DITO TELECOMMUNITY CORPORATION

PRIVACY STATEMENT FOR LEAD GENERATION (5G HOME WIFI)

Last updated 26 June 2025

DITO Telecommunity Corporation ("DITO," "we," "us," or "our") is committed to safeguarding your privacy and upholding your rights under applicable data privacy laws. We implement appropriate measures to ensure the security of your personal data in compliance with Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations, and other relevant issuances of the National Privacy Commission (NPC). We are committed to safeguarding your personal data across all channels of interaction with us, including our website, mobile applications, online portals, physical stores and offices, paper-based forms, and digital communications such as email, SMS, and other electronic messaging platforms.

We encourage you to review this privacy statement thoroughly to understand how we handle your personal data and the principles that guide our data processing activities. This statement outlines how we collect, use, and disclose your personal data, and provides information on how you may access, update, or manage your data, including your options and preferences regarding its use.

I. What does DITO do?

We are a major telecommunications provider in the Philippines. We offer and will be offering a variety of telecommunications services to you, including but not limited to, services related to mobile telephony and the internet of things.

II. What is the purpose and scope of this privacy statement for lead generation?

At DITO, we understand that your personal data is very important. To make sure that you understand what we will be doing with your personal data, we made this privacy statement to explain the details to you in a simple and transparent way. We made sure that this would be consistent with the principles of the DPA, its Implementing Rules and Regulations, and the relevant issuances of the National Privacy Commission.

This privacy statement applies to people who signed up and gave their express consent to be updated about our 5G Home WiFi service. In other words, this only applies to this instance of generating leads for DITO.

Further, you will likewise be covered by DITO's General Privacy Statement that can be accessed through https://dito.ph/privacy-policy. You can also access the same through the DITO Application ("DITO App").

III. What are the types of your personal data that we will be processing?

Personal data refers to information that identifies or can be linked to you, a natural person. To keep you updated about our products and services, we will just need your full name, mobile number, telephone number, email address, address, and preferred DITO Experience Store.

IV. How will we be collecting your personal data?

We collect your personal data when you:

  1. fill out and submit application forms, sign contracts or agreements, or accomplish any other similar documents through any of our channels, may it be through our online channels, stores, or through our sales representatives or specialists;

  2. reach out to us to ask about something, file a complaint, or make a request for service;

  3. visit and transact in our stores, apps, and websites; and

  4. submit your personal data to us for any other reason.

V. How do we process your personal data and why?

When we process your personal data, it means that we are collecting, recording, storing, modifying, organizing, using, disclosing, transferring, or deleting it according to the law. The processing that we do will be done only with your consent, or if justified by our legitimate business interests. We can do these activities through either software or paper-based mechanisms. Anyway, we will only be processing your personal data:

  1. To give you updates on our DITO 5G Home WiFi. We may process your personal data so we can check whether you are eligible for our 5G Home WiFi service. If we find out that you are not yet eligible for this specific service, we may offer you our other products and services that we think will benefit you.

  2. To comply with our legal obligations. We process your data to comply with our obligations under the law and to the government regulators.

  3. To establish, exercise, or defend legal claims. If necessary, we may process your data to prosecute or defend a legal claim.

You can be assured that we will not process your personal data in a way that is inconsistent with these purposes.

VI. Who is the Personal Information Controller?

We are considered the Personal Information Controller ("PIC") under the DPA. This means that we can determine the purposes for which your personal data can be used. In case your personal data is shared with your consent to a third party under the appropriate data transfer agreement, this third party will also be considered a PIC or Personal Information Processor ("PIP") depending on the terms contained therein.

VII. To whom do we disclose your personal data and why?

To deliver optimal service and maintain our competitive edge, we may share your personal data with third parties outside of DITO. Such disclosures are carried out securely and confidentially, and always in compliance with applicable data privacy laws and regulations. We will never share, lease, or sell your personal data to third parties, unless required by law or if you have provided explicit consent.

We will never share, rent, or sell your personal data to third parties, except in special circumstances where this is required by law or you have given your clear and explicit consent.

In some instances, we may need to share your personal data with our agents, subsidiaries, affiliates, partners, and other third parties as part of our operations and for the continued provision of products and services. This means that we might share your information with:

  1. Our service providers, contractors, and professional advisors. We may have to share personal data to carry out certain activities in the normal course of our business. These service providers, contractors, and professional advisors help us with activities like:

    • designing, developing, maintaining, debugging, and optimizing our products, services, systems, tools, and applications;
    • providing application or infrastructure services;
    • marketing activities or events and managing customer communications, including mobile attributions and the generation of analytics;
    • preparing reports and statistics, printing materials, and designing products;
    • creating and placing advertisements on apps, websites, social media, and other modes of communication;
    • facilitating payment and transfer of funds;
    • identifying, investigating, or preventing fraud or other misconduct; and
    • performing legal, auditing, or other special services provided by lawyers, notaries, auditors, or other professional advisors.

  2. Our subsidiaries and affiliates with whom you have also signed up with. We do so only to improve our operations as well as those of our subsidiaries and affiliates. For example, we can study your use of our products and services as well as that of our subsidiaries and affiliates to create product and service bundles that would meet your needs.

  3. Other companies to whom you have also given consent for us to share information with. For example, when you sign up for products and services by other companies, they may request your data from us for them to validate your identity; and

  4. Government, supervisory, judicial authorities. To comply with our own legal and regulatory obligations, we may disclose your personal data to the appropriate government, supervisory, and judicial authorities such as:

    • Public authorities, regulators, and supervisory bodies such as the National Telecommunications Commission and the National Privacy Commission;
    • Judicial and investigative authorities such as the police, public prosecutors, courts, and arbitration and mediation bodies.

If you want to know our partners, you can make a request through our Data Protection Officer using the contact details outlined in Part XII below.

