YANSON GROUP OF BUS COMPANIES

LOVE CERES

DATA PRIVACY POLICY

I. Policy Statement

This Data Privacy Policy (“Policy”) is hereby adopted by the YANSON GROUP OF BUS COMPANIES (“Company,” “we,” “us,” or “our”) in accordance with Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 (“DPA”), its Implementing Rules and Regulations (“IRR”), and all relevant issuances of the National Privacy Commission (“NPC”), as well as other applicable laws and regulations of the Republic of the Philippines.

The Company recognizes and upholds the fundamental right to privacy of all individuals and is committed to protecting personal data through lawful, fair, and transparent processing. The Company implements reasonable and appropriate organizational, physical, and technical security measures to safeguard personal data against accidental or unlawful destruction, alteration, unauthorized disclosure, misuse, or any other unlawful processing.

This Policy applies to all personal data processed by the Company in connection with its transportation, logistics, cargo handling, warehousing, booking systems, payment processing, fleet management, customer service, employment, and all related business operations.

In the event of any inconsistency between this Policy and internal issuances, this Policy shall prevail.

II. Definition of Terms

“Personal Data”

Refers collectively to Personal Information, Sensitive Personal Information, and Privileged Information as defined under Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 (DPA), and its Implementing Rules and Regulations (IRR). It includes any data that can directly or indirectly identify an individual, whether recorded in material form or not.

“Personal Information”

Refers to any information, whether recorded in material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained, or when put together with other information would directly and certainly identify an individual.

“Sensitive Personal Information”

Refers to personal information that is classified as sensitive under the DPA and includes, but is not limited to, government-issued identification numbers, personal health information, financial information such as bank account or payment details, biometric data, and any information relating to age, marital status, race, ethnic origin, religion, or similar characteristics as may be determined by law or relevant issuances of the National Privacy Commission (NPC).

“Processing”

Refers to any operation or set of operations performed upon personal data, whether or not by automated means. This includes, but is not limited to, the collection, recording, organization, structuring, storage, updating, retrieval, consultation, use, consolidation, sharing, blocking, erasure, destruction, or any other form of data handling or treatment.

“Data Subject”

Refers to an individual whose personal data is processed by the Company, whether as a passenger, customer, employee, applicant, business partner, or any other individual interacting with the Company whose personal data is collected or processed.

“Personal Information Controller (PIC)”

Refers to any natural or juridical person, or any other body, who controls the processing of personal data or instructs another to process personal data on its behalf. The PIC determines the purposes and means of processing personal data.

“Personal Information Processor (PIP)”

Refers to any natural or juridical person, or any other body, to whom a PIC may outsource or instruct the processing of personal data pertaining to a data subject. A PIP processes personal data strictly on behalf of and according to the instructions of the PIC and does not determine the purposes or means of processing.

III. Scope and Coverage

This Policy applies to all data subjects whose personal data are processed by the Company, including passengers, customers, consignors, consignees, online users, employees, applicants, contractors, suppliers, agents, business partners, and visitors to Company premises and systems.

It covers all forms of processing, whether manual or automated, including processing through websites, mobile applications, booking systems, payment gateways, CCTV systems, GPS tracking systems, fleet monitoring tools, HR systems, customer support platforms, and other technologies used in Company operations.

IV. Data Protection Officer (DPO) and Governance

The Company shall designate a Data Protection Officer (“DPO”) who shall perform statutory functions under the Data Privacy Act of 2012 and relevant issuances of the National Privacy Commission (“NPC”). The DPO shall be responsible for monitoring and ensuring the Company’s continuous compliance with applicable data protection laws, rules, and regulations, including internal privacy policies and governance frameworks. The DPO shall act as the primary point of contact between the Company and the NPC, as well as data subjects, in matters relating to privacy concerns, compliance inquiries, and regulatory reporting.

The DPO shall also be responsible for conducting or overseeing Privacy Impact Assessments (“PIA”) for data processing systems, projects, or activities that involve high-risk processing, including but not limited to large-scale CCTV deployment, GPS tracking systems, profiling activities, payment systems, and other technologies that may affect the rights and freedoms of data subjects. Furthermore, the DPO shall advise senior management and relevant departments on privacy risks, mitigation measures, and compliance obligations, and shall ensure that appropriate organizational, physical, and technical safeguards are implemented across all business operations.

V. Information We Collect

The Company collects and processes various categories of personal data necessary for the efficient, safe, and lawful delivery of its transportation, logistics, operational, employment, and related services.

