Metro Retail Logo

Privacy Notice

Personal Data Collected and Manner of Collection

We collect the following personal data from you when you manually or electronically submit to us your inquiries or requests:

  • Name
  • Email Address
  • Address
  • Mobile and Landline Number

Basis, Use, and Purpose for Processing of Personal Data

You hereby authorize MRSGI, its affiliates, subsidiaries, related parties and agents, to collect, use and process your personal data.

In these instances, your personal data is utilized for the following purposes:

  1. To register your online account and fulfill your purchase/s in the ShopMetro Shopping Portal;
  2. To notify and update you of your online account status, including complimentary, commercial, and promotional advertisements, loyalty and reward offers, exclusive invites, discounts, surveys, and other marketing and promotional offers that MRSGI, its affiliates, subsidiaries, related parties, and agents may deem relevant and beneficial to their customers;
  3. Respond to your inquiries;
  4. Provide information about our products and services;
  5. To conduct data analyses, research, demographics, surveys, and customer relationship management;
  6. Improve our website and services;
  7. To comply with the legal and regulatory obligations and requirements of the government to which MRSGI is subject; and
  8. For any other purpose/s in connection with the foregoing and/or related to my purchase/s in the ShopMetro Shopping Portal.

Methods Utilized for Automated Access

MRSGI uses Google Analytics, a third-party service, to analyze our web traffic data, help us determine our website’s engagement, and improve our website services and features. This service uses cookies. Data generated is not shared with any other party.

The following web traffic data are processed for this purpose:

  • Most viewed products
  • Most visited store
  • Geolocation
  • The referring site or platform (if any) through which you accessed this site
  • Web browser type

Disclosure of Personal Data

Personal data processed by the MRSGI is not shared with any other party unless such disclosure is allowed under Section 12, 13 or 14 of the DPA.

We do not share your personal data with third parties except:

  • When required by law
  • With service providers who assist us in operating our website and conducting our business, subject to confidentiality agreements

Risks Involved

Risk refers to the potential of an incident to result in harm or danger to a data subject or organization. Risks may lead to the unauthorized collection, use, disclosure, or access to personal data. It includes risks involving the confidentiality, integrity, and availability of personal data or the risk that processing will violate the general data privacy principles and the rights of data subjects.

MRSGI ensures that adequate physical, technical, and organizational security measures are in place to protect personal information’s confidentiality, integrity, and availability. However, this does not guarantee absolute protection against certain risks involving the processing of personal data, such as when systems are exposed to targeted cyberattacks, malware, ransomware, and computer viruses or when manual records are accessed without authority.

However, adequate policies are in place to ensure appropriate security incident management in line with existing NPC policies, circulars, and other issuances.

Data Protection and Security Measures

We safeguard the confidentiality, integrity, and availability of your personal information by maintaining a combination of organizational, physical, and technical security measures based on generally accepted data privacy and information security standards. Among the measures we implement are the following:

  • Policies on access control in both digital and physical infrastructures to prevent unauthorized access to personal information.
  • Acceptable use policies
  • End-to-end encryption and data classification whenever suitable.
  • Security measures against natural disasters, power disturbances, external access, and similar threats.
  • Technical measures to protect our computers and databases against accidental, unlawful, or unauthorized usage, interference, or access.

Storage and Retention

We store files containing personal information in our computers and servers, which are kept in a secure environment. We may also store your personal information with cloud-based third-party data storage providers. We shall ensure that proper measures are adopted to protect your information.

Personal data shall be stored in a database for 10 years after inquiries and requests are acted upon. After which, records shall be disposed of securely.

Other categories of data may be kept longer than 10 years when its retention period is determined by other relevant laws and regulations.

Disposal

You may ask us to delete or remove your Personal Data by filling up the form located at My Account > Account Deactivation. We may reach out to you via e-mail or phone within 3 business days of submitting the request. It may take up to 30 days from the beginning of the deletion process to properly delete your account and personal data associated with it.

Physical records shall be disposed of through shredding, while digital files shall be anonymized. In all instances, our manner of disposal shall ensure that the personal information shall no longer be retrieved, processed, or accessed by unauthorized persons.

Rights of a Data Subject

Under the DPA, you have the right to be informed regarding processing the personal information we hold about you.

Further, you may be entitled to request:

  • Access to personal data we process about you. It is your right to obtain confirmation on whether or not data relating to you are being processed;
  • Rectification of your personal data. This is your right to have your personal data corrected if it is inaccurate or incomplete;
  • Erasure or order blocking of your personal data whenever warranted;
  • The right to object if the personal data processing involved is based on consent or on legitimate interest;
  • The right to data portability through which you may obtain and electronically move, copy, or transfer your data securely for further use.

You may claim compensation if you believe you suffered damages due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal data or for violating your rights and freedoms as a data subject.

Suppose you think that your personal information has been misused, maliciously disclosed, or improperly disposed of or that your data privacy rights have been violated. In that case, you have a right to file a complaint with the NPC.

Changes to the Privacy Notice

MRSGI reserves the right to update or revise this privacy notice at any time and will provide a new privacy notice whenever there are substantial changes. Prior versions of the privacy notice shall be retained and shall be provided to data subjects upon request.

Feedback on our Privacy Notice

Suppose you have suggestions or comments regarding our privacy statement and notice or for any issues concerning MRSGI’s data privacy practices. In that case, you may reach us through our email at mrsgi.dpo@metroretail.ph.