VIII. How long will we be keeping your personal data here?

When we keep your personal data, we will be following these principles:

  1. We will retain personal data only according to operational needs and in compliance with legal and regulatory purposes.

  2. However, we may retain your personal data for longer when it is necessary for us:

    • to continue providing you with the products and services you get from us;
    • to meet our legitimate business purposes;
    • to comply with our own legal obligations; and
    • to exercise or defend legal claims when the need arises.

For the actual handling of your personal data:

  1. Physical copies of the forms you submit to us will be stored in secure storage areas.

  2. Electronic copies of these forms will also be stored in our secure databases.

IX. How do we protect your personal data?

We are committed to keeping your personal data safe. To maintain this commitment, we:

  1. design our products and services with your safety in mind;

  2. established a dedicated team to look after the safety and security of your personal data;

  3. use the right organizational, physical, and technical security measures, which includes audits, policies and procedures related to data security, setting up secured servers and firewalls, encryption, and other security controls;

  4. ensure only qualified and authorized staff have access to your personal data, and that our staff are bound to keep your personal data confidential;

  5. use contracts to make sure that third-party service providers that process your personal data for us have the right security measures that will help keep your personal data safe;

  6. notify you and the appropriate privacy regulators in the event of a personal data breach; and

  7. we let you update or correct your personal data to keep our records up to date.

To help us serve you effectively, it is essential that the personal data you submit to us is complete, accurate, and true. Any inaccuracies may hinder our ability to provide the products and services you have requested. If any information or circumstances change, we ask that you promptly notify us to ensure the accuracy of your personal data. You may also be required to provide supporting documentation or additional details to help DITO verify the updated information.

X. What are your rights in relation to your personal data?

The DPA gives you rights in relation to your personal data. It essentially gives you control on how your personal data is collected and used by companies.

Below is a list of your rights. We want to make sure that you understand what these are, so we are describing each of these rights in a simple and transparent manner:

  1. The right to be informed. When we ask you to share your personal data with us, we give you details of what data we will be using, why we will be using it, and how long we will be keeping it, among other things.

  2. The right to object. This is your right to tell us to stop using your personal data. Please note, however, the DPA still allows us to use your personal data despite the exercise of this right under certain conditions. For example, we will still process your personal data despite your objection if we are legally required to do so or if it is necessary to fulfill our legal obligations to you.

  3. The right to access. This right allows you to ask whether we have personal data on you and, if we do, ask for a copy of that personal data.

  4. The right to rectification. This gives you the right to correct anything that you think is wrong with the personal data we have on file on you.

  5. The right to erasure or blocking. This gives you the right to ask us to delete your personal data. However, there are only certain instances where you can exercise this, such as in a case where you think we are processing your personal data unlawfully.

  6. The right to portability. This right allows you to get a copy of the personal data we have on you in a structure, commonly used, and machine-readable format.

  7. The right to damages. This right allows you to be indemnified for any damages that you may have sustained due to any violation of the DPA.

  8. The right to complain with the National Privacy Commission ("NPC"). In case you feel that any of your privacy rights have been violated, you have the right to file a complaint with the NPC. However, we encourage you to come to us first so we can resolve your complaint.

While you do have the right to withdraw the consent you have given, please note that this withdrawal will not stop us from processing your personal data so long as there are other legal bases to do so. In other words, if you withdraw your consent, we can only stop the processing activities that rely on your consent. If, however, we cannot give you a legal basis to justify the continued processing of your personal data, we will either stop the processing and delete your personal data or anonymize it.

In any case, to exercise any of these rights, please get in touch with our Data Protection Officer through the contact details we have indicated in Part XII below. In certain instances, we may ask for supporting documents or proof before we can move forward with your request. If someone else submits the request on your behalf, they must provide proof of authorization; otherwise, it will be rejected. Any identification provided will be processed in compliance with applicable laws. In some cases, we may deny your request and, if allowed by law, we will notify you of the reason for denial. We may also charge you a reasonable fee to help us process your request.

XI. How can you contact us about your personal data?

In case you have questions, concerns, or complaints regarding the processing of your personal data, you can contact our Data Protection Officer through the contact details below:

  • Addressed to: The Data Protection Officer

  • Office Address: 16th Floor, Udenna Tower, Rizal Drive cor. 4th Avenue , Bonifacio Global City, City of Taguig

  • Email Address: privacymatters@dito.ph

XII. How will you know if there are changes to this privacy statement?

This privacy statement will be updated from time to time to comply with changes in the law, adopt new technologies, or for some other legitimate reason. If we do make important changes, like how and why we use your personal data, we will let you know through a notice, email, SMS, or a message in our app. We will also make sure to get your updated consent when necessary.

This version became effective on 26 June 2025.

DITO TELECOMMUNITY CORPORATION

PRIVACY STATEMENT FOR MOBILE POSTPAID SERVICE

Last updated 26 June 2025

DITO Telecommunity Corporation (“DITO,” “we,” “us,” or “our”) is committed to safeguarding your privacy and upholding your rights under applicable data privacy laws. We implement appropriate measures to ensure the security of your personal data in compliance with Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations, and other relevant issuances of the National Privacy Commission (NPC). We are committed to safeguarding your personal data across all channels of interaction with us, including our website, mobile applications, online portals, physical stores and offices, paper-based forms, and digital communications such as email, SMS, and other electronic messaging platforms.

As a user of our mobile postpaid service, we encourage you to review this privacy statement thoroughly to understand how we handle your personal data and the principles that guide ousr data processing activities. This statement outlines how we collect, use, and disclose your personal data, and provides information on how you may access, update, or manage your data, including your options and preferences regarding its use.

I. What does DITO do?

DITO is a major telecommunications provider in the Philippines. It offers and will offer a variety of telecommunications services to consumers, including services related to mobile telephony and the internet of things.

Further, when you avail of our postpaid service, you will likewise be covered by DITO’s General Privacy Statement, which can be accessed through https://dito.ph/privacy-policy. You can also view this on the DITO Application (“DITO App”).

