LICA MANAGEMENT INC. (LICALAND) DATA PRIVACY POLICY

INTRODUCTION

This Data Privacy Policy (POLICY) is hereby adopted in compliance with Republic Act No. 10173 or the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations, and other relevant policies, including issuances of the National Privacy Commission. LICA MANAGEMENT INC. (LICALAND) respects and values your data privacy rights, and makes sure that all personal data collected from you, our clients and customers, are processed in adherence to the general principles of transparency, legitimacy, proportionality, and confidentiality. This Policy shall inform you of our data protection and security measures that apply to any personal data we collect including via our websites. When accessing our websites and/or availing our services from outside the Philippines, you acknowledge and agree that your information may be transferred to and processed in the Philippines following legal and regulatory standards for data protection that may differ from your current or home jurisdiction.

1.0 DEFINITIONS OF TERMS

1.1 Data Privacy Act (DPA) refers to Republic Act 10173 or the Data Privacy Act of 2012 and its Implementing Rules and Regulations.

1.2 Data Subject refers to an individual whose personal, sensitive personal or privileged information is processed by LICA. It refers to consultants, customers, clients, and/or any person which LICA may have transacted. It may also refer to employees, staff, officers or representatives of LICA.

1.3 LICA LAND refers to the corporation, Lica Management, Inc. It may also refer to officers, employees, staff, or representatives.

1.4 Personal Data refers to all types of personal information, sensitive personal information, and privileged information.

1.5 Personal information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent and can be reasonably and directly ascertained by the entity holding the information or when to put together with other information would directly and certainly identify an individual;

1.6 Processing refers to any operation or set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual.

1.7 Privileged information refers to any and all forms of personal data, which, under the Rules of Court and other pertinent laws constitute privileged communication.

1.8 Security incident is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data. It includes incidents that would result in a personal data breach, if not for safeguards that had been put in place.

1.9 Sensitive Personal Information refers to personal data:

1.9.1 About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
1.9.2 About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
1.9.3 Issued by the government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous and current health records, licenses or its denials, suspension or revocation, and tax returns; and
1.9.4 Specifically established by an executive order or an act of Congress to be kept classified.

2.0 DATA PRIVACY PRINCIPLES

2.1 All processing of personal data on LICA’s website are conducted in compliance with the following data privacy principles of transparency, legitimacy, and proportionality as enunciated in the DPA;

3.0 DATA PROCESSING RECORDS

3.1 Adequate records of LICA’s personal data processing activities are maintained and updated at all times. It ensures that these records are kept up-to-date. These records shall include:

3.1.1 Information about the purpose of the processing of the personal data, including any intended future processing or data sharing;
3.1.2 A description of all categories of data subjects, personal data and recipients of such personal data that will be involved in the processing;
3.1.3 General information about the data flow on LICA’s website, from the time of collection, processing, disclosure, use, retention, including the time limits for disposal or erasure of personal data;
3.1.4 A general description of the organizational, physical, and technical security measures in place within LICA’s website; and
3.1.5 The name and contact details of staff members in charge for monitoring compliance with the applicable laws and regulations for the protection of data privacy subject and security.

4.0 DATA WE COLLECT

4.1 On the categories of personal data we collect and process, this would be the data that you or other data subjects provide to us, such as your name, address, email address, telephone number, age, marital status, information issued by government agencies, and other information that may be used to enter into or help perform a contract we have with you, provide you with products and services, communicate with you, or meet any of the purposes set out in schedule.
4.2 Credit History, bank account, and credit card information provided in our website in availing our products or services;
4.3 Employment history, educational background and income information when you apply a job with LICA;
4.4 Insofar as you disclose personal data when accessing or visiting LICA’s website and digital platforms, we may process such personal data as well. We may collect and process information that is normally collected as a standard part of your browsing activity. This may include your IP-address, access times, system activity, cookies, device identifier and hardware information, and other log information that is collected when you browse or visit our sites and accounts including but not limited so social media profile information, IP addresses, your browsing behavior on our digital assets, and session lengths that are collected by website analytic tools and cookies.
4.5 Where personal data is publicly available, we may be able to collect the data from such public sources, including any online presence you may have.

