DITO TELECOMMUNITY CORPORATION

DATA PRIVACY STATEMENT FOR DISTRIBUTORS, VENDORS, AND AGENTS

Last updated on 2 September 2020

Your privacy is important to us, which is why DITO Telecommunity Corporation (“DITO,” “We,” “us,” or
“our”) developed and established the appropriate security measures to protect your Personal Data. Our
commitment to your privacy is consistent with the principles of the Data Privacy Act of 2012, its
Implementing Rules and Regulations, and the relevant issuances of the National Privacy Commission
(“DPA”).

As a distributor, vendor, or agent of DITO, it is necessary for us to collect and process your Personal Data
for the purposes stated in this Data Privacy Statement for Distributors, Vendors, and Agents (“Privacy
Statement”). In line with DITO’s commitment to transparency, DITO processes and protects your
Personal Data only in accordance with what is indicated in this Privacy Statement.

I. What does DITO do?

DITO is a major telecommunications provider in the Philippines. It offers and will offer a variety of
telecommunications services to consumers, including services related to mobile telephony and the
internet of things.

II. What are the types of Personal Data that DITO collects and processes?

DITO will collect and process both personal and sensitive personal information. For the purposes of this
Privacy Statement, these shall be collectively referred to as “Personal Data.” The following are the
categories of Personal Data that DITO collects and processes:

• Personal Details (for individual distributors and legal representatives): full name (first name and last
name), region, address, mobile number, other available contact numbers

• Government-Issued Identification and Records: certificate or ID type (e.g. passport, driver’s license)
and certificate or ID number, Tax Identification Number (for individual distributors), SEC, DTI, and
BIR registration, business permits, mayor’s permits, and other government-issued ID numbers
presented and uploaded as proof of identity

• Business or Trade Information of the Distributor: company name, company profile, owners and
officers of the company, customers or outlets of distributor, channel category (i.e. general trade,
modern trade, device retail trade), channel type (e.g. if the channel category is general trade, then
the channel types would be distributors, retailers, and direct sales agents), level (i.e. distributor,
dealer, or retailer), role, location, person-in-charge, trade type (e.g. convenience store,
supermarket), partner category (i.e. whether an individual partner or a representative of a
company), channel name (company name), channel code (this is automatically assigned by DITO’s
systems to serve as a unique
 identifier), distributor business registration number, distributor status (e.g. whether the distributor
is still being engaged by DITO or not), reason for suspension (if applicable), tax code, business scope
(e.g. what business or service a distributor, vendor, or agent can do on behalf of DITO), and business
rating

• Bank account information: bank name, branch name, bank account owner’s name, and bank code

• DITO system-related information: system access credentials, operating record or log, log-in record
or log, log-out record or log, IP address and device number of device used to access DITO systems,
MAC address of company-issued devices, and facial features for facial recognition

• Closed-Circuit Television Camera Footage within DITO’s premises: identity, actions, and
whereabouts

III. How does DITO collect your Personal Data?

We collect your Personal Data from any documents or communications that you may have directly
submitted to us, from publicly available information, or from third parties.

Once you become a distributor, vendor, or agent of DITO, you will be referred to in many documents
and records that are produced by you and by DITO’s employees in the course of carrying out the
business of DITO. Your Personal Data that is relevant to your role in DITO, including your participation in
events and activities, may be made public through different media, such as newsletters and social media
accounts.

You may inform us of the specific Personal Data that you do not want to be processed beyond the
purposes specified in the Privacy Statement. We will respect your request in so far as it is still feasible to
fulfill the purposes for which your Personal Data was collected.

Where you have provided us with the Personal Data of individuals other than yourself, you warrant that
you have obtained their consent for the disclosure in accordance with the DPA. Your Personal Data shall
be collected, organized, stored, updated, retrieved, used, consolidated, or destroyed in line with the
purposes for processing set out below.

IV. How does DITO process your Personal Data?

Your Personal Data may be processed both by way of computer media and on paper, in compliance with
the rules in relation to data protection and data security. Your Personal Data shall be collected,
organized, stored, updated, retrieved, used, consolidated, or destroyed in line with the purposes for
processing set out below.

