Privacy Policy - Strategic Research and Development Center, Inc.

1. PRIVACY STATEMENT
Strategic Research and Development Center, Inc. (“STRAND-Asia”) values the privacy rights of
individuals under Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012
(“DPA”), including its Implementing Rules and Regulations (“IRR”) and all other applicable
privacy laws, rules, and regulations. Thus, as reflected in this Privacy Policy, we are firmly
committed to protect all personal data we collect and process through adequate organizational,
technical, and physical measures and in accordance with the principles of transparency,
legitimate purpose and proportionality enshrined in the DPA. We also abide by other principles
in collection, processing and retention of personal data as required by applicable laws, including
the International Code on Market, Opinion and Social Research and Data Analytics of the
International Chamber of Commerce (ICC) / European Society for Opinion and Marketing
Research (ESOMAR).
2. SCOPE
2.1.This Privacy Policy enumerates STRAND-Asia’s organizational policy in relation to the
collection and processing of all personal data.
2.2.STRAND-Asia reserves the right to amend and/or modify its Privacy Policy to comply
with any future developments in local and/or foreign data privacy regulations where
applicable.
2.3.This Privacy Policy applies to all personal data processing activities conducted by
STRAND-Asia, its subsidiaries and/or affiliates, including, but not limited to, the
collection, use, storage, sharing and disposal of all personal data about their customers
and employees.
3. DEFINITION OF TERMS
Data refers to any and all information, including personal information and sensitive
personal information, among others, collected by, or submitted to STRAND-Asia
from clients or non-clients, employees or any data subject, individual and entities.

Data Subject refers to an individual whose personal information is processed.
Data Sharing Agreement refers to the disclosure or transfer to a third party of
personal data under the control or custody of a personal information controller. The
term excludes outsourcing, or the disclosure or transfer of personal data by a
personal information controller to a personal information processor.

Processing refers to any operation or any set of operations performed upon
personal information including, but not limited to, the collection, recording,
organization, storage, updating or modification, retrieval, consultation, use,
consolidation, blocking, erasure or destruction of data.

