2024CORSea-removebg-preview

HKR EQUIPMENT CORPORATION
PRIVACY POLICY

HKR EQUIPMENT CORPORATION (Company) is committed to protecting and safeguarding all  Data Subject’s privacy in any event where the processing of Personal Information and Sensitive  Personal Information is necessary to avail of the Company’s products and services. The Company aims to be transparent on how it collects, uses, and stores Personal Information and Sensitive  Personal Information, and thus shall enforce this Privacy Policy to protect the rights of Data Subjects.

I. DEFINITIONS 

A. Consent of the Data Subject refers to any freely given, specific, informed indication of will,  whereby the Data Subject agrees to the collection and Processing of Personal Information  about and/or relating to him or her. Consent shall be evidenced by written, electronic or  recorded means. It may also be given on behalf of the Data Subject by an agent specifically  authorized by the Data Subject to do so. 

B. Data Privacy Act or DPA refers to Republic Act No. 10173 or the Data Privacy Act of 2012  and its implementing rules and regulations. 

C. Data Subject refers to an individual whose Personal Information, Sensitive Personal  Information, or Privileged Information is processed, which includes customers and/or  customer representatives. 

D. Personal Data collectively refers to Personal Information, Sensitive Personal Information,  and Privileged Information. 

E. Personal Information refers to any information, whether recorded in a material form or  not, from which the identity of an individual is apparent or can be reasonably and directly  ascertained by the entity holding the information, or when put together with other  information would directly and certainly identify an individual. 

F. Processing refers to any operation or set of operations performed upon Personal Data  including, but not limited to, the collection, recording, organization, storage, updating or  modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of  data. Processing may be performed through automated means, or manual processing, if  the Personal Data are contained or are intended to be contained in a filing system. 

G. Privileged Information refers to any and all forms of Personal Data, which, under the  Rules of Court and other pertinent laws constitute privileged communication. 

H. Security Incident is an event or occurrence that affects or tends to affect data protection,  or may compromise the availability, integrity and confidentiality of Personal Data. It includes  incidents that would result to a personal data breach, if not for safeguards that have been  put in place. 

I. Sensitive Personal Information refers to Personal Data:

1. About an individual’s race, ethnic origin, marital status, age, color, and religious,  philosophical or political affiliations;

2. About an individual’s health, education, genetic or sexual life, or to any proceeding for  any offense committed or alleged to have been committed by such individual, the  disposal of such proceedings, or the sentence of any court in such proceedings;

3. Issued by government agencies peculiar to an individual which includes, but is not  limited to, social security numbers, previous or current health records, licenses or its  denials, suspension or revocation, and tax returns; and

4. Specifically established by an executive order or an act of Congress to be kept  classified.

II. ORGANIZATIONAL SECURITY MEASURES

A. Data Protection Officer

A Data Protection Officer (DPO) shall be appointed by the Company.  

The DPO is primarily responsible for ensuring the Company’s compliance with applicable  laws and regulations for the protection of data privacy and security. The functions and  responsibilities of the DPO shall particularly include, among others: 

          1. Monitoring the Company’s Personal Data Processing activities in order to ensure  compliance with applicable Personal Data privacy laws and regulations, including the  conduct of periodic internal audits and review to ensure that all the Company’s data  privacy policies are adequately implemented by its employees and authorized agents; 
          2. Acting as a liaison between the Company and the regulatory and accrediting bodies,  and is in charge of the applicable registration, notification, and reportorial requirements  mandated by the Data Privacy Act, as well any other applicable data privacy laws and  regulations; 
          3. Developing, establishing, and reviewing policies and procedures for the exercise by  Data Subjects of their rights under the Data Privacy Act and other applicable laws and  regulations on Personal Data privacy; 
          4. Acting as the primary point of contact whom Data Subjects may coordinate and consult  with for all concerns relating to their Personal Data; 
          5. Formulating capacity building, orientation, and training programs for employees, agents  or representatives of the Company regarding Personal Data privacy and security  policies; and 
          6. Preparing and filing the annual report of the summary of documented security incidents  and Personal Data breaches, if any, as required under the Data Privacy Act, and of  compliance with other requirements that may be provided in other issuances of the  National Privacy Commission.
    1.  B. Data Privacy Principles

All Processing of Personal Data within the Company should be conducted in compliance  with the following data privacy principles: 

