1. SCOPE
  2. POLICY STATEMENT
  3. PURPOSE
  4. POLICY SECTIONS AND CLAUSES
  5. ENFORCEMENT
  6. SPECIAL SITUATIONS AND EXPECTATIONS
  7. REFERENCES
  8. ACRONYMS
  9. DEFINITIONS

1. SCOPE

This policy is applicable to:

  • All the members and users of EVOX and Bamboo HR applications
  • All the Eastvantage employees including contract employees and temporary employees
  • All the third parties working with Eastvantage including but not limited to customers, suppliers, service providers, consultants etc. where personal data is made available to third party

2. POLICY STATEMENT

“This policy states that Eastvantage is dedicated to protect the privacy of personal data disclosed to us by customers, clients, third parties and employees or by Eastvantage. The policy mandates minimum data privacy and protection requirements of Eastvantage.”

3. PURPOSE

This policy addresses the requirement for protecting data privacy of any data subject. The policy lays down minimum requirements to meet compliance with applicable local and global data privacy regulations and to protect the personal data which Eastvantage collects, holds, processes or transmits.

4. POLICY SECTIONS AND CLAUSES

  • Data Privacy Principles

    • Personal data shall be processed fairly, lawfully and in a transparent manner:
      • Eastvantage shall have documented legitimate grounds for collecting and using the personal data.
      • Eastvantage shall not use the data in ways that have unjustified effects on the data subjects.
      • Eastvantage shall obtain consent in writing from the data subject before collecting personal data whenever possible.
      • Eastvantage shall be transparent about how it intends to use the data and give data subjects appropriate privacy notices when collecting their personal data.
      • Eastvantage shall handle data subject’s personal data only in ways they would reasonably expect.
      • Eastvantage shall make sure it does not do anything unlawful with the data.
    • Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
      • Eastvantage shall be clear from the outset about why they are collecting personal data and what it intends to do with it.
      • Eastvantage shall comply with the fair processing requirements including the duty to give privacy notices to data subjects when collecting their personal data.
      • Eastvantage shall comply with the requirements of notifying the Information Commissioner/National Privacy Commission and/or data controller.
      • Eastvantage shall ensure that if it wishes to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair.
    • Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
      • Eastvantage shall only collect or hold personal data about a data subject that is sufficient for the documented purpose.
      • Eastvantage shall not hold more information than it needs for the documented purpose.
    • Personal data shall be accurate and, where necessary, kept up to date.
      • Eastvantage shall take reasonable steps to ensure accuracy of personal data it holds.
      • Eastvantage shall have clearly documented sources of the personal data.
      • Eastvantage shall provide a mechanism to the data subject to challenge accuracy of personal data and shall consider updating the personal data where necessary.
    • Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
      • Eastvantage shall document and review the retention period of personal data.
      • Eastvantage shall securely delete personal data when its no longer needed for its documented purpose or when it exceeds the defined retention period.
    • Personal data shall be processed in accordance with the rights of the data subject.
      • Eastvantage shall have a process to inform the data subject whether any personal data is being processed.
      • Eastvantage shall give a description of the personal data, the reasons it is being processed, and whether it will be given or shared with any other organizations or people.
      • Eastvantage shall give a copy of the information comprising the data; and give details of the source of the data when a request is made by the data subject.
      • Eastvantage shall consider data subject’s objection to process personal data.
      • Eastvantage shall consider data subject’s request to prevent the personal data being processed for direct marketing.
      • Eastvantage shall have a documented reasoning for any decision taken by automated means using personal data of the data subject.
      • Eastvantage shall consider data subject’s request to rectify, block, correct or erase incorrect personal data.
      • If the data subject suffers damage because of breaching requirements of applicable regulation by Eastvantage, then Eastvantage shall consider the compensation request of the data subject. Such compensation can be only enforced through courts.
    • Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
      • Eastvantage shall design and organize data security to fit the nature of the personal data it holds and the harm that may result from a security breach.
      • Eastvantage shall perform periodic privacy impact assessments and information security risk assessments.
      • Eastvantage shall appoint a DPO (Data Protection Officer).
      • Eastvantage shall have a designated CISO (Chief Information Security Officer) who is responsible for ensuring information security in the organization.
      • Eastvantage shall make sure that the right physical and technical security, backed up by robust policies and procedures are in place and reliable, well-trained staff is available to maintain the security controls.
      • Eastvantage shall be ready to respond to any breach of security swiftly and effectively and shall have a documented breach/incident response plan in place.
      • Eastvantage shall have necessary business continuity and disaster recovery measures in place.
      • Eastvantage shall demonstrate compliance to well known industry accepted information security certifications such as ISO 27001.
  • Organizational framework

    • Management
      • The Managing director is ultimately responsible for ensuring that Eastvantage establishes policies and procedures consistent with this data privacy policy or use of personal data and applicable legal, contractual and regulatory requirements.

