The purpose of this DATA PRIVACY MANUAL (hereinafter referred to as the “MANUAL”) is to serve as a guide or handbook for ensuring compliance with the Data Privacy Act of 2012 by UBX PH (hereinafter referred to as “UBX”). This MANUAL defines the Company’s Privacy Management Program and enumerates its internal rules, policies, and procedures for the protection and security of the personal information of UBX Data Subjects throughout the data lifecycle. It shall be kept up to date to reflect changes in Philippine data protection law, other pertinent laws and regulations, and global industry standards.
This MANUAL applies to all internal and external parties who conduct business with UBX. Internal parties include, but are not limited to, the Board of Directors, Senior Management, Executives, and all regular UBX employees. External parties include, but are not limited to, contractors, vendors, consultants, independent service contractors, on-the-job trainees, and other third parties considered by the Bank.
Section 1. Mission Statement
The Data Privacy Office aims to protect the privacy of UBX Data Subjects and to ensure the proper use and disclosure of their personal data. The DPO fosters a corporate culture that values privacy through awareness and meaningful guidance on data protection based on international standards.
Section 2. Jurisdiction of the National Privacy Commission
UBX recognizes that the National Privacy Commission may conduct compliance audits and inspections of the Company’s internal and external operations, as well as of its mandatory documentary submissions. The Commission may review and inspect data sharing agreements, outsourcing agreements, and other similar contracts involving the processing of personal data. The Commission may also subject the Company to investigation on an ad hoc basis on the grounds of any reported violation of the rights and freedoms of data subjects, and on other matters necessary to ensure effective implementation of the Data Privacy Act and this MANUAL.
Section 3. Registration with the National Privacy Commission
Data Protection Officer
UBX shall identify a Data Protection Officer, duly authorized by the Board of Directors to assume the role and responsibilities provided in this MANUAL. The appointed Data Protection Officer shall be registered with the National Privacy Commission and shall be accountable for the registration requirements and other regulatory orders issued by the National Privacy Commission.
Data Processing Systems
UBX shall register its data processing systems with the National Privacy Commission. All information and communication technology and network systems that store or process Personal Data shall be compiled and documented by the Data Privacy Office.
Section 4. Data Privacy Office
There shall be a Data Privacy Office headed by the Data Protection Officer (DPO). The DPO may be assisted by one or more Compliance Officers for Privacy (COP).
Section 5. Functions of the Data Protection Office
The Data Privacy Office shall oversee the compliance of the organization with the DPA, its IRR, and other pertinent data protection standards, with the following roles and responsibilities under the law:
Section 1. Legitimate Purpose
Personal Data shall be processed only if not otherwise prohibited by law, and only when at least one of the following conditions exists:
Section 2. Consent
If processing of the Personal Data of UBX Data Subjects is necessary and goes beyond what they initially consented to, the Company shall obtain affirmative consent through an opt-in mechanism or platform. Consent shall include the following:
Section 3. Transparency
UBX shall inform Data Subjects of how their Personal Data are being processed. Data Subjects shall be granted access to data concerning them and have the right to demand the correction of inaccurate or misleading data.
Section 4. Proportionality
UBX shall only collect Personal Data of the Data Subjects to the extent necessary for achieving determined purposes.
Section 5. Accuracy
Personal Data shall be kept up to date, complete, and limited to what is necessary for the purpose of the data processing.
Section 6. Rights of Data Subjects
Section 1. Defining Information
UBX shall maintain a comprehensive and up-to-date inventory of its information assets, recording the value, criticality, sensitivity, and legal implications of each.
Section 2. Classifying Information
All corporate business units, process owners, and project teams shall adhere to the Information Classification Framework of UBX, classifying information as Confidential, Public, Internal Use Only, or Private, as defined in this MANUAL.
Section 3. Personal Data Classification
Section 4. Personal Data Classification Matrix
Personal Data Attribute                Category
Full Name                              Personal Information
Gender or Sex                          Sensitive Personal Information
Place of Birth                         Sensitive Personal Information
Date of Birth                          Sensitive Personal Information
Mother’s Maiden Name                   Personal Information
Citizenship or Nationality             Sensitive Personal Information
Alien Certificate of Registration      Sensitive Personal Information
Passport Number                        Sensitive Personal Information
Present Address                        Personal Information
Permanent Address                      Personal Information
Home Number                            Personal Information
Mobile Number                          Personal Information
Email Address                          Personal Information
Civil Status                           Sensitive Personal Information
Tax Identification Number              Sensitive Personal Information
SSS or GSIS Number                     Sensitive Personal Information
Health Information                     Sensitive Personal Information
Job Position or Rank                   Personal Information
Source of Funds                        Sensitive Personal Information
Other transactional data               Sensitive Personal Information
This Chapter lays out the data lifecycles and processing systems in existence within the organization, from the collection of Personal Data through its use, storage, disclosure, retention, and destruction. Personal Data shall be safeguarded using a combination of technical access controls and robust procedures, with all changes supported by Data Privacy and Internal Audit controls.
Section 1. Collection
UBX collects the Personal Data of Data Subjects from the following sources: 1) information the Company collects about Data Subjects when they contact the Company through authorized representatives and channels; and 2) information the Company collects about Data Subjects from public records and from other sources authorized to disclose their Personal Data.
Section 2. Use
UBX processes the Personal Data of Data Subjects only where there is a lawful basis under the law, upon their express consent, and/or where necessary to fulfill contractual obligations.