          1. Transparency. The Data Subject must be aware of the nature, purpose, and extent of  the Processing of his or her Personal Data by the Company, including the risks and  safeguards involved, the identity of persons and entities involved in Processing his or  her Personal Data, his or her rights as a Data Subject, and how these can be exercised.  Any information and communication relating to the Processing of Personal Data should  be easy to access and understand, using clear and plain language. 
          2. Legitimate purpose. The Processing of Personal Data by the Company shall be  compatible with a declared and specified purpose which must not be contrary to law,  morals, or public policy. 
          3. Proportionality. The Processing of Personal Data shall be adequate, relevant,  suitable, necessary, and not excessive in relation to a declared and specified purpose.  Personal Data shall be processed by the Company only if the purpose of the Processing  could not reasonably be fulfilled by other means. 
  1.  C. Data Processing Records

Adequate records of the Company’s Personal Data Processing activities shall be  maintained at all times. The Company, through the cooperation of all the concerned  business and service units/departments involved in the Processing of Personal Data, such  as but not limited to the Administration Department, Engineering, Finance and Accounting  Department (FAD), Human Resources (HR), Management Information System (MIS), Sales, and Trade Assets Logistics (TAL), shall be responsible for ensuring that these  records are kept up-to-date. These records shall include, at the minimum: 

          1. Information about the purpose of the Processing of Personal Data, including any  intended future Processing or data sharing; 
          2. A description of all categories of Data Subjects, Personal Data, recipients of such  Personal Data, time of collection, and intended retention period, that will be involved in  the Processing; 
          3. General information about the data flow within the Company, from the time of collection  and retention, including the time limits for disposal or erasure of Personal Data; 
          4. A general description of the organizational, physical, and technical security measures  in place within the Company; and 
          5. The name and contact details of the DPO, Personal Data processors, as well as any  other staff members accountable for ensuring compliance with the applicable laws and  regulations for the protection of data privacy and security.
  3. D. Management of Human Resources 

The Company shall develop and implement measures to ensure that all the Company’s  staff who have access to Personal Data will strictly process such data in compliance with  the requirements of the Data Privacy Act and other applicable laws and regulations. These  measures may include drafting new or updated relevant policies of the Company and  conducting training programs to educate employees and agents on data privacy related  concerns. 

The Company shall ensure that it shall obtain each employee’s informed consent,  evidenced by written, electronic or recorded means, to: 

      1. The Processing of his or her Personal Data, for purposes of maintaining the Company’s  records; and 
      2. A continuing obligation of confidentiality on the employee’s part in connection with the  Personal Data that he or she may encounter during the period of employment with the  Company. This obligation shall apply even after the employee has left the Company for  whatever reasons

E. Data Collected

The information the Company can collect are: 

      1. Those given by Data Subjects voluntarily, such as the names, address, mobile number,  Identification Cards, image/picture, position/official designation; 
      2. Those which may be collected through automated means, such as data provided by  interaction of Data Subjects with the Company’s Sites or Mobile Apps, using a variety  of technologies which may be downloaded to a Data Subject’s device, and which may  include the Internet Protocol (IP) address, computer/mobile device operating system  and browser type, type of mobile device, the characteristics of the mobile device, the unique device identifier (UDID) or mobile equipment identifier (MEID) for a Data  Subject’s mobile device, the address of a referring web site (if any), and the pages a  Data Subject visit on our Sites and Mobile Apps, and the times of visit. The Company  may use various new and hereafter developed technologies to collect Personal Data; and
      3. Those which may be collected from other sources such as, but not limited to, public  profile information available when customers interact with the Company through social  media, to the minimum extent necessary to achieve the specific business purposes,  functions, or activities.
  1.  F. Data Collection Procedures

The Company shall be responsible for the Processing of Personal Data, shall document  the Company’s Personal Data Processing procedures. The DPO shall ensure that such  procedures are updated and that the consent of the Data Subjects (when required by the  DPA or other applicable laws or regulations) is properly obtained and evidenced by written,  electronic or recorded means. Such procedures shall also be regularly monitored, modified,  and updated to ensure that the rights of the Data Subjects are respected, and that  Processing thereof is done fully in accordance with the DPA and other applicable laws and  regulations. 

G. Data Retention Schedule 

Subject to applicable requirements of the DPA and other relevant laws and regulations,  Personal Data shall not be retained by the Company for a period longer than necessary  and/or proportionate to the purposes for which such data was collected. The Company shall  develop measures to determine the applicable data retention schedules, and procedures  to allow for the withdrawal of previously given consent of the Data Subject, as well as to  safeguard the destruction and disposal of such Personal Data in accordance with the DPA  and other applicable laws and regulations. 

