Data Privacy Manual: Privacy Impact Assessment (Pia)

Insert Logo DATA PRIVACY MANUAL
Date: Month Day Year Document No.: XXX-XXX-XXX
PRIVACY IMPACT ASSESSMENT (PIA)
i. INSTRUCTION
a. Complete this form when performing an overall privacy impact assessment of identified Program, Project,
Process, Measure, System or Technology (PPPMST). All fields must be accomplished, unless not
applicable. Provide all the necessary information or indicate “N/A” if not applicable.
i) Ensure to complete Section I: Program, Project, Process, Measure, System or Technology (PPPMST)
Summary and Section II: Threshold Analysis.
ii) If there is no personal data exposure based on your answers in Section II, no need to accomplish Sections
III-XI. Sign and submit this form (See item d below).
iii) If there is personal data exposure based on your answers in Section II, accomplish all succeeding
Sections. Sign and submit this form (See item d below).
b. Attach data flow diagram/ data map to illustrate flow of personal data in the data processing operation
covered by this privacy impact assessment (PIA).
c. To facilitate the review of the PIA, attach or email all relevant documents such, but not limited to, the following:
 Project charter
 Contract
 Presentation materials about the PPPMST
d. After completing this form, submit/ email to the following:
 Data Protection Officer (DPO) at Email
 Compliance Officer for Privacy (COP) at Email; cc DPO at Email
ii. DEFINITION OF TERMS

• Data Subject – refers to an individual whose personal, sensitive personal, or privileged information is
processed.
• De-identification of Personal Data – refers to the process of removing any personal information from a record
or data set, those information that identifies an individual, or for which there is a reasonable expectation that
the information could be used, either alone or with other information, to identify an individual.
• External Party – refers to all individuals and organizations – including, but not limited to subsidiaries, affiliates,
contractors, suppliers, vendors and service providers, that are not within the Company.
• Internal Party – includes all individuals, business units or groups that are within the Company.
• Natural Individual – a person (in legal meaning, one who has his own legal personality) that is an individual
human being, as opposed to a legal person, which may be a private (i.e., business entity or non-governmental
organization) or public (i.e., government) organization.
• Personal Data – refers to all types of personal information.
• Personal Information – refers to any information, whether recorded in a material form or not, from which the
identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the
information, or when put together with other information would directly and certainly identify an individual.
Page 1 of 17
• Personal Information Controller (PIC) – refers to a natural or juridical person, or any other body who controls
the processing of personal data, or instructs another to process personal data on its behalf. The terms
excludes (i) a natural or juridical person, or any other body, who performs such functions as instructed by
another person or organization; or (ii) a natural person who processes personal data in connection with his
personal, family, or household affairs.
• Personal Information Processor (PIP) – refers to any natural or juridical person or any other body to whom a
personal information controller may outsource or instruct the processing of personal data pertaining to a data
subject.
• PPPMST - Program, Project, Process, Measure, System or Technology
• Privacy Impact Assessment - is a process undertaken and used to evaluate and manage impacts on privacy
of a particular program, project, process, measure, system or technology product of a PIC or PIP. It takes
into account the nature of the personal data to be protected, the personal data flow, the risks to privacy and
security posed by the processing, current data privacy best practices, the cost of security implementation,
and, where applicable, the size of the organization, its resources, and the complexity of its operations.
• Sensitive Personal Information – refers to personal information about an individual’s race, ethnic origin,
marital status, age, color, and religious, philosophical or political affiliations; about an individual’s health,
education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to
have been committed by such individual, the disposal of such proceedings, or the sentence of any court in
such proceedings; issued by government agencies peculiar to an individual which includes, but is not limited
to, social security numbers, previous or current health records, licenses or its denials, suspension or
revocation, and tax returns; and specifically established by an executive order or an act of Congress to be
kept classified.
• Third Party – natural or legal person, public authority, agency or body, other than the data subject, the
controller, the processor and the persons who, under the direct authority of the controller or the processor
are authorized to process the data
• Unique Identifier – may refer to a numeric or alphanumeric string that provides the capability to uniquely
identify a wide variety of items. For example, an employee number matched with a corresponding unique
employee is considered as a unique identifier.
Page 2 of 17
I. PPPMST SUMMARY
If the following information is available in the project charter, contract, or other materials that you have submitted
together with the PIA Form, no need to fill out the table below. In each field, just indicate the reference
document(s).
PIA Reference Number
Name of Program, Project, Human Resources

