DITO TELECOMMUNITY CORPORATION

DATA PRIVACY STATEMENT FOR THE DITO MOBILE POSTPAID SERVICE

Last updated on 23 May 2023

Your privacy is important to us, which is why DITO Telecommunity Corporation (“DITO,” “We,” “us,” or “our”) has security measures to protect your Personal Data. Our commitment to your privacy is consistent with the principles of the Data Privacy Act of 2012, its Implementing Rules and Regulations, and the relevant issuances of the National Privacy Commission (“DPA”).

As a user of our mobile postpaid service, DITO will need to collect and process your Personal Data for the purposes stated in this Data Privacy Statement for the DITO Mobile Postpaid Service (“Privacy Statement”). Consistent with DITO’s commitment to transparency, DITO processes and protects your Personal Data only in accordance with what has been indicated here.

1. What does DITO do?
   

   DITO is a major telecommunications provider in the Philippines. It offers and will offer a variety of telecommunications services to consumers, including services related to mobile telephony and the internet of things.

   When you use DITO’s postpaid service, you will also be covered by DITO’s General Privacy Statement that can be accessed through https://dito.ph/privacy-policy. You can also see this on our DITO App.

   
   
2. What are the types of Personal Data that DITO collects and processes?
   

   DITO may collect and process both your personal and sensitive personal information. For the purposes of this Privacy Statement, these shall be collectively referred to as “Personal Data.” The following are the categories of Personal Data that DITO will be collecting and processing in connection to the postpaid service:

   1. Identification data: full name (surname, first name, and middle name) and date of birth, gender, residential address, and billing address
   2. Contact information: primary and alternative mobile numbers, primary and alternative email addresses, landline number;
   3. Government-issued or valid ID: type and ID number;
   4. Employment data (if you are employed): occupation and employer
   5. Business or corporate data (for business or corporate accounts): business document presented, business registration reference, authorized representative (name, contact number, email address, and ID number), and email address (for receiving monthly statements of account)
   6. Financial data: proofs of billing and other proofs of financial capacity, such as pay slips and income tax returns (if you’re employed) or audited financial statements (if you’re running a business);
   7. Transaction data: registered address or installation address, billing address, and plan type;
   8. Payment details: method of payment;
   9. Know our customer data as part of customer due diligence to prevent fraud; and
   10. Account data: handset brand and model released, handset serial number and IMEI
       
       
       
3. How does DITO collect your Personal Data?
   

   We collect your Personal Data from any documents or communications that you may have directly submitted to us, such as through application forms, contracts, the DITO App or through our other channels, physical or otherwise.

   We may also collect your Personal Data through our business intelligence platforms, which will allow us to see how you interact with our products and services.

   You may inform us of the specific Personal Data that you do not want to be processed beyond the purposes specified in the Privacy Statement. We will respect your request as far as it still allows us to meet the purposes for which your Personal Data was collected.

   
   
   
4. How does DITO process your Personal Data?
   

   Your Personal Data may be processed both by way of computer media and on paper, in compliance with the rules in relation to data protection and data security. Your Personal Data shall be collected, organized, stored, updated, retrieved, used, consolidated, or destroyed in line with the purposes for processing set out below.

   
   
   
5. Why does DITO process your Personal Data?
   

   Your Personal Data shall be processed for the following purposes:

   1. To perform our contractual obligations to you;
   2. To comply with the provisions of Republic Act No. 11934 (SIM Registration Act) and its Implementing Rules and Regulations
   3. To provide DITO mobile postpaid service to you;
   4. To determine your monthly service fee and credit limit, if applicable;
   5. To receive and analyze customer feedback based on your experience, if any;
   6. To comply with statutory and regulatory requirements, including directives, issuances by, or obligations of DITO to any competent authority, regulator, supervisory body, enforcement agency, exchange, court, quasi-judicial body or tribunal;
   7. To establish, exercise, or defend legal claims;
   8. To facilitate aftersales services; and
   9. To fulfill any other purposes directly related to the above-stated purposes.
   
   

   DITO will not process your Personal Data in ways incompatible with the above-stated purposes.

   Once you become a subscriber or a user of our mobile postpaid service, DITO’s General Privacy Statement will cover your use of the service.

   
   
6. Who is the Personal Information Controller?
   

   DITO is the Personal Information Controller under the DPA, which means that it determines the purposes for which the Personal Data it holds will be used for. It may also be that your Personal Data is disclosed to third parties pursuant to a data sharing agreement. In which case, such third parties are also the personal information controllers of your Personal Data.

   
   
   
7. To whom does DITO disclose your Personal Data and why?
   

   In compliance with Republic Act No. 11934, information that we get from you as part of the SIM registration process shall be treated as absolutely confidential and shall not be disclosed to any person. The law, however, permits disclosure of your full name and address if it’s made in compliance with the following:

   1. Any law obligating the PTE to disclose such information in accordance with the provisions of Republic Act No. 10173 or the Data Privacy Act of 2012;
   2. A court order or legal process upon finding of probable cause;
   3. A subpoena issued in compliance with Section 10 of Republic Act No. 11934; and
   4. With the written consent of the subscriber;
      
      
      
      
8. DATA RETENTION
   

   Your personal data will be retained or stored for as long as the purposes for which they are being processed have not been satisfied. DITO will retain and use your Personal Data as necessary to comply with its legal obligations, resolve disputes, and enforce its agreements:

   1. Forms that contain your Personal Data will be digitized and stored and maintained on DITO’s database hosted by a secure cloud provider. Forms, documents, and information submitted electronically shall be maintained by the same provider or in DITO’s servers.
   2. DITO shall ensure, using contractual and other reasonable means, that the third-party service providers implement proper safeguards to ensure the confidentiality, integrity and availability of the personal data processed, prevent its use for unauthorized purposes, and comply with the requirements of the DPA, its Implementing Rules and Regulations, and other applicable laws for processing of personal data, and other issuances of the National Privacy Commission.
   
