Data Privacy Policy
1.0 DATA PRIVACY PRINCIPLES
1.1 ASEC Development and Construction Corporation processes personal data pursuant to and in accordance with the Data Privacy Act of 2012, subject to the principles of transparency, legitimate purpose, and proportionality.
1.1.1 Transparency. The data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of the personal information controller, his or her rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.
1.1.2 Legitimate purpose. The processing of personal information shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.
1.1.3 Proportionality. The processing of personal information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal data shall be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
2.0 GUIDELINES FOR THE PROCESSING OF PERSONAL DATA
2.1 COLLECTION
2.1.1 Collection of personal information
- ASEC is permitted to collect personal information only when it is reasonably necessary for, or directly related to, one or more of its functions or activities. The collection of personal information must be achieved only through lawful and fair means and must not be conducted in an unreasonably intrusive way.
- When the collection of an individual’s personal information is reasonably necessary, ASEC employees are required to take reasonable steps to ensure that the individual is aware of the following:
  - The identity and contact details of ASEC as the organization collecting and storing the information.
  - The specific purposes for which the information is being collected.
  - The intended recipients or third parties to which the Company typically discloses information of that kind.
  - Any law that necessitates the collection of the particular information.
  - The main consequences, if any, for the individual if all or part of the information is not provided.
  - The period of retention of the individual’s personal information after processing.
  - The latest version of the Data Privacy Policy, accessible at ASEC’s website: asecconstruction.com/data-privacy-policy.
- Where it is reasonable and practical to do so, the Company’s policy is to collect personal information directly from the individual. However, if this information is collected from a third party, ASEC must still act reasonably to ensure the individual is or has been made aware of all the notification requirements listed in section (a).
2.1.2 Collection of sensitive personal information
- The Company must only collect sensitive personal information:
  - Where the information is reasonably necessary for one or more of the Company’s functions or activities and with the individual’s explicit consent.
  - If the collection is required by law (i.e. Bureau of Internal Revenue, Social Security System, Philippine Health Insurance Corporation, Home Development Mutual Fund, among others).
- The employees must take reasonable steps to ensure that the individual is aware of the collection of their sensitive personal information should the collection be reasonably necessary. Refer to 6.1.1 Collection of Personal Information.
2.1.3 Receiving unsolicited personal data
Where employees receive unsolicited personal data about an individual, they must determine within a reasonable time whether they could have collected the information in accordance with sections 6.1.1 Collection of personal information, 6.1.2 Collection of sensitive personal information, and 6.1.6 Consent. If the collection is in accordance with the said sections, this policy shall apply to the processing of such information. Otherwise, the employees, to the extent allowed by law and to the extent reasonable and practicable, must either destroy or de-identify the personal data.
2.1.4 Collection of personal data for research and statistics
- Employees may also collect personal information for research about an individual from a party other than the individual concerned if:
  - The personal data is publicly available; or
  - There is consent from the data subject for the purpose of research.
- Provided that adequate safeguards are in place and no decision directly affecting the data subject shall be made on the basis of the data collected or processed.
2.1.5 Collection of personal data for CCTV surveillance
- Some of the Company’s premises and sites use CCTV systems to monitor their exterior and interior 24 hours a day for security reasons. This data is recorded. The use of CCTV and recording of CCTV data is only carried out in accordance with the Company’s approved guidelines.
- The Company shall take reasonable efforts to alert the individual that the area is under electronic surveillance (i.e., posting of Privacy Notices on conspicuous areas).
For the Privacy Policy for camera surveillance, refer to Annex 13.4 CCTV Privacy Policy.
2.1.6 Collection of personal data for website
- Any Company website that does any of the following should have a Privacy Notice:
  - Collects personal data (e.g., guests filling in web forms, feedback forms, applications for employment, and so on),
  - Uses cookies and/or web beacons, and
  - Covertly collects personal data (e.g., IP addresses, e-mail addresses, and so on).
