Privacy Statement for prospective and existing customers, including customers with terminated services
We value the privacy of our individual customers and their authorized representatives as well as the officers, employees, attorneys-in-fact, and authorized representatives of our corporate customers. We commonly collect their personal data in business centers during service application and in official social media accounts of MERALCO for inquiries. Recently, we have been collecting their personal data in digital platforms for bills payment.
Whenever we collect their personal data, we provide privacy notices and consent forms, whichever is applicable, at the point of collection, and also ask for information that are relevant and necessary for us to perform our services to them.
We collect your personal data in the course of, or incidental to the conduct of, our business with you. These data include any other information that you voluntarily provide to us for any legitimate purpose declared at the point of collection as well as information about you that we received from third parties and other sources where the disclosure was subject of a consent that you gave separately, a legal requirement or any legitimate purpose declared in this statement.
We will be collecting the following information from you:
Information you provide to us when you apply for service, such as your name, address (i.e. postal address, geographical coordinates, and open location codes), phone number, email address, Tax Identification Number (TIN), government-issued identification information, evidence of authority to occupy (e.g., contract of lease, Transfer Certificate of Title, Special Power of Attorney (SPA), Undertaking / Authorization from owner of the premises) and, if applicable, details of your authorized representative and other documentary requirements;
Information you provide in relation to the conduct of our business such as regarding retail electricity supply or embedded generation;
Billing and payment information used to process payment for your electric consumption and other liabilities, such as your banking (for auto debit arrangement) and credit card (for auto charge arrangement) information. However, details of the payment instrument (like prepaid card, debit card, credit card) used to pay your bills via the MERALCO Customer Portal are captured and processed by the payment gateway service provider;
Information to determine your eligibility and creditworthiness to participate in certain energy programs or services, such as peak-off-peak rates (POP), net metering, Interruptible Load Program (ILP), demand side management (DSM), etc.;
Information you provide us when you visit or use our company website, mobile and online applications, as well as our official social media accounts, such as when you contact us to lodge your concerns, register at our customer portal, or avail of our online application, outage notifications, and billing and/or payment services, including information generated through such activities or, more specifically, your device details: location, internet protocol address, transaction time stamp, device identification, device type, network identification, browser type, and operating software type;
Information you give us when you communicate with MERALCO and/or any of our representatives whether in our business centers (e.g. Relationship Managers), through our hotline (e.g. Call Center Representatives) or through our official social media accounts (e.g. Digital Agents), such as with respect to inquiries and complaint details on the quality and reliability of electric service;
Meralco-related information that you post in your social media accounts, such as your posts in Twitter, Facebook, YouTube, etc. that talk about your experience in transacting with Meralco and/or any of our representatives;
Responses you or your representative provide when you participate in our customer surveys, promos, and loyalty programs and when you interact with posts published in Meralco’s official social media accounts; and
Information you provide for verification purposes (e.g., to facilitate refunds), such as photocopy of a valid / government-issued identification card; and
Information you provide when you visit or use the Certified by Meralco (CBM) Platform to reach out to and tap energy service providers, contractors, developers, and designers to assist you in complying with various technical requirements before Meralco energizes your premises.
We store, process, and/or analyze the personal data collected for some legitimate purpose, related or incidental to the conduct of our business, including maintaining safety and security within the Company premises.
Specifically, we may store, process, and/or analyze your personal data for the following and any other legitimate purposes related to the fulfillment thereof:
To perform our contractual and legal obligations to you. We process your personal data to evaluate your eligibility and creditworthiness for electric and other related services; to provide you quality, reliable and regular supply of electricity; and to continuously improve our business and operations as well as our products and services;
To enhance your customer experience. We process your personal data to respond to your inquiry, concern, or complaint; to provide you information about our programs, service offerings, and any other programs or promos that may be of interest to you; to provide you assistance in complying with various technical requirements for energization; to send you messages related to your services including outage notifications, updates, alerts, and other information that you request; to understand your needs and preferences by analyzing your use of our products and services, your participation in our surveys and research activities, and your browsing behavior in our mobile and digital applications, company website, including its webpages, and official social media accounts; to address root causes of common concerns by analyzing Meralco-related information that you post in your social media accounts, so we can serve you better.
Information collected from social media will not be used against you or to hold you in a negative light, except if the social media activity promotes fraud or any illegal act that can hurt others.
To manage your account with us. We process your data to administer and update your customer data; to compute your electric consumption and facilitate your payment or claims, including acceptance of bill payments according to your enrolled payment mode (e.g., automatic debit from your bank account); to verify your identity when you access your account through the various customer engagement channels (e.g., e-mail, website, mobile application, via phone call, walk-in) and/or your eligibility to our programs, or entitlement to refunds and other claims; and to conduct meter-reading and meter installation.
For our non-portal enrolled customers, we process your data to facilitate non-portal service notifications, including bill notifications, payment confirmation, payment reminders (Due Date, Overdue, Disconnection Notice), and outage notifications through your preferred engagement channel/s.