      • Management shall ensure that collection, processing, transfer, retention of personal data complies with applicable regulatory, legal, contractual requirements and established policies of Eastvantage.

      • Eastvantage shall appoint a DPO (Data Protection Officer).
      • Management shall appoint a Data Protection Officer who operates independently with and reports to the highest level of management.
      • Management shall provide appropriate authority to Data Protection Officer to meet their responsibilities.
      • Management shall provide adequate resources to enable the DPO to meet their responsibilities.
      • Management shall have regular exchanges with DPO to keep him/her aware of relevant organizational developments which may have an impact on data privacy.
      • Management shall ensure that staff, facilities, and IT processing assets with appropriate security clearances are available in Eastvantage.
    • Data Protection Officer Responsibilities
      • DPO shall oversee, define, plan, budget, and implement the data privacy program of Eastvantage.

      • DPO shall supervise all data privacy related projects.

      • DPO shall ensure that the data privacy program integrates fully into enterprise architecture and capital planning and investment control processes.
      • DPO shall coordinate with Information Security, HR, Admin, IT, Finance and Development for data privacy matters.
      • DPO shall develop data privacy policy and keep it up to date.
      • DPO shall conduct annual gap assessment against documented and established data privacy policy.
      • DPO shall ensure that information assets are developed and operated in full compliance with Eastvantage’s policies.
      • DPO shall keep a formal record of personal data which is collected, processed, transferred and/or retained by Eastvantage.
      • DPO shall inform and advise the organization and its employees about their respective obligations to comply with the GDPR and other applicable data protection laws.
      • DPO shall develop and implement adequate policies and procedures to meet the requirements of this data privacy policy and applicable legal, contractual and regulatory requirements.
      • DPO shall monitor compliance with the GDPR and other applicable data protection laws, including managing internal data protection activities, advise on data protection impact assessments.
      • DPO shall train staff and facilitate internal audits and evaluate effectiveness on assurance of data privacy controls.
      • DPO shall review and monitor vendor contracting to ensure that data privacy requirements are in place.
      • DPO shall be the first point of contact for National Privacy Commission, supervisory authorities/data controllers and for data subjects whose data is processed (employees, customers etc.).
      • DPO shall coordinate and manage responses to incidents which involve personal data.
      • DPO shall monitor local and global regulations for all the developments and modify the data privacy policy accordingly.
      • DPO shall manage the relationship with other regional DPOs.
      • DPO shall coordinate with appropriate person or team for addressing requests from data subject to meet compliance with data subject’s rights.
      • DPO shall manage reporting data privacy requirements to regulators, stakeholders, external parties.
      • DPO shall support and document external and internal confidentiality agreements.
      • DPO shall address queries raised by any regulatory or legal body.
      • DPO shall provide guidance on how employees can exercise their rights under local law to complain about how their personal data is being handled by Eastvantage.
    • Internal Auditor Responsibilities
      • Internal Auditor shall perform internal audits to assess security practices and procedures against established policies.

      • Internal Auditor shall examine, evaluate and report on the adequacy and reliability of existing internal controls.

      • Internal Auditor shall report non-conformities to senior management and follow up on actions to close non-conformities.
      • Internal Auditor shall provide information, analyses, and counsel to assist in effectively and efficiently handling the data privacy.
    • Data Owners Responsibilities
      • Data Owner shall coordinate with appropriate system administrators to ensure that personal data is being adequately protected commensurate with its sensitivity level.

      • Data Owner shall ensure that the personal data is being used and accessed in a secure manner.

      • Data Owner shall ensure the security of any applications that interface the personal data and that are controlled by the data owner.
      • Data Owner shall assist system owners in developing and maintaining required security documentation as it pertains to how personal data is accessed and used by the data owner.
      • Data Owner shall be knowledgeable of the personal data for which they are directly responsible, which applications use personal data, and who administers those applications.
    • System Administrators Responsibilities
      • System Administrator shall ensure that technical and operational security controls are being implemented and maintained according to the sensitivity level of the system and the personal data being processed.

      • System Administrator shall assist in the development and maintenance of required security documentation and related activities (e.g., system administration and operational procedures and manuals).

