This document contains Open Access BPO’s Privacy Principles and Privacy Policy. It governs and supports all of the business activities of the Company in our processing of personal information. Open Access BPO refers to OAMPI Inc. and other Open Access BPO entities (collectively “we”, “us”, “Company”) that: (1) are involved in providing or receiving services or products, (2) send you communications, or (3) posted a position for which you are applying.
The Privacy Principles are the basic rules that guide the Company’s efforts as they relate to privacy and the handling and protection of personal information. These Privacy Principles are published for all internal and external audiences, including clients, associates, employees, and vendors.
The Privacy Policy is a document that expounds upon the Privacy Principles and provides guidance on actions Open Access BPO is to take relating to personal data. Compliance with the Privacy Policy and Principles is mandatory for all Open Access BPO personnel, other internal stakeholders, including external parties. The Privacy Policy includes common questions concerning the Company’s privacy program, its privacy practices, and areas of general privacy concern.
This document will govern all business activities that involve the processing of personal data undertaken by Open Access BPO and any person working under the Company’s direction or control.
This Policy is applicable to all Personal Data collected, received, possessed, owned, controlled, stored, dealt with, or handled by Open Access BPO in respect of an individual. Personal Data and information that Open Access BPO handles for its clients in the context of providing technology and outsourcing services shall be processed according to the contractual provisions and specific privacy practices agreed upon with each client, as applicable.
Open Access BPO has assigned a Data Privacy Officer who periodically reviews and approves the privacy policy and overall program. The Data Privacy Officer directs and maintains the principles, policy, standards and tools, provides solutions to privacy issues, facilitates implementation, and coordinates the response to major personal data breach incidents. The Data Privacy Officer advises, approves, and supports the policy’s implementations, and addresses stakeholders’ interests and concerns.
We have also put in place procedures to deal with any suspected personal data breach and will notify data subjects or the supervisory authority where we are legally required to do so. If you know or suspect that a personal data breach has occurred, you should immediately contact the Incident Response Team at irt_security@openaccessbpo.com. You must retain all evidence relating to personal data breaches in particular to enable the Company to maintain a record of such breaches, as required by relevant privacy laws and regulations.
At Open Access BPO, privacy is an inherent part of our values, and we are committed to cultivating an organization-wide privacy culture to protect the rights and privacy of individuals. Open Access BPO’s Privacy Policy is an embodiment of our commitment to comply with the data processing principles and fundamental guidelines laid out in privacy laws and regulations. These principles require that all data be:
1 – PROCESSED LAWFULLY, FAIRLY AND IN A WAY THAT IS TRANSPARENT TO THE DATA SUBJECT
Open Access BPO must provide detailed, specific information to data subjects depending on whether the personal information was collected directly from data subjects or from elsewhere.
Whenever we collect personal data directly from data subjects, for example for the recruitment and employment of employees, we must provide the data subject, at the time of collection, with all the prescribed information which includes:
When personal data is collected indirectly (for example, from a third party or publicly available source), we must provide information about the categories of personal data and any information on the source. The data subject will be provided with all the information required by privacy laws as soon as possible after collecting/receiving the data.
2 – COLLECTED, CREATED, OR PROCESSED ONLY FOR ONE OR MORE SPECIFIED, EXPLICIT, AND LAWFUL PURPOSES
These restrictions are not intended to prevent processing but ensure that we process personal data for legitimate purposes without prejudicing the rights and freedoms of data subjects. The legal bases for processing personal data are as follows:
3 – ADEQUATE, RELEVANT, AND LIMITED TO WHAT IS NECESSARY FOR THOSE PURPOSES
Personal data must be collected only for specified, explicit and legitimate purposes. It must not be further processed in any manner incompatible with those purposes.
Open Access BPO limits the collection of personal data to only that which is absolutely necessary to carry out our legal or business obligations. We will therefore not use personal data for entirely new, different, or incompatible purposes from those disclosed when it was first obtained unless we have informed the data subject of the new purposes.
4 – KEPT ACCURATE AND, WHERE NECESSARY, UP TO DATE
Personal data must be accurate, kept up to date, and rectified as necessary. We should ensure that personal data is recorded in the correct files. Incomplete records can lead to inaccurate conclusions being drawn and, in particular where there is such a risk, we should ensure that relevant records are completed.
We must check the accuracy of any personal data at the point of collection and at regular intervals thereafter and take all reasonable steps to destroy or amend inaccurate records without. Where a data subject has required his/her personal data to be rectified, we must inform recipients of that personal data that it has been rectified.
