Data Privacy Policy
1.0 OBJECTIVES
1.1 Pursuant to our commitment to comply with the provisions of the Data Privacy Act of 2012 under RA 10173, this policy is made for the information of the company’s customers, employees and stakeholders. The company respects and values the data privacy rights of our stakeholders and makes sure that all personal data collected are processed in adherence to the general principles of transparency, legitimate purpose and proportionality.
1.2 This privacy statement is provided to describe how we may collect, use, share, and otherwise process the personal information collected from our corporate clients or other individuals to whom we offer or provide our services (travel, meetings and events, and related products and services) via our websites, mobile applications, email communications or other online and offline means.
2.0 SCOPE
2.1 This policy applies to personal information we collect and process on all company forms, our website and, whenever applicable, online services.
2.2 All personnel of this organization, regardless of the type of employment or contractual arrangement, must comply with this policy.
3.0 EFFECTIVITY
3.1 This policy is effective February 1, 2024.
4.0 RESPONSIBILITIES
4.1 RMI Chief Legal and Admin Officer
4.1.1 Responsible for the administration, interpretation and enforcement of this procedure
4.1.2 Acts as Team Rayomar’s Data Privacy Officer
4.2 General Manager
4.2.1 Acts as STPI’s Compliance Privacy Officer
4.2.2 Responsible for implementation of this policy
4.3 Administrative Associate
4.3.1 Responsible for execution of functions as stated in this policy
4.4 Data Subjects
4.4.1 Responsible for observing and exercising their rights as stated in this policy
5.0 DEFINITION OF TERMS
5.1 Breach – is a security incident that leads to unlawful or unauthorized processing of personal, sensitive or privileged information, or that otherwise compromises the availability, integrity and confidentiality of personal data processed under the control of a personal information controller.
5.2 Consent of the data subject – refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of his personal, sensitive or privileged information. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of a data subject by a lawful representative or agent specifically authorized by the data subject to do so.
5.3 Data Subject – refers to an individual whose personal, sensitive personal or privileged information is processed by the organization (e.g. officers, employees, job applicants, consultants, clients)
5.4 Personal Information – as defined by law, this pertains to any information, whether recorded in material form or not, that will directly ascertain a person’s identity. This includes your address and contact information.
5.5 Personal Information Controller - refers to a natural or juridical person or any other body who controls the processing of personal data or instructs another to process personal data on his or her behalf. The term excludes:
a. A natural or juridical person or any other body who performs such functions on behalf of another; or
b. A natural person who processes personal data in connection with his or her personal, family or household affairs.
There is control if the natural or juridical person or any other body decides on what information is collected, or the purpose or extent of processing.
5.6 Personal Information Processor - refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject.
5.7 Processing – refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
5.8 Sensitive Personal Information - personal information that includes a person’s age, date of birth, marital status, social security and other government identification numbers, financial as well as health information.
6.0 POLICIES
6.1 PROCESSING OF PERSONAL DATA
6.1.1 What Information We Collect
We collect personal information about you in connection with your registration, use, purchase, or inquiries about our services and core business as a Travel and Tours company. This information is collected because it is needed to dispense travel services such as ticketing, hotel booking, tour packaging, and processing of documents such as visas, passports and the like. More specifically, we collect the following information:
- Account Information
  This may include your name, email address, phone numbers, employer, and physical addresses. We may also require passport number, gender, date of birth for travelers and frequent traveler credentials. If we book travel for your travel companions, we may collect similar information about them.
- Travel Information
  This may include your arrival and departure location; preferred airline, hotel and car rental; meal preferences and other travel assistance services.
- Payment Information
  To pay for bookings and other transactions through our services, we collect payment card information and other details necessary to process payments.
6.1.2 When we Collect Information
We collect personal information directly when you:
- Fill out a Client Profile Form
- Email or call your booking and travel details
- Submit your VISA, Passport and Apostille requirements
- Fill out a Travel Service Agreement
- Fill out a Credit Line Application Form
- Fill out a Supplier Accreditation Form
- Provide payment information
6.1.3 How we Use Your Information
We use your personal information to provide our services, process payments, operate our websites and mobile applications, market products and services, create business insights and comply with law. We may use the information we collect to:
- initiate booking of travel and documentation services;
- update database or client records;
- provide it to other government agencies which are entitled to the information under existing laws;
- contact you, including sending you information electronically or otherwise.
6.1.4 How we Share Your Information
We only use and disclose your personal information in connection with our lawful functions and activities. We may share your information with our travel affiliates, travel partners, related government agencies, suppliers and vendors to book travel arrangements and provide our services. We do not sell or share information with third parties so that they can independently market their own products or services directly to you.
6.1.5 How we Store, Retain and Protect Your Information
Our company follows a Records Matrix in protecting and storing our files and records. All personal information we gather shall not be retained for a period longer than the identified retention in our Records Matrix unless we are required by law or regulation or for litigation and regulatory investigations to keep it for longer periods of time. After that period, all hard and soft copies of personal information shall be disposed of and destroyed through secure means. We maintain reasonable administrative, technical, and physical security measures to protect your personal information from unauthorized access and use, such as:
- Keeping your hardcopy files in a secured vault
- Installing passwords and access restrictions in our computers
- Installing appropriate firewall protection in our computers
6.1.6 Access on Personal Data
Due to the sensitive and confidential nature of the personal data under the custody of the company, only the client and the authorized representative of the company shall be allowed to access such personal data, for any purpose, except for those contrary to law, public policy, public order or morals.
6.1.7 Disclosure and Sharing
All employees and personnel of the company shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation, termination of contract, or other contractual relations. Personal data under the custody of the company shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data.
6.1.8 Marketing and Communication
We may use your personal information to tell you about our products and services or those from related businesses such as restaurants, consumer products, tours, and entertainment, to help us determine whether you may be interested in new products or services, and to present travel and advertising content that is tailored to your interests, location or itinerary. We will do so with your consent and as permitted by law.
We may send you marketing on our websites or mobile applications, and through email and other channels, in accordance with applicable law and your choices. If you’d like us to stop sending you marketing messages, you can follow the instructions in our communications or email us any time.
We will also use your personal information to send you messages that are essential for our services; for example, we communicate with you about your travel, to service your account, to fulfill your requests, or otherwise as required by law.
6.2 SECURITY MEASURES
We give utmost premium and importance to every person’s privacy. Consequently, we respect your privacy and keep your information confidential unless we are lawfully required or allowed to disclose it or you give your written consent to such disclosure by accomplishing a Consent Form.
The Data Privacy Act of 2012 clearly provides that personal data of an individual shall never be collected and processed without his or her consent, unless otherwise provided by law.
In line with our commitment to utmost security, we have created and maintained an environment for the protection of your personal information and records. When we collect this information, it is kept safe and secure. We will ensure that personal data under our custody are protected against any accidental or unlawful destruction and alteration. If data owners wish to correct their information submitted to us, they should accomplish the Request for Erasure and Correction Form.
We use reasonable security safeguards to protect information from loss, unauthorized access, use or disclosure.
6.2.1 Organizational Measures
6.2.1.1 Conduct of Privacy Impact Assessment (PIA)
The company shall conduct a Privacy Impact Assessment (PIA) relative to all activities, projects and systems involving the processing of personal data.
6.2.1.2 Data Privacy Officer (DPO)
The designated Data Privacy Officer is Atty. Glenn Mangaoil, who is currently the Chief Legal and Admin Officer and Corporate Secretary of Team Rayomar. His deputy designated for STPI as the Compliance Privacy Officer is Mr. Diego Xavier Garcia, currently the company’s General Manager.
6.2.1.3 Functions of DPO
The Data Privacy Officer shall oversee the compliance of the organization with the DPA, its IRR and other related policies including the conduct of PIA, implementation of security measures, security incident and data breach protocol, and the inquiry and complaints procedure.
6.2.1.4 Duty of Confidentiality
We further require our processors to execute a Confidentiality Undertaking/Non-Disclosure Agreement to ensure fool-proof security. All employees with access to personal data shall operate and hold personal data under strict confidentiality if the same is not intended for public disclosure.
6.2.1.5 Conduct of trainings and seminars to keep updated
The company shall sponsor a mandatory training on data privacy and security at least once a year. The management shall ensure attendance and participation of our personnel directly involved in the processing of personal data in relevant trainings as often as necessary.
6.2.1.6 Review of this policy
This policy shall be reviewed and evaluated annually to align with changes in the business and legal requirements. Privacy and security policies and practices within the organization shall be updated to remain consistent with current data privacy best practices.
Links on our forms and socials will be updated as soon as we revise the policy. If we make material changes to this Privacy Statement, we will post a notice on our website before the changes go into effect, and notify you as otherwise required by applicable law.
6.2.1.7 Recording and Documentation of activities to ensure compliance with DPA
The detailed and accurate documentation of the processing system of the company can be found in our Quality Manual. Management and security of all records and information can be found in our Documents and Records Control Procedures and Records Matrices. Other activities and projects of the DPO to ensure compliance with the DPA shall be detailed and documented in a report. Compliance with the DPA and with this policy shall also be checked annually by our designated Compliance Privacy Auditors.
6.2.2 Physical Measures
6.2.2.1 Format of data to be collected
Personal data in the custody of the company may be in digital/electronic format and paper-based/hardcopy format.
6.2.2.2 Storage type and location
All personal data being processed by the company in hard/paper copy are kept in locked filing cabinets while digital/electronic files are stored in computers provided by the company.
6.2.2.3 Access and limitation of access
Only authorized personnel shall be given keys to the filing cabinets. All computers and workstations installed by the company shall be protected with passwords and user access restrictions.
