POLICY STATEMENT 

This Privacy Manual is hereby adopted in compliance with Republic Act No. 10173 also known as the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations, and other relevant policies, including the issuances of the National Privacy Commission. Metro Pacific Tollways Corporation (MPTC) organization, which includes MPTC and its subsidiaries, such as but not limited to Metro Pacific Tollways North Corporation (MPT North), NLEX Corporation (NLEX), NLEX Ventures Corporation (NVC), Metro Pacific Tollways South Corporation (MPT South), Metro Pacific Tollways South Management Corporation (MPTSMC), Cavite Infrastructure Corporation (CIC), MPCALA Holdings, Inc. (MPCALA), Metro Pacific Tollways Management Services, Incorporated (MPTMSI), Cebu-Cordova Link Expressway Corporation (CCLEC),  Easytrip Services Corporation (ESC), and Southbend Express Services Inc., respects and values it’s Data Subject’s  privacy rights, and makes sure that all personal data collected from the Data Subject/s, like our clients and customers, are processed in adherence to the general principles of transparency, legitimate purpose, and proportionality. 

This Manual shall inform the Data Subject of MPTC’s data protection and security measures and may serve as guide in exercising Data Subject’s rights under the DPA. 

OBJECTIVE 

To support the enforcement of  the DPA within MPTC organization and adopt generally accepted international principles and standards for personal data protection.  

To safeguard the fundamental human right of every individual to privacy while ensuring free flow of information for innovation, growth, and national development.  

To recognize the vital role of information and communications technology in nation-building and to ensure that personal data information and communications system in MPTC and its subsidiaries are secured and protected. 

Policy 

2.1  Data Subject Rights 

2.1.1 The Right to be Informed. 

2.1.1.1  MPTC and its subsidiaries treat a Data Subject’s personal data in the same way as a Data Subject treats his/her own personal property. Thus, MPTC and its subsidiaries shall not collect, process and store any personal data without the Data Subject’s explicit consent, unless otherwise provided by law. MPTC and its subsidiaries shall usually solicit the Data Subject’s consent through a privacy notice. Aside from protecting Data Subjects against unfair means of personal data collection, this right also requires MPTC and its subsidiaries as PICs to notify Data Subjects if their data have been compromised, in a timely manner. 

2.1.1.2  To protect the Data Subject’s privacy, MPTC and its subsidiaries shall notify and furnish Data Subjects the following information before entering Data Subject’s personal data into any processing system (or at the next practical opportunity at least): 

2.1.1.2.1 Description of the personal data to be entered into the system; 
exact purposes for which they will be processed (such as for direct marketing, statistical, scientific etc.); 

2.1.1.2.2  Basis for processing, especially when it is not based on Data Subject’s consent; 

2.1.1.2.3 Scope and method of the personal data processing; 

2.1.1.2.4 Recipients, to whom data may be disclosed; 

2.1.1.2.5  Methods used for automated access by the recipient, and its expected consequences for Data Subject; 

2.1.1.2.6  Identity and contact details of the PIC; 

2.1.1.2.7  The duration for which Data Subject’s data will be kept; and 

2.1.1.2.8  Data Subject also have to be informed of the existence of his/her rights. 

2.1.2  The Right to Access. 

2.1.2.1  MPTC and its subsidiaries shall inform Data Subjects with the description of the kind of information that the organization have about Data Subject as well as their purpose/s for holding them. 

2.1.2.2  Under the DPA, Data Subjects have a right to obtain from an organization a copy of any information relating to the Data Subject that MPTC and its subsidiaries have on their computer database and/or manual filing system. It should be provided in an easy-to-access format, accompanied with a full explanation executed in plain language. 

Data subject may demand to access the following: 

  • The contents of personal data that were processed; 
  • The sources from which they were obtained; 
  • Names and addresses of the recipients of your data; 
  • Manner by which they were processed; 
  • Reasons for disclosure to recipients, if there were any; 
  • Information on automated systems where personal data is or may be available, and how it may affect the Data Subjects; 
  • Date when Data Subject’s data was last accessed and modified; and 
  • The identity and address of the PIC (MPTC and/or its subsidiaries). 