II. What are the types of Personal Data that DITO collects and processes?

In purchasing our products and in engaging our services, we may collect and process both your personal and sensitive personal information. For the purposes of this Privacy Statement, these shall be collectively referred to as “Personal Data.” The following are the categories of Personal Data that DITO will be collecting and processing in connection to the postpaid service:

  1. Identification data, such as name, gender, salutation, date and place of birth, ID type and number, tax identification number, customer segment, nationality, home address, province, city or municipality, district, ZIP code, and specimen signature.

  2. Employment data, such as company name or employer, office address, province, city or municipality, district, ZIP code, office telephone number, occupation, job title, position, and years of employment.

  3. Contact information: primary and alternative mobile numbers, primary and alternative email addresses, landline number.

  4. Business or corporate data (for business or corporate accounts): business document presented, business registration reference, authorized representative (name, contact number, email address, and ID number), and email address (for receipt of monthly statements of account).

  5. Financial data: proofs of billing and other proofs of financial capacity, such as pay slips and income tax returns (if you’re employed) or audited financial statements (if you’re running a business).

  6. Transaction data: registered address or installation address, preferred billing address, and plan type.

  7. Service data, such as details of calls, SMS, and data usage.

  8. Network data, such as your network performance experience, diagnostic information, signal strength, dropped calls, data failures, and other network performance issues.

  9. Device data, such as the IP address of your mobile device or the computer you use, the IMEI of your mobile device, device brand and model, operating software or system version, and the pages you visit on our websites and apps.

  10. Location data if you are using location-based services.

  11. Payment details: method of payment.

  12. Know our customer data as part of customer due diligence to prevent fraud.

  13. Your interactions with us on social media and through our channels, such as Facebook, Twitter, Instagram, other social media platforms, our website, and live chat.

III. How does DITO collect your Personal Data?

We collect your Personal Data from any documents or communications that you may have directly submitted to us, such as through application forms, contracts, the DITO App or through our other channels, physical or otherwise.

We may also collect your Personal Data through our business intelligence platforms, which will allow us to see how you interact with our products and services.

You may withdraw your consent to the processing of your Personal Data at any time. Upon receipt of your request, we will promptly delete your Personal Data and cease processing, unless we have a legal basis under applicable law to continue processing despite the withdrawal of consent.

We may also collect your personal data from our subsidiaries, affiliates, and business partners, if you give them consent to share your personal data with us.

IV. How does DITO process your Personal Data?

When we process your personal data, it means that we are collecting, recording, storing, modifying, organizing, using, disclosing, transferring, or deleting it in accordance with the law. The processing that we do will be done only with your consent, or if justified by our legitimate business interests. We can do these activities through either software or paper-based mechanisms.

V. Why does DITO process your Personal Data?

Your Personal Data shall be processed for the following purposes:

  1. To perform our contractual obligations to you;

  2. To comply with the provisions of Republic Act No. 11934 (otherwise known as the “SIM Registration Act”) and its Implementing Rules and Regulations (“SRA IRR”);

  3. To provide DITO mobile postpaid service and other related services to you;

  4. To provide products, services, and marketing tailored just for you;

  5. To determine your monthly service fee and credit limit, if applicable;

  6. To receive and analyze customer feedback based on your experience, if any;

  7. To comply with statutory and regulatory requirements, including directives, issuances by, or obligations of DITO to any competent authority, regulator, supervisory body, enforcement agency, exchange, court, quasi-judicial body or tribunal;

  8. To establish, exercise, or defend legal claims;

  9. To facilitate aftersales services; and

  10. To fulfill any other purposes directly related to the above-stated purposes.

Rest assured that DITO will not process your Personal Data in ways incompatible with the above-stated purposes.

. Who is the Personal Information Controller?

DITO is the Personal Information Controller (“PIC”) under the DPA, which means that it determines the purposes for which the Personal Data it holds will be used for. In case your personal data is shared with your consent to a third party under the appropriate data transfer agreement, this third party will also be considered a PIC or a Personal Information Processor (“PIP”) depending on the terms contained therein.

. To whom does DITO disclose your Personal Data and why?

In compliance with the SIM Registration Act, information that we get from you as part of the SIM registration process shall be treated as absolutely confidential and shall not be disclosed to any person. The law, however, permits disclosure of your full name and address if it’s made in compliance with the following:

  1. Any law obligating the PTE to disclose such information in accordance with the provisions of Republic Act No. 10173 or the Data Privacy Act of 2012;

  2. A court order or legal process upon finding of probable cause;

  3. A subpoena issued in compliance with Section 10 of Republic Act No. 11934; and

  4. With the written consent of the subscriber.

In some instances, we may need to share your personal data with our agents, subsidiaries, affiliates, partners, and other third parties as part of our operations and for the continued provision of products and services. Whenever we do so, we ensure that this is shared on a confidential basis and only through secure means. All disclosures will always follow applicable privacy laws and regulations.

We will never share, rent, or sell your personal data to third parties, except in special circumstances where this is required by law, or you have given your clear and explicit consent.

VIII. DATA RETENTION

When we keep your personal data, we will be following these principles:

  1. We will retain personal data only according to operational needs and in compliance with legal and regulatory purposes.

  2. However, we may retain your personal data for longer when it is necessary for us:

    • to continue providing you with the products and services you get from us;
    • to meet our legitimate business purposes;
    • to comply with our own legal obligations; and
    • to exercise or defend legal claims when the need arises.

