Privacy Policy
Last updated: October 2, 2024
This policy sets out how Via Mare handles the Personal Data of our customers, suppliers, employees, workers and any other third parties.
This policy applies to all Via Mare Personnel (“you”, “your”). You must read, understand and comply with this policy when processing Personal Data on Via Mare’s behalf, attend training on its requirements, and strictly implement the process and guidelines as per this policy.
Any breach of this policy may result in disciplinary action.
Scope
This policy applies to all Personal Data that Via Mare processes regardless of the media on which that data is stored or whether it relates to past or present or potential employees, workers, customers, clients or supplier contacts, shareholders, website users or any other Data Subject.
Interpretation
- Data Controller means the entity that determines when, why and how to process Personal Data.
- Data Processor is the entity that processes data on behalf of the Data Controller.
- Data Protection Authority means the national authorities tasked with the protection of data and privacy as well as monitoring and enforcement of the data protection regulations.
- Data Protection Officer (DPO) is the person required to be appointed in specific circumstances under Republic Act 10173.
- Data Subject is a living, identified or identifiable individual about whom we hold Personal Data.
- Via Mare Personnel are all employees, workers, contractors, agency workers, consultants, directors and suppliers.
- Personal Data is any information identifying a Data Subject or information relating to a Data Subject that we can identify (directly or indirectly) from that data alone or in combination with other identifiers we possess or can reasonably access. Personal Data does not include anonymous data or data that has had the identity of an individual permanently removed.
- Processing or Process means any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data, including organizing, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
- Personal Data Breach refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Collecting and Using Your Personal Data
Data Controller and Processor
Via Mare is the data processor (insofar as it relates to customer data processed in catering projects and restaurant operations) as well as data controller (collecting data on employees, suppliers, and existing and prospective clients) as per the Data Privacy Act of 2012.
Republic Act 10173 or the Data Privacy Act of 2012
The Individual/Service User will be made aware in most circumstances how and with whom their information will be shared. Data can also be shared to perform a contract between the data subject and Via Mare. There are circumstances where the law allows Via Mare to disclose data (including sensitive data) without the data subject’s consent. These are:
a) Carrying out a legal duty.
b) Protecting vital interests of an Individual/Service User or other person.
c) The Individual/Service User has already made the information public.
d) Conducting any legal proceedings, obtaining legal advice or defending any legal rights.
e) Monitoring for equal opportunities purposes – i.e. race, disability or religion.
Via Mare regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining the confidence of those with whom Via Mare deals.
Via Mare intends to ensure that personal information is treated lawfully and correctly.
Via Mare adheres to the principles relating to the Processing of Personal Data, as set out in the Data Privacy Act of 2012, which require:
a) Lawful, Fair and Transparent processing.
b) Collection only for specified, explicit and legitimate purposes (Purpose Limitation).
c) Data Minimization (adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed).
d) Accurate and Up-to-date processing.
e) Not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which it is Processed (Storage and Retention Limitation).
f) Processing in a manner that ensures its security using appropriate technical and organizational measures to protect against unauthorized or unlawful Processing and against accidental loss, destruction or damage (Confidentiality, Security and Integrity).
g) No transfers of Personal Data to another country without appropriate safeguards being in place (Transfer Limitation).
h) Data Subjects be allowed to exercise certain rights in relation to their Personal Data (Data Subject’s Rights and Requests).
i) We are responsible for and must demonstrate compliance with the data protection principles listed above (Accountability).
Via Mare will, through appropriate management and strict application of criteria and controls:
a) Observe fully conditions regarding the fair collection and use of information.
b) Collect and process appropriate information, and only to the extent that it is needed to fulfill its operational needs or to comply with any legal requirements.
c) Ensure the quality of information used.
d) Ensure that the rights of people about whom information is held can be fully exercised under the Act. These include:
- The right to be informed that processing is being undertaken;
- The right of access to one’s personal information;
- The right to prevent processing in certain circumstances; and
- The right to correct, rectify, block or erase information which is regarded as wrong information.
e) Take appropriate technical and organizational security measures to safeguard personal information.
f) Process data of people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information.
Data Collection
Via Mare collects employee and supplier data to perform our contract with you. We also take your consent:
- By clearly stating why their information is needed, who it will be shared with, and the possible consequences of them agreeing or refusing the proposed use of the data.
Personally Identifiable Information (PII) data in catering projects or in the restaurant operations is processed only if there is a Data Transfer Agreement between Via Mare and the Client.
Via Mare will ensure that data is collected within the boundaries defined in this policy.
When collecting data, Via Mare will ensure that the Individual/Service user:
a) Clearly understands why the information is needed.
b) Understands what it will be used for and what the consequences are should the Individual/Service User decide not to give consent to the processing.
c) As far as reasonably possible, grants explicit consent or consent obtained through a legal basis for data to be processed.
d) Is, as far as reasonably practicable, competent enough to give consent and has given so freely without any duress.
e) Has received sufficient information on how data will be used.
