Privacy Statement

DITO TELECOMMUNITY CORPORATION

Last updated 22 February 2021

  1. What is DITO's privacy promise to you?

    1. Why are we making a promise?

      As a telecommunications company, DITO Telecommunity Corporation ("DITO," "we," "us," or "our") provides a public service. Therefore, everything we do must benefit you.

      We can provide and improve our products and services for and to you if we understand you better. To do that, we may ask you to sign in to some of our products and services. Doing so gives us some of your data, which we promise to use in two (2) main ways:

      1. Create a more personal and relevant DITO for you.

        Your personal data will help make DITO more personal for you. A more personal DITO means being able to:

        • let you know about things that we think you will like;

        • give you content that is relevant to your preferences; and

        • ensure you can use things that are appropriate for your age.

      2. Provide a better DITO for everyone.

        As a provider of public service, we need to make sure that you get the best out of the products and services we provide. It helps to understand who you are and why you are using these products and services so that we can:

        • make sure that you have a great experience with DITO; and

        • know more about what you love so we can make more of the things you love.

      By giving us a bit of your data, you are helping us achieve these things. We assure you that we will keep your personal data safe and secure while we do these things.

    2. What does our privacy promise say?

      Our privacy promise to you talks about how we treat your personal data and how we give you control as to what happens to it. Our privacy promise rests on three (3) principles, namely:

      1. Transparency

        We will always explain what personal data we are collecting from and about you and why. Generally, we will only use and process the personal data we need to:

        • improve our products and services;

        • make your experience with DITO better; and

        • fulfill our legal obligations.

      2. Choice

        Because we will be needing some of your personal data to ensure that we can provide our products and services to you, we will help you make informed decisions about your personal data here.

      3. Trust

        Your trust is important to us, so we promise to keep your personal data safe and secure. Except when required by law or where you have given your clear and explicit consent, we promise to never sell your personal data to anyone and to use it only for purposes that we will identify in our privacy statement.

      You can find out more about why we are processing your personal data here.

  2. What does DITO do?

    We are a major telecommunications provider in the Philippines. We offer and will be offering a variety of telecommunications services to you, including services related to mobile telephony and the internet of things.

  3. What is the purpose and scope of our privacy statement?

    At DITO, we understand that your personal data is very important. To make sure that you understand what we do with your personal data, we made this privacy statement to explain to you the details in a simple and transparent way. We made sure that this would be consistent with the principles of the Data Privacy Act of 2012, its Implementing Rules and Regulations, and the relevant issuances of the National Privacy Commission ("DPA").

    This privacy statement applies to:

    • All past, present, and prospective subscribers or customers of DITO who are individuals. This includes one-person businesses, legal representatives, or contact persons acting on behalf of our corporate customers; and

    • Non-DITO Subscribers. These could include anyone that visits a DITO website, channel, branch, or office, as there may be transactions with non-DITO subscribers that may need personal data.

  4. What are the types of your personal data that we process?

    Personal data refers to information that identifies or can be linked to you, a natural person. The personal data that we process includes:

    1. Identification data, such as name, gender, salutation, date and place of birth, ID type and number, tax identification number, customer segment, nationality, email address, home address, province, city or municipality, district, ZIP code, mobile and telephone number, and specimen signature;

    2. Employment data, such as company name or employer, office address, province, city or municipality, district, ZIP code, office telephone number, occupation, job title, position, and years in employment;

    3. Financial data, such as proofs of billing and other proofs of financial capacity;

    4. Transaction data, such as preferred billing address, subscription type (whether prepaid or postpaid), and plan type;

    5. Service data, such as details of calls, SMS, and data usage;

    6. Network data, such as your network performance experience, diagnostic information, signal strength, dropped calls, data failures, and other network performance issues;

    7. Device data, such as the IP address of your mobile device or the computer you use, the IMEI of your mobile device, device brand and model, operating software or system version, and the pages you visit on our websites and apps;

    8. Data about what you love and need that you give us through surveys, our contact centers, or through any other channel that you use to contact us;

    9. Know our customer data as part of customer due diligence to prevent fraud;

    10. Location data if you are using location-based services;

    11. Audio-visual data, such as security footage at DITO stores and offices, or recordings of phone or video calls or chats with us where applicable and allowed by law; and

    12. Your interactions with us on social media and through our channels, such as Facebook, Twitter, Instagram, other social media platforms, our website, and live chat.