For the actual handling of your personal data:

  1. Physical copies of the forms you submit to us will be stored in secure storage areas.

  2. Electronic copies of these forms will also be stored in our secure databases.

IX. How does DITO protect your Personal Data?

We are committed to keeping your personal data safe. To maintain this commitment:

  1. In compliance with the SIM Registration Act, we:

    1. Maintain a secure register of the SIMs or our end-users;

    2. Implement any change in the information in our SIM register as requested by end-users within the period required by law;

    3. Deactivate the SIM within twenty-four (24) hours from receipt of information on the death of the end-user, loss or theft of a SIM, or request for deactivation;

    4. Immediately effect barring of any SIM reported as lost or stolen;

    5. Deactivate, temporarily or permanently, the SIM used for fraudulent SMS or calls upon due investigation;

    6. Treat as absolutely confidential any information or data obtained during the registration process, unless otherwise permitted by the SIM Registration Act and other applicable laws;

    7. Ensure that the end-users' data are secured, encrypted, and protected at all times and comply with the security standards prescribed by the Department of Information and Communications Technology ("DICT");

    8. Report to the DICT within twenty-four (24) hours of detection any incident of cyber-attack on the SIM register;

    9. Report to the National Privacy Commission in case of a personal data breach; and

    10. Allow the DICT to perform an annual audit;

  2. We design our products and services with your safety in mind;

  3. We established a dedicated team to look after the safety and security of your personal data;

  4. We use the right organizational, physical, and technical security measures, which includes audits, policies and procedures related to data security, setting up secured servers and firewalls, encryption, and other security controls;

  5. We ensure only qualified and authorized staff have access to your personal data, and that our staff are bound to keep your personal data confidential;

  6. We regularly review our collection, storage, and processing practices;

  7. We use contracts to make sure that third party service providers that process your personal data for us have the right security measures that will help keep your personal data safe;

  8. We notify you and the appropriate privacy regulators in the event of a personal data breach; and

  9. We let you update or correct your personal data to keep our records up to date.

To help us serve you effectively, it is essential that the personal data you submit to us is complete, accurate, and true. Any inaccuracies may hinder our ability to provide the products and services you have requested. If any information or circumstances change, we ask that you promptly notify us to ensure the accuracy of your personal data. You may also be required to provide supporting documentation or additional details to help DITO verify the updated information.

X. What are your rights regarding your Personal Data?

As a data subject, you have certain rights under the DPA. You may exercise the following rights to your discretion:

  1. The right to access Personal Data
    Under the DPA, it is possible for individuals to request access to any of their Personal Data held by DITO, subject to certain restrictions. A request for disclosure of such information is called a subject access request.

  2. The right to make corrections to Personal Data
    The DPA requires DITO to take reasonable steps to ensure that any Personal Data it processes is accurate and updated. It is your responsibility to inform DITO of any changes to the Personal Data that you have supplied to us during your relationship with DITO.

  3. The right to object to the processing of Personal Data
    You have the right to object to the processing of your Personal Data. You shall also be notified and be given an opportunity to withhold consent to the processing in case of changes or any amendment to the information made known to you in this Privacy Statement.
    Please note that some of the Personal Data you have provided to us is necessary for us to comply with statutory and regulatory requirements, as well as DITO’s administrative policies. Hence, the collection and processing of these pieces of Personal Data is mandatory.

  4. The right to erasure or blocking of Personal Data
    You have the right to suspend, withdraw or order the blocking, removal, or destruction of your Personal Data from our filing system. However, the exercise of this right is subject to certain conditions as specified by the DPA.

  5. The right to be informed of the existence of processing of your Personal Data
    You have the right to be informed whether Personal Data pertaining to you shall be, is being, or have been processed, including the existence of automated decision-making and profiling.

  6. The right to data portability
    You have the right to get a copy of the Personal Data we have on you in a structure, commonly used, and machine-readable format.

  7. The right to damages
    Upon presentation of a valid decision, DITO recognizes your right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of your Personal Data, taking into account any violation of your rights and freedoms as a data subject.

  8. The right to lodge a complaint before the National Privacy Commission.
    To exercise your rights, please contact our Data Protection Officer using the details in Part XII below. We may request supporting documents to process your request. If someone else submits the request on your behalf, they must provide proof of authorization; otherwise, it will be rejected. Any identification provided will be processed in compliance with applicable laws. In some cases, we may deny your request and, if permitted, inform you of the reason. A reasonable fee may apply to cover processing costs.

XI. How can you contact DITO if you have questions about this Privacy Statement?

In case you have questions, concerns, or complaints regarding the processing of your Personal Data, you may address them to DITO's Data Protection Officer:

  • Addressed to: The Data Protection Officer

  • Office address: 16th Floor, Udenna Tower, Rizal Drive cor. 4th Avenue, Bonifacio Global City, Taguig City

  • Email address: privacymatters@dito.ph

XII. For how long shall your consent be valid?

Once you agree to the processing of your Personal Data according to the terms of this Privacy Statement, your consent and authorization shall remain valid and subsisting for a limited period consistent with the purposes stated above or until otherwise revoked or cancelled in writing in accordance with the DPA.

XIII. How will you be informed of any changes to this Privacy Statement?

This privacy statement will be updated from time to time to comply with changes in the law, adopt new technologies, or for some other legitimate reason. If we do make important changes, like how and why we use your personal data, we will let you know through a notice, email, SMS, or a message in our app. We will also make sure to get your updated consent when necessary.

This version became effective on 26 June 2025.

DITO TELECOMMUNITY CORPORATION

PRIVACY STATEMENT FOR DITO LOAD ASSIST

Last updated 26 June 2025

DITO Telecommunity Corporation ("DITO," "we," "us," or "our") is committed to safeguarding your privacy and upholding your rights under applicable data privacy laws. We implement appropriate measures to ensure the security of your personal data in compliance with Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations, and other relevant issuances of the National Privacy Commission (NPC). We are committed to safeguarding your personal data across all channels of interaction with us, including our website, mobile applications, online portals, physical stores and offices, paper-based forms, and digital communications such as email, SMS, and other electronic messaging platforms.

We encourage you to review this privacy statement thoroughly to understand how we handle your personal data and the principles that guide our data processing activities. This statement outlines how we collect, use, and disclose your personal data, and provides information on how you may access, update, or manage your data, including your options and preferences regarding its use.

