Modern Slavery & Human Trafficking Statement
The respect for human rights is an integral part of the corporate culture of KMC Group as a group of companies that acts with responsibility and integrity. Modern slavery and human trafficking are considered as a crime and a violation of fundamental human rights to which the KMC Group openly and continuously condemns. KMC Group is committed to improving our practices to combat modern slavery and human trafficking. Our statement outlines the steps we have taken to prevent Modern Slavery and Human Trafficking within our Group and our supply chains and sets out our plans for future improvements.
This statement aligns with the provisions set forth under the Republic Act No. 10364 or otherwise known as “Expanded Anti-Trafficking in Persons Act of 2012” and is consistent with the global Modern Slavery Laws implemented across different jurisdictions worldwide. This constitutes our Group's slavery and human trafficking statement for the financial year ending 2021 and onwards unless otherwise amended.
KMC Solutions and KMC Community are part of the KMC Group of Companies operating as a premium offshore services and flexible workspace provider in the Philippines, USA, Singapore, and Hong Kong. The KMC Group has worldwide customer base with 2,343 employees and is composed of 19 subsidiaries and equity investments as of 31 December 2020.
KMC Group has an experienced cross-cultural management team composed of Filipinos and expatriates with years of experience in the Business Processing Outsourcing (BPO) industry, consultancy, and real estate.
KMC is committed to adhere to the principles of the Expanded Anti-Trafficking in Persons Act of 2012 and the Modern Slavery Act and ensures that the organization, its employees, and suppliers avert any or such acts that promotes the practice of modern slavery within its conduct of its entire business operations. As such, KMC have adapted its own Anti-Slavery and Human Trafficking Policy that encompasses the entire business of the company, its employees, partners, and suppliers. This is further supplemented by company policies that adhere to rights of the employee in its workforce in accordance to the guidelines set forth by the Department of Labor and Employment.
Companies within the KMC Group are obliged to identify human rights risks and report the type and number of suspicious incidents. Employees of the KMC Group can also report to their manager, human resources department or the employee representatives. A works agreement with regard to grievance procedures is already in place for all employees in Germany.
Risk Manaqement and Other Safeguards
KMC operates within the sphere of the IT/BPO industry and the provision of facilities conducive to IT/BPO companies with a diverse workforce catering to a wide array of services for clients across Asia-Pacific, North America, and Europe. It is for this reason that the company has identified the risks involving human rights in the conduct of its operations;
- Workplace Safety
- Hours of Work
- Workplace discrimination and exclusion
- Facility Safety and Security
- Data Privacy and Information Security
The existence of these policies in place within the organization together with the commitment of the leaders of the organization to act with integrity and ethical practice towards its conduct of business towards its partners and suppliers help support the aim of the organization to mitigate any form of act that would prevent the practice of anti-slavery.
- To include a resource reference for the Expanded Anti-Trafficking in Persons Act of 2012 and the Modern Slavery Act in the company's New Hire Orientation to ensure that the employee population shall adhere to the organization's drive in eliminating any form of slavery in the workplace.
- We will continuously monitor, amend, and update our company’s policies and procedures which will reinforce its commitment to anti-slavery and human trafficking in the workplace.
- We will continue to spread awareness on Modern Slavery and Human Trafficking risks across our supplier base and cease any business relationships with suppliers if they are found to be in the practice (whether direct or indirect) of slavery or any equivalent thereof.
This statement, its implementation, monitoring, updating, and revision shall be the responsibility of the Country Manager of the company. A committee to be determined by the Country Manager will be formed with participation by the Chief Executive Officer and support of its local leadership.
Approval for this Statement
This statement was approved by the Board of Directors of KMC Group.
This Whistleblowing Policy is applicable to Employees of KMC Solutions and its sister-companies, Third- Party Business Partners, and other stakeholders.
It is of primary importance that a business, in all of its activities, must operate in full compliance with applicable laws, rules, and regulations. Therefore, all Employees must exemplify the behavior and professional demeanor consistent with such laws, rules, and regulations, as well as the Company’s applicable policies and procedures. Also, Third-Party Business Partners must share and embrace the spirit of commitment to these sets of standards.
All Employees, Third-Party Business Partners, or other stakeholders are encouraged and empowered to report their concerns should they suspect or become aware of any illegal or unethical activities. This can be done through the KMC Action Center (KMCAC).
KMC Audit and Risk Committee - assists the KMC Board of Directors in the fulfillment of its oversight responsibility relating to the accuracy of KMC’s financial statements and the soundness of its financial reporting process, the robustness of its internal control and risk management systems and processes, internal audit activities, the annual independent audit of the financial statements, and compliance with legal and regulatory matters.
KMC Board of Directors - approves the vision, strategic objectives and key policies for management of the Corporation. The Board also ensures the adequacy of internal controls and risk management practices, accuracy and reliability of financial reporting, and compliance with applicable laws and regulations.
Employee - refers to any person who works in the service of KMC and its Subsidiaries under an express or implied contract of hire.
Operator - can refer to the KMC Internal Audit Division (KMC IAC), KMC Legal, Colleagues, or Management, depending on the Reporting Channel that the Whistleblower used to file a Reportable Condition, in accordance with Section 10.2.
Reportable Condition - covers any of the following concerns: (1) Conflicts of Interest; (2) Misconduct or Policy Violations; (3) Theft, Fraud or Misappropriation; (4) Falsification of Documents; (5) Financial Reporting Concerns, (6) Bribery and Corruption and; (7) Retaliation Complaints.
Reporting Channel – exclusively via email at [email protected]
Respondent - the person who is the subject of the complaint in the Whistleblowing Report.
Sister Companies - refers to any entity over which KMC has at least 3 common shareholders
Third-Party Business Partner - refers to a potential or existing supplier, contractor, buyer, customer, or any other business partner who has existing and/or intended business dealings with KMC and its Subsidiaries.
Third-Party Service Provider - refers to an independent company that KMC shall engage to handle the operations of KMC in relation to this Policy.
Whistleblower - an Employee, Third-Party Business Partner, or other stakeholder who tells about alleged Reportable Conditions using the KMC Business Integrity Channels.
Whistleblowing Report - refers to a complaint filed by a Whistleblower about a Reportable Condition.
The KMC Action Center are communication facilities that enable individuals to freely report fraud, violations of laws, rules and regulations, or misconduct to people of authority without fear of Retaliation.
The ultimate goal is to give Employees, Third-Party Business Partners and other stakeholders every possible means for coming forward, so that they report information to top management or to the Board of Directors, rather than turning to the media.
The KMC Action Center shall be spearheaded by the KMC Ethics Committee (the “Committee”).
The Committee shall be chaired by any appointed member (manager) of KMC Legal (“KMC Legal”) while the members shall be composed of two appointees from a) KMC Internal Audit Committee (‘KMC IAC”), and; b) KMC HR (“KMC HR”), respectively.
The Committee shall investigate Whistleblowing Reports received through Reporting Channel. KMC Legal as the Committee’s prosecution arm, shall coordinate with KMC IAC. It shall provide legal advice to aid the Committee during the investigation process.
KMC HR, as the administrator of Committee decisions, shall ensure that the decisions made by the Committee on every investigation are enforced. It shall coordinate with KMC Legal.
The KMC IAC shall use final reports of investigations as inputs during their implementation of improvements in KMC’s control processes.
The Committee shall report to KMC Audit and Risk Committee in accordance with the provisions of Section 10.10.2.
6.1 Reportable Conditions
The KMC Action Center shall receive all reports from Whistleblowers about the following:
- Conflicts of Interest
Conflicts of interest, subject to KMC’s or Subsidiary’s policies, may refer to situations which may impair the objectivity of a person because of the possible incompatibility of the person’s self-interest and professional or public interest (e.g., inappropriate relations or questionable transactions with clients or suppliers, misuse of client/company information, etc.).
- Misconduct or Policy Violations
Misconduct or policy violations refer to acts that violate moral or civil law, Code of Ethics, policies of KMC/Subsidiary, and/or contractual agreements (e.g., violation of Code of Ethics, control overrides, acting under false/insufficient authority, etc.).
- Theft, Fraud, or Misappropriation
Theft, fraud, or misappropriation refers to fraudulent appropriation of funds or properties entrusted to the Employee’s care but actually owned by the employer or someone else in the organization (e.g., stealing, misappropriation of funds, false representation, etc.).
- Falsification of Documents Falsification of documents refers to counterfeiting, forging, falsifying or making fraudulent changes to any document (e.g., forgery, alteration, tampering, etc.).
- Financial Reporting Concerns
Financial Reporting Concerns refer to deliberate misstatements in recording and/or reporting business transactions or result of operations (e.g., incorrect recording of financial transactions, irregularities in application of accounting standards, misleading reports, etc.).