To comply with applicable laws & regulations. We collect and process your personal data to comply with the existing laws, rules and regulations, as well as ordinances, issued or mandated by the government, all or any of its agencies and instrumentalities, national or local, e.g., submit reportorial requirements to regulatory bodies; initiate and/or facilitate various electricity programs; cooperate with law enforcement; and commit to the legal obligation of the Company in the protection of its customers: industrial, commercial, and residential, including those still applying for electric service. We shall, if summoned, disclose necessary information, subject to careful review by Company authorities and as mandated by law.
1Data Subject - Prospective, Existing, and Terminated Customers
2 As needed / as applicable
3 When applicable, data sharing or outsourced processes are covered by DSA, NDA, and/or OAs
Note: Privacy Notice is process specific while the Privacy Statement is a public commitment to data privacy
Employees, Authorized Representatives, Trainees, and Consultants
We ensure that our employees and trainees commit to observe the privacy policies of the Company. We require our Authorized Representatives and Consultants to sign a Non-Disclosure Agreement (NDA), to ensure that they process your data confidentially in a manner consistent with the purpose of their employment or engagement.
Contractors, and Business Partners, including Auditors
We require our contractors, subsidiaries, and business partners, through a Data Processing, Data Sharing, or Outsourcing Agreements, as applicable, and/or Non-Disclosure Agreement (NDA), to secure and keep your data confidential. We take your privacy seriously so punitive or legal action will be initiated in case of proven misdeed. Moreover, we do not allow our contractors, subsidiaries, and business partners to disclose or share your data to others, or to use it for their own purposes, without your consent.
Your information may also be disclosed to government entities pursuant to and in compliance with applicable laws and regulations, subpoena or court order.
Unless you provide specific consent or except in instances allowed under the DPA, we will not:
Share your personal data with our business partners and other third parties for their own commercial purpose or benefit;
Use your personal data to enable third-party targeted advertisements which are not related to our business.
In case data sharing, including cross-border transfer, is allowed, we shall ensure the protection of your data through appropriate Data Sharing Agreements and commit to give you prior notice to any such transfer and processing of your data.
We are committed to ensure the integrity, confidentiality, availability, and security of your information. We implement reasonable organizational, physical, and technical security measures in collecting, processing, transmitting, storing, and disposing your personal data such as using secure servers, firewalls and security controls and ensuring regular conduct of audit and testing of our security protocols. We only store your personal data in Meralco-owned and/or controlled data storage solutions.
For an enhanced online experience, our services are available through compatible devices, such as laptops, PCs, tablets, and mobile phones. For your added security, we recommend that you install anti-virus software on any such device before accessing the internet.
You are responsible for the security of your information once it reaches you or your representative in any medium, including but not limited to written correspondences, bills, emails, system applications, and on-line accounts. You should take appropriate measures to ensure that any medium or device you use to monitor or manage your account is secure and not accessible to anyone without permission.
We keep your personal data only for as long as necessary:
for the fulfillment of the declared, specified, and legitimate purposes provided above, or when the processing relevant to the purpose has been completed or terminated;
for the establishment, exercise, or defense of legal claims; or
for other business purposes, that are consistent with standards established or approved by regulatory agencies governing Meralco.
For further information on our retention rules for documents with personal data, you may refer to our Retention and Disposal Rules for Service Application and Billing-Related Documents with Personal Data and Retention and Disposal rules for Payments-Related Documents with Personal Data.
Thereafter, your personal data shall be disposed of or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other party or the public.
Since the outbreak of the coronavirus disease in 2019 (COVID-19), Meralco has actively cooperated and coordinated with government authorities in containing the spread of the virus and ensuring the safety and well-being of the persons it services, employs, and otherwise transacts with. The occupational safety of its employees and the general well-being of its data subjects are now among the primary concerns of Meralco, which prompted the Company to formulate policies and develop solutions for health monitoring of all its data subjects, as necessary. In collecting health information from its data subjects, Meralco shall always inform them about why, how, and where they will be used and shared, as discussed below.
We will be collecting the following health information from you as well as other relevant information:
Information you provide in Health Declaration Forms and Contact Tracing Forms as required by the Department of Trade and Industry (DTI) and Department of Labor and Employment (DOLE) Joint Memorandum Circular (JMC) No. 20-04-A Series of 2020, such as your full name, complete address, contact information, signature, COVID-19 exposure, health conditions, and travel history;
Information you provide in interviews to determine close contacts of a probable or confirmed COVID-19 case, including yourself; and
Information you give us when you visit the establishment or when you engage with Meralco and/or any of our representatives, through attendance records, CCTV footages, calendar of client meetings, and logbooks in facilities of exposure
We store, process, and/or analyze your personal data for the following purposes:
To conduct effective contact tracing and prevention and management of the spread of COVID-19 and other infectious diseases in Meralco offices and establishments;
To assist the government in providing effective response during the COVID-19 pandemic and other health crises that may be declared as a cause for state emergency including case investigations, treatment, and control and containment; and
To provide accurate and timely health information about notifiable diseases, and health-related events and conditions.
