Updated: 25 May 2025

This Privacy Notice applies to Environmental & Risk Management Services Philippines Inc., and all of its affiliates and subsidiaries (collectively, “we,” “our,” “us,” or “ERM”). A full list of affiliates and subsidiaries is available here.

In this Privacy Notice, we identify the personal data that we collect about you and how we use that data. This Privacy Notice applies to any personal data you provide to ERM and any personal data we collect from other sources, unless you are provided a more specific privacy statement at the time of data collection. This Privacy Notice does not apply to any third-party websites, applications or portals (“Sites”) linked to ERM’s Sites, or to any ERM Sites that have their own privacy notices. If you provide personal data to us about other people, you must provide them with a copy of this Privacy Notice and obtain any consent required for the processing of that person’s data in accordance with this Privacy Notice.

If you have any questions about this Privacy Notice, please contact us using the details set out in the Contact Us section. When using our Sites, you should read this Privacy Notice alongside the Site’s Terms of Use.

The following sections will guide you through our practices for the collection, usage, disclosure and retention of your personal data:

  1. Who we are
  2. How we process your personal data
  3. How we protect your personal data
  4. How we protect your personal data when sending it abroad
  5. Marketing activities
  6. Profiling and automated decision-making
  7. How long we keep your personal data
  8. Your personal data rights
  9. Contact us
  10. Updates to this Privacy Notice
  11. Philippines Addendum (“Addendum”) to the Environmental & Risk Management Services Philippines Inc. Privacy Notice

 

  1. Who we are

We are a global company providing a range of professional services including insurance, (re)insurance brokerage, risk and claims management, employee benefits and human resources consulting and administration, financial, pension administration and actuarial services through our various affiliates and subsidiaries.

 

  1. How we process your personal data

2.1 Individuals in scope of this Privacy Notice

This Privacy Notice provides information for those individuals whose personal data we process, including:

  • Business contacts, such as brokers, (re)insurers, managing agents (MGAs), loss adjusters, experts instructed in relation to claims, service providers, suppliers, professional advisors, conference attendees, visitors to our offices, government officials and authorities.
  • Customers, claimants and plan beneficiaries, such as those in respect of insurance policies we place as part of our core insurance business activities (e.g., parties covered under the policies, potential beneficiaries of the policies, claimants and other parties involved in claims in respect of the policies), and any other customers in relation to our various service offerings (e.g., employers sponsoring health and benefit plans, pension trustees, premium financing services, current, former and retired plan members, spouses and other beneficiaries entitled to payment from pension and/or benefit plans for whom we provide administrative services).
  • Users of our Sites.
  • Other individuals, such as those requesting or receiving our marketing information, making general inquiries, entering competitions or promotions, or whose images we use in marketing or are captured on CCTV.

2.2 How we collect your personal data

We collect your personal data in a number of ways, which vary based on how you interact with us and as allowed by applicable law. The following summarizes our various collection points:

  • Directly from you or your authorized representative, such as when you provide your personal data to us, including from any of our Sites, surveys, live events, market research, and other direct communications and/or solicitations.
  • From our clients and partners, such as commercial clients, (re)insurers, network partners, brokers, employers, benefit plan sponsors, benefit plan administrators, premium finance companies, health service providers, pension trustees, data/marketing list providers and third-party service providers.
  • Publicly available sources, such as social media platforms, property and assets registers, and claims and convictions records.
  • ERM affiliate companies.
  • Government authorities, such as police and regulators.
  • Background checks and screening tools, such as insurance industry fraud prevention and detection databases, credit agencies and sanctions screening tools.
  • Other third parties.