- Bribery and Corruption
The following shall be considered as prohibited acts of bribery and corruption:
- Directly or indirectly offering, giving, requesting, or receiving money, gifts, favors, benefits or anything of value for the purpose of influencing decisions or to gain unfair advantage in company transactions;
- Using or performing official functions for personal gain;
- Performing or neglecting to perform any official function in exchange for receiving money, gifts, favors, benefits or anything of value in the course of business or;
- Any actions similar to those stated above. Bribery and corruption may be committed even if the act is done with a person who is not a public official and is in the private sector. Any act, attempt, or allegation of bribery and corruption shall be treated as grave offenses that will be handled with dispatch and dealt with the full force of the applicable laws, rules or regulations. In handling any case alleging bribery or corruption, the Company shall be guided by the Company Manual for Corporate Governance, its Code of Business Conduct, the Company Code on Employee Discipline, the Revised Penal Code, and other relevant laws and regulations pertaining to the said subject.
- Retaliation Complaints
Retaliation complaints are those filed by a Whistleblower due to any undesirable action taken against him — and in direct response to the Whistleblowing — because he reported wrongdoing (e.g., job harassment, ostracism, unemployment, threat to security, etc.).
Any concern not relating to the above conditions shall be filed with the appropriate unit designated by KMC.
6.2 Reporting Channels
The following are dedicated reporting channels which the Whistleblower can use to file any Reportable Condition:
E-mail at [email protected]
6.3. Anonymous Reporting
The KMC Action Center shall accept reports made anonymously. The Whistleblower who files a report may choose to provide a manner by which he can be contacted without jeopardizing his/her anonymity. Such means shall include, but is not limited to using an e-mail address, a prepaid mobile number, etc.
If the Whistleblower chooses to identify himself, the recipient of the report from the Reporting Channel shall ask the Whistleblower if he is willing to be identified in the course of the investigation.
6.4 Withdrawal of Report by the Whistleblower
In the event that the Whistleblower withdraws his/her report, the investigation shall continue provided that the evidence gathered is sufficient in accordance with the provisions of Section 10.3.
6.5 Resignation of the Respondent Pending Completion of the Investigation
In the event that the Respondent resigns prior to the final resolution of the case, the investigation shall still continue provided that the evidence gathered is sufficient in accordance with the provisions of Section 10.3.
The Committee shall ensure confidentiality of information. It shall treat all reports, including the identity of the Whistleblower and the Respondent, in a confidential and sensitive manner. The identity of the Whistleblower will be kept confidential, unless compelled by law to be revealed.
By reporting to the KMC Action Center, a Whistleblower is protected from any Retaliation against him, provided that the report is made in good faith.
Cases of Retaliation against any Whistleblower may be reported to the KMC Action Center.
The Retaliation Complaint shall be dealt with in accordance with this Policy, or other relevant Company policies and procedures, and any applicable laws.
If a Whistleblower makes allegations that are determined to be fabricated or malicious and persists in making them, a possible disciplinary or legal action may be taken against him, subject to relevant Company policies and procedures, and any applicable laws.
10.1 Submission/Receipt of Reports Any report must be made through the appropriate reporting channel referred to in Section 6.2. The Whistleblower may choose to identify himself or remain anonymous, in accordance with Section 6.3.
In submitting a report, the Whistleblower shall disclose his relationship with KMC (e.g., Employee, Customer, Supplier, Concerned Citizen, Other). In addition, the Whistleblower shall state if the information has been reported to anyone outside KMC and provide details if it was. To support his report, the Whistleblower shall provide any information and any files or evidence (e.g., pictures, documents, etc.) that he thinks are relevant for the report.
10.2 Handling Initial Receipt of Whistleblowing Reports
The following Operators/Teams will handle initial receipt of Whistleblowing Reports from the different reporting channels:
Report Channel: [email protected]
Operator: KMC Legal (email recipients shall be exclusively the VP Legal & Compliance and the Chief Legal Officer
It is the responsibility of the Operator of face-to-face meetings to refer and fully disclose the Whistleblowing Report to the Committee.
10.3 Preliminary Evaluation of Whistleblowing Reports
The Operator shall evaluate whether the information provided by the Whistleblower is sufficient and within scope.
The information in a report, whether anonymously filed or not, shall be considered sufficient if:
- The Respondent is identified by his full name and position, and;
- Charges are specified, including the relevant and material facts (e.g., nature of the incident, time and places of the incident, persons involved, evidence, if any, and other important matters necessary to establish a case);
In case of insufficient information, the Operator shall notify the Whistleblower, if he is identified or can be communicated with in accordance with Section 6.3 paragraph 1, about such insufficiency. If the Whistleblower fails to provide additional information, the Operator may recommend to close the case and not take further action.
10.4 Safe Keeping and documentation of Whistleblowing Reports
All Whistleblowing Reports shall be recorded in electronic and paper copy and the same shall be kept by KMC Legal in strictest confidence. Operators shall forward all initial reports to KMC Legal for safekeeping. Only the Committee Members shall have the right to access the Whistleblowing Reports.
10.5 Communicating with Whistleblowers
Operators shall communicate all received reports to the IAC that will collate all reports and submit the paper copies to the Committee.
Operators who received the report shall be the only point of contact to the Whistleblower and shall be responsible for updating the Whistleblower of the status of his/her report.
10.6 Submission of Reports to the Committee
The Operator shall inform the Committee:
- Whistleblowing Reports that are ripe for Committee investogation based on sufficiency and scope, and;
- Whistleblowing Reports that are recommended to be Closed, including the justification
KMC IAC appointees shall profile all Whistleblowing Reports received and recommend the appropriate Investigating Unit to conduct the Preliminary Investigation. Reporting to the Committee shall be done within a reasonable period, depending on the nature and urgency of the Whistleblowing Reports received.
10.8 Preliminary Investigation
KMC IAC shall conduct Preliminary Investigation in a discreet manner and in accordance with existing laws, rules, and regulations, applicable policies and procedures of KMC and Subsidiaries. During the preliminary investigation, the IAC shall search for evidence or probable cause that would support the case against the Respondent.
Nevertheless, the Committee may assign any of its members or any other Investigating Committees existing in the Group (e.g., Compliance or Legal Manager for complaints on Bribery and Corruption, etc.) the task of further investigating the reports escalated to them. Such classifications may depend on the nature of the report.
In the event that a report involves an Employee who is a member of the Committee or his/her subordinate, the said member shall not be allowed to directly handle the investigation in order to avoid the appearance of bias and conflict of interest.
10.8 Full Investigation
After the investigation has been completed, and the report is substantiated, the Committee shall inform the Respondent’s Company HR about the report for appropriate action. The Respondent’s Company HR shall coordinate with the Committee in conducting full investigation in accordance with applicable Company policies and procedures.
The Respondent’s Company HR and other Investigating Committees shall provide the Committee a report of the findings and resolution of the case.
Upon approval of the final resolution, the case records, shall be closed and the Whistleblower shall be notified of the update.
10.10.1 Visibility of Reports
The Committee shall have visibility of reports from all channels. In order to ensure that reports from such channels are not overlooked or mishandled, dual dissemination shall be employed. An e-mail notification shall be sent to KMC IAC Lead Auditor and KMC’s Legal as Primary and Secondary recipients, respectively.
10.10.2 Quarterly Reporting
KMC IAC shall maintain a log of all reports received and shall submit a quarterly report to the EXECOM (cc KMC Legal) on:
- All reports received;
- Status of outstanding reports, and; e Final resolution of reports.
KMC IAC shall log and maintain a case file for each of the reports. The KMC HR of KMC/Sister Company shall maintain a copy of the final resolution of each case. Those cases entailing disciplinary actions must be filed in the 201 Files of the Respondents.
Reports, including case files shall be retained in accordance with the archiving policies of KMC and Subsidiaries.
All cases within the scope of the KMC Action Center must be resolved within a reasonable time as determined by KMC/Sister Company from the time all relevant documents have been obtained.
Anti-Corruption and Bribery Policy
KMC SOLUTIONS HONG KONG LIMITED and its subsidiaries
- Policy Statement
1.1 Our policy is to conduct all of our business in an honest and ethical manner. We take a zero-tolerance approach to bribery and corruption and are committed to acting professionally, fairly and with integrity in all our business dealings and relationships wherever we operate and implementing and enforcing effective systems to counter bribery.
1.2 We will uphold all laws relevant to countering bribery and corruption in all the jurisdictions in which we operate including all Applicable Anti-Corruption Laws.
1.3 This policy sets out our responsibilities, as well as the responsibilities of those working for us, in observing and upholding our position on bribery. It also provides information and guidance to those working for us on how to recognise and deal with bribery and corruption issues.
1.4 Bribery and corruption are punishable in the Philippines for individuals by up to eight to ten years’ imprisonment (under the Revised Penal Code and Anti-graft and Corrupt Practices Act.) and if we are found to have taken part in corruption we could be exposed to civil and criminal penalties, including an unlimited fine, be excluded from tendering for public contracts and face damage to our reputation. We therefore take our legal responsibilities very seriously.
