Privacy Statement for vendors, suppliers or contractors, and consultants
We value the privacy of all our individual vendors, suppliers, contractors and consultants as well as the officers, employees, attorneys-in-fact, and authorized representatives of our corporate service providers. We request for the personal data of sole proprietors and other individual persons representing our corporate contractors mostly for purposes of accreditation and official correspondences. At the point of data collection, we give them an opportunity to review our Privacy Statement and sign acknowledgment forms to signify that they have understood how we uphold their rights as data subjects and how we secure copies of their personal data that are in our possession.
We collect your personal data in the course of, or incidental to the conduct of, our business with you. These data include any other information that you voluntarily provide to us for any legitimate purpose declared at the point of collection as well as information about you that we received from third parties and other sources where the disclosure was subject of a consent that you gave separately or a legal requirement.
We will be collecting the following information from you:
Information you submit to MERALCO in your application for accreditation, use of supply chain application system, and/or processing of payments, such as your name, tax identification number, government-issued identification information, address, contact details, educational attainment, work experience and banking information;
Information we collect and maintain about you and your employees in relation to the preparation, execution, or fulfilment of your contract with us, and to the development of a single contact directory that may guide MERALCO, its subsidiaries and affiliates in coordinating with your representatives for upcoming business partnerships or engagements;
Information we collect and maintain about you in relation to your Certified by Meralco (CBM) membership, such as when you apply for accreditation and participate in the CBM selection process in its website;
Information that your employees submit to have access to or perform your services or deliver your products within the premises of the Company.
We store, process, and/or analyze the personal data collected for some legitimate purpose, related or incidental to the conduct of our business, including maintaining safety and security within the Company premises.
Specifically, we may store, process, and/or analyze your personal data for the following and any other legitimate purposes related to the fulfillment thereof:
To establish our business relationship or consultancy engagement. We process your personal data to evaluate your application for accreditation or as basis for our engagement.
To conduct business with you. We process your data to enforce our legal and contractual obligations including evaluating or auditing the provision of goods and/or services you provide, and facilitating the payment of your invoices in various payment methods (i.e., Fund Transfer, Corporate Check, Outsourced Check); informing you of our requirements, programs, or advisories; referring you as a potential service provider to our customers; and responding to your questions, comments, and feedback by letter, e-mail, telephone, or other media for internal administrative purposes, such as auditing, data analysis, and database records management. Your data may also be processed to comply with statutory, legal, and regulatory requirements related to our business.
To maintain your account with us and establish potential business relationship with our Subsidiaries and Affiliates. We maintain and update your vendor account information and establish details of your authorized contact persons for the goods and/or services you provide. We may also process your data for procurement synergy initiatives, including referring you as a potential vendor to our subsidiaries and affiliates and maintaining a directory as a single point of reference in the pursuit of these initiatives.
1Data Subject - vendors, suppliers or contractors, and consultants
2 As needed / as applicable
3 When applicable, data sharing or outsourced processes are covered by DSA, NDA, and/or OAs
Note: Privacy Notice is process specific while the Privacy Statement is a public commitment to data privacy
Employees, Authorized Representatives, Trainees, and Consultants
We ensure that our employees and trainees commit to observe the privacy policies of the Company. We require our Authorized Representatives and Consultants to sign a Non-Disclosure Agreement (NDA), to ensure that they process your data confidentially in a manner consistent with the purpose of their employment or engagement.
Contractors, and Business Partners, including Auditors
We require our contractors, subsidiaries, and business partners, through a Data Processing, Data Sharing, or Outsourcing Agreements, as applicable, and/or Non-Disclosure Agreement (NDA), to secure and keep your data confidential. We take your privacy seriously so punitive or legal action will be initiated in case of proven misdeed. Moreover, we do not allow our contractors, subsidiaries, and business partners to disclose or share your data to others, or to use it for their own purposes, without your consent.
Your information may also be disclosed to government entities pursuant to and in compliance with applicable laws and regulations, subpoena or court order.
