Bayad AND DATA PRIVACY

CUSTOMER DATA

CIS Bayad Center, Inc. (“Bayad”) adheres to data privacy principles of transparency, legitimate purpose, and proportionality in the processing of its customer personal information.

Processing your Personal Data

What personal data do we collect?

Bayad collects your personal and sensitive personal information when you register, sign-up or use our products and services or contact us about them. We also obtain your information for purposes of identity verification and regulatory requirements by the Bangko Sentral ng Pilipinas (BSP) thru physical and/or digital means. Examples include:

• 1. Transactional Data: refers to account number, reference number, credit card number, billing address, credit card expiry date, credit card security code, bill month, amount, due date, and other types of customer account number.
• 2. Know-Your-Customer (KYC)/Identification Data: these are your personal and sensitive personal information when you register to our products and services such as full name, birth date, birthplace, permanent and present address, civil status, nationality, email address, contact number, religion, occupation, government-issued identification numbers, nature of work, source of funds, employer name and such other information necessary to conduct due diligence and comply with BSP rules and regulations.
• 3. Biometric Data: data processed for customer verification such as fingerprint, face recognition, photo, live video, etc.
• 4. Audio Visual Data: for typical security and access control purposes, surveillance videos are processed at our branches and franchisees, subject to limitations imposed by law.

Why do we process this personal data? Bayad processes this personal data to process transactions or fulfill obligations, and to improve our services. Specifically, this information is used to offer our customers more personalized services, by informing our customers of rewards for which they may qualify and, with our customer’s consent, for the offering of other unrelated services that may suit our customers better, using my contact information that provided in our online and offline transaction forms.

How do we process your data? Your data is processed through several servers running proprietary software dedicated to routing your payment to your biller of choice in the fastest possible manner. Our servers use the latest in interfacing protocols and the least amount of information necessary to process your transaction to ensure real-time transmission of data to your biller of choice, in as much as your biller’s infrastructure allows the same.

Protecting Your Personal Data

How do we protect your data? We have appointed data stewards and information asset custodians to ensure that your data is properly handled and kept secure, in accordance with our Data Handling Policy, data privacy laws, and industry approved standards.

Retaining Your Data

How long do we retain your data? We will keep your personal data for 1 year from date of transaction unless the law requires a longer period. At the end of the retention period, your personal data shall be deleted and made unrecoverable using approved secure disposal methods (e.g. data sanitization, secure shredding). This includes physical media (e.g. printed, removable media, back-up tapes, etc.). We keep a record of how, when, and by whom the information was destroyed, to provide an audit trail.

PROSPECTIVE, ACTIVE, AND SEPARATED EMPLOYEES AND ON-THE-JOB TRAINEES

We value the privacy of our employees and their dependents as well as our job applicants, on-the-job trainees and retirees. We collect and maintain their personal data in connection with our prospective, active, and previous contracts with them, whether for employment or training agreements. We ensure that their information is updated and kept confidential, even beyond their separation from CIS Bayad Center, Inc., or any of its subsidiaries.

Collecting employee personal data

We collect your personal data in the course of, or incidental to the conduct of, our business with you. These data include any other information that you voluntarily provide to us for any legitimate purpose declared at the point of collection as well as information about you that we received from third parties and other sources where the disclosure was subject of a consent that you gave separately or a legal requirement. We collect the following information:

• 1. Information you submit when you apply at Bayad or any of its subsidiaries, for work or training, including what is contained in your resume or curriculum vitae and application form (e.g., work references);
• 2. Information we collect during the processing of your application, such as testing results, employment offer, results of character investigation, and pre-employment medical assessment;
• 3. Information we collect and maintain during your employment, such as your personal information, addresses, education records, professional licenses and permits, and government-issued identification information; payroll information, including but not limited to government mandated and third party remittances like SSS, Philhealth, and Pag-ibig membership and contributions, taxes, bank account information; wages; entitlements and benefits; medical and dental care records; emergency contact information; training and certifications; performance evaluation; sanctions; and employment changes / work history;
• 4. Information we collect and maintain to facilitate your use of tools, equipment, and software that are related to the performance of your duties and responsibilities; to assist you in any work-related issues that you may encounter as you perform your duties and responsibilities, including troubleshooting of technical problems; to develop ways to improve your work conditions, such as automation of transactions and processes;
• 5. Information you provide about your dependents/beneficiaries for purposes of but not limited to administration of health maintenance plan, insurance claims, or profiling;
• 6. Information you provide when you participate in our surveys related to internal business processes, such as but not limited to employee engagement events, sustainability efforts, post-training assessments, climate surveys;
• 7. Information we retain after your separation from service, such as but not limited to pension information, retiree eligibilities and other benefits, bank account information, addresses, beneficiaries, and emergency contact information; and
• 8. Information we may record as you perform your duties and responsibilities, strictly limited to photos and videos of you in the workplace or in other Bayad-sponsored programs that contain your image or voice.

