Emsavvil Privacy Policy
I. INTRODUCTION
This Privacy Policy (“Policy”) is hereby adopted by Escudero Marasigan Vallente & E.H. Villareal Law (“EMSAVVIL”) in compliance with Republic Act No. 10173 or the Data Privacy Act of 2012 (“DPA”), its Implementing Rules and Regulations (“IRR”), and other relevant policies including issuances of the National Privacy Commission (the “Commission”). EMSAVVIL respects and values the data privacy rights of its clients and employees, and makes sure that all personal data collected from them are processed in adherence to the DPA, its IRR, and the general principles of transparency, legitimate purpose, and proportionality. This Privacy Policy aims to inform the public of its data protection and security measures, and may serve as a guide for the public’s exercise of their privacy rights under the DPA and its IRR. Any matter not otherwise covered under this Policy, but covered by the DPA, its IRR, or any subsequent issuance by the Commission, shall be deemed incorporated into this Policy.
II. DEFINITION OF TERMS
- “Applicant” refers to those who submitted applications for employment with EMSAVVIL.
- “Apprentice” refers to law students who are undergoing apprenticeship or internship with EMSAVVIL, as may be required by the curriculum of the school in which the student is enrolled.
- “Clients” refers to persons who have already executed a retainer proposal with EMSAVVIL.
- “Commission” refers to the National Privacy Commission created by virtue of the DPA.
- “Consent of the data subject” refers to any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of Personal Information about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means.
- “Data Protection Officer” refers to the employee of EMSAVVIL who shall oversee the compliance of EMSAVVIL with the DPA, its IRR, and other related policies.
- “Data subject” refers to an individual whose Personal Information is processed.
- “DPA” refers to Republic Act No. 10173 or the Data Privacy Act of 2012.
- “Employee” refers to all persons employed by EMSAVVIL, regardless of the specific nature of their employment.
- “EMSAVVIL” refers to the law firm Escudero Marasigan Vallente & E.H. Villareal Law.
- “IRR” refers to the Implementing Rules and Regulations of the Data Privacy Act of 2012.
- “Miscellaneous persons” refers to persons dealing, transacting, or otherwise engaging in business with EMSAVVIL, which may include suppliers, service providers, third party data processors, messengers or liaison officers of other law firms or companies, or other similar persons.
- “Person” refers to either a natural or juridical person as defined by law.
- “Personal information” refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
- “Personal information controller” refers to a person or organization who controls the collection, holding, processing or use of Personal Information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose Personal Information on his or her behalf. The term excludes:
  - A person or organization who performs such functions as instructed by another person or organization; and
  - An individual who collects, holds, processes or uses Personal Information in connection with the individual’s personal, family or household affairs.
- “Personal information processor” refers to any natural or juridical person qualified to act as such under this Act to whom a Personal Information controller may outsource the processing of personal data pertaining to a data subject.
- “Policy” refers to the Privacy Policy of EMSAVVIL.
- “Processing” refers to any operation or any set of operations performed upon Personal Information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
- “Privileged information” refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.
- “Sensitive personal information” refers to personal information:
  - About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
  - About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
  - Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
  - Specifically established by an executive order or an act of Congress to be kept classified.
III. SCOPE AND LIMITATIONS
All Employees, regardless of the type of employment or contractual arrangement, must comply with the terms set out in this Policy.
All Clients, all persons applying for a position with EMSAVVIL, and any and all third parties who shall henceforth deal, transact, or otherwise engage in business with EMSAVVIL, may likewise be subject to the terms set out in this Policy, in accordance with the terms herein below.
IV. PROCESSING OF PERSONAL DATA
A. COLLECTION
EMSAVVIL collects data differently for the different types of data subjects, as follows:
1. Referral-based data subjects
EMSAVVIL may be engaged by clients through its EMSAVVIL helpdesk or through referrals. After the initial consultation and/or initial study of the referral, EMSAVVIL sends to the potential client a retainer proposal. At this stage, EMSAVVIL already collects personal information of the potential client such as their full name, e-mail address, address, etc., though the potential client formally becomes a client of EMSAVVIL only upon his assent to the retainer proposal and the payment of the applicable fees, including the acceptance fee.
