PERSONAL DATA PRIVACY POLICY

  1. INTRODUCTION

    This Data Privacy Policy (the “Policy”) is issued in compliance with Republic Act No. 10173 or the Data Privacy Act of 2012, its Implementing Rules and Regulations, and other relevant policies, including issuances of the National Privacy Commission (NPC).

    It is the policy of Courier Express (CE) to respect and uphold data privacy rights, and to ensure that all personal data collected from CE’s data subjects (clients, employees and other third parties) are processed pursuant to the general principles of transparency, legitimate purpose, and proportionality espoused in the Data Privacy Act.

    As a repository and processor of personal data, CE endeavors to institute fair information practices as part of its commitment to product and service quality that conforms to the expectations of its data subjects.

  2. OBJECTIVES

    This Policy is hereby adopted to:

    1. Ensure fair and lawful processing of the personal data of data subjects, including employees, clients, customers, shareholders, and other individuals;
    2. Ensure the confidentiality, integrity, and availability of personal data under the control of CE;
    3. Protect CE from reputational and legal risks that may result from non-compliance with the Data Privacy Act; and
    4. Comply with the statutory obligations set forth under the Data Privacy Act and the regulations of the National Privacy Commission (NPC).

  3. SCOPE
    1. All personnel of CE, regardless of the type of employment or contractual arrangement, must comply with the terms set out in this Policy;
    2. This policy covers consultants or employees of third parties under a contractual obligation with CE (including sub-contracting and outsourcing arrangements);
    3. The Policy applies to all personal data held by CE relating to identifiable individuals, in whatever form (e.g. physical or digital), and to the processing of personal data in whatever manner (e.g. manual or automated);
    4. This Policy shall be subject to limitations provided under Section 5 (Special Cases) of the Data Privacy Act’s Implementing Rules and Regulations (IRR).

  4. DEFINITION OF TERMS

    The following terms used in this Policy are defined for consistency and uniformity of usage, in accordance with the Data Privacy Act of 2012:

    1. Act
      The Act refers to Republic Act No. 10173, also known as the Data Privacy Act of 2012.
    2. Courier Express
      Courier Express (CE) shall refer to the entity which gathers, collects, and processes personal data in compliance with pertinent Philippine laws.
    3. Commission
      The Commission refers to the National Privacy Commission.
    4. Consent of the Data Subject
      Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his or her personal data, sensitive personal data and privileged information. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful representative or an agent specifically authorized by the data subject to do so.
    5. Data Subject
      Data subject refers to an individual whose personal, sensitive personal and/or privileged information is processed and includes CE’s employees, clients, shareholders, job applicants and other individuals whose personal data is collected by CE.
    6. Data Processing Systems
      Data processing systems refer to the structure and procedure by which personal data is collected and further processed in an information and communications system or relevant filing system, including the purpose and intended output of the processing.
    7. Data Sharing
      Data sharing is the disclosure or transfer to a third party of personal data under the custody of a personal information controller or personal information processor. In the case of the latter, such disclosure or transfer must have been upon the instructions of the personal information controller concerned. The term excludes outsourcing or the disclosure or transfer of personal data by a personal information controller to a personal information processor.
    8. Direct Marketing
      Direct marketing refers to communication by whatever means, of any advertising or marketing material which is directed to a particular individual/s.
    9. Filing System
      Filing system refers to any set of information relating to a natural or juridical person/s to the extent that, although the information is not processed by any equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.
    10. Information and Communications System
      Information and communications system refers to a system for generating, sending, receiving, storing or otherwise processing of electronic data messages or electronic documents, and includes the computer system or other similar device by which data is recorded, transmitted or stored, and any procedure related to the recording, transmission or storage of electronic data, electronic message or electronic document.
    11. Personal Data
      Personal data refers to all types of personal information as defined by pertinent laws and regulations.
    12. Personal Data Breach
      Personal data breach refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to the personal data transmitted, stored or otherwise processed.
    13. Personal Information
      Personal information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information or when put together with other information would directly and certainly identify an individual.
    14. Personal Information Controller
      Personal information controller refers to any natural or juridical person, or any other body who controls the processing of personal data or instructs another to process personal data on its behalf. The term excludes:
      1. A natural or juridical person or any other body, who performs such functions as instructed by another person or organization; or
      2. A natural person who processes personal data in connection with his or her personal, family or household affairs.