Process, Measure, System or
Technology (PPPMST)
Project Manager / Department Nolly Bayran

Manager / Group Head
Date of PPPMST March 1, 2018
Objective of the PPPMST  To evaluate candidates’ qualifications for any job vacancies,
 To commence of deployment of employees,
 For performance evaluation and career development,
 To process data necessary for employment such as timekeeping and
benefits application,
 To assist loan application of employees, and
 To facilitate resignation and retirement of employees
Is this PPPMST part of No
(another/ a separate)
PPPMST?
If Yes, specify the following:

• PIA Reference
Number
• PPPMST Name
Name of outsourced party(ies) Personal Information Processors (PIPs):

and/ or third party(ies) involved  Partner Schools
in the PPPMST (if applicable)  Philippine National Bank
 Value Care Health Systems, Inc.
Data Sharing Parties

 Social Security System
 Home Development Mutual Fund
 Philippine Health Insurance Corporation
 Bureau of Internal Revenue
Internal Stakeholders (groups Human Resources group and all employees of ADI
that can affect or be affected
by the PPPMST)
Page 3 of 17
External Stakeholders (third Applicants, PIPs, and Data Sharing Parties

parties that can affect or be
affected by the PPPMST)
Page 4 of 17
II. THRESHOLD ANALYSIS

The objective of these questions is to determine whether the (PPPMST) collect, use, store, retain, disclose, and/
or dispose personal data about natural individuals. If you answered “Yes” to at least one of the questions below,
complete all succeeding Sections of this form. If you answered “No” to all of the questions below, sign and submit
this form. Mark “X” in the appropriate boxes.
Item
Question Yes No N/A Remarks
No.
1 Will the data processing involve the collection of ☒ ☐ ☐ Personal information are
personal data about natural individuals? collected from data
subject through
If Yes, answer the following regarding the personal resumes, CVs, and
data processing: application form during
 Specify the data subjects covered by this candidate’s qualification
data processing (e.g., COMPANY owners evaluation for any job
and employees, separated members/ vacancy.
employees of the COMPANY, outsourced
third party(s), former vendors/ suppliers, Further, sensitive
customers)? personal information are
 Is the personal data about individuals collected through
sensitive in nature and likely to raise privacy medical records,
concerns (e.g., health records, criminal government issues IDs,
records or other information which would be etc. for pre-employment
considered private)? record filing purposes.
2 Are you using information about individuals for a ☐ ☒ ☐

purpose it is not currently used for, or in a way it is
not currently used?
3 Will the data processing require you to contact ☐ ☒ ☐

individuals in ways which they may find intrusive?
4 Will information about individuals be disclosed to ☐ ☒ ☐

organizations or people who have not previously had
access to the information?
5 Does the data processing involve using new ☒ ☐ ☐ Fingerprint biometrics is

technology which might be perceived as being being used for
privacy intrusive (e.g., biometrics or facial timekeeping purposes
recognition, etc.)? only.
6 Will the data processing result in you making ☐ ☒ ☐

decisions or taking action against individuals in ways
which can have a significant impact on them?
Page 5 of 17
III. INVENTORY OF PERSONAL DATA

Mark “X” in the appropriate box for the personal data that the PPPMST will collect, use, store, retain, disclose, and/
or dispose. Commented [ECSA1]: Kindly update this as necessary, I just
retained the information that I got from TDI HR’s process.
Item
Personal Data Yes No
No.
1 Name X
2 Business Address X
3 Home Address X
4 Email Address – Business X
5 Email Address – Personal X
6 Telephone No. – Business X
7 Telephone No. – Home X
8 Age X
9 Date of Birth X
10 Marital Status X
11 Color, Race, or Ethnic Origin X
12 Religion X
13 Education X
14 Photo X
15 Biometrics X
16 Political Association X
17 Philosophical Beliefs X
18 Health Records (previous or current) X
19 Sexual life/ preference / practice X
20 Offence committed or alleged to have been committed, the disposal of such X
proceedings, or the sentence of any court in such proceedings
21 Document issued by government agencies peculiar to an individual: X
• Unique identifiers (e.g., TIN, UMID ID number, driver's license number,
passport number, GSIS/ SSS number, voter's registration number, etc.)
• Licenses or its denials, suspension, or revocation
• Tax returns
22 Document/ Information specifically established by an executive order or an act of X
Congress to be kept classified
23 Others (indicate below as many as will be collected, used, stored, retained, X
disclosed, and/ or disposed):
• Government and Competitive Examinations Taken
• Membership in Community Organizations
• Seminars and/or Trainings Attended
• Family Members’ Information
• Computer Operations Skills/ Competency
• Pre-employment Checklist
Page 6 of 17
IV. COLLECTION OF PERSONAL DATA