In relation to passengers: The Company collects personal information such as full name, address, contact details, email address, nationality, date of birth, emergency contact information, travel itineraries, boarding details, booking references, seat assignments, passenger manifests, accessibility requirements, and special assistance requests. These data are necessary to facilitate booking, ticket issuance, boarding, transport safety, customer support, and compliance with transportation regulations.

For cargo and logistics operations: The Company processes sender and recipient information, shipping and delivery details, cargo descriptions, delivery instructions, warehouse transaction records, proof of delivery, customs-related documents, and insurance documentation. These are required for proper handling, tracking, delivery, and regulatory compliance of goods and cargo services.

In relation to financial transactions: The Company collects billing details, bank account information, payment references, e-wallet details, credit or debit card information processed through secure third-party payment gateways, refund records, and transaction histories. The Company ensures that full payment card details are not stored unless strictly necessary and legally permitted, and relies on secure third-party processors for payment handling.

For identification and verification purposes: The Company may collect government-issued identification documents, driver’s licenses, passports, tax identification numbers, company IDs, and other verification documents as required for compliance, fraud prevention, and identity authentication.

Operational and telematics data: The Company may also collect operational and telematics data, including GPS location data, vehicle routes, driver behavior data, dispatch logs, fleet monitoring information, fuel monitoring records, delivery timestamps, and route optimization data. These are processed to ensure operational efficiency, safety, monitoring, and logistics management.

CCTV and surveillance systems: The Company operates CCTV systems in terminals, offices, warehouses, vehicles, parking areas, and other operational facilities. Such systems may capture facial images, vehicle information, timestamps, and location-related data. These are used strictly for safety and security purposes, fraud prevention, incident investigation, operational monitoring, and compliance with legal obligations.

For employment and recruitment purposes: The Company processes employee and applicant data including employment records, educational background, payroll information, attendance records, biometrics, medical clearances, performance evaluations, disciplinary records, government contributions, and benefits information. These are necessary for human resource management, payroll administration, compliance with labor laws, and employee welfare.

Digital and technical information: The Company collects digital and technical information such as IP addresses, browser and device information, mobile application identifiers, cookies, login credentials, access logs, and security logs. These are used for system security, authentication, fraud prevention, analytics, and improvement of digital services.

VI. Methods of Collection

The Company collects personal data through multiple lawful and legitimate channels depending on the nature of its services and interactions with data subjects. These include online booking systems, mobile applications, official websites, physical ticketing offices, cargo offices, customer service channels, telephone communications, electronic mail, and official social media platforms. In addition, data may be collected through CCTV systems, GPS devices, fleet monitoring systems, employment application processes, corporate agreements, APIs and system integrations, third-party booking partners, and other lawful publicly available sources where permitted under applicable law.

VII. Legal Basis for Processing

The Company processes personal data only upon the existence of lawful criteria recognized under the DPA and other applicable laws. Processing may be based on the consent of the data subject, contractual necessity, compliance with legal obligations, protection of vital interests, fulfillment of public authority functions, legitimate interests pursued by the Company or third parties, or other lawful grounds permitted under Philippine law. Where consent is required, the Company shall ensure that consent is freely given, specific, informed, and evidenced by written, electronic, or recorded means. The Company reserves the right to deny services or transactions where certain personal data are required by law, regulation, or operational necessity and the data subject refuses to provide such information.

VIII. Purposes of Processing

The Company processes personal data for legitimate and lawful purposes related to its transportation and logistics operations. Such purposes include processing transportation bookings and reservations, managing passenger manifests, handling cargo and shipment transactions, coordinating dispatch and routing activities, facilitating delivery and logistics services, processing payments and refunds, verifying identities, addressing customer concerns and complaints, conducting fraud prevention and security investigations, monitoring fleet operations, complying with transportation and regulatory requirements, administering employment and payroll functions, maintaining operational records, conducting internal audits, improving services, performing analytics and operational assessments, enforcing Company policies, protecting Company assets and interests, and complying with legal, regulatory, contractual, and governmental obligations.

The Company may likewise process personal data for marketing, promotional, customer engagement, and service advisory purposes where permitted by law and supported by the necessary consent or lawful basis. Data subjects may opt out of receiving marketing communications subject to reasonable processing requirements and legal limitations.

IX. Consent Management

Where consent is required as a lawful basis for processing personal data, the Company shall ensure that such consent is obtained in a manner that is freely given, specific, informed, and evidenced by clear affirmative action. Consent may be obtained through written forms, electronic checkboxes, digital signatures, recorded verbal confirmation, or other lawful means appropriate to the context of data collection.