5 – RETAINED NO LONGER THAN IS NECESSARY
We must not keep personal data in a form that allows data subjects to be identified for longer than needed for the legitimate operational/research or business purposes for which the Company collected it. Those purposes include satisfying any legal, accounting, auditing, or reporting requirements. Records of personal data can be kept for longer than necessary if anonymized.
Open Access BPO will take all reasonable steps to destroy or erase from the Company’s systems all personal data that we no longer require in accordance with all relevant Company records retention schedules and policies. We have a retention policy outlined in the Data Classification and Handling Policy.
We will ensure that data subjects are informed of the period for which their personal data is stored or how that period is determined in any relevant Privacy Notice.
6 – KEPT SAFE AND SECURE
Open Access BPO follows generally accepted industry standards to protect the personal information submitted during transmission, in use, and when data is at rest. The Company uses appropriate measures to safeguard personal data, which measures are appropriate to the type of information maintained and follow applicable privacy laws regarding the safeguarding of any such information under its control. Safeguarding includes the use of encryption, pseudonymization, or anonymization where appropriate. It also includes protecting the confidentiality (e.g. principles of least privilege and need to know), integrity, and availability of the personal data. We will regularly evaluate and test the effectiveness of those safeguards to ensure security of our processing of personal data.
Employees are also responsible for protecting the personal data that is processed in the course of their duties. Employees must therefore handle personal data in a way that guards against accidental loss or disclosure or other unintended or unlawful processing and in a way that maintains its confidentiality.
Open Access BPO has adopted the principle of privacy by design and ensures that the definition and planning of all new or significantly changed systems that collect or process personal data will be subject to due consideration of privacy issues, including the completion of a data protection impact assessment.
Unless it is necessary for a reason allowable in the privacy law within which Open Access BPO operates, the Company will always obtain explicit consent from a data subject to collect and process their data. We obtain a data subject’s Consent if there is no other lawful basis for the processing. Consent requires genuine choice and genuine control.
Transparent information about the usage of their personal data will be provided to data subjects at the time that consent is obtained and their rights with regard to their data explained, such as the right to withdraw consent. This information will be provided in an accessible form.
Data subjects can withdraw Consent to processing at any time. Withdrawal of Consent will be promptly honored by the Company. Consent may need to be renewed if we intend to process personal data for a different and incompatible purpose which was not disclosed when the data subject first consented, or if the Consent is historic.
Evidence of Consent will be ensured, and a record of obtained Consent will be kept so that we can demonstrate compliance. Consent is also required for some electronic marketing and some research purposes.
WITHDRAWAL OF CONSENT
Individuals have the right to stop any processing which is based solely on their consent. Please fill out the Data Subject Request Form and email it to dataprivacy_compliance@openaccessbpo.com.
Please note that there may be circumstances in which we may not be able to fully grant all requests: where we have legal and/or contractual obligations; where the data is used for freedom of expression, for public health purposes, or for historical research or statistical purposes where deleting the data would make it difficult or impossible to achieve the objectives of the processing; or where it is necessary for legal claims.
We collect and use personal data to support and further our businesses. We will collect personal data directly from individuals wherever practical, and always in accordance with relevant laws and regulations.
FOR EMPLOYEES
Open Access BPO collects and uses personal data as needed for human resources and employment processes from current and prospective employees. Open Access BPO collects this information only in a reasonable and lawful manner.
The types of information that may be collected, either directly or indirectly, include but are not limited to:
Open Access BPO uses such personal data only for relevant, appropriate, and customary purposes, such as:
FOR CLIENTS
Open Access BPO collects and uses personal data as needed to deliver its products and services and manage its business. We collect personal data consistent with the fulfilment of contracts and agreements. Open Access BPO uses such personal data only for relevant, appropriate, and customary purposes, such as:
FOR VENDORS, SUPPLIERS
Open Access BPO collects personal data about individuals who are employed by our suppliers and vendors. This contact information and other personal details are used to administer existing and future business arrangements.
OTHERS
Additional personal data may be collected, used, and disclosed for the purposes for which it was collected and for legal compliance purposes, including regulatory reporting, investigation of allegations of wrongdoing, and the management and defense of legal claims and actions, and compliance with subpoenas, court orders and other legal obligations.
INTERNAL DISCLOSURE
In general, personal data may be shared within Open Access BPO, where legally permitted for reasonable and appropriate business purposes. However, even within the Company, we restrict access to personal data to those teams who need to accomplish their assigned business functions.