2.3 Personal data we collect

We collect the following types of personal data depending on the purpose of your interaction with us (e.g., as business contact, customer, claimant, insured) and as allowed by applicable law:

  • Basic personal and demographic information, such as your name, date of birth, age, gender and marital status.
  • Contact information, such as your address, telephone number and email address.
  • Unique identifiers, such as identification numbers issued by government bodies or agencies (e.g., your national identifier number or social security number, passport number, ID number, tax identification number, driver’s license number, birth, death and marriage certificates, military passbook, and copies of official documents).
  • Beneficiary information, such as details of relationships, family members and dependents.
  • Employment information, such as your job title, employer, employment status, salary information, employment benefits, pensionable service periods, employment history and professional certifications and training.
  • Financial information, such as your bank account numbers and statements, credit card numbers, brokerage account numbers, transaction information, tax information, details of your income, property, assets, investments and investment preferences, pension and benefits, debts, and creditworthiness.
  • Policy information, such as your policy number, policy start and end dates, premiums, individual terms, mid-term adjustments, reasons for cancellation, risk profile, details of policy coverage, enrolment, eligibility for insurance or benefits, benefit amounts and underwriting history.
  • Claim information, such as a claimant’s relationship to a policyholder/insured, claims history and claims data, and the date and particulars of a claim, including causes of death, injury or disability and claim number.
  • Plan information, such as contributions levels and benefit options
  • Commercial information, such as records of your personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
  • Events or meeting information, such as details about your visits to our offices (including CCTV), your interest in and attendance at events or meetings, audio recordings, photographs or videos captured during meetings, events or calls with you.
  • Lifestyle information, such as travel history and plans and general health data.
  • Special category data and sensitive personal data, such as data relating to your health (including protected health information), genetic or biometric data, sex life, sexual orientation, gender identity, racial or ethnic origin, political opinions, religious or philosophical beliefs and trade union membership.
  • Criminal records information, such as criminal charges or convictions, including driving offences, or confirmation of clean criminal records.
  • Professional disciplinary information.
  • Personal information received from background checks and sanctions screenings, including status as a politically exposed person.
  • Marketing information, such as your consent to or opt out from receiving marketing communications from us and/or third parties, your marketing preferences, or your interactions with our marketing campaigns and surveys, including whether you open or click links in emails from us or complete our surveys.
  • Sites and communication usage information, such as your username, your password, other information collected by visiting our Sites or collected through cookies and other tracking technologies as described in our cookie policy, including your IP address, domain name, your browser version and operating system, traffic data, location data, browsing time, and social media information, such as interactions with our social media presence.

2.4 How we use your personal data

Depending on the purpose of your interaction with us (e.g., as business contact, customer, claimant, insured, pension member), we use your personal data to:

  • Perform services for you or our clients
  • Provide services and fulfill our contractual obligations, including providing services that you may not have personally requested but were requested by our client(s) and require us to interact, directly or indirectly, with you.
  • Facilitate and enable placement of policies and assist in the ongoing management of such policies, including premium management, renewals, adjustments, cancellations, claims management and settlement.
  • Provide various consulting, administration, financial, pension and actuarial services and claims administration.
  • Advise on the management of our clients’ business risks and opportunities, affairs and insurance arrangements and on the administration of claims.
  • Manage our business operations
  • Enter into business relationships and perform due diligence and background checks, such as fraud, trade sanctions screening, and credit and anti-money laundering checks.
  • Create, maintain, customize and secure your account with us.
  • Maintain accounting records, analyze financial results, comply with internal audit requirements, receive professional advice, apply for and make claims on our own insurance policies, manage or dispute a claim and recover a debt.
  • Conduct data analytics, surveys, benchmarking, and risk modelling to understand risk exposures and experience, for the purposes of creating de-identified and/or aggregate industry or sector-wide reports, to share within ERM’s group of companies and with third parties.
  • Communicate and market to you
  • Communicate with you regarding your account or changes to our policies, terms and conditions, respond to any inquiries you may have, and send you invitations for events or meetings.
  • Advertise, market and promote our services or the services of others, including by email, LinkedIn, SMS, post or telephone.
  • Send you newsletters, offers or other information we think may interest you, as well as offer and administer promotions.
  • Monitor usage of our Sites and personalize your experience with our Sites and the messages we send you to deliver content, product and service offerings relevant to your interests, including targeted offers and ads through our Sites, third-party Sites, and via email, SMS or text (with your consent, where required by law).
  • Comply with legal obligations
  • Comply with national security or law enforcement requirements, discovery requests, or where otherwise required or permitted by applicable laws or regulations, court orders or regulatory authorities.
  • Exercise and defend ours, yours or third parties’ legal rights.
  • Monitor and prevent fraud or wrongdoing
  • Maintain the safety, security, quality, integrity and availability of our products, services, systems and data, detect security incidents, protect against inadvertent data loss, malicious, deceptive, fraudulent, or illegal activity, and debug or identify and repair errors that impair existing intended functionality.
  • Monitor and ensure the safety and security of our premises, property, employees and visitors.
  • Improve our services
  • Develop, enhance, expand or modify our services through research and development.
  • Monitor, review, assess and improve our technology systems, including any Sites, and our content on social media platforms.
  • Improve and develop systems and algorithms involving machine learning and artificial intelligence.
  • Improve quality, training and security (for example, with respect to recorded calls).
  • Mergers and acquisitions
  • Facilitate commercial transactions, including a reorganization, merger, sale of all or a portion of our assets, a joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings). Should such a sale or transfer occur, we will use reasonable efforts to ensure the entity to which we transfer your personal data agrees to use it in a manner consistent with this Privacy Notice.

