CLIENT DATA PRIVACY & INFORMATION SECURITY POLICY

 

“The safety of your privacy is important to us”

TRU29 Solutions is in the business of delivering solutions that enable our Clients to meet their strategic goals. We offer business process and IT outsourcing solutions, along with advisory services. Core to our commitment to putting Clients first is to ensure that Client Personal Information that our Clients entrust to us, including sensitive personal information, is safe, and that the privacy of our Clients’ End Users is respected.

 

INTRODUCTION

TRU29 Solutions is in the business of delivering solutions that enable our Clients to meet their strategic goals. We offer outsourcing solutions categorized as front office, back office, knowledge process, and customized solutions to the global market. An important part of our commitment to providing a true outsourcing partnership and solutions is to ensure that all Client Personal Information, including sensitive personal information, is safe, and that the privacy of our Clients is highly respected.

TRU29 Solutions’s privacy practices are developed in accordance with applicable legislation relating to privacy and information security, which may include, but is not limited to, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), the EU General Data Protection Regulation (Regulation (EU) 2016/679), as nationally implemented, supplemented, amended and replaced from time to time (“GDPR”), the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Children’s Online Privacy Protection Act of 1998 (“COPPA”), the Video Privacy Protection Act of 1988, the Cable Television Protection and Competition Act of 1992, the Fair Credit Reporting Act (“FCRA”), the California Consumer Privacy Act of 2018 (“CaCPA”), the Philippine Data Privacy Act of 2012, and a variety of provincial and state privacy laws, all together the “Applicable Privacy Laws”.

TRU29 Solutions is committed to ensuring that our privacy management practices comply with the Applicable Privacy Laws as well as with our contractual commitments in the various countries where we or our Clients operate. Our commitment to our Clients is that we will work with them to protect privacy and apply safety measures to any data in all our dealings.

This TRU29 Solutions Client Privacy Policy (this “Privacy Policy”) outlines the responsibilities of TRU29 Solutions concerning the protection of Personal Information entrusted to TRU29 Solutions by our Clients.

 

DEFINITIONS

 

For the purpose of this Privacy Policy the following terms shall have the following meanings. Terms defined elsewhere in this Privacy Policy shall have those meanings.

  • Business Contact Information: refers to the business contact details of our Clients’ representatives.
  • Client: means a Client or potential Client of TRU29 Solutions who is a business, enterprise, sole proprietor or other organization.
  • Client Personal Information: means Business Contact Information and/or End User Personal Information.
  • Data Controller: The organization that determines the purposes and means of the processing of Personal Information.
  • Data Processor: The organization that processes Personal Information on behalf of the Data Controller.
  • End User: means the users of Clients’ products or services, or the clients or patients of Clients.
  • End User Personal Information: means the Personal Information of End Users.
  • Personal Information: means any information relating to an identified or identifiable natural person.
  • Processing: means the recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, collection, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Information.

 

SCOPE & APPLICATION

 

This Privacy Policy applies to Client Personal Information that is in TRU29 Solutions’s custody for the purposes of providing services to the Client. It includes Client Personal Information that is in the possession of service providers who have been contracted to provide services on TRU29 Solutions’s behalf.

The application of this Privacy Policy is subject to the requirements or provisions of any applicable legislation, regulations, agreements or the ruling of any court or other lawful authority.

All TRU29 Solutions employees, contractors and agents with access to Client Personal Information are required to comply with this Privacy Policy.

 

OUR ACCOUNTABILITY PRINCIPLES

 

Our Accountability Commitment

TRU29 Solutions is responsible to our Clients for Client Personal Information in TRU29 Solutions’s possession or custody, including information that has been transferred for processing by TRU29 Solutions to a service provider or a third party in the course of conducting TRU29 Solutions’s business.