During the initial consultation stage, EMSAVVIL may require certain information from the potential client, in order to properly address their legal query or queries and formulate the retainer proposal. During the consultation stage and as mentioned in the preceding paragraph, EMSAVVIL may already collect the basic contact information of these potential clients, including their full name, address (either or both home and work addresses), e-mail address, contact number, marital status, copies of government-issued identification cards or licenses, and any other information EMSAVVIL would deem necessary for the legal study and the drafting of the retainer proposal. Further, similar information may be collected insofar as the personal circumstances of any other potential party to the case, including co-parties to the case referral, provided that such information is necessary for the case referral.
Potential clients who submitted a legal query or referred a case through the EMSAVVIL helpdesk will receive an automated response form, which includes a Template Consent Form (“TCF”). The TCF is essentially EMSAVVIL’s request for the potential client’s consent that his or her Personal Information may be collected and stored, for purposes of conducting the legal study and the drafting of the retainer proposal.
Potential clients with whom an initial consultation will be conducted, and from whom personal or sensitive information may already be collected, will be given a TCF before said consultation, in which the potential clients shall give their consent for EMSAVVIL to collect and store their Personal Information. After the legal study, EMSAVVIL sends to the potential client the retainer proposal. Included in such retainer proposal is a “Privacy Clause,” whereby EMSAVVIL requests the potential client’s consent to collect, use, transmit, process, and store information, insofar as such collection, use, transmittal, processing, and storage is necessary for the case referral. The “Privacy Clause” shall also contain a stipulation stating that EMSAVVIL shall store such information, even after the closure of the case, strictly for reference, academic, and statistical purposes.
Once a potential client formally becomes a client, additional information pertinent to the case may thereafter be collected. Any and all information collected from the client are privileged communications, and will be kept with utmost confidentiality, pursuant to the rule on lawyer-client privilege.
2. Employees, apprentices, and applicants
EMSAVVIL shall also collect Personal Information from its Employees, Apprentices, as well as persons applying for a position with EMSAVVIL. This information shall be limited to their full name, address (either or both home and work addresses), e-mail address, contact number, marital status, tax identification numbers, copies of government-issued identification cards or licenses, and any other information EMSAVVIL would deem necessary for documentation and employment purposes. EMSAVVIL also has the right to collect from employees and applicants the contact details of their emergency contact persons. They shall likewise be made to sign a Non-Disclosure Agreement (“NDA”), with the understanding that any and all Personal Information obtained is not intended for public disclosure.
For Apprentices, should they come into contact with Personal Information coming from EMSAVVIL, including sensitive information regarding Clients and cases, they shall likewise be made to sign an NDA, with the understanding that any and all Personal Information obtained is not intended for public disclosure.
3. Miscellaneous Persons
EMSAVVIL may also collect information from Miscellaneous persons. These persons may include suppliers, service providers, third party data processors, messengers or liaison officers of other law firms or companies, or other similar persons. The information to be collected shall be limited only to the full name, employer name, and contact details of the person involved, and shall be used only for identification purposes. Should the person, by virtue of his or her business, come into contact with sensitive information coming from EMSAVVIL, such as information of Employees, Clients and cases, he or she shall be made to sign an NDA.
B. USE
Unless otherwise specified above, personal data collected shall be used by EMSAVVIL for identification purposes.
C. STORAGE, RETENTION, AND ACCESS
EMSAVVIL ensures that personal data and information under its custody are protected against accidental or unlawful destruction, alteration, and disclosure, as well as any other unlawful processing. EMSAVVIL will implement appropriate security measures in storing collected Personal Information, depending on the nature of the information.
For information collected by EMSAVVIL from Clients, Employees, Apprentices, applicants, and miscellaneous persons, there shall be a list of authorized persons who can access the specific files. A physical space within the office premises shall be designated as an area where the hard copies of such information, if any, shall be stored. Security measures against fire, pests, rain, and flooding shall be enforced to prevent damage to such hard copies.
In addition, all physical files shall be digitized by scanning. Access to such documents shall be restricted, and in cases of more sensitive information, these will be password-encrypted. Authorization from the Partner or Officer-in-Charge of such information shall be required before a non-authorized person can be granted access to such digital information. Authorization from the designated Data Protection Officer shall be obtained first before any digital file may be deleted.
As regards information pertinent to the cases being handled by EMSAVVIL, these shall be stored by EMSAVVIL even after the closure of the matter or termination or withdrawal of the client, strictly for reference, academic, and statistical purposes.