1.5 We have identified that the following are particular risks for our business:
EXTERNAL Country Risks Philippines has been perceived worldwide as a country with high levels of corruption and an absence of effectively implemented anti-corruption legislation, among other factors EXTERNAL Business opportunity risks such as those associated with third party brokers and subcontractors and other persons acting on behalf of KMC Group in relation to the Group’s ongoing expansion projects. INTERNAL Business compliance risks Interactions with various government agencies having jurisdiction over the company in terms of legal compliance. INTERNAL Bids and Awards risks Vendors, suppliers, or subcontractors that participate in the bidding process of KMC Group.
1.6 To address those risks we have to: a) institutionalize and strengthen the internal policies against Bribery and Corruption and make everyone understand that the organization as a whole, has zero tolerance against Bribery and Corruption; b) adopt measures towards ensuring compliance with all Applicable Anti-Corruption Laws; and c) employ preventive approach against corruption by implementing the following: Training and communication; Risk assessments; Integrity due diligence; Whistle blowing encouragement; Monitoring; and Follow up on non-compliance.
In this policy, third party means any individual or organisation you come into contact with during the course of your work for us, and includes actual and potential clients, customers, suppliers, distributors, business contacts, agents, advisers, and government and public bodies, including their advisors, representatives and officials, politicians and political parties.
- Who is covered by the Policy?
This policy applies to all individuals working at all levels and grades, including senior managers, officers, directors, employees (whether permanent, fixed-term or temporary), consultants, contractors, trainees, seconded staff, homeworkers, casual workers and agency staff, volunteers, interns, agents, sponsors, or any other person associated with us, or any of our subsidiaries or their employees, wherever located (collectively referred to as workers in this policy).
- What is Bribery?
3.1 A bribe is an inducement or reward offered, promised or provided in order to gain any commercial, contractual, regulatory or personal advantage.
3.2 A bribe can include money, or any offer, promise or gift of something of value or advantage. It need not necessarily be of large value. It might include incentive programs, signing bonuses or overpaying government suppliers. It might also include intangible benefits such as the provision of information or advice or assistance in arranging a business transaction.
3.3 If you arrange for the Company to pay an additional payment to a foreign official to speed up an administrative process, the offence of bribing a foreign Public Official has been committed as soon as the offer is made. This is because the offer is made to gain a business advantage for us. We may also be found to have committed an offence.
3.4 In summary, a bribe is any financial or other advantage which is offered, provided, authorised, requested or received as an inducement or reward for the improper performance of a person’s relevant function or the receipt of which is in itself improper.
3.5 For these purposes, a ‘relevant function’ can include any function of a public nature, any activity connected with a business, any activity performed in the course of a person’s employment and any activity performed by or on behalf of a body of persons (e.g. a company). Any such function is performed ‘improperly’ by a person if they perform it in breach of what would be expected of them by a reasonable person by reference to any applicable requirements of good faith, impartiality or any position of trust which that person may hold.
- General Prohibitions and Requirements
4.1 You shall not engage in bribery of any type and shall comply with all aspects of this Policy, including the specific prohibitions and guidelines set out here as well as all Applicable Anti-Corruption Laws.
4.2 Payments to Public Officials
(a) You shall not directly, or indirectly through another person or entity, give, offer or promise any Financial or Other Advantage to a Public Official or to a Family Member of a Public Official knowing or intending that in exchange for some or all of the Financial or Other Advantage the Public Official will use his or her influence or office 3 to assist the Company in obtaining or retaining business, directing business to another person or entity or obtaining any other business advantage.
(b) You should take extra care when interacting with Public Officials and their Family Members to avoid even an appearance of impropriety.
4.3 Payments to Private Parties
In connection with Company business, you shall not directly, or indirectly through another person or entity, give, offer or promise any Financial or Other Advantage to any private party intending to induce or reward a breach of trust, impartiality or good faith.
4.4 Receiving Improper Payments
In connection with Company business, you shall not directly, or indirectly through another person or entity, request, agree to receive or accept a Financial or Other Advantage intending to induce or reward a breach of trust, impartiality or good faith.
- Gifts and Hospitality
5.1 The giving or receipt of gifts of insignificant value is not prohibited, if the following requirements are met:
(a) it is not made with the intention of influencing a third party to obtain or retain business or a business advantage, or to reward the provision or retention of business or a business advantage, or in explicit or implicit exchange for favours or benefits;
(b) it is in good faith, occasional and reasonable;
(c) it complies with local law;
(d) it is given in our name, not in your name;
(e) it does not include cash or a cash equivalent (such as gift certificates or vouchers);
(f) it is appropriate in the circumstances. For example, in the Philippines it is customary for small gifts to be given at Christmas time;
(g) taking into account the reason for the gift, it is of an appropriate type and value and given at an appropriate time;
(h) it is given openly, not secretly;
(i) gifts should not be offered to, or accepted from, government officials or representatives, or politicians or political parties, without the prior approval of the compliance manager; and
(j) it is approved in advance as required below.
5.2 We appreciate that the practice of giving business gifts varies between countries and regions and what may be normal and acceptable in one region may not be in another. The test to be applied is whether in all the circumstances the gift or hospitality is reasonable and justifiable. The intention behind the gift should always be considered.
5.3 This policy does not prohibit normal and appropriate hospitality (given and received) to or from third parties.
(a) You may host meals and receptions for clients and prospective clients of the Company and their respective representatives, provided:
(i) Appropriate workers are present for the meal and/or reception;
(ii) The meal or reception is reasonable in amount and not extravagant;
(iii) The venue is not inappropriate or disrespectful;
(iv) As guided by the Company Policies; and
(v) The meal or reception is directly related to the promotion or explanation of the Company’s services or, with respect to meals or receptions for Public Officials, to the execution or performance of a contract with a government or agency thereof.
(a) You may host clients and prospective clients of the Company and their respective representatives at sporting and cultural events such as concerts or other live performances, provided:
(i) If Public Officials are being entertained, appropriate workers are present for the entertainment;
(ii) The total per person value of the entertainment is reasonable in amount and not extravagant;
(iii) The event is not inappropriate or disrespectful; and
(iv) If Public Officials are being entertained, the entertainment is directly related to the promotion or explanation of the Company’s services or to the execution or performance of a contract with a government or agency thereof.
5.6 Family Members and Guests
You shall not provide gifts, entertainment, meals, travel or accommodations for any Family Members or guests of any Public Official unless approved in advance in writing by the Company’s General Counsel.
5.7 Approval Limits
(a) In addition to the general guidance outlined above, no gifts, hospitality or entertainment of value of more than PHP 5,000 per individual shall be offered, provided or accepted unless they have been suitable approved in advance by Compliance Manager who shall maintain a record of all such requests and approvals and regularly review such records.
(b) If you are in any doubt as to the appropriateness of the offer of a gift, hospitality or entertainment you should seek further guidance from Compliance Manager
- What is not acceptable?
6.1 It is not acceptable for you (or someone on your behalf) to:
(a) give, promise to give, or offer, a payment, gift or hospitality with the expectation or hope that a business advantage will be received, or to reward a business advantage already given;
(b) give, promise to give, or offer, a payment, gift or hospitality to a government official, agent or representative to “facilitate” or expedite a routine procedure;
(c) accept payment from a third party that you know or suspect is offered with the expectation that it will obtain a business advantage for them;
(d) accept a gift or hospitality from a third party if you know or suspect that it is offered or provided with an expectation that a business advantage will be provided by us in return;
(e) threaten or retaliate against another worker who has refused to commit a bribery offence or who has raised concerns under this policy; or
(f) engage in any activity that might lead to a breach of this policy.
- Facilitation Payments and Kickbacks
7.1 A facilitation payment (or “grease payment”) is a modest payment made directly or indirectly to a Public Official to prompt the Public Official to perform or expedite a routine, non-discretionary act that the Public Official is otherwise required to perform as part of his or her ordinary duties. Examples of facilitation payments include payments to obtain permits, licenses or visas, to obtain police protection or to load and unload cargo.
7.2 Kickbacks are typically payments made in return for a business favour or advantage. You must avoid any activity that might lead to, or suggest, that a facilitation payment or kickback will be made or accepted by us.
7.3 You shall not make or accept facilitation payments or “kickbacks” of any kind except in exigent circumstances (e.g., imminent threats to health or safety).
7.4 If you are asked to make a payment on our behalf, you should always be mindful of what the payment is for and whether the amount requested is proportionate to the goods or services provided. You should always ask for a receipt which details the reason for the payment. If you have any suspicions, concerns or queries regarding a payment, you should raise these with the compliance manager.
8.1 It is our policy that the Company and its officers, employees, and Associated Persons shall reject any direct or indirect request by any third party (including but not necessarily limited to a public official) for a bribe (including a facilitation payment), even if by rejecting such a
request, the Company is consequently threatened with adverse actions.
8.2 We do, however, recognise that in some cases an individual’s own welfare and safety could be at risk if they do not respond to such requests. If you find yourself in this situation, you should never put yourself in danger but should promptly report the request to Compliance Manager.
8.3 As with other violations of this Policy, the offering or making of any facilitation payment and/or the failure to fulfil any reporting obligations under this Policy shall be a disciplinary matter subject to the Company’s disciplinary process. However, we shall not take disciplinary action against any officer or employee who makes a payment in such circumstances if they genuinely believe that they or their family members would have been put in danger if they had not done so.