Purposes for the Processing of Personal Information

We store, process, and/or analyze the personal data collected for some legitimate purpose, related or incidental to the conduct of our business, including but not limited to maintaining safety and security within Bayad premises. Specifically, we may store, process, and/or analyze your personal data for the following and any other legitimate purposes related to the fulfillment thereof:

• 1. To handle your application for employment or training. We process your personal data to evaluate your eligibility for employment or training, including the verification of your qualifications, employment history, and character references (background checking);
• 2. To manage our employer-employee or training relationship. We process your data to maintain your employment, on-the-job training and/or personal records, including your contact information, for operational or administrative efficiency. Specifically for employees, we collect, store, and process your data to administer your pay, statutory and salary deductions, entitlements, and benefits, and those of your dependents or beneficiaries, to conduct your performance reviews and grant rewards, to establish appropriate training and/or developmental interventions including your membership with professional or industry organizations, to monitor your work performance and use of Bayad resources, and to conduct internal investigation and/or administer disciplinary action and sanction as necessary.
• 3. To address or enforce legal claims or obligations arising from employment contract or training relationship. We process your data to comply with applicable statutory and regulatory requirements and submissions, including the processing of your work or labor-related claims (e.g. worker compensation, insurance claims, etc.). Your personal data may also be processed to enforce our claims or defend our rights in any proceeding arising from our relationship.
• 4. To improve your welfare, productivity, safety, and security at work. We process your data to develop your health and wellness programs, including provision of your medical benefits; to conduct employee engagement activities; to create and maintain user accounts that serve as your personalized work credentials and access rights; and to facilitate and maintain overall productivity, safety, and security in the workplace and in all business operations. We also facilitate the payment of your donation to foundations or charitable institutions through deduction from your payroll account and implement corporate social responsibility and other Bayad programs or events.
• 5. To maintain our post-employment relationship. We process your data to administer your pension, retiree eligibilities and other benefits.
• 6. To prepare publications that feature Bayad or any of its subsidiaries. We process your images or voice that we may have recorded in the workplace or during your participation in Bayad-sponsored activities to give the general public previews on the work culture and workplace environment in Bayad or any of its subsidiaries.

Processing Employee Information

How do we process employee information?

As personal information controller, your employee information is processed.

• 1. Data Subject - Prospective, active, and separated employees, as well as on-the-job trainees
• 2. As needed / as applicable
• 3. When applicable, data sharing or outsourced processes are covered by DSA, NDA, and/or OAs
• 4. Engagement – Engagement - Onboarding, Bayad activities, duties and responsibilities as a Bayad employee, payroll, filing of government mandatories (BIR, DOLE, etc.), benefits processing, etc.

While most processes relating to Human Resources are processed in-house, some employee information is processed through an attendance system powered by Sprout Solutions, Inc., while some talent resourcing and other payroll processing functions are carried out by Meralco. Payroll accounts are processed by Banco de Oro Unibank, Meralco Ortigas branch.

Sharing and Disclosure of Your Personal Data

To whom do we disclose your personal data? We disclose your personal data to: (a) employees, authorized representatives, trainees, and consultants; (b) contractors, and business partners, including auditors; and (c) government entities, under these details:

• Employees, Authorized Representatives, Trainees, and Consultants. We ensure that our employees and trainees commit to observe the privacy policies of Bayad. We require our Authorized Representatives and Consultants to sign a Non-Disclosure Agreement (NDA), to ensure that they process your data confidentially in a manner consistent with the purpose of their employment or engagement.
• Contractors, and Business Partners, including Auditors. We require our contractors, subsidiaries, and business partners, through a Data Processing, Data Sharing, or Outsourcing Agreements, as applicable, and/or Non-Disclosure Agreement (NDA), to secure and keep your data confidential. We take your privacy seriously so punitive or legal action will be initiated in case of proven misdeed. Moreover, we do not allow our contractors, subsidiaries, and business partners to disclose or share your data to others, or to use it for their own purposes, without your consent.
• Government entities. Your information may also be disclosed to government entities pursuant to and in compliance with applicable laws and regulations, subpoena or court order.

