Philippines

Yusen Logistics Philippines Data Protection Policy

This document covers basic information on how Yusen Philippines adheres to the Data Privacy Act 10173 and other related international laws

1. Introduction

As a leading global logistics company, Yusen Logistics provide services of outstanding quality and safety with careful attention to fairness and integrity in our business activities to win the trust and satisfaction of our customers.  We are engaged in international business activities, as such, we observe and honor the word and spirit of all applicable laws and regulations of the countries in which we operate.

At Yusen Logistics, we highly value privacy in our relationships with customers, suppliers and our employees. As part of our corporate responsibility, we are committed to compliance with Data Protection Laws.  This Privacy Policy provides a framework of conditions and principles on how we use and process personal data and how we ensure an adequate level of data protection.

We believe that ensuring adequate data protection is the foundation of trustworthy business relationships.  Therefore, this Privacy Policy not only applies to Yusen Logistics Philippines  head office (hereafter YLPH), but to all our branches in the Philippines.

All YLPH employees will be responsible for compliance with this Privacy Policy. If there is any reason to believe that legal obligations or local legislation contradict with the principles of this Privacy Policy, Yusen Logistics Philippines will work closely with the relevant company to find a practical solution that meets the legislative requirements as well as the purposes of this Privacy Policy.

As part of our compliance program, we will continue reviewing and updating our corporate policies, internal processes and contractual relationships where required and monitor regulatory guidance to ensure compliance with data protection regulations.

The latest version of this Privacy Policy can be found on Yusen Philippines website and will be provided upon request.  For more information, please contact the Legal and Compliance Department of Yusen Logistics Philippines at Amvel Business Park, San Dionisio Road Paranaque.

2. Basic Principles for using and processing personal data

This Privacy Policy establishes a framework of rights and duties which are designed to safeguard personal data. It aims to balance the legitimate need of Yusen Logistics to collect and use personal data for business or other purposes with the right of individuals to retain the privacy of their personal details.

This Data Protection Policy is based on 8 principles which define how personal data may be lawfully used and processed.

1. Fairness and Lawfulness

We will use and process personal data lawfully, fairly and in a transparent manner only to the extent necessary for providing our services or performing our contractual obligations.

2.Legitimate Purpose

We will only use personal information for one or more specified and legitimate purposes. Personal data will not be used or further processed in any manner incompatible with those purposes. When we need to use personal information beyond the scope of such purposes, we shall obtain your (additional) consent, unless extended use would be permitted by law or regulation;

3. Data minimization

Personal data should be adequate, relevant and limited to what is necessary in relation to the purpose for which it was provided. This means that we will not collect personal data in advance or store personal data for (potential) future purposes, unless required or permitted by law;

4. Accuracy

We will keep personal data accurate and up-to-date and shall take all reasonable steps to ensure that personal data that is inaccurate will be removed or rectified without delay;

5. Limited retention 

We will keep personal data no longer than is necessary for the purposes for which the personal data was provided. Unless otherwise prescribed by law, personal data that is no longer needed or relevant will be purged or deleted. This will apply to both electronic and non-electronic personal data;

6. General Data Protection Regulation

We will honor and respect your (data subject’s) rights under the Data Privacy Act or Republic Act 10173.  This means that you will have the right to know which personal information we store, why we need it and how we use or process it. Furthermore, you will have the right to access your personal data, ask for rectification, removal or object to the processing of it;

7. Integrity and Confidentiality

Your personal data is subject to data secrecy. This means that we will take appropriate technical and organizational measures against unauthorized or unlawful use or processing of your personal data and against accidental loss, destruction or damage of your personal data.

8. Data Transfer outside the Philippines

We will not transfer your personal data to a country or a territory outside the Philippines unless that country or territory ensures an adequate level of data protection in relation to the processing of your personal data;

3. Processing of Customer and Third-Party Data

Collecting, using and processing personal data of customers, suppliers and/or other third-parties will only be permitted under the following conditions

1. Data Processing for a Contractual Relationship

We will only use and process personal data of relevant prospects, customers, suppliers and/or other third-parties in order to establish, execute or terminate a contract. Prior to entering into a contract, personal data may be processed to prepare bids, Requests For Quotations (RFQs) or purchase orders and/or to fulfill other requests of the customer. We may contact customers in a pre-contractual phase by using the information that it has provided. Where appropriate, we will observe any restrictions requested by the customer relating to the use and/or processing of personal data.