9.1 No donation must be offered or made without the prior approval of the compliance manager.
9.2 Political Contributions
(a) We do not make contributions to political parties and endeavour to remain apolitical.
(b) Contributions to political parties or candidates by employees, acting solely in their personal capacities, may not involve the use of any Company funds or office space and must be made in accordance with all Applicable Anti-Corruption Laws.
We do not engage in lobbying Public Officials and we do not hire or engage lobbyists.
- Intermediaries, Business Partners and Other Associated Persons
11.1 The prohibition against offering, providing, authorising, requesting or receiving bribes includes bribes which are given or received by any Associated Persons acting on the Company’s behalf or otherwise providing any services to it. Companies can be prosecuted for the actions of such
Associated Persons and it is therefore not possible to avoid liability by permitting an associated person to pay or receive a bribe.
11.2 We aim to implement, so far as practicable, procedures to prevent third party Associated Persons from engaging in bribery. The framework for doing so is set out below. If you are in any doubt as to the appropriate procedures to follow when dealing with third parties please contact Compliance Manager.
11.3 Intermediaries and Business Partners
(a) We will only appoint intermediaries (including sales agents, introducers and other consultants) and engage with business partners who demonstrate at all times business integrity and who practice ethical conduct which meets the standards expected by the Company and all applicable laws and regulations.
(b) The appointment of intermediaries are subject to the approval of Compliance Manager in accordance with the due diligence procedure outlined below. These procedures apply to all intermediaries. However, special attention will be given to the appointment of intermediaries who are expected to interact with or make introductions to public officials, assisting developing business with governmental entities or obtaining non-routine government approvals or action.
(c) Prior to entering into any contract or business relationship with any intermediary, the officer or employee responsible for the appointment must complete and submit to Compliance Manager an Engagement Form setting out all relevant details of such proposed appointment.
(d) Compliance Manager will then consider the proposal and carry out further due diligence as they consider necessary before confirming whether the appointment is approved. The extent of any further due diligence required and the ultimate decision as to whether to approve an appointment will be informed by the existence of any of the following “red flags”:
(i) location risk such as where the intermediary has no physical presence in the relevant country or where business is to be transacted in a country with a poor corruption record;
(ii) transactional risk such as transactions or proposed appointments which do not make economic sense or which are opaque and difficult to understand;
(iii) financial risk such as where the intermediary requires the payment of cash or offshore or unusually high payments;
(iv) general risk such as suspiciously close ties to government officials, previous allegations of corruption or unethical behaviour or a lack of proportionality between the proposed work and fees.
(e) The engagement in any joint venture or other business combination with any business partners are also subject to approval by Compliance Manager. The extent of any further due diligence required and the ultimate decision as to whether to approve an appointment will be informed by the existence of any of the “red flags” above.
(f) Intermediaries and business partners are expected to participate in appropriate training (which will at a minimum include reviewing this Policy) and to enter into a written agreement with the Company that includes standard form anti-corruption provisions
11.4 Other Associated Persons
Third party Associated Persons other than intermediaries and business partners are expected to act with integrity at all times and should also refrain from paying or receiving bribes on behalf of or to the Company or as part of their normal business operations. The Company’s officers and employees must support and encourage all business partners to develop and implement anti-corruption policies consistent with this Policy.
- Your Responsibilities
12.1 You must ensure that you read, understand and comply with this policy.
12.2 The prevention, detection and reporting of bribery and other forms of corruption are the responsibility of all those working for us or under our control. All workers are required to avoid any activity that might lead to, or suggest, a breach of this policy.
12.3 Any transaction, no matter how seemingly insignificant, that might give rise to a violation of this Policy and/or any Applicable Anti-Corruption Laws must be reported promptly to the compliance manager. For example, if a client or potential client offers you something to gain a business advantage with us, or indicates to you that a gift or payment is required to secure their business. Further “red flags” that may indicate bribery or corruption are set out in Schedule 2.
12.4 Any employee who breaches this policy will face disciplinary action, which could result in dismissal for gross misconduct. We reserve our right to terminate our contractual relationship with other workers if they breach this policy.
- Maintenance of Accurate Books & Records
13.1 We must keep financial records and have appropriate internal controls in place which will evidence the business reason for making payments to third parties. We shall make and keep books, records and accounts which, in reasonable detail, accurately and fairly reflect any transactions involving expenditures on our behalf and the reasons or justifications for such expenditures, and all contracts, invoices and receipts relating to the purchase of goods and services. Misleading or false entries that conceal the source or nature of expenditures or receipts are prohibited.
13.2 You must declare and keep a written record of all hospitality or gifts accepted or offered, which will be subject to managerial review.
13.3 You must ensure all expenses claims relating to hospitality, gifts or expenses incurred to third parties are submitted in accordance with its expenses policy and specifically record the reason for the expenditure.
13.4 All accounts, invoices, memoranda and other documents and records relating to dealings with third parties, such as clients, suppliers and business contacts, should be prepared and maintained with strict accuracy and completeness. No accounts must be kept “off-book” to facilitate or conceal improper payments.
13.5 All officers and employees must assist the Company, where appropriate, in maintaining a system of internal accounting controls to provide reasonable assurances that:
(a) all transactions of the Company and its related parties are executed in accordance the management’s general or specific authorisation;
(b) all transactions are recorded as necessary and where appropriate to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements and to maintain accountability of assets;
(c) access to assets is permitted only in accordance with management’s general or specific authorisation; and
(d) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.
- How to Raise a Concern
You are encouraged to raise concerns about any issue or suspicion of malpractice at the earliest possible stage. Any uncertainties as whether a particular act constitutes bribery or corruption, or any other queries, should be raised with the compliance manager. Concerns should be
reported by following the procedure set out in our whistle-blowing policy.
- What to do if you are a victim of Bribery or Corruption
If you are offered a bribe by a third party, are asked to make one, suspect that this may happen in the future, or believe that you are a victim of another form of unlawful activity it is important that you tell the compliance manager as soon as possible.
16.1 Workers who refuse to accept or offer a bribe, or those who raise concerns or report another’s wrongdoing, are sometimes worried about possible repercussions. We aim to encourage openness and will support anyone who raises genuine concerns in good faith under this policy, even if they turn out to be mistaken.
16.2 We are committed to ensuring no one suffers any detrimental treatment as a result of refusing to take part in bribery or corruption, or because of reporting in good faith their suspicion that an actual or potential bribery or other corruption offence has taken place, or may take place in the future. Detrimental treatment includes dismissal, disciplinary action, threats or other unfavourable treatment connected with raising a concern. If you believe that you have suffered any such treatment, you should inform the compliance manager immediately. If the matter is not remedied, and you are an employee, you should raise it formally using our grievance procedure, which can be found at Code of Employee Discipline and at the Code of Business Conduct.
- Training and Communication
17.1 Workers shall receive training on this policy as part of their induction process. All existing workers will receive regular, relevant training on how to implement and adhere to this policy.
17.2 Our zero-tolerance approach to bribery and corruption must be communicated to all suppliers, contractors and business partners at the outset of our business relationship with them and as appropriate thereafter.
- Who is responsible for the Policy?
18.1 The board of directors has overall responsibility for ensuring this policy complies with our legal and ethical obligations, and that all those under our control comply with it.
18.2 The compliance manager has primary and day-to-day responsibility for implementing this policy, and for monitoring its use and effectiveness and dealing with any queries on its interpretation. Management at all levels are responsible for ensuring those reporting to them are made aware of and understand this policy and are given adequate and regular training on it.
- Monitoring and Review
19.1 The compliance manager will monitor the effectiveness and review the implementation of this policy, regularly considering its suitability, adequacy and effectiveness. Any improvements identified will be made as soon as possible. Internal control systems and procedures will be subject to regular audits to provide assurance that they are effective in countering bribery and corruption.
19.2 All workers are responsible for the success of this policy and should ensure they use it to disclose any suspected danger or wrongdoing.
19.3 Workers are invited to comment on this policy and suggest ways in which it might be improved. Comments, suggestions and queries should be addressed to the compliance manager.
19.4 This policy does not form part of any employee’s contract of employment and it may be amended at any time.
- Obligation and Procedure to Report Integrity Concerns
All of the Company’s officers and employees who suspect that violations of law or this Policy may be occurring or are about to occur or become aware of suspicious, risky or evidently corrupt conduct by any person are expected to immediately report their suspicions to Compliance Manager/ Head of Legal.
21.1 The violations of Applicable Anti-Corruption Laws may result in individuals or the Company receiving civil and/or criminal fines and punishment. Individuals may also be subject to imprisonment for bribery and corruption offences. The Company may also be disbarred from bidding for contracts with government and other public organisations in certain jurisdictions if it is convicted.
21.2 The Company considers a breach of this Policy as a serious offence. Any violation will result in disciplinary action, up to and including dismissal of an individual in appropriate circumstances. The business relationship with non-officers/non-employees of the Company who violate this Policy may also be terminated.