If we intend to use your personal data for any other purpose not described in this Privacy Notice or which is not compatible with the purpose for which your personal data was collected, we will contact you and let you know of that purpose, which may include the need to satisfy our legal and regulatory obligations. Where we require your consent to the processing, we will request it in advance.

2.5 Legal basis for processing personal data

Local law and regulation may require us to have a legal basis to process your personal data. In most cases, our legal basis for processing your personal data will be one of the following:

  • Legitimate Business Interest, such as seeking to and entering into or performing our contractual duties, maintaining our business records, keeping records of insurance policies or other products we place, and analyzing and improving our business model, services, systems and algorithms. When using your personal data for these purposes, we ensure our business need does not conflict with the rights afforded to you under applicable laws.
  • For the performance of a contract with you or in order to take steps at your request prior to entering into that contract.
  • Compliance with legal obligations, such as when you exercise your rights under data protection laws and make requests, for compliance with legal and regulatory requirements and related disclosures and for the establishment and defense of legal rights.
  • Fraud detection or prevention.
  • Consent, such as when we have to obtain your consent to process your personal data.

When we process sensitive personal data, sometimes referred to as special category data, in most cases our legal basis will be one of the following:

  • As required to establish, exercise or defend legal claims.
  • As necessary for insurance operations when it is in the substantial public interest, where applicable under local data protection laws.
  • As necessary for the prevention or detection of an unlawful act and/or fraud when it is in the substantial public interest, where applicable under local data protection laws.
  • You have given us your explicit consent-where we receive sensitive personal data or special category data indirectly, the third party is responsible for obtaining your explicit consent to enable us to collect and use your data for the purposes described in this Privacy Notice.

2.6 Who we share your personal data with

We share your personal data within ERM’s group of companies for the purpose of your interaction with us, such as for the provision of our services, general business operations and controls, marketing, data analytics, systems and algorithm improvements, surveys, benchmarking, and compliance with applicable laws.

We may also share your personal data with the following third parties for the purpose of your interaction with us:

  • Your employer, as part of our provision of the services to you or your employer.
  • Professional Advisors, such as underwriters, actuaries, claims handlers and investigators, surveyors, loss adjustors/assessors, accident investigators, specialist risk advisors, pension providers or trustees, banks and other lenders (including premium finance providers), health professionals, health service providers, lawyers (including third party legal process participants), accountants, auditors, tax advisors, financial institutions, investment advisors and other fiduciaries and consultants.
  • Business partners, such as customers, (re)insurance companies, MGAs, brokers, other insurance intermediaries, claims handlers or other companies who act as insurance distributors and premium financing companies.
  • Providers of insurance broking and other platforms we use.
  • Service providers, such as IT software, security and cloud suppliers, finance and payment providers, marketing agencies, external venue providers, address tracers, printers, document management providers, telephony providers, debt collection agencies, background check and credit reference agencies.
  • Fraud detection agencies and credit bureaus which operate and maintain fraud detection or credit registers.
  • Industry bodies.
  • Insurers who provide you with insurance and us with our own insurance.
  • Regulators, public authorities and law enforcement agencies, such as police, judicial bodies, governments, quasi-governmental authorities, financial and pension regulators and workers’ compensation boards, where we are required or requested to do so by law.
  • Asset purchasers, such as those who may purchase or to whom we may transfer our assets and business.
  • Other third parties, where we have your consent or are required by law.

