The Company’s Data Privacy Policy

Policy Objectives:

This data privacy policy summarizes how Pito AxM Platform Inc. manages, protects, and ensures the confidentiality of the data in its custody. It covers both internal and external customers and stakeholders, and pursues legal compliance, risk mitigation, and the fostering of trust and transparency.

Protecting Sensitive Data. The primary goal is to safeguard personal information from unauthorized access or misuse, thereby preventing data breaches and other cybercrime.

Ensuring Compliance. This data privacy policy ensures adherence to Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), and its Implementing Rules and Regulations, which carry significant penalties and sanctions for non-compliance.

Building Trust. A transparent and robust policy demonstrates PAPI’s commitment to data privacy, which in turn builds invaluable trust and loyalty among employees, customers and partners.

Mitigating Risks. By defining clear procedures and guidelines, this data privacy policy helps reduce the risks associated with human error or malicious attacks, protecting PAPI’s reputation and financial stability.

In essence, a well-defined data privacy policy acts as a crucial safeguard, managing data responsibly and ethically for all parties involved in the data ecosystem.

Scope and Limitation:

This data privacy policy shall apply to all customers, all employees (regardless of the type of employment or contractual arrangement), all official business transactions that PAPI or its authorized representatives may enter into, and all other stakeholders of PAPI.

Definition of Terms:

Company refers to Pito-AxM Platform, Inc. (also known as “PAPI”).

Data Protection Officer (DPO) is a position mandated by the DPA, responsible for ensuring compliance with the law, enforcing the data privacy policies, and ensuring effective data protection efforts.

Data Processing System refers to the structure, procedure, or any application that is used in processing personal information.

Transparency is a DPA requirement to provide data subjects with clear and accessible information about how their data is collected, the purpose for which it is processed, and the conditions of that processing.

Legitimate Purpose is a principle that ensures the purpose of data collection and processing is lawful and aligns with the rights of the data subject.

Proportionality is a principle that ensures that only necessary information is collected and that processing is not excessive. This balances the benefits of data collection against the risks to an individual’s privacy.

Personal Information Controller (PIC) refers to an entity that controls the processing of personal data, which may be a corporation, organization or individual. PICs are accountable for ensuring compliance with the DPA.

Personal Information Processor (PIP) refers to any person or entity that processes personal information on behalf of a PIC. They are responsible for handling personal data according to the instruction of the PIC.

Consent of the Data Subject means any freely given, specific, informed indication of will, whereby the Data Subject agrees to the collection and processing of personal information about and/or relating to him or her.  The consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the Data Subject by an agent specifically authorized by the Data Subject to do so.

Data Subject refers to an individual whose personal, sensitive personal or privileged information is processed by the organization. It may refer to officers, employees, consultants, and clients of the company.

NPC means the National Privacy Commission, which is a government agency created to administer and implement the provisions of the DPA. 

Personal Information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information or when put together with other information would directly and certainly identify an individual.

Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of data.

Sensitive Personal Information refers to Personal Information about:

  1. Race, ethnic origin, marital status, age, color, and religious, philosophical, or political affiliations.
  2. Health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings.
  3. Data issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or their denials, suspension or revocation, and tax returns; and
  4. Data specifically established by an executive order or an act of Congress to be kept classified.

Policy Statement:

Pito AxM Platform Inc. shall endeavor to comply with all applicable provisions of Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations, and other National Privacy Commission (NPC) issuances.  This policy aims to protect the personal information of our clients, employees and stakeholders, which shall be processed in adherence to the general principles of transparency, legitimate purpose and proportionality.

This Data Privacy Policy shall outline the Company’s handling practices for any information provided by an individual when using our services or our website, when availing of services from Customer Care, when entering company premises, or through any other channel where personal information is required, whether the information is collected in digital or hardcopy format.

This document shall communicate our data protection and security measures and shall serve as a guide for exercising Data Subject rights under the law.

This data policy shall protect customers by ensuring:

Transparency. A clear privacy policy, publicly available on the website, shall inform customers exactly how their data is collected, used, shared, and stored.

Control. Customers shall be given control over their data, including the right to know what information is held about them and the ability to request its deletion, as provided under the DPA.

Responsible Handling. The policy shall specify that only necessary data is collected and used for legitimate, stated purposes, limiting potential misuse.