- Websites, if performing any of the items mentioned in (a) above, shall obtain the website guest’s prior permission and provide the website guest with access to information about how and where the data will be used. The websites shall comply with sections 6.1.1 Collection of personal information, 6.1.2 Collection of sensitive personal information, and 6.1.6 Consent of this Manual.
- The Privacy Notice shall be placed in a reasonably obvious position on the homepage (in the sub navigation menu which is normally situated in a bottom position on the homepage, and should be separate from the Terms and Conditions document).
- The Privacy Notice shall be placed on pages where personal data is collected or, if the website uses cookies and/or web beacons, this could effectively mean, on all pages.
The Privacy Policy for websites is accessible at ASEC’s website: www.asecconstruction.com/privacy-policy.
2.1.7 Consent
- In circumstances where consent is needed, the Company shall obtain the explicit consent of the data subject as evidenced by any of the following modes: written, electronic or recorded means, subject to the rules on authentication provided under existing laws and regulations (e.g., the DPA, the Rules of Court and the Rules on Electronic Evidence).
- When consent is required, it must be time-bound in relation to the declared, specified and legitimate purpose.
- When necessary, the Company shall provide the data subject with a mechanism through which they can subsequently rescind the permission(s) earlier provided and opt out.
2.2 STORAGE
2.2.1 All employees and authorized personnel who store personal data—whether on-site or off-site, and regardless of the medium (paper, film, optical, or magnetic)—must take the following actions:
- Use due diligence to keep the data safe and secure.
- Implement a combination of organizational, technical, and physical security measures.
2.3 USAGE
2.3.1 Personal data maintained by the Company must be processed fairly and lawfully. The information collected and processed must be adequate and not excessive in relation to its intended purposes. The Company is responsible for ensuring that all personal information is accurate, relevant, and, when necessary, kept up to date. Any data that is found to be inaccurate or incomplete must be rectified, supplemented, destroyed, or have its further processing restricted.
2.3.2 As a general rule, ASEC management and employees must not use personal data for any purpose other than the primary purpose for which it was collected, unless one of the following exceptions applies:
- The individual (data subject) has consented to the specific use or disclosure.
- The use or disclosure of non-sensitive information is for a secondary purpose related to the primary purpose, and the data subject would reasonably expect the Company to use or disclose it that way.
- The Company has reason to suspect unlawful activity and uses or discloses the information as required by law, as part of its investigation, or in reporting concerns to relevant authorities.
- The use or disclosure is required or authorized by or under law.
- The Company reasonably believes the use or disclosure is necessary for a specified purpose by an enforcement body.
- The Company reasonably believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to public health, public safety, or the life or health of a data subject.
- The use or disclosure is conducted in a manner consistent with any Privacy Notice previously provided to the data subject.
2.3.3 Government-Related Identifiers
The Company is prohibited from using or disclosing government-related identifiers unless such usage is reasonably necessary to verify the identity of the individual for the purpose of the Company’s activities, or if the use is required or authorized under law.
2.4 ACCESS AND CORRECTION
2.4.1 As a general rule, the Data Protection Officer (DPO) is obligated to provide the data subject with access to their personal data upon request. This access must be granted within a reasonable time after the request is made. The DPO is also required to consider a request from the data subject for the correction of that information.
2.4.2 The Company will not impose any charge to cover the cost of verifying a request for information or for locating, retrieving, reviewing, and copying any material requested.
2.4.3 The DPO, on behalf of the Company, may choose not to provide the data subject with access to their information in specific circumstances. These exceptions include cases where:
- Safety. Giving access would reasonably pose a serious threat to the life, health, or safety of any individual, or to public health or public safety.
- Privacy & Impact. Providing access would have an unreasonable impact on the privacy and affairs of other individuals.
- Request Nature. The request for access is frivolous, vexatious, or the information requested is trivial.
- Legal Proceedings. The information relates to anticipated or existing legal proceedings and would not be discoverable in those proceedings.