III. PHYSICAL SECURITY MEASURES 

The Company, with the assistance of HR and the HR-MIS departments, shall develop and  implement policies and procedures for the Company to monitor and limit access to, and  activities in, the offices of HR, as well as any other departments and/or workstations in the  Company where Personal Data is processed, including guidelines that specify the proper use  of, and access to, any electronic media, software, artificial intelligence (AI), and other forms of  information technology. 

The design and layout of the office spaces and workstations of the abovementioned  departments, including the physical arrangement of furniture and equipment, shall be  periodically evaluated and readjusted in order to provide privacy to anyone Processing  Personal Data, taking into consideration the environment and accessibility to unauthorized  persons. 

The duties, responsibilities, and schedules of individuals involved in the Processing of Personal  Data shall be clearly defined to ensure that only the individuals actually performing official  duties shall be in the room or work station, at any given time. Further, the rooms and  workstations used in the Processing of Personal Data shall, as far as practicable, be secured  against natural disasters, power disturbances, external access, and other similar threats of  data loss. In any case, the Company shall develop and implement measures to ensure that  there will be adequate data recovery in case of loss.

IV. TECHNICAL SECURITY MEASURES 

The Company, through the cooperation and assistance of MIS, shall continuously develop and  evaluate the Company’s security policy with respect to the Processing of Personal Data. The security policy should include the following minimum requirements: 

a. Safeguards to protect the Company’s computer network and systems against accidental,  unlawful, or unauthorized usage, any interference which will affect data integrity or hinder  the functioning or availability of the system, and unauthorized access;

b. The ability to ensure and maintain the confidentiality, integrity, availability, and resilience of  the Company’s data processing systems and services;

c. Regular monitoring and safeguarding the Company’s systems for security breaches, and a  process both for identifying and accessing reasonably foreseeable vulnerabilities in the  Company’s computer network and system, and for taking preventive, corrective, and  mitigating actions against security incidents that can lead to a Personal Data breach;

d. The ability to restore the availability and access to Personal Data in a timely manner in the  event of a physical or technical incident;

e. A process for regularly testing, assessing, and evaluating the effectiveness of security  measures; and

f. Encryption of Personal Data during storage and while in transit, authentication process,  and other technical security measures that control and limit access thereto.

V. RIGHTS OF THE DATA SUBJECT 

As provided under the DPA, Data Subjects have the following rights in connection with the  Processing of their Personal Data: right to be informed, right to object, right to access, right to  rectification, right to erasure or blocking, and right to damages. Employees and agents of the  Company are required to strictly respect and obey the rights of the Data Subjects. The  Company shall monitor such compliance and develop the appropriate disciplinary measures  and mechanism.

A. Right to be Informed

The Data Subject has the right to be informed whether Personal Data pertaining to him or  her shall be, are being, or have been processed. 

The Data Subject shall be notified and furnished with information indicated hereunder  before the entry of his or her Personal Data into the records of the Company, or at the next  practical opportunity, taking into consideration the exigencies of business: 

      1. description of the Personal Data to be entered into the system; 
      2. purposes for which they are being or will be processed, including Processing for direct  marketing, profiling or historical, statistical or scientific purpose; 
      3. basis of Processing, when Processing is not based on the consent of the Data Subject;
      4. scope and method of the Personal Data Processing; 
      5. the recipients or classes of recipients to whom the Personal Data are or may be  disclosed or shared; 
      6. methods utilized for automated access, if the same is allowed by the Data Subject, and  the extent to which such access is authorized, including meaningful information about  the logic involved, as well as the significance and the envisaged consequences of such  Processing for the Data Subject; 
      7. the identity and contact details of the DPO; 
      8. the period for which the Personal Data will be stored; and
      9. the existence of their rights as Data Subjects, including the right to access, correction,  and to object to the Processing, as well as the right to lodge a complaint before the  National Privacy Commission.

B. Right to Object

The Data Subject shall have the right to object to the Processing of his or her Personal  Data, including Processing for direct marketing, automated Processing or profiling. The  Data Subject shall also be notified and given an opportunity to withhold consent to the  Processing in case of changes or any amendment to the information supplied or declared  to the Data Subject in the preceding paragraph. 

