Subject

The data subject shall also be notified and given an opportunity to withhold consent to the processing in case of changes or any amendment to the information supplied or declared to the data subject (See list of information in Sec. IV.A).

VI. Right to Access

A. Information That May Be Accessed

The data subject has the right to reasonable access, upon written demand, to the following: 

  1. Contents of his or her personal data that were processed;
  2. Sources from which personal data were obtained;
  3. Names and addresses of recipients of the personal data;
  4. Manner by which such data were processed;
  5. Reasons for the disclosure of the personal data to recipients, if any;
  6. Information on automated processes where the data will, or is likely to, be made as the sole basis for any decision that significantly affects or will affect the data subject;
  7. Date when his or her personal data concerning the data subject were last accessed and modified; and
  8. The designation, name or identity, and address of the personal information controller.

B. Information That Cannot Be Accessed

The following information cannot be disclosed:

  1. Legal advice, which may include
    1. Records which contain advice from the company’s lawyers
    2. Records which contain the company’s requests for legal advice
    3. Records which were written as part of obtaining legal advice
  2. Negotiations—information which is being used, or may be used in future, in negotiations with the data subject, if the information gives away the company’s negotiating position and disclosing the information would weaken the company’s negotiating position.
  3. Information which would prejudice the prevention or detection of a crime. However, if the investigation is closed or if the data subject has been informed that there is an investigation underway, then the information can be disclosed at the option of the Company.

C. How right is exercised

The data subject may request for access to his personal information and information about its processing by submitting a Subject Access Request Form to the Data Protection Officer through this e-mail address your.privacy.matters@mondenissin.com

 

Subject Access Request Form

Name of Data Subject:

 

Information Requested:

 

Further Details:

 

 

D. Protocol upon receipt of request

  1. Identity Verification. Refer to the Identity Verification Protocol above.

  2. Payment of Processing Fees. Refer to the Processing Fees Protocol above.

  3. When to Redact. The DPO must verify that the request will not breach any confidentiality owed to third parties. Moreover, only information which is about the person making the subject access request shall be disclosed. Where a document contains personal data about a number of individuals, including the data subject, information about the third parties shall not be disclosed.
    1. If the record is primarily about the data subject, with incidental information about others, blank out the third-party information.
    2. If the record is primarily about third parties, withhold it if blanking out is not possible.
    3. Contact the third party to obtain consent to disclose the document if possible.
  1. Redaction Procedure. The following procedures shall be followed in blanking out information which are not liable for disclosure:
    1. Hard copy documents
      • Print out the document or, if it is a paper record, make a photocopy.
      • Using a black marker pen, blank out the exempt information.
      • Make a photocopy of the blanked-out version. This is the copy that will go to the person making the request.
    2. Electronic documents
      • Using the highlighter tool, highlight the exempt information in black.
      • Save the blanked-out version as a separate copy.
      • Print out the document and send to the data subject – the Company will not send the document in electronic format as it is possible the highlighting could be removed.
  1. Reply to Request. Once all these steps have been satisfied, the DPO shall reply to the requester, either enclosing all information eligible for disclosure and/or an explanation as to why the information requested cannot be disclosed. The DPO has thirty (30) working days from confirmation of receipt to determine the merits of the request. The procedure in disclosing the requested information must conform to the Company’s Data Portability Policy.
  1. Deletion of Identity Verification Documents. After the request has been satisfied, the scanned ID e-mailed by the data subject must be deleted.

VII. Right to Rectification

The data subject has the right to dispute the inaccuracy or error in the personal data and have the company correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable.