21.3 The Company’s officers and employees must therefore ensure that they are familiar with the content of this Policy and adhere to it at all times. If you have any questions as to the requirements or scope of this Policy, please consult Compliance Manager.
“Associated Persons” means an individual or company that acts on behalf of the Company or otherwise performs any services for or on behalf of the Company in any capacity whatsoever. A typical example is a sales agent, intermediary or introducer, but this can also include, for example, advisers, consultants, joint venture partners and contractors.
“Applicable Anti-Corruption Laws” means the Prevention of Bribery Ordinance (Chapter 201 of the Laws of Hong Kong), the Republic Act No. 3019 or the Anti-Graft and Corrupt Practices Act of the Philippines, the United States Foreign Corrupt Practices Act of 1977, the United Kingdom Bribery Act
2010 or any other anti-corruption or anti-bribery laws or regulations applicable to us all . Additionally, the following:
1. Articles 201 to 212 of the Revised Penal Code
2. The Anti Graft and Corrupt Practices Act (R.A.3019)
3. The Code of Conduct and Ethical Standards for Public Officials and Employees
4. Presidential Decree No. 46
5. Republic Act 7080 Plunder
6. Omnibus Election Code BP 881
7. Anti-Red Tape Act Republic Act 9485 as amended by Republic Act 11032 or the Ease of Doing Business Act
“Company” or “us” means KMC Solutions Hong Kong Limited and its subsidiaries in any jurisdiction.
“Company’s General Counsel” means any of the in-house Corporate Legal Counsels of the KMC Group
“Family Member” means a parent, spouse, spousal equivalent, child, sibling, uncle or aunt.
“Financial or Other Advantage” means any offer, promise, or payment of any money, gift, service, status, right, interest or any other thing to which economic value could attach, including hospitality and entertainment.
“Public Official” means (a) an officer or employee of a government or any department, agency or instrumentality thereof, an officer or employee of any public enterprise, including any person who holds a legislative, administrative or judicial position of any kind whether appointed or elected, an officer or employee of a public international organization (e.g., the World Bank, the International Monetary Fund, the World Trade Organization and the United Nations) or any person acting in an official capacity or exercising a public function for or on behalf of any such government or department, agency, instrumentality or public enterprise or for or on behalf of any such public international organization; or (b) any political party, party official, or candidate for political office; or (c) officers, employees, representatives or agents of any entity owned or controlled directly or indirectly by a government, including a sovereign wealth fund or any entity owned by a sovereign wealth fund.
Potential Risk Scenarios: “Red Flags”
The following is a list of possible red flags that may arise during the course of you working for us and which may raise concerns under various Applicable Anti-Corruption Laws. The list is not intended to be exhaustive and is for illustrative purposes only.
If you encounter any of these red flags while working for us, you must report them promptly using the procedure set out in the whistle-blowing policy:
(a) you become aware that a third party engages in, or has been accused of engaging in, improper business practices;
(b) you learn that a third party has a reputation for paying bribes, or requiring that bribes are paid to them, or has a reputation for having a “special relationship” with foreign government officials;
(c) a third party insists on receiving a commission or fee payment before committing to sign up to a contract with us, or carrying out a government function or process for us;
(d) a third party requests payment in cash and/or refuses to sign a formal commission or fee agreement, or to provide an invoice or receipt for a payment made;
(e) you learn of private meetings being undertaken between parties involved in public procurement or with public officials;
(f) you encounter unexpected or illogical decisions being made accepting projects or contracts outside of the Group’s normal risk management procedures;
(g) an unusually smooth process of matters exists where an individual does not have the expected level of knowledge or expertise;
(h) a lack of transparency exists in expense and counting records of an associated person or other relevant third party;
(i) you learn of missing documents or records regarding meetings or decisions;
(j) you learn of a departure from usual tendering/contracting processes where applicable;
(k) you learn that Company procedures or guidelines are not being followed;
(l) there is a refusal to agree non-corruption provisions in agreements;
(m) statements that should put one on notice, such as an agent boasting about his connections or recommending that the Company not ask how he/she is able to get things accomplished;
(n) a third party requests that payment is made to a country or geographic location different from where the third party resides or conducts business;
(o) a third party requests an unexpected additional fee or commission to “facilitate” a service;
(p) a third party demands lavish entertainment or gifts before commencing or continuing contractual negotiations or provision of services;
(q) a third party requests that a payment is made to “overlook” potential legal violations;
(r) a third party requests that you provide employment or some other advantage to a friend or relative;
(s) you receive an invoice from a third party that appears to be non-standard or customised;
(t) a third party insists on the use of side letters or refuses to put terms agreed in writing;
(u) you notice that we have been invoiced for a commission or fee payment that appears unusual or large given the service stated to have been provided;
(v) a third party requests or requires the use of an agent, intermediary, consultant, distributor or supplier that is not typically used by or known to us; or
(w) you are offered an unusually generous gift or offered lavish hospitality by a third party.
KMC Gift Policy
To establish a uniform policy relating to the acceptance of gifts, including gratuities or rewards
This policy applies to all officers, as well as all employees and Consultants of KMC MAG SOLUTIONS, INC and its affiliate companies (Collectively, the Company“)
“Affiliates” include all sister companies of KMC MAG SOLUTIONS namely: a) KMC-RUFINO, INC.; b) APEX 9V, INC.; c) APEX 16 UB, INC.; d) APEX 8 SL, INC.; e) APEX FIVE E-COM, INC.; f) APEX 5678 ROCKWELL, INC.; g) APEX BGC UPTOWN, INC.; h) APEX C SIGMA, INC.; i) APEX ZETA, INC., j) APEX GAMMA, INC.
“Employees” include all permanent, part-time, temporary and contract employees, including volunteers.
“Business with the KMC MAG SOLUTIONS, INC.“ means that, within 12 months of offering a gift, the would-be gift-giver 1) has or will submit a bid or proposal to the KMC MAG SOLUTIONS or affiliates to perform services or provide supplies or equipment, or 2) has or will submit an application for a permit, license or regulatory approval of any kind.
“Gift” means any bestowal of money, commission, any item of value, service, loan, thing or promise, discount or rebate for which something of equal or greater value is not exchanged. Payments for travel, entertainment and food are gifts. “Gift” does not include 1) any discount or
rebate made in the regular course of business and offered to the general public without regard to the individual’s connection with the Company, 2) inheritances, 3) plaques or trophies, 4) Company event sponsorships or x-deals.
Gift Ban from Those with Business with the Company: No Company official/employee may accept any gift from those who have, or are likely to have, business with the Company. In determining whether someone is likely to have business with the Company, officials and employees are encouraged to err on the side of caution.
1) Company officials and employees may accept gifts of nominal value (less than PHP5,000) that are shared with a wide range of colleagues at the Company except that no person from the Purchasing Division shall be allowed to receive gifts of any kind even of nominal value from Suppliers.
2) Company officials and employees may accept items that can be displayed in public areas of Company’s building (such as flowers, plaque, painting, etc).
3) Company officials and employees may accept handmade items by and from supported charitable organizations or any other ethnic or civic organizations. This policy does not affect the authority of Company to accept gifts (for example, donations or bequests) in furtherance of its legitimate business purposes or when the gift is for the purpose of supporting the Company’s activities such as outreach, Christmas Party, marketing event sponsorship, etc. provided that such offer of sponsorship or gift shall be in writing and addressed to the President, stating therein the intention or purpose of the gift.
Company, and its officials and employees, will take steps to publicize this policy to the suppliers, vendors and others partners.
Upon being offered or receiving a gift prohibited by this policy, an individual must notify the gift giver of this policy and graciously decline or return the gift which must be attested by a witness. If despite the decline or return of the gift, the same is not accepted by the gift-giver, then the officer/employee shall declare the same in writing and address to the Company’s Chief Executive Officer who shall decided on the matter.
If the gift is anonymous, the recipient must deliver the gift to the Company’s Chief Executive Officer who will convey the gift to a charitable organization or repurpose the same as a raffle prize in any future Company events.
Vendors, Suppliers or Contractors violating this Policy shall be given temporary or permanent ban to enter into a competitive bidding in all existing and future projects of the Company.
Employees caught receiving gifts- whether in the form of money (as recurring or ad hoc commission) or in kind- in violation of this Policy shall be terminated immediately.
DECLARATION FOR 2017
Vendors, Suppliers, & Contractors shall declare in a sworn affidavit, all gifts given to any employee or officer of the Company during the year 2017 to date in the manner and form as specified in Annex A. Any vendor, supplier or contractor caught misrepresenting or lying in the sworn affidavit, shall, apart from the temporary or permanent ban, be liable for perjury under the Revised Penal Code.
Employees who have received gifts from 2017 to date shall likewise state under oath all gifts received from suppliers, contractors or vendors in the manner and form as specified in Annex B. Any misdeclaration or deliberate statement of falsehood shall be meted with a penalty of termination of employment and such employee shall be made liable for perjury under the Revised Penal Code.
All gifts received for the year 2017 shall not be recovered from the officer or employee of the Company.