When required by applicable law, we will obtain your explicit consent before sharing your data with any third parties. We will also require third parties (where applicable) to maintain a comparable level of protection of personal data as set out in this Privacy Notice by the use of contractual requirements or other means. On request and where required by law, we will confirm the name of each third party to which your personal data has, or will be, transferred. To the extent permitted by applicable law, we disclaim all liability for the use of your personal data by third parties.

2.7 Children

Our Sites are not intended for children and we do not knowingly collect, use, or disclose information about children.  If you are a minor, please do not provide any personal data even if prompted to do so. If you believe that you have inadvertently provided personal data, please ask your parent(s) or legal guardian(s) to notify us. In the event that we learn that we have inadvertently collected personal data via our Sites from a child, we will delete that information as quickly as possible.

 

  1. How we protect your personal data

We use a range of organizational and technical security measures to protect your personal data, including, but not limited to, the following:

  • Restricted access to those who need to know for the purposes set out in our underlying agreement or this Privacy Notice, and who are subject to confidentiality obligations.
  • Firewalls to block unauthorized traffic to servers.
  • Physical servers located in secure locations and accessible only by authorized personnel.
  • Internal procedures governing the storage, access and disclosure of your personal data.
  • Additional safeguards as may be required by applicable laws in the country where we process your personal data.

Please note that where we have given you (or you have chosen) a password, you are responsible for keeping the password confidential. Please do not share your password with anyone.

 

  1. How we protect your personal data when sending it internationally

We operate as a global business and may transmit your personal data across borders, including within ERM’s group of companies and to certain third parties, including our partners and service providers. This sharing of data allows us to provide you services as set out in our underlying agreement or as otherwise indicated in this Privacy Notice. When required by applicable law, we will obtain your explicit consent before transferring your data.

The laws that apply to the country where the data is transferred may not be equivalent to that in your local country (or in the country in which we provide the services). Transfers of personal data will comply with applicable law and be subject to suitable safeguards to ensure an adequate level of protection, including, where required, the use of standard contractual clauses approved by the local data protection regulator, that require each party to ensure that the personal data receives an adequate and consistent level of protection. Please contact us using the details provided under the Contact Us section if you would like further information regarding our international transfers and the steps we take to protect your personal data when sending it internationally.

 

  1. Marketing activities

From time to time, we may provide you with information about our products or services or those of our partners that we think will be of interest to you. We may send you this information by email, LinkedIn, SMS, text, post or we may contact you by telephone. We may also share your personal data with other ERM group companies so that they can provide you with information about their products and services we believe will be of interest to you. We ensure that our marketing activities comply with all applicable legal requirements. In some cases, this may mean that we ask for your consent in advance of sending you marketing materials

You can opt out of receiving marketing communications from us at any time. Please use the “unsubscribe” link in our marketing emails to opt out of receiving those emails. Alternatively, please contact us using the details provided under the Contact Us section. In such circumstances, we will continue to send you service-related communications where necessary.

 

  1. Profiling and automated decision-making

Insurance market participants benchmark insured, beneficiary and claimant attributes and risk factors, and insured event likelihoods in order to determine insurance limits, insurance premiums and fraud patterns. This means that we compile and analyze data in respect of insureds, beneficiaries and claimants to model such likelihoods. In doing so, we use personal and commercial data in order to create the models and/or match that data against the models (profiling) to determine both the risk and the premium price based on similar exposures and risks. We also use this information to help us advise insurance companies about the typical levels of insurance coverage that our clients may have in place.