2. Data Processing for Advertising Purposes

Personal or customer data may be processed for advertising purposes or market and opinion research, provided that this is consistent with the purpose for which the data was originally collected or provided. Where appropriate, we will inform our customer about the use if his/her personal data for advertising purposes. If the customer objects to the use of its personal data for advertising purposes, we will no longer use the data and block it from being used.

3. Consent to Data Processing

Personal Data will only be processed following consent of the customer or data subject. We will duly inform the customer and data subjects about the use and purpose of its personal data before giving consent. Although consent may be withdrawn at any time, withdrawal will not affect the lawfulness of processing based on consent before its withdrawal.

4. Data Processing pursuant to Legal Authorization

Customers should be aware that the processing of personal data may (also) be permitted if national legislation requires to do so. The type and extent of such data processing should be necessary for the lawful and authorized data processing activity and we will, in such a case, observe all relating and relevant statutory provisions.

5. Data Processing pursuant to Legitimate Interest

We will be allowed to process personal data if we have a legitimate interest. Legitimate interests are generally of a legal or commercial nature and may include the collection of outstanding receivables or to avoid a ‘breach of contract’. However, we will not process personal data for the purposes of a legitimate interest if, in any individual case, there is reason to believe or evidence that the interests of a data subject merits protection.

6. Processing of Highly Sensitive Data

We will not process highly sensitive personal data unless the law requires to do so or the data subject has given explicit consent. We may also process highly sensitive personal data if that would be required for asserting, exercising or defending legal claims regarding or relating to that data subject

7. User Data and Internet

We will inform customers and data subjects if we collect, use or process personal data on websites.

The information we use will be easy to identify and access and be made available for data subjects upon request. If user profiles are created to evaluate and identify the use of websites, the data subjects will be properly informed and asked for consent. We will not use personal data for personal tracking, unless permitted by law.

4. Processing of Employee data

Collecting, processing and using personal data of Employees will only permitted under the following conditions:

1. Data Processing for the Employment Relationship

Personal data may be processed in the employment relationship between Yusen Logistics and its employees to establish, execute or terminate the employment agreement. When establishing an employment relationship, the applicants’ personal data may be processed. If the candidate is rejected, we will, where appropriate, purge his/her personal data with observance of the statutory retention period, unless the applicant has agreed and consented to remain on file for future selection processes (maximum one year).

In the existing employment relationship - and to the extent none of the following circumstances for authorized data processing would apply - data processing should always relate to the purpose of the employment relationship or the execution of the employment agreement. If it would be necessary to collect information of an applicant from a third-party (e.g. employment agency) the requirements of the corresponding local laws should be observed. In cases of doubt, we will obtain consent from the applicant or data subject.

2. Data Processing pursuant to Legal Authorization

The processing of personal data of employees will also be permitted if national legislation requests, requires or authorizes this. The type and extent of data processing should, in such a case, be necessary for the lawful and authorized data processing activity and we will make sure to observe the relevant statutory provisions. If there is some legal flexibility, the interests of the employee that merit protection will be taken into consideration.

3. Collective Agreements on Data Processing

If a data processing activity exceeds the purposes of fulfilling an individual employment agreement, it may still be lawful on the basis of a collective employment agreement. Collective employment agreements are pay scale agreements or agreements between employers and employee.

representatives within the scope allowed under the relevant (national) employment laws. In such a case we will make sure that the agreements will cover the specific purpose of the intended data processing activity and will reflect the requirements of (national) Data Protection legislation.

4. Consent to Data Processing

We will duly inform our employees about our personal data activities. Where appropriate, we will ask our employees for consent to use and process personal data. Confirmations of consent must be given voluntarily. Consent will be obtained in writing or electronically for the purposes of documentation. If consent will be given verbally, we will confirm and document it in writing. The Employee may withdraw consent at any time, however, such withdrawal will not affect the lawfulness of processing based on consent before its withdrawal.

5. Data processing pursuant to Legitimate Interest

We will be allowed to process personal data if we have a legitimate interest. Legitimate interests are generally of a legal or financial nature and may include, amongst others, filing, enforcing or defending against legal claims and restructuring, or redundancy procedures.

We will not process personal data if, in any individual case, there is reason to believe or evidence that the interests of the employee merit protection. The legitimate interest of the company and any interests of the employee meriting protection shall, in such a case, be identified and documented before any measures are taken.

6. Processing of Sensitive Information

The Data Privacy defines Sensitive Personal information

- About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical    or political affiliations;

- About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;

- Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and

- Specifically established by an executive order or an act of Congress to be kept classified.