EFFECTIVE: 1 January 2018
Safeguarding your privacy is important to us. KMC is committed to maintaining your trust by protecting personal information that we collect and use.
Information Collection and Use
While using our Sites, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personally, identifiable information may include, but is not limited to your name, address, telephone number, email address, business name, a unique login name, and password ("Personal Information"). We use this information to contact you about the services on our Sites in which you have expressed interest, to verify your identity, in connection with a transaction that you or your company or organization has initiated, to deliver notifications and other operational communications, and for troubleshooting.
You also have the option to provide demographic information (such as type of business, size of business, locations, etc.). KMC Solutions uses this demographic information to understand your needs and interests and to provide you a more personalized experience on our Sites. The information is used by KMC Solutions to process your orders, enable participation in promotions, and facilitate your relationship with us.
In some cases, we collect billing and payment information you provide when you purchase products and services. We also collect information that you provide us when you participate in our surveys, sweepstakes or events.
To the extent that you disclose to us any personal information of another individual, we assume that you have obtained such individual’s consent for the disclosure of such personal information as well as the processing of the same in accordance with the terms of this Policy.
Like many site operators, we collect information that your browser sends whenever you visit our Sites ("Log Data").
This Log Data may include information such as your computer's Internet Protocol ("IP") address, browser type, browser version, the pages of our Sites that you visit, the time and date of your visit, the time spent on those pages, whether you have opened or forwarded our e-mails or connected to offers or links that we send you, your general or specific geographic location, such as through GPS, Bluetooth or WiFi signals to the extent permitted by the settings of your devices, and other statistics.
If you use our internet connection, networks, telecommunications systems or information processing systems, your activity and any files or messages on those systems may also be monitored by KMC Solutions at any time, in accordance with applicable law, for purposes of an investigation or to ensure compliance with company policies.
Information From Third-Party Sources
We receive information about you from publicly and commercially available sources and other third parties as permitted by law. We may combine this information with other information we receive from or about you, where necessary to provide the Services you requested.
We also may partner with the following categories of third parties to collect, analyze, and use some of the personal information described in this Policy:
- Third-parties that provide features and functionality on the services by means of plug-ins. Even if you do not click on or interact with social networking services or other plug-ins, they may collect information about you, such as your IP address and the pages that you view.
- Advertising providers help us and our advertisers provide advertisements on our services or elsewhere, including advertisements that are targeted based on your online behaviour, and analytics companies help us measure and evaluate the usage of our services.
- Other content providers may offer products and services on our services and may operate contents, sweepstakes, or surveys on our services.
We may use your contact information to send you information about KMC Solutions products and services as well as promotional material that may be of interest to you. For example, we may periodically contact you with offers and information about our products, services, features, and events; to send you newsletters or other information about topics that we believe may be of interest; to conduct online surveys; and to otherwise promote our products, services, features, and events. We also may deliver targeted advertisements to you, both on and off the Services.
Cookies, Web Beacons and other Internet Technologies
Cookies are files with small amount of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a web site and stored on your computer's hard drive.
Like many sites, we use "cookies" to collect information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Site.
Web beacons and similar technologies are small bits of code, which are embedded in web pages, advertisements, and e-mail, that communicate with third parties. We use web beacons, for example, to count the number of users who have visited a particular web page, to deliver or communicate with cookies, and to understand usage patterns. We also may include web beacons in e-mails to understand whether messages have been opened, acted on, or forwarded.
There are other local storage and internet technologies, such as Local Shared Objects (also referred to as “Flash cookies”) and HTML5 local storage, that operate similarly to the cookies discussed above in that they are stored on your device and can be used to store certain information about your activities and preferences across different services and sessions.
Our websites use these technologies for the following purposes:
- Administering our Services.
- Improving our Services, including helping us measure and research the effectiveness of our content, features, advertisements, and other communications. For example, we measure which pages and features website visitors are accessing and how much time they are spending on our webpages. We may include web beacons in e-mails, for example, to understand whether messages have been opened, acted on, or forwarded.
- Storing your sign-in credentials and preferences so that you do not have to enter those credentials and preferences every time you log on to a Service.
- Helping us and third parties provide you with relevant content and advertising by collecting information about your use of our Services and other websites.
The security of your Personal Information is important to us, but remember that no method of transmission over the Internet, or method of electronic storage, is 100% secure. While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security.
Accessing, Reviewing, and Updating Your Personal Information
To the extent provided for under Republic Act No. 1073, otherwise known as the Data Privacy Act of 2012, you may have the right to access your personal information and to update or correct inaccuracies in your personal information.
You may have rights to revoke consent you previously granted us with respect to processing personal information and to object to the use of your personal information for direct marketing or for other purposes that are not necessary in light of the nature of our legal relationship. Note that if you revoke your consent to such processing, we may be unable to provide you with certain aspects of the services.
If you would like to exercise any of your rights under the Data Privacy Act, please send an e-mail to [email protected]
KMC MAG Solutions, Inc. 25th Floor, Picadilly Star Building, 4th Avenue, corner 27th Street,
Bonifacio Global City, Taguig 1634, Metro Manila, Philippines. Email: [email protected]
DATA PRIVACY MANUAL
KMC respects and values data privacy rights, and makes sure that all personal data collected from employees, clients and vendors, are processed following the general principles of transparency, legitimate purpose, and proportionality. This Manual provides information on the KMC’s data protection and security measures and may serve as a guide for the exercising of a Data Subject’s rights under the Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA) and when applicable, the European Union’s General Data Protection Regulation 2016/679 (GDPR).
Privacy laws aim to protect personal data in information and communications systems. Under the DPA and the GDPR, KMC is processing personal data and has policies, and implements measures and procedures that guarantee the safety and security of personal data under control
or custody, thereby upholding an individual’s data privacy rights. KMC takes reasonable and appropriate measures to protect personal data against dangers such as accidental loss or destruction, unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.
To inform its personnel of such measures, KMC has prepared this Privacy Manual. This Manual guides personnel for compliance with the DPA, its Implementing Rules and Regulations (IRR), other relevant issuances of the National Privacy Commission (NPC) and if applicable, the GDPR. It also describes the privacy and data protection protocols to be observed and carried out for specific circumstances (e.g., from collection to destruction), to protect the rights of data subjects.
Definition of Terms
“Data Subject” – refers to an individual whose personal, sensitive personal or privileged information is processed by the organization. It may refer to officers, employees, consultants, vendors and clients of this organization.
“Personal Information” – refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
“Processing” refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
Scope and Limitations
All personnel of this organization, regardless of the type of employment or contractual arrangement, must comply with the terms set out in this Privacy Manual.
This Manual shall be read in conjunction with the following:
- Privacy Statement for Clients and/or Vendors; and
- Privacy Statement for Human Resources.
Processing of Personal Data
A. Collection (e.g. type of data collected, mode of collection, person collecting information, etc.)
KMC collects the basic contact information of clients, vendors and employees, including their full name, address, email address, contact number, and other necessary personal information.
Personal data collected shall be used by KMC for documentation purposes, compliance with
legal obligations and governmental regulations.
C. Storage, Retention and Destruction (e.g. means of storage, security measures, form of information stored, retention period, disposal procedure, etc.)
KMC will ensure that personal data under its custody are protected against any accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing. KMC will implement appropriate security measures in storing collected personal information, depending on the nature of the information. All information gathered shall not be retained for a period longer than five (5) to ten (10) years. After the five (5) to ten (10) year period, all hard and soft copies of personal information shall be disposed and destroyed, through secured means.
D. Access (e.g. personnel authorized to access personal data, purpose of access, mode of access, request for amendment of personal data, etc.)
Due to the sensitive and confidential nature of the personal data under the custody of the KMC, only the client and the authorized representative of KMC shall be allowed to access such personal data, for any purpose, except for those contrary to law, public policy, public order or morals.
E. Disclosure and Sharing (e.g. individuals to whom personal data is shared, disclosure of policy and processes, outsourcing and subcontracting, etc.)
All employees and personnel of KMC shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation, termination of contract, or other contractual relations. Personal data under the custody of KMC shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data.
KMC implements reasonable and appropriate physical, technical and organizational measures for the protection of personal data. Security measures aim to maintain the availability, integrity and confidentiality of personal data and protect them against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination. This section generally describes those measures.
A. Organization Security Measures
- Data Protection Officer (DPO)
The designated Data Privacy Officers for KMC are Jonathan S. Toledo and Atty. Nancy B. Martinez- Arce.
- Functions of the Data Protection Officer
The DPO shall oversee the compliance of the organization with the DPA, its IRR, and other related policies, including the conduct of a Privacy Impact Assessment, implementation of security measures, compliance with the GDPR and data protection laws, security incident and data breach protocol, and the inquiry and complaints procedure.
- Conduct of trainings or seminars to keep personnel, especially the Data Protection Officer updated vis-à-vis developments in data privacy and security
The organization shall sponsor a mandatory training on data privacy and security at least once a year. For personnel directly involved in the processing of personal data, management shall ensure their attendance and participation in relevant trainings and orientations, as often as necessary.
