DATA PRIVACY POLICY

INTRODUCTION

Financial Executives Institute of the Philippines (“FINEX”) is a non-stock, non-profit, non-political association organized in 1968 to develop the financial knowledge and skills of its members, provide support via sound financial management to business and government, and encourage fellowship among its members.

FINEX’s privacy practices are developed in accordance with Republic Act No. 10173 or the Data Privacy Act of 2012 and its implementing rules and regulations (collectively, the “DPA”).

This privacy policy (“Policy”) explains how FINEX implements its commitment to collect and process personal data in accordance with the DPA. It sets out information that we must provide to the individuals (“data subjects”) whose personal data we collect and process.

When we use the term “personal data”, we mean data that constitutes personal information or sensitive personal information, as these terms are defined under the DPA.

WHAT PERSONAL DATA DO WE COLLECT AND PROCESS?

We collect and process personal data necessary for FINEX’s corporate and business purposes. We obtain most of this data directly from data subjects. Such personal data consists of, among others:

• Names;

• Age;

• Marital status;

• Email addresses;

• Mailing addresses;

• Telephone and cellphone numbers;

• Educational background;

• Photographs;

• Business and professional data;

• Information for account administration (such as usernames and passwords); and

• IP addresses.

WHAT DO WE USE THE PERSONAL DATA FOR? HOW DO WE USE IT?

We collect and process personal data for which data subjects have provided the data or made it otherwise available to us or to the public, and to enable us to fully and efficiently achieve those purposes.

Among these purposes are:

1. to review and process applications (whether for membership or employment);

2. to administer and monitor membership rights and duties;

3. to organize, conduct, provide information about, assess, and market membership; and other FINEX activities and programs;

4. to conduct studies, surveys, research and otherwise gather data;

5. to review, enter and perform contracts;

6. to comply with, and exercise our rights, under contracts and agreements, and the law;

7. to conduct operations, obtain services and advice, implement systems, and render and improve services;

8. to communicate with data subjects as may be necessary; and

9. other purposes comprising FINEX’s legitimate interest.

Thus, we would collect and process personal data where there is consent or a request from the data subject, it is necessary in order to perform a contract, it is needed to comply with a legal obligation or is otherwise required by law, there is a legitimate interest on the part of FINEX, or under such other basis as may be permitted by law. Where we need consent of a data subject, this would be obtained where the data subject provides it upon request, when the data subject signs a consent or similar form, or otherwise expresses it in accordance with the provisions of the DPA.

Processing will be conducted only as may be required by these purposes and in the ordinary course of FINEX’s operations. We utilize standard manual and computerized methods and systems to file, store and process personal data.

HOW MAY WE DISCLOSE PERSONAL DATA?

To achieve FINEX’s corporate and business objectives, it may need to transfer or provide Personal Data to persons and entities outside the association. These would include government and regulatory agencies, counterparties in contracts for goods and/or services, Finex members and applicants, and organizations and entities with which FINEX partners or cooperates with on projects and activities, from time to time. Some of these persons and entities may be outside the Philippines.

Where the law requires that we enter into certain contracts with recipients of Personal Data, FINEX will do so.

HOW LONG WILL WE RETAIN PERSONAL DATA?

FINEX will keep Personal Data only as long as it remains necessary or relevant for the purposes set out in this Policy and in accordance with the terms and conditions of the relevant agreement with the data subjects, unless longer retention is required to meet legal or regulatory requirements.

WHAT ARE THE RIGHTS OF DATA SUBJECTS?

Under the DPA, data subjects have the right to be informed of their data privacy rights. These rights are:

1. Right to be informed– prior to collection and processing of their personal data, data subjects have the right to be informed of the following:

2. 1. 1. The fact of collection and processing of personal data pertaining to the data subject;

      2. Description and categories of personal data being collected and processed;

      3. Purpose for the collection, and processing, including the purposes for data sharing or automated processing;

      4. Lawful basis of the collection and processing, when the data subject has not given consent;

      5. Scope and method of personal data processing;

      6. Identities of intended recipients of personal data;

      7. Methods and logic used for automated processing, if any;

      8. Identity and contact details of the personal data controller or its representative;

      9. Retention period; and

      10. Rights of a data subject.

This Policy sets out this information, where applicable.

2. Right to object – Data subjects have the right to indicate their refusal to the collection and processing of their personal data, including processing for direct marketing, automated processing, or profiling. They also have the right to be informed and to withhold their consent to further processing in case there are any changes or amendments to information given to them concerning the processing of their personal data. Once they have withheld consent, further processing of their personal data will no longer be allowed, subject to certain exceptions under the law.
3. Right to access – upon request in writing, data subjects should be given access to the following:
   1. Contents of their personal data that were processed;

   2. Sources from which their personal data were obtained;

   3. Identities and addresses of recipients of their personal data;

   4. Manner by which their personal data were processed;

   5. Purposes for granting access to the recipients of their personal data;

   6. Information on automated processing, in case the data was used as the sole basis for any decision that significantly affects or will significantly affect them as a data subject;

   7. Date when their personal data was last accessed or modified;

   8. The designation, identity, and address of the personal information controller.

4. Right to rectification – Data subjects have the right to dispute any inaccuracy or error in their personal data and may request the controller to immediately correct any such inaccuracy or error. Upon reasonable request, and after the correction has been made, the controller should then inform any recipient of their personal data of its inaccuracy and the subsequent rectification that was made.

5. Right to erasure or blocking – in the absence of any other legal ground or overriding legitimate interest for the lawful processing of personal data, or when there is substantial proof that personal data is incomplete, outdated, false, or has been unlawfully obtained, they may request the controller to suspend, withdraw, or order the blocking, removal, or destruction of personal data from its filing system. The controller may also notify those who have previously received their processed personal data.

6. Right to damages – they have the right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of their personal data, taking into account any violation of their rights and freedoms as a data subject.

7. Right to data portability – in case personal data was processed through electronic means and in a structured and commonly used format, they have the right to obtain a copy of their personal data in such electronic or structured format for their further use, subject to the guidelines of the National Privacy Commission (NPC) with regard to the exercise of such right.

8. Transmissibility of rights of the data subject – upon their death, or in case of their incapacity or incapability, their lawful heirs and assigns may invoke their rights as a data subject in their place and stead.

9. Right to lodge a complaint before the NPC – Data subjects also have the right to lodge a complaint before the NPC in accordance with their relevant rules of procedure.

   OUR DATA PRIVACY OFFICE

   We have appointed a Data Protection Officer to oversee data privacy compliance. He may be contacted at:
   Mr. Michael B. Vinluan
   Unit 1901, 19/F, 139 Corporate Center, Valero St., Salcedo Village, Makati City
   (+632) 8114052 / 8114189
   mbvinluan@finex.org.ph

   SECURITY MEASURES

   FINEX has taken appropriate security measures to protect Personal Data that it collects and processes against unauthorized access or unauthorized alteration, disclosure, or destruction, appropriate to the sensitivity of the data.

   FINEX protects Personal Data shared with third party service providers by employing contractual or other means in an effort to ensure that any such service provider will provide a comparable level of protection while Personal Information is being processed by that service provider.

   INCIDENT MANAGEMENT

   FINEX will comply with the relevant provisions of the DPA on addressing personal data breaches and security incidents, including notification to the NPC and the relevant data subjects, if necessary and required.

   AMENDMENTS

   FINEX may amend or update this Policy from time to time. Amendments and supplements will be made available at FINEX’s website at www.finex.org.ph, and data subjects are requested to check the website regularly.