I. Introduction
QBE GROUP SHARED SERVICES LIMITED – PHILIPPINE BRANCH or “QBE Group Shared Services Centre,” or “GSSC”) is committed to respecting our affiliates, employees’, job applicants’, third-party personnel deployed at GSSC premises, and third-party provider's representative’s privacy, protecting their personal data from misuse or unauthorised disclosure, and complying with privacy laws.
GSSC values its reputation and aims to maintain high ethical standards in the conduct of its business affairs. The actions and conduct of employees as well as others acting on GSSC’s behalf, such as agents and third parties, are key to maintaining these standards.
Failure to ensure adequate privacy compliance exposes GSSC to the risk of breaching privacy laws, and may result in significant fines and penalties, reputational damage, and other adverse regulatory impacts, additional costs, and third-party damages claims.
II. Definition
For purposes of this GSSC Privacy Policy Statement, the following terms are defined as follows:
“personal data” refers to either:
- “personal information”, which means any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information, would directly and certainly identify an individual; or
- “sensitive personal information”, which refers to personal information (1) about an individuals’ race, ethnic origin, marital status, age, color, and religious, philosophical, or political affiliations; (2) about an individual’s health, education, genetic, or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings; or (3) issued by government agencies peculiar to an individual, which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension, or revocation, and tax returns.
“processing” or “process” refers to any operation or any set of operations performed upon personal data, including, but not limited to, the collection, recording, organisation, storage, updating, or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of data. Processing may be performed through automated means or manual processing if the personal data are contained or are intended to be contained in a filing system.
“profiling” refers to any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
III. GSSC Privacy Policy Statement
The confidentiality of the personal data you have entrusted is important to GSSC. This GSSC Privacy Statement provides how QBE values and protects your personal data in accordance with the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations (IRR), other issuances of National Privacy Commission (NPC), and other relevant laws of the Philippines.
This GSSC Privacy Statement outlines how we collect, use, disclose, and safeguard your data when you interact with our services. We value your trust and are dedicated to being transparent about our practices.
Why does GSSC collect your personal data?
It is important that GSSC collects, uses, processes, stores, and retains your personal data when it is reasonable and necessary. This applies to affiliates, employees, job applicants, and third-party service providers, for the following reasons where applicable:
Purpose | Job Candidates | Third Party Personnel Deployed at GSSC Premises | Third Party Provider's Representative | Affiliates | Employees |
To track the progress of job applications and manage the recruitment process and strategy | X | ||||
For data analytics to determine trends pertaining to recruitment processes and strategies. | X | ||||
To comply with legal and regulatory requirements now existing or subsequently issued, including GSSC’s contractual obligations. | X | X | X | X | |
To manage and maintain relationships with affiliates and third-party service providers effectively. | X | X | X | ||
To comply with legal and regulatory requirements as it relates to your employment, such as to meet the requirements of the Social Security System (SSS), Bureau of Internal Revenue (BIR), Department of Labor and Employment (DOLE), National Labor Relations Commission (NLRC), Philippine Economic Zone Authority (PEZA), Philippine Health Corporation (PhilHealth), Home Development and Mutual Fund (HDMF), Bureau of Immigration, Securities and Exchange Commission (SEC), Board of Investments (BOI), relevant local government units, local enforcement agencies, and such other government agencies as QBE may later be required to deal with; | X | ||||
To fulfill GSSC’s obligations under the law and the terms of any contracts, including employment contracts. | X | X | |||
To enable GSSC to process your payroll, deliver your employment benefits (e.g., HMO benefits, life insurance coverage), and remittance of your income taxes and mandatory government contributions (e.g., to BIR, SSS, PhilHealth, and HDMF); | X | ||||
To track the progress of your work performance or provide you career development opportunities, including training and development, as part of GSSC’s performance management framework | X | X | |||
For purposes of workforce management and optimization as part of GSSC’s recruitment process and talent management; | X | X | |||
For data analytics to enable GSSC to determine trends pertaining to work performance and environment, as well as in the insurance business market; | X | X | X | ||
To enable GSSC to comply with its corporate policies. | X | X | X | X | X |
To comply with legal and regulatory requirements now existing or subsequently issued, including GSSC’s contractual obligations. | X | X | X | X | X |
To perform GSSC’s legitimate interests as an organisation. | X | X | X | X | X |
To set up provisions to respond to your health emergency; | X | X | X | X | |
To monitor quality of QBE’s service delivery; | X | X | X | X | |
For emergency purposes and as part of GSSC’s crisis management/ response efforts during business continuity or disaster recovery events; | X | X | X | X | |
To allow QBE to promote and maintain work health and safety including:
| X | ||||
To determine your compliance with QBE’s attendance policy and to validate the appropriateness of your availment of sick leave credits; | X | ||||
To implement corporate information security measures to secure GSSC’s proprietary information and IT assets | X | X | X | X | |
For corporate security management and monitoring to maintain the safety of GSSC employees, third-party providers, and guests while within GSSC premises and security of GSSC corporate assets; | X | X | X | X | |
To monitor employees’ compliance with GSSC corporate policies, such as GSSC’s Code of Ethics and Conduct; | X | X | X | X | |
For process improvement initiatives, which may involve the use of artificial intelligence (AI). | X | X | X | X | |
For organising and managing social events initiated by GSSC; and | X | X | X | X | |
For mass media communications | X | X | X | X |
Notwithstanding any other provisions contained herein, the applicability of the listed activities to any data subject shall be determined based on the specific circumstances at the time. The inclusion of any activity in this list does not guarantee its application in every instance, and the company reserves the right to assess and apply these activities on a case-by-case basis, in accordance with relevant laws and regulations.