Provide your answers to all the questions below or cross-refer to relevant document(s) and include as
attachment to this form. Indicate “N/A” for the fields that are not applicable. Do not leave any item blank.
Item Question Answer
No.
1 From whom will the personal information and/ Human Resources team collects the personal
or sensitive personal information be collected? information and sensitive personal information
through subject data themselves (applicants and
Is the collection of personal data made directly employees).
from the individual or from other sources?
Specify sources of collection (direct and

indirect).
2 Who collected or will be collecting the personal Human Resources team collects the personal
information and/ or sensitive personal information and sensitive personal information of
information? both applicants and employees.
3 How will the personal information/ sensitive Personal information and sensitive personal
personal information be collected? information are collected through resume, CV, and
application form.
4 What is the purpose of collecting the personal Personal information and sensitive personal
information/ sensitive personal information? information are used for overall evaluation of job
applicant’s qualifications, as well as maintaining
Notes: and updating current employee’s 201 records.
• Purpose must not be contrary to law,
morals, or public policy.
• The collection of personal data must be for
a declared, specified, and legitimate
purpose.
• Collection of personal data should be
adequate, relevant, suitable, necessary, and
not excessive in relation to a declared and
specified purpose.
For collection of personal data authorized by a

specific law or regulation, specify the
applicable law or regulation.
5 Is consent obtained? If yes, in what manner? No, privacy notice is not indicated in the
“application form”.
Notes:
• There must be express consent from the
individual.
• Consent should be time-bound in relation to
the declared, specified, and legitimate
purpose.
Page 7 of 17

No.
6 Are the data subjects made aware of the Yes, a “declaration clause” is present in the
nature, purpose, and extent of the processing application form stating that the candidate
of their personal data, including the risks and authorizes TDI HRDD to make verifications if
safeguards involved in the processing of their necessary on the information he/she furnished and
personal data? that any misrepresentation, misinformation and/or
material omission made in relation with this
Describe how they were made aware. application for employment would render him/her
undesirable and enough basis for the immediate
termination of his/her employment in the event that
he/she was hired. Commented [ECSA2]: Kindly update this once you’ve received
7 Are the data subjects made aware of their No, privacy notice is not indicated in the their application form.
rights as data subjects and how these can be “application form”.
exercised?
Describe how they were made aware.
Is there a process in which Company can

serve the rights of the Data Subjects?
The rights of data subjects are as follows:

 Right to be informed
 Right to object
 Right to access
 Right to correct
 Right for erasure or blocking
 Right to file a complaint
 Right to damages
• Right to data portability
Describe briefly or indicate reference

document(s).
8 Are the data subjects aware of the identity of No, identity and contact information of PIC and
the Personal Information Controller (PIC) or DPO are not indicated in the “application form”.
the Personal Information Processor (PIP)?
Are the data subjects provided information

about on how to contact <the Company’s>
Data Protection Officer (DPO) or Compliance
Officer for Privacy (COP)?
If yes to any of the questions above, describe

how the data subjects were/ will be made
aware.
Page 8 of 17

No.
9 Are the personal data anonymized or de- No, collection of information attributes specifically
identified? to an individual.
V. STORAGE OF PERSONAL DATA
Item
Question Answer
No.
1 Where is the personal data currently being Collected personal data are being stored in
stored or where will it be stored? cabinets located in HR stockroom.
2 Is it being stored or will it be stored in other No, personal data is and will not be stored in other
countries? If yes, specify. countries.
3 Is the storage of personal data being or will be No, storage of personal data is and will not be
outsourced? outsourced.
If yes, specify to whom.
4 Is there a contract/ agreement with the N/A

outsourced party with the appropriate DPA
provisions?
Provide copy or indicate reference

