Whenever used in this Notice, the following terms shall have the respective meanings as set forth below:

(a) “Affiliate” an entity that directly or indirectly through one or more intermediaries, controls or is controlled by, or is under common control with, the person specified, through the ownership of voting shares, by contact, or otherwise.

(b) “Business Day” means any day that Philippine banks are open for business in Makati City,

(c) “Data Subject” refers to an individual whose personal information is processed

(d) “DPA” means the Data Privacy Act of 2012 and its implementing rules and regulations, as well as the circulars issued by the National Privacy Commission from time to time.

(e)  “Notice” means this data privacy notice may be amended, modified or supplemented from time to time.

(f)  “Person” means any natural or juridical person.

(g)  “Personal data” means personal information and sensitive personal information.

(h)  “Personal information” refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information, would directly and certainly identify an individual.

(i)   “Processing” refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating, or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data is contained or intended to be contained in a filing system.

(j)  “Sensitive personal information” refers to personal information: (1) about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations; (2) about an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings; (3) issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; or (4) specifically established by an executive order or an act of Congress to be kept classified.

(k)  “Subsidiary” an enterprise that is controlled by another enterprise, known as the parent.

The Personal Data collected by the PDS Group and how it is processed may vary based on the type of transaction or interaction with the data subject. Personal information that may be collected from a Data Subject includes, but is not limited to:

1. Data Subject’s name and personal particulars such as contact details, address, gender, birthdate, nationality, marital status, education;
2. specimen signatures;
3. digital photos and biometrics;
4. government ID details;
5. financial information (such as income, expenses, balances, investments, tax, insurance, financial and transaction history, among others);
6. employment details;
7. business interests and assets;
8. images via CCTV and other similar recording devices and processes;
9. voice recordings of our conversations with you.

Personal data is collected and processed fairly and lawfully, mainly to verify the identity of individuals and deliver the products and services offered by the PDS Group. This data allows the PDS Group to send necessary documents, such as invoices and statements, and to ensure that clients are kept informed about relevant market information. The information is also used to improve the products and services offered by the PDS Group, enabling the organization to respond to inquiries regarding the website, online platforms or services, and to facilitate participation in various events organized by the PDS Group. Additionally, the data collected is utilized to manage the safety and security of the PDS Group’s premises, systems, personnel, and guests.

The personal data provided may also be used to review and evaluate applications submitted to the PDS Group. This process may involve conducting necessary background checks and ensuring compliance with applicable legal and regulatory requirements. Furthermore, personal data may be processed to fulfil contractual or legal obligations under agreements with individuals or other involved entities. The PDS Group also uses personal data to conduct audits and reviews of internal processes and systems, allowing the organization to manage risks effectively, engage in strategic planning, and ensure compliance with various operational and audit standards.

Moreover, the PDS Group uses personal data to safeguard against the misuse or abuse of its products and services and to comply with Philippine laws. This includes responding to court orders, adhering to the rules and regulations of the Bangko Sentral ng Pilipinas (“BSP”), the Securities and Exchange Commission (“SEC”), and assisting with requests from local or foreign authorities.

Lastly, the PDS Group may use personal data for any other purposes related to the aforementioned activities, as permitted by law or with the Data Subject’s consent.

Within the PDS Group, personal data may be shared to provide the products or services offered or to continue a Data Subject’s relationship or transaction with the PDS Group.

The PDS Group also works with affiliates and third parties to help operate its business, information may be shared to affiliates and third parties for the purposes for which the personal data was collected, to fulfill specific business functions or operational requirement, or for any other reasonable purpose relevant to the context. This may include engaging third-party service providers for physical security, maintenance, storage and records management, payment systems, or other business functions, as well as complying with legal requirements, enforcing terms and conditions of contracts or agreements, addressing fraud, security, or technical issues, and responding to emergencies to protect the rights, property, or safety of the PDS Group’s stakeholders or third parties. The sharing of personal information by the PDS Group to its affiliates and third parties is made under strict confidentiality and data sharing agreements and strictly in accordance with applicable laws and the commitments outlined in this Notice.

Personal data collected by the PDS Group may be transferred, stored, or processed outside the Philippines in connection with business operations or to fulfil the PDS Group’s legal obligations in other jurisdictions. In case personal data is transferred outside of the Philippines, the PDS Group shall ensure compliance with relevant data protection laws and regulations in the countries where the data is to be processed.