In the processing of your personal data, QBE may carry out wholly or partly automatic processing operations that may involve a series or structure set of processing operations performed on your personal data, which is intended to serve a single purpose or several related purpose as set forth in this GSSC Privacy Policy Statement, including passive collection of data; or use automated decision-making and profiling systems, including artificial intelligence (AI) technology.
What type of personal data does GSSC collect?
As a GSSC employee, affiliate, job applicant, or third-party service providers’ GSSC receives or collects your personal information and sensitive personal information for the duration of your relationship with GSSC. Please note that you are responsible for ensuring that all such personal data you submit to GSSC are accurate, complete, and up-to-date.
The personal information we collect depends on the circumstances of your interactions with us. The table below lists examples of the type of personal information we collect.
Type of personal information | Examples of what personal information this may include |
Identity information and contact details | Name, date of birth, mailing and residential address, telephone numbers, and email address. |
Demographic information | Age, gender, country of birth, citizenship or residency status, relationship status and family circumstances, education, whether you have children, dependents, or are as a carer. |
Philippine Government related identifiers or copies of identity documents |
|
Employment information | Employment status, employer or employees, role, workers employment history, salary, workplace performance, workplace injuries, accidents, and misconduct. |
Health or medical information |
|
Biometric Data:
|
|
Interaction and behavioural information | Your interactions with us, including your queries or complaints, opt-ins to receive marketing surveys and communications, as well as information collected at the point of application and claims processing. See also websites and app tracking section in this table. |
Website and app tracking | When you visit our websites or use one of our applications we, or third parties acting on our behalf, use cookies to collect information which may include personal information. We use both 'persistent' and 'session' cookies. We also use other technologies similar to cookies, including those which are embedded into, or which accompany emails sent by us or on our behalf. The information we collect includes
|
Vulnerability | Information which may indicate vulnerability such as age, disability, mental health conditions, physical health conditions, family violence, language barriers, literacy barriers, cultural background, remote location, or financial distress. |
Other sensitive information |
|
How does QBE acquire or maintain your personal data?
QBE acquires or receives your personal data from the time you applied for a job with QBE and for the duration of your employment through any of the following means:
- directly from the data subjects;
- from third-party service providers;
- from publicly available sources of information such as social media websites;
- from your dealings with our business/project owners due to new initiatives or updates on existing program;
- During the recruitment and onboarding process, you will submit recruitment/job application forms through hard copies, electronic documents, or an online recruitment system, along with any additional documents required during the hiring process. Necessary background and health checks will be conducted. You will also need to provide documents for opening a payroll account with GSSC’s designated bank. Additionally, you will provide or update your information using QBE’s HRMS tool (e.g., Workday).
- The forms that you fill/filled-up, whether through hard copies, electronic documents, or an online system, including the documents that you submitted in the course of your hiring process:
- Patient medical record
- Clinic consultation record
- Clinic visitation report
- during pre-employment medical examination;
- during annual physical examination;
- When you disclose your personal data to QBE by submitting your medical records generated by or
provided by a third party (e.g., your physician., third party HMO provider, or former employer); and - When you disclose your personal data to QBE through online services such as Teleconsult.