The Company shall maintain verifiable records of consent, including the date, manner, and scope of consent given by the data subject. Data subjects shall be informed of their right to withdraw consent at any time, subject to legal or contractual limitations, and such withdrawal shall be processed through established internal procedures. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

X. Data Sharing and Third-Party Processing

The Company may share personal data with affiliates, subsidiaries, contractors, service providers, payment processors, logistics partners, insurers, auditors, legal advisers, and government authorities where necessary and lawful.

Data sharing with independent controllers shall be governed by Data Sharing Agreements (“DSA”), while engagement of service providers acting as processors shall be governed by Data Processing Agreements (“DPA”). All third parties shall be required to implement appropriate safeguards and maintain confidentiality in accordance with applicable laws.

The Company shall not sell personal data for independent commercial purposes without lawful authority.

XI. Data Protection Impact Assessment (DPIA)

The Company shall conduct Privacy Impact Assessments (“PIA”) or Data Protection Impact Assessments (“DPIA”), as applicable, prior to the deployment, implementation, or significant modification of systems, processes, or technologies that involve the processing of personal data and are likely to result in high risks to the rights and freedoms of data subjects. This includes, but is not limited to, systems involving CCTV surveillance, GPS tracking, employee monitoring, automated profiling, payment processing systems, and large-scale data processing operations.

The DPIA shall identify and assess potential privacy risks, evaluate the necessity and proportionality of data processing activities, and determine appropriate safeguards and mitigation measures to reduce such risks. No high-risk processing activity shall be implemented without prior review and recommendation by the DPO, and approval by the appropriate management authority.

XII. Automated Processing and Profiling

Where the Company utilizes automated processing, profiling, artificial intelligence systems, or algorithmic decision-making—such as for route optimization, fraud detection, driver performance evaluation, dynamic pricing, or risk scoring—the Company shall ensure that such processing is conducted fairly, transparently, and in accordance with applicable law.

Data subjects shall be informed of the existence of such automated processing where it significantly affects their rights or interests, and appropriate safeguards shall be implemented to prevent unjust, discriminatory, or arbitrary decisions. Where required, data subjects shall have the right to request human intervention, express their point of view, or contest decisions based solely on automated processing.

XIII. Privacy Notice and Transparency

The Company shall provide clear and accessible Privacy Notices at all points of data collection, including websites, mobile applications, terminals, offices, and vehicles. Notices shall explain the nature, purpose, and scope of data processing, including CCTV and GPS monitoring.

Cookie notices shall be implemented on digital platforms, with appropriate controls for non-essential tracking technologies.

XIV. Security of Personal Data

The Company implements appropriate organizational, physical, and technical security measures including access controls, encryption, firewalls, authentication systems, audit logs, monitoring tools, training programs, confidentiality agreements, and secure storage systems.

The Company regularly reviews and updates its security measures to address evolving risks but does not guarantee absolute protection against all threats.

XV. CCTV, GPS, and Monitoring Systems (REVISED)

The Company may utilize CCTV systems, GPS tracking devices, telematics systems, access monitoring systems, and related surveillance technologies in its offices, terminals, warehouses, parking facilities, operational areas, and vehicles for purposes including safety, security, operational monitoring, fraud prevention, incident investigation, driver management, route optimization, cargo monitoring, and compliance with transportation and regulatory requirements.

Data collected through such systems may include video recordings, timestamps, geolocation information, route histories, driving behavior data, access logs, and other related operational information.

b. CCTV Data Retention

All CCTV footage shall be retained for a minimum period of thirty (30) days, unless:

  • A longer retention period is required for investigation, legal proceedings, or compliance with applicable laws; or
  • The footage is preserved as evidence in relation to an incident, complaint, or legal claim.

After the retention period, CCTV recordings shall be securely deleted, overwritten, or otherwise disposed of in a manner that prevents unauthorized access or recovery.

c. CCTV Access and Request Procedure

Requests for access, review, or disclosure of CCTV footage by a data subject or third party shall be governed by the Data Privacy Act of 2012 and applicable National Privacy Commission (NPC) issuances.

All requests must:

  • Be made in writing through an official request letter or Company-approved request form;
  • Clearly specify the date, time, location, and purpose of the request;
  • Include valid proof of identity of the requesting party; and
  • Be subject to verification and evaluation by the Company and its Data Protection Officer.