5.0 HOW WE COLLECT AND PROCESS PERSONAL DATA

5.1 We may be able to obtain personal data in various ways, including when you –

5.1.1 enters into an agreement with us, whether or not written, including an employment contract, project agreement or other contracts when you avail of our products or services; use our digital platforms;
5.1.2 submits to us any application, form, request, notice, or some other document either manually or online thru our digital assets;
5.1.3 interact with our sales or customer care agents, reservation officers, and specialists through email, phone, chat services or face-to-face meetings;
5.1.4 inquires after or applies for employment, request and/or complaints;
5.1.5 Becomes an employee, officer, consultant, agent, supplier or service provider of the corporation;
5.1.6 Accesses, browses, visits, or uses any of our websites, platforms, social media presence, and other online presence including responding to surveys, promotions and other marketing and sales initiatives; or
5.1.7 Visit our premises such as malls, offices, hotels, and resorts equipped with CCTV surveillance camera;
5.1.8 Otherwise provides us with personal data, whether directly or through another Person.

6.0 USE OF PERSONAL INFORMATION

6.1 General Uses of Personal Information – Data Subject personal information maybe use in a variety of ways including but not limited to;

6.1.1 comply with and exercise our rights under contracts and agreements, and the law, as may be required by our operations and in pursuit of our legitimate business and commercial objectives;
6.1.2 perform and improve our services, and address concerns, request or questions about those services;
6.1.3 enhance customer experience by delivering products and services that match clients/customers preference and needs;
6.1.4 obtain services and advice for our operations and business;
6.1.5 implement efficiencies and best practices;
6.1.6 conduct surveys, research, and data gathering exercises;
6.1.7 market, promote and share information about the company and our services;
6.1.8 communicate with you; and
6.1.9 allow audits and diligence for compliance and other review by advisers or third parties. In this regard, we will require such advisers or third parties to enter into a confidentiality agreement.

6.2 OTHER USES BY NATURE OF OUR DEALINGS

6.2.1 Inquiry or purchase of property/application for a tenancy on property.

6.2.1.1 Conduct of appropriate due diligence background checks for identification and verification;
6.2.1.2 Registration of inquiry and processing your application;
6.2.1.3 Preparation of necessary documentation as may be requested;
6.2.1.4 Financial transactions related to sale or lease;
6.2.1.5 Managing unit turn-over activities;
6.2.1.6 Communication of advisories and changes in relation to the sale or changes in the terms and conditions related to a lease contract.

6.2.2 Being a guest or resident in our hotels and residences.

6.2.2.1 Providing the services requested such as to facilitate reservations, identity verification, send confirmations; assist you with meetings, events or celebrations; and confirm details of your accommodation;
6.2.2.2 Facilitate applications to our partner reward and membership clubs;
6.2.2.3 Providing you with value-added services such as processing for your seamless arrival and departure, resident cards, babysitting, and spa and fitness requirements, and performing all financial processes related to the transaction; and
6.2.2.4 Personalizing client’s entire hotel and residences experience with tailor-fit products, services, and offers, including those performed by third parties such as courier and transportation services;

6.2.3 Being a guest or shopper in our malls.

6.2.3.1 Monitoring security, crime, and emergency incidents and situations within mall premises through camera recording and surveillance;
6.2.3.2 Determining whether eligibility to participate in any offer, service, event, or activity in our malls or can avail of any discount or privilege;
6.2.3.3 Generation of data insights from customer feedback and/or mall traffic;
6.2.3.4 Communication in relation to queries, requests, and complaints, and conducting any follow-up as may be necessary.

6.2.4 Use any of digital platform.

6.2.4.1 Registration, verification, and maintenance of account, as applicable;
6.2.4.2 Assessing your eligibility for certain rewards and programs, and informing you of products, services, events, promotions, and initiatives that may be of interest to you;
6.2.4.3 Providing personalized customer experience by maintaining personal profile/dashboard and by showing targeted advertisements that may match preference and needs;
6.2.4.4 Giving our third-party service providers the necessary information to implement our rewards programs and access to any advanced features of our digital platform, as applicable;

6.2.5.5 Being a vendor, prospective vendor, or contractor.

6.2.5.1 Evaluation of proposal and conduct of corresponding background checks;
6.2.5.2 Assessing vendor’s viability and processing of accreditation;
6.2.5.3 Communicating the matters related to our required products and services; and performing other actions necessary or desirable in the implementation of our contract.