- Negotiations. Providing access would reveal the Company’s intentions in relation to negotiations with the data subject in a way that would prejudice those negotiations.
- Unlawful Acts. Providing access would be unlawful, or denying access is authorized under law or a court/tribunal order.
- Prejudice to Investigation. Providing access would likely prejudice an investigation of possible unlawful activity, or compromise security, defense, or international relations.
- Enforcement. Providing access would likely prejudice activities carried out by the Company on behalf of an enforcement body.
- Prior Refusal. The data subject has previously been refused access to their personal data, and/or their request for correction has been refused.
2.4.4 Notification of Refusal
In any case where the DPO refuses a data subject’s request for access or correction, the DPO will provide the data subject with a written notice. This notice must clearly set out:
- The reasons for the refusal, provided it is reasonable to disclose them.
- The mechanism by which the data subject may make a complaint about the refusal.
2.4.5 Required Forms and Templates
The Company utilizes specific templates for managing data subject requests, which include:
- Annex A: Access Request Form
- Annex C: Inquiry Complaints Access and Deletion Request Summary Report
- Annex E: Request For Correction and Deletion Form
2.5 RETENTION
The Company only keeps the personal data it collects, uses, and discloses for a limited time. It stops retaining data when any of the following conditions are met:
- The purpose for which the data was collected has been fulfilled, or the related data processing has ended.
- The data is needed for the establishment, exercise, or defense of a legal claim.
- The data is required for legitimate business purposes, provided these are consistent with the Company’s standards or approved by an appropriate government agency.
- A specific law requires the Company to keep it.
Unless a different period is provided by law, the following retention schedules apply:
| Type of Data | Retention Period | Reason/Notes |
| --- | --- | --- |
| Financial Data | 10 years | Required by Philippine law. |
| Personnel Records | 5 years after termination | For former employees. |
| CCTV Recordings | 60 days in the system | If there is a security breach, the relevant video footage will be kept for 10 years by the Administration department. |
2.6 DESTRUCTION/DISPOSAL
To ensure complete and irrecoverable disposal of personal data after the retention period, ASEC adheres to stringent destruction protocols designed for both physical and digital media. The destruction process must be logged, verified, and supervised by an authorized member of the Data Protection Team.
2.6.1 Destruction of Physical Records (Hard Copies)
- Authorization: The Department Head shall submit a Record Disposal Request Form to the DPO, listing the specific files, dates, and legal basis for destruction.
- Method: All documents containing personal data, sensitive personal information, or privileged information must be destroyed using a cross-cut shredder (meeting at least Security Level P-4 or better, as per DIN 66399) or via pulping/incineration through an accredited third-party vendor.
- Witness and Certification: Destruction, particularly in bulk, must be witnessed by two (2) personnel: one from the originating department and one from the Data Protection Team. A Certificate of Destruction must be issued by the shredding/disposal vendor (if outsourced) and counter-signed by the DPO.
- Logging: All Certificates of Destruction must be filed and retained for a period of five (5) years as proof of compliance.
2.6.2 Destruction of Digital Records (Soft Copies)
- System Segregation: Data slated for destruction must first be migrated to a segregated holding area within the server environment, preventing accidental access or recovery.
- Method: Simple deletion or formatting is strictly prohibited. ASEC must employ industry-standard methods:
  - Data Wiping/Sanitization: For magnetic media (hard drives), employ software utilities that overwrite the data multiple times (e.g., using the DoD 5220.22-M standard or similar, ensuring at least 3 passes).
  - Cryptographic Erasure: For encrypted solid-state drives (SSDs), the encryption key must be securely and irrevocably deleted, rendering the data inaccessible.
  - Degaussing: For high-security destruction of magnetic media, a degausser may be used to render the drive entirely inoperable and the data unrecoverable.
- Cloud/Offsite Data: When utilizing cloud storage, ASEC shall secure a written confirmation from the cloud service provider that the deletion process meets the contractual standards for secure disposal and that all backup copies have also been purged.
