Green Cross Inc.


PRIVACY MANUAL

Effective as of May 15, 2019


 

1. Introduction

As part of its ongoing business, Green Cross Inc. (“GCI”) (hereafter referred to as, the “Company”, “we”, “our”, or “us”), may collect, use, process, disclose, or transfer the Personal Data of our employees, clients, investors, partners, vendors, agents, contractors, third parties, and the employees of such clients, investors, partners, vendors, agents, contractors, and third parties (hereafter referred to as the “Data Subjects”, “you”, “your”, “they”, “their”, or “them”). We depend on this Personal Data to, among others, maintain our production and profitability, provide our clients and investors with innovative and reliable programs and services, develop new reserves and resources, drive acquisition and opportunities forward, and ultimately, manage our business effectively and efficiently.

In exchange, we understand that you expect us to protect your Personal Data and use it fairly and lawfully. Thus, this Privacy Manual (the “Privacy Manual”) is hereby adopted in compliance with Republic Act No. 10173, or the Data Privacy Act of 2012 (“DPA”), its Implementing Rules and Regulations (“DPA IRR”), and other relevant laws, rules, and regulations, including the issuances of the National Privacy Commission (“NPC”) (these shall collectively be referred to as the “Philippine Data Protection Laws”). GCI, as well as its employees and personnel, are committed to complying with its obligations under the Philippine Data Protection Laws and following the Privacy Manual to ensure that your Personal Data is secure.

The Privacy Manual is supplemented by the Company’s other privacy-related and security policies, i.e., privacy notices, data protection provisions, the Employee Personal Data Handling Policy, Security Incident and Data Breach Response Plan, the Company’s IT Security Policies, and the different consent forms (these policies, including the Privacy Manual, and forms shall be collectively referred to as the “GCI Privacy Policies”) insofar as Philippine data protection is concerned. The GCI Privacy Policies provide an overview of our data privacy and protection practices. They shall likewise inform you of our data security measures and shall serve as a guide in your exercise of the rights provided under the Philippine Data Protection Laws.

In case of conflict between or among the GCI Privacy Policies, the policy imposing a higher standard of protection to Personal Data shall govern.

2. Definition of Terms

2.1 ‘Affiliates’ refer to the affiliates of GCI.

2.2 ‘Business Asset Transaction’ refers to the purchase, sale, lease, merger or amalgamation, or any other acquisition, disposal, or financing of an organization or a portion of an organization or of any of the business or assets of an organization.

2.3 ‘Business Partners’ refer to GCI’s trusted companies that may provide information about products and services that may cater to clients and investors.

2.4 ‘Compliance Officer for Privacy’ or ‘COP’ refers to an individual or individuals who shall perform some of the functions of a DPO as defined in Clause 2.6 of this Privacy Manual.

2.5 ‘Data Breach Response Team’ refers to the set of individuals, at least five (5) in number, identified in GCI’s Security Incident and Data Breach Response Plan as responsible for ensuring immediate action in the event of a Security Incident or Personal Data Breach.

2.6 ‘Data Protection Officer’ or ‘DPO’ refers to the individual accountable for ensuring the compliance by the personal information controller or personal information processor with the Philippine Data Protection Laws.

2.7 ‘Data Sharing’ is the disclosure or transfer to a third party of Personal Data under the custody of a personal information controller or personal information processor. In the case of the latter, such disclosure or transfer must have been upon the instructions of the personal information controller concerned. The term excludes outsourcing as defined herein.

2.8 ‘Data Subject’ refers to an individual whose personal, sensitive personal, or privileged information is being processed.

2.9 ‘Information Technology’ or ‘IT’ refers to the function/department within GCI responsible for the design and implementation of information technology.

2.10 ‘IT Security Policies’ refers to GCI’s different policies and guidelines issued by the Systems Department to manage its IT and communication systems, among others.

2.11 ‘National Privacy Commission’ or ‘NPC’ refers to the agency mandated to administer and implement the Philippine Data Protection Laws, and to monitor and ensure the Philippines’ compliance with international standards for data privacy and protection.