The Company reserves the right to deny, limit, or defer access to CCTV footage where:

  • The request violates the rights and privacy of other individuals;
  • The request may compromise security or ongoing investigations;
  • The request is excessive, unreasonable, or not compliant with law; or
  • Disclosure is not permitted under the Data Privacy Act or other applicable regulations.

Approved requests shall be processed within a reasonable period in accordance with NPC guidelines and internal operational procedures.

d. Acknowledgment of Monitoring

By entering Company premises, using Company services, boarding Company vehicles, or interacting with Company systems, data subjects acknowledge that CCTV, GPS, and related monitoring systems are in operation for legitimate business, safety, and security purposes, and that such processing is conducted in accordance with the Data Privacy Act of 2012 and applicable regulations.

XVI. Data Retention and Disposal

The Company shall retain personal data only for as long as necessary to fulfill the purposes for which such data were collected, to comply with legal, regulatory, tax, accounting, labor, transportation, contractual, and operational requirements, or to establish, exercise, or defend legal claims. Retention periods may vary depending on the nature of the information, the applicable legal or regulatory requirements, and operational needs of the Company.

Upon expiration of the applicable retention period or once personal data are no longer necessary for legitimate purposes, the Company shall securely destroy, anonymize, archive, or dispose of such data using reasonable and appropriate methods designed to prevent unauthorized access, disclosure, reconstruction, or recovery.

XVII. Security Measures

The Company implements reasonable and appropriate organizational, physical, and technical security measures intended to protect personal data from accidental or unlawful destruction, alteration, disclosure, misuse, unauthorized access, or other unlawful processing. Such measures may include privacy management programs, data breach response procedures, confidentiality agreements, employee training programs, restricted access controls, role-based permissions, encryption technologies, secure storage systems, firewalls, antivirus systems, endpoint protection, multi-factor authentication, logging and audit trails, vulnerability assessments, data backup procedures, disaster recovery systems, and periodic security reviews.

The Company regularly reviews and updates its privacy and security practices to address evolving operational, technological, and cybersecurity risks. However, while the Company exerts reasonable efforts to protect personal data, no security system or electronic transmission method can be guaranteed to be completely secure, and the Company does not warrant absolute protection against all possible threats or incidents beyond its reasonable control.

XVIII. Data Breach Management

The Company maintains policies and procedures for the identification, reporting, assessment, management, and mitigation of personal data breaches. In the event of a personal data breach likely to result in a real risk to the rights and freedoms of affected data subjects, the Company shall undertake reasonable and appropriate measures to contain, investigate, assess, and address the incident, including notification to the NPC and affected data subjects within the periods and under the conditions prescribed by law. The Company reserves the right to withhold, delay, or limit notifications where legally permitted, including where disclosure may interfere with lawful investigations, security operations, or other legally protected activities.

XIX. Cross-Border Data Transfers

The Company may transfer personal data outside the Philippines where necessary for business operations, provided that appropriate safeguards are implemented to ensure a level of protection comparable to Philippine standards, including contractual clauses, confidentiality obligations, encryption, and access controls.

XX. Data Protection Training

The Company shall implement a mandatory Data Privacy and Security Training Program for all employees, officers, contractors, and relevant personnel. Such training shall be conducted upon hiring as part of onboarding requirements and shall be reinforced through regular refresher sessions conducted at least annually or as may be necessary based on updates in laws, regulations, or internal policies. Training shall cover key topics including data privacy principles, lawful processing, security best practices, data subject rights, incident reporting procedures, and confidentiality obligations. The Company shall maintain proper documentation of all training activities, including attendance records and training materials. Failure to comply with mandatory training requirements or violations of privacy policies may result in disciplinary action in accordance with Company rules and applicable law.

XXI. Employee and Personnel Responsibilities

All employees, officers, contractors, consultants, agents, and authorized personnel of the Company who process personal data are required to maintain strict confidentiality and comply with all applicable privacy, security, and information management policies of the Company. Personnel shall access personal data only to the extent necessary for authorized business purposes and shall be prohibited from unauthorized disclosure, sharing, copying, extraction, misuse, or processing of personal data. Violations of this Policy may result in disciplinary action, termination of employment or engagement, civil liability, criminal liability, and other legal consequences under applicable laws and Company policies.

XXII. Data Breach Notification

In the event of a personal data breach that is likely to result in a real risk to the rights and freedoms of data subjects, the Company shall implement appropriate measures to contain, investigate, and mitigate the breach. Where required under the Data Privacy Act and NPC regulations, the Company shall notify the National Privacy Commission and affected data subjects within seventy-two (72) hours from knowledge of or reasonable belief that a breach has occurred.