  5. How do we collect your personal data?

    We collect your personal data when you:

    1. fill out application forms, sign contracts or agreements, or accomplish any other similar documents through any of our channels, whether through our online channels, stores, or our sales representatives or specialists;

    2. reach out to us to ask about something, file a complaint, or make a request for service;

    3. participate in our research and surveys;

    4. use our network, facilities, and services;

    5. pay your bills or buy our products and services;

    6. join our promos, raffles, or rewards and loyalty programs; and

    7. visit and transact in our stores, apps, and websites.

    If you will be providing us the personal data of other people, you warrant that you have obtained the consent of the owner of that personal data.

    We may also collect your personal data from our subsidiaries, affiliates, and business partners, if you gave them consent to share your personal data with us.

  6. How do we process your personal data and why?

    When we process your personal data, it means that we are collecting, recording, storing, modifying, organizing, using, disclosing, transferring, or deleting it according to the law. The processing that we do will be done only with your consent or if justified through our legitimate business interests. We can do these activities through computer media and on paper.

    In any case, we only process your personal data:

    1. To perform our contractual obligations to you. We use data about you, such as your name and contact details, when you sign a contract with us or when we must contact you. We also analyze your data to see whether you are eligible for specific products and services.

    2. To improve our business and our operations. We analyze and process data related to your usage of our network and facilities to help keep our services going, manage your account, provide you with customer care activities, receive, investigate, and resolve your service-related requests and concerns, monitor and maintain the quality and security of our network, train our staff, and plan for our future.

    3. To improve our products and services. We analyze and process how you use and interact with our products and services so we can know how to improve them for you. For instance:

      • We study specific details about your usage, such as how often you use our SMS, voice, and data services.

      • We look at historical locational information on your use of our products and services, which will give us information on foot traffic, crowd density, and mobility patterns.

      • Sometimes, we analyze your personal data using automated processes, such as algorithms, to speed up decisions regarding credit limits on your postpaid plans.

      • We also look at the data on transactions between you and our third-party service providers or suppliers so we can give them advice on how transactions can be improved. When we process personal data for this purpose, we may give aggregated data to these service providers and suppliers. Note that you cannot be identified using this aggregated data.

    4. To secure your data and our operations. We have a duty to protect your personal data, as well as to prevent, detect, and contain any possible data breaches. Moreover, we also have a duty to make sure that our operations remain secure. To do this, we process your personal data to perform IT security operations, business continuity operations, disaster recovery, and auditing.

    5. To develop our relationship with you. We ask you for feedback about our products and services, or record your conversations with us through telephone, live chat, or social media. We may share this with certain members of our staff to improve or customize our products and services for you. We may send you newsletters, emails, calls, or mobile notifications to let you know about these products and services. While you will be given a chance to opt in to these notifications at the very first time we will be getting your personal data, you may later opt out if you no longer want to receive these offers or notifications.

      • To provide products, services, and marketing tailored just for you. We use your data for our legitimate business interests, which includes the development and improvement of our products and services, segmentation, and profiling of customers, and targeted and untargeted marketing. We do this because we want to make sure that our products and services meet what you want and need from us, and we want to let you know once these are ready for you. Of course, while you will be given a chance to opt in to this at the very first time we will be getting your personal data, you may later opt out if you no longer want to receive these personalized offers.

    6. To assist public authorities. We may process your personal data to generate statistics based on your use of our network and facilities to help public authorities in the areas of healthcare, disaster management, and other similar projects. As much as possible, we anonymize this information so you can never be identified as an individual.