A. How right is exercised

The data subject must fill up the Request Form for Rectification of Personal Information and e-mail it to the DPO through your.privacy.matters@mondenissin.com

 

Request Form for Rectification of Personal Information

Name of Data Subject:

 

Information to be rectified:

 

Corrected Information:

 

Basis for correction (If basis is legal, please include scanned copy of court order):

 


B. 
Protocol upon receipt of request

  1. Identity Verification. Refer to the Identity Verification Protocol above.
  1. Payment of Processing Fees. Refer to the Processing Fees Protocol above.
  1. Assessment of Validity of Request. The DPO has thirty (30) working days from confirmation of receipt to determine the merits of the request. The DPO will respond to the data subject through e-mail confirming the request, or detailing the reasons for denial. If the request has been granted, the DPO will list down the databases or records that shall be rectified.
  1. Rectification Procedure. The DPO has thirty (30) days from the date of reply to the data subject to rectify all the records which contain the inaccurate information. If the personal data has been corrected, the DPO shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by the intended recipients thereof. Within the same period, the recipients or third parties who have previously received such processed personal data shall be informed of its inaccuracy and its rectificati
  1. Reply to Request. The DPO has thirty (30) working days from confirmation of receipt to determine the merits of the request. Once all these steps have been satisfied, the DPO shall reply to the requester, either affirming the rectification and/or an explanation as to why the request cannot be processed.
  1. Deletion of Identity Verification Documents. After the request has been satisfied, the scanned ID e-mailed by the data subject must be deleted.

VIII. Right to Erasure or Blocking

The data subject shall have the right to suspend, withdraw, or order the blocking, removal or destruction of his or her personal data from the company’s filing system.

A. When right may be exercised

This right may be exercised upon discovery and substantial proof of any of the following: 

  1. The personal data is incomplete, outdated, false, or unlawfully obtained;
  2. The personal data is being used for purposes not authorized by the data subject;
  3. The personal data is no longer necessary for the purposes for which they were collected;
  4. The data subject withdraws consent or objects to the processing, and there is no other legal ground or overriding legitimate interest for the processing;
  5. The personal data concerns private information that is prejudicial to the data subject, unless justified by freedom of speech, of expression, or of the press or otherwise authorized;
  6. The processing is unlawful;
  7. The personal information controller or personal information processor violated the rights of the data subject.

B. How right is exercised

The data subject may request for access to his personal information and information about its processing by submitting a Request Form for Blocking, Removal, or Destruction of Personal Information to the Data Protection Officer through this e-mail address your.privacy.matters@mondenissin.com

 

Request Form for Blocking, Removal, or Destruction of Personal Information

Name of Data Subject:

 

Information to be blocked, removed, or destroyed:

 

Requested Action:

 

_____ Blocking

_____ Removal

_____ Destruction

 

Basis for Request:

 

 

 

C. Protocol upon receipt of request

  1. Identity Verification. Refer to the Identity Verification Protocol above.
  1. Payment of Processing Fees. Refer to the Processing Fees Protocol above.
  1. Assessment of Validity of Request. The DPO has thirty (30) working days from confirmation of receipt to determine the merits of the request. The DPO must respond to the data subject through e-mail confirming the request, or detailing the reasons for denial. If the request has been granted, the DPO must list down the databases or records where the information shall be blocked, removed, or destroyed.
  1. The DPO has thirty (30) days from the date of reply to the data subject to block, remove, or destroy all the records which contain the inaccurate information. If the personal data has been corrected, the DPO shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by the intended recipients thereof. Within the same period, the recipients or third parties who have previously received such processed personal data shall be informed of the action taken.
  1. Deletion of Identity Verification Documents. After the request has been satisfied, the scanned ID e-mailed by the data subject will be deleted.

IX. Right to Damages

Upon presentation of a valid final decision, the Company recognizes the right of the data subject to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data, taking into account any violation of his or her rights and freedoms as data subject. The exercise of this right shall conform to the company’s Complaints Investigation Policy. 

X. Effectivity of the Policy

This policy takes effect on June 21, 2019. The Company reserves the right to modify, amend, replace or revoke this policy at any time.