Unless you provide specific consent or except in instances allowed under the DPA, we will not:
Share your personal data with our business partners and other third parties for their own commercial purpose or benefit;
Use your personal data to enable third-party targeted advertisements which are not related to our business.
In case data sharing, including cross-border transfer, is allowed, we shall ensure the protection of your data through appropriate Data Sharing Agreements and commit to give you prior notice to any such transfer and processing of your data.
We are committed to ensure the integrity, confidentiality, availability, and security of your information. We implement reasonable organizational, physical, and technical security measures in collecting, processing, transmitting, storing, and disposing your personal data such as using secure servers, firewalls and security controls and ensuring regular conduct of audit and testing of our security protocols. We only store your personal data in Meralco-owned and/or controlled data storage solutions.
For an enhanced online experience, our services are available through compatible devices, such as laptops, PCs, tablets, and mobile phones. For your added security, we recommend that you install anti-virus software on any such device before accessing the internet.
You are responsible for the security of your information once it reaches you or your representative in any medium, including but not limited to written correspondences, bills, emails, system applications, and on-line accounts. You should take appropriate measures to ensure that any medium or device you use to monitor or manage your account is secure and not accessible to anyone without permission.
We keep your personal data only for as long as necessary:
for the fulfillment of the declared, specified, and legitimate purposes provided above, or when the processing relevant to the purpose has been completed or terminated;
for the establishment, exercise, or defense of legal claims; or
for other business purposes, that are consistent with standards established or approved by regulatory agencies governing Meralco.
For further information on our retention rules for documents with personal data, you may refer to our DP FAQ 2021-01 Retention of Documents Containing Personal Data.
Thereafter, your personal data shall be disposed of or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other party or the public.
Since the outbreak of the coronavirus disease in 2019 (COVID-19), Meralco has actively cooperated and coordinated with government authorities in containing the spread of the virus and ensuring the safety and well-being of the persons it services, employs, and otherwise transacts with. The occupational safety of its employees and the general well-being of its data subjects are now among the primary concerns of Meralco, which prompted the Company to formulate policies and develop solutions for health monitoring of all its data subjects, as necessary. In collecting health information from its data subjects, Meralco shall always inform them about why, how, and where they will be used and shared, as discussed below.
We will be collecting the following health information from you as well as other relevant information:
Information you provide in Health Declaration Forms and Contact Tracing Forms as required by the Department of Trade and Industry (DTI) and Department of Labor and Employment (DOLE) Joint Memorandum Circular (JMC) No. 20-04-A Series of 2020, such as your full name, complete address, contact information, signature, COVID-19 exposure, health conditions, and travel history;
Information you provide in interviews to determine close contacts of a probable or confirmed COVID-19 case, including yourself; and
Information you give us when you visit the establishment or when you engage with Meralco and/or any of our representatives, through attendance records, CCTV footages, calendar of client meetings, and logbooks in facilities of exposure
We store, process, and/or analyze your personal data for the following purposes:
To conduct effective contact tracing and prevention and management of the spread of COVID-19 and other infectious diseases in Meralco offices and establishments;
To assist the government in providing effective response during the COVID-19 pandemic and other health crises that may be declared as a cause for state emergency including case investigations, treatment, and control and containment; and
To provide accurate and timely health information about notifiable diseases, and health-related events and conditions.
DTI-DOLE JMC No. 20-04-A
The DTI-DOLE JMC No. 20-04-A requires all private establishments to implement all necessary workplace safety and health programs, including COVID-related programs, at no cost to the employees. This includes remote management of cases and close contacts, isolation and referral, contact tracing, COVID-19 testing, occupational safety and health committees, notification and reporting, and disinfection and closure of buildings/workplaces.
Republic Act No. 11332
Under RA 11332, all public and private physicians, allied medical personnel, professional societies, hospitals, clinics, health facilities, laboratories, institutions, workplaces, schools, prisons, ports, airports, establishments, communities, other government agencies, and NGOs are required to accurately and immediately report notifiable diseases and health events of public health concern as issued by the DOH.