When a Data Subject objects or withholds consent, the Company shall no longer process  the Personal Data, unless: 

      1. the Personal Data is needed pursuant to a subpoena;
      2. the Processing is for obvious purposes, including, when it is necessary for the  performance of or in relation to a contract or service to which the Data Subject is a  party, or when necessary or desirable in the context of an employer-employee  relationship between the Company and the Data Subject; or
      3. the Personal Data is being collected and processed to comply with a legal obligation

C. Right to Access

The Data Subject has the right to reasonable access to, upon demand, the following:

      1. Contents of his or her Personal Data that were processed; 
      2. Sources from which Personal Data were obtained; 
      3. Names and addresses of recipients of the Personal Data; 
      4. Manner by which his or her Personal Data were processed; 
      5. Reasons for the disclosure of the Personal Data to recipients, if any; 
      6. Information on automated processes where the Personal Data will, or is likely to, be  made as the sole basis for any decision that significantly affects or will affect the Data  Subject; 
      7. Date when Personal Data concerning the Data Subject were last accessed and  modified; and 
      8. The designation, name or identity, and address of the DPO. 

D. Right to Rectification 

The Data Subject has the right to dispute the inaccuracy or rectify the error in his or her  Personal Data, and the Company shall correct it immediately and accordingly, unless the  request is vexatious or otherwise unreasonable. If the Personal Data has been corrected,  the Company shall ensure the accessibility of both the new and the retracted Personal Data  and the simultaneous receipt of the new and the retracted Personal Data by the intended  recipients thereof: Provided, That recipients or third parties who have previously received  such processed Personal Data shall be informed of its inaccuracy and its rectification, upon  reasonable request of the Data Subject.

E. Right to Erasure or Blocking

The Data Subject shall have the right to suspend, withdraw, or order the blocking, removal,  or destruction of his or her Personal Data from the Company’s filing system. 

      1. This right may be exercised upon discovery and substantial proof of any of the following: (a) The Personal Data is incomplete, outdated, false, or unlawfully obtained; (b) The Personal Data is being used for purpose not authorized by the Data Subject; 

(c) The Personal Data is no longer necessary for the purposes for which they were  collected; 

(d) The Data Subject withdraws consent or objects to the Processing, and there is no  other legal ground or overriding legitimate interest for the Processing by the  Company; 

(e) The Personal Data concerns private information that is prejudicial to Data Subject,  unless justified by freedom of speech, of expression, or of the press or otherwise  authorized; 

(f) The Processing is unlawful; or

(g) The Data Subject’s rights have been violated.

      1. The DPO may notify third parties who have previously received such processed  Personal Data that the Data Subject has withdrawn his or her consent to the Processing  thereof upon reasonable request by the Data Subject. 

F. Transmissibility of Rights of Data Subjects 

The lawful heirs and assigns of the Data Subject may invoke the rights of the Data Subject  to which he or she is an heir or an assignee, at any time after the death of the Data Subject,  or when the Data Subject is incapacitated or incapable of exercising his/her rights.

G. Data Portability

Where his or her Personal Data is processed by the Company through electronic means  and in a structured and commonly used format, the Data Subject shall have the right to  obtain a copy of such data in an electronic or structured format that is commonly used and  allows for further use by the Data Subject. The exercise of this right shall primarily take into  account the right of Data Subject to have control over his or her Personal Data being  processed based on consent or contract, for commercial purpose, or through automated  means. The Company shall regularly monitor and implement the National Privacy  Commission’s issuances specifying the electronic format referred to above, as well as the  technical standards, modalities, procedures and other rules for their transfer.

VI. DATA BREACHES & SECURITY INCIDENTS

A. Data Breach Notification

All employees and agents of the Company involved in the Processing of Personal Data are  tasked with regularly monitoring for signs of a possible data breach or Security Incident. In  the event that such signs are discovered, the employee or agent shall immediately report  the facts and circumstances to the DPO within twenty-four (24) hours from his or her  discovery for verification as to whether or not a breach requiring notification under the Data  Privacy Act has occurred as well as for the determination of the relevant circumstances  surrounding the reported breach and/or Security Incident. The DPO shall notify the National  Privacy Commission and the affected Data Subjects pursuant to requirements and  procedures prescribed by the DPA. 