Where the GDPR applies to TRU29 Solutions’s processing of Personal Information:

  • TRU29 Solutions acts as a Data Processor for its Clients, which effectively means that it processes End User Personal Information on behalf of its Clients in order to provide services to those Clients.
  • TRU29 Solutions acts as a Data Controller in respect of Business Contact Information that it collects and processes in order to develop its business and sell services to its Clients.

TRU29 Solutions acts as a Business Associate (as such term is defined in HIPAA) for certain of its Clients, which effectively means that it processes Personal Health Information on behalf of its HIPAA covered-entity Clients in order to provide services to those Clients.

Executive Responsibility

Protecting privacy is an integral part of our services and all members of TRU29 Solutions’s executive team have a responsibility to enable and oversee operational compliance with TRU29 Solutions’s privacy policies and procedures within their own areas of responsibility, ensuring all business units are properly aware of and resourced to meet our privacy obligations.

Employee Accountability

As a core commitment of TRU29 Solutions, all members of the TRU29 Solutions team undergo mandatory annual privacy training to ensure their continued awareness of and compliance with applicable laws and our policies, including this Privacy Policy; we recognize that all employees play a role in earning and maintaining Client trust and we undertake ongoing privacy awareness activities to create a culture of privacy at TRU29 Solutions.

 

SAFETY MEASURES

 

TRU29 Solutions maintains an information security governance program to protect Client Personal Information.

TRU29 Solutions, in compliance with its security policy, employs security measures appropriate to the sensitivity of the information in an effort to protect Client Personal Information against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction. TRU29 Solutions maintains compliance with international standards such as PCI-DSS 3.0, SSAE16 SOC1 and SOC2 as part of its governance program.

TRU29 Solutions’s security measures include but are not limited to the following:

  • using appropriate administrative, physical and technical security controls designed to prevent and detect unauthorized access to Client Personal Information;
  • employing encryption for data at rest and in transit, tokenization, de-identification and other mechanisms to protect Client Personal Information as appropriate;
  • limiting access to Client Personal Information to a need-to-know basis and applying the principles of least privilege and role-based access control;
  • requiring secure disposal of any media containing Client Personal Information;
  • prohibiting the use of Client Personal Information in non-production or demonstration environments except with the express consent of the Client;
  • implementing a Secure by Design methodology in our work processes;
  • identifying and assessing reasonably foreseeable risks to the integrity, confidentiality or availability of Client Personal Information that we hold and taking reasonable steps to mitigate those risks through the implementation of safety measures; and
  • regular testing of our safety measures and our overall security program.

TRU29 Solutions protects Client Personal Information shared with service providers by employing contractual or other means in an effort to ensure that any such service provider will provide a comparable level of protection while Client Personal Information is being processed by that service provider.

TRU29 Solutions employment agreements include contractual provisions for the safeguarding and proper usage of confidential information (including Client Personal Information) accessible to our employees in the course of their employment. TRU29 Solutions takes appropriate disciplinary measures where necessary to enforce this Privacy Policy.

 

INCIDENT MANAGEMENT

 

TRU29 Solutions has developed a comprehensive incident readiness and response plan designed to identify the cause, extent and nature of an incident involving Client Personal Information and to allow timely reporting to the Client in accordance with Applicable Privacy Laws and our contractual terms.

TRU29 Solutions will provide reasonable assistance to our Clients to investigate and assist in the reporting of the incident to regulatory authorities or other required parties to prevent or minimize any loss or harm arising from such an incident.

 

LIMITATION OF PROCESSING OF CLIENT PERSONAL INFORMATION

 

We want to be transparent with our Clients about the purposes for which we collect and use Client Personal Information. TRU29 Solutions receives Client Personal Information from its Clients and End Users and collects Client Personal Information from other entities or individuals on behalf of its Clients. We limit the collection of Client and End User Personal Information to that which is necessary to fulfill the purposes identified herein and in accordance with the contractual agreement with the Client. TRU29 Solutions requires its Clients to share Client and End User Personal Information with TRU29 Solutions only to the extent that such information is lawfully obtained and necessary and sufficient for the purposes identified in this Privacy Policy and any contractual agreement.