- Verification and Audit: The IT Department must run a software verification log after data wiping to certify that the data has been successfully rendered unrecoverable. This log must be submitted to the DPO for final sign-off.
2.7 DISCLOSURE AND DISTRIBUTION/DATA SHARING TO THIRD PARTIES
2.7.1 Personal data may only be shared or released to external parties when a specific and legally permissible business objective has been clearly identified. This disclosure must be carried out only after the appropriate express permission or consent has been secured from the individuals whose data is concerned, with the exception of situations where a governing statute or regulatory mandate either permits or explicitly necessitates such a release.
In instances where it is practically achievable, the management is responsible for ensuring that any outside entities that gather, retain, or otherwise manage personal data on the Company’s behalf have put into place the following protective measures:
- They have formally executed contractual arrangements that commit them to safeguard the personal information. These agreements must adhere to the standards outlined within this operational Manual, comply with the established Privacy Notices, align with existing information security protocols, or alternatively, implement safeguards as mandated by current legislation.
- They have entered into legally binding non-disclosure or confidentiality contracts that incorporate and specifically detail clauses dedicated to data privacy protection within the body of the agreement.
- They have developed and established internal operational procedures designed to consistently fulfill the obligations and terms set forth in their agreement with the Company concerning the preservation and protection of personal data.
- They have clearly defined the corrective steps or remedial actions that will be promptly initiated should any third party entrusted with the collection, storage, or processing of personal information for the Company engage in the misuse or unauthorized disclosure of that data.
2.7.2 Cross-border Data Flows
- The transmission of any personal data to an organization or person located outside the territorial jurisdiction of the Philippines is only permissible when one of the following conditions is met:
  - The data subject (the individual the data is about) has provided their explicit agreement to this transfer; or
  - The Company reasonably believes that the recipient is subject to laws or a contract enforcing information handling principles substantially similar to applicable privacy laws in the Philippines (i.e. DPA); or
  - Such a transfer is required for the successful execution of an agreement established between the individual and the organization; or
  - The transfer is essential for an agreement made in the best interest of the data subject between the company and a separate, third-party entity; or
  - The transfer is for the benefit of the data subject; or
  - It would be unfeasible to secure the data subject’s consent; or
  - To the maximum extent achievable, it is probable that the data subject would willingly give their consent.
- The Company is obligated to implement suitable measures to ensure that the data being transmitted will be maintained, utilized, and disclosed in a manner that is in strict compliance with the relevant Philippine privacy legislation (the DPA).
2.7.3 All employees and personnel of the company shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation, termination of contract, or other contractual relations. Personal data under the custody of the company shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data.
Refer to Appendix 2: Suggested Wording under the General Terms and Conditions for an ASEC Contract.
3.0 SECURITY MEASURES
ASEC is mandated to implement reasonable and appropriate physical, technical and organizational measures for the protection of personal data.
3.1 Organization Security Measures
Data Protection Officer (DPO)
The DPO has autonomous and independent authority to oversee all personal data protection, privacy, and security measures within ASEC.
The DPO’s responsibilities include:
- Ensuring ASEC’s compliance with the Data Privacy Act (DPA), its Implementing Rules and Regulations (IRR), and related policies.
- Conducting Privacy Impact Assessments (PIAs).
- Implementing security measures and protocols for security incidents and data breaches.
- Managing the inquiry and complaints procedure.
Personnel Training and Updates
- Mandatory training on data privacy and security will be sponsored by ASEC at least once a year.
- Management must ensure personnel directly involved in personal data processing attend relevant trainings and orientations as often as necessary to stay updated on data privacy and security developments.
Privacy Impact Assessment (PIA)
- A PIA must be conducted for all activities, projects, and systems that involve processing personal data.
- ASEC has the option to outsource the PIA to a third party.
Refer to Appendix 3: Guidelines in Conducting Privacy Impact Assessment
Duty of Confidentiality
- All employees must sign a Non-Disclosure Agreement (NDA).