6.2.2.4 Design of office space/work station
Computers shall be positioned with considerable spaces between them to maintain privacy and protect the processing of personal data.
6.2.2.5 Modes of transfer of personal data
Transfers of personal data will be done via electronic mail. Encryption software will be used to secure our email facility. Transmission of documents containing personal data via facsimile and hardcopy will not be allowed.
6.2.3 Technical Measures
6.2.3.1 Measures against External Threats and Security Breaches
The company’s network shall be protected at all times with a corporate firewall to monitor, prevent and detect security breaches and external threats such as intrusions and unauthorized access. The firewall should automatically filter and block unauthorized access and remove malicious content. The company shall enrol in an annual subscription to ensure timely updates of the firewall.
6.2.3.2 Measures against Internal Threats and Security Breaches
The company shall install anti-virus software to prevent, detect and remove malware and computer threats.
The company must always maintain a backup file for all personal data under its custody.
Employees are not allowed to bring personal storage devices such as USB drives, external hard drives or CDs, to prevent unauthorized transfer or copying of personal and official business data.
Each email account and workstation is protected by a password to prevent unauthorized access of data. Employees will also sign an Asset Accountability Agreement which details their responsibilities in taking care of their laptops while outside the office premises.
6.2.3.3 Security features of software and applications used
All software applications should undergo careful review, evaluation and testing before installation to ensure compatibility of security features.
6.2.3.4 Regular testing, assessment and evaluation of security measures
The IT Department shall review security policies, conduct vulnerability assessments and perform penetration testing within the company on a regular schedule.
6.3 BREACH AND SECURITY INCIDENTS
6.3.1 Creation of Data Breach Response Team
Our Data Breach Response Team will be comprised of two (2) members: the Compliance Privacy Officer and the Compliance Privacy Auditor. The team shall conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effects of the incident or breach.
6.3.2 Measures to prevent and minimize occurrence of breach and security incidents
The organization shall regularly conduct a Privacy Impact Assessment to identify risks in the processing system, monitor for security breaches, and conduct vulnerability scanning of computer networks. Personnel directly involved in the processing of personal data must attend trainings and seminars for capacity building. There must also be an annual review of the policies and procedures being implemented by the organization.
6.3.3 Procedure for recovery and restoration of personal data
In the event of a security incident or data breach, processors shall always compare the backup file with the affected file to determine any inconsistencies or alterations as a result of the breach.
6.3.4 Notification protocol and documentation and reporting of security incidents and breach
The team shall document in a Data Breach Report the details of every incident or breach encountered. The report will be submitted to the management. The Head of the Data Breach Response Team shall inform the management of the need to notify the NPC and data subjects affected by the incident or breach within the period prescribed by law. Management may decide to delegate the actual notification to the head of the Data Breach Response Team. An annual report will also be submitted to the management and NPC.
6.4 YOUR RIGHTS
Our company is duty bound to observe, uphold and respect the privacy rights of our data subjects which are the following:
- The Right to be informed
- The Right to Access
- The Right to Object
- The Right to Erasure or Blocking
- The Right to Damages
- The Right to File a Complaint with the National Privacy Commission
- The Right to Rectify
- The Right to Data Portability
- Transmissibility of Data Subject Rights subject to certain limitations
If you would like to update the information you have provided to us, you have the right to access the form previously filled out and make changes or corrections to your information. You may also have the right to be informed of whether we are processing your information and to access, correct, delete or object, upon request and free of charge, to our use of your information.
Subject rights have limitations as provided by the Data Privacy Act of 2012.
6.5 INQUIRIES AND COMPLAINTS
Data subjects may inquire or request information regarding any matter relating to the processing of their personal data under the custody of the organization, including the data privacy and security policies implemented to ensure the protection of their personal data. They may also report any complaints regarding data privacy. They may email the Compliance Privacy Officer at diego@swire-travel.com.
SUBJECT: COMPLAINT_DATA PRIVACY_Date
6.6 OUR WEBSITE
6.6.1 Web Browser Cookies of our Website
Our website www.swire-travel.com may use “cookies” where a small data file is sent to your browser to store and track information about you when you enter our website. Usage of cookies is not linked to any personally identifiable information on our website. You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can modify your browser settings to decline them. This, however, may prevent you from taking full advantage of the website.
6.6.2 Link to Other Websites
Our website may contain links to and from websites of other companies and other organizations. This Privacy Policy only applies to www.swire-travel.com. Websites other than the said website may have privacy and user policies that deviate from this one. We encourage you to likewise take time to read their site policies. Also, we recommend that you familiarize yourself with the Data Privacy Act of 2012.
7.0 RELATED DOCUMENTS
Quality Manual
Documents and Records Control Procedures
Records Matrix
Asset Accountability Agreement
Privacy Consent Statement