Republic Act No. 11058
RA 11058 requires all establishments, projects, sites, and all other places where work is being undertaken in all branches of economic activity to ensure a safe and healthful workplace for all working people by affording them full protection against all hazards in their work environment. This includes submitting all safety health reports, and notifications prescribed by the DOLE.
Unless you provide specific consent or except in instances allowed under the DPA, we will not:
Department of Health (DOH) and its partner agencies
We will share your information with DOH and its partner agencies for purposes of conducting contact tracing or management of probable, suspected, and confirmed COVID-19 patients. Meralco is mandated to report COVID-19 test results in the workplace in accordance with DOH Administrative Order No. 2020-0013, entitled “Revised Guidelines for the Inclusion of COVID-19 in the List of Notifiable Diseases for Mandatory Reporting to the Department of Health.”
Local government units (LGUs) or other authorized persons
We will also share your information to the local health office having jurisdiction over the workplace and the Barangay Health Emergency Team (BHERT) of your place of residence, in accordance with DOH DM No. 2020-0189.
We submit monthly reports of illness, diseases and injuries in the workplace to the Regional Office of the DOLE in accordance with the DTI-DOLE Interim Guidelines on Workplace Prevention and Control of COVID-19 using the Work Accident/Illness Report (WAIR) COVID-19 form.
We may share your information to our affiliate hospitals if, during health screening prior to your entry to any of the Company’s establishments or at any point that you voluntarily declare your health condition to us, we determine that you may need immediate medical assistance.
We may collect personal data and other information electronically through digital or online forms with privacy notices that provide a link to this Statement or a copy thereof placed at the point of data collection in a readable font and in an easy-to-understand presentation.
All personal data collected for contact tracing shall be retained only for the period allowed by existing government issuances. The DTI-DOLE JMC provides that personal data collected through the health declaration form or the contact tracing form shall be stored only for thirty (30) days from date of accomplishment.
All other personal data collected for the management of probable, suspected, and confirmed COVID-19 patients shall be stored only for as long as necessary or when the purpose for processing still exists. Thereafter, your personal data shall be disposed of or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other party or the public.
As an individual whose information we collect and store to fulfill our legitimate purposes, you have rights as a data subject under the DPA.
You have the right to be informed about how and why we collect your personal data. You also have the right to access a copy of your personal information in our possession; the right to withdraw consent that you previously gave; the right to have your information corrected if you believe that it is inaccurate or incomplete; and the right to erase or block your information from our databases.
We also recognize your right to data portability, also known as your right to obtain and electronically move, copy, or transfer personal data for further use. Furthermore, we also respect your right to file a complaint with the National Privacy Commission and your right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of your personal information.
If you wish to request for a copy of your personal data, or have it corrected or deleted, or to exercise your rights as data subject, you may reach out to us through our Data Privacy Office. Meralco DPO will promptly respond to your request or questions, and also review any feedback that you may have about our Privacy Statement.
Data Privacy Office
Office: Lopez Building, Meralco Center, Ortigas Avenue, Brgy. Ugong, Pasig City, 1600
We uphold your right to be informed whenever we provide a link to or a copy of this Statement prior to collecting your personal data or as soon as reasonably practicable after collection. In processing your data for the specific purposes we discussed in this Statement and those that may be related to such purposes, we shall endeavor to prepare privacy notices that remind you how we collect, use, disclose, and process your personal data in the manner described in this Statement, including our procedures relating to cookies, IP addresses and log files. As to any other purpose that you may not find or cannot infer from this Statement, we shall take all reasonable efforts to obtain your permission through a separate consent form that may either require your signature or contain a button that you could click as proof of your consent.
From time to time, we may update this Statement to comply with applicable laws, rules, and regulations; to reflect any changes to the foregoing; to align with industry practices; or for other legitimate purpose.
You may view past versions of the Statement here.
This Statement shall be reviewed annually or as necessary, in light of the following:
changes to the DPA and its IRR
new issuances from the NPC
changes to the Company’s data processing activities
others that may impact this Statement