   

   Generally, however, we are obligated to retain the data for ten (10) years, from date of deactivation, the relevant data and information of such deactivated SIM.

   
   
   
9. How does DITO protect your Personal Data?
   

   We are committed to keeping your personal data safe. To maintain this commitment:

   1. In compliance with the SIM Registration Act, we:
      1. Maintain a secure register of the SIMs or our end-users;
      2. Implement any change in the information in our SIM register as requested by end-users within the period required by law;
      3. Deactivate the SIM within twenty-four (24) hours from receipt of information on the death of the end-user, loss or theft of a SIM, or request for deactivation;
      4. Immediately effect barring of any SIM reported as lost or stolen;
      5. Deactivate, temporarily or permanently, the SIM used for fraudulent SMS or calls upon due investigation;
      6. Treat as absolutely confidential to any person any information or data obtained during the registration process, unless otherwise permitted by Republic Act No. 11934 and other relevant laws;
      7. Ensure that the end-users’ data are secured, encrypted, and protected at all times and comply with the security standards prescribed by the Department of Information and Communications Technology (“DICT”);
      8. Report to the DICT within twenty-four (24) hours of detection any incident of cyber-attack on the SIM register.
      9. Report to the National Privacy Commission in case of a personal data breach; and
      10. Allow the DICT to perform an annual audit;
   2. We design our products and services with your safety in mind;
   3. We established a dedicated team to look after the safety and security of your personal data;
   4. We use the right organizational, physical, and technical security measures, which includes audits, policies and procedures related to data security, setting up secured servers and firewalls, encryption, and other security controls;
   5. We ensure only qualified and authorized staff have access to your personal data, and that our staff are bound to keep your personal data confidential;
   6. We regularly review our collection, storage, and processing practices;
   7. We use contracts to make sure that third party service providers that process your personal data for us have the right security measures that will help keep your personal data safe;
   8. We notify you and the appropriate privacy regulators in the event of a personal data breach; and
   9. We let you update or correct your personal data to keep our records up to date.
      
      
   
   
10. What are your rights regarding your Personal Data?
    

    As a data subject, you have certain rights under the DPA. You may exercise the following rights to your discretion:

    1. The right to access Personal Data
       

       Under the DPA, it is possible for individuals to request access to any of their Personal Data held by DITO, subject to certain restrictions. A request for disclosure of such information is called a subject access request. Any such requests should be addressed to DITO’s Data Protection Officer through the contact information below.

    2. The right to make corrections to Personal Data
       

       The DPA requires DITO to take reasonable steps to ensure that any Personal Data it processes is accurate and updated. It is your responsibility to inform DITO of any changes to the Personal Data that you have supplied to us during your relationship with DITO.

    3. The right to object to the processing of Personal Data
       

       You have the right to object to the processing of your Personal Data. You shall also be notified and be given an opportunity to withhold consent to the processing in case of changes or any amendment to the information made known to you in this Privacy Statement.

        

       Please note that some of the Personal Data you have provided to us is necessary for us to comply with statutory and regulatory requirements, as well as DITO’s administrative policies. Hence, the collection and processing of these pieces of Personal Data is mandatory.

    4. The right to erasure or blocking of Personal Data
       

       You have the right to suspend, withdraw or order the blocking, removal, or destruction of your Personal Data from our filing system. However, the exercise of this right is subject to certain conditions as specified by the DPA.

    5. The right to be informed of the existence of processing of your Personal Data
       

       You have the right to be informed whether Personal Data pertaining to you shall be, is being, or have been processed, including the existence of automated decision-making and profiling.

    6. The right to damages
       

       Upon presentation of a valid decision, DITO recognizes your right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of your Personal Data, taking into account any violation of your rights and freedoms as a data subject.

    7. The right to lodge a complaint before the National Privacy Commission
       
       
       
11. How will you be informed of any changes to this Privacy Statement?
    

    This Privacy Statement may be updated from time to time. The data subject will be notified through the appropriate portal should there be any amendments or changes to this Privacy Statement.

    
    
    
12. How can you contact DITO if you have questions about this Privacy Statement?
    

    In case you have questions, concerns, or complaints regarding the processing of your Personal Data, you may address them to DITO’s Data Protection Officer:

                    Addressed to:                    The Data Protection Officer

                    Office address: 11^th Floor, Udenna Tower, Rizal Drive cor. 4^th Avenue

                                                                    Bonifacio Global City, Taguig City

                    Email address:   privacymatters@dito.ph

    
    
    
13. For how long shall your consent be valid?
    

    Once you agree to the processing of your Personal Data according to the terms of this Privacy Statement, your consent and authorization shall remain valid and subsisting for a limited period consistent with the purposes stated above or until otherwise revoked or cancelled in writing in accordance with the DPA.