      There is control if the natural or juridical person or any other body decides on what information is collected or the purpose or extent of its processing.

    15. Personal Information Processor
      Personal information processor refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject.
    16. Processing
      Processing refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking and erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system.
    17. Profiling
      Profiling refers to any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular, to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
    18. Privileged Information
      Privileged information refers to any and all forms of data, which, under the Rules of Court and other pertinent laws constitute privileged communication.
    19. Public Authority
      Public authority refers to any government entity created by the Philippine Constitution and all relevant laws, vested with law enforcement or regulatory authority and functions.
    20. Security Incident
      Security incident is an event or occurrence that affects or tends to affect data protection, or that may compromise the availability, integrity and confidentiality of personal data. It includes incidents that would result in a personal data breach if not for safeguards that have been put in place.
    21. Sensitive Personal Information
      Sensitive personal information refers to:
      1. An individual’s race, ethnic origin, marital status, age, color and religious, philosophical or political affiliations;
      2. An individual’s health, education, genetic, sexual life, or proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings or the sentence of any court in such proceedings;
      3. Information issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
      4. Information specifically established by an executive order or an act of Congress to be kept classified.

  5. POLICIES

    CE shall establish a regulatory-compliant organic framework to protect the rights of its data subjects and to preserve the confidentiality, integrity and availability of personal data. This framework shall ensure that CE’s personal data processing systems are reasonably secured, protected and selectively accessible, that personal data is processed or utilized for valid purposes only, and that internal measures are in place for detecting and monitoring breaches and security incidents.

    1. Data Privacy Governance

      a. Oversight
      CE’s Management shall have overall oversight on the compliance with the Act and the implementation of this Policy and other related policies of CE.

    2. Data Protection Officer
      A Data Protection Officer (DPO) shall be appointed to oversee compliance with the Act and other similar regulations. The DPO shall have the following duties and responsibilities:
      1. Ensure compliance with the Act and its IRR as well as this Policy and other related policies of CE;
      2. Ensure the regular review (at least annually) of the privacy related policies, guidelines and procedures of CE;
      3. Coordinate with the relevant officer/s of CE responsible for information security management for the effective implementation of CE’s information security measures to ensure the confidentiality, integrity and availability of personal data;
      4. Organize data privacy awareness seminars;
      5. Coordinate with CE’s Data Breach Response Team in the management of security incidents related to data privacy;
      6. Oversee and coordinate the conduct of Privacy Impact Assessments (PIA) to identify privacy risks of CE;
      7. Develop and implement remediation plans for privacy and information security risks in coordination with the information security office and process owners;
      8. Monitor compliance with CE’s privacy standards for third party providers and other entities with access to personal data under the control of CE; and
      9. Ensure compliance by CE with the reportorial, registration and other regulatory requirements of the Commission.
    3. Personal Data Processor
      Each employee that processes or handles personal data shall have the following duties and responsibilities:
      1. Understand CE’s compliance obligations under the Act and related regulations;
      2. Understand and comply with privacy and information security policies and procedures in the processing of personal data;
      3. Report immediately to his/her respective supervisor any personal data security incident or personal data breach in accordance with CE’s incident response policy and procedure;
      4. Regularly implement controls and mitigation plans to address privacy risks; and
      5. Regularly attend or undergo privacy trainings and other learning activities.
    4. Data Processing System
      To ensure effective privacy compliance and risk management, CE shall document the following:
      1. CE units, employees or third parties with functions relating to personal data processing;
      2. The categories of and inventory of data subjects and the types of personal data being processed;
      3. A description of the information flow from the point of collection up to the disposal of personal data, including any processing done in between, as well as the manner and extent of processing;
      4. The purposes for processing including any intended future processing or data sharing; and
      5. The recipients or intended recipients of personal data.
    5. Data Collection
      The data subject is hereby informed that his or her personal data will be collected and processed as needed and in full compliance with relevant laws and regulations.
    6. Retention
      Personal data shall be retained only for as long as necessary for the fulfillment of the purposes for which it was obtained, or for the establishment, exercise or defense of legal claims, for legitimate business purposes or as provided for by law.
    7. Data Sharing
      Any data sharing arrangement must be covered by a data sharing agreement which shall provide, among others, the data privacy and security standards to be observed.
    8. Rights of Data Subjects

      The rights of a data subject as provided in the Act should be observed when processing personal data, which shall include the following:

      8.1. Right to be informed
      The data subject has the right to be informed of the following matters:

      1. Whether his personal data shall be, are being or have been processed;
      2. The type of personal data to be entered into the data processing system;
      3. The purpose/s for the processing;
      4. The scope and method of processing;
      5. The parties to whom the personal data may be disclosed;
      6. Methods utilized for automated access if allowed by the data subject;
      7. Contact details of the CE or its representative;
      8. Period for which the personal data will be stored; and
      9. The existence of his or her rights as a data subject.