 

DATA RETENTION POLICY

I. Purpose of Policy

 This policy is intended to provide guidance on the retention of various types of data Monde Nissin (the “Company”) holds. This document strives to balance the need to store information with legal obligations to destroy the data safely when it has already served its purpose. 

II. Legal Basis for the Policy

 The legal basis for this policy may be found in the following sources:

 A. Data Privacy Act of 2012 (DPA)

SEC. 11. General Data Privacy Principles. – The processing of personal information shall be allowed, subject to compliance with the requirements of this Act and other laws allowing disclosure of information to the public and adherence to the principles of transparency, legitimate purpose and proportionality.

x x x

(e) Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law;

 B. Implementing Rules and Regulations of the Data Privacy Act of 2012 (DPA IRR)

Section 19. General principles in collection, processing and retention. The processing of personal data shall adhere to the following general principles in the collection, processing, and retention of personal data:

x x x

  1. Personal Data shall not be retained longer than necessary.
  2. Retention of personal data shall only for as long as necessary:
    1. for the fulfillment of the declared, specified, and legitimate purpose, or when the processing relevant to the purpose has been terminated;
    2. for the establishment, exercise or defense of legal claims; or
    3. for legitimate business purposes, which must be consistent with standards followed by the applicable industry or approved by appropriate government agency.
  3. Retention of personal data shall be allowed in cases provided by law.

III. Scope of Policy

This policy applies to information in all its forms. It may be on paper, stored electronically, held on film, microfiche, or other media. It includes text, pictures, audio, and video. It covers information transmitted by post, by electronic means, and by oral communication, including telephone and voicemail. It applies throughout the lifecycle of the information from creation, collection, storage, utilization, to disposal.

This policy applies to all officers and employees of the Company and to other users associated with the Company.

 IV. Data Retention Principles

  1. The Company shall inform the data subject of the period and purpose for which his personal information will be retained.
  2. The Company shall retain personal information only for as long as necessary:
    1. for the fulfillment of the declared, specified, and legitimate purpose, or when the processing relevant to the purpose has been terminated;
    2. for the establishment, exercise or defense of legal claims; or
    3. for legitimate business purposes, which must be consistent with standards followed by the applicable industry or approved by appropriate government agency.
  3. Other circumstances when personal information may be retained:
    1. In cases provided by law
    2. When the information is originally collected for a declared, specified, or legitimate purpose, it may be processed further for historical, statistical, or scientific purposes
    3. If the personal information is aggregated or kept in a form which does not permit identification of data subjects may be kept longer than necessary for the declared, specified, and legitimate purpose.
  4. Personal information shall not be retained in perpetuity in contemplation of a possible future use yet to be determined.
  5. The Company shall ensure the quality and accuracy of the data being retained.
  6. The Company shall ensure the security of the archived data.
  7. The Company shall ensure restricted access to the data.
  8. The Company shall give data subjects access to their personal information.

 V. Data Retention Audit

  1. The Company shall conduct an annual audit of all the personal information it holds. Any information no longer needed must be deleted. However, information that does not need to be accessed regularly, but which still needs to be retained, should be safely archived or put offline.
  2. Automated systems may be put in place to delete records after a pre-determined period, or flag records for the department head to assess whether it should still be retained, archived or deleted.

 VI. Data Archival

  1. Department heads may decide to archive or put offline data which does not need to be accessed regularly. This must be done with authorization of the Data Protection Officer (DPO).
  2. Data subjects whose personal information is archived must still be given the right to access such information.
  3. General data protection principles must still be respected with regard to information that has been archived.

 VII. Data Retention Schedule

  1. The DPO shall create a data retention schedule for the various categories of information within the Company. This schedule shall be subject to review annually.
  2. In determining the appropriate length of a retention period, the DPO shall take into account the following considerations:
    1. The Data Retention Principles mentioned in this Policy
    2. The current and future value of the information;
    3. The costs, risks and liabilities associated with retaining the information; and
    4. the ease or difficulty of making sure it remains accurate and up to date
    5. Agreed industry practices
    6. Legal or regulatory requirements.