6.2.6 Application for employment or becoming our employee

6.2.6.1 Conduct of appropriate background investigation, reference
checks, pre-employment medical examination and interviews;
6.2.6.2 Communication of the status of applicant’s candidacy;
6.2.6.3 Processing of compensation, allowances, expense reimbursement and monitoring of attendance and leaves;
6.2.6.4 enrollment in our benefit programs which may include health insurance, medical insurance, retirement plan and social security;
6.2.6.5 Assisting employee’s professional development through performance management, career development, seminars, workshops, and training;
6.2.6.6 Becoming part of our employee engagement activities and programs, such as events, employee surveys, and incentives and discounts offered subject to approval of management;
6.2.6.7 Compliance with our obligations under the law as required by government organizations and local government units; and
6.2.6.8 Facilitation, upon separation with the company, of employee’s exit interview, clearances, and other procedures necessary to process the final pay.

7.0 HOW WE PROTECT PERSONAL INFORMATION

7.1 The integrity, confidentiality, and security of your information are important to us. That’s why we strictly enforce our privacy statement within LICA and have implemented technical, organizational, and physical security measures that are designed to protect your information from unauthorized or fraudulent access, alteration, disclosure, misuse, and other unlawful activities. These are also designed to protect your information from other natural and human dangers.

7.2 We also put in effect the following safeguards:

7.2.1 We keep and protect your information using a secured server behind a firewall, encryption and security controls;
7.2.2 We restrict access to your information only to qualified and authorized personnel who are trained to handle your information with strict confidentiality;
7.2.3 We undergo regular audits and rigorous testing of our infrastructure’s security protocols to ensure your data is always protected;
7.2.4 We promptly notify the data subject and the competent data protection authority, when sensitive personal data that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person;
7.2.5 We let you update your information securely to keep our records accurate.

8.0 DATA RETENTION SCHEDULE

8.1 Subject to applicable requirements of the DPA and other relevant laws and regulations, personal data shall not be retained by LICA for a period longer than necessary and/or proportionate to the purposes for which such data was collected to (a) provide the products and services that you avail from us, (b) for our legitimate business purposes, (c) to comply with pertinent laws, and (d) for special cases that will require the exercise or defense of legal claims and for a maximum retention period of twelve (12) years from your service’s permanent deactivation.

Whenever you provide information, we retain said information for the amount of time necessary in order for us to complete the declared purposes for which your personal data was collected (e.g., to respond to your inquiry, process your unit reservations, manage your bookings, facilitate payment or establish and fulfill our contract with you).

When we no longer need to use your information, we will remove it from our systems and records or take steps to anonymize it so that you can no longer be identified from it (unless we need to keep your information to comply with legal or regulatory obligations to which we are subject).

10. WHEN WE DISCLOSE YOUR PERSONAL INFORMATION

10.1 There are a variety of circumstances where we may need to share some of the information that you have provided to us. In these cases, we ensure that your personal data is disclosed on a confidential basis, through secure channels, and only in compliance with applicable privacy laws and regulations.
10.2 We will never share, rent, or sell your personal data to third parties outside of LICA except in special circumstances where you may have given your consent for, and as described in this policy.
10.3 In some instances, we may be required to disclose your personal data to our agents, subsidiaries, affiliates, business partners, contractors, and other third-party agencies and service providers as part of our regular business operations and for the provision of our products and services. This means we might share your information with:

10.3.1 Our service providers, contractors, and professional advisers who help us provide our products and services. This includes partner companies, their subsidiaries or affiliates, contractors, their sub-contractors, suppliers, auditors, lawyers, insurers, credit providers such as banks, and consultants who provide technical, financial, administrative, and other support necessary for the operation.
10.3.2 Our subsidiaries and affiliates with whom you have also signed-up with. We do so only for the improvement of each other’s legitimate business and operations.
10.3.3 Other companies to whom you have also given consent for us to share your information with. For example, when you sign-up for products and services offered by other companies, they may request for information from us in order for them to validate your identity; and
10.3.4 Law enforcement and government agencies, but only when required by-laws and regulations and other lawful orders and processes.