Data Storage Limitation
Records of all data processing activities will be maintained. This includes processing of client data, employee data, prospective client data and supplier data.
Information shall be stored for only as long as it is needed or required by statute and will be disposed of appropriately in accordance with Via Mare’s Backup Data Retention guidelines.
Via Mare will take appropriate measures to ensure secure disposal of the PII upon receiving a request for disposal or after the purpose for which the data collected is o It is Via Mare’s responsibility to ensure all personal and company data is non-recoverable from any computer system previously used within the organization (or those deemed obsolete).
The Data Retention Policy ensures the elimination of data pile-up. Unless requested by Via Mare clients, archive data has a default retention period of 5 years except per separate client archival and/or regulatory requirements. Once the timeframe is reached, a mail requesting permanent deletion of relevant confidential data is sent to the IT Head. Upon approval, the data is destroyed.
Employee and Supplier data will be stored for a period of 6 + current year in sync with regulatory requirements.
Data Access and Accuracy
Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate (based on the inputs received from Individual/Service User). Via Mare is required to ensure that the Personal Data it uses and holds is accurate, complete, kept up to date and relevant to the purpose for which it was collected. Via Mare must check the accuracy of any Personal Data at the point of collection and at regular intervals afterwards, and must take all reasonable steps to destroy or amend inaccurate or out-of-date Personal Data.
Via Mare will take reasonable steps to ensure that Personal Data it holds is accurate and kept up to date which may include asking Data Subjects to confirm whether there have been any changes in their Personal Data.
In addition, Via Mare will ensure that:
a) It has a Data Protection Officer with specific responsibility for ensuring compliance with Data Protection Regulation.
b) Everyone processing personal information understands that they are contractually responsible for following the process and policies.
c) Everyone processing personal information is appropriately trained to do so.
d) Everyone processing personal information is appropriately supervised.
e) Anybody wanting to make inquiries about handling personal information knows what to do.
f) It deals promptly and courteously with any inquiries about handling personal information.
g) It describes clearly how it handles personal information.
h) It will regularly review and audit the ways it stores, manages and uses personal information.
i) It regularly assesses and evaluates its methods and performance in relation to handling personal information.
j) All staff are aware that a breach of the rules and procedures identified in this policy may lead to disciplinary action being taken against them.
Data Breach Response
Via Mare shall notify the respective data controller/data subjects/authority without undue delay after becoming aware of a personal data breach. Where, and in so far as, it is not possible to provide the information at the time of notification, the information may be provided in phases without undue further delay.
A Personal Data Breach is any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical, administrative or organizational safeguards that we or our third-party service providers put in place to protect it. The loss or unauthorized access, disclosure or acquisition of Personal Data is a Personal Data Breach.
If you know or suspect that a Personal Data Breach has occurred, do not attempt to investigate the matter yourself. Immediately contact the person or team designated as the key point of contact for personal data breaches (the DPO at dpo@viamare.com.ph). Via Mare should preserve all evidence relating to Personal Data Breaches.
How We Secure Your Personal Data
We take precautions, which include security processes and technical and physical measures, to help safeguard your information against any accidental or unlawful destruction, alteration and unauthorized access or disclosure of the personal data we process. The PII data in our possession is encrypted in storage, with access controlled and limited to authorized individuals. Once the requirement of storing or processing PII data is complete, it is securely deleted and recorded.
While we follow generally accepted security standards to protect your data, we also expect you to protect your password, limit access to your device and sign out of websites after your sessions.
Data Sharing
Via Mare will share the data collected with the following parties for further processing.
Employee data
The data collected from the onboarding process is for Via Mare record-keeping and it may be shared with third parties for official purposes. The employee documents are maintained securely with restricted access by the HR team.
Via Mare and its affiliates and/or subsidiaries may process the personal data of its employees for the purposes set forth in this Privacy Policy. Data sharing refers to the disclosure or transfer of personal data to third parties, other than those classified as personal information processors.
Catering Engagement Data
PII data, if collected during project execution, will be safely kept with restricted access until the catering project completion. PII data may be shared with suppliers, after an MSA (with Data Privacy compliance requirements being addressed to the level that Via Mare follows) is mutually agreed upon by Via Mare and the customer.
Supplier Data
Supplier PII data is stored with restricted access on internal systems.
Data Protection Officer
We have appointed a data protection officer to oversee compliance with this privacy notice. If you have any questions about this policy or how we handle your personal information, please contact dpo@viamare.com.ph. You have the right to make a complaint at any time to the National Privacy Commission for data protection issues.
Changes to this Data Privacy Policy
Via Mare reserves the right to update this policy at any time, and we will provide you with a new policy when we make any updates. We may also notify you in other ways from time to time about the processing of your personal information.
If you have any questions about this privacy policy, please contact dpo@viamare.com.ph, the email address of the DPO.