TRU29 Solutions does not use Client Personal Information for purposes other than as set out in this Privacy Policy and in accordance with the contractual agreement with the Client, except as otherwise required or permitted by applicable law.

For further details on what personal information we collect and process, please see the End User Personal Information & Business Contact Information sections below.

CONTACT US

 

For the purposes of the GDPR and other applicable laws, TRU29 Solutions shall be the Data Processor in respect of End User Personal Information and the relevant Client shall be the Data Controller. TRU29 Solutions is the Data Controller in respect of the Business Contact Information.

TRU29 Solutions maintains procedures for addressing and responding to all inquiries or complaints about TRU29 Solutions’s handling of Personal Information. These can be forwarded on a confidential basis to our Privacy Office at itmis@tru29.com

TRU29 Solutions has appointed Data Protection Officers to oversee data privacy compliance in its Philippine operations. They may be contacted at:

itmis@tru29.com and/or admin@tru29.com

TRU29 Solutions will investigate all complaints concerning compliance with this Privacy Policy. If a complaint is found to be justified, TRU29 Solutions will take appropriate measures to resolve the complaint including, if necessary, amending its policies and procedures.

 

END USER PERSONAL INFORMATION

 

What End User Personal Information Do We Process?

In order to provide services to Clients, we process Personal Information that relates to End Users and which is entrusted to TRU29 Solutions by Clients in order for TRU29 Solutions to provide services to Clients which may be used by or otherwise affect the End Users. Such Personal Information consists of, amongst others:

  • names;
  • email addresses;
  • mailing addresses;
  • telephone numbers;
  • information for account administration (such as usernames and passwords);
  • IP addresses;
  • behavioural information (such as interactions, preferences, habits, feedback, needs and problems);
  • voice recordings, images and video;
  • financial information (such as credit card numbers, bank account names and details and account histories); and
  • special categories of data (such as personal health information and other health data).

How Is End User Personal Information Processed?

We process End User Personal Information as instructed by our Clients in order to:

  • provide products and services that are tailored to Clients’ and End Users’ requirements as defined in our Client contracts;
  • ensure that our products and services continue to be responsive to Clients’ and End Users’ requirements, including by providing technical support and training, and improve functionality;
  • investigate and resolve incidents and Client or End User complaints;
  • promote or sell products or services to End Users as directed by our Clients, in accordance with any applicable marketing or telemarketing legislation; and
  • write or modify software applications and computer code, on behalf of TRU29 Solutions Clients.

How May We Disclose End User Personal Information?

1) Third Party Service Providers

We may disclose End User Personal Information to certain vendors to provide us with services, such as information technology services, legal, consulting, auditing and related services.

We may also subcontract certain of our services to subcontractors, subject to the terms of our contracts with Clients.

Where we enter into a relationship with any vendor or subcontractor, we will have contracts in place in order to ensure that End User Personal Information is protected in accordance with Applicable Privacy Laws.

2) Group Companies

We may disclose some End User Personal Information between two or more of our group companies, including companies in other countries, in order to ensure that we are dedicating the appropriate group resources to Client requirements, and complying with our Client contract.

3) Legal Obligations

There may be certain legal reasons for disclosing End User Personal Information:

  • to enforce our terms and conditions and contracts with Clients
  • to protect our group operations and rights
  • to protect the rights and safety of our Clients and End Users
  • to comply with court orders, enforcement actions by regulators or any other legal proceedings
  • to pursue any remedies available to us or limit damages that we may suffer
  • to respond to requests from public and governmental authorities, including public and governmental authorities outside of Clients’ countries of establishment
  • to comply with any other relevant aspects of applicable laws from time to time, including applicable laws outside of Clients’ countries of establishment.

How Do We Protect End User Personal Information That Is Disclosed Internationally?