2.12 ‘Outsourcing’ refers to the disclosure or transfer of Personal Data by a personal information controller to a personal information processor.

2.13 ‘Personal Data’ refers to all types of personal information.

2.14 ‘Personal Data Breach’ refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed. A Personal Data breach may be in the nature of:

2.14.1 an availability breach resulting from loss, accidental or unlawful destruction of Personal Data;

2.14.2 an integrity breach resulting from alteration of Personal Data; and/or

2.14.3 a confidentiality breach resulting from the unauthorized disclosure of or access to Personal Data.

2.15 ‘Personal Information’ is defined as any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.

2.16 ‘Personal Information Controller’ or ‘PIC’ refers to a natural or juridical person, or any other body who controls the processing of Personal Data or instructs another to process Personal Data on its behalf.

2.17 ‘Personal Information Processor’ or ‘PIP’ refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of Personal Data pertaining to a data subject.

2.18 ‘Processing’ refers to any operation or any set of operations performed upon Personal Data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the Personal Data are contained or are intended to be contained in a filing system.

2.19 ‘Products’ refer to the goods or articles being offered for sale by GCI to the market.

2.20 ‘Recipient’, in relation to Personal Data, means any person to whom Personal Data is disclosed.

2.21 ‘Security Incident’ is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of Personal Data. It shall include incidents that would result in a Personal Data breach, if not for safeguards that have been put in place.

2.22 ‘Sensitive Personal Information’ refers to:

2.22.1 personal information about an individual’s race, ethnic origin, marital status, age, color and religious, philosophical or political affiliations;

2.22.2 personal information about an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;

2.22.3 personal information issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation and tax returns; and

2.22.4 personal information specifically established by an executive order or an act of Congress to be kept classified.

2.23 ‘Service Providers’ refer to companies that provide services for and on behalf of GCI.

2.24 ‘Services’ refer to GCI’s services, projects, activities, programs, acquisitions, developments, operations, websites, events, promotions, marketing activities, market research, surveys and/or the business. These include customer support for such services, projects, activities, programs, acquisitions, developments, operations, websites, events and/or business transactions.

Capitalized terms used but not otherwise defined herein shall have the meaning and context given to them in the other GCI Privacy Policies.

For the purposes of this Privacy Manual, reference to the singular form of any of the above-defined terms shall be construed to include the plural and vice-versa, unless the context otherwise requires. Pronouns in masculine, feminine, and neutral genders shall be construed to include any other gender.

3. Scope

3.1 This Privacy Manual applies to any and all Personal Data collected, used, processed, and disclosed by or for and on behalf of GCI including, but not limited to, those relating to the Products and Services and GCI’s conduct of its business.

3.2 All GCI employees and personnel must abide by the terms set out in this Privacy Manual.

3.3 Please note that the GCI Privacy Policies may apply regardless of whether you use a computer, mobile phone, tablet, printed forms, or other official means to avail of our Products and Services. It is thus important that you read the GCI Privacy Policies carefully because any time you avail of our Products and Services and consent to our terms and conditions, this includes the practices we describe in the GCI Privacy Policies.

4. Collection of Personal Data

4.1 We only collect Personal Data if there is a reasonable business purpose for such collection. In this regard, we only collect and process Personal Data that is reasonably necessary to fulfill the identified purpose(s) of processing. This means that we do not collect Personal Data that is not relevant and/or potentially excessive in light of our planned data processing. Further, we also refrain from collecting Personal Data if the business purpose can be achieved by using anonymized or pseudonymized data.

4.2 Except in cases allowed by the Philippine Data Protection Laws, we shall ensure that your consent has been properly and lawfully obtained prior to the collection, processing, and disclosure of Personal Data. This consent shall be time-bound and in relation only to the legitimate purposes for which Personal Data was collected.