D. DISCLOSURE AND SHARING
All Employees and Apprentices shall maintain the confidentiality and secrecy of all Personal Information that comes to their knowledge and possession, even after resignation, termination of contract, or other contractual relations. Personal Information under the custody of EMSAVVIL shall be disclosed only pursuant to a lawful purpose, and only to authorized recipients of such data. Moreover, these persons are also bound to the confidentiality of all information to which they have access, and are required to comply with any and all laws, rules and regulations governing the data privacy protection of Clients and Employees.
E. DESTRUCTION
All information regarding the Employees, Apprentices, and applicants of EMSAVVIL, as well as Personal Information collected from miscellaneous persons, shall be disposed of and destroyed within a period not longer than one (1) year from their resignation, termination, or severance of contract with EMSAVVIL.
All other information collected which is not otherwise pertinent or necessary for the handling of cases shall not be retained for a period longer than one (1) year. After such period, all hard copies shall be disposed of and destroyed, by shredding or other secured means.
F. RIGHT TO BE FORGOTTEN
Upon the resignation, termination or severance of contract of the Employee, but before the clearance is given by EMSAVVIL, the Employee, Apprentice, or applicant must be given the opportunity in writing to exercise his or her right to be forgotten. This right, however, shall not be applicable to works made or executed by the Employee or Apprentice during the course of his or her employment with EMSAVVIL.
Miscellaneous persons from whom EMSAVVIL collected Personal Information may also be given the opportunity in writing to exercise his or her right to be forgotten.
V. SECURITY MEASURES
A. ORGANIZATIONAL MEASURES
1. Conduct of Privacy Impact Assessment
EMSAVVIL regularly conducts a Privacy Impact Assessment (“PIA”) relative to all processes, activities, projects, and systems involving the processing of personal data. EMSAVVIL likewise regularly conducts such assessments to identify risks in the processing system, to monitor for security breaches, and to conduct vulnerability scanning of computer networks. During Privacy Impact Assessments, policies and procedures being implemented by EMSAVVIL in relation to the Personal Information collected shall be reviewed, evaluated, or revised, as the case may be.
2. Data Protection Officer
The designated Data Protection Officer as of the date hereof is Atty. Marieta E. Nieto, Junior Partner of EMSAVVIL.
The Data Protection Officer shall oversee the compliance of EMSAVVIL with the DPA, its IRR, and other related policies, including the conduct of a Privacy Impact Assessment, the implementation of security measures, the security incident and data breach protocol, and the procedure for handling inquiries and complaints.
3. Risk Management Officer
There shall be appointed a Risk Management Officer who, in coordination with the Data Protection Officer, shall keep a detailed and accurate documentation of all activities, projects, and processing systems of EMSAVVIL.
4. Duty of Confidentiality
All Employees and Apprentices shall be made to sign an NDA, with the understanding that any and all Personal Information obtained is not intended for public disclosure.
5. Conduct of trainings or seminars
EMSAVVIL may sponsor a mandatory training on data privacy and security at least once a year. For employees directly involved in the processing of personal data, the management of EMSAVVIL shall ensure their attendance and participation in relevant trainings and orientations as may be sponsored by EMSAVVIL, the Commission, or other third parties.
6. Review of Privacy Policy
This Policy shall be evaluated and reviewed annually, or as circumstances so require. Privacy and security policies and practices within EMSAVVIL shall be updated to remain consistent with current data privacy best practices.
B. PHYSICAL MEASURES
1. Format and storage of data to be collected
Personal Information and data in the custody of EMSAVVIL may be in digital or electronic format, and/or paper-based or physical format. Further, all physical files shall be digitized by scanning.
All paper-based documents or information in the physical format shall be stored in locked filing cabinets, and properly classified and organized by client. All documents in the digital or electronic format shall be stored in the computers of EMSAVVIL.
Those documents of a more sensitive nature shall be in the possession and custody of the Data Protection Officer.
2. Access
Only authorized personnel shall be allowed access to the filing cabinets containing all paper-based documents or information in the physical format. Any other person who wishes to access these documents must secure prior written authorization from the Data Protection Officer.
Access to documents in the digital or electronic format shall be limited only to authorized personnel as well. Documents of a more sensitive nature shall be password-encrypted, and prior written authorization shall be required from the Data Protection Officer in order to gain access to such documents.
All written authorizations issued by the Data Protection Officer shall indicate the date, time, duration, and purpose of the access to the documents. The Data Protection Officer shall thereafter compile and register all issued written authorizations in a logbook for reference and inspection purposes.
3. Persons involved in processing information
Persons involved in processing information shall always maintain confidentiality. They shall also maintain the integrity of the Personal Information collected by EMSAVVIL.