    7. To comply with our legal obligations. We process your data to comply with our obligations under the law and to the government regulators. This may include providing information to the Credit Information Corporation in accordance with the Credit Information Systems Act.

    8. To establish, exercise, or defend legal claims. We may process your data to prosecute or defend a legal claim.

    You can be assured that we will not process your personal data in a way that is inconsistent with these purposes.

  7. Who is the Personal Information Controller?

    We are considered the Personal Information Controller ("PIC") under the DPA. This means that we can determine the purposes for which your personal data can be used. In case your personal data is shared with your consent to a third party under a data sharing agreement, this third party will also be considered a PIC.

  8. To whom do we disclose your personal data and why?

    To ensure that we offer you the best possible service and that we remain competitive in our business, we may share data externally, i.e. outside of DITO, with third parties. Whenever we do so, we ensure that this is shared on a confidential basis and only through secure means. All such disclosure will always follow applicable privacy laws and regulations.

    We will never share, rent, or sell your personal data to third parties, except in special circumstances where this is required by law or you have given your clear and explicit consent.

    In some instances, we may need to share your personal data to our agents, subsidiaries, affiliates, partners, and other third parties as part of our operations and for the continued provision of products and services. This means that we might share your information with:

    1. Our service providers, contractors, and professional advisors. We may have to share personal data to carry out certain activities in the normal course of our business. These service providers, contractors, and professional advisors help us with activities like:

      • designing, developing, maintaining, debugging, and optimizing our products, services, systems, tools, and applications;

      • providing application or infrastructure services;

      • marketing activities or events and managing customer communications, including mobile attributions and the generation of analytics;

      • preparing reports and statistics, printing materials, and designing products;

      • creating and placing advertisements on apps, websites, social media, and other modes of communication;

      • performing legal, auditing, or other special services provided by lawyers, notaries, auditors, or other professional advisors;

      • identifying, investigating, or preventing fraud or other misconduct; and

      • facilitating payment and transfer of funds;

    2. Our subsidiaries and affiliates with whom you have also signed up. We do so only to improve our operations as well as those of our subsidiaries and affiliates. For example, we can study your use of our products and services as well as that of our subsidiaries and affiliates to create product and service bundles that would meet your needs.

    3. Other companies to whom you have also given consent for us to share information. For example, when you sign up for products and services by other companies, they may request your data from us in order for them to validate your identity; and

    4. Government, supervisory, and judicial authorities. To comply with our own legal and regulatory obligations, we may disclose your personal data to the appropriate government, supervisory, and judicial authorities such as:

      • Public authorities, regulators, and supervisory bodies such as the National Telecommunications Commission and the National Privacy Commission;

      • Judicial and investigative authorities such as the police, public prosecutors, courts, and arbitration and mediation bodies.

    If you want to know our partners, you can make a request through our Data Protection Officer using the contact details below.

    When using our products and services, you may happen to interact with the products and services of Over the Top ("OTT") services providers, like media streaming services. They will be collecting personal data through their own products and services. This is governed by their own privacy policies, statements, or notices, so we highly encourage you to read them.

  9. How long do we keep your personal data?

    When we keep your personal data, we will be following these principles:

    1. We will only hold your personal data for as long as we do the activities we told you about. Essentially, we will keep your personal data for as long as it is necessary for us:

      • to continue providing you with the products and services you get from us;

      • to meet our legitimate business purposes;

      • to comply with our own legal obligations; and

      • to exercise or defend legal claims when the need arises.

      Generally, however, we will be keeping your personal data for a maximum period of ten (10) years after termination of service.

    2. We think about the type of data we collect, how much we collect, whether it is sensitive or not, and any other applicable legal requirements.

    3. We design our services so that we do not hold your data any longer than we must.

    4. We always think about the potential risk from anyone using or sharing your personal data without permission.

    For the actual handling of your personal data:

    1. Physical copies of the forms you submit to us will be stored in secure storage areas.

    2. Physical forms and documents that contain your personal data will be digitized and stored on our secure databases. Electronic copies of these forms will also be stored in our secure databases.