Section 3. Storage
The Personal Data of UBX Data Subjects shall be stored only in a well-managed environment, whether physical or electronic. The Company shall put in place the necessary, effective, and efficient mechanisms and precautions to protect Personal Data from loss, misuse, and unauthorized access, disclosure, alteration, and destruction while under the Company’s control.
Section 4. Access
Due to the sensitive and confidential nature of the Personal Data under the custody of the Company, only authorized representatives of UBX shall be allowed to access such Personal Data.
Section 5. Transfers and Disclosures
All data, in whatever form and of whatever nature, shall be transferred via a UBX-approved medium using secure, encrypted means and/or a password-protection mechanism, subject to the Company’s policy and the approval of the Business Unit Head involved.
Section 6. Data Sharing
Data Sharing occurs when Personal Data is disclosed by one Personal Information Controller to another Personal Information Controller for purposes of enhancement, monetization, the provision of public services as provided by law, or any other legitimate business purpose.
Section 7. Retention
Personal Data shall be retained only for as long as necessary in the following circumstances: 1) the fulfillment of the declared, specified, and legitimate purpose, until the processing relevant to that purpose has been terminated; 2) the establishment, exercise, or defense of legal claims; and 3) legitimate business purposes, which must be consistent with the standards followed by the applicable industry or approved by the appropriate government instrumentalities, agencies, or bureaus.
Section 8. Disposal
Data Disposal is mandatory upon the expiration of the retention period, or when a Data Subject expressly requests the disposal or deletion of their Personal Data, subject to the terms and conditions and contractual obligations of UBX.
As a Personal Information Controller or Processor, UBX ensures reasonable and appropriate physical, technical, and organizational measures for the protection of Personal Data. These security measures aim to maintain the availability, integrity, and confidentiality of Personal Data and to protect it against natural dangers, such as accidental loss or destruction, and human dangers, such as unlawful access, fraudulent misuse, unlawful destruction, alteration, and contamination.
Section 1. Organizational Security Measure
Section 2. Physical Security Measures
UBX shall establish procedures to monitor and limit access to the facilities containing Personal Data, and to the activities therein, so that Personal Data under the custody of the Company is protected from mechanical destruction, tampering, alteration, man-made disasters, power disturbances, external access, and other similar threats.
Section 3. Technical Security Measures
UBX shall implement technical security measures to ensure that appropriate and sufficient safeguards secure the processing of Personal Data, particularly on the computer network in place, including encryption and authentication processes that control and limit access. Available technologies and tools for the encryption, masking, anonymization, or pseudonymization of Personal Data shall be used for data protection, subject to industry standards, policy, and recommendations.
This Chapter enumerates the policies and procedures that apply if and when the Company is subjected to a Personal Data Breach and/or Security Incident. These complement the Information Security Policies on Cyber-Attack Response, Security Incident Reporting, and Personal Data Breach Notification, as well as National Privacy Commission Circular No. 16-03 on Personal Data Breach Management.
Section 1. Data Breach Response Team
There shall be a Data Breach Response (hereinafter referred to as “DBR”) Team to ensure that Security Incidents and/or Personal Data Breaches are handled with the vigilance and diligence required by the Data Privacy Act. The DBR Team shall be co-headed by the Data Protection Officer (DPO)
Section 2. Mitigating Measures
Section 3. Procedure for Recovery and Restoration of Personal Data
UBX shall always maintain a backup of all Personal Data under its custody. In the event of a Security Incident or Data Breach, it shall compare the backup with the affected file to identify any inconsistencies or alterations resulting from the incident or breach.
Section 4. Personal Data Breach Notification
UBX shall notify the National Privacy Commission and the affected Data Subjects when the following conditions occur:
Section 5. Investigation of a Breach or a Security Incident
Depending on the nature of the incident, or if there is failure or delay in the notification, the Commission may investigate the circumstances surrounding a Personal Data Breach, subject to the Rules of Procedure of the Commission.
Section 6. Documentation and Reporting Procedure of Security Incidents or a Personal Data Breach
The Data Breach Response Team shall prepare detailed documentation of every incident or breach encountered, as well as an annual report, to be submitted to management and to the Commission within the prescribed period.
Section 7. Dealing with Personal Information Processor
In case a Personal Data Breach occurs at a Personal Information Processor of the Company, the Processor shall be mandated to notify the Company within twenty-four (24) hours from knowledge of the Security Incident or Personal Data Breach, to enable the Company to take the necessary measures to assess the extent and scope of the compromised data and systems, and the damage to the integrity, confidentiality, and availability of information. The Data Protection Officer of the Processor shall immediately coordinate with the Company’s Data Protection Officer to comply with the notification requirements.
Section 1. Deviation
A Deviation is any departure from approved and established UBX corporate policies and procedures.
Section 2. Deviation Request
A Deviation Request (DR) is initiated when a deviation from policies, standards, processes, or procedures is needed by the Business. By signing the DR, the deviation proponent or owner acknowledges the information security and data privacy risks involved. The DR shall identify the employees, agents, or representatives concerned, particularly those who will have access to Personal Data, who remain subject to the acts or omissions punishable under the Data Privacy Act and its Implementing Rules and Regulations, as well as other pertinent regulations on data protection.
Section 3. Non-compliance
UBX employees and representatives who fail to comply with the stipulations of this MANUAL and fail to procure the required DR shall submit a written explanation, addressed to the Data Privacy Office, stating why the non-compliance was committed. The Data Protection Officer and Human Resources will determine the merits of the case and the necessary course of disciplinary action to pursue, subject to the Code of Conduct and internal policies of the Company.
If you have any questions, concerns, or disputes regarding our Privacy Policy, please feel free to contact our Data Protection Officer at dpo@ubx.ph.