- When you disclose your personal data or your personal data is captured through phone calls, mobile devices, instant messaging systems (e.g., Viber, WhatsUp, Skype, MS Teams, text messaging, etc.) e-mails, or when you otherwise use and access GSSC facilities and network;
- When you disclose your personal data while accessing or using GSSC tools and facilities, or when accessing GSSC premises in the course of your employment, official business engagement, or other interactions with GSSC, this includes using GSSC-provided laptops, mobile phones, or wireless devices, shared drives, network drives allocated for your use, instant messaging systems, productivity software, collaboration systems, enterprise social networking services, HRMS tools, productivity and workflow systems, email systems, insurance operations-related tools, online survey systems, corporate and network security systems, workforce optimisation tools, workforce management and allocation systems, quality control and assurance processing systems, communication systems, incident and crisis management systems, whistleblowing systems, governance, risk, and compliance systems, internal audit systems, contract management systems, travel and expenses management systems, learning and training systems, payroll systems, data analytics tools, desktop virtualisation, networking systems, and other IT and networking systems (collectively, “GSSC Tools and Facilities”).
The GSSC Tools and Facilities that you are given accessed to or in place within GGSC premises are outsourced to GSSC’s valuable partners that have contractual obligations in place to secure personal data that the latter may acquire in the course of their delivery of outsourced services to GSSC.
Who does GSSC share data with?
As GSSC is the shared services centre to the Divisions, it is part of the offshore outsourcing arrangement that GSSC may share data with QBE located in Australia, New Zealand, North America, United Kingdom, Europe, , and Asia Pacific.
In order to be compliant with laws and fulfill its contractual obligations under your employment contract, QBE will be required to disclose data about you to the BIR, SSS, PhilHealth, HDMF, PEZA, Bureau of Immigration, SEC, DOLE, BOI, NLRC, relevant local government units, local enforcement agencies, and such other government agencies that have the legal authority to require the disclosure of your data.
As GSSC has outsourced payroll services and certain recruitment functions (including background and health checks), QBE will be providing data and information to GSSC’s payroll and recruitment processing outsourcing providers. For the purpose of promoting work health and safety, GSSC will be providing data and information to providers of corporate security, building maintenance, HMO services, life insurance cover, health and wellness, storage facility, and crisis management. GSSC will be providing data to its consultants, legal counsels/advisors, accountants, and job-contractors as required in the operation of shared services centre.
Any of the foregoing GSSC partners are contractually bound to secure any data that they receive from GSSC, which are intended to be used only for the purpose disclosed in this Privacy Statement.
GSSC will not share your personal data to a third party, except in instances when required by law, when it is necessary for GSSC to perform its legal, regulatory, and contractual obligations, or in order for GSSC to perform its legitimate interests as an organisation.
How does GSSC protect your personal data?
We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. Our security measures include:
- Limiting physical access to our premises
- Restricting electronic and physical access to personal information we hold
- Monitoring staff access to your personal information
- Having standby systems and information backups to handle major business interruptions
- Maintaining information security products such as system firewalls, encryption tools, and secure file transfer services
- Implementing risk management processes to uphold policies, standards, and procedures that govern the protection of your personal information
Assessing third-party security measures
Consent to Collect, Use and Share Your Personal Information
For certain activities and types of personal information, such as sensitive information and credit-related information, we are required to obtain your consent to collect, use and disclose your personal information. In these circumstances, we make sure you:
- know the consequences of giving or not giving your consent
- understand that consent is voluntary in that you are not being forced to provide consent, and
- know that your consent is current and specific when given
There are benefits and risks to giving consent for handling your sensitive personal information. The main benefit is that it allows us to provide you with our services.
However, there are also risks. If there is a data breach, your personal information could be misused, interfered with, lost, or accessed, modified, or disclosed without authorisation. We take information security seriously and have measures in place to keep these risks low.
Where and how long do we keep your personal data?
The personal data will be stored in facilities located in the Philippines , its affiliated offsite storage, and in QBE servers of the QBE Division that you are supporting or associated with, that are located in Asia, Australia, United States of America, United Kingdom, and Europe, for the duration of your employment and for a period of 7 years post your employment, except for those record type with specific regulatory retention requirements.
Candidates:
The personal data will be stored in facilities located in the Philippines and in QBE servers of the QBE Division that you are supporting or associated with, that are located in Australia, United States of America, United Kingdom and Europe, and will be retained for a period of two (2) years from the date of submission of your job application or end date of your job application process, whichever comes first.
You have the right to have your data deleted and withdraw your consent to further use your personal data by QBE, unless QBE has a legal ground or overriding legitimate interest to keep and/or for the continued processing of your personal data or as required or justified by applicable law. Your consent to process your personal information may be required to progress your job application. If you withdraw your consent, QBE will be unable to process your job application.