  10. How do we protect your personal data?

    We are committed to keeping your personal data safe. To maintain this commitment, we:

    1. design our products and services with your safety in mind;

    2. established a dedicated team to look after the safety and security of your personal data;

    3. use the right organizational, physical, and technical security measures, which include audits, policies and procedures related to data security, setting up secured servers and firewalls, encryption, and other security controls;

    4. ensure only qualified and authorized staff have access to your personal data, and that our staff are bound to keep your personal data confidential;

    5. regularly review our collection, storage, and processing practices;

    6. use contracts to make sure that third party service providers that process your personal data for us have the right security measures that will help keep your personal data safe;

    7. notify you and the appropriate privacy regulators in the event of a personal data breach; and

    8. let you update or correct your personal data to keep our records up to date.

  11. What are your rights in relation to your personal data?

    The Data Privacy Act of 2012, or DPA for short, gives you rights in relation to your personal data. It essentially gives you control over how your personal data is collected and used by companies.

    Below is a list of your rights. We want to make sure that you understand what these are, so we are describing each of these rights in a simple and transparent manner:

    1. The right to be informed. When we ask you to share your personal data with us, we give you details of what data we will be using, why we will be using it, and how long we will be keeping it, among other things.

    2. The right to object. This is your right to tell us to stop using your personal data. Please note, however, the DPA still allows us to use your personal data despite the exercise of this right under certain conditions. For example, we will still process your personal data despite your objection if we are legally required to do so or if it is necessary to fulfill our legal obligations to you.

    3. The right to access. This right allows you to ask whether we have personal data on you and, if we do, ask for a copy of that personal data.

    4. The right to rectification. This gives you the right to correct anything that you think is wrong with the personal data we have on file on you.

    5. The right to erasure or blocking. This gives you the right to ask us to delete your personal data. However, there are only certain instances where you can exercise this, such as in a case where you think we are processing your personal data unlawfully.

    6. The right to portability. This right allows you to get a copy of the personal data we have on you in a structured, commonly used, and machine-readable format.

    7. The right to damages. This right allows you to be indemnified for any damages that you may have sustained due to any violation of the DPA.

    8. The right to complain with the National Privacy Commission ("NPC"). In case you feel that any of your privacy rights have been violated, you have the right to file a complaint with the NPC. However, we encourage you to come to us first so we can resolve your complaint.

    While you do have the right to withdraw the consent you have given (which can be done by reaching out to our Data Protection Officer), please note that this withdrawal will not stop us from processing your personal data so long as there are other legal bases to do so. In other words, if you withdraw your consent, we can only stop the processing activities that rely on your consent. If, however, we cannot give you a legal basis to justify the continued processing of your personal data, we will either stop the processing and delete your personal data or anonymize it.

    In any case, to exercise any of these rights, please get in touch with our Data Protection Officer through the contact details we have indicated below. In certain instances, we may ask for supporting documents or proof before we can move forward with your request. In some cases, we may deny your request and, if allowed by law, we will notify you of the reason for denial. We may also charge you a reasonable fee to help us process your request.

  12. How can you contact us about your personal data?

    In case you have questions, concerns, or complaints regarding the processing of your personal data, you can contact our Data Protection Officer through the contact details below:

    Addressed to:

    The Data Protection Officer

    Office Address:

    11th Floor, Udenna Tower, Rizal Drive cor. 4th Avenue
    Bonifacio Global City, City of Taguig

    Email Address:

  13. How will you know if there are changes to this privacy statement?

    This privacy statement will be updated from time to time to comply with changes in the law, adopt new technologies, or for some other legitimate reason. If we do make important changes, like how and why we use your personal data, we will let you know through a notice, email, SMS, or a message in our app. We will also make sure to get your updated consent when necessary.

    This version became effective on 22 February 2021.