2.1.2.3  Requesting Access to Personal Data 

Data subject must execute a written request to MPTC or its subsidiaries, addressed to its DPO or COP, as the case may be. Such written request must mention that the request is being made in exercise of Data Subject’s right to access under the DPA. The DPO/COP is required to respond to the written request. Data Subject shall prepare to provide evidence of his/her identity, which the DPO/COP shall require of Data Subject to make sure that Personal Information is not given to the wrong person. 

2.1.3  Right to Object 

2.1.3.1  Data Subject can exercise his/her right to object if the personal data processing involved is based on consent or on legitimate interest. When Data Subject object or withhold consent, the PIC should no longer process the personal data, unless the processing is pursuant to a subpoena, for obvious purposes (contract, employer-employee relationship, etc.) or a result of a legal obligation. In case there is any change or amendment to the information previously given to Data Subject, they should be notified and given an opportunity to withhold consent. 

2.1.3.2  Exercising the Right to Object 

Whenever Data Subject has the chance, he/she may assert his/her right to object verbally, be it in person or via a phone call. To have it formally documented, however, Data Subject must execute a written request to MPTC or its subsidiaries, addressed to its DPO/COP, and have it received. In the letter, mention that the request is being made in exercise of Data Subject’s right to object under the DPA. The DPO/COP must act on the written request.  

2.1.4  Right to Erasure or Blocking 

2.1.4.1  Under the law, Data Subjects have the right to suspend, withdraw or order the blocking, removal or destruction of his/her personal data. The Data Subject can exercise this right upon discovery and substantial proof of the following: 

  • Data subject’s personal data is incomplete, outdated, false, or unlawfully obtained; 
  • It is being used for purposes the Data Subject did not authorize; 
  • The data is no longer necessary for the purposes for which they were collected; 
  • Data subject decided to withdraw consent, or the Data Subject object to its processing and there is no overriding legal ground for its processing; 
  • The data concerns information prejudicial to the Data Subject — unless justified by freedom of speech, of expression, or of the press; or otherwise authorized (by court of law); 
  • The processing is unlawful; 
  • The PIC violated Data Subject’s rights. 
  1.  Exercising the Right to Erasure (Blocking) 
  1. Execute a written request to MPTC or its subsidiaries, addressed to its DPO/COP, and have it received. In the letter, mention that Data Subject’s request is being made in exercise of his/her right to erasure under the DPA. Documents to support the request must be attached. The DPO/COP must act on the written request.  
  1. The Right to Rectify 
  1.  
  1.  
  1.  
  1.  
  1. Data subject has the right to dispute and correct any inaccuracy or error in the data that MPTC or its subsidiaries hold. MPTC shall act on it immediately and accordingly unless the request is vexatious or unreasonable. Once corrected, MPTC or its subsidiaries shall ensure that Data Subject’s access and receipt of both new and retracted information. MPTC or its subsidiaries shall also furnish third parties with said information, should Data Subject request it. 
  1. Exercising the Right to Rectify 

Execute a written request to MPTC or its subsidiaries, addressed to its DPO/COP, and have it received. In the letter, mention that Data Subject’s request is being made in exercise of his/her right to Rectify under the DPA. Documents to support the request must be attached. The DPO/COP must act on the written request.  