4.3 We may collect Personal Data directly from information you provide us. For example, when you:

4.3.1 provide Personal Data through purchase of our Products and/or participation in our Services for the purpose of availing of, assisting in, or otherwise, making use of the same;

4.3.2 participate in GCI promotions, website, surveys, meetings, forums, events or feedback forms;

4.3.3 request for information on any of our Products and Services or to receive any marketing, promotional, or other types of communications;

4.3.4 communicate through our Services;

4.3.5 make enquiries or comments through our websites, email, Human Resources, or other Departments;

4.3.6 interact with our staff or employees; and/or

4.3.7 submit a resume, fill out any electronic forms, and provide information during interviews for recruitment purposes.

4.4 We may receive information about you from publicly and commercially available sources, as permitted by the Philippine Data Protection Laws and other applicable laws, which we may combine with other information we receive from or about you.

4.5 You shall be notified of the Personal Data that GCI will collect and the purposes for which such Personal Data will be collected. In this regard, prior to the collection of your Personal Data, we shall furnish you with a notice, disclosure, or comparable statement which may include, among others:

4.5.1 the purposes for which Personal Data is collected and processed;

4.5.2 the categories of Personal Data collected and processed;

4.5.3 the identity of the PIC or PIP responsible for the processing of the Personal Data;

4.5.4 how you can contact the PIC to exercise any rights to access or correct your own data;

4.5.5 any disclosure or transfer of Personal Data; and

4.5.6 any and all Recipients of Personal Data.

5. Purpose for the Collection, Use, Disclosure, and Processing of Personal Data

5.1 We shall identify the purposes for which Personal Data will or may be used prior to collecting that Personal Data. These purposes shall be clearly and specifically identified to determine the kind of processing necessarily included within these specified purposes. In this regard, GCI will/may collect, use, disclose and/or process Personal Data for any one or more of the following purposes (collectively the “Purposes”):

5.1.1 to register you as a user of Products or participant in the Services;

5.1.2 to register you as a provider of supplies or services to GCI;

5.1.3 monitoring, processing and/or tracking the use of our Services to better facilitate or administer the use of these Services, and/or assist us in improving the Services;

5.1.4 assessing and processing requests with respect to the Products and Services;

5.1.5 administering, facilitating, processing, and/or dealing with your relationship with us, any transactions or activities carried out by us in relation to our Products and Services. This shall include processing applications, orders, and payment transactions; and implementing the transactions and supply of the Products and/or Services requested;

5.1.6 carrying out your instructions or responding to any inquiry given by (or purported to be given by) you or on your behalf;

5.1.7 contacting you or communicating with you via phone/voice call, text message and/or fax message, email and/or postal mail, or through messaging applications and other electronic means, among others, for the purposes of administering and/or managing your use of the Products and Services. You acknowledge and agree that such communication by us could be by way of the mailing of correspondence, documents, or notices to you, which could involve disclosure of certain Personal Data about you to bring about delivery of the same as well as on the external cover of envelopes/mail packages;

5.1.8 providing Products and Services to you as our investor, client, stakeholder, or when requested by you;

5.1.9 carrying out human resources and other functions as identified in the GCI Employee Consent Form, Job Applicant Consent Form, and Employee Personal Data Handling Policy;

5.1.10 carrying out due diligence, accreditation/validation, verification or other screening activities in accordance with legal or regulatory obligations applicable to us, the requirements or guidelines of governmental authorities which we determine are applicable to us, and/or our risk management procedures that may be required by law or that may have been put in place by us;

5.1.11 to prevent or investigate any fraud, unlawful activity, omission, or misconduct and/or investigating complaints;

5.1.12 complying with or as otherwise required by any applicable law, court order, order of a regulatory body, governmental or regulatory requirements of any jurisdiction applicable to us, including meeting the requirements to make disclosure under the requirements of any law binding on us, and/or for the purposes of any guidelines issued by regulatory or other authorities (whether in the Philippines or elsewhere), with which we are expected to comply;

5.1.13 complying with or as required by any request or direction of any governmental authority (whether in the Philippines or foreign country) which we are expected to comply with; or responding to requests for information from government agencies, local government units or other similar authorities (whether in the Philippines or foreign country). For the avoidance of doubt, this means that we may/will disclose your Personal Data to such parties upon their request or direction;