To whom do we share your personal data? Unless you provide specific consent or except in instances allowed under Philippine data privacy and protection laws, we will not:

• Share your personal data with our business partners and other third parties for their own commercial purpose or benefit;
• Use your personal data to enable third-party targeted advertisements which are not related to our business.

In case that data sharing, including cross-border transfer, is allowed, we shall ensure the protection of your data through appropriate Data Sharing Agreements and commit to give you prior notice to any such transfer and processing of your data.

Protecting Your Personal Data

How do we protect your data? We have appointed data stewards and information asset custodians to ensure that your data is properly handled and kept secure, in accordance with our Data Handling Policy, data privacy laws, and industry approved standards.

We are committed to ensure the integrity, confidentiality, availability, and security of your information. We implement reasonable organizational, physical, and technical security measures in collecting, processing, transmitting, storing, and disposing your personal data such as using secure servers, firewalls and security controls and ensuring regular conduct of audit and testing of our security protocols.

For an enhanced online experience, our services are available through compatible devices, such as laptops, PCs, tablets, and mobile phones. For your added security, we recommend that you install anti-virus software on any such device before accessing the internet.

You are responsible for the security of your information once it reaches you or your representative in any medium, including but not limited to written correspondences, bills, emails, system applications, and on-line accounts.

You should take appropriate measures to ensure that any medium or device you use to monitor or manage your account is secure and not accessible to anyone without permission.

Retaining Your Data

We keep your personal data only for as long as necessary:

• for the fulfillment of the declared, specified, and legitimate purposes provided above, or when the processing relevant to the purpose has been completed or terminated;
• for the establishment, exercise, or defense of legal claims; or
• for other business purposes, that are consistent with standards established or approved by regulatory agencies governing Bayad.

Thereafter, your personal data shall be disposed of or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other party or the public.

VENDORS, SUPPLIERS OR CONTRACTORS, AND CONSULTANTS

We value the privacy of all our individual vendors, suppliers, contractors and consultants as well as the officers, employees, attorneys-in-fact, and authorized representatives of our corporate service providers. We request for the personal data of sole proprietors and other individual persons representing our corporate contractors mostly for purposes of accreditation and official correspondences. At the point of data collection, we give them an opportunity to review our Privacy Statement and sign acknowledgment forms to signify that they have understood how we uphold their rights as data subjects and how we secure copies of their personal data that are in our possession.

Collection of Personal Data

What personal data do we collect? We collect your personal data in the course of, or incidental to the conduct of, our business with you. These data include any other information that you voluntarily provide to us for any legitimate purpose declared at the point of collection as well as information about you that we received from third parties and other sources where the disclosure was subject of a consent that you gave separately or a legal requirement.

We will be collecting the following information from you:

• Information you submit to Bayad in your application for accreditation, use of supply chain application system, and/or processing of payments, such as your name, tax identification number, government-issued identification information, address, contact details, educational attainment, work experience and banking information;
• Information we collect and maintain about you and your employees in relation to the preparation, execution, or fulfilment of your contract with us, and to the development of a single contact directory that may guide Bayad, its subsidiaries and affiliates in coordinating with your representatives for upcoming business partnerships or engagements;
• Information that your employees submit to have access to or perform your services or deliver your products within the premises of Bayad.

Purpose of Processing Personal Data

Why do we collect this data? We store, process, and/or analyze the personal data collected for some legitimate purpose, related or incidental to the conduct of our business, including maintaining safety and security within Bayad premises.

Specifically, we may store, process, and/or analyze your personal data for the following and any other legitimate purposes related to the fulfillment thereof:

• To establish our business relationship or consultancy engagement. We process your personal data to evaluate your application for accreditation or as basis for our engagement.
• To conduct business with you. We process your data to enforce our legal and contractual obligations including evaluating or auditing the provision of goods and/or services you provide, and facilitating the payment of your invoices in various payment methods (i.e., Fund Transfer, Corporate Check, Outsourced Check); informing you of our requirements, programs, or advisories; referring you as a potential service provider to our customers; and responding to your questions, comments, and feedback by letter, e-mail, telephone, or other media for internal administrative purposes, such as auditing, data analysis, and database records management. Your data may also be processed to comply with statutory, legal, and regulatory requirements related to our business.
• To maintain your account with us and establish potential business relationship with our Subsidiaries and Affiliates. We maintain and update your vendor account information and establish details of your authorized contact persons for the goods and/or services you provide. We may also process your data for procurement synergy initiatives, including referring you as a potential vendor to our subsidiaries and affiliates and maintaining a directory as a single point of reference in the pursuit of these initiatives.