 

Table 1. Data Retention Schedule

 

Department

File Type

Records/Data

Retention Period

Accounting and Finance

Accounting and Finance

Accounting Records, including journals, ledgers, trial balances etc.

Permanent (*in case of fraud, prescription of action for tax assessment is 10 years from discovery of fraud)

Legal

 

Contracts

All agreements, memoranda of understanding, job orders, purchase orders, and similar documents

10 years after expiration or termination of the contract

Amendments and change orders

10 years after expiration or termination of the contract

Deliverables, reports, correspondence, and other documents pertinent to the contract

10 years after expiration or termination of the contract

Certificates of completion, warranties, and similar documents

10 years after expiration or termination of the contract

Corporate Files

Articles of incorporation and by-laws, general information sheet, and other corporate housekeeping files

Permanent

Permits, licenses, and similar documents

Permanent

Litigation Files

Complaints, pleadings, court orders, subpoenas, judgment and other case files

Permanent

Evidence submitted to the courts and tribunals

Permanent

Human Resources

 

Employment Records

Application Forms, CVs

 6 months after the resolution of the case

201 Files

 

Disciplinary cases

10 years after the resolution of the case

Sales and Marketing

Customer Files

Customer database

 

All

Correspondence

Contract-related letters and emails

10 years after expiration or termination of the contract

Routine communications

2 years

 

VIII. Anonymization

Anonymized data is data that has been rendered in such a way that the data subject is no longer identifiable. It then ceases to become personal information and falls outside the coverage of the DPA. Effective anonymization obscures the identifiable data items within the person’s records sufficiently such that the risk of potential identification of the data subject is minimized to acceptable levels.

 A. Purpose of Anonymization

Anonymization is undertaken to protect the privacy of individuals, while still making data available for statistical and analytical purposes.

 B. Risk of Re-identification of Anonymized Data

When anonymizing data, the Company must ensure that information is assessed and risks mitigated. This includes assessing whether other information is available that is likely to facilitate re-identification of the anonymized data.

  1. Motivated Intruder Test

The method to employ in determining the risk of re-identification is the motivated intruder test. This checks whether a reasonably competent individual who wishes to de-anonymize data could successfully do so. The test involves finding out whether information in the anonymized dataset could be combined with searches of easily available online or other information to reveal the identity of individuals.

  1. Issues to be considered are as follows:
    1. What is the risk of a “jigsaw attack”, piecing different items of information together to create a more complete picture of someone? Does the information have characteristics which facilitate data linkage?
    2. What other linkable information is easily available?
    3. What technical measures might be used to achieve re-identification?
    4. What re-identification vulnerabilities did the motivated intruder test reveal?
    5. How much weight should be given to individuals’ personal knowledge?
    6. If a penetration test has been carried out, what re-identification vulnerabilities did it reveal.
  2. Obvious sources of information:
    1. Libraries
    2. List of registered voters
    3. Church records
    4. Civil registrar records
    5. Genealogy websites
    6. Social media
    7. Internet searches
    8. Local and national press archives
    9. Anonymized data releases by other organizations, particularly public authorities
  1. Re-identification as a security risk

Re-identification would lead to the unintentional disclosure of personal or sensitive personal information and would therefore be an information security incident which must be reported to the National Privacy Commission.

C. Techniques for Anonymization

Depending on the information involved, the following are the techniques to be used by the Company in the anonymization of personal information:

  1. Aggregation so that data is only viewed as totals
  2. Removing person identifiers
  3. Using identifier ranges, for example: age ranges instead of age, full or partial postcode or general area instead of full address, age at activity instead of date of birth.

 

IX. EFFECTIVITY OF THE POLICY

This policy takes effect on June 21, 2019. The Company reserves the right to modify, amend, replace or revoke this policy at any time.