4. Transfer of information
Transfers of Personal Information via e-mail shall use a secure e-mail facility with encryption of the information, including any and all attachments. For reference and security purposes, EMSAVVIL may cause the printing of e-mail threads, and the print-outs shall be stored with the secure folder corresponding to the client.
C. TECHNICAL MEASURES
EMSAVVIL shall implement the following technical security measures to ensure the existence of appropriate, sufficient, and effective safeguards to secure the processing of Personal Information, particularly through the computer network, including the encryption and authentication processes.
1. Monitoring for security breaches
EMSAVVIL shall use an intrusion detection system to monitor security breaches. The system shall be programmed in a way that it will alert EMSAVVIL of any attempt to interrupt or disturb the system.
2. Security features
EMSAVVIL shall first review and evaluate software applications before their installation in the computers and devices of EMSAVVIL, and those of its employees, to ensure the compatibility of security features with overall operations.
3. Review of security policies
EMSAVVIL shall review security policies, conduct vulnerability assessments, and perform penetration testing on a regular basis to be prescribed by the Data Protection Officer, or to be required by the Commission.
4. Authentication process
Each employee of EMSAVVIL with access to Personal Information collected by EMSAVVIL shall verify his or her identity using a secure encrypted link and multi-level authentication.
VI. BREACH AND SECURITY INCIDENTS
A. DATA BREACH RESPONSE TEAM
A Data Breach Response Team (the “Team”), comprising the Data Protection Officer as Head of Team, the Office Administrator, and three (3) other employees to be appointed by EMSAVVIL, shall be created. The Team shall be responsible for immediate action in the event of a security incident or personal data breach. The Team shall conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effects of the incident or breach.
B. PRIVACY IMPACT ASSESSMENT
EMSAVVIL shall regularly conduct Privacy Impact Assessments in order to identify risks in the processing system, update the system if necessary according to the assessment, and to regularly monitor the same for security breaches.
C. RECOVERY AND RESTORATION OF PERSONAL DATA
EMSAVVIL shall always maintain a backup file for all personal data or information under its custody. In the event of a security incident or data breach, the Team or any member thereof to be designated by the Data Protection Officer shall cause the comparison of the backup file with the affected file, to determine the presence of any inconsistency or alteration that may have resulted from the security incident or data breach.
D. NOTIFICATION PROTOCOL
The Data Protection Officer shall inform the management of EMSAVVIL of the need to notify the Commission and the data subjects affected by the security incident or data breach within the period prescribed by law or regulation by the Commission. EMSAVVIL may decide to delegate the actual notification to any member of the Team.
E. DOCUMENTATION AND REPORTING
The Team shall prepare a detailed documentation of every security incident or data breach encountered, as well as an annual report, to be submitted to the management of EMSAVVIL and the Commission, within the period prescribed by law or regulation by the Commission.
VII. INQUIRIES AND COMPLAINTS
A. RIGHTS OF DATA SUBJECTS
Every data subject has the right to reasonable access to his or her personal data being processed by EMSAVVIL. Other rights include the right to dispute the inaccuracy or error in the personal data; the right to request the suspension, withdrawal, blocking, removal, or destruction of personal data; and the right to complain and be indemnified for damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal data. Moreover, employees and apprentices who have resigned, been terminated, or whose contract with EMSAVVIL expired, as well as applicants of EMSAVVIL and other miscellaneous persons, may exercise their right to be forgotten.
B. PROCEDURE FOR INQUIRY
Data subjects may inquire or request information regarding any matter relating to the processing of their Personal Information and data under the custody of EMSAVVIL, including the data privacy and security policies implemented to ensure the protection of their Personal Information. They may write to EMSAVVIL at helpdesk@emsavvil.com and briefly discuss the inquiry, together with their contact details for reference. EMSAVVIL may invite data subjects who have sent inquiries to a meeting in order to fully discuss the matter.
C. PROCEDURE FOR COMPLAINTS
Complaints regarding the handling by EMSAVVIL or any of its employees of the Personal Information of a data subject may be brought to the Data Protection Officer. Complainants may fill out a written form in three (3) printed copies, which shall be furnished to the Data Protection Officer. They may likewise send their complaint to helpdesk@emsavvil.com. Clients may course their complaint through the lawyer/s handling their matter.
VIII. EFFECTIVITY
The provisions of this Policy are effective this 1st day of July 2018.