5.1.14 conducting research (including customer research), surveys, market surveys, analysis and/or development activities (including but not limited to data analytics, surveys and/or profiling) to improve our Products and Services as well as facilities, or to improve our understanding of your interests, concerns, and preferences, in order to enhance any continued interaction between yourself and us connected or in relation to our Products and Services, or improve any of our Products and Services;

5.1.15 storing, hosting, backing up of your Personal Data, whether within or outside the Philippines;

5.1.16 facilitating, dealing with, and/or administering external audit(s) or internal audit(s) of the business of GCI;

5.1.17 dealing with and/or facilitating a Business Asset Transaction or a potential Business Asset Transaction where GCI is a party;

5.1.18 to implement and maintain our IT systems, including to store and process Personal Data in computer databases and servers;

5.1.19 anonymization or pseudonymization of your Personal Data;

5.1.20 record-keeping purposes and producing statistics and research for internal and/or statutory reporting and/or record-keeping requirements of GCI;

5.1.21 GCI’s reporting purposes including, but not limited to, reporting on GCI’s business performance; and/or

5.1.22 any other purpose upon your consent as may be provided in notice and consent forms that may be provided by us.

5.2 Subject to Clause 14.2, we may not use, process, or disclose sensitive personal information except when:

5.2.1 you have expressly consented to the use, processing, or disclosure of such sensitive personal information as evidenced by written, electronic, or recorded means;

5.2.2 such use, processing, or disclosure is necessary to establish, exercise, or defend legal claims; and/or

5.2.3 if such use, processing, or disclosure is necessary for medical purposes, in which case the sensitive personal information may be processed by a health professional subject to professional secrecy.

5.3 In some instances, we may want to use or share Personal Data collected in a way that is materially different from what was disclosed in the GCI Privacy Policies, consent forms, and other applicable documents at the time of collection. In these circumstances, you shall be notified and given an opportunity to object or withhold consent to processing unless the change refers to processing or disclosure of Personal Data in the following instances:

5.3.1 The Personal Data is needed pursuant to a subpoena;

5.3.2 When the collection and processing are for obvious purposes, including when it is necessary for the performance of or in relation to a contract or service to which you are a party, or when necessary or desirable in the context of an employer-employee relationship between you and GCI; or

5.3.3 When the information is being collected and processed as a result of a legal obligation.

5.4 For the avoidance of doubt, you acknowledge and consent to GCI sharing anonymized or pseudonymized data such as aggregate information where we may share anonymized aggregate information about our customers with advertisers and marketing partners.

5.5 For the further avoidance of doubt, the Philippine Data Protection Laws shall not apply to anonymized or pseudonymized data that does not identify an individual and the Philippine Data Protection Laws do not provide you with a right to object to an organization handling, processing, or disclosing anonymized or pseudonymized data.

6. Sharing and Disclosure of Personal Data

6.1 GCI may need to disclose or transfer your Personal Data to third parties, for any one or more of the above Purposes. In this regard, the disclosure or transfer of Personal Data shall be made only upon your consent and, when required by law, in accordance with a data sharing agreement between GCI and such third parties. The data sharing agreement or other agreement with such third parties shall establish adequate safeguards to maintain the integrity, availability, and confidentiality of Personal Data and uphold your rights as data subjects. Without limiting the generality of the foregoing, such third parties shall include:

6.1.1 Affiliates;

6.1.2 Investors;

6.1.3 Business Partners;

6.1.4 Service Providers;

6.1.5 Third parties when required by law or necessary to protect our services;

6.1.6 Other parties in connection with corporate transactions; and

6.1.7 Other parties with your consent or at your direction.

6.2 In case Personal Data will be transferred to third parties for processing, we shall use contractual or other reasonable means to ensure the integrity, availability, and confidentiality of Personal Data and to provide a comparable level of protection to the Personal Data disclosed or transferred while it is being processed by a personal information processor or any other third party.