TRU29 Solutions complies with Applicable Privacy Laws when transferring End User Personal Information to and from different countries.

For transfers of Client Personal Information outside of the EU to a third country that does not afford an adequate level of protection of Personal Information according to the European Commission, TRU29 Solutions has appropriate safety measures in place, and such transfers are made on the condition that enforceable rights and remedies are available for individuals to which the Personal Information being transferred relates.

The appropriate safety measures that TRU29 Solutions has put in place consist of standard contractual clauses in compliance with the European Commission and Privacy Shield.

Consent

As TRU29 Solutions does not have a direct relationship with the End Users, TRU29 Solutions requires that every Client obtain any necessary consents or other authorizations required under Applicable Privacy Laws, so that TRU29 Solutions may process End User Personal Information for the purposes set out in this Privacy Policy on behalf of the Client.

Retention

TRU29 Solutions has a policy respecting records retention and an associated retention schedule and will keep End User Personal Information only as long as it remains necessary or relevant for the purposes of providing services to Clients and in accordance with the terms and conditions of the contractual agreement with the Client, unless longer retention is otherwise required to meet legal or regulatory requirements.

Accuracy

TRU29 Solutions does not verify the accuracy of End User Personal Information when it is received from a Client. TRU29 Solutions relies on its Clients to ensure the accuracy and completeness of the End User Personal Information that has been supplied to TRU29 Solutions for the identified purposes and in order for TRU29 Solutions to perform services for its Clients.

TRU29 Solutions will take reasonable steps to maintain the integrity of the End User Personal Information, and will ensure that appropriate safety measures are in place to protect any End User Personal Information in its custody (as described in the Safety Measures Section).

Individual Rights

Unless we specifically contract to do so as part of the provision of services to a Client, TRU29 Solutions will not generally respond directly to requests or inquiries from End Users with regard to the processing of their Personal Information. We will instead make reasonable efforts to direct inquiries and access requests made by End Users to the appropriate Client.

Clients should advise End Users to consult Clients’ own privacy policies to familiarize themselves with their rights under Applicable Privacy Laws.

 

BUSINESS CONTACT INFORMATION

 

What Business Contact Information Do We Collect?

In order to provide services to Clients, we collect and process Personal Information from Client representatives at various stages of our relationship with Clients, such as when Clients approach us to find out information about our services, and when we continue to work with Clients to provide tailored solutions to their requirements. Such Personal Information consists of, amongst others:

  • names;
  • email addresses;
  • mailing addresses;
  • telephone numbers; and
  • IP addresses.

How Do We Use Business Contact Information?

We use Business Contact Information in order to:

  • communicate with Clients throughout their relationship with TRU29 Solutions;
  • understand Client needs and preferences;
  • provide products and services that are tailored to Clients’ and End Users’ requirements;
  • ensure that our products and services continue to be responsive to Clients’ and End Users’ requirements;
  • bill Clients and process Client payments;
  • promote or sell products or services to Clients;
  • further our business objectives, such as to perform data analysis, audits, to enhance, improve or modify our services, to determine the effectiveness of our promotional campaigns and to operate and expand our business activities; and
  • meet any regulatory or legal requirements.

What Are Our Legal Bases for Processing Business Contact Information?

Where the GDPR applies to our processing of Business Contact Information, our legal bases under the GDPR for processing Business Contact Information are as follows:

  • Our legitimate interests: processing is necessary for us to develop our Client relationships, study how Clients use our products and services, develop our business and inform our marketing strategy. To find out more about the balancing test that we conduct to balance our interests against the privacy rights of our Client representatives please contact us.
  • In order to perform a contract with our Clients.
  • In order to comply with certain legal obligations that we may have, as further described in the next section.

How May We Disclose Business Contact Information?

1) Third Party Service Providers

We may disclose Business Contact Information to certain service providers that we use to provide us with services, such as information technology services, client management services, payment processing services, SaaS-based financial applications, legal, accounting, consulting, auditing and related services.