      8.2. Right to object

      The data subject has the right to object to the processing of his/her personal data which may cause him/her damage or distress, as well as to processing for direct marketing, automated processing or profiling. The data subject’s objection to any of these purposes shall be made in writing and duly received by CE.

      8.3. Right to access
      The data subject has the right to reasonable access, upon demand, to the following:

      1. Sources from which the personal information was obtained;
      2. Name and address of the recipients of the personal data;
      3. Manner by which the personal data was processed;
      4. Reasons for the disclosure of the personal data to the recipients;
      5. Information on automated processes where the personal data will be, or is likely to be, made the sole basis for any decision that significantly affects or will affect the data subject;
      6. Date when his personal data was last accessed or modified; and
      7. Name, address and contact details of CE or its representative.

      8.4. Right to rectification
      The data subject has the right to dispute any inaccuracy or error in his/her personal data and to have CE correct it immediately and accordingly, unless the request is vexatious or unreasonable.

      8.5. Right to erasure or blocking
      The data subject has the right to suspend, withdraw or order the blocking, removal or destruction of his/her personal data from CE’s filing system upon discovery and substantial proof that the personal data are incomplete, outdated, false, unlawfully obtained, used for an unauthorized purpose or no longer necessary for the purposes for which they were collected.

      8.6. Right to be indemnified
      The data subject has a right to be indemnified for any damages sustained due to inaccurate, incomplete, false, unlawfully obtained or unauthorized use of personal data.

      8.7. Right to lodge a complaint
      The data subject has the right to lodge a complaint before the Commission for any violation of his or her rights granted under the Act.

      8.8. Right to data portability
      The data subject shall have the right to obtain from CE a copy of his or her personal data in an electronic or structured format that allows for further use, should his or her personal data be processed in an electronic or structured format subject to the specifications, technical standards, modalities, procedures and other rules for the transfer of such personal data in an electronic or structured format to be issued by the Commission.

      The foregoing rights may be invoked by the data subject’s lawful heirs or assigns in case of the data subject’s incapacity or death.

  6. CONTROLS

    As a Personal Information Controller (PIC), CE imposes reasonable and appropriate physical, technical and organizational security measures which must be implemented to maintain the availability, integrity and confidentiality of personal data and protect them against natural dangers such as accidental loss or destruction and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

  7. BREACH AND SECURITY INCIDENTS

    CE implements policies and procedures for the management of a personal data breach, including security incidents, and shall:

    1. Establish, as part of CE’s information security management system, administrative, preventive and detective controls to detect potential or actual security incidents or data breaches, as well as complaints, non-compliances or misconduct relating to privacy and data protection;
    2. Establish and implement a security incident management policy, which shall include the following:
      1. Creation of a data breach response team to ensure that timely and appropriate action is taken in the event of a security incident or personal data breach;
      2. Implementation of an incident response procedure including the execution;
      3. The conduct of internal investigation to understand facts, circumstances, root cause and appropriate resolution;
      4. The procedure for contacting law enforcement authorities in case a possible criminal act was committed; and
      5. Compliance with the notification and reporting requirements of the Commission in the event of occurrence of personal data breach or security incident.

  8. NON-COMPLIANCE

    Violations of this Policy, the Act and its IRR will be dealt with in accordance with established disciplinary procedures and with appropriate responses to potential legal actions, including civil and criminal actions.

  9. CONSENT

    By using CE’s services, you agree to this Privacy Policy.

  10. MISCELLANEOUS

    If you have any questions or concerns about this Privacy Policy, or if you wish to exercise your rights regarding your personal data, please contact CE at:
    Courier Express
    Email: info@courierexpress.ph
    Phone: +639190771608
    Address: 48 Scout de Guia St, Diliman, Quezon City, Metro Manila