6.3 We will provide our preferred Service Providers with the information they need to perform their services and work with them to respect and protect your Personal Data. We shall enter into data sharing agreements or outsourcing agreements, as may be applicable, or agreements containing provisions on data protection, with our Service Providers, which will adhere to the GCI Privacy Policies and the Philippine Data Protection Laws to prevent the use of Personal Data for unauthorized purposes. Should you require more information in relation to the transfer or disclosure of your personal data, you may contact us at the information provided below.

7. Security Measures

7.1 We shall implement reasonable and appropriate organizational, physical, and technical security measures to ensure the availability, integrity, and confidentiality of Personal Data. These security measures should be in addition to and in line with the measures provided in the other GCI Privacy Policies and the specific directives of the GCI departments, if any.

7.2 These security measures shall guard against risks such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration, and contamination of Personal Data. We cannot, however, assume responsibility for any unauthorized use of your Personal Data by third parties which are wholly attributable to factors beyond our control.

7.3 Apart from the foregoing measures and those enumerated below, GCI shall implement such other organizational, physical, and technical security measures as may be necessary to ensure that the integrity, availability, and confidentiality of Personal Data is maintained.

Organizational Security Measures

7.4 Unless otherwise allowed or approved by the NPC, GCI shall designate at least one (1) DPO in the Philippines who shall be accountable for compliance with the provisions of the Data Protection Laws. In this connection, the DPO shall have the following functions:

7.4.1 monitor GCI’s compliance with the Philippine Data Protection Laws;

7.4.2 ensure the conduct of privacy impact assessments relative to activities, measures, projects, programs, or systems of GCI;

7.4.3 advise GCI on complaints and/or the exercise by data subjects of their rights, e.g., requests for information, clarifications, rectification or deletion of Personal Data;

7.4.4 ensure proper data breach and security incident management by GCI, including the preparation and submission to the NPC of reports and other documentation concerning security incidents or data breaches within the prescribed period;

7.4.5 inform and cultivate awareness on privacy and data protection within GCI on the Philippine Data Protection Laws;

7.4.6 advocate for the development, review and/or revision of policies, guidelines, projects, and/or programs of GCI relating to privacy and data protection, by adopting a privacy by design approach;

7.4.7 serve as the contact person of GCI vis-à-vis the data subjects, NPC, and other authorities in all matters concerning data privacy or security issues or concerns;

7.4.8 cooperate, coordinate, and seek advice of the NPC regarding matters concerning data privacy and security; and

7.4.9 perform other duties and tasks that may be assigned by GCI that will further the interest of data privacy and security and uphold your rights as data subjects.

Except for the items listed in Clauses 7.4.1 to 7.4.3, a COP may perform all the other functions of a DPO if deemed appropriate by GCI, and as approved by the NPC. Where appropriate, the COP shall also assist the DPO in the performance of his or her functions.

7.5 GCI shall ensure that records of its processing activities, which sufficiently describe its data processing systems, shall be reviewed regularly and kept up to date.

7.6 GCI shall regularly sponsor mandatory trainings and orientations on data privacy and security. For employees and personnel directly involved in the processing of Personal Data, management shall ensure their attendance and participation in these trainings and orientations.

7.7 From time to time, GCI shall conduct privacy impact assessments to identify risks in its processing systems, monitor security breaches, and scan the vulnerability of computer networks. Personnel directly involved in the processing of Personal Data must attend trainings and seminars for capacity building. There must also be a periodic review of policies and procedures being implemented in the organization.

Physical Security Measures

7.8 GCI shall implement physical security measures in its offices including, but not limited to, the following:

7.8.1 all files containing Personal Data shall be arranged in designated cabinets which are securely locked at all times;

7.8.2 all personnel shall, as far as practicable, use only GCI issued devices (such as laptops, computer units, or mobile phones) in collecting and processing personal data. All personnel shall comply with the relevant policies for the use of such devices and shall ensure that all devices issued to them by GCI shall be regularly updated and monitored by the relevant department to ensure that technical security measures are complied with.