We may also subcontract certain of our services to subcontractors, subject to the terms of our contracts with Clients.

Where we enter into a relationship with any service provider or subcontractor, we will have contracts in place with such service providers or subcontractors, in order to ensure that Business Contact Information is protected in accordance with Applicable Privacy Laws.

2) Group Companies

We may disclose some Business Contact Information between two or more of our group companies, including companies in other countries, in order to ensure that we are dedicating the appropriate group resources to Client requirements, as well as for certain of our business purposes, such as for internal record keeping, accounting and regulatory compliance.

3) Corporate Transactions or Events

We may disclose Business Contact Information to third parties in connection with a corporate reorganization, merger, restructuring, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock, including in connection with any litigation, bankruptcy, insolvency or similar proceedings.

4) Legal Obligations

There may be certain legal reasons for disclosing Business Contact Information:

  • to enforce our terms and conditions and contracts with Clients
  • to protect our group operations and rights
  • to protect the rights and safety of our Clients
  • to comply with court orders, enforcement actions by regulators or any other legal proceedings
  • to pursue any remedies available to us or limit damages that we may suffer
  • to respond to requests from public and governmental authorities, including public and governmental authorities outside of Clients’ countries of establishment
  • to comply with any other relevant aspects of applicable laws from time to time, including applicable laws outside of Clients’ countries of establishment.

How Do We Protect Business Contact Information That Is Disclosed Internationally?

TRU29 Solutions complies with Applicable Privacy Laws when transferring Business Contact Information to and from different countries.

For transfers of Client Personal Information outside of the EU to a third country that does not afford an adequate level of protection of Personal Information according to the European Commission, TRU29 Solutions has appropriate safety measures in place, and such transfers are made on the condition that enforceable rights and remedies are available for individuals to which the Personal Information being transferred relates.

The appropriate safety measures that TRU29 Solutions has in place consist of standard contractual clauses in compliance with the European Commission and Privacy Shield.

Consent

When TRU29 Solutions collects Business Contact Information from the representatives of our Clients, we will advise through a notice the purpose for the collection of the Personal Information and its use in accordance with this policy.

Retention

TRU29 Solutions has a policy respecting records retention and an associated retention schedule and will keep Business Contact Information only as long as it remains necessary or relevant for the purposes of offering and providing services to Clients and in accordance with the terms and conditions of the contractual agreement with the Client, unless longer retention is otherwise required to meet legal or regulatory requirements.

Accuracy

TRU29 Solutions will make reasonable efforts to maintain the accuracy and integrity of Business Contact Information in its custody and will safeguard it as established in the relevant section of this policy.

Individual Rights

Client representatives may have the following rights to the extent permitted under Applicable Privacy Laws regarding access to the Business Contact Information in TRU29 Solutions’s custody:

  • the right to request access to Personal Information
  • the right to request correction of Personal Information
  • the right to request erasure of Personal Information
  • the right to object to processing of Personal Information
  • the right to request restriction of processing of Personal Information
  • the right to request transfer of Personal Information
  • the right to complain to their relevant national supervisory authority about the processing of their Personal Information

Please refer to the “Contact Us” section for further information.

 

COOKIES

 

When you visit this website, we may send one or more cookies (small text files containing a string of alphanumeric characters) to your computer that uniquely identify your browser. A cookie may also convey information to us about how you use the website (e.g., the pages you view, the links you click, or your preferred browsing language), and allow us to provide a better web browsing experience to you over time. The cookies we send do not give us access to your computer or allow us to collect or process any personal information. You can adjust your web browser’s settings to detect or disable cookies if you prefer, but this may affect the use of this site.

For more information about how we use any information that you may provide because of the use of this site and the terms of our privacy policy. If you proceed to use this website, you consent to us using, from time to time, information that we collect through our website cookies subject to the terms of this cookie policy and our privacy policy.