      • System Administrator shall be knowledgeable of assets or parts of assets they are directly responsible for (e.g., network equipment, servers, and LANs).
    • Database, Application and Account Administrators Responsibilities
      • Database, Application and Account Administrator shall coordinate with appropriate system administrators to ensure that their databases and applications are being adequately protected commensurate with the sensitivity level of the personal data being processed.

      • Database, Application and Account Administrator shall operate databases and applications in a secure manner.

      • Database, Application and Account Administrator shall manage user accounts in a timely and secure manner (e.g., disabling accounts);
      • Database, Application and Account Administrator shall assist in the development and maintenance of required security documentation and related activities (e.g., application administration and operational procedures and manuals).
      • Database, Application and Account Administrator shall be knowledgeable of applications and databases for which they are directly responsible for.
    • Department Heads and System Owners Responsibilities
      • Department Head and System Owner shall ensure that appropriate levels of security are applied to the information system in the department and that sufficient resources are planned and assigned to maintain this level of security.

      • Department Head and System Owner shall ensure the system is developed and operated in full compliance with department and Eastvantage’s policies.

      • Department Head and System Owner shall determine the system sensitivity levels (high, medium, or low) with respect to personal data privacy concerns.
      • Department Head and System Owner shall ensure that data privacy is planned and implemented throughout all phases of the System Development Life Cycle.
      • Department Head and System Owner shall ensure that appropriate security requirements and disclosure agreements are included in the specifications for the acquisition of information security and related services and certify that awarded contracts comply with security and privacy requirements.
      • Department Head and System Owner shall ensure that the information security system is meeting all applicable certification and accreditation requirements.
      • Department Head and System Owner shall ensure that breaches are reported in accordance with Eastvantage’s policy and procedure.
      • Department Head and System Owner shall ensure that users receive appropriate security training.
      • Department Head and System Owner shall determine the appropriate position sensitivity designations for critical and sensitive employee positions (e.g., system administrators) and ensure that staff and associates under their jurisdiction have undergone appropriate background investigations. Inform staff and associates of the level of security that must be maintained given their position sensitivity.
      • Department Head and System Owner shall ensure system specific security responsibilities are properly identified and documented. Ensure that duties are separated among multiple employees whenever necessary to prevent a single person from performing malicious or illegal activities undetected.
      • Department Head and System Owner shall ensure that system positions with significant security responsibilities are held by staff with sufficient training and education qualifications as well as by staff who have had appropriate background checks.
      • Department Head and System Owner shall ensure that interconnected assets have equivalent or greater levels of security.
    • All Authorized Users Responsibilities
      • All Authorized Users shall operate information assets in a secure and responsible manner.

      • All Authorized Users shall abide by all applicable policies and procedures. This includes reading and understanding Eastvantage’s and system-specific rules of behavior regarding inappropriate use or abuse of Eastvantage’s resources and personal data.

      • All Authorized Users shall participate in awareness and training activities.
      • All Authorized Users shall be knowledgeable of assets or parts of assets for which they are directly responsible for (e.g., printer, desktop, specific support service, etc).
      • All Authorized Users shall be knowledgeable of the sensitivity of the personal data they handle and take appropriate measures to protect it.
      • All Authorized Users shall report incidents to their DPO using the method devised.
      • All Authorized Users shall report incidents to their DPO using the method devised by emailing data.privacy@eastvantage.com
  • Data Subject Rights

    As per this policy, a data subject is entitled to the following rights:

    • The right to be informed

    • The right of access
    • The right to rectification
    • The right to erasure
    • The right to restrict processing
    • The right to data portability
    • The right to object
    • The rights in relation to automated decision making and profiling
    • The right to file a complaint
    • The right to damages/compensation

For queries or concerns regarding data privacy, data subjects may contact the DPO through email address data.privacy@eastvantage.com

  • Data Security Controls

    Eastvantage is committed to deploy appropriate technical and organizational measures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Such controls are but are not limited to:

    • Strong physical and logical access control to prevent unauthorised access to personal data or to system processing or holding personal data.