The notification shall include available information on the nature of the breach, categories of personal data involved, potential consequences, and measures taken or proposed to address the breach. The Company may withhold or delay notification where permitted by law, including situations where disclosure may hinder law enforcement investigations or compromise security.

XXIII. Cookies and Website Tracking Policy

The Company may utilize cookies, web beacons, analytics tools, and similar technologies on its websites and digital platforms to enhance user experience, ensure system security, and analyze usage patterns for operational improvement. Users shall be informed of such use through a cookie notice banner or equivalent mechanism upon access to the website or application.

Where required, users shall be provided with the option to manage or disable non-essential cookies through browser settings or platform controls. The Company shall ensure that the use of tracking technologies is consistent with applicable privacy laws and shall not collect unnecessary or excessive personal data through such means without proper legal basis.

XXIV. Data Sharing and Outsourcing Distinction

The Company distinguishes between data sharing arrangements and outsourcing or data processing arrangements in accordance with applicable NPC guidelines. Data sharing occurs when personal data is disclosed or transferred to another entity acting as an independent personal information controller for its own legitimate purposes, and shall be governed by a Data Sharing Agreement (“DSA”) that clearly defines the scope, purpose, legal basis, and responsibilities of each party.

On the other hand, outsourcing or engagement of service providers acting as personal information processors shall be governed by a Data Processing Agreement (“DPA”) or similar contractual arrangement, whereby such processors shall process personal data strictly on behalf of the Company, in accordance with its instructions, and shall be required to implement appropriate security measures and confidentiality obligations. The Company shall ensure that all third-party relationships involving personal data processing are properly documented, legally supported, and compliant with applicable data privacy regulations.

XXV. Data Subject Rights

Data subjects may exercise rights under the Data Privacy Act, including the right to be informed, access, rectification, erasure or blocking, objection, data portability, and the right to file complaints.

Requests shall be submitted through official channels, verified for identity, and processed within a reasonable period, generally not exceeding thirty (30) days. Requests may be denied where legally justified, including security risks, legal obligations, rights of others, or ongoing investigations.

XXVI. Data of Minors

The Company recognizes the importance of protecting the personal data of minors. Where personal data of minors is collected or processed, the Company shall ensure that appropriate consent is obtained from the parent or legal guardian, except where otherwise allowed under applicable law. The Company shall limit the collection and processing of minors’ personal data to what is necessary, relevant, and proportionate for legitimate business or operational purposes, particularly in relation to transportation services.

Appropriate safeguards shall be implemented to ensure that the processing of minors’ data is conducted with a heightened level of care, security, and confidentiality.

XXVII. Data Subject Request Procedure

The Company shall implement a structured procedure for the handling of Data Subject Requests (“DSR”) in accordance with the rights granted under the Data Privacy Act of 2012. All requests shall be submitted through designated official channels and shall be subject to identity verification to prevent unauthorized disclosure of personal data.

Upon receipt of a valid request, the Company shall acknowledge and process such request within a reasonable period, generally not exceeding thirty (30) calendar days, subject to complexity and volume of requests. Requests may include the exercise of rights to access, rectification, erasure or blocking, objection, and data portability.

The Company reserves the right to deny or limit requests where allowed under law, including instances where compliance would adversely affect the rights of other individuals, compromise security or ongoing investigations, or violate legal or regulatory obligations. All denials shall be properly documented, justified, and communicated to the requesting party, who may elevate concerns to the National Privacy Commission if necessary.

XXVIII. Policy Review and Amendments

The Company reserves the right to amend, revise, supplement, or modify this Policy at any time to reflect changes in operational practices, legal requirements, regulatory issuances, technological developments, security standards, or business needs. Any amendments shall take effect upon publication, posting, or dissemination through appropriate channels unless otherwise stated by the Company.

XXIX. Effectivity

This Data Privacy Policy shall take effect upon approval by management and shall remain in force until amended, replaced, or revoked in accordance with applicable law.

XXX. Policy Hierarchy Clause

In the event of any inconsistency or conflict between this Data Privacy Policy and any internal memorandum, operational guideline, departmental policy, or similar issuance, this Data Privacy Policy shall prevail. All internal policies and procedures shall be interpreted and applied in a manner consistent with this Policy, applicable laws, and regulations issued by the National Privacy Commission.