document(s).
VI. USAGE OF PERSONAL DATA

Item
Question Answer
No.
1 What is the purpose of the personal data HR processes personal data for evaluation of
processing? candidate’s qualifications for any job vacancy, as
well as maintaining and updating current
Notes: employee’s 201 records.
• Purpose must not be contrary to law,
morals, or public policy.
• The processing of personal data must be
for a declared, specified, and legitimate
purpose.
• Processing of personal data should be
adequate, relevant, suitable, necessary,
Page 9 of 17
and not excessive in relation to a declared

and specified purpose.
For processing of personal data authorized by

a specific law or regulation, specify the
applicable law or regulation.
2 How will the accuracy and completeness of Employees fills out the HR Personal Data Sheet
the personal data be maintained? should there any changes in their personal
information such as marital status, number of
dependents, etc.
3 Who is responsible for granting access to the Human Resource team is responsible for granting
personal data and keeping it up-to-date? access to the personal data and keeping them up-
to-date.
4 What is the process for withdrawing access N/A
rights when access is no longer needed (e.g.,
if an employee leaves Company or moves to
another role for which access is no longer
required)?
VII. RETENTION OF PERSONAL DATA

Item
Question Answer
No.
1 How long are the personal data being Data retention and disposal policies and
retained? procedures are currently not in place.
2 What is the basis of the retention period? N/A
VIII. DISCLOSURE/ SHARING OF PERSONAL DATA

Provide your answers to all the questions below or cross-refer to relevant document(s) and include as attachment
to this form. Indicate “N/A” for the fields that are not applicable. Do not leave any item blank.
Item
Question Answer
No.
1 Will the personal data be disclosed/ shared No, personal data of applicants and employees will
with internal and/ or external parties? not be disclosed/shared with internal and/or
external parties.
If yes, answer the questions below.
2 What personal data are being transferred? N/A
Page 10 of 17
Item
Question Answer
No.
3 To whom are the personal data being N/A
disclosed to or shared with (internal and/ or
external)?
4 Why are the personal data being disclosed to/ N/A

shared with internal and/ or external parties?
5 Will the personal data be used or disclosed to N/A

internal and/ or external parties only for
legitimate purposes (as specified in the
consent form, contract/ agreement, etc.)?
6 Is there a contract/ data sharing agreement N/A

(with the appropriate DPA provisions) with the
outside party, to whom personal data will be
disclosed/ shared with?

document(s).
IX. DISPOSAL/ DESTRUCTION OF PERSONAL DATA

Item
Question Answer
No.
1 How will the personal data be disposed of? There is no retention period for electronic and
physical files. However, physical files are shredded
once job candidate has been rejected or employee
has already resigned.
2 Who will facilitate the destruction of the Human resource team facilitates the destruction of
personal data? the personal data.
If a third party is involved, specify the name.
3 Is there a contract/ agreement with the third N/A

party with the appropriate DPA provisions?

document(s).
4 Are there protocols/ procedures to prevent No, data retention and disposal policies and
accidental or unauthorized destruction of files procedures are currently not in place.
generated by the data processing operation?
Page 11 of 17
If yes, briefly describe
5 Will the data processing take reasonable Yes, though data retention and disposal policies
steps to destroy or de-identify personal data if and procedures are currently not in place, physical
they are no longer needed for any purpose? files are shredded once job candidate has been
rejected or employee has already resigned.
Briefly describe.
X. DATA SECURITY
Provide your answers to all the questions below or cross-refer to relevant document(s) and include as attachment to
this form. Indicate “N/A” for the fields that are not applicable. Do not leave any item blank.
Item
Question Answer
No.
1 Have you consulted IT and/ or Information N/A, HR manually processes the information.
Security Office regarding the PPPMST?
Things to consider (not limited to the

following):
• Regular testing and assessment of the
effectiveness of the information security
measures of the data processing
• Encryption of personal data while in transit
or at rest
• Interdependencies with other systems/
processes
• Security measures in place to ensure safe
transfer of personal data and prevent further
transfer or unauthorized transfer of personal
data
If No, justify why no consultation was

performed.
2 Has IT/ Information Security Office cleared N/A

your PPPMST from an information security
perspective?
Attach relevant document(s) (e.g., list of