I. What does DITO do?

We are a major telecommunications provider in the Philippines. We offer and will be offering a variety of telecommunications services to you, including services related to mobile telephony and the internet of things.

II. What is the purpose and scope of this privacy statement for load assist?

This Privacy Statement explains how we collect, use, store, and protect your personal data when you avail of our Load Assist Service. By availing of the Load Loan Service, you acknowledge that you have read, understood, and agreed to the practices described in this Privacy Statement.

Further, when you avail of our Load Assist Service, you will likewise be covered by DITO's General Privacy Statement that can be accessed through https://dito.ph/privacy-policy. You can also access the same through the DITO Application ("DITO App").

III. What are the types of your personal data that we will be processing?

Personal data refers to information that identifies or can be linked to you, a natural person. For the purpose of providing you the Load Assist Service, we will be needing the following information:

  1. Subscriber-related information: mobile station international subscriber directory number or mobile number and whether the mobile number has been registered or not; and
  2. Service usage information: information related to topping up (balance, amount, and validity) and information related to services products purchased or availed of.

IV. How will we be collecting your personal data?

Since the Load Assist Service is a network-based service, we primarily collect your personal data through your use of our network. This includes:

  • Automatically collected data from your transactions, device, and network usage;
  • Direct information provided by you when applying for or managing your Load Loan; and
  • Data from third parties such as authorized service providers supporting our operations.

V. How do we process your personal data and why?

When we process your personal data, it means that we are collecting, recording, storing, modifying, organizing, using, disclosing, transferring, or deleting it according with the law. The processing that we do will be done only with your consent, or if justified by our legitimate business interests. We can do these activities through either software or paper-based mechanisms. Anyway, we will only be processing your personal data:

  1. To determine your eligibility for the load loan. This will also allow us to invite you to avail of the load loan if you are eligible for it;
  2. To facilitate your Load Loan application and approval;
  3. To validate your requests to get credit and to subsequently give you such credit if you are eligible;
  4. To facilitate the recovery of the credit provided once possible;
  5. To detect and prevent fraud, unauthorized transactions, and other security risks;
  6. To process payments and manage your loan balance; and
  7. To facilitate the reconciliation process in terms of validating the credit and recovery transactions between DITO and its loan service provider.

You can be assured that we will not process your personal data in a way that is inconsistent with these purposes.

VI. Who is the Personal Information Controller?

We are considered the Personal Information Controller ("PIC") under the DPA. This means that we can determine the purposes for which your personal data can be used. In case your personal data is shared with your consent to a third party under the appropriate data transfer agreement, this third party will also be considered a PIC or a Personal Information Processor ("PIP") depending on the terms contained therein.

VII. To whom do we disclose your personal data and why?

To deliver optimal service and maintain our competitive edge, we may share your personal data with third parties outside of DITO. Such disclosures are carried out securely and confidentially, and always in compliance with applicable data privacy laws and regulations. We will never share, lease, or sell your personal data to third parties, unless required by law or if you have provided explicit consent.

We will never share, rent, or sell your personal data to third parties, except in special circumstances where this is required by law or you have given your clear and explicit consent.

In some instances, we may need to share your personal data to our agents, subsidiaries, affiliates, partners, and other third parties as part of our operations. This means that we might share your information with:

  1. Our service providers. We may have to share personal data to carry out certain activities in the normal course of our business. These service providers, contractors, and professional advisors help us with activities like:

    1. Helping us offer the Load Assist Service to eligible subscribers; and
    2. identifying, investigating, or preventing fraud or other misconduct.

  2. Government, supervisory, judicial authorities. To comply with our own legal and regulatory obligations, we may disclose your personal data to the appropriate government, supervisory, and judicial authorities such as:

    1. Public authorities, regulators, and supervisory bodies such as the National Telecommunications Commission and the National Privacy Commission; and
    2. Judicial and investigative authorities such as the police, public prosecutors, courts, and arbitration and mediation bodies.

VII. How long will we be keeping your personal data here?

When we keep your personal data, we will be following these principles:

  1. We will retain personal data only according to operational needs and in compliance with legal and regulatory purposes.

  2. However, we may retain your personal data for longer when it is necessary for us:

    • to continue providing you with the products and services you get from us;
    • to meet our legitimate business purposes;
    • to comply with our own legal obligations; and
    • to exercise or defend legal claims when the need arises.

For the actual handling of your personal data:

  1. Physical copies of the forms you submit to us will be stored in secure storage areas.

  2. Electronic copies of these forms will also be stored in our secure databases.

VIII. How do we protect your personal data?

We are committed to keeping your personal data safe. To maintain this commitment, we:

  1. design our products and services with your safety in mind;
  2. established a dedicated team to look after the safety and security of your personal data;
  3. use the right organizational, physical, and technical security measures, which includes audits, policies and procedures related to data security, setting up secured servers and firewalls, encryption, and other security controls;
  4. ensure only qualified and authorized staff have access to your personal data, and that our staff are bound to keep your personal data confidential;
  5. use contracts to make sure that third-party service providers that process your personal data for us have the right security measures that will help keep your personal data safe;
  6. notify you and the appropriate privacy regulators in the event of a personal data breach; and
  7. we let you update or correct your personal data to keep our records up to date.

To help us serve you effectively, it is essential that the personal data you submit to us is complete, accurate, and true. Any inaccuracies may hinder our ability to provide the products and services you have requested. If any information or circumstances change, we ask that you promptly notify us to ensure the accuracy of your personal data. You may also be required to provide supporting documentation or additional details to help DITO verify the updated information.

IX. What are your rights in relation to your personal data?

The DPA gives you rights in relation to your personal data. It essentially gives you control over how your personal data is collected and used by companies.