  1. The Right to Data Portability 
  1. This right assures that Data Subject remains in full control of his/her data. Data portability allows Data Subject to obtain and electronically move, copy or transfer his/her data in a secure manner, for further use. It enables the free flow of Personal Information across the internet and organizations, according to Data Subject’s preference.  
  1. Data portability allows Data Subject to manage his/her personal data in MPTC’s or its subsidiaries’ private device, and to transmit personal data from one Personal Information controller to another.  
  1. Exercising the Right to Portability 
  1. Data subject must execute a written request to MPTC or its subsidiaries, addressed to its DPO/COP, and have it received. In the letter, mention that request is being made in exercise of the right to data portability under the DPA. Documents to support the request must be attached. The DPO/COP must act on the written request.  
  1. Transmissibility of Rights of Data Subject 
  1. Data subject can assign their rights as a data subject to his/her legal assignee or lawful heir. Similarly, he/she may assert another person’s rights as a data subject, provided he or she authorized the data subject as a “legal assignee” 
  1. Data subjects who are alive but incapacitated, for some reason unable to  assert their own personal privacy rights and wish to authorize a “legal assignee” to act as their proxy may do so by executing a legal notice to the effect, such as through a Special Power of Attorney. 
  1. In case of a deceased data subject, the legal heir must be prepared to show legal evidence to back their claim. Parents or guardians automatically assume the responsibility of protecting the privacy rights of minors under their care. 
  1. Limitation on Rights 
  1. The provisions of the law regarding transmissibility of rights and the right to data portability will not apply if the processed personal data are used only for the needs of scientific and statistical research and, based on such, no activities are carried out and no decisions are taken regarding the Data Subject. There should also be an assurance that the personal data will be held under strict confidentiality and used only for the declared purpose. 
  1. The rights will not also apply the processing of personal data gathered for investigations in relation to any criminal, administrative or tax liabilities of a Data Subject, including other limitations as may be allowed by law or regulation. Any limitations on the rights of the Data Subject should only be to the minimum extent necessary to achieve the purpose of said research or investigation. 
  1. It is the responsibility of MPTC and/or its business units and subsidiaries to ensure that data subject/s were provided facilities to exercise their rights to privacy. If in case Data Subject’s request to exercise their privacy right was not sufficiently addressed, he/she may file a formal complaint with the NPC. Before doing so, however, MPTC or its subsidiaries recommends that the Data Subject inform MPTC and its DPO/COP of the intention to formally complain to the NPC. The MPTC organization might be able to take the opportunity to apologize, better explain the organization’s position, or reconsider Data Subject’s request. 

2.2 Processing of Personal Data  

The MPTC organization adheres to the principle of transparency, proportionality, and legitimate purpose in processing personal data. Data Subject/s shall be made aware of the nature, purpose, and extent of the Processing of his or her Personal Data by the MPTC organization, including the risks and security measures involved, the identity of persons, and entities involved in Processing his or her Personal Data, his or her rights as a Data Subject, and how these can be exercised. Any information and communication relating to the Processing of Personal Data shall be easy to access and understand, using clear and plain language. Processing shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy. And shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal Data shall be processed by the MPTC organization only if the purpose of the Processing could not reasonably be fulfilled by other means. 

2.2.1  Collection 

2.2.1.1  A Data Subject’s consent is required prior to any collection of personal data, subject to exemptions provided by the Act and other applicable laws and regulations.  

2.2.1.2  Personal Data Consent guidelines 

2.2.1.2.1  Identity of the PICs that will be given access to the personal data; 

2.2.1.2.2  Purpose of data sharing or processing of the personal data;  

2.2.1.2.3 Categories of personal data concerned; (Personal / Sensitive Personal); 

2.2.1.2.4  Intended recipients or categories of recipients of the personal data;  

2.2.1.2.5  Existence of the rights of Data Subjects, including the right to access and correction, and the right to object; and  

2.2.1.2.6  Other information that would sufficiently notify the Data Subject of the nature and extent of data sharing and the manner of processing. 

2.2.1.3  The Data Subject must be provided with information regarding the purpose of collection, extent of processing, including, where applicable, the automated processing of his or her personal data such as for profiling, marketing, and data sharing to 3rd party or PIP. 

2.2.1.4  Personal data that are necessary for processing for a specific purpose shall only be collected. 

2.2.1.5 Data Subject shall have the right to withdraw his/her consent at any time by sending a consent withdrawal email to the appropriate Business Unit Data Privacy Office described in 6.6.1. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. 

2.2.1.5.1 If the data was being processed for several purposes, MPTC or the affected business unit can’t use the personal data for the part of the processing for which consent has been withdrawn or for any of the purposes, depending on the nature of the withdrawal of consent. 

2.2.3  Use 

Personal data collected by the MPTC organization shall be used by the MPTC and its subsidiaries for documentation purposes, and other purpose, which are declared during the personal data collection, relevant to the business operations of the MPTC organization. 

2.2.4  Storage, Retention, and Destruction 

The MPTC organization shall ensure that personal data under its custody are protected against any accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing. The organization shall implement appropriate security measures in storing collected Personal Information, depending on the nature of the information. Generally, information gathered, unless otherwise necessary or with business or legal obligation, shall not be retained for a period longer than two (2) years. After such period, all hard and soft copies of Personal Information shall be disposed and destroyed, through secured means. 