We will only make automated decisions about you where:

  • Such decisions are necessary for entering into a contract (e.g., we may decide not to offer services to you, the types or amount of services that are suitable for you, or how much to charge you for services based on your credit history or financial or related information we have collected about you);
  • Such decisions are required or authorized by law (e.g., fraud prevention purposes); or
  • You give your consent for us to carry out automated decision-making. You may withdraw your consent at any time by contacting us.

These automated decisions may have a legal or similar effect on you, namely, your eligibility for or access to products or services.

We may also make automated decisions based on your personal data or browsing history to send you personalized offers, discounts or recommendations, subject to any applicable local laws and regulations. These automated decisions will not have legal or similar effects for you.

Subject to local laws and regulations, you can contact us to request further information about our automated decision-making, object to our use of automated decision-making, or request that an automated decision be reviewed by a human being.

 

  1. How long we keep your personal data

We keep your personal data for as long as reasonably necessary to fulfil the purposes set out in this Privacy Notice based on our business needs and legal requirements.

When we no longer need your personal data, we de-identify or aggregate the data or securely destroy it based on our retention policy. Please note that de-identified or aggregated data is not treated as personal data under this Privacy Notice and may be used for analytics purposes.

We have a detailed retention policy that governs how long we hold different types of information. Please contact us using the details provided under the Contact Us section for further information regarding how long we keep your personal data.

 

  1. Your personal data rights

Based on the country in which you reside, and subject to permitted exemptions, you may have certain rights in relation to your personal data. We are committed to respecting your personal data rights. Please refer to your country-specific addendum for information on the rights that apply to individuals in your country.

 

You can exercise your rights by contacting us using the details provided in the Contact Us section. We will usually not charge you for processing these requests. There may be cases where we are unable to comply with your request (e.g., via a permitted exemption or where the request would conflict with our obligation to comply with other legal requirements). We will tell you the reason if we cannot comply with your request and we will always respond to any request you make.

 

  1. Contact us

Please contact us if you have any questions about how we collect and process your personal data. You may contact us by writing to GlobalPrivacyOffice@ajg.com.

 

  1. Updates to this Privacy Notice

We may update this Privacy Notice from time to time. When we make updates, we will post the current version on our Sites and will revise the version date located at the bottom of the Privacy Notice. We encourage you to review this Privacy Notice periodically so that you will be aware of our current privacy practices.

 

  1. Philippines Addendum (“Addendum”) to the Environmental & Risk Management Services Philippines Inc. Privacy Notice

 

Updated: 25 May 2025

This Addendum supplements ERM Privacy Notice and applies to personal data collected and/or processed in the Philippines. ERM Privacy Notice together with this Addendum shall be considered ERM Privacy Policy pursuant to the Data Privacy Principles set out under Republic Act No. 10173 or the Data Privacy Act of 2012 (“Data Privacy Act”), and the implementing rules and regulations, advisories, and issuances of the National Privacy Commission (Republic of the Philippines).

For clarity, a reference to ‘personal data’ in the Privacy Notice and this Addendum includes a reference to ‘personal information’ and ‘sensitive personal information’ as defined in the Data Privacy Act.

Processing of Personal Information and Sensitive Personal Information

Notwithstanding Sections 2.5 and 2.6 of the Privacy Notice, this Addendum provides additional information on the differentiation in the processing of personal information and sensitive personal information. Processing of personal information is permitted, unless otherwise prohibited by law and where at least one of the lawful criteria are present. On the other hand, processing of sensitive personal information is generally prohibited, except where one of the lawful criteria are present.

The processing of your personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:

(a) You have given your consent;

(b) The processing of personal information is necessary and is related to the fulfilment of a contract with the data subject or in order to take steps at your, as data subject, request prior to entering into a contract;

(c) The processing is necessary for compliance with a legal obligation to which the ERM is subject;

(d) The processing is necessary to protect your vitally important interests, including life and health;

(e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfil functions of public authority which necessarily includes the processing of personal data for the fulfilment of its mandate; or

(f) The processing is necessary for the purposes of the legitimate interests pursued by ERM, or by a third party or parties to whom the data is disclosed, except where such interests are overridden by your fundamental rights and freedoms which require protection under the Philippine Constitution.