Below is a list of your rights. We want to make sure that you understand what these are, so we are describing each of these rights in a simple and transparent manner:

  1. The right to be informed. When we ask you to share your personal data with us, we give you details of what data we will be using, why we will be using it, and how long we will be keeping it, among other things.

  2. The right to object. This is your right to tell us to stop using your personal data. Please note, however, the DPA still allows us to use your personal data despite the exercise of this right under certain conditions. For example, we will still process your personal data despite your objection if we are legally required to do so or if it is necessary to fulfill our legal obligations to you.

  3. The right to access. This right allows you to ask whether we have personal data on you and, if we do, ask for a copy of that personal data.

  4. The right to rectification. This gives you the right to correct anything that you think is wrong with the personal data we have on file on you.

  5. The right to erasure or blocking. This gives you the right to ask us to delete your personal data. However, there are only certain instances where you can exercise this, such as in a case where you think we are processing your personal data unlawfully.

  6. The right to portability. This right allows you to get a copy of the personal data we have on you in a structure, commonly used, and machine-readable format.

  7. The right to damages. This right allows you to be indemnified for any damages that you may have sustained due to any violation of the DPA.

  8. The right to complain with the National Privacy Commission. In case you feel that any of your privacy rights have been violated, you have the right to file a complaint with the NPC. However, we encourage you to come to us first so we can resolve your complaint.

While you do have the right to withdraw the consent you have given (which can be done by reaching out to our Data Protection Officer), please note that this withdrawal will not stop us from processing your personal data so long as there are other legal bases to do so. In other words, if you withdraw your consent, we can only stop the processing activities that rely on your consent. If, however, we cannot give you a legal basis to justify the continued processing of your personal data, we will either stop the processing and delete your personal data or anonymize it.

In any case, to exercise any of these rights, please get in touch with our Data Protection Officer through the contact details we have indicated below. In certain instances, we may ask for supporting documents or proof before we can move forward with your request. If someone else submits the request on your behalf, they must provide proof of authorization; otherwise, it will be rejected. Any identification provided will be processed in compliance with applicable laws. In some cases, we may deny your request and, if allowed by law, we will notify you of the reason for denial. We may also charge you a reasonable fee to help us process your request.

X. How can you contact us about your personal data?

In case you have questions, concerns, or complaints regarding the processing of your personal data, you can contact our Data Protection Officer through the contact details below:

  • Addressed to: The Data Protection Officer

  • Office Address: 16th Floor, Udenna Tower, Rizal Drive cor. 4th Avenue, Bonifacio Global City, City of Taguig

  • Email Address: privacymatters@dito.ph

XI. How will you know if there are changes to this privacy statement?

This privacy statement will be updated from time to time to comply with changes in the law, adopt new technologies, or for some other legitimate reason. If we do make important changes, like how and why we use your personal data, we will let you know through a notice, email, SMS, or a message in our app. We will also make sure to get your updated consent when necessary.

This version became effective on 26 June 2025.

DITO TELECOMMUNITY CORPORATION

DATA PRIVACY STATEMENT FOR ENTERPRISE SERVICES

Last updated 11 April 2025

DITO Telecommunity Corporation (“DITO,” “we,” “us,” or “our”) is committed to safeguarding your privacy and upholding your rights under applicable data privacy laws. We implement appropriate measures to ensure the security of your personal data in compliance with Republic Act No. 10173, also known as the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations, and other relevant issuances of the National Privacy Commission (NPC). We are committed to safeguarding your personal data across all channels of interaction with us, including our website, mobile applications, online portals, physical stores and offices, paper-based forms, and digital communications such as email, SMS, and other electronic messaging platforms.

To provide you with our enterprise services, DITO will need to collect and process your Personal Data for the purposes stated in this Data Privacy Statement for Enterprise Services (“Enterprise Privacy Statement”). This statement outlines how we collect, use, and disclose your personal data, and provides information on how you may access, update, or manage your data, including your options and preferences regarding its use.

  1. I. What does DITO do?

    DITO is a major telecommunications provider in the Philippines. It offers and will offer a variety of telecommunications services to consumers, including services related to mobile telephony and the internet of things.

    When you use our enteprise services, you will likewise be covered by DITO’s General Privacy Statement that can be accessed through https://dito.ph/privacy-policy. You can also access the same through the DITO Application (“DITO App”).

  2. II. What are the types of Personal Data that DITO collects and processes?

    DITO may collect and process both your personal and sensitive personal information. For the purposes of this Privacy Statement, these shall be collectively referred to as “Personal Data.”

    If you are getting our Business Mobile Postpaid Service, the following are the categories of Personal Data that DITO will be collecting and processing:

    1. Identification data: full name, gender, nationality, and specimen signature (of the Authorized Company Signatory, Company Representative, and Company Assignee);
    2. Contact Information: primary mobile number, telephone number, and email addresses (for Company Representative) and email address (for Company Assignee);
    3. Corporate Information: business name, head office address (unit, floor, building name, street, and street number), telephone number, SEC registration number, BIR number, company incorporation date, and designation (of the Authorized Company Signatory, Company Representative, and Company Assignee);
    4. Financial data: such as proofs of billing and other proofs of financial capacity;
    5. Transaction data: registered account name, plan type and coverage;
    6. Service data: details of calls, SMS, data usage, network performance experience, diagnostic information, signal strength, dropped calls, data failures, and other network performance issues;
    7. Device data: IP address of the issued mobile device or the computer, the IMEI of the mobile device, device brand and model, operating software or system version;
    8. Location: address (including longitude and latitude) and billing address if you are using location-based services;
    9. Government-issued or valid ID: Government-issued ID Number or Company ID Number (of the Authorized Company Signatory, Company Representative, and Company Assignee); and
    10. Other data collected through surveys, our contact or call centers, or through any other channel that you use to contact us.