security controls to be complied with, status,
proof of Information Security Office clearance,
etc.).
3 Who has physical and/or logical access to the Anyone from the Human Resources group has a
personal data? physical access to the personal data.
Page 12 of 17
Item
Question Answer
No.
Identify, including access rights provided.
4 Are there protocols/ procedures to administer, Retention and disposal policy and procedures not
monitor and limit the physical and/or logical in place.
personal data access related to this
PPPMST?
Briefly describe. If applicable, provide copy or

indicate reference document(s).
5 Are the duties and responsibilities of the Duties and responsibilities of personnels involved
individuals, who will handle the processing of in personal data processing is not documented.
personal data, clearly defined and
documented?
Briefly describe.
6 Are the users/ staff, who will process personal Yes, Non-disclosure agreement (NDA) are being
data, under strict confidentiality if the personal signed by all personnel from Human Resources
data are not intended for public disclosure? Group upon contract signing.
7 Are there protocols/ procedures to restore the No, retention and disposal policy and procedures
availability of personal data and/ or access to are not in place.
personal data when an incident happens?
Describe briefly. If applicable, provide copy or

8 Has the PPPMST taken reasonable steps to Data privacy policies and procedures are not in
protect the personal data it holds from misuse, place.
loss, and from unauthorized access,
modification or disclosure?
Specify the controls in place or will be

implemented. If applicable, provide copy or
9 Is it possible to extract a personal profile Data sharing policies and procedures are not in
should there be a request to do so? place.
Briefly describe.
10 Will this data processing operation utilize No servers will be utilized as Human Resources
servers? group manually processes the personal
information.
Page 13 of 17
Item
Question Answer
No.
Where are the servers housed (e.g.,
Philippines, US, etc.)?
11 Will the PPPMST transfer personal data to an No, personal data will not be transferred to an
organization or person outside of the organization or person outside of the Philippines.
Philippines?
If Yes, indicate where and answer the

questions below.
12 What is the purpose of the transfer (e.g., N/A

storage, additional access requirements,
etc.)?
13 Has the Company taken reasonable steps N/A

so that the personal data transferred will be
held, used, and disclosed consistently with
the DPA?
Describe briefly.
14 Is the recipient subject to laws or a contract N/A

enforcing information handling principles
substantially similar to the DPA?
Page 14 of 17
XI. PRIVACY RISK ASSESSMENT

Identify data privacy risks related to the potential incident which will result in harm or danger to a data subject (whether employees or third parties) and/ or the
Company. Data privacy risks could lead to the unauthorized collection, use, disclosure or access of personal data. These include risks that the confidentiality,
integrity and availability of personal data will not be maintained, or that processing will violate the rights of data subjects and/or the privacy principles
(transparency, legitimacy and proportionality). Consequently, the data privacy risks may negatively impact the Company’s reputation and may result to
operational risk (e.g., downtime) and financial risk (e.g., losses).
A. Privacy Risk Map
High
(Frequent occurrence or there is a
strong possibility that it may occur.
Moderate High High
High leakage potential or non-
compliance with required
organization-wide controls.)
Likelihood
Moderate
(Casual occurrence or it might
happen at some time since the Low Moderate High
threat source is not significantly
motivated)
Low
(Not expected but there is a slight
possibility it may occur at some Low Low Moderate
time and inaction will result to
eventual data leakage.)
High
(All or majority of data subjects will
Low
Moderate be affected or may encounter that
(A small minority of data subjects
(A subset of data subjects will be could result to discrimination,
will be affected or may encounter a
affected or may encounter identity theft or fraud, reputational
few minor and acceptable
significant inconveniences.) damage public shaming, or any
inconveniences)
other significant economic or social
disadvantage)
Impact
Page 15 of 17
B. Risk Summary
Summarize your risk assessment in the table below using the criteria in Item XI-A. Use the privacy risk map to grade the risk(s) found during PIA. To get the
risk rating: Risk = Impact x Likelihood.
Current State Risk(i) Residual Risk(ii)