- Employees with access to personal data must maintain strict confidentiality, especially for data not intended for public disclosure.
Privacy Manual Review
- This manual will be reviewed and evaluated annually.
- Privacy and security policies and practices will be updated regularly to align with current data privacy best practices.
3.2 Physical Security Measures
Data Format and Storage
- Personal data is stored in both digital/electronic and paper-based/physical formats.
- All data is kept in a designated data room.
- Paper documents are stored in locked filing cabinets.
- Digital files are stored on company-provided and installed computers.
Access Control
- Authorized personnel are the only ones permitted to enter and access the data storage location, data room, or facility.
- Other personnel or visitors require:
  - Filing an access request form with the DPO.
  - The DPO’s approval.
  - Accompaniment by authorized personnel.
  - Filling out a logbook with the date, time, duration, and purpose of access.
Office Space Design
- Workspaces are designed to maintain privacy and restrict the view of personal documents to unauthorized individuals.
- Computers are positioned with considerable space between them to protect data processing privacy.
Personnel Duties and Transfer of Data
- Personnel involved in processing must always maintain data confidentiality and integrity. They are not allowed to bring personal gadgets or storage devices into the data storage room.
- Electronic transfer of personal data must use a secure email facility with encryption for the data and attachments.
- Facsimile technology will not be used for transmitting documents containing personal data.
Data Retention and Disposal
- Personal data will be retained for one (1) year from the date of client purchase.
- After this period, all physical and electronic copies will be destroyed and disposed of using secure technology. Please refer to section 6.6 Destruction/Disposal.
3.3 Technical Security Measures
Security Monitoring and Assessment
- An intrusion detection system will be used to monitor for security breaches and alert the organization to any attempts to interrupt or disturb the system.
- Security policies will be regularly tested, assessed, and evaluated through vulnerability assessments and penetration testing.
System and Software Security
- All software applications will be reviewed and evaluated before installation to ensure security features are compatible with overall operations.
- For in-house software, all coding and configuration must be deployed in a secure manner in both test and production environments.
- Secure authentication protocols and encryption tools will be deployed across the network and wireless connections.
- A VPN must be configured for secure access from jobsites to the Head Office.
- Anti-virus software will be updated as soon as updates are available, and the system will be periodically monitored for vulnerabilities.
Access Control and Authentication
- Personnel, third parties, or subcontractors accessing personal data must verify their identity using a secure encrypted link and multi-level authentication.
- Third-party security controls must be included in the contract of all third-party providers (e.g., host providers, software vendors) before their utilization.
4.0 BREACH AND SECURITY INCIDENTS
Any personal data breach in whatever form must be reported to the immediate head, the Data Breach Response Team, and the DPO for appropriate assessment, investigation and remediation measures.
4.1 Creation of a Data Breach Response Team
A Data Breach Response Team composed of five (5) officers shall be responsible for ensuring immediate action in the event of a security incident or personal data breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effects of the incident or breach.
4.2 Measures to prevent and minimize occurrence of breach and security incidents
The Company shall regularly conduct a Privacy Impact Assessment to identify risks in the processing system, and shall monitor for security breaches and conduct vulnerability scanning of computer networks. Personnel directly involved in the processing of personal data must attend trainings and seminars for capacity building. There must also be a periodic review of policies and procedures being implemented in the organization.
4.3 Procedure for recovery and restoration of personal data
The Company shall always maintain a backup file for all personal data under its custody. In the event of a security incident or data breach, it shall always compare the backup with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.
4.4 Notification protocol
The Head of the Data Breach Response Team shall inform the management of the need to notify the NPC and the data subjects affected by the incident or breach within the period prescribed by law.
4.5 Documentation and reporting procedure of security incidents or a personal data breach
The Data Breach Response Team shall prepare a detailed documentation of every incident or breach encountered, as well as an annual report, to be submitted to management and the NPC, within the prescribed period.