    If you are getting our 5G Enterprise FWA, the following are the categories of Personal Data that DITO will be collecting and processing:

    1. Identification data: full name, gender, nationality, and specimen signature (of the Authorize Company Signatory, Company Representative, and Company Assignee);
    2. Contact information: primary mobile numbers, telephone number, and email addresses (for Company Representative) and email address (for Company Assignee);
    3. Corporate Information: business name, head office address (unit, floor, building name, street, and street number), telephone number, SEC registration number, BIR number, company incorporation date, and designation (of the Authorized Company Signatory and Company Representative);
    4. Location: address (including longitude and latitude), preferred installation address, and billing address if you are using location-based services;
    5. Network data: such as network performance experience, diagnostic information, signal strength, dropped calls, data failures, and other network performance issues;
    6. Government-issued or valid ID: Government-issued ID Number or Company ID Number (of the Authorized Company Signatory, Company Representative, and Company Assignee); and
    7. Other data collected through surveys, our contact or call centers, or through any other channel that you use to contact us.

  3. III. How does DITO collect your Personal Data?

    We collect your Personal Data from any documents or communications that you may have directly submitted to us, such as through application forms, contracts, the DITO App or through our other channels, whether physical or otherwise.

    We may also collect your Personal Data through our business intelligence platforms, which will allow us to see how you interact with our products and services.

    Further, your Personal Data is also captured via closed-circuit television cameras (CCTVs) or other equipment or devices while you are within our premises.

    Lastly, we also collect your Personal Data when you visit and transact in our stores, apps, and websites and when you submit your Personal Data to us for any other reason.

  4. IV. How does DITO process your Personal Data?

    Your Personal Data may be processed through either software or paper-based mechanisms, in compliance with the rules related to data protection and data security. Your Personal Data shall be collected, organized, stored, updated, retrieved, used, consolidated, or destroyed in line with the purposes for processing set out in this Enterprise Privacy Statement.

  5. V. Why does DITO process your Personal Data?

    Your Personal Data shall be processed for the following purposes:

    1. General Purposes for Processing
      1. To perform our contractual obligations to you;
      2. To comply with the SIM Registration Act;
      3. To determine your monthly service fee and credit limit, if applicable;
      4. To receive and analyze customer feedback based on your experience, if any;
      5. To comply with statutory and regulatory requirements, including directives, issuances by, or obligations of DITO to any competent authority, regulator, supervisory body, enforcement agency, exchange, court, quasi-judicial body, or tribunal;
      6. To establish, exercise, or defend legal claims;
      7. To facilitate aftersales services; and
      8. To maintain safety.
    2. If you’re getting our Business Mobile Postpaid Service
      1. To provide you with our Business Mobile Prepaid Service and to help you manage the accounts of assignees under this service; and
      2. To facilitate the issuance of mobile postpaid devices.
    3. If you’re getting our Business Enterprise Fixed Wireless Access Service
      1. To provide you with our Business Enterprise Fixed Wireless Access Service and to help you manage the accounts of assignees under this service; and
      2. To facilitate the delivery and installation of the FWA units.
    4. To fulfill any other purposes directly related to the above-stated purposes.

    DITO will not process your Personal Data in ways incompatible with the above-stated purposes and will only process such data for purposes directly related to those stated above.

  6. VI. Who is the Personal Information Controller?

    DITO is a Personal Information Controller (“PIC”) under the DPA, which means that it determines the purposes for which the Personal Data it holds will be used for. It may also be that your Personal Data is disclosed to third parties pursuant to a data transfer agreement. In which case, this third party will also be considered a PIC or a Personal Information Processor (“PIP”) depending on the terms contained therein.

    However, since the use of our Enterprise Services may require you or your organization to share personal data that you are already processing for your own purposes, you or your organization will also be considered as a Personal Information Controller under the DPA. For this purpose, you or your organization, as the PIC, is thus obligated to obtain the valid consent of the relevant data subjects before you share the same with us. You should also be prepared to provide proof of such consent should we ask for it.

  7. VII. To whom does DITO disclose your Personal Data and why?

    The following are the third parties to whom your personal data may be shared or disclosed:

    1. Information technology services providers
    2. Our subsidiaries and affiliates
    3. Over the Top (“OTT”) service providers;
    4. Suppliers;
    5. External auditors;
    6. External counsel;
    7. External fulfillment teams; and
    8. Government, regulatory, judicial authorities

    Your Personal Data may be disclosed to third parties for the following purposes:

    1. To help us deliver and install the relevant devices covered under by the applicable Enterprise Service;
    2. To respond to law enforcement authority or other government regulatory bodies’ requests;
    3. To help us determine the maximum allowable monthly service fee and credit limit for you;
    4. To generate insights on how DITO’s systems are used, with such data being used for further streamlining and improvement of the systems;
    5. To prevent physical harm or financial loss;
    6. To conduct audits, including operational, risk, compliance, financial, and anti-fraud, and corruption audits, and/or investigate a complaint or security threat;
    7. To comply with DITO’s business and management responsibilities and policies, which are necessary for the continued operations of DITO;
    8. To establish, exercise, or defend legal claims; and
    9. To fulfill any other purposes related to the above-stated purposes.

    When the processing of your Personal Data is outsourced by DITO to a third party, the processing will be subject to written agreements between DITO and the third parties processing the data. These written agreements will specify the rights and obligations of each party and will ensure that the third party has adequate security measures in place and will only process your Personal Data upon the specific written instructions of DITO.

    DITO may also transfer your Personal Data to third parties as required by law or legal instrument, to protect DITO’s rights or assets and in emergencies where the health or safety of a person is endangered.

    DITO will not sell, rent, share, trade, or disclose any of your Personal Data to any other party without your prior written consent, except for any third-party service providers that DITO has engaged, whose services necessarily require the processing of your personal data.

  8. VIII. DATA RETENTION

    We will retain personal data only according to operational need and in compliance with legal and regulatory purposes. In general, we shall only retain your personal data for ten (10) years after the processing relevant to the purpose has been terminated. However, we may retain your personal data for longer when it is necessary for us:

    • to continue providing you with the products and services you get from us;
    • to meet our legitimate business purposes;
    • to comply with our own legal obligations; and
    • to exercise or defend legal claims when the need arises.