EXTERNAL DISCLOSURE
Disclosure of personal data beyond the employees or contractors of Open Access BPO may be made only pursuant to an agreement, business necessity, as permitted or required by law or legal process, or with the consent of the individual. The following examples illustrate some of the reasons that personal data is disclosed to third parties about:
We may disclose personal data about employees to a range of third parties who provide our employees with services, such as health care management. We may also disclose personal data to government entities where necessary in order to comply with labor requirements or income tax reporting.
Personal data may always be disclosed in connection with legal compliance initiatives, in response to a government request for information or as part of the Company’s due diligence for compliance purposes.
Under data privacy legislation, an individual has various rights to their personal data. These rights requests may be submitted through the Data Subject Request Form which will be sent automatically to dataprivacy_compliance@openaccessbpo.com to ensure a timely response. Data subjects have rights in relation to the way we handle personal data.
These include the following rights:
1 – RIGHTS TO BE INFORMED
An individual has the right to be informed that their personal data will be, are being, or were collected and processed. Open Access BPO will never collect, process, and store personal data without an individual’s consent unless otherwise provided by law.
For more information about the Consent process, refer to the Consent section of this policy.
2 – RIGHTS TO ACCESS
Open Access BPO shall generally provide individuals with an opportunity to examine their own personal data and confirm the accuracy and completeness of their personal data, if appropriate.
Individuals are also entitled to a copy of their personal information the Company holds about them, although they may not be able to receive information which identifies or relates to anybody else. If a data subject would like a copy of their personal record, the Data Subject Request Form must be filled out. In order to help us provide the information as quickly as possible, it would be very helpful if data subjects provided as much information as possible. Individuals will be required to provide proof of identity.
3 – RIGHTS TO CORRECTION
Individuals have the right to request to update their records for the purpose of accuracy. In order to exercise this right, please fill out the Data Subject Request Form.
4 – PORTABILITY RIGHTS
Individuals have the right to move their personal data to another data controller; however, this right is limited to the following circumstance:
Data which have been provided directly to the Company, data which is used in order to fulfil a contract or is in preparation for a contract, and the data is automated (e.g. this right does not apply to paper records).
In order to exercise this right, please fill out the Data Subject Request Form.
5 – RIGHTS TO ERASURE
This enables individuals to delete or remove their personal data where there is no longer a legal or legitimate basis for us to continue to process it. In order to exercise this right, please fill out the Data Subject Request Form.
6 – RIGHTS TO RESTRICT OR OBJECT TO PROCESSING
Relevant privacy laws give individuals the right to object to processing of their personal data carried out by Open Access BPO and/or to ask the Company to restrict processing of their personal data. These are not absolute rights, except for the right to prevent use of your personal data for marketing and fundraising purposes, and apply only in limited circumstances.
The rights of objection and restriction are complicated, and each instance will be assessed individually. If you wish to exercise either of these rights, please fill out the Data Subject Request Form.
Transfer of personal data to a third country occurs when it is made available beyond European Economic Area boundaries or boundaries of the controller and/or processor (e.g. data transfer via e-mail), regardless of whether the data will then be actively used or only stored (e.g. when the transfer took place for storing it on servers located in a different country).
As a general rule, transfer of personal data to countries may take place if these countries are deemed to ensure an “adequate” level of data protection. Once “adequacy” of a third country has been recognized, personal data can be transferred to this country without having to take further protective measures.
In some cases, viewing, accessing, and storing of personal data by Open Access BPO beyond its jurisdiction shall constitute cross border data transfer.
We may only transfer personal data outside the border if one of the following conditions applies:
Open Access BPO has a range of standard transfer agreements and clauses. Individuals should seek guidance from the Data Privacy Officer at dataprivacy_compliance@openaccessbpo.com before any transfer of personal data takes place.
It is Open Access BPO’s policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data. In line with relevant privacy laws, where a personal data breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority will be informed within 72 hours.
This will be managed in accordance with the Information Security and Systems Breach Incident Response Plan, which sets out the overall process of handling information security incidents.
This policy shall not apply to the following specified information:
A Data Subject Rights request can be refused if it is manifestly unfounded or excessive. A Data Subject Rights request is manifestly unfounded if:
A request may be excessive if:
This privacy policy may change from time to time in line with legislation or industry developments. Any changes we make will be communicated accordingly, and specific policy changes and updates will be mentioned in the privacy statement change log.