V. Why does DITO process your Personal Data?

Your Personal Data shall be processed for the following purposes:

a. To facilitate the screening, vetting, selection, and accreditation of distributors, agents, and/or
vendors;
b. To serve as reference for the preparation and delivery of documents necessary for the
accomplishment of the distributor, agent, and/or vendor selection and accreditation process;
c. To encode and upload distributor and/or vendor information to facilitate access into the
appropriate information technology systems as used by DITO, including the Distributor Sales
Channel Management system as well as the distributor and/or vendor-specific apps;
d. To facilitate all necessary transactions between DITO and the distributor, vendor, and/or agent;
e. To view and manage distributor, vendor, and/or agent information, as well as to manage the
relationship between DITO and the distributor, vendor, and/or agent through the monitoring of
deliverables and the other performance obligations;
f. To record and manage all purchases made through and for vendors and distributors;
g. To facilitate the auditing of all transactions entered by the distributors and vendors;
h. To manage requests for the allocation of the appropriate sales resources;
i. To facilitate e-load transactions when applicable, including making requests for e-load and
recharging of e-load;
j. To manage and facilitate the sale of value-added services;
k. To manage and facilitate the sale of reload cards;
l. To process and manage payments to distributors, vendors, and agents through their nominated
bank accounts;
m. To facilitate all transactions entered by distributors, vendors, and/or agents with customers or
subscribers on behalf of DITO;
n. To enable DITO to exercise sound corporate governance over its operations, ensure risks arising
from such operations are identified, measured, managed, and mitigated, and enhance risk
assessment and prevent fraud;
o. To comply with statutory and regulatory requirements, including directives, issuances by or
obligations of DITO to any competent authority, regulator, supervisory body, enforcement agency,
exchange, court, quasi-judicial body, or tribunal;
p. To establish, exercise, or defend legal claims; and
q. To fulfill any other purposes directly related to the above-stated purposes.

DITO will not process the personal information of its distributors, vendors, and agents, in ways
incompatible with the above-stated purposes.

VI. Who is the Personal Information Controller?

DITO is the Personal Information Controller under the DPA, which means that it determines the
purposes for which the Personal Data it holds will be used for. It may also be that your Personal Data is
disclosed to third parties pursuant to a data sharing agreement. In which case, such third parties are also
the personal information controllers of your Personal Data.

VII. To whom does DITO disclose your Personal Data?

Your Personal Data may be disclosed to third parties for the following purposes:

a. To respond to law enforcement authority or other government regulatory bodies’ requests;

b. To create and maintain your account and Personal Data on DITO’s management support system,
business support system, operations support system, Distributor Sales Channel Management
system, and other relevant information technology systems;
c. To generate insights on how DITO’s systems are used, with such data being used for further
streamlining and improvement of the systems;
d. To prevent physical harm or financial loss;
e. To conduct audits, including operational, risk, compliance, financial, and anti-fraud, and corruption
audits, and/or investigate a Complaint or security threat;
f. To comply with DITO’s business and management responsibilities and policies, which are necessary
for the continued operations of DITO;
g. To comply with statutory requirements;
h. To establish, exercise, or defend legal claims; and
i. To fulfill any other purposes directly related to the above-stated purposes.

To verify the accuracy of the Personal Data you provided, DITO (or its authorized representatives and/or
service providers) will conduct background checks, which will include verification with third parties,
where applicable. You expressly authorize DITO (or its authorized representatives and/or service
providers) to verify such information and procure copies of relevant records and documents from these
third parties.

When the processing of your Personal Data is outsourced by DITO to a third party, the processing will be
subject to written agreements between DITO and the third parties processing the data. These written
agreements specify the rights and obligations of each party and will provide that the third party has
adequate security measures in place and will only process your personal information on the specific
written instructions of DITO.

DITO may also transfer your personal information to third parties as required by law or legal instrument,
to protect DITO’s rights or assets and in emergencies where the health or safety of a person is endangered.

DITO will not sell, rent, share, trade, or disclose any of your personal data to any other party without
your prior written consent, with the exception of any third-party service providers that DITO has
engaged, whose services necessarily require the processing of your personal data.