The processing of sensitive personal information and privileged information shall be prohibited, except in the following cases:

(a) You have given your consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;

(b) The processing of the same is provided for by existing laws and regulations: Provided, That such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information: Provided, further, That the consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;

(c) The processing is necessary to protect your life and health or another person, and the you are not legally or physically able to express his or her consent prior to the processing;

(d) The processing is necessary to achieve the lawful and non-commercial objectives of public organizations and their associations: Provided, That such processing is only confined and related to the bona fide members of these organizations or their associations: Provided, further, That the sensitive personal information are not transferred to third parties: Provided, finally, That consent of the data subject was obtained prior to processing;

(e) The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or

(f) The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.

Disclosure of your personal data to third parties and entities overseas

We may need to disclose your personal data to third parties, including, without limitation, insurers, underwriting agencies, insurance brokers, and ERM’s foreign counterpart entities so that they may perform services for us or on our behalf, assist us in providing our services and administering our business or as otherwise set forth in the Privacy Notice. The countries in which these third-party recipients may be located are the United States of America, the United Kingdom, countries within the European Union, New Zealand, Singapore or India. We may also need to disclose your personal data to our affiliated companies, including our parent company Arthur J. Gallagher & Co. located in the United States of America, and its subsidiaries located in Canada, the United Kingdom, countries within the European Union, New Zealand, Malaysia, Singapore or India, to assist in providing our services to you. For each such disclosure of personal data outside the Philippines, ERM shall take such steps as are reasonable in the circumstances to ensure the overseas recipient does not breach applicable data protection laws, including the Data Privacy Act.

The data sharing between these entities, which shall each have control as to the processing of the personal information, thus, each considered a personal information controller, may be supported by Data Sharing Agreements, and records of its cross-border data sharing arrangements shall be duly and regularly maintained.

Each party to a data-sharing arrangement will be responsible for any personal data under its control or custody, which extends to personal data each party shares with or transfers to a third party located outside the Philippines, subject to cross-border arrangement and cooperation. The terms and conditions of these agreements shall comply with the Model Contractual Clauses governing cross-border transfers of personal data.

 

Your personal data rights

You have certain rights in respect of your personal data under Data Privacy Act.

Right to be informed whether your personal information shall be, are being or have been processed

Right to be provided the following information before the entry of personal information into the processing system of ERM, or at the next practical opportunity, which shall not be amended without prior notification of the data subject:

(1) Description of the personal information to be entered into the system;

(2) Purposes for which they are being or are to be processed;

(3) Scope and method of the personal information processing;

(4) The recipients or classes of recipients to whom they are or may be disclosed;

(5) Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access is authorized;

(6) The identity and contact details of the personal information controller or its representative;

(7) The period for which the information will be stored; and

(8) The existence of their rights, i.e., to access, correction, as well as the right to lodge a complaint before the Commission.

Right to access your personal data

You have a right to ask us for copies of your personal data and certain details of how we use it, as well as information on the following:

(1) Contents of your personal information that were processed;

(2) Sources from which personal information were obtained;

(3) Names and addresses of recipients of the personal information;

(4) Manner by which such data were processed;

(5) Reasons for the disclosure of the personal information to recipients;

(6) Information on automated processes where the data will or likely to be made as the sole basis for any decision significantly affecting or will affect the data subject;

(7) Date when his or her personal information concerning the data subject were last accessed and modified; and

(8) The designation, or name or identity and address of the personal information controller;

Right to rectification

You have a right to ask us to amend or update your personal data if you believe the personal data we hold about you is inaccurate or incomplete, and to request the immediate correction thereof. If the personal information has been corrected, ERM shall ensure the accessibility of both the new and the retracted information and the simultaneous receipt of the new and the retracted information by recipients. Third parties who have previously received such processed personal information shall he informed of its inaccuracy and its rectification upon your reasonable request

Right to erasure

You have a right to ask us to suspend, withdraw, or order the blocking, removal or destruction of your personal information from the ERM’s system upon discovery and substantial proof that the personal information is incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected. This includes discontinuing the sending of direct marketing messages, upon request. In this case, the personal information controller may notify third parties who have previously received such processed personal information.

