INTRODUCTION

Philippine Transmarine Carriers, Inc. (PTC) is a leader in the Philippine maritime industry and one of the largest Philippine-based global crew management and diversified maritime service companies in the country, deploying more than 50,000 seafarers annually to over 1,000 vessels worldwide.

Today, PTC has emerged beyond crew management to offer an integrated value chain of services which include Shipping, Real Estate, Energy, Hospitality & Leisure, Aviation and International Professional Placement.

Part of PTC’s day-to-day operations is to collect, manage, process and store large quantities of personal data whether offline or online. Transparency in data collection, handling and storage while ensuring its compliance within the legal and moral boundaries of Republic Act No.10173’s, also known as The Data Privacy Act of 2012, rules and provisions are of utmost importance.

DEFINITION OF TERMS

Data Privacy Act or DPA refers to Republic Act No. 10173 or the Data Privacy Act of 2012 and its implementing rules and regulations;

Data Subject refers to an individual whose Personal Information, Sensitive Personal Information, or Privileged Information is processed;

Company refers to Philippine Transmarine Carriers Inc.; or PTC Inc.

Personal Data collectively refers to Personal Information, Sensitive Personal Information, and Privileged Information;

Personal Information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual;

Processing refers to any operation or set of operations performed upon Personal Data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the Personal Data are contained or are intended to be contained in a filing system;

Privileged Information refers to any and all forms of Personal Data, which, under the Rules of Court and other pertinent laws constitute privileged communication;

Security Incident is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity and confidentiality of Personal Data. It includes incidents that would result to a personal data breach, if not for safeguards that have been put in place;

Sensitive Personal Information refers to Personal Data:

1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

2. About an individual’s health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;

3. Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and

4. Specifically established by an executive order or an act of Congress to be kept classified.

SCOPE AND LIMITATIONS

PTC Inc.’s Data Privacy Policy shall be bounded by and limited to the following areas:

• All personal data and information that PTC Inc. collects processes, and stores as necessary for the company to execute its business operations

• All PTC Inc. employees, shareholders, consultants, and third-party service providers that process personal data and information for on behalf of PTC Inc. and/or is provided personal data and information by PTC Inc. as necessary or required by PTC Inc. to operate its business processes.

• All Data Subjects from whom PTC Inc. requests for personal data or information as necessary or required by PTC Inc. to operate its business processes. This includes clients, principals, recruits, and applicants as well as all PTC Inc. employees, shareholders, consultants, and third-party service providers.

• All physical areas that PTC Inc. owns or under their control, where data subjects congregate or share their personal data and information or where that data is processed, stored, or disposed.

• Such data and information construed and elucidated in Republic Act No. 10173 or also known as the “Data Privacy Act of 2012” or on its Implementing Rules and Regulations. However, personal, whether or not sensitive, data and information will not include information that is in the public domain, or information that falls into the public domain, unless such information falls into the public domain by disclosure or other acts of the violator, or through the fault of the violator.

POLICY ON THE PROCESSING OF PERSONAL DATA

PTC Inc. shall adhere and comply to the prescribed principles of Data Privacy as mandated by the Data Privacy Act. All Processing of Personal Data within the Company should be conducted in compliance with the following data privacy principles as espoused in the Data Privacy Act:

a. Transparency. The Data Subject must be aware of the nature, purpose, and extent of the processing of his or her Personal Data by the Company, including the risks and safeguards involved, the identity of persons and entities involved in Processing his or her Personal Data, his or her rights as a Data Subject, and how these can be exercised. Any information and communication relating to the Processing of Personal Data should be easy to access and understand, using clear and plain language.

b. Legitimate purpose. The Processing of Personal Data by the Company shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.

c. Proportionality. The Processing of Personal Data shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal Data shall be processed by the Company only if the purpose of the Processing could not reasonably be fulfilled by other means.

POLICY ON DATA SECURITY MEASURES

PTC Inc. shall implement organizational, physical and technical security measures and personal data privacy policies intended to prevent or minimize the occurrence of a personal data breach and assure the timely discovery of a security incident. The security measures shall be categorized as follows:

• Organizational

• Physical

• Technical

Organizational Security Measures

PTC Inc. shall create, implement, and enforce a “Data Privacy Policy” that will be the basis for its commitment to data privacy principles and its compliance to the IRR of the Data Privacy Act of 2012. The Data Privacy Policy will also serve as PTC Inc.’s Data Privacy Manual which will serve as the basis for its “code of practice” of how it will operate its data privacy security measures

PTC Inc.’s Data Privacy Policy shall be aligned and cross referenced with the following PTC Holdings Policies

• Cyber Security Policy

• Human Resource Policy on Disciplinary Actions

PTC Inc. shall appoint a Data Privacy Officer who is responsible for ensuring the Company’s compliance with applicable laws and regulations as well as the implementation of the provisions of this policy

The DPO’s functions and responsibilities shall particularly include, among others:

1. Monitoring the Company’s Personal Data Processing activities in order to ensure compliance with applicable Personal Data privacy laws and regulations, including the conduct of periodic internal audits and review to ensure that all the Company’s data privacy policies are adequately implemented by its employees and authorized agents;

2. Acting as a liaison between the Company and the regulatory and accrediting bodies, and is in charge of the applicable registration, notification, and reportorial requirements mandated by the Data Privacy Act, as well any other applicable data privacy laws and regulations;

3. Developing, establishing, and reviewing policies and procedures for the exercise by Data Subjects of their rights under the Data Privacy Act and other applicable laws and regulations on Personal Data privacy;

4. Acting as the primary point of contact whom Data Subject may coordinate and consult with for all concerns relating to their Personal Data;

5. Formulating capacity building, orientation, and training programs for employees, agents or representatives of the Company regarding Personal Data privacy and security policies;

6. Preparing and filing the annual report of the summary of documented security incidents and Personal Data breaches, if any, as required under the Data Privacy Act, and of compliance with other requirements that may be provided in other issuances of the National Privacy Commission.

PTC Inc. shall conduct periodic Privacy Impact Assessments to assure that their data privacy security measures are adequate, valid, current, and effective

PTC Inc. shall conduct periodic Data Security Breach Incident Management Drills to assure that their data privacy breach incident management protocols including their Incident Reporting and Communication to NPC are adequate, valid, current, and effective (See Security Incident Management Policy)

Privacy Policy for Human Resources

PTC Inc’s Human Resources Department (HRD) shall also collect and share personal data from PTC Inc’s Staff, employees, consultants, and third-party providers by applying the prescribed data privacy principles as well as in compliance with the IRR of the Data Privacy Act and other relevant and related laws or regulations PTC Inc.’s HRD shall also create and implement a screening and background verification process to check on all candidates for employment in positions that will give them access to personal data or information, in accordance with any and all relevant laws, regulations and ethics to assess for qualifications and perceived risks PTC Inc.’s HRD will also include in the terms and conditions of PTC Inc,’s Contract of Employment the employee’s duties and responsibilities in relation to Data Privacy including compliance to this Data Privacy Policy and any protocols or procedures that protect data privacy PTC Inc.’s HRD shall conduct awareness, education and training for data privacy to all employees as appropriate to their position and to the classification of personal data and information that they will have access to.

PTC Inc.’s HRD shall implement and enforce a formal and communicated disciplinary process that specifies penalties and sanctions for violations against this Data Privacy Policy (See HRD Policy on Disciplinary Actions)

Physical Security Measures

PTC Inc. shall create and define physical security perimeters in areas where personal data and information is shared, processed, and stored. These secured areas shall likewise be protected by physical access controls to ensure that only authorized personnel are allowed access to those areas PTC Inc. shall control access points (i.e. delivery areas, visitor areas, etc.) where unauthorized personnel may gain access to the organizations data processing facilities PTC Inc. shall create physical security measures for its data processing facilities to protect it against natural disasters, intentional attacks, and accidents to assure the confidentiality, integrity and availability of personal data within its control.

PTC Inc. shall create procedures on working in secure areas to assure compliance with data privacy principles PTC Inc. shall implement a “Clear Desk, - Clear Screen Policy” wherein all users and staff of data processing terminals and other similar devices will log-out of their terminals when they leave their desk and make sure that no documents or devices containing personal information is left on their desk when they leave. (NOTE: the data terminal can likewise be configured to automatically log-off when it is left idle for a specified amount of time)

Technical Security Measures

PTC Inc.’s Information Technology Department or ITD shall create, implement, and enforce an IT Security Policy that is aligned and cross referenced to PTC Holdings own Cyber Security Policy and Data Governance Policy.

PTC Inc.’s Information Technology Security Policy shall take into consideration the specific needs and requirements for compliance with the Data Privacy Act and all other relevant and related laws and regulations.

PTC Inc.’s Information Technology Security Policy shall take into consideration the specific needs and requirements for the PTC Inc. to operate their business processes.

SECURITY INCIDENT MANAGEMENT POLICY

PTC Inc. shall create a data breach response team, with members that have clearly defined responsibilities, to ensure timely action in the event of a security incident or personal data breach

PTC Inc. shall create an incident response procedure intended to contain a security incident or personal data breach and restore integrity to the information and communications system;

PTC Inc. shall report all incidents of a data security breach to the NPC most especially If the data breach involves:

a. Information that would likely affect national security, public safety, public order, or public health;

b. At least one hundred (100) individuals;

c. Information required by all applicable laws or rules to be confidential; or

d. Personal data of Global Maritime Professionals and their allottees/dependents.

PTC Inc. shall report all incidents of a data security breach to the NPC & the data subjects shall be notified within seventy-two (72) hours upon knowledge of or the reasonable belief by PTC Inc. or their employee that a personal data breach has occurred.

PTC Inc. shall submit a full report via written or electronic form, of the personal data breach within 5 days, unless granted additional time by the NPC to comply.

POLICY ON INQUIRIES AND COMPLAINTS

Any data subject may inquire about the nature and extent of processing that PTC Inc. will do to his or her personal data or if they would like to file a complaint due to the mishandling of their personal data they may do so by employing one of the following options:

• Submitting a formal letter of inquiry or complaint addressed to the Data Protection Officer of PTC Inc. and submit it to PTCI QA Department

• Submitting an inquiry or complaint through email to be sent to data.privacy.officer@ptc.com.ph

All inquiries and complaints will be forwarded to PTC Inc.’s Committee on Data Privacy for proper disposition, evaluation, and final resolution within receipt and acknowledgement of the inquiry or complaint.

LIABILITIES/PENALTIES

Any violation of this policy and/or the Data Privacy Act may be liable for penalties set forth and prescribed under Chapter VIII (Penalties) of the Republic Act No. 10173 or also known as the “Data Privacy Act of 2012”, whatever is applicable.

This Policy in part or as a whole shall be documented and communicated to all PTC Inc. employees, consultants, shareholders, partners, or relevant third-party service providers to inform them of PTC Inc.’s Commitment and Compliance to Data Privacy and the Data Privacy Act of 2012.

Authorized and Approved by:

Capt. Estanislao C. Santiago
Data Protection Officer

Mr. Edgar Dominic Milla
Chief Operations Officer