    Forms that contain your Personal Data will be digitized and stored and maintained on DITO’s database hosted by a secure cloud provider. Forms, documents, and information submitted electronically shall be maintained by the same provider or in DITO’s secured servers.

    DITO shall ensure, using contractual and other reasonable means, that the third-party service providers implement proper safeguards to ensure the confidentiality, integrity and availability of the personal data processed, prevent its use for unauthorized purposes, and comply with the Data Privacy Regulations.

    In any event, once your Personal Data has reached the end of the retention period or if we no longer have any legal justification to keep it, your data will either be deleted or anonymized (if in an electronic format) or shredded (if in a physical format) in accordance with our policies.

  9. IX. How does DITO protect your Personal Data?

    We are committed to keeping your personal data safe. To maintain this commitment, we:

    1. Design our products and services with your safety in mind;
    2. Established a dedicated team to look after the safety and security of your personal data;
    3. Use the right organizational, physical, and technical security measures, which includes audits, policies and procedures related to data security, setting up secured servers and firewalls, encryption, and other security controls;
    4. Ensure only qualified and authorized staff have access to your personal data, and that our staff are bound to keep your personal data confidential;
    5. Regularly review our collection, storage, and processing practices;
    6. Use contracts to make sure that third-party service providers that process your personal data for us have the right security measures that will help keep your personal data safe;
    7. Notify you and the appropriate privacy regulators in the event of a personal data breach; and
    8. Let you update or correct your personal data to keep our records up to date.

    To help us serve you effectively, it is essential that the personal data you submit to us is complete, accurate, and true. Any inaccuracies may hinder our ability to provide the products and services you have requested. If any information or circumstances change, we ask that you promptly notify us to ensure the accuracy of your personal data. You may also be required to provide supporting documentation or additional details to help DITO verify the updated information.

  10. X. What are your rights regarding your Personal Data?

    As a data subject, you have certain rights under the DPA. You may exercise the following rights to your discretion:

    1. The right to access Personal Data

      Under the DPA, it is possible for individuals to request access to any of their Personal Data held by DITO, subject to certain restrictions. A request for disclosure of such information is called a subject access request. Any such requests should be addressed to DITO’s Data Protection Officer through the contact information provided below in Part XII of this Enterprise Privacy Statement.

    2. The right to make corrections to Personal Data

      The DPA requires DITO to take reasonable steps to ensure that any Personal Data it processes is accurate and updated. It is your responsibility to inform DITO of any changes to the Personal Data that you have supplied to us during your relationship with DITO.

    3. The right to object to the processing of Personal Data

      You have the right to object to the processing of your Personal Data. You shall also be notified and be given an opportunity to withhold consent to the processing in case of changes or any amendment to the information made known to you in this Enterprise Privacy Statement.

      Keep in mind that while you do have the right to withdraw the consent you have given, please note that this withdrawal will not stop us from processing your personal data so long as there are other legal bases to do so. In other words, if you withdraw your consent, we can only stop the processing activities that rely on your consent. If, however, we cannot give you a legal basis to justify the continued processing of your personal data, we will either stop the processing and delete your personal data or anonymize it.

      Also, please note that some of the Personal Data you have provided to us is necessary for us to comply with statutory and regulatory requirements, as well as DITO’s administrative policies. Hence, the collection and processing of these pieces of Personal Data is mandatory.

    4. The right to erasure or blocking of Personal Data

      You have the right to suspend, withdraw or order the blocking, removal, or destruction of your Personal Data from our filing system. However, the exercise of this right is subject to certain conditions as specified by the DPA.

    5. The right to be informed of the existence of processing of your Personal Data

      You have the right to be informed whether Personal Data pertaining to you shall be, is being, or have been processed, including the existence of automated decision-making and profiling.

    6. The right to portability

      This right allows you to get a copy of the Personal Data we have on you in a structure, commonly used, and machine-readable format.

    7. The right to damages

      Upon presentation of a valid decision, DITO recognizes your right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of your Personal Data, taking into account any violation of your rights and freedoms as a data subject.

    8. The right to lodge a complaint before the National Privacy Commission

      In case you feel that any of your privacy rights have been violated, you have the right to file a complaint with the NPC. However, we encourage you to come to us first so we can resolve your complaint.

      To exercise your rights, please contact our Data Protection Officer using the details in Part XII below. We may request supporting documents to process your request. If someone else submits the request on your behalf, they must provide proof of authorization; otherwise, it will be rejected. Any identification provided will be processed in compliance with applicable laws. In some cases, we may deny your request and, if permitted, inform you of the reason. A reasonable fee may apply to cover processing costs.

  11. XI. How will you be informed of any changes to this Privacy Statement?

    This Enterprise Privacy Statement may be updated from time to time to comply with changes in the law, adopt new technologies, or for some other legitimate reason. The data subject will be notified through the appropriate channel should there be any amendments or changes to this Enterprise Privacy Statement.

  12. XII. How can you contact DITO if you have questions about this Enterprise Privacy Statement?

    In case you have questions, concerns, or complaints regarding the processing of your Personal Data, you may address them to DITO’s Data Protection Officer:

    Addressed to: The Data Protection Officer
    Office Address:

    16th Floor, Udenna Tower, Rizal Drive cor. 4th Avenue, Bonifacio Global City, City of Taguig
    Email Address:

    privacymatters@dito.ph

  13. XIII. For how long shall your consent be valid?

    Once you agree to the processing of your Personal Data according to the terms of this Enterprise Privacy Statement, your consent and authorization shall remain valid and subsisting for a limited period consistent with the purposes stated above or until otherwise revoked or cancelled in writing in accordance with the DPA.

    This version became effective on April 11, 2025.