It is important to note that the PDS Group does not and will not sell personal data to third parties. Any sharing of personal data with third parties is conducted in full compliance with the data privacy obligations established in contracts, terms and conditions, or relevant legal frameworks governing the relationship with the individual.

The PDS Group recognizes the importance of protecting personal data and is committed to safeguarding its confidentiality, integrity, and availability. The organization employs a combination of physical, technological, and procedural safeguards to protect personal data from unauthorized access, use, and disclosure such as establishing limitations, when applicable, on access to personal data, document storage security policies, security measures on controlled access to our systems and premises, stringent selection of third-party data processors and agents, non-disclosure and privacy protection clauses in agreements, the conduct of data privacy trainings for PDS Group’s officers and employees, and technology-based security tools or measures to protect the PDS Group’s websites, platforms  and data processing systems.

The personal data collected is stored exclusively in secure environments managed by the PDS Group. Robust procedures have been implemented to protect your data from unauthorized access, use, and disclosure, such as the use of advanced technology solutions like encryption to enforce the necessary security controls.

The PDS Group shall only retain personal data for as long as it is required or permitted to by law or as relevant for the purposes for which it was collected, and necessary: a) for the fulfilment of the declared, specified, and legitimate purposes; b) for the establishment, exercise, or defense of legal claims; or c) for legitimate business purposes including compliance with legal or regulatory requirements. In no case shall the PDS Group use a Data Subject’s personal data outside of the purposes stated herein.

The PDS Group will cease to retain personal data and securely dispose of it or remove the means by which the personal data can be associated with a Data Subject as soon as it is reasonable to assume that such retention no longer serves the purposes for which the personal data was collected and is no longer necessary for any legal or business purpose.

The PDS Group has established a personal data breach handling procedure to address security incidents that may potentially result in a personal data breach. In the event of a suspected or actual breach, the PDS Group will take immediate action to contain the breach, mitigate its consequences, and notify the relevant parties.

If it is determined that a personal data breach has occurred, the PDS Group will notify the National Privacy Commission (NPC) and other relevant authorities in accordance with the requirements of the Data Privacy Act of 2012 (DPA) and other applicable regulations. The PDS Group will also notify affected issuers, participants, transfer agents, underwriters, and/or individuals as prescribed by the DPA and other relevant laws.

Under the Data Privacy Act of 2012, Data Subjects whose personal data is collected and processed by the PDS Group have the following rights:

1. Right to Be Informed: Data Subjects have the right to be informed about how their personal data is being processed. This includes information about the type of data collected, the purposes for processing, the recipients of the data, and the manner of processing.

2. Right to Object: Data Subjects have the right to object to the processing of their personal data, withdraw consent to further processing, and request the removal of their personal data from the PDS Group’s data processing systems.

3. Right to Access: Data Subjects have the right to access their personal data held by the PDS Group. This may include obtaining a copy of the personal data, the manner in which it has been processed, the sources from which the data was obtained, and the recipients of the data.

4. Right to Rectification: Data Subjects have the right to correct any inaccuracies or errors in their personal data and request that the PDS Group update or rectify the information.

5. Right to Data Erasure or Blocking: Based on valid grounds provided in the DPA and its implementing rules and regulations, Data Subjects have the right to suspend, withdraw, or order the blocking, removal, or destruction of their personal data.

6. Right to Damages: Data Subjects have the right to be indemnified for damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal data. This includes any violation of the individual’s rights as a data subject.

7. Right to Secure Data Portability: To the extent applicable, Data Subjects have the right to obtain their personal data in an electronic or structured format that is commonly used, allowing for further use of the data.

8. Right to File a Complaint: Data Subjects have the right to file complaints or raise concerns with the National Privacy Commission regarding the PDS Group’s processing of their personal data. Complaints may be filed through the NPC’s website at www.privacy.gov.ph.

For any queries, clarifications, comments, or requests regarding any aspect of this Notice, or to exercise a data subject’s rights pertaining to personal data, or to provide feedback on the PDS Group’s processing of personal data, the Data Protection Officer can be reached through the following email addresses: pdtc-dpo@pds.com.ph or pdex-dpo@pds.com.ph.

The PDS Group may modify or amend this Privacy Notice to keep up with any changes in relevant laws and regulations applicable or how the PDS Group collects, use, protects, stores, shares or disposes of personal information. Any relevant updates will be posted on the PDS Group website.