
RESTRICTED

count (rows 1 to 19)
Name of Company Process/Department
1. The name of the Information and communications system or filing system

2. Purpose or purposes of the processing;
3. Processing is being done as a PIC, PIP, or both; (entered as PIC in all 19 rows)
4. If the system is outsourced or subcontracted, the name and contact details of the PIP;

5.a. Categories of Data Subjects: who are the data subjects (Employee, Customer, etc)
5.b. Categories of Data Relating to Data Subjects: what information is being collected/processed (Refer to tab 'Categories of Personal Data')

6. The recipients or categories of recipients to whom the data might be disclosed; (Examples: Officers/directors, HR manager, HR administration staff, IT administrators, application developers, external IT maintenance company, facility management staff, department xyz, etc.)
7. Is personal data transferred outside of the Philippines?
8. Does the processing system involve automated decision-making?

Comments
Personal information

Data processing systems

Information and
communications system

Filing system

Control

Processing

Automated Decision-making

Personal information controller

Personal information processor

*For the purpose of our registration with the National Privacy Commission and compliance with R.A. 10173 (Data Privacy Act of 2012),
● Company X is the Personal Information Controller (PIC) of all personal data relating to its current and previous employees, contingent workers, visitors, se[…] providers, contractors and other third parties.
● Company X is the Personal Information Processor (PIP) of all personal data relating to customers of HCompany Y wherein the business process is outsour[…] Company Y to Company X.
● Any third party involved in processing personal information of Company X employees is considered a Personal Information Processor (PIP)

“Personal information” refers to any information, whether recorded in a material form or not, from which the identity of an
apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with o
information would directly and certainly identify an individual;

“Data processing systems” refers to the structure and procedure by which personal data is collected and further processed
information and communications system or relevant filing system, including the purpose and intended output of the proce

“Information and communications system” refers to a system for generating, sending, receiving, storing, or otherwise proce
electronic data messages or electronic documents, and includes the computer system or other similar device by which data
transmitted, or stored, and any procedure related to the recording, transmission, or storage of electronic data, electronic m
electronic document;

“Filing system” refers to any set of information relating to a natural or juridical person to the extent that, although the infor
processed by equipment operating automatically in response to instructions given for that purpose, the set is structured, e
reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to
person is readily accessible;

There is control if the natural or juridical person or any other body decides on what information is collected, or the purpose
its processing;

“Processing” refers to any operation or any set of operations performed upon personal data including, but not limited to, th
recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or d
data. Processing may be performed through automated means, or manual processing, if the personal data are contained o
to be contained in a filing system;

“Automated Decision-making” refers to a wholly or partially automated processing operation that serves as the sole basis f
decisions that would significantly affect a data subject. It includes the process of profiling based on an individual’s economi
political or religious beliefs, behavioral or marketing activities, electronic communication data, location data, and financial d
others;

“Personal information controller” refers to a natural or juridical person, or any other body who controls the processing of p
or instructs another to process personal data on its behalf.

“Personal information processor” refers to any natural or juridical person or any other body to whom a personal informatio
may outsource or instruct the processing of personal data pertaining to a data subject.

Personal details
Included in this category are classes of data which identify the data subject and their personal characteristics. Examples are
addresses, contact details, age, sex, date of birth, physical descriptions, identifiers issued by public bodies, e.g. Passport Nu
Security Number, Tax ID number.

Employment details
Included in this category are any matters relating to the employment of the data subject. Examples are employment and ca
recruitment and terminations details, attendance record, health and safety records, performance appraisals, training record
records.

Financial details
Included in this category are any matters relating to the financial affairs of the data subject. Examples are income, salary an
details, bank account numbers and credit card numbers and transaction details, assets and investments, payments, creditw
loans, benefits, grants, insurance details, pension information.

Education and training details
Included in this category are any matters which relate to the education and any professional training of the data subject. Ex
academic records, qualifications, skills, training records, professional expertise, student records.

Medical and Health
Information that describes an individual’s health, medical conditions or health care, physical and mental health, drug test r
disabilities, family or individual health history, health records, blood type, DNA code, prescriptions

Family, lifestyle and social circumstances
Included in this category are any matters relating to the family of the data subject and the data subject’s lifestyle and social
circumstances. Examples are details about current marriage and partnerships and marital history, details of family and othe
members, habits, housing, travel details, leisure activities, membership of charitable or voluntary organisations.

Internal-Individual
An individual or group of individuals within the organization who is either the intended recipient or otherwise has authorit
data subjects processed personal data. Examples are: Company Director/president/CEO, Department heads, Process heads
Administration staff,

Internal-Department
Departments or sub groups within the organization that have authorized access to the processed data. Examples are Huma
IT, Finance,

External
Any third party not belonging to the organization (whether an individual, public authority, government agency or another b
which the personal data are disclosed. Examples are: Consultants, Service providers, Health Maintenance Organizations (HM
Government agencies (BIR, DOLE, Bureau of Immigration, PEZA)