7.8.3 In some instances, personal devices of GCI’s personnel may be used due to unforeseen circumstances or for justifiable reasons. In such cases, GCI personnel shall ensure that they apply all necessary safety features, technical security measures, IT policies and practices, as well as GCI’s data privacy policies and practices in relation to personal data collected and processed through their personal devices. Personal data collected through personal or GCI-issued devices will be covered by GCI Employee Obligations and Employee Personal Data Handling Policy;

7.8.4 all personnel should ensure that their laptops and other electronic devices containing Personal Data are physically secure or kept inside their designated cabinets and pedestals when necessary;

7.8.5 passwords and access controls must be updated regularly;

7.8.6 require two factor authentication for high-risk and confidential applications; and

7.8.7 the unique identification and adequate authentication rule.

7.9 GCI shall limit access to Personal Data only to authorized employees and third party Service Providers, each of whom is held to GCI’s standards of privacy. GCI shall also maintain physical, electronic and procedural safeguards to protect Personal Data against loss, misuse, damage, modification, and unauthorized access or disclosure.

Technical Security Measures

7.10 GCI shall implement safeguards to protect its computer network against accidental, unlawful or unauthorized usage, any interference that will affect data integrity or hinder the functioning or availability of the system, and unauthorized access through an electronic network. For this purpose, GCI shall implement and/or install an intrusion detection system to monitor security breaches and alert the organization of any unauthorized access, use, modification, processing, disclosure, or destruction of Personal Data under its control.

7.11 GCI shall regularly monitor for security breaches, and conduct processes to identify and access reasonably foreseeable vulnerabilities in its computer networks and to take preventive, corrective and mitigating action against security incidents that can lead to a personal data breach.

7.12 GCI shall implement measures to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

7.13 GCI shall implement the necessary encryption and authentication process that will control and limit access to Personal Data.

7.14 GCI shall abide by the provisions of its IT Security Policies and relevant directives which shall ensure and maintain the confidentiality, integrity, availability and resilience of GCI’s processing systems and services, among others. It shall likewise regularly review, test, and assess the effectiveness of its IT Security Policies and technical security measures on a regular schedule to be prescribed by the DPO.

8. Third Party Personal Data Provided by You

8.1 Should you provide GCI with Personal Data of individual(s) other than yourself, you represent and warrant to GCI and you hereby confirm that:

8.1.1 where required by the Philippine Data Protection Laws, prior to disclosing such Personal Data to us, you would have and had obtained consent from the individuals whose Personal Data are being disclosed to us, to:

8.1.1.1 permit you to disclose the individuals’ Personal Data to GCI for any one or more of the Purposes; and

8.1.1.2 permit GCI to collect, use, disclose and/or process the individuals’ Personal Data for the Purposes;

8.1.2 any Personal Data of individuals that you disclose to us is accurate; and

8.1.3 you are validly acting on behalf of such individuals and that you have the authority of such individuals to provide their Personal Data to GCI and for GCI to collect, use, disclose, and process such Personal Data for the Purposes.

9. Your Rights and Freedoms as Data Subjects

9.1 GCI understands and recognizes your rights as data subjects in accordance with the Philippine Data Protection Laws, which include your rights to information, object, access, rectification, erasure or blocking, lodging a complaint, damages, and data portability. Due to the sensitive and confidential nature of Personal Data under our custody, only authorized GCI personnel shall be allowed to access such Personal Data. That being said, you may exercise any of your rights as recognized by the Data Protection Laws, upon written demand.

9.2 We may need enough information from you in order to ascertain your identity as well as the nature of your request. In this regard, please submit your written request to the DPO through any of the following modes:

· Mail at 14th Floor Common Goal Tower Finance corner Industry Streets Madrigal Business Park, Alabang, Muntinlupa City, Metro Manila, Philippines 1770

· Call at +63 2 877 8888 local 1261 or +63 917 832 2626

· Email at privacy@greencross.com.ph

9.3 GCI reserves the right to deny access to Personal Data upon belief in good faith that such disclosure is either exempted under the Philippine Data Protection Laws, prohibited by law, or will result in the violation of another individual’s rights. GCI also reserves the right to develop and implement a fee structure for reasonable administrative fees as may be allowed by the Philippine Data Protection Laws.