Personal Information refers to any information whether recorded in a material form
or not, from which the identity of an individual is apparent or can be reasonably and
directly ascertained by the entity holding the information or when put together with
other information would directly and certainly identify an individual.
Personal Information Controller refers to a person or organization who controls the
collection, holding, processing or use of personal information, including a person or
organization who instructs another person or organization to collect, hold, process,
use, transfer or disclose personal data on his or her behalf.
Personal Information Processor refers to any natural or juridical person qualified to
act as such under this Act to whom a personal information controller may outsource
the processing of personal data pertaining to a data subject.
Sensitive Personal Information refers to personal information:
a. About an individual’s race, ethnic origin, marital status, age, color, and
religious, philosophical or political affiliations;
b. About an individual’s health, education, genetic or sexual life of a person, or
to any proceeding for any offense committed or alleged to have been
committed by such person, the disposal of such proceedings, or the sentence
of any court in such proceedings;
c. Issued by government agencies peculiar to an individual which includes, but
not limited to, social security numbers, previous or current health records,
licenses or its denials, suspension or revocation, and tax returns; and
d. Specifically established by an executive order or an act of Congress to be
kept classified
Personal Data refers to refer to all types of personal information, including those
pertaining to agency personnel.
4. COLLECTION AND USE OF PERSONAL DATA
4.1.Client and Participant Personal Data
We collect personal data from our clients and participants through the following channels:
1. Voluntary registration and submission of any application/registration form, request,
notice or some other printed and/or electronic documents and forms submitted by
data subjects, such as online community members, employees and clients, among
others;
2. Inquiry or post from data subjects and online community members, among others;
3. From subsidiaries, affiliates or clients, subject to permissible data sharing/outsourcing
under applicable laws and/or other printed or electronic documents/materials
submitted to us or publicly available; and
4. Data that may be collected directly by our subsidiaries, affiliates or clients through
data gathering tools, such as survey links where data subjects are re-directed to the
respective websites of these subsidiaries, affiliates or clients.
All the data that we collect are not and shall never be sold for economic and proprietary
purposes. The data shall be used for the following purposes:
a. To provide consumer opinions and activities through market research or study, which is
achieved through the collection and analysis of personal data from our online community
members;
b. To provide statistical and market research data with the use of our online survey
platforms including SurveyReal;
c. To perform functions vital and necessary to the provision of our services, including,
among others, providing consumer opinions and activities through statistical analysis
and market research with the use of surveys and polls study, market assessment and
evaluation;
d. To register willing customers in our survey platforms and online community as well as in
bidding projects with government agencies;
e. To verify the identities of our online community members, and other individuals, as well
as to determine their qualification to participate in our surveys, polls, and/or other market
research activities;
f. To prevent, detect and/or investigate the safety and security of data collected, services
provided and/or data breach;
g. To ensure quality of personal data we received;
h. To market other products, software, licenses or services as well as to provide technical
support and training in relation thereto;
i. To facilitate customer billing and collection;
j. Customer preparation and execution in relation to client-commissioned studies;
k. Business monitoring, evaluation/review and development, including, among others,
creation and maintenance of an online community membership who participate in our
market studies;
l. Compliance with applicable laws, rules and regulations;
m. The achievement of corporate objectives and business endeavors and compliance to
applicable laws, rules and regulations.
4.2.Applicant and Employees Personal Data
We collect and process personal data from our applicants and employees for Administrative and
Human Resource Development purposes as well as in compliance with applicable labor laws,
rules and regulations, including, but not limited to:
a) Identity verification;
b) Pre-qualification and post-qualification assessment;
c) Performance evaluation and career development;
d) Processing of employment compensation and benefits, including health and life
insurance coverage;
e) Internal Security;
f) Compliance to labor and other regulatory requirements;
g) For the protection of lawful rights and interests of the organization in internal
administrative and court proceedings, or the establishment, exercise or defense of legal
claims against prospectively malfeasant employees.
4.3.Affiliates and Service Providers
We collect and process personal data from our affiliates and service providers for the following
purposes:
a) Preparation and execution of contracts pertaining to outsourced services; and
b) Maintenance of our online platform tools.
5. Rights of Data Subjects
STRAND-Asia fully recognizes and respects that each data subject is accorded the following
privacy rights:
Right to be informed
Our customers, participants, employees, affiliates and service providers have the right to
demand and be informed of the details about how and why we collect and process their
personal data including its sources, recipients, methods, disclosures to third parties and their
identities, automated processes, manner of storage, period of retention, manner of disposal and
any changes to such processing activities before the same is undertaken.
Right to Object
They have the right to object to the sharing of their data. Should there be any changes in the
information provided to them under this policy, they shall be informed of such changes and their
consent thereto, where applicable, obtained before such changes are implemented.
Right to withdraw consent anytime
They have the right to withdraw their consent to the processing of their personal data anytime
subject to any lawful basis for which such data is processed other than by consent.
Right to access
They have the right to have reasonable access to their personal data, upon demand and in a
machine-readable and/or data portable format.
Right to dispute/rectify
They have the right to review and amend their personal data as processed by the organization
should there be any inaccuracies.
Right to object/block/erase
They have the right to reject further processing of their personal data, including the right to