    • Deployment of least privilege and need to know principle to ensure that person authorized to process or use personal data is only authorised to access the personal data which they need.
    • Ensuring that personal data cannot be viewed, altered, copied, deleted, transferred without prior authorisation.
    • Ensure that appropriate records are maintained to check and ascertain whether any personal data has been collected, stored, altered or removed and if so by whom.
    • Ensure that appropriate records are maintained to check and ascertain where the personal data is transferred and using which transmission mechanism the personal data is transferred.
    • Ensuring the continuous availability of personal data so that it is protected from accidental loss or destruction.
    • Ensuring that strong perimeter security is deployed using latest firewall and intrusion detection and prevention systems.
    • Ensuring that systems collecting, holding, processing and transmitting personal data are configured only for necessary services and are hardened as per industry best practices.
    • Ensuring that strong encryption is used to protect data at rest and motion using strong cryptography.
    • Deploying antimalware protection and performing regular patching of systems dealing with personal data.
    • Continuous logging and monitoring of systems to identify potential intrusions or suspicious activity.
    • Performing regular vulnerability assessment and penetration testing of infrastructure and application.
  • Data Retention

    • Personal data shall not be retained in a form which permits identification of the data subject for longer than necessary for the documented purpose for which the personal data were collected.

    • Eastvantage shall document the retention period of personal data along with the justification for such retention period.

    • Personal data shall be securely erased when they have deemed to be unnecessary for the purpose which they were collected.
    • Personal data shall be securely erased and/or achieved after it exceeds the defined retention period.
    • Before securely erasing data, the personal data shall be stored in a way which permits the right to access to be exercised.
  • Awareness

    • Personal data shall not be retained in a form which permits identification of the data subject for longer than necessary for the documented purpose for which the personal data were collected.

    • Eastvantage shall document the retention period of personal data along with the justification for such retention period.

    • Personal data shall be securely erased when they have deemed to be unnecessary for the purpose which they were collected.
    • Personal data shall be securely erased and/or achieved after it exceeds the defined retention period.
    • Before securely erasing data, the personal data shall be stored in a way which permits the right to access to be exercised.
  • Outsourcing

    • Processing on behalf of third parties shall be regulated in writing via a valid signed contract.

    • Eastvantage shall only process the personal data for the purpose of data controller and as per the instructions of data controller.

    • Eastvantage shall not use the personal data for any purpose other than that set out in the signed contract.
    • The valid contract shall address confidentiality, data privacy, data security controls required and breach liability.
    • Eastvantage shall not subcontract or engage sub processors for any processing set out to Eastvantage by data controllers, unless Eastvantage has received an authorization to do so. If authorized to do so, all such sub processing shall be done in the name and on behalf of the data controller.
  • Monitoring

    • Eastvantage’ s DPO shall conduct an assessment against this policy on at least an annual basis.

    • Eastvantage shall only process the personal data for the purpose of data controller and as per the instructions of data controller.

    • Eastvantage shall not use the personal data for any purpose other than that set out in the signed contract.
    • The report of the assessment shall be submitted to senior management and other regional DPOs.
    • DPO shall take necessary steps to address the gaps to continually improve the implementation of this policy.
  • Reporting a breach

    • Data privacy breach is a breach of security which leads to accidental or unlawful disclosure, loss, modification, access to personal data which is collected, processed or transmitted.

    • Any dissemination of personal data without prior approval shall also be considered as data breach.

    • Eastvantage shall set out a data privacy breach reporting and response process to ensure that each breach is handled efficiently.
    • Eastvantage as required by applicable local and global regulations shall notify affected data subjects, respective regulators and media when privacy is breached without undue delay.
    • The departments and employees of Eastvantage shall report breach to DPO and the DPO in turn shall report the breach to senior management, other regional DPOs, regulators and other affected parties.

5. ENFORCEMENT

Necessary disciplinary action will be taken against any employee not following the policies and procedures laid down by Eastvantage. Similarly, action will be taken against those employees encouraging/observing such an activity and not reporting the same to the concerned authority. Any employee found to have violated or not practicing his/her role may be subject to disciplinary action, up to and including termination of employment as per the Eastvantage’s HR policies.

6. SPECIAL SITUATIONS AND EXPECTATIONS

Eastvantage’s top management, Philippines government or any other regulatory body or norms thereof may override Eastvantage’s policies / procedures at any time.

7. REFERENCES

  • Republic Act No. 10173 or the Data Privacy Act of 2012 of Philippines
  • General Data Protection Regulation (GDPR) 2016

8. ACRONYMS

Acronym Full Name
GDPR General Data Protection Regulation
DPO Data Protection Officer

9. DEFINITIONS

Term Explanation
Data Subject A natural person whose personal data is processed by a controller or processor
Data Controller The natural or legal person, public authority, agency or other body which alone or jointly with others, determines the purposes and means of the processing of personal data;
Personal Data Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Data Processor A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Processing Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Restriction of processing The marking of stored personal data with the aim of limiting their processing in the future;
Profiling Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;
Recipient A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not
Third Party A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data;
Consent Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
Personal Data Breach A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;