2.2.5  Access  

2.2.5.1  Authorized individual, group, or process owner shall have the access to personal data being processes by the MPTC organization for any purpose, except for those contrary to law, public policy, public order or morals. 

2.2.5.2  Request for access to personal data shall be approved by the process owner and DPO/COP. Requestors shall submit the signed and approved copy of ISMS-FO.010 Personal Data Access Request to DPO/COP office. If access shall be conducted through the internet, the transmission must be secured/encrypted. 

2.2.6  Disclosure and Sharing 

2.2.6.1 All employees and personnel of MPTC organization shall maintain the confidentiality and secrecy of all personal data that come to its knowledge and possession, even after resignation, termination of contract, or other contractual relations. Personal data under the custody of the MPTC organization shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data. 

2.2.6.2  Legal requests for personal data must be submitted in writing to the DPO/COP of the involved business unit. The request shall be coordinated with the process owner by the DPO/COP for verification. When information has been approved for release, a copy of the relevant data will be provided. MPTC and/or its subsidiaries will only release original records if a court order is received requiring such release. Release of data requires the approval of the division head/s of the process involved. 

2.2.6.3  Media/Public. MPTC organization may publish information pertaining to its operation or other purpose such as results of scientific/statistic researches on its websites or other media. MPTC organization makes statistical information publicly available in an aggregate way. In responding to requests from the media or to the public, MPTC and/or its subsidiaries shall only release aggregate data. All data released to the media/public can be distinguished as aggregate data, customized aggregate data. For the use of data/footage made available by MPTC organization with acknowledgement of copyright or trademark of MPTC or its subsidiaries may include conditions for use and/or reproduction of the data. Data requests by the media/public shall be addressed to the communication department (CSM) of MPTC or its subsidiary. Release of customized aggregate data requires the approval of the CSM’s Division head. 

2.3  Personal Data Security Measures 

2.3.1  Administrative / Organizational Security Measures 

2.3.1.1  DPOs and COPs. 

The DPO shall oversee the compliance of the MPTC organization with the DPA, its IRR, and other related policies, including the conduct of a Privacy Impact Assessment, implementation of security measures, security incident and data breach protocol, and the inquiry and complaints procedure. 

2.3.1.2  Legal consultant. The internal legal team provides the general legal guidance for DPA compliance. 

2.3.1.3  Conduct of trainings, seminars, awareness, or orientation to keep personnel, especially the DPO and COP updated vis-à-vis developments in data privacy and security. 

2.3.1.4 Conduct of Privacy Impact Assessment (PIA) 

 
The MPTC organization shall conduct a PIA relative to all activities, projects and systems involving the processing of personal data. It may choose to outsource the conduct a PIA to a third party. 

2.3.1.5  Recording and documentation of activities carried out by the DPO and COPs, or the MPTC organization itself, to ensure compliance with the DPA, its IRR and other relevant policies. 
 

2.3.1.6 Duty of Confidentiality 

 
All employees with access to personal data shall operate and hold personal data under strict confidentiality if the same is not intended for public disclosure. 

2.3.1.7 Review of Data Privacy Manual 

 
This Manual shall be reviewed and evaluated annually. Privacy and security policies and practices within the MPTC organization shall be updated to remain consistent with current data privacy best practices. 

2.3.1.8 Data Privacy Notices 

 
MPTC and its subsidiaries shall embed Data Privacy notices on its data processing systems, websites, forms, and other media if applicable. The notice shall be made available to the public and the organization’s stakeholders. 

2.3.2  Physical Security Measure 

2.3.2.1 Format of Data to be collected 

 
Personal data in the custody of MPTC organization may be in digital/electronic format and paper-based/physical format. 

2.3.2.2 Storage type and location (e.g. filing cabinets, electronic storage system, personal data room/separate room or part of an existing room). 

 
All paper-based documents containing personal data being processed by the MPTC organization shall be stored in a data room or kept in locked filing cabinets while the digital/electronic files are stored in computers provided and installed by MPTC or its subsidiaries.  

2.3.2.3 Access procedure of company personnel. 

 
Only authorized personnel shall be allowed inside the data/server room. For this purpose, they shall each be given a duplicate of the key to the room. Other personnel may be granted access to the room upon filing of an access request form with the DPO/COP, depending on the location of the data/server room, and the latter’s approval thereof. 