The notification to the National Privacy Commission and the affected Data Subjects shall  at least describe the nature of the breach, the Personal Data possibly involved, and the  measures taken by the Company to address the breach. The notification shall also include  measures taken to reduce the harm or negative consequences of the breach and the name  and contact details of the DPO. The form and procedure for notification shall conform to  the regulations and circulars issued by the National Privacy Commission, as may be  updated from time to time. 

The DPO shall be responsible for ensuring that all of the Company’s departments are aware and are capable of implementing of the proper breach notification procedures, as well as  the proper handling of data breaches and security incidents, which shall include but not be  limited to: preparation of the proper data breach or security incident report, a timeline of  events leading to the discovery of the data breach, and any immediate and proper action/s  to be taken to safeguard the rights of data subjects after discovery of the data breach or  security incident.

B. Breach Reports

All Security Incidents and Personal Data breaches shall be documented through written  reports, including those not covered by the notification requirements. In the case of  Personal Data breaches, a report shall include the facts surrounding an incident, the effects  of such incident, and the remedial actions taken by the Company. In other security incidents  not involving Personal Data, a report containing aggregated data shall constitute sufficient  documentation. These reports shall be made available when requested by the National Privacy Commission. A general summary of the reports shall be submitted by the DPO to  the National Privacy Commission annually. 

VII. OUTSOURCING AND SUBCONTRACTING AGREEMENTS 

Any Personal Data Processing conducted by an external agent or entity (third-party service  provider) on behalf of the Company should be evidenced by a valid written contract with the  Company, i.e. through a data sharing agreement (DSA) or data outsourcing agreement (DOA),  as may be applicable. Such contract should expressly set out the subject matter and duration  of the Processing, the nature and purpose of the Processing, the type of Personal Data and  categories of Data Subjects, the rights and obligations of the parties with respect to the  Processing of Personal Data, the security measures to be undertaken by both parties, a  representation of whether or not consent from the relevant Data Subjects have been secured,  and/or how such consent will be secured, and the geographic location of the Processing under  the contract. 

The fact that the Company entered into such contract or arrangement does not give the said  external agent or entity the authority to subcontract to another entity the whole or part of the  subject matter of said contract or arrangement, unless expressly stipulated in writing in the  same contract or evidenced by a separate written consent/agreement of the Company. In any  case, the department concerned should always ensure that the Company may be properly  indemnified in case of a security breach involving Personal Data shared with said external  agent or entity. The subcontracting agreement must also comply with the standards/criteria  prescribed by the immediately preceding paragraph.  

In addition, the contract and the subcontracting contract shall include express stipulations  requiring the external agent or entity (including the subcontractor) to:

A. process the Personal Data only upon the documented instructions of the Company,  including transfers of Personal Data to another country or an international organization, unless such transfer is required by law;

B. ensure that an obligation of confidentiality is imposed on persons and employees  authorized by the external agent/entity and subcontractor to process the Personal Data;

C. implement appropriate security measures;

D. comply with the Data Privacy Act and other issuances of the National Privacy Commission,  and other applicable laws, in addition to the obligations provided in the contract, or other  legal act with the external party;

E. not engage another processor without prior instruction from the Company; Provided, that  any such arrangement shall ensure that the same obligations for data protection under the  contract or legal act are implemented, taking into account the nature of the Processing;

F. assist the Company, by appropriate technical and organizational measures, and to the  extent possible, fulfill the obligation to respond to requests by Data Subjects relative to the  exercise of their rights;

G. assist the Company in ensuring compliance with the Data Privacy Act and other issuances  of the National Privacy Commission, taking into account the nature of Processing and the  information available to the external party who acts as a Personal Information Processor  as defined under the Data Privacy Act;

H. at the choice of the Company, delete or return all Personal Data to it after the end of the  provision of services relating to the Processing: Provided, that this includes deleting existing  copies unless storage is authorized by the Data Privacy Act or other applicable laws or  regulations;

I. make available to the Company all information necessary to demonstrate compliance with  the obligations laid down in the Data Privacy Act, and allow for and contribute to audits,  including inspections, conducted by the Company or another auditor mandated by the  latter; and

J. immediately inform the Company if, in its opinion, an instruction violates the Data Privacy  Act or any other issuance of the National Privacy Commission.

VIII. CONTACT INFORMATION 

The DPO shall ensure that the Company may be contacted by the Data Subjects and/or  the National Privacy Commission at hkrdpo@hkr.com.ph and +6328897-1569. Should  the contact information change, the DPO is responsible for giving notice to all concerned  the Data Subjects and/or the National Privacy Commission.