The following are the third parties to whom your personal data may be shared or disclosed:

a. Background investigators
b. Regulatory bodies/agencies and other legal bodies
c. Banks
d. Information technology services providers
e. Suppliers
f. External auditors
g. External counsel

VIII. DATA RETENTION

Your personal data will be retained or stored for as long as the purposes for which they are being
processed have not been satisfied. DITO will retain and use your personal information as necessary to
comply with its legal obligations, resolve disputes, and enforce its agreements:
1. Hardcopies of the forms you have submitted, as well as all records that shall be relevant to your
application to DITO, may be stored in DITO’s premises in a secure cabinet.
2. Forms and documents that contain your Personal Data will be digitized and stored and maintained
on DITO’s database hosted by a secure cloud provider. Forms, documents, and information
submitted electronically shall be maintained by the same provider or in DITO’s servers.
3. DITO shall ensure, using contractual and other reasonable means, that the third-party service
providers implement proper safeguards to ensure the confidentiality, integrity and availability of the
personal data processed, prevent its use for unauthorized purposes, and comply with the
requirements of the DPA, its Implementing Rules and Regulations, and other applicable laws for
processing of personal data, and other issuances of the National Privacy Commission.

IX. How does DITO protect your Personal Data?

Consistent with DITO’s commitment to the protection of your Personal Data, DITO has put in place
physical, technical, and organizational security measures designed to prevent unauthorized access, to
maintain data security, and to use the Personal Data DITO processes correctly. These safeguards vary
based on the sensitivity of the Personal Data that we collect and store.

X. What are your rights regarding your Personal Data?

As a data subject, you have certain rights under the DPA. You may exercise the following rights to your
discretion:

1. The right to access Personal Data

Under the DPA, it is possible for individuals to request access to any of their Personal Data
held by DITO, subject to certain restrictions. A request for disclosure of such information is
called a subject access request. Any such requests should be addressed to DITO’s Data
Protection Officer through the contact information below.

2. The right to make corrections to Personal Data

The DPA requires DITO to take reasonable steps to ensure that any Personal Data it
processes is accurate and updated. It is your responsibility to inform DITO of any changes to
the Personal Data that you have supplied to us during your relationship with DITO.

3. The right to object to the processing of Personal Data

You have the right to object to the processing of your Personal Data. You shall also be
notified and be given an opportunity to withhold consent to the processing in case of
changes or any amendment to the information made known to you in this Privacy
Statement.

Please note that some of the Personal Data you have provided to us is necessary for us to
comply with statutory and regulatory requirements, as well as DITO’s administrative
policies. Hence, the collection and processing of these pieces of Personal Data is
mandatory. Withholding your consent to the processing of certain pieces of Personal Data
may prevent DITO from processing your job application.

4. The right to erasure or blocking of Personal Data

 You have the right to suspend, withdraw or order the blocking, removal, or destruction of
your Personal Data from our filing system. However, the exercise of this right is subject to
certain conditions as specified by the DPA.

5. The right to be informed of the existence of processing of your Personal Data

You have the right to be informed whether Personal Data pertaining to you shall be, is
being, or have been processed, including the existence of automated decision-making and
profiling.

6. The right to damages

Upon presentation of a valid decision, DITO recognizes your right to be indemnified for any
damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or
unauthorized use of your Personal Data, taking into account any violation of your rights and
freedoms as a data subject.

7. The right to lodge a complaint before the National Privacy Commission

XI. How will you be informed of any changes to this Privacy Statement?

This Privacy Statement may be updated from time to time. The data subject will be notified through the
appropriate portal or app should there be any amendments or changes to this Privacy Statement.

XII. How can you contact DITO if you have questions about this Privacy Statement?

In case you have questions, concerns, or complaints regarding the processing of your Personal Data, you
may address them to DITO’s Data Protection Officer:

Addressed to: The Data Protection Officer

Office address: 11th Floor, Udenna Tower, Rizal Drive cor. 4th Avenue
Bonifacio Global City, Taguig City
Email address: dataprivacy@dito.ph
Phone Number: 7976-6888

XIII. For how long shall your consent be valid?

Once you agree to the processing of your Personal Data according to the terms of this Privacy
Statement, your consent and authorization shall remain valid and subsisting for a limited period
consistent with the purposes stated above or until otherwise revoked or cancelled in writing in
accordance with the DPA.

Signature: ________________________________