Risk Description Risk Treatment Plan
(High, Moderate, Low) (High, Moderate, Low)
Litigation or Complaint Absence of privacy notice High Incorporate privacy notice in the Low
from the data subject. in the application form. application form.
Identity Theft, Identity Data retention and High Establish data retention and disposal Low
Fraud or Hacking disposal policies and policies and procedures for electronic
procedures are not in and physical records.
place.
Incomplete and/or Absence of privacy notice High Incorporate privacy notice in the Low
inaccurate personal in the personal information personal information form (PIF).
information form (PIF) in Human
Resources group‘s bi-
annual program to update
employees’ personal
information.
<Add additional rows as

necessary>
(i) Considering existing controls/ mitigating measures that are already implemented.
(ii) Considering planned controls/ mitigating measures that will be implemented.
Page 16 of 17
XII. SUMMARY OF ACTION ITEMS

The table below shall be accomplished by the DPO and/ or COP, and/ or relevant subject matter resources
(SMRs).
Status
Target (Completed; Work
Ref# Recommended action item(s) Responsible
Completion in Progress; Not
yet Started)
1
2
3
4
5 <Add additional rows as necessary>
Prepared by: Date:
<Signature Over Printed Name>

Reviewed by: Date:
<Data Protection Officer/ Compliance Officer for Privacy>

Approved by: Date:
<Project Manager/ Group Head>

Page 17 of 17

Data Privacy Manual: Privacy Impact Assessment (Pia)

Uploaded by

Copyright:

Available Formats

Data Privacy Manual: Privacy Impact Assessment (Pia)

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Data Privacy Manual: Privacy Impact Assessment (Pia)

Uploaded by

Copyright:

Available Formats

Insert Logo DATA PRIVACY MANUAL

Date: Month Day Year Document No.: XXX-XXX-XXX

PRIVACY IMPACT ASSESSMENT (PIA)

ii. DEFINITION OF TERMS

Date: Month Day Year Document No.: XXX-XXX-XXX

PRIVACY IMPACT ASSESSMENT (PIA)

Date: Month Day Year Document No.: XXX-XXX-XXX

PRIVACY IMPACT ASSESSMENT (PIA)

PIA Reference Number

Name of Program, Project, Human Resources

Project Manager / Department Nolly Bayran

Date of PPPMST March 1, 2018

If Yes, specify the following:

Name of outsourced party(ies) Personal Information Processors (PIPs):

Data Sharing Parties

Date: Month Day Year Document No.: XXX-XXX-XXX

PRIVACY IMPACT ASSESSMENT (PIA)

External Stakeholders (third Applicants, PIPs, and Data Sharing Parties

Date: Month Day Year Document No.: XXX-XXX-XXX

PRIVACY IMPACT ASSESSMENT (PIA)

II. THRESHOLD ANALYSIS

2 Are you using information about individuals for a ☐ ☒ ☐

3 Will the data processing require you to contact ☐ ☒ ☐

4 Will information about individuals be disclosed to ☐ ☒ ☐

5 Does the data processing involve using new ☒ ☐ ☐ Fingerprint biometrics is

6 Will the data processing result in you making ☐ ☒ ☐

Date: Month Day Year Document No.: XXX-XXX-XXX

PRIVACY IMPACT ASSESSMENT (PIA)

III. INVENTORY OF PERSONAL DATA

Date: Month Day Year Document No.: XXX-XXX-XXX

PRIVACY IMPACT ASSESSMENT (PIA)

IV. COLLECTION OF PERSONAL DATA

Specify sources of collection (direct and

For collection of personal data authorized by a

Date: Month Day Year Document No.: XXX-XXX-XXX

PRIVACY IMPACT ASSESSMENT (PIA)

Item Question Answer

Describe how they were made aware.

Is there a process in which Company can

The rights of data subjects are as follows:

Describe briefly or indicate reference

Are the data subjects provided information

If yes to any of the questions above, describe

Date: Month Day Year Document No.: XXX-XXX-XXX

PRIVACY IMPACT ASSESSMENT (PIA)

Item Question Answer

If yes, specify to whom.

4 Is there a contract/ agreement with the N/A

Provide copy or indicate reference

VI. USAGE OF PERSONAL DATA

Date: Month Day Year Document No.: XXX-XXX-XXX

PRIVACY IMPACT ASSESSMENT (PIA)

and not excessive in relation to a declared

For processing of personal data authorized by

VII. RETENTION OF PERSONAL DATA

2 What is the basis of the retention period? N/A

VIII. DISCLOSURE/ SHARING OF PERSONAL DATA

2 What personal data are being transferred? N/A

Date: Month Day Year Document No.: XXX-XXX-XXX