A. Purposes of collection and processing; recipients of personal data
The Firm collects and processes personal data for the purposes (i) for which data subjects have provided the data or made it otherwise available to the Firm or to the public, and to enable the Firm to fully and efficiently achieve those purposes, (ii) as allowed by applicable law, and (iii) specified in Schedule C (collectively, the "Purposes").
Recipients of personal data that the Firm collects include persons within the Firm (including any affiliates or related companies), third parties to whom the Firm have outsourced or may outsource certain business or operating activities, advisers, suppliers, and service providers, in order to achieve the Purposes. Some of these entities may be outside the Philippines, so that transfer of data will be cross-border. The Firm may also disclose information, whether intended to be kept confidential or not, upon lawful request by a governmental authority, in response to a court order, or when required by applicable law. Please see Schedule C for more information about persons to whom personal data may be transferred or shared.
B. Scope and method of collection and processing
The Firm utilizes standard manual and computerized methods and systems to file, store and process personal data. Collection and processing of personal data will be undertaken in accordance with the principles set out in this Policy and as required by law.
The Firm will store and retain personal data for such period as may be required by applicable law or as may be needed to enable the Firm to fully and efficiently achieve the Purposes.
The Firm observes three (3) levels of destruction: Clear, Purge and Destroy.
- CLEAR - A method of sanitization that applies programmatic, software-based techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard Read and Write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state (where rewriting is not supported).
- PURGE - A method of sanitization that applies physical or logical techniques that render Target Data recovery infeasible using state of the art laboratory techniques.
- DESTROY - A method of sanitization that renders Target Data recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for storage of data.
C. Data collection through the Firm website
The Firm may automatically (i.e. not by registration) collect non-personal data (e.g. type of Internet browser and operating system used, domain name of the website visited, number of visits, average time spent on the site, pages viewed) from viewers of its website. This data may be used and shared with the Firm’s worldwide affiliates/subsidiaries to monitor the attractiveness of the websites and improve performance or content.
Further, the Firm may store some data on the data subject’s computer in the form of a “cookie”, to enable the website to automatically recognize the specific computer upon the next visit made through such computer. A cookie is a small text file that is stored on a person’s computer for record-keeping purposes which may contain information about that person. Cookies can help the Firm in many ways, for example, by allowing them to tailor a website to better match interests or to store passwords to save re-entering it each time. The Firm has no access to or control over these cookies. Those who do not wish to receive cookies can configure their internet browser to erase all cookies from their computer’s hard drive, block all cookies, or to receive a notification before a cookie is stored.
Data Privacy for Third Party Websites addresses the use and disclosure of information the Firm collects on the www.grantthornton.com.ph website. Other websites that may be accessible through the Firm’s website have their own privacy policies and data collection, use, and disclosure practices. As such, the Firm’s responsibility is limited only to the use of its website and consequently, it is not responsible for the policies or practices of third parties.
D. Consent and other lawful criteria for collection and processing
Where data subjects have provided the Firm or made available to the Firm their personal data, including through any of the interactions mentioned in Section IV and Section VII, they agree and consent to the Firm’s collecting, using, disclosing, sharing and otherwise processing the personal data, for the Purposes, and in the manner and under the terms and conditions in this Policy.
By accepting employment with the Firm, an employee agrees and consents to the processing and use of his personal data in accordance with this Policy and applicable laws.
All employees must adhere to this Policy and applicable laws in respect of the privacy and protection of personal data. Non-compliance is a ground for disciplinary action and may constitute a criminal offense.
All employees shall sign and adhere to the Employee Personal Information Collection Statement set out in Schedule D.
By agreeing to contract the services of the Firm, a client agrees and consents to the processing and use of its personal data in accordance with this policy and applicable laws.
A client acknowledges and fully understands and accepts the terms of the Firm’s Data Privacy including the Client Personal Information Collection Statement as provided in Schedule E.
This supplements but does not supersede or replace any other consents data subjects may have previously provided or will provide to us in respect of their personal data, or the existence of a lawful basis or bases for the collection and processing of their personal data.
Applicable law allows the Firm to process data subjects’ personal data in accordance with other criteria or where the data is not covered by the DPA.