This right will however be balanced against other factors.  For example, we may have regulatory and/or legal obligations which mean we cannot comply with your request.

Right to data portability

You have a right to ask that we transfer personal data that you have given us to another organization in certain circumstances.

Right to object to processing, including marketing

You have a right to object to your personal data being processed if we process your personal data in our legitimate interest. You may also ask us to stop sending you direct marketing messages at any time.

Rights related to automated decision-making

You have a right to ask not to be the subject to a decision based solely on automated processing, including profiling, which produces legal or similar effects.

Right to withdraw consent

You have a right to withdraw your consent for us to use your personal data where we have asked for your consent to do so.

Right to complain

You have the right to contact us or our data protection officer if you have any concerns with how we use your personal data and we will do our best to resolve your concerns. You also have a right to complain to the National Privacy Commission (NPC) if you believe that our use of your personal data is in breach of data protection laws and/or regulations. More information can be found on the NPC’s website. This will not affect any other legal rights or remedies you have.

Right to be indemnified

You have the right to be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal information collected by ERM.

In order to exercise any of these rights, all requests, demands, complaints, or notices shall be transmitted electronically via email to the ERM’s Data Protection Officer’s email, as indicated in the Contact Us section below.

Transmissibility of Rights

The lawful heirs and assigns of the data subject may invoke the rights of the data subject for, which he or she is an heir or assignee at any time after the death of the data subject or when the data subject is incapacitated or incapable of exercising the rights as enumerated in the immediately preceding section

Non Applicability of Rights

The rights are not applicable if the processed personal information is used only for the needs of scientific and statistical research and, on the basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, That the personal information shall be held under strict confidentiality and shall be used only for the declared purpose. Likewise, the immediately preceding sections are not applicable to the processing of personal information gathered for the purpose of investigations in relation to any criminal, administrative or tax liabilities of a data subject.

Automated Decision-Making

In compliance with the Data Privacy Act and the data protection regulatory frameworks of the Philippines, ERM shall register its Data Processing Systems, which it may use in the Philippines under Section 6 of the Global Policy. ERM shall obtain your consent in the event automated processing will be the sole basis for a decision that produces legal effects on or may significantly affect you.

Data Retention

The Data Privacy Act authorizes us to retain personal data based only on the foregoing periods:

  1. Retention of personal data shall be only for as long as necessary:

(a) for the fulfilment of the declared, specified, and legitimate purpose, or when the processing relevant to the purpose has been terminated;

(b) for the establishment, exercise or defense of legal claims; or

(c) for legitimate business purposes, which must be consistent with standards followed by the applicable industry or approved by appropriate government agency.

  1. Retention of personal data shall be allowed in cases provided by law.

ERM maintains its own record management policy which provide for retention periods and procedures for proper disposal of records containing personal data which shall be retained for as long as necessary for the fulfilment of any of the purposes in section 2.4 of the Global Policy, and shall continue to be retained for a period of five (5) years notwithstanding the termination of any of the purposes unless withdrawn in writing or withheld due to changes in the information supplied by ERM.

 

Contact us

You can contact us if you have any questions about how we collect, store or use your personal data or if you wish to exercise any of your rights with respect to your personal data.

Environmental & Risk Management Services Philippines Inc.

legal entity

 Contact details
Environmental & Risk Management Services Philippines Inc.

 

 Data Protection Officer

Centro Maximo 3/F Centro Maximo II Corner D. Jakosalem & V. Ranudo Streets, Cebu City, Philippines 600

 

Email: GlobalPrivacyOffice@ajg.com