9.4 We will take reasonable efforts to ensure that your Personal Data is accurate, complete, and up to date especially if your Personal Data is likely to be used by us to make a decision that affects you, or disclosed to another organization. However, this means that you must also update us of any changes in your Personal Data that you had initially provided us with. We will not be responsible for relying on inaccurate or incomplete Personal Data arising from you not updating us of any changes in your Personal Data that you had initially provided us with.

9.5 If the information GCI maintains is out of date, you may provide GCI with current and accurate data in order for GCI to correct its records. Please provide the updated information to the concerned GCI department.

10. Retention and Withdrawal of Consent

10.1 We will only retain Personal Data as long as it is still relevant for the Purposes for which it was collected and/or GCI continues to have a legal or business purpose to keep it. In this regard, we will put in place measures such that your Personal Data in our possession or under our control is properly destroyed and/or anonymized as soon as it is reasonable to assume that (a) the purpose for which that Personal Data was collected is no longer being served by the retention of such Personal Data; and (b) retention is no longer necessary for any other legal purposes.

10.2 You may also withdraw your consent for the collection, use, and/or disclosure of your Personal Data in our possession or under our control by submitting your request to the DPO through any of the following modes:

· Mail at 14th Floor Common Goal Tower Finance corner Industry Streets Madrigal Business Park, Alabang, Muntinlupa City, Metro Manila, Philippines 1770

· Call at +63 2 877 8888 local 1261 or +63 917 832 2626

· Email at privacy@greencross.com.ph

10.3 We will process your request within a reasonable time from such a request for withdrawal of consent being made, and will subsequently not collect, use, and/or disclose your Personal Data in the manner stated in your request, unless the Philippine Data Protection Laws or any other law or regulation allow us to still process your Personal Data.

10.4 However, your withdrawal of consent could result in certain legal consequences arising from such withdrawal. In this regard, depending on the extent of the withdrawal of your consent for us to process your Personal Data, it may mean that you may not be able to use or access the Services or may result in a breach of an obligation on your part.

11. Breach and Security Incidents

11.1 A Data Breach Response Team composed of at least five (5) personnel shall be responsible for ensuring immediate action in the event of a Security Incident or Personal Data Breach.

11.2 The Data Breach Response Team shall have the following functions:

11.2.1 implement GCI’s Security Incident and Data Breach Response Plan;

11.2.2 manage Security Incidents and Personal Data Breaches; and

11.2.3 ensure GCI’s compliance with provisions of the Philippine Data Protection Laws relating to Security Incident and Personal Data Breach management.

12. Inquiries and Complaints

If you have any inquiries or concerns related to this Privacy Manual, the other GCI Privacy Policies, or GCI’s data privacy and protection practices, or if you need additional assistance or have complaints, please contact GCI’s DPO through any of the following modes:

· Mail at 14th Floor Common Goal Tower Finance corner Industry Streets Madrigal Business Park, Alabang, Muntinlupa City, Metro Manila, Philippines 1770

· Call at +63 2 877 8888 local 1261 or +63 917 832 2626

· Email at privacy@greencross.com.ph

13. Amendments

Our privacy practices will be continuously assessed against legal developments, new technologies, business practices, our processing systems, as well as our customers’ needs. As we update and diversify our Products and Services, this Privacy Manual may evolve. In the event we make changes to our privacy policies, we will publish such amendments and/or the amended policy on our website and notify you by email, through pop-up windows or other means.

14. General Provisions

14.1 Your consent that is given pursuant to this Privacy Manual is additional to and does not supersede any other consents that you have provided GCI in relation to the collection, use, processing, or disclosure of your Personal Data.

14.2 For the avoidance of doubt, in the event that the Philippine Data Protection Laws permit us to collect, process, use, or disclose your Personal Data without your consent, such permission granted by the law shall continue to apply.

In case any provision in this Privacy Manual shall be held invalid, illegal, or unenforceable, the validity, legality, and enforceability of the remaining provisions shall not in any way be affected or impaired thereby.