Employees:
In the event that your job application progresses to the point you are offered a job at QBE, your personal data will be retained for the duration of your employment and for a period of seven (7) years from the termination of your employment except for those record type with specific regulatory retention requirements. Upon the expiration of the Retention Period, QBE will properly dispose your personal data.
Third-Party Personnel Deployed at GSSC Premises and Third-Party Provider's Representative
While the vendor/third party contract is in place + 10 years from contract termination), except for those record type with specific regulatory retention requirements.
Requesting Corrections to Our Records
Please let us know if you think your information captured in company records is incorrect. However, any request for rectification under the Data Privacy Act of 2012 does not extend to situations where a correction requires a court order, approval from a government agency, or is part of an official process mandated by other laws and regulations.
To request for correction or deletion, contact the following:
- If you’re a candidate or employee, email [email protected] .
- If you’re a third-party service provider, email [email protected] .
We reserve the right to impose charges if rectifying their data necessitates unreasonable costs and efforts.
For certain conditions, PIC (GSSC in this case) may deny, wholly or partially, the data subject’s request for erasure/deletion of their personal information. These are the following:
- Fulfillment of the purpose/s for which the data was obtained;
- Compliance with a legal obligation which requires personal data processing;
- Establishment, exercise, or defense of any legal claim;
- Legitimate business purposes of the PIC, consistent with the applicable industry standard for personal data retention;
- To apprise the public on matters that have an overriding public interest or concern, taking into consideration the activities listed in the collection of data table.
Your Rights
The National Privacy Commission (NPC) of the Philippines outlines several rights for data subjects under the Data Privacy Act of 2012. Here are your rights as a data subject:
Right to be Informed: As a data subject, you have the right to be informed whether your personal data shall be, are being, or have been processed, including the existence of automated decision-making and profiling.
Right to Damages: As data subject, you have the right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorised use of your personal data, taking into account any violation of your right and freedoms as data subject.
Right to Access: You can request access to your personal data and obtain information about how it is being used.
Right to File a Complaint: If you feel that your personal information has been misused, maliciously disclosed, or improperly disposed, or that any of your data privacy rights have been violated, you have a right to file a complaint with the National Privacy Commission.
Right to Object: As a data subject, you shall have the right to object to the processing of your personal data where such processing is based on consent or legitimate interest.
Right to Rectify: As a data subject, you have the right to dispute the inaccuracy or error in your personal data and have the PIC correct the same within a reasonable period of time.
Right to Erasure or Blocking: As the data subject, you have the right to request for the suspension, withdrawal, blocking, removal, or destruction of your personal data from the PIC’s filing system, in both live and backup systems.
Right to Data Portability: As a data subject, you have the right to obtain from the PIC a copy of your personal data and/or have the same transmitted from one PIC to another, in an electronic or structured format that is commonly used.
Source: https://privacy.gov.ph/data-subject-rights/
What if there are changes in this GSSC Privacy Statement?
From time to time, it may be necessary for GSSC to change this Privacy Statement. If there is any change to this Privacy Statement, GSSC will post/cascade the revised version in the GSSC Policy Register https://qbe.sharepoint.com/sites/q-gs-business-units/SitePages/gssc-policies-procedures.aspx, GSSC Intranet (QUBE), GSSC Media Boards, through e-mail communications, or you may also request for a copy from the GSSC Data Protection Officer. It is your responsibility to check the GSSC Policy Register or QUBE periodically or to contact the GSSC Data Protection Officer, GSSC Risk and Compliance, for the most up-to-date version of the GSSC Privacy Statement.
What you need to do in case of date breach incident?
If you see or know of any incident that you believe can result in data breach (e.g., physical security or network security incident), please report and contact the GSSC Data Protection Officer within twenty- four (24) hours from knowledge of the incident.
GSSC Data Protection Officer
If you have any questions about this Privacy Policy Statement, concerns, or want to report a data breach incident or a complaint, you can contact the GSSC Data Protection Officer (DPO):
Data Protection Officer
GSSC Compliance, QBE Group Shared Services Centre
24th Floor, Three/Neo Building, 30th Street corner 3rd Avenue
Bonifacio Global City, Taguig City, Philippines
[email protected]
We reserve the right to update or modify this Privacy Statement at any time. Any changes will be effective immediately upon posting the revised Privacy Statement on our website. We encourage you to review this Privacy Statement periodically to stay informed about how we are protecting your information.