Processing Personal Information

How do we process your information? Generally, your personal data is processed:

Sharing and Disclosure of Your Personal Data

To whom do we disclose your personal data? We disclose your personal data to: (a) employees, authorized representatives, trainees, and consultants; (b) contractors, and business partners, including auditors; and (c) government entities, under these details:

• Employees, Authorized Representatives, Trainees, and Consultants. We ensure that our employees and trainees commit to observe the privacy policies of Bayad. We require our Authorized Representatives and Consultants to sign a Non-Disclosure Agreement (NDA), to ensure that they process your data confidentially in a manner consistent with the purpose of their employment or engagement.
• Contractors, and Business Partners, including Auditors. We require our contractors, subsidiaries, and business partners, through a Data Processing, Data Sharing, or Outsourcing Agreements, as applicable, and/or Non-Disclosure Agreement (NDA), to secure and keep your data confidential. We take your privacy seriously so punitive or legal action will be initiated in case of proven misdeed. Moreover, we do not allow our contractors, subsidiaries, and business partners to disclose or share your data to others, or to use it for their own purposes, without your consent.
• Government entities. Your information may also be disclosed to government entities pursuant to and in compliance with applicable laws and regulations, subpoena or court order.

To whom do we share your personal data? Unless you provide specific consent or except in instances allowed under Philippine data privacy and protection laws, we will not:

• Share your personal data with our business partners and other third parties for their own commercial purpose or benefit;
• Use your personal data to enable third-party targeted advertisements which are not related to our business.

In case that data sharing, including cross-border transfer, is allowed, we shall ensure the protection of your data through appropriate Data Sharing Agreements and commit to give you prior notice to any such transfer and processing of your data.

Protecting Your Personal Data

How do we protect your data? We have appointed data stewards and information asset custodians to ensure that your data is properly handled and kept secure, in accordance with our Data Handling Policy, data privacy laws, and industry approved standards.

We are committed to ensure the integrity, confidentiality, availability, and security of your information. We implement reasonable organizational, physical, and technical security measures in collecting, processing, transmitting, storing, and disposing your personal data such as using secure servers, firewalls and security controls and ensuring regular conduct of audit and testing of our security protocols.

You are responsible for the security of your information once it reaches you or your representative in any medium, including but not limited to written correspondences, bills, emails, system applications, and on-line accounts. You should take appropriate measures to ensure that any medium or device you use to monitor or manage your account is secure and not accessible to anyone without permission.

Retaining Your Data

We keep your personal data only for as long as necessary:

• for the fulfillment of the declared, specified, and legitimate purposes provided above, or when the processing relevant to the purpose has been completed or terminated;
• for the establishment, exercise, or defense of legal claims; or
• for other business purposes, that are consistent with standards established or approved by regulatory agencies governing Bayad.

Thereafter, your personal data shall be disposed of or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other party or the public.

GUESTS AND VISITORS

We respect the privacy of any person who visits Bayad’s physical offices and other areas where Bayad’s properties are located whether by invitation, upon authorization, or on their own accord. We primarily collect their personal data to establish their identities and monitor their whereabouts while they are inside Bayad-owned premises. Unless required by reasons of public safety and orderliness, we neither access nor share any information that might have been stored in our devices such as closed-circuit television cameras after the guest or visitor has left Bayad-owned premises.

Data Collection

What do we collect? We collect your personal data in the course of, or incidental to the conduct of, our business with you. These data include any other information that you voluntarily provide to us for any legitimate purpose declared at the point of collection as well as information about you that we received from third parties and other sources where the disclosure was subject of a consent that you gave separately or a legal requirement.

We collect the following information from our guests and visitors: (a) information we collect when you enter our premises such as your name, address, vehicle type and plate number or conduction sticker number, and identification card details including government-issued identification information; and (b) information captured by our close circuit television (CCTV) installed in our premises including entrance and exit points.

