ARPAN AIR INC.
DATA PRIVACY POLICY

I. BACKGROUND

Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), aims to protect personal data in information and communications systems both in the government and the private sector.

It ensures that entities or organizations processing personal data establish policies, and implement measures and procedures that guarantee the safety and security of personal data under their control or custody, thereby upholding an individual’s data privacy rights. A personal information controller or personal information processor is instructed to implement reasonable and appropriate measures to protect personal data against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.

To inform its personnel of such measures, each personal information controller or personal information processor is expected to produce a Privacy Manual. The Manual serves as a guide or handbook for ensuring the compliance of an organization or entity with the DPA, its Implementing Rules and Regulations (IRR), and other relevant issuances of the National Privacy Commission (NPC). It also encapsulates the privacy and data protection protocols that need to be observed and carried out within the organization for specific circumstances (e.g., from collection to destruction), directed toward the fulfillment and realization of the rights of data subjects.


II. INTRODUCTION

This Privacy Manual is hereby adopted in compliance with Republic Act No. 10173 or the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations, and other relevant policies, including issuances of the National Privacy Commission. This organization respects and values your data privacy rights, and makes sure that all personal data collected from you, our clients and customers, are processed in adherence to the general principles of transparency, legitimate purpose, and proportionality. 
This Manual shall inform you of our data protection and security measures, and may serve as your guide in exercising your rights under the DPA.


III. DEFINITION OF TERMS

•    Commission shall refer to the National Privacy Commission created by virtue of the DPA.

•    Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.

•    Data Subject refers to an individual whose personal, sensitive personal or privileged information is processed by the organization. It may refer to officers, employees, consultants, and clients of this organization.

•    Direct marketing refers to communication by whatever means of any advertising or marketing material which is directed to particular individuals.

•    Filing system refers to any set of information relating to natural or juridical persons to the extent that, although the information is not processed by equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular person is readily accessible.

•    Information and Communications System refers to a system for generating, sending, receiving, storing or otherwise processing electronic data messages or electronic documents and includes the computer system or other similar device by or which data is recorded, transmitted or stored and any procedure related to the recording, transmission or storage of electronic data, electronic message, or electronic document.

•    Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

•    Personal information controller refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:

    •    A person or organization who performs such functions as instructed by another person or organization; and

    •    An individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.

•    Personal information processor refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.

•    Processing refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.

•    Privileged information refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.

•    Sensitive personal information refers to personal information:

    •    About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

    •    About an individual’s health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;

    •    Issued by government agencies peculiar to an individual, including, but not limited to, social security numbers, previous or current health records, licenses or their denial, suspension or revocation, and tax returns; and

    •    Specifically established by an executive order or an act of Congress to be kept classified.


IV. SCOPE & LIMITATIONS

All personnel of ARPAN AIR, INCORPORATED (AAI), regardless of the type of employment or contractual arrangement, must comply with the terms set out in this Privacy Manual.

Processing of Personal Data

Personal Data received by AAI undergoes the following processing system:

•    Collection 

AAI collects the basic contact information of clients and customers, including their full name, address, email address, contact number, together with the travel products that they would like to purchase. The sales representative attending to customers will collect such information through accomplished order forms.

•    Use

Personal data collected shall be used by AAI for identification, documentation, reservations for accommodations, booking and arranging land/sea/air transportation, monitoring of flights, booking of travel and tour itineraries, and visa support services.

•    Storage, Retention and Destruction 

The Company will ensure that Personal Data under its custody are protected at all times, against any accidental or unlawful destruction, alteration, disclosure and/or against any other unlawful processing.

The Company will implement appropriate security measures in storing collected Personal Information, depending on the nature of the information.

All Personal Data of Data Subjects such as current employees and regular clients are to be systematically updated by the Company on a regular basis.

All information gathered from inactive clients shall not be retained for a period longer than one (1) year. After one (1) year, all hard and soft copies of personal information of inactive clients shall be disposed of and destroyed through secure means.

•    Access 

Due to the sensitive and confidential nature of the personal data under the custody of the company, only the client and the authorized representatives of the company shall be allowed to access such personal data, for any purpose except those contrary to law, public policy, public order or morals.

•    Disclosure and Sharing 

All employees and personnel of the company shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation, termination of contract, or other contractual relations. Personal data under the custody of the company shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data. 


V. SECURITY MEASURES

Organizational Security Measures

The designated Data Protection Officer is Joseph Alex J. Yaptangco, who is concurrently serving as the Head of Administration & Travel Technology of AAI. 

•    Functions of the DPO, COP and/or any other responsible personnel with similar functions

The Data Protection Officer shall oversee the compliance of the organization with the DPA, its IRR, and other related policies, including the conduct of a Privacy Impact Assessment, implementation of security measures, security incident and data breach protocol, and the inquiry and complaints procedure. 

