Collection and Processing of Personal Data

A.    Purposes of collection and processing; recipients of personal data

The Company collects and processes personal data for the purposes (i) for which data subjects have provided the data or made it otherwise available to the Company or to the public, and to enable the Company to fully and efficiently achieve those purposes, (ii) as allowed by applicable law, and (iii) specified in Schedule C (collectively, the "Purposes").

Recipients of personal data that the Company collects include persons within the Company (including any affiliates or related companies), third parties to whom the Company have outsourced or may outsource certain business or operating activities, advisers, suppliers, and service providers, in order to achieve the Purposes. Some of these entities may be outside the Philippines, so that transfer of data will be cross-border. The Company may also disclose information, whether intended to be kept confidential or not, upon lawful request by a governmental authority, in response to a court order, or when required by applicable law. Please see Schedule C for more information about persons to whom personal data may be transferred or shared.

B.    Scope and method of collection and processing

The Company utilizes standard manual and computerized methods and systems to file, store and process personal data. Collection and processing of personal data will be undertaken in accordance with the principles set out in this Policy and as required by law.

The Company will store and retain personal data for such period as may be required by applicable law or as may be needed to enable the Company to fully and efficiently achieve the Purposes.

The Company observes three (3) levels of destruction: Clear, Purge and Destroy.

• CLEAR - A method of sanitization that applies programmatic, software-based techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard Read and Write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state (where rewriting is not supported).

• PURGE - A method of sanitization that applies physical or logical techniques that render Target Data recovery infeasible using state of the art laboratory techniques.

• DESTROY - A method of sanitization that renders Target Data recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for storage of data.

C.    Data collection through the Company website

The Company may automatically (i.e. not by registration) collect non-personal data (e.g. type of Internet browser and operating system used, domain name of the website visited, number of visits, average time spent on the site, pages viewed) from viewers of its website. This data may be used and shared with the Company’s worldwide affiliates/subsidiaries to monitor the attractiveness of the websites and improve performance or content.

Further, the Company may store some data on the data subject’s computer in the form of a “cookie”, to enable the website to automatically recognize the specific computer upon the next visit made through such computer. A cookie is a small text file that is stored on a person’s computer for record-keeping purposes which may contain information about that person. Cookies can help the Company in many ways, for example, by allowing them to tailor a website to better match interests or to store passwords to save re-entering it each time. The Company has no access to or control over these cookies. Those who do not wish to receive cookies can configure their internet browser to erase all cookies from their computer’s hard drive, block all cookies, or to receive a notification before a cookie is stored.

Data Privacy for Third Party Websites addresses the use and disclosure of information the Company collects on the www.grantthornton.com.ph website. Other websites that may be accessible through the Company’s website have their own privacy policies and data collection, use, and disclosure practices. As such, the Company ’s responsibility is limited only to the use of its website and consequently, it is not responsible for the policies or practices of third parties.

D.    Consent and other lawful criteria for collection and processing

Where data subjects have provided the Company or made available to the Company their personal data, including through any of the interactions mentioned in Section IV and Section VII, they agree and consent to the Company ’s collecting, using, disclosing, sharing and otherwise processing the personal data, for the Purposes, and in the manner and under the terms and conditions in this Policy.

By accepting employment with the Company, an employee agrees and consents to the processing and use of his personal data in accordance with this Policy and applicable laws.

All employees must adhere to this Policy and applicable laws in respect of the privacy and protection of personal data.  Non-compliance is a ground for disciplinary action and may constitute a criminal offense.

All employees shall sign and adhere to the Employee Personal Information Collection Statement set out in Schedule D.

By agreeing to contract the services of the Company, a client agrees and consents to the processing and use of its personal data in accordance with this policy and applicable laws.

A client acknowledges and fully understands and accepts the terms of the Company’s Data Privacy including the Client Personal Information Collection Statement as provided in Schedule E.

This supplements but does not supersede or replace any other consents data subjects may have previously provided or will provide to us in respect of their personal data, or the existence of a lawful basis or bases for the collection and processing of their personal data.

Applicable law allows the Company to process data subjects’ personal data in accordance with other criteria or where the data is not covered by the DPA.

Back to top