suspend, withdraw, and remove their personal data in our control which are falsely collected or
unlawfully processed
6. POLICY ON THE COLLECTION AND USE OF PERSONAL DATA
It is the policy of STRAND-Asia to:
I. Adequately inform our customers, participants, employees, affiliates and service
providers of their rights as data subjects;
II. Ensure that our customers, participants, employees, affiliates and service providers are
fully and adequately informed of all processing activities performed by the organization
with respect to their personal data including the scope, purpose and means used by
STRAND-Asia for such processing, its sources, recipients, methods, disclosures to third
parties and their identities, automated processes, manner of storage, period of retention,
manner of disposal and any changes thereto before the same is implemented;
III. Obtain the express, informed and properly documented consent of our customers,
participants, employees, affiliates and service providers, where applicable, to our data
processing activities. Where the processing does not require consent from our
customers, participants, and employees, we endeavor, nonetheless, to fully inform our
customers, participants, and employees of the bases of such processing other than
consent;
IV. Ensure that our customers, participants, employees, affiliates and service providers have
the facility to reasonably exercise their rights as data subjects and that the organization
can respond to such requests within reasonable time, including the provision of personal
data in a machine-readable or portable format in response to a request for information;
V. Ensure that our customers, participants, employees, affiliates and service providers have
the facility to dispute any inaccuracy or error in their personal data, to object to any
changes in the manner and purpose by which their personal data is being processed, to
withdraw consent where applicable, and to suspend, withdraw, block, destroy, or remove
any unnecessary, falsely collected or unlawfully processed personal data;
VI. Ensure that the personal data obtained from our customers, participants, employees,
affiliates and service providers are proportional, necessary and limited to the declared,
specified and legitimate purpose of the processing;
VII. Ensure that the personal data of our customers, participants, employees, affiliates and
service providers are retained for only a limited period or until the lawful purpose of the
processing has been achieved;
VIII. Ensure that the personal data of our customers, participants, employees, affiliates and
service providers are destroyed or disposed of in a secure manner;
IX. Ensure that our customers, participants, employees, affiliates and service providers have
the facility to lodge complaints to STRAND-Asia relating to any violations to the rights of
our customers and employees as data subjects and that such complaints are adequately
and timely addressed;
X. With respect to personal data collected and processed from foreign sources, we ensure
that their personal data, is collected and processed in accordance with the applicable
foreign law, if any.
7. PERSONAL DATA SECURITY POLICY
7.1.Storage of and Access to Personal Data
Access of data collected shall be limited to authorized officers or employees only. It is our policy
to store both paper-based and electronic personal data in a secure data center covered by
appropriate data security standards.
STRAND-Asia shall treat and keep all data collected strictly confidential, not intended for public
disclosure, except upon lawful request of governmental authority, court order, and such other
competent authorities or as required by law.
Transfers of personal data within and without the organization shall only be made in accordance
with strict security protocols and under modes of transfer compliant to the appropriate data
security standards. In such cases, we only share personal data we collect with our subsidiaries,
affiliates or clients, as necessary and in accordance with the purposes outlined in this policy;
upon the informed and express consent of concerned individuals, when required by law; and for
such other legitimate purposes permissible under applicable laws. We ensure that data
protection and confidentiality are maintained upon sharing and disclosure of said data.
7.2.Retention and Disposal of Personal Data
We only retain personal data for a limited period or until the lawful and legitimate purpose of the
processing is achieved. To that effect, we have established procedures for securely disposing
files that contain personal data whether the same is stored on paper, film, optical or magnetic
media, personal data stored offsite, and computer equipment, such as disk servers, desktop
computers and mobile phones at end-of-life.
7.3. Management of Third-Party Risks
a. Personal Information Processors
Where any processing of personal data is outsourced to a third-party processor, STRAND-Asia
will make sure that such third party shall be covered by the appropriate contracts that will
enforce adequate data security standards under terms and conditions compliant with the
requirements of the DPA, its Implementing Rules and Regulations, and other issuances of the
NPC.
b. Personal Information Controllers
STRAND-Asia shall ensure that any disclosures or transfers of personal data to controllers shall
be governed by legally compliant data sharing agreements and in accordance with the rights of
data subjects. Data subjects shall be duly informed and consent from them obtained, where
applicable, before such data sharing activities are performed.
8. PERSONAL DATA BREACH
Personal Data Breach refers to a breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted,
stored, or otherwise processed. Personal Data Breaches shall be subject to notification and
remediation requirements as provided in the DPA, its IRR, and other issuances of the NPC.
9. HUMAN RESOURCE POLICY
STRAND-Asia requires its employees to undergo periodic and mandatory training privacy and
data protection in general and in areas reflecting job-specific content. Likewise, it will ensure
that all employees, representatives, and agents exposed to personal data pursuant to their
function are adequately bound by strict confidentiality.
10. POLICY REVIEW
STRAND-Asia will review and revise this policy on a periodic basis and as the need arises.
11. DATA PROTECTION OFFICER
Strand-Asia takes data privacy seriously and has appointed a Data Protection Officer (“DPO”)
tasked to monitor compliance with any and all applicable foreign and/or local data privacy laws,
rules, and regulations.
Should you have any inquiries or concerns pertaining to our Privacy Policy as well as the data
we collect, such as access to information, correction or rectification of data, erasure or blocking,
as well as to report any actual or suspected data breaches or security incidents, among others,
you may reach STRAND-Asia’s DPO through the following contact information:

STRAND-Asia DATA PROTECTION OFFICE
E-mail dpo@strandasia.com
Office Address STRAND-Asia
Room 424-425 Cityland Pasong Tamo Tower