11 PERSONAL DATA NOT COVERED

This Policy does not apply to the following information:

11.1.1 Information processed for the purpose of allowing public access to information that fall within matters of public concern, pertaining to;
11.1.2 Information about any individual who is or was an officer or employee of government that relates to his or her position or functions;
11.1.3 Information about an individual who is or was performing a service under contract for a government institution, but only insofar as it relates to such service, including his name and the terms of his contract;
11.1.4 Information relating to a benefit of a financial nature conferred on an individual upon the discretion of the government, such as the granting of a license or permit, including the name of the individual and the exact nature of the benefit: Provided, that they do not include benefits given in the course of an ordinary transaction or as a matter of right;
11.1.5 Personal information that will be processed for research purpose, intended for a public benefit, subject to the requirements of applicable laws, regulations, or ethical standards; and
11.1.6 Information necessary in order to carry out the functions of public authority, in accordance with a constitutionally or statutorily mandated function pertaining to law enforcement or regulatory function, including the performance of the functions of the independent, central monetary authority, subject to restrictions provided by law.

12.0 RIGHTS OF THE DATA SUBJECT

12.1 As provided under the DPA, Data Subjects have the following rights in connection with the processing of their personal data: 1) right to be informed, 2) right to object, 3) right to access, 4) right to rectification, 5) right to erasure or blocking, and 6) right to damages. Employees and agents of LICA are required to strictly respect and obey the rights of the Data Subjects.

12.1.1 Right to be informed- the Data Subject has the right to be informed whether personal data pertaining to him or her shall be, are being, or have been processed.
12.1.2 Right to Object- the Data Subject shall have the right to object to the processing of his or her personal data, including processing for direct marketing, automated processing or profiling. The Data Subject shall also be notified and given an opportunity to withhold consent to the processing in case of changes or any amendment to the information supplied or declared to the Data Subject in the preceding paragraph.
12.1.3 Right to Access- the Data Subject has the right to reasonable access to, upon demand, the contents of his or her personal data that were processed; sources from which personal data were obtained.
12.1.4 Right to Rectification- the Data Subject has the right to dispute the inaccuracy or error in the personal data, and LICA shall correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable.
12.1.5 Right to Erasure or Blocking- the Data Subject shall have the right to suspend, withdraw, or order the blocking, removal, or destruction of his or her personal data from LICA’s filing system.

12.2 Transmissibility of Rights of Data Subjects- the lawful heirs and assigns of the data subject may invoke the rights of the Data Subject to which he or she is an heir or an assignee, at any time, after the death of the data subject, or when the Data Subject is incapacitated or incapable of exercising his/her rights.

12.3 Data Portability- where his or her personal data is processed by LICA through electronic means and in a structured and commonly used format, the Data Subject shall have the right to obtain a copy of such data in an electronic or structured format that is commonly used and allows for further use by the data subject. The exercise of this right shall primarily take into account the right of the Data Subject to have control over his or her personal data being processed based on consent or contract, for commercial purpose, or through automated means.

12.4 LICA may charge a fee for processing the data subject request/s for access and/or update. Such a fee depends on the nature and complexity of the request. Information on the processing fee will be made available to the data subject prior to making the request.

13. NON-ADHERENCE TO POLICIES AND PROCEDURES

LICA acknowledges the violation and their corresponding penalties under the Data Privacy Act of 2012 and protects the Data Subjects from: Unauthorized Processing of Personal Information and Sensitive Personal Information; Accessing Personal information and Sensitive Personal Information Due to Negligence; Improper Disposal of Personal Information and Sensitive Personal Information; Processing of Personal Information and Sensitive Personal Information for Unauthorized Purposes; Unauthorized Access or Intentional Breach; Concealment of Security Breaches Involving Sensitive Personal Information; Malicious Disclosure; Unauthorized Disclosure; and Combination or Series of Acts.

14 CHANGES TO OUR DATA PRIVACY POLICY

LICA may modify or amend this policy from time to time to keep up with any changes in applicable laws and to comply with government regulatory requirements, to adapt to new technologies and protocols, to align with industry best practices and for business purposes. The data subject will always be provided notice if these changes are significant and, if we are required by law, we will ensure to obtain your updated consent.

15 REFERENCES

15.2 Data Privacy Act of 2012 (Republic Act No. 10173)

15.3 National Privacy Act Tool Kit: A Guide for Management and Data Protection Officers