Our stakeholders, including employees, investors, and partners, shall be covered through:

Clear Guidelines. This policy shall provide internal stakeholders (employees) with strict guidelines and procedures for data handling, storage, and access controls, reducing internal risks.

Legal & Financial Protection. This policy shall ensure regulatory compliance and shall implement security measures (like data encryption). This policy shall protect the organization from legal repercussions, fines, and financial losses that would impact investors.

Reputation Management. A strong data privacy stance shall enhance the company’s reputation, an important asset for all stakeholders.

Defined Accountability. The policy shall define roles, such as the appointment of a Data Protection Officer (DPO), who shall be responsible for enforcing the rules and managing incidents.

Processing Personal Information:

Collection 

PAPI shall collect the basic personal information of its clients, partners and employees, including:

  1. Full name
  2. Contact Number

For clients, any transactions or services availed of at the ATM units shall be kept on record by PAPI. Concerns reported through any of the Customer Care Unit’s channels shall require additional information, including but not limited to email address, card number, date of birth, address, CCTV footage, and any other pertinent information required to resolve the concern or verify identity.

For employees, the personal information required shall include work experience, educational background, names of dependents, and sensitive personal information such as medical records and history, to establish the background required to commence or maintain the employer-employee relationship. Sensitive personal information shall also be collected and maintained while PAPI manages the health maintenance benefits of employees, including their enrolled dependents, and the life insurance coverage of all regular employees.

The groups with direct access to collected data shall be responsible for its safekeeping until its disposal, which is subject to approval.

Use

Personal information collected shall be used by PAPI for internal data processing, facilitating transactions, marketing strategies and promotions, conducting research, improving services, addressing complaints, complying with regulatory bodies, and other official business transactions.

Storage, Retention and Disposal

PAPI through its Data Protection Officer (DPO) shall ensure that the personal information under its custody is protected against any accidental or unlawful access and processing.

Where no law requires a specific retention period, information gathered shall be retained only for as long as necessary for the purposes stated above. Some records may need to be retained for as long as 10 years to satisfy the records retention requirements of regulatory bodies.

Disposal of personal information shall follow company policies and industry best practices, and no personal information shall be retained beyond a maximum of 10 years. Digital records shall be disposed of by ensuring complete deletion of the files from all databases, in accordance with the information security policy on data disposal. Printed copies shall be physically destroyed using cross-cut shredders.

Personal information collected from customer complaints through our Customer Care Unit and social media platforms (including but not limited to customer name, phone numbers, bank account details, and email address) shall be disposed of according to the following schedule:

  1. Viber logs – 30 days.  Deleted by Viber, the third-party provider.
  2. Messenger – weekly, every Friday.  Deleted by the CCU Lead through the Facebook application.
  3. Captured cards – every two days from receipt, through shredding.
  4. Captured card transmittals – every Friday, through shredding.

Access

Access to personal information shall be limited to the data subjects concerned and to internal processors, which may include employees and third-party services contracted for data processing. The DPO shall oversee the granting of access to personal information whenever necessary.

Data Disclosure and Sharing

All employees and personnel shall maintain the confidentiality and secrecy of personal information in their possession, even after cessation of employment with PAPI. PAPI may share collected information with third-party vendors contracted by the company for information processing services, as needed.

All such contracts shall be supported by a strict confidentiality or data sharing agreement. The vendor’s responsibilities, limitations on subcontracting, and other restrictions shall also be defined in the agreement.

The DPO shall ensure that a compliant and robust Data Processing System is in place for any data sharing agreement that PAPI may enter into. The data sharing agreement shall comply with the requirements of the Data Privacy Act and shall not in any way violate its applicable provisions.

Security Measures:

Organizational Measures – addressing the human aspect of data protection.