- Conduct of Privacy Impact Assessment (PIA)
The organization shall conduct a Privacy Impact Assessment (PIA) relative to all activities, projects and systems involving the processing of personal data. It may choose to outsource the conduct of a PIA to a third party.
- Recording and documentation of activities carried out by the DPO, or the organization itself, to ensure compliance with the DPA, its IRR and other relevant policies.
The organization shall sponsor a mandatory training on data privacy and security at least once a year. For personnel directly involved in the processing of personal data, management shall ensure their attendance and participation in relevant trainings and orientations, as often as necessary.
- Duty of Confidentiality
All employees will be asked to sign a Data Consent Form and Non-Disclosure Agreement (NDA). All employees with access to personal data shall operate and hold personal data under strict confidentiality if the same is not intended for public disclosure.
- Review of Privacy Manual
This Manual shall be reviewed and evaluated annually. Privacy and security policies and practices within the organization shall be updated to remain consistent with current data privacy best practices.
B. Physical Security Measures
Physical security measures monitor and limit access to the facility containing the personal data, including the activities therein. It provides the actual design of the facility, the physical arrangement of equipment and furniture, the permissible modes of transfer, and the schedule and means of retention and disposal of data, among others. The following provisions are included to ensure that mechanical destruction, tampering and alteration of personal data under the custody of the organization are protected from man-made disasters, power disturbances, external access, and other similar threats:
- Format of data to be collected.
Personal data in the custody of the organization may be in digital/electronic format and paperbased/physical format.
- Storage type and location (e.g. filing cabinets, electronic storage system, personal data room/separate room or part of an existing room).
All personal data being processed by the organization shall be stored in a data room, where paper-based documents are kept in locked filing cabinets while the digital/electronic files are stored in computers provided and installed by KMC.
- Access procedure of agency personnel
Only authorized personnel shall be allowed inside the data room. For this purpose, they shall each be given an exclusive access to the room. Other personnel may be granted access to the room upon filing of an access request form with the Data Protection Officer and the latter’s approval thereof.
- Monitoring and limitation of access to room or facility
All personnel authorized to enter and access the data room or facility must fill out and register with the online registration platform of the organization, and a logbook placed at the entrance of the room. They shall indicate the date, time, duration and purpose of each access.
- Design of office space/work station
The computers are positioned with considerable spaces between them to maintain privacy and protect the processing of personal data.
- Persons involved in processing, and their duties and responsibilities
Persons involved in processing shall always maintain confidentiality and integrity of personal data. They are not allowed to bring their own gadgets or storage device of any form when entering the data storage room.
- Modes of transfer of personal data within the organization, or to third parties
Transfers of personal data via electronic mail shall use a secure email facility with encryption of the data, including any or all attachments.
- Retention and disposal procedure
The organization shall retain the personal data of a client for five (5) to ten (10) years from the date of transaction. Upon expiration of such period, all physical and electronic copies of the personal data shall be destroyed and disposed of using secure technology.
C. Technical Security Measures
KMC implements technical security measures to make sure that there are appropriate and sufficient safeguards to secure the processing of personal data, particularly the computer network in place, including encryption and authentication processes that control and limit access. These include the following, among others:
- Monitoring for security breaches
KMC shall use an intrusion detection system to monitor security breaches and alert the KMC of any attempt to interrupt or disturb the system.
- Security features of the software/s and application/s used
KMC shall first review and evaluate software applications before the installation thereof in computers and devices of KMC to ensure the compatibility of security features with overall operations.
- Process for regularly testing, assessment and evaluation of effectiveness of security measures
The organization shall review security policies, conduct vulnerability assessments and perform penetration testing within KMC on regular schedule to be prescribed by the appropriate department or unit.
- Encryption, authentication process, and other technical security measures that control and limit access to personal data
Each personnel with access to personal data shall verify his or her identity using a secure encrypted link and multi-level authentication.
Breach and Security Incidents
KMC has developed and is implementing policies and procedures for the management of a personal data breach, including security incidents. This section describes or outlines such policies and procedures, including the following:
- Creation of a Data Breach Response Team
A Data Breach Response Team comprising of five (5) officers shall be responsible for ensuring immediate action in the event of a security incident or personal data breach. The team shall conduct an initial assessment of the incident or breach in order to ascertain the nature and extent thereof. It shall also execute measures to mitigate the adverse effects of the incident or breach.
- Measures to prevent and minimize occurrence of breach and security incidents
KMC shall regularly conduct a Privacy Impact Assessment to identify risks in the processing system and monitor for security breaches and vulnerability scanning of computer networks. Personnel directly involved in the processing of personal data must attend trainings and seminars for capacity building. There must also be a periodic review of policies and procedures being implemented in the organization.
- Procedure for recovery and restoration of personal data
KMC shall always maintain a back-up file for all personal data under its custody. In the event of a security incident or data breach, it shall always compare the back-up with the affected file to determine the presence of any inconsistencies or alterations resulting from the incident or breach.
- Notification protocol
The Head of the Data Breach Response Team shall inform the management of the need to notify the NPC and the data subjects affected by the incident or breach within the period prescribed by law. Management may decide to delegate the actual notification to the head of the Data Breach Response Team.
- Documentation and reporting procedure of security incidents or a personal data breach
The Data Breach Response Team shall prepare a detailed documentation of every incident or breach encountered, as well as an annual report, to be submitted to management and the NPC, within the prescribed period.
Inquiries and Complaints
Every data subject has the right to reasonable access to his or her personal data being processed by KMC. Other available rights include: (1) right to dispute the inaccuracy or error in the personal data; (2) right to request the suspension, withdrawal, blocking, removal or destruction of personal data; and (3) right to complain and be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data.
Accordingly, KMC has procedures for inquiries and complaints that will specify the means through which concerns, documents, or forms submitted to the organization shall be received and acted upon.
Data subjects may inquire or request for information regarding any matter relating to the processing of their personal data under the custody of the organization, including the data privacy and security policies implemented to ensure the protection of their personal data. They may write to the organization at [email protected] and briefly discuss the inquiry, together with their contact details for reference.
Complaints shall be filed in three (3) printed copies, or sent to [email protected] The data privacy team shall confirm with the complainant its receipt of the complaint.
The provisions of this Manual - Second Version are effective this 11th day of June 2018, until revoked or amended by KMC.
This Privacy Statement sets out how KMC collects, uses, manages and protects the personal data or information (Personal Data) that it collects whether as a controller or processor.
KMC is committed in processing Personal Data in accordance with the required laws such as Republic Act Number 10173, otherwise known as the Philippine Data Privacy Act of 2012, Regulation (EU) 2016/679 otherwise known as the European Union General Data Protection Regulation (GDPR) and other personal data security and protection laws. Before using and providing Personal Data for the purposes set out in this Privacy Statement, KMC is required by law to obtain written consent, and in such cases, only after having obtained such written consent, KMC can use Personal Data in the manner specified.
KMC can collect and use Personal Data. For the purposes of carrying our business (including the verification of the identity to detect, prevent and address fraud, security or technical issues, the registration, activation and management of the Client and/or Vendor’s account with KMC, and the billing and charging of KMC’s services and complying with laws, rules, guidelines, regulations and/or requests issued by applicable government authorities, courts, law enforcement or other authorities or regulatory bodies, you may be requested to provide Data such as, but not limited to:
- the name, date of birth and other details documented on your Passport or other government issued competent proof of identity;
- contact details including name, address, phone number, mobile telephone number and/or email address;
- Personal Data that you have shared with our app for guests entering our facilities;
- payment details including account number and other electronic banking Data;
- all Data requested by applicable government authorities, courts, law enforcement or other authorities or regulatory bodies to enable us to comply with or in connection with any law, rule, regulation, judgment or court order (whether within or outside the Philippines); and
- any other Data as may be required, necessary and applicable on the corresponding availed Service Agreement.
In some instances, we may seek your consent to process the following “Sensitive Personal Information” (SPI) in order from KMC to further improve our Services and/or better tailor the type of information or content that we present to you and improve our business relationship:
- gender and ethnicity;
- marital status;
- employment details;
- education and profession;
- hobbies and leisure activities; and
- family and household demographics.
Personal Data supplied by you will be held by one or more members of KMC’s Sales Team and/or the KMC team dealing with your Company that is working on a particular Service Agreement.
How We Collect Personal Data
We collect Data in a number of ways, including from:
- you directly, for example, when you provide Personal Data by phone or via email, attend our functions, complete an agreement for one of our Services, or when you submit your Data through our website, or over any customer service hotlines, or when you contact us with a query or request, or during the ordinary course of our business relationship with you, or when we are legally required to do so; and/or
- your participation in surveys or marketing promotions organized by us or on our behalf.
How We Use Your Personal Data
We may collect, retain and use your Personal Data for the following purposes:
- to verify your identity;
- to process your application to avail our Services;
- to promote and market our Services to you;
- to conduct credit checks and detect fraudulent activities in compliance with the Anti-Money Laundering Act and in relation to other compliance purposes;
- to perform research or analyses so that we may improve and optimize the Services that can be made available to you;
- to conduct surveys and marketing, promotional, behavioral scoring for business operations and/or planning purposes;
- for vendors, to avail the Services that your Company would be providing to KMC;
- to enforce KMC’s contractual rights;
- to process any payment instructions;
- to maintain, enhance and develop our products and service offerings; and
- to comply with applicable laws in or outside the Philippines as may be required by applicable government authorities, courts, law enforcement, or regulatory or investigation bodies, in relation to the supply of Services/ availment of your Company’s Services, including to assist in the prevention, detection of crime or possible criminal activities.
Legal Basis for Using your Personal Data
KMC’s use of your personal data may be necessary for the performance of the Services that your Company may wish to avail. As for the vendors of KMC, the same is necessary for the availment of the Services that your Company may render. KMC may, to the extent permissible under applicable laws and regulations, disclose your Data to government and regulatory entities.
Importance of Safety of your Data
All required efforts are made to ensure that any Personal Data held by us is stored in a secure and safe place and is accessible only by our authorized employees.
When we pass your Data to third parties for them to process, we seek to ensure that they have appropriate security measures in place to keep your Personal Data safe and to comply with applicable principles in relation to data protection.
Retention of Personal Data
KMC will retain your Personal Data in accordance with KMC’s internal policies. Our policies are in compliance with the Data Privacy Act and the GDPR where applicable, and cover the following principles:
- Data will only be retained for as long as is necessary to fulfil the original or directly related purposes for which it was collected, unless the Data is also retained to satisfy any applicable legal, regulatory or contractual obligations; and
- Data are purged from our electronic, manual and other filing systems based on the above
criteria and our internal procedures.
Right to Access, Correct and Delete Personal Data
KMC takes all reasonable precautions to ensure that the Personal Data we collect, use and disclose is accurate, complete and up-to-date. However, the accuracy of that Personal Data depends to a large extent on the Data you provide. You have a right to request access to, and correction of, your Data and we recommend that you:
- let us know if there are any errors in your Data; and
- keep us up-to-date with changes to your Data.
If you wish to access or amend any of your Personal Data that we hold, or request that we delete any of your information that is no longer necessary for the provision of our Services, you may contact us in the manner as set forth under the “How to Contact Us” section.
You may decline to share Personal Data with us and/or withdraw any consent which you may have provided, in which case, we may not be able to provide you with some of our Services or we may discontinue availing your Company’s Services.
At any time, you may object to us holding or processing your Data, on legitimate grounds, save and except as otherwise permitted by the applicable law.
How to Contact Us
For all issues and enquiries regarding KMC’s compliance with our obligations under the Data Privacy Act of 2012 and the GDPR, and any request for access to, correction or deletion of your Data, please contact us in writing at:
Data Protection Officer
KMC MAG Solutions, Inc.
25F Picadilly Star Building
4th Avenue Corner 27th Street
Bonifacio Global City, Taguig
Or send an e-mail to: [email protected]
This Privacy Statement may be amended from time to time and the handling of Personal Data will be governed by the most recent version of this Privacy Statement.
This policy statement provides information on the obligations of KMC under the Philippine Data Privacy Act of 2012 (Data Privacy Act) and, when applicable, the European Union’s General Data Protection Regulation 2016/679 (GDPR). All individuals who submit an application to KMC in respect of a job vacancy and all employees of the KMC upon accepting offer of employment shall be deemed to have consented to their personal data to be processed, stored, transferred or used or handled in accordance with this Privacy Statement. To the extent the GDPR applies to the processing of such application, the processing of personal data is done in accordance with the legitimate interest of KMC.
This policy specifically addresses KMC’s obligations in respect of with the Philippine Data Privacy Act. This policy also addresses, when required, the requirements of the GDPR.
COMPANY CORPORATE POLICY
KMC shall fully comply with the obligations and requirements of the Data Privacy Act and, when applicable, the GDPR. KMC’s officers, management, and employees shall, at all times, respect the confidentiality and security of all personal data collected and/or stored and/or transmitted and/or used for, or on behalf of KMC.
KMC shall ensure all collection, storage, transmission and other handling or usage of personal data by KMC shall be done in accordance with the obligations and requirements of the Data Privacy Act and, when applicable, the GDPR.
Where an individual legitimately requests access to and/or correction of personal data relating him/her, held by KMC, KMC shall provide and/or correct that data in accordance with the data privacy laws.
STATEMENT OF PRACTICES
During the recruitment process, job applicants may be required to provide sufficient personal data so that KMC may, as appropriate and/or applicable:
- Assess the applicant's suitability for the position being applied for;
- Assess the applicant's suitability for other available vacant positions;
- Determine remuneration and benefit packages;
- Verification of credentials and/or experience; and/or
- Perform security vetting and/or integrity checking.
At a minimum, such personal data will include:
- The applicant's name and contact details, including address and telephone number(s);
- Previous employment and relevant experience; and
- Education and relevant training.
Additional information may also be required subject to the nature of the position being applied for.
The applicant is responsible for ensuring all personal data that he/she provide is accurate and complete. Any attempt to provide inaccurate information or withhold (or deliberately omit) essential requested information may cause one or more of the following consequences:
- Prevention of making any offer of employment;
- Invalidate any offer of employment made; or
- Termination of employment, if the employment has commenced.
The personal data so provided by the applicant may be shared, at the time of recruitment or after employment has commenced, to persons within KMC and its clients. Personal data would be shared with the corresponding Client since it is involved in the assessment of the applicant's suitability for the position applied for and/or other positions.
The data may also be shared to third parties, such as investigative agencies, as are necessary to satisfy purposes relating to human resources management such as background check. KMC shall retain the personal data of unsuccessful applicants for future recruitment purposes for a period of five years from the day on which the recruitment period ends. The personal data of successful applicants shall be retained for the duration of their employment by KMC and handled in such manner as described below under the heading of "Employment, Including Post Employment."
EMPLOYMENT, INCLUDING POST EMPLOYMENT
In the course of employment in KMC, personal data of employees and their family members, as appropriate, will be collected and used on an ongoing basis for various purposes relating to human resources management including but not limited to administering staffing, performance management, training, career development, salary and benefits administration, communication, medical benefits, insurance, taxation, welfare and providing information in compliance with legal requirements. Personal data will be transferred to internal departments, intra-company, and/or to other third parties as deemed necessary by KMC for the purposes of which the data are collected.
KMC retains certain personal data of employees when they cease to be employed by the KMC (and such data will be retained for no longer than five years after their cessation of employment). Such data are required for any residual employment-related activities of the former employee including, but not limited to:
- The provision of job references;
- Processing applications for re-employment;
- Matters relating to retirement benefits; and
- Allowing KMC to fulfill contractual or statutory obligations.
TRANSFER OF PERSONAL DATA OUTSIDE OF THE PHILIPPINES
At times it may be necessary and/or prudent for KMC to transfer certain personal data to places outside the Philippines in order to carry out the purposes, or directly related purposes, for which the personal data are collected. By submitting job applications or entering into employment relationship with KMC, candidates or employees have consented to such transfer which will be performed in compliance with the requirements of the Data Privacy Act and, when applicable, the GDPR.
SECURITY OF PERSONAL DATA
Physical records containing personal data are securely stored in locked areas when not in use.
Computer data are stored on computer systems and storage media to which access is strictly controlled and/or are located within restricted areas.
Access to records and data without appropriate management authorization are strictly prohibited. Authorizations are granted only on a "need to know" basis.
Where KMC holds, uses and/or transmits personal data, the data will be adequately protected from accidental and/or unauthorized disclosure, change and/or destruction.
ACCESS AND CORRECTION OF PERSONAL DATA
Under the terms of the Data Privacy Act and, when applicable, the GDPR, job applicants and employees (current or former) have the right to:
- Ascertain whether KMC holds any personal data relating to them and, if so, obtain copies of such data (“right of access”);
- Require KMC to correct personal data in its possession which is inaccurate for the purpose for which it is being used by means of a data access request (right of correction); and
- Ascertain the KMC's policies and practices in relation to personal data, which are those policies and practices set out in their entirety herein.
The said right to access personal data can be exercised by sending a request on the address given below.
KMC will, upon satisfying itself of the authenticity and validity of the access request, make every endeavor to comply with and respond to the request.
If the accessed data contains any incorrect information, KMC will accept written request for correction which can be sent to the KMC's Data Protection Officer at the address or e-mail listed below, specifying the data obtained through the Data Access Request mentioned above which needs to be corrected. Satisfactory proof and/or explanation of the inaccuracy is essential before KMC would consider correcting the specified data.
Data Protection Officer
KMC MAG Solutions, Inc.
25F Picadilly Star Building
4th Avenue Corner 27th Street
Bonifacio Global City, Taguig
Or send an e-mail to [email protected]
To raise an issue regarding our handling of your Personal Data, please contact us in order for us to resolve your issue.
This Privacy Statement may be amended from time to time and the handling of Personal Data will be governed by the most recent version of this Privacy Statement.