2.3.2.4 Monitoring and limitation of access to room or facility 

 
All personnel authorized to enter and access the data/server room or facility must fill out a logbook placed at the entrance of the room. They shall indicate the date, time, duration and purpose of each access. 

2.3.2.5 Design of office space/workstation 

 
The computers are positioned with considerable spaces between them to maintain privacy and protect the processing of personal data. 

2.3.2.6  Persons involved in processing personal data, and their duties and responsibilities 

 
Persons involved in processing shall always maintain confidentiality and integrity of personal data. They are not allowed to bring their own gadgets or storage device of any form when entering the data storage room. 

2.3.2.7  Modes of transfer of personal data within the organization, or to third parties 
 

Transfers of personal data via electronic mail shall use a secure email facility with the capability of data encryption, including any or all attachments. Facsimile technology shall not be used for transmitting documents containing personal data. 

2.3.2.8 Retention and disposal procedure 

 
MPTC organization shall retain the personal data of its Data Subjects. Refer to Information Classification and Handling Policy for details of the retention and disposal procedures. 

2.3.3  Technical Security Measure 

2.3.3.1  Monitoring for security breaches 

MPTC organization shall use an intrusion detection system (IDS) and intrusion prevention system (IPS) to monitor security breaches and alert the organization of any attempt to interrupt or disturb the system. 

2.3.3.2 Security features of the software/s and application/s used 
MPTC organization shall first review and evaluate software applications before the installation thereof in computers and devices of the organization to ensure the compatibility of security features with overall operations. 

2.3.3.3 Process for regularly testing, assessment and evaluation of effectiveness of security measures 

 
The MPTC organization shall review security policies, conduct vulnerability assessments and perform penetration testing within the organization on regular schedule to be prescribed by the appropriate unit or by the organization’s Information security team. 

2.3.3.4 Encryption, authentication process, and other technical security measures that control and limit access to personal data 
 

Each personnel with access to personal data shall verify his or her identity using a secure encrypted link or a monitored VPN access. 

2.4 Breach and Security Incidents 

2.4.1  Creation of a Data Breach Response Team 

A Data Breach Response Team comprising of DPO, COP, and Process Owner of the involved business unit shall be responsible for ensuring immediate action in the event of a security incident or personal data breach. The team shall conduct an initial assessment of the incident or breach to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effects of the incident or breach. Refer to ISMS-0.004 Information Security and Data Privacy Incident Management for details. 

2.4.2  Measures to prevent and minimize occurrence of breach and security incidents 
MPTC organization shall regularly conduct, annually and if there’s a new or change in the business process and/or project, a PIA to identify risks in the processing system and monitor for security breaches and vulnerability scanning of computer networks. Personnel directly involved in the processing of personal data must attend trainings and seminars for capacity building. An annual review of policies and procedures shall be implemented in the organization. 

2.4.3 Notification protocol 

 
The Head of the Data Breach Response Team shall inform the management of the need to notify the NPC and the Data Subjects affected by the incident or breach within the period prescribed by law. Management may decide to delegate the actual notification to the head of the Data Breach Response Team. 

2.4.4  Documentation and reporting procedure of security incidents or a personal data breach 

 
The Data Breach Response Team shall prepare a detailed documentation of every incident or breach encountered, as well as an annual report, to be submitted to management and the NPC, within the prescribed period. 

2.5  Inquiries and Complaints 

2.5.1  Data subjects may inquire, file complaints, or request for information regarding any matter relating to the processing of their personal data under the custody of the MPTC organization, including the data privacy and security policies implemented to ensure the protection of their personal data. They may write to the organization at the following Data Privacy Office emails and briefly discuss the inquiry, together with their contact details for reference.  

Business Unit DPO Email 
MPTC & MPTMSI dataprivacyoffice@mptc.com.ph 
MPT North, NLEX Corp, NVC dataprivacyoffice@nlex.com.ph 
MPT South, MPTSMC, CIC, & MPCALA dataprivacyoffice@mptsouth.com 
MPT Vismin, CCLEC dataprivacyoffice@cclex.com.ph 
Easytrip (ESC) privacy@easytrip.ph 
SESI dataprivacyoffice@sesi.com.ph