•    Conduct of trainings or seminars to keep personnel, especially the Data Protection Officer, updated on developments in data privacy and security

The organization shall sponsor a mandatory training on data privacy and security at least once a year. For personnel directly involved in the processing of personal data, management shall ensure their attendance and participation in relevant trainings and orientations, as often as necessary. 

•    Conduct of Privacy Impact Assessment (PIA) 

The organization shall conduct a Privacy Impact Assessment (PIA) relative to all activities, projects and systems involving the processing of personal data. It may choose to outsource the conduct of a PIA to a third party.

•    Recording and documentation of activities carried out by the DPO, or the organization itself, to ensure compliance with the DPA, its IRR and other relevant policies.

•    Duty of Confidentiality

All employees will be asked to sign a Non-Disclosure Agreement. All employees with access to personal data shall operate and hold personal data under strict confidentiality if the same is not intended for public disclosure. 

•    Review of Privacy Manual

This Manual shall be reviewed and evaluated annually. Privacy and security policies and practices within the organization shall be updated to remain consistent with current data privacy best practices. 


VI. PHYSICAL SECURITY MEASURES

The DPO, with the assistance of the HR Manager and the Division Managers, shall develop and implement policies and procedures for the Company to monitor and limit access to rooms and workstations in the Company where Personal Data is processed. These shall include guidelines that specify the proper use of, and access to, electronic media, and a policy limiting the processing of personal data for compliance and legal matters to duly authorized employees under the supervision of the DPO.

The design and layout of the office spaces and workstations of these Divisions, including the physical arrangement of furniture and equipment, shall be periodically evaluated and readjusted in order to provide privacy to anyone Processing Personal Data, taking into consideration the environment and accessibility to unauthorized persons.

The Company shall clearly define the duties, responsibilities, and schedules of individuals involved in the Processing of Personal Data to ensure that only those individuals actually performing official duties shall be in the rooms or workstations at any given time. Further, the rooms and workstations used in the Processing of Personal Data shall be secured against natural disasters, external stress, and other similar threats.


VII. TECHNICAL SECURITY MEASURES 


The DPO shall continually develop and evaluate the Company’s security policy with respect to the Processing of Personal Data. The security policy should include the following minimum requirements:

•    Safeguards to protect the Company’s computer network and systems against accidental, unlawful, or unauthorized usage, any interference which will affect data integrity or hinder the functioning or availability of the system, and unauthorized access.

•    The ability to ensure and maintain the confidentiality, integrity, availability, and resilience of the Company’s data processing systems and services.

•    Regular monitoring for security breaches, and a process both for identifying and assessing reasonably foreseeable vulnerabilities in the Company’s computer network and systems and for taking preventive, corrective, and mitigating actions against security incidents that can lead to a Personal Data breach.

•    The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident.

•    A process for regularly testing, assessing, and evaluating the effectiveness of security measures.

•    Encryption of Personal Data during storage and while in transit, an authentication process, and other technical security measures that control and limit access thereto.


VIII. BREACH & SECURITY INCIDENTS

•    Creation of a Data Breach Response Team

A Data Breach Response Team composed of three (3) officers shall be responsible for ensuring immediate action in the event of a security incident or personal data breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effects of the incident or breach.

•    Measures to prevent and minimize occurrence of breach and security incidents 

The organization shall regularly conduct a Privacy Impact Assessment to identify risks in the processing system, monitor for security breaches, and conduct vulnerability scanning of its computer networks. Personnel directly involved in the processing of personal data must attend trainings and seminars for capacity building. There must also be a periodic review of the policies and procedures being implemented in the organization.

•    Procedure for recovery and restoration of personal data 

The organization shall always maintain a backup file for all personal data under its custody. In the event of a security incident or data breach, it shall always compare the backup with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach. 

•    Notification protocol 

The Head of the Data Breach Response Team shall inform the management of the need to notify the NPC and the data subjects affected by the incident or breach within the period prescribed by law. Management may decide to delegate the actual notification to the head of the Data Breach Response Team. 

•    Documentation and reporting procedure of security incidents or a personal data breach 

The Data Breach Response Team shall prepare a detailed documentation of every incident or breach encountered, as well as an annual report, to be submitted to management and the NPC, within the prescribed period. 


IX. INQUIRY & COMPLAINTS

Data subjects may inquire or request information regarding any matter relating to the processing of their personal data under the custody of the company, including the data privacy and security policies implemented to ensure the protection of their personal data. They may write to the company at rylcaribbean@arpanair.com.ph and briefly discuss the inquiry, together with their contact details for reference.

Complaints shall be filed in three (3) printed copies, or sent to the DPO. The concerned division shall confirm with the complainant its receipt of the complaint.


X. EFFECTIVITY

The provisions of this Manual are effective this 1st day of February, 2019, until revoked or amended by this company, through a Board Resolution.