The processing of highly sensitive information must be explicitly permitted by the employee or prescribed by national law. However, we will be allowed to process highly sensitive data if that would be required by the authorities to fulfill its rights and duties in the field of employment law or social security. In all other cases, processing of highly sensitive information is subject to prior approval of the Chief Compliance Officer of Yusen Logistics Philippines.

5. Transfer and External Processing of Personal Data

Transfer of personal data to recipients inside or outside Yusen Logistics is subject to the requirements for processing of personal data under articles 2, 3 and 4.

We will require the data recipient to (i) only use the personal data for specific and defined purposes; and (ii) ensure an adequate level of data protection in relation to the processing of your personal data, either by internal policies or by law.

If data processing will be carried out on behalf of Yusen Logistics, we will require the data recipient to enter into a Data Processing Agreement.

In such a case, the following recommendations should be observed:

- The data recipient should be selected on the basis of its ability to ensure an adequate level of data protection;

- The instructions and the responsibilities of the data recipient should be duly documented;

- Depending on the risks relating to data processing, privacy reviews should be undertaken on a regular basis;

6. Confidentiality and Safeguards

Personal data will be subject to data secrecy. We will provide our staff access to personal information on a ‘need-to-know’-basis only. Access will be provided to the extent appropriate for the execution of their functional tasks. Our staff will not be allowed to use personal data for private or commercial purposes, to disclose it to unauthorized persons or to make it available in any other way.

We will make sure that personal data will be properly safeguarded from unauthorized access and unlawful processing or disclosure, as well as accidental loss, modification or destruction. This principle applies regardless of whether data is processed electronically or in paper form.

Before the introduction of new methods of data processing, particularly new IT systems, we will define and duly implement technical and organizational measures to protect personal data. The technical and organizational measures for protecting personal data are included in Yusen Logistics’ IT Security Guidelines. These guidelines will be reviewed on a regular basis and will be amended to technical developments and organizational changes.

7. Data Protection Assessments

Yusen Logistics Philippines will check compliance with the National Privacy Commission and this Privacy Policy on a regular basis with Data Protection Impact Assessments, Internal Audits and other available and appropriate controls. The results and effectiveness of these data protection controls will be reported to Yusen Logistics Management. On request, the results of these data protection controls will be made available to the responsible Data Protection Authorities. We should note that the responsible Data Protection Authorities may perform their own controls of compliance with the data protection regulations and this Privacy Policy, as permitted under national law.

8. Data breach and Notification System

All Employees should inform their supervisor, manager and compliance officer immediately in case of a (potential) violation of this Privacy Policy, a personal data breach or any other regulations for the protection of personal data. Events considered to constitute to a data breach are, amongst others:

- improper transmission of personal data to third-parties;

- improper access by third-parties to personal data; or

- loss of personal data.

In case of a personal data breach, Yusen Logistics Philippines through its Compliance Officer and/or Data Privacy Officer shall without undue delay and, where feasible, not later than 72 hours after having become aware or notified of such a breach, notify the competent Data Protection Authorities. This notification should, amongst others, include:

- Description and nature of the personal data breach, including the categories and approximate number of Data Subjects;

- Name and Contact details of the responsible compliance officer;

Description of the likely (potential) consequences of the personal data breach;

Description of the measures taken to address the personal data breach and/or mitigate the consequences.

9. Responsibilities

Yusen Logistics Philippines will be responsible for compliance with this Privacy Policy and adhering to applicable (national) data protection regulations. Our local management will make sure all organizational, HR and technical measures are in place, such that processing of personal data may be carried out safely and in accordance with the Data Privacy Act and EU General Data Protection Regulation (or any other relevant data protection law) and this Privacy Policy.

The company will assign a Data Privacy Officer who will be responsible for (i) local implementation of this Privacy Policy; (ii) regular data protection (impact) assessments; and (iii) adequately training staff on data protection and awareness. Yusen Logistics Philippines will provide additional support where necessary or required.

We encourage any employee or data subject to approach the Data Privacy Officer (or the Legal and Compliance Department of Yusen Logistics Philippines) at any time to raise concerns, ask questions, request information or make complaints relating to data protection or data security issues. We will make sure that concerns and complaints will be handled adequately and in a confidential manner.

All should be aware that Improper processing of personal data, or other violations of Data Protection Laws, may be criminally prosecuted and result in (significant) claims for compensation of damages. Employees should know that violations for which individual employees are responsible may lead to sanctions under employment law, including termination of employment.

Useful Resources

Data Privacy Act or Republic Act 10173

https://www.privacy.gov.ph/data-privacy-act/

The EU General Data Protection Regulation, EU 2016/679:

http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG