INTRODUCTION
Digital Assets Exchange Corporation (the Exchange) is adopting this Data Privacy Manual (DPM) in compliance with the requirements of Republic Act No. 10173 or the Data Privacy Act of 2012 (DPA), including its implementing rules and regulations, and other policies, circulars, or issuances by the National Privacy Commission.
The Exchange recognizes and respects the value of data privacy rights, and is committed to ensuring that all data, personal or sensitive, collected from clients, employees, and third parties is processed in adherence to the general principles of the law, this manual, and other relevant rules and regulations. This manual shall enumerate the data protection and security measures that the Company shall observe in ensuring that the rights of all clients, employees, and third parties are protected as required by the DPA.
DEFINITION OF TERMS
- Authorized personnel refer to employees or officers of the Exchange specifically authorized to collect and/or to process personal information either by the function of their office or position, or through specific authority given in accordance with the policies of the Company.
- Access shall refer to permission to obtain or retrieve information.
- Company refers to Fyntegrate Inc. dba the Philippine Digital Assets Exchange.
- Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.
- Data subject refers to an individual whose personal information is processed.
- Direct marketing refers to communication by whatever means of any advertising or marketing material which is directed to particular individuals.
- Data Privacy Act (DPA) refers to Republic Act 10173, the governing law of this Manual.
- Filing system refers to any set of information relating to natural or juridical persons to the extent that, although the information is not processed by equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular person is readily accessible.
- Information and Communications System refers to a system for generating, sending, receiving, storing or otherwise processing electronic data messages or electronic documents and includes the computer system or other similar device by or in which data is recorded, transmitted or stored and any procedure related to the recording, transmission or storage of electronic data, electronic message, or electronic document.
- Personal data breach refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
- Personal Data Classification refers to the categories of personal information collected and processed by THE EXCHANGE. Personal data is classified as follows:
  - Public Data refer to information that is readily available and may be disclosed to the public.
  - Confidential Data refer to information declared confidential by law or by policy of THE EXCHANGE, which may only be processed by authorized personnel and which, if disclosed, may cause material harm to the Company; or information that is sensitive in nature such that its disclosure would affect the health or well-being of the individual.
  - Classified Data refer to information the access to which is highly restricted, and which, if disclosed, may cause severe or serious harm or injury to the employee, student or third party.
- Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
- Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:
  - A person or organization who performs such functions as instructed by another person or organization; and
  - An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.
- Personal information processor refers to any natural or juridical person qualified to act as such under the DPA to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.
- Privacy Statement refers to a notification or statement provided to an individual informing them of the use(s) and purpose(s) for collecting or processing the information, and/or which allows such individual to consent to such processing of information.
- Privileged information refers to all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.
- Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
- Security Incident refers to an event or occurrence that affects or may affect data protection, or may compromise the availability, integrity and confidentiality of Personal Data.
- Sensitive personal information refers to personal information:
  - About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
  - About an individual’s health, education, genetic or sexual life, or any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
  - Issued by government agencies peculiar to an individual, which includes, but is not limited to, social security numbers, previous or current health records, licenses or their denial, suspension or revocation, and tax returns; and
  - Specifically established by an executive order or an act of Congress to be kept classified.
SCOPE AND LIMITATIONS
The provisions of this Manual shall apply to all employees regardless of rank or classification, clients, and third parties from whom data are collected, and whose information is required to be kept and secured by the Exchange. The data covered by this manual is limited to Personal Information as defined herein.
PROCESSING OF PERSONAL DATA
- GENERAL PRINCIPLES OF THE EXCHANGE
THE EXCHANGE’s Data Privacy Manual shall be governed by the three guiding principles provided by the DPA, which are:
- Transparency, wherein the Exchange will ensure that the processing of personal data is known to the data subject by informing them of the nature, purpose, method and extent of the processing. Data subjects shall also be informed of their rights and how these can be exercised, as well as the contact details of the Data Protection Officer.
- Proportionality wherein the Exchange will ensure that personal information being collected is reasonably necessary or directly related to the business of the Company.
- Utilization of Personal Information only for Legitimate Purpose wherein the Exchange will ensure that processing of information shall be compatible with the declared and specified purpose which are not contrary to law, morals, or public policy.
- COLLECTING OF PERSONAL INFORMATION
- Personal Information of Customers
The Exchange collects personal information from its customers for the purpose of identifying them in compliance with the requirements set under R.A. 9160 or the Anti-Money Laundering Act of 2001 as amended, its implementing rules and regulations, pertinent Circulars released by Bangko Sentral ng Pilipinas (BSP), and in accordance with the Company’s on-boarding and Know-Your-Customer Policy.
Prior to the collection of any information from customers, the Exchange, through its online platform, shall ask the data subjects to read and agree with the Company’s Data Privacy Statement. The customer’s agreement with such statement signifies their consent to the collection, processing, and storage of their personal information.
The Exchange’s Customer Service Department and Compliance Department shall collect and process any personal information. Only authorized personnel shall have access to any customer data. All personal information shall be kept confidential.
- Personal Information of the Exchange Employees
The Exchange’s Human Resources Department shall collect personal information from employees and applicants for the purpose of evaluating their eligibility for employment and/or for availing of any employee benefits. All information shall be collated in the individual 201 files as required under the Labor Code of the Philippines and other pertinent Company Rules and Regulations. Employee records will be kept confidential at all times, and access to such records is restricted to authorized personnel.
- Access to Personal Information by IT Department
The Exchange’s IT Department is tasked to process, secure, and store all information and database systems of the Company. All information collected by the Exchange shall be maintained and secured by the IT Department.
Access to data shall be restricted to predetermined authorized personnel in relation to their specific function which requires them to access, process, or store any information from customers or employees. In all instances of access to personal information, consent of the customers or employees shall be obtained, and they shall be informed that such access is for a legitimate purpose. Access to any information shall be subject to the approval of Compliance Head and IT Head.
- Access to Personal Information by Other Departments
All other departments within the Exchange that collect, process, or store any personal information from Customers, Third Parties, or Employees are subject to the provisions of this Manual. All Department Heads shall be responsible for ensuring that their departments comply with the Exchange’s Data Privacy Manual.
- USE AND DISCLOSURE OF INFORMATION
Sensitive Personal Information may not be disclosed or processed except in any of the following instances:
- The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing.
- The processing of the same is provided for by existing laws and regulations: Provided, that such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information: Provided, further, That the consent of the data subjects is not required by the law or regulation permitting the processing of the sensitive personal information or the privileged information.
- The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;
- The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: Provided, that such processing is only confined and related to the bona fide members of these organizations or their associations: Provided, further, That the sensitive personal information are not transferred to third parties: Provided, finally, that consent of the data subject was obtained prior to processing;
- The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or
- The processing concerns sensitive personal information or privileged information necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise, or defense of legal claims, or when provided to government or public authority pursuant to a constitutional or statutory mandate.
- DATA RETENTION
Personal Data shall not be retained by THE EXCHANGE for a period longer than what is required by the DPA or other pertinent laws. Subject to R.A. 9160 or the Anti-Money Laundering Act, as amended, THE EXCHANGE shall retain all KYC documents of customers for a period of five (5) years from the termination or closure of the account, and shall retain such information for longer than the said period upon a valid court order.
THE EXCHANGE shall ensure that personal data will be secured and kept confidential at all times.
Destruction of personal data that is no longer within the retention period shall be done by THE EXCHANGE in a secured manner.
THE EXCHANGE DATA PRIVACY SECURITY MEASURES
- DESIGNATION OF A DATA PROTECTION OFFICER
A Data Protection Officer (DPO) shall be appointed by the Company. The DPO shall be responsible for ensuring the Company’s compliance with the DPA and other applicable laws and regulations pertinent to data privacy and security.
The duties and responsibilities of the DPO include the following:
- Monitoring of THE EXCHANGE’s Personal Data Processing activities in order to ensure compliance with the DPA and other laws and regulations pertinent to data privacy and security.
- Liaison between THE EXCHANGE and regulating bodies, and in charge of the required registrations, notifications, and reportorial obligations mandated by the DPA and other laws and regulations pertinent to data privacy and security.
- Develop, establish, and review policies and procedures for the exercise of the rights of Data Subjects in accordance with DPA and other laws and regulations pertinent to data privacy and security.
- Primary point person to whom Data Subjects may coordinate and consult regarding concerns over their personal data.
- Formulate orientations and training programs for employees regarding Data Privacy and Security Policy.
- Prepare and file the annual report summarizing documented security incidents and Personal Data Breaches as required under the DPA, and other reports that may be required by the National Privacy Commission.
- PHYSICAL SECURITY MEASURES
The DPO shall develop and implement policies and procedures for THE EXCHANGE to monitor and limit access to offices where personal data are kept or stored, or workstations where personal data are being processed, including guidelines that specify the proper use of, and access to electronic media or devices.
The duties and responsibilities of employees involved in the processing of personal data shall be clearly defined to ensure that access to personal data is limited to employees who are performing official duties. Lastly, the workstations where personal data are processed shall be secured against natural disaster, power disturbances, external access, and other similar threats.
- TECHNICAL SECURITY MEASURES
The DPO together with the IT Head shall continuously develop and evaluate THE EXCHANGE’s security policy on the Processing of Personal Data. The security policy shall include the following:
- Safeguard mechanisms to protect the computer network and systems against accidental, unlawful, or unauthorized usage, or any interference which will affect data integrity or hinder the functions or availability of the system.
- Mechanism to ensure and maintain confidentiality, integrity, availability and resilience of data processing systems and services.
- Mechanism for the regular monitoring of security breaches.
- Mechanism for the identification of foreseeable vulnerabilities of the network and system.
- Mechanism to prevent, correct, and mitigate actions against security incidents that can lead to Personal Data breach.
- Process of testing, assessment and evaluation of the effectiveness of security measures; and
- Process of encrypting personal data during storage, while in transit, during authentication, and other technical security measures that control and limit access to data.
RIGHTS OF DATA SUBJECTS
As provided by the DPA, data subjects have the following rights in connection with the processing of their Personal Data:
- To be informed that their personal information will be collected and processed;
- To be furnished information in relation to the processing of their personal information;
- To have reasonable access to their personal information held by THE EXCHANGE;
- To dispute any error in their personal information and have it corrected;
- To the erasure or blocking of their personal information from THE EXCHANGE’s system if said information is incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes, or no longer necessary for the purposes for which it was collected;
- To object to the processing of their personal information;
- To lodge a complaint before the National Privacy Commission; and
- To be indemnified for damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of their personal information.
DATA BREACHES, SECURITY INCIDENTS AND BREACH REPORTS
All employees and officers of the Company involved in the processing of personal data shall regularly monitor for signs of a possible data breach or security incident. If signs of a possible data breach are discovered, the employee or officer shall immediately report the facts and circumstances to the DPO within twenty-four (24) hours from discovery. The DPO shall verify whether the incident is a breach that requires notification as provided under the DPA. The DPO shall then notify the NPC and the affected data subjects. The notification shall describe the nature of the breach, the Personal Data possibly involved, and the measures taken to reduce the consequences of the said breach. The form and procedure shall conform with the regulations and circulars issued by the NPC.
All security incidents and personal data breaches shall be documented through written reports, including those not covered by the notification requirements. Personal data breach reports shall include the facts surrounding the incident, its effects, and the remedial actions taken by the Company. Other security incidents not involving personal data shall be documented and made available upon request by the NPC. A general summary of these reports shall be submitted by the DPO to the NPC annually.