  1. Conduct a Privacy Impact Assessment (PIA) – The PAPI DPO shall determine which processes, systems, or applications need to undergo a PIA to assess possible risks and their impact on personal information. A PIA template shall be established by the DPO.
  2. Data Protection Officer (DPO) – PAPI shall designate its DPO and register the DPO with the NPC.
    Responsibilities of the DPO include the following as mandated by the DPA:
    • Monitor PAPI’s compliance with the DPA and its IRR. The DPO shall collect information on the company’s processes and systems that use personal information, including sensitive personal information, and maintain the required standards in personal data processing.
    • Ensure that a PIA is conducted where assessed to be necessary under the guidelines set.
    • Advise the PIC/PIP regarding complaints or requests by Data Subjects to exercise their rights.
    • Ensure that data breach and security incident policies are followed by the relevant departments, e.g., Information Technology Group, Human Resources Group, Governance Group, etc.
    • Inform and cultivate awareness of data privacy protection within the organization through training and privacy programs.
    • Advocate for revision of policies and procedures to integrate privacy measures in operations.
    • Act as the contact person for privacy concerns of the Data Subjects and other organizations or authorities.
    • Coordinate with the NPC on matters of data security and concerns.
  3. Confidentiality – All employees and agency personnel shall agree to a Non-Disclosure Agreement through their employment contracts, administered by the HR Group. All other contemplated business relationships with third parties shall be covered by a mutual Non-Disclosure Agreement before any sharing of data and information commences.
Physical Measures – intended to monitor and limit access to the facilities where personal information is kept, in both electronic and physical formats.
  • Collected information shall preferably be kept in electronic format, e.g., emails, soft or scanned copies, converted or encoded personal information, phone recordings, etc. Electronic files shall be stored in cloud storage subscribed from reputable vendors. Physical printed copies, if any, shall be stored in locked cabinets or drawers.
  • Access to electronic files shall be limited to authorized personnel accounts, and access logs shall be traceable. Cabinet keys for printed files shall be kept and secured by designated key custodians.
  • Employee work areas shall be positioned with sufficient spacing to maintain privacy, and screens shall be locked when an employee leaves the area.
  • Electronic transfers of personal information shall be secured with encryption. Printed copies shall not be brought outside the company premises.
Technical Measures – The IT Group shall ensure that sufficient intrusion detection procedures are in place, that vulnerabilities are tested through penetration testing, and that security breaches and attempted breaches are monitored and reported.

Data Breaches & Security Incidents:

Data Breach Response Team

PAPI shall identify specific personnel to respond to a data breach, with the aim of managing or minimizing the damage and ensuring compliance with the required breach response. The team shall be headed by the Data Protection Officer (DPO) and shall activate the Data Breach Response when a breach has occurred. At minimum, the team shall comprise the following:

  1. Information Technology Group Head – shall focus on identifying causes, investigating, and resolving network security issues, including determining what data was compromised and how to restore it.
  2. Governance Group Head – shall ensure compliance with regulatory requirements during the response process and manage external communications.
  3. Human Resources Group Head – shall ensure that internal investigations are carried out and that any involvement of personnel is dealt with accordingly.

Notification Protocol

All employees and agents of PAPI shall be tasked with regularly monitoring for signs of a possible data breach or security incident.  If such signs are discovered, the employee or agent shall immediately report the facts and circumstances for verification as to whether a breach requiring notification under the DPA has occurred.

Notification shall be required when sensitive personal information, or other information that may be used to enable identity fraud, has been acquired by an unauthorized person, and the PIC or the NPC believes that such acquisition is likely to give rise to a real risk of serious harm to the affected Data Subjects. Where notification is required, the DPO shall notify the NPC and the affected Data Subjects within 72 hours of PAPI’s knowledge of, or reasonable belief that, such a breach has occurred.

The notification to the NPC and the affected Data Subjects shall at least describe the nature of the breach, the Personal Information possibly involved, and the measures taken by the Company to address the breach.  The notification shall also include measures taken to reduce the harm or negative consequences of the breach and the name and contact details of the DPO.  The form and procedure for notification shall conform to the regulations and circulars issued by the NPC, as may be updated from time to time.

Breach Reports

All security incidents and Personal Information breaches shall be documented through written reports, including those not covered by the notification requirements. A general summary of the reports shall be submitted by the DPO to the NPC annually.

Inquiries and Complaints:

Data subjects may inquire or request information regarding any matter relating to the processing of personal data under the custody of PAPI, including the data privacy and security policies implemented to ensure the protection of personal data. For any concerns or to exercise the Data Subject rights, they may contact the Data Protection Officer at dpo@papi-axm.com.ph or reach out to any channels of our Customer Care Unit.