DTI-DOLE JMC No. 20-04-A
The DTI-DOLE JMC No. 20-04-A requires all private establishments to implement all necessary workplace safety and health programs, including COVID-related programs, at no cost to the employees. This includes remote management of cases and close contacts, isolation and referral, contact tracing, COVID-19 testing, occupational safety and health committees, notification and reporting, and disinfection and closure of buildings/workplaces.
Republic Act No. 11332
Under RA 11332, all public and private physicians, allied medical personnel, professional societies, hospitals, clinics, health facilities, laboratories, institutions, workplaces, schools, prisons, ports, airports, establishments, communities, other government agencies, and NGOs are required to accurately and immediately report notifiable diseases and health events of public health concern as issued by the DOH.
Republic Act No. 11058
RA 11058 requires all establishments, projects, sites, and all other places where work is being undertaken in all branches of economic activity to ensure a safe and healthful workplace for all working people by affording them full protection against all hazards in their work environment. This includes submitting all safety health reports, and notifications prescribed by the DOLE.
Unless you provide specific consent or except in instances allowed under the DPA, we will not:
Department of Health (DOH) and its partner agencies
We will share your information with DOH and its partner agencies for purposes of conducting contact tracing or management of probable, suspected, and confirmed COVID-19 patients. Meralco is mandated to report COVID-19 test results in the workplace in accordance with DOH Administrative Order No. 2020-0013, entitled “Revised Guidelines for the Inclusion of COVID-19 in the List of Notifiable Diseases for Mandatory Reporting to the Department of Health.”
Local government units (LGUs) or other authorized persons
We will also share your information to the local health office having jurisdiction over the workplace and the Barangay Health Emergency Team (BHERT) of your place of residence, in accordance with DOH DM No. 2020-0189.
We submit monthly reports of illness, diseases and injuries in the workplace to the Regional Office of the DOLE in accordance with the DTI-DOLE Interim Guidelines on Workplace Prevention and Control of COVID-19 using the Work Accident/Illness Report (WAIR) COVID-19 form.
We may share your information to our affiliate hospitals if, during health screening prior to your entry to any of the Company’s establishments or at any point that you voluntarily declare your health condition to us, we determine that you may need immediate medical assistance.
We may collect personal data and other information electronically through digital or online forms with privacy notices that provide a link to this Statement or a copy thereof placed at the point of data collection in a readable font and in an easy-to-understand presentation.
All personal data collected for contact tracing shall be retained only for the period allowed by existing government issuances. The DTI-DOLE JMC provides that personal data collected through the health declaration form or the contact tracing form shall be stored only for thirty (30) days from date of accomplishment.
All other personal data collected for the management of probable, suspected, and confirmed COVID-19 patients shall be stored only for as long as necessary or when the purpose for processing still exists. Thereafter, your personal data shall be disposed of or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other party or the public.
As an individual whose information we collect and store to fulfill our legitimate purposes, you have rights as a data subject under the DPA.
You have the right to be informed about how and why we collect your personal data. You also have the right to access a copy of your personal information in our possession; the right to withdraw consent that you previously gave; the right to have your information corrected if you believe that it is inaccurate or incomplete; and the right to erase or block your information from our databases.
We also recognize your right to data portability, also known as your right to obtain and electronically move, copy, or transfer personal data for further use. Furthermore, we also respect your right to file a complaint with the National Privacy Commission and your right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of your personal information.
If you wish to request for a copy of your personal data, or have it corrected or deleted, or to exercise your rights as data subject, you may reach out to us through our Data Privacy Office. Meralco DPO will promptly respond to your request or questions, and also review any feedback that you may have about our Privacy Statement.
Data Privacy Office
Office: Lopez Building, Meralco Center, Ortigas Avenue, Brgy. Ugong, Pasig City, 1600
We uphold your right to be informed whenever we provide a link to or a copy of this Statement prior to collecting your personal data or as soon as reasonably practicable after collection. In processing your data for the specific purposes we discussed in this Statement and those that may be related to such purposes, we shall endeavor to prepare privacy notices that remind you how we collect, use, disclose, and process your personal data in the manner described in this Statement, including our procedures relating to cookies, IP addresses and log files. As to any other purpose that you may not find or cannot infer from this Statement, we shall take all reasonable efforts to obtain your permission through a separate consent form that may either require your signature or contain a button that you could click as proof of your consent.
From time to time, we may update this Statement to comply with applicable laws, rules, and regulations; to reflect any changes to the foregoing; to align with industry practices; or for other legitimate purpose.
You may view past versions of the Statement here.
This Statement shall be reviewed annually or as necessary, in light of the following:
changes to the DPA and its IRR
new issuances from the NPC
changes to the Company’s data processing activities
others that may impact this Statement