Processing Your Information

How do we process your information? Generally, your personal data is processed:

Purpose of Processing

Why do we process your information? We store, process, and/or analyze the personal data collected for some legitimate purpose, related or incidental to the conduct of our business, including maintaining safety and security within the Company premises. Specifically, we may store, process, and/or analyze your personal data for the following and any other legitimate purposes related to the fulfillment thereof:

• To monitor and/or control your entrance to, or exit from, and activities within, our premises. We process your personal data to facilitate your ingress to and egress from our premises, offices, and facilities, including your vehicles or materials, such as verification of your identity and recording the purpose of your visit. We also monitor your location and activities inside the company premises, including ingress and egress of equipment, vehicle, and materials;
• To enforce safety and security measures and procedures. This includes conducting investigations and imposing sanctions in case of violations of Bayad policies and security and safety procedures or commission of crimes.

Sharing and Disclosure of Your Personal Data

To whom do we disclose your personal data? We disclose your personal data to: (a) employees, authorized representatives, trainees, and consultants; (b) contractors, and business partners, including auditors; and (c) government entities, under these details:

• Employees, Authorized Representatives, Trainees, and Consultants. We ensure that our employees and trainees commit to observe the privacy policies of Bayad. We require our Authorized Representatives and Consultants to sign a Non-Disclosure Agreement (NDA), to ensure that they process your data confidentially in a manner consistent with the purpose of their employment or engagement.
• Contractors, and Business Partners, including Auditors. We require our contractors, subsidiaries, and business partners, through a Data Processing, Data Sharing, or Outsourcing Agreements, as applicable, and/or Non-Disclosure Agreement (NDA), to secure and keep your data confidential. We take your privacy seriously so punitive or legal action will be initiated in case of proven misdeed. Moreover, we do not allow our contractors, subsidiaries, and business partners to disclose or share your data to others, or to use it for their own purposes, without your consent.
• Government entities. Your information may also be disclosed to government entities pursuant to and in compliance with applicable laws and regulations, subpoena or court order.

To whom do we share your personal data? Unless you provide specific consent or except in instances allowed under Philippine data privacy and protection laws, we will not:

• Share your personal data with our business partners and other third parties for their own commercial purpose or benefit;
• Use your personal data to enable third-party targeted advertisements which are not related to our business.

In case that data sharing, including cross-border transfer, is allowed, we shall ensure the protection of your data through appropriate Data Sharing Agreements and commit to give you prior notice to any such transfer and processing of your data.

Protecting Your Personal Data

How do we protect your data? We have appointed data stewards and information asset custodians to ensure that your data is properly handled and kept secure, in accordance with our Data Handling Policy, data privacy laws, and industry approved standards.

We are committed to ensure the integrity, confidentiality, availability, and security of your information. We implement reasonable organizational, physical, and technical security measures in collecting, processing, transmitting, storing, and disposing your personal data such as using secure servers, firewalls and security controls and ensuring regular conduct of audit and testing of our security protocols.

You are responsible for the security of your information once it reaches you or your representative in any medium, including but not limited to written correspondences, bills, emails, system applications, and on-line accounts. You should take appropriate measures to ensure that any medium or device you use to monitor or manage your account is secure and not accessible to anyone without permission.

Retaining Your Data

We keep your personal data only for as long as necessary:

• for the fulfillment of the declared, specified, and legitimate purposes provided above, or when the processing relevant to the purpose has been completed or terminated;
• for the establishment, exercise, or defense of legal claims; or
• for other business purposes, that are consistent with standards established or approved by regulatory agencies governing Bayad.

Thereafter, your personal data shall be disposed of or discarded in a secure manner that would prevent further processing, unauthorized access, or disclosure to any other party or the public.

UPDATING OUR PRIVACY STATEMENT

We update our privacy statement and practices regularly to reflect changes in applicable laws, government and regulatory requirements, technological, industry and business practices. We will notify you on these changes whenever applicable.

UPHOLDING YOUR DATA SUBJECT RIGHTS

As an individual whose information we collect and store to fulfill our legitimate purposes, you have rights as a data subject under the DPA.

You have the right to be informed about how and why we collect your personal data. You also have the right to access a copy of your personal information in our possession; the right to withdraw consent that you previously gave; the right to have your information corrected if you believe that it is inaccurate or incomplete; and the right to erase or block your information from our databases.

We also recognize your right to data portability, also known as your right to obtain and electronically move, copy, or transfer personal data for further use. Furthermore, we also respect your right to file a complaint with the National Privacy Commission and your right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of your personal information.

How do we exercise our data subject rights? We advocate for your right to be able to exercise your data subject rights; for which you may use these forms: