Comprehensive Data Policy

While your consent may be solicited to process your personal data, we may also process personal data without your consent, such as when processing is allowed under Section 12 or Section 13 of the DPA.

To enable us to remain in contact and build relationship with you, it is important that SGV & Co. collects, uses, processes and retains your personal information when it is reasonable and necessary.

In particular, we are using your information to:

• Properly address the inquiries and requests
• Forward your inquiries and requests to appropriate internal committee or authorized personnel for action and response
• To provide notice and update with current SGV & Co.'s initiative such as compliance and industry updates, workshop and sponsored trainings
• Perform such other processing or disclosure that may be required under law or regulations

As a general rule, personal data processed by the SGV & Co. is not shared with any other party unless such disclosure is allowed under Section 12 or 13 of the DPA.

You authorize SGV & Co. to disclose your information to accredited/affiliated third parties or independent/non-affiliated third parties, whether local or foreign in the following circumstances:

• As necessary for the proper execution of processes related to the declared purpose
• The use or disclosure is reasonably necessary, required or authorized by or under law
• This means we might provide information to the following: Our partner companies, organizations, or agencies including their sub-contractors or prospective business partners that act as our service providers and contractors
• Law enforcement and government agencies
• All third parties with which we share this information are required to use your personal information in a manner that is consistent with this policy

We collect personal data from you (e.g. name, e-mail address) when you electronically share to us your information and submit to us your message through the SGV & Co. General Contact Us Form.

Risk refers to the potential of an incident to result in harm or danger to a data subject or organization. Risks may lead to the unauthorized collection, use, disclosure, or access to personal data. It includes risks involving the confidentiality, integrity, and availability of personal data or the risk that processing will violate the general data privacy principles and the rights of data subjects.

SGV & Co. ensures that adequate physical, technical, and organizational security measures are in place to protect personal information's confidentiality, integrity, and availability. However, this does not guarantee absolute protection against certain risks involving the processing of personal data, such as when systems are exposed to targeted cyberattacks, malware, ransomware, and computer viruses or when manual records are accessed without authority.

However, adequate policies are in place to ensure appropriate security incident management in line with existing SGV & Co. policies, and the DPA, NPC circulars, and other issuances of NPC.

• We safeguard the confidentiality, integrity, and availability of your personal information by maintaining a combination of organizational, physical, and technical security measures based on generally accepted data privacy and information security standards. Among the measures we implement are the following: We keep and protect your information using a secured server behind a firewall, deploying encryption on computing devices and physical security controls
• We restrict access to your information only to qualified and authorized personnel who hold your information with strict confidentiality
• Any personal information that you provide on the Website is initially processed and stored by SGV & Co. Using a secured connection, authorized SGV & Co. personnel can then access and download your personal information.

SGV & Co. reserves the right to update or revise this privacy notice at any time and will provide a new privacy notice whenever there are substantial changes. Prior versions of the privacy notice shall be retained and shall be provided to data subjects upon request.

We store files containing personal information in our computers and servers, which are kept in a secure environment. We may also store your personal information with cloud-based third-party data storage providers. We shall ensure that proper measures are adopted to protect your information.

Your personal information will be kept for a period of ten (10) years from the submission of your inquiries and requests through the Website, unless you request your data to be deleted in our database and hard copies immediately. Once deleted, the data will be completely removed from all the storage location.

Other categories of data may be kept longer than ten (10) years when its retention period is determined by other relevant laws and regulations.

Physical records shall be disposed of through shredding, while digital files may be anonymized. In all instances, our manner of disposal shall ensure that the personal information shall no longer be retrieved, processed, or accessed by unauthorized persons.

Under the DPA, you have the right to be informed regarding processing the personal information we hold about you.

Further, you may be entitled to request:

• Access to personal data we process about you. It is your right to obtain confirmation on whether or not data relating to you are being processed;
• Rectification of your personal data. This is your right to have your personal data corrected if it is inaccurate or incomplete;
• Erasure or order blocking of your personal data whenever warranted;
• The right to object if the personal data processing involved is based on consent or on legitimate interest;
• The right to data portability through which you may obtain and electronically move, copy, or transfer your data securely for further use.

As data subject, you have the right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of your personal data, taking into account any violation of your right and freedoms as data subject. Suppose you think that your personal information has been misused, maliciously disclosed, or improperly disposed of or that your data privacy rights have been violated. In that case, you have a right to file a complaint with the NPC.

You understand that you may request SGV & Co. by a written letter or email to the Data Privacy Officer (DPO) to exercise your rights which include right to access, modify, erasure and object to processing your personal data within a reasonable time after such request. You may reach us through our Data Protection Officer at 6760 Ayala Avenue, Makati City, Metro Manila 1226 or email us at sgvgco@ph.ey.com.

While your consent may be solicited to process your personal data, we may also process personal data without your consent, such as when processing is allowed under Section 12 or Section 13 of the DPA.

We collect your personal data to facilitate your application process and to enable us to connect with you for an opportunity to work with SGV & Co. In particular, we are using your personal data to:

• Review your profile and application if it meets the requirements and qualifications of SGV & Co. for a specific role or position
• Maintain communication with you and provide notice and update on the status of your application
• Send you an invitation for interview if you meet the requirements of SGV & Co. for a specific role or position
• Such other processing or disclosure for an orderly and proper application process with SGV & Co.
• When available, sending you the materials presented or used during the trainings/seminars either electronically or in hard copy, as may be applicable; or
• Perform such other processing or disclosure that may be required under law or regulations

As a general rule, personal data processed by the SGV & Co. is not shared with any other party unless such disclosure is allowed under Section 12 or 13 of the DPA.

You authorize SGV & Co. to disclose your information to accredited/affiliated third parties or independent/non-affiliated third parties, whether local or foreign in the following circumstances:

• As necessary for the proper execution of processes related to the declared purpose
• The use or disclosure is reasonably necessary, required or authorized by or under law

This means we might provide information to the following:

• Our partner companies, organizations, or agencies including their sub-contractors or prospective business partners that act as our service providers and contractors
• Law enforcement and government agencies
• All third parties with which we share this information are required to use your personal information in a manner that is consistent with this policy

We collect the personal data below upon your electronic submission of below data with us through the Careers General Application Form:

• Basic personal information such as your name, email address and contact number
• Sensitive personal information such as your company name, company industry, and position.

Please note that you are responsible for ensuring that all such personal information you submit through the Website is accurate, complete and up-to-date.

Risk refers to the potential of an incident to result in harm or danger to a data subject or organization. Risks may lead to the unauthorized collection, use, disclosure, or access to personal data. It includes risks involving the confidentiality, integrity, and availability of personal data or the risk that processing will violate the general data privacy principles and the rights of data subjects.

SGV & Co. ensures that adequate physical, technical, and organizational security measures are in place to protect personal information's confidentiality, integrity, and availability. However, this does not guarantee absolute protection against certain risks involving the processing of personal data, such as when systems are exposed to targeted cyberattacks, malware, ransomware, and computer viruses or when manual records are accessed without authority.

However, adequate policies are in place to ensure appropriate security incident management in line with existing SGV & Co. policies, and the DPA, NPC circulars, and other issuances of NPC.

We safeguard the confidentiality, integrity, and availability of your personal information by maintaining a combination of organizational, physical, and technical security measures based on generally accepted data privacy and information security standards. Among the measures we implement are the following:

• We keep and protect your information using a secured server behind a firewall, deploying encryption on computing devices and physical security controls
• We restrict access to your information only to qualified and authorized personnel who hold your information with strict confidentiality
• Any personal information that you provide on the Website is initially processed and stored by SGV & Co. Using a secured connection, authorized SGV & Co. personnel can then access and download your personal information.

SGV & Co. reserves the right to update or revise this privacy notice at any time and will provide a new privacy notice whenever there are substantial changes. Prior versions of the privacy notice shall be retained and shall be provided to data subjects upon request.

We store files containing personal information in our computers and servers, which are kept in a secure environment. We may also store your personal information with cloud-based third-party data storage providers. We shall ensure that proper measures are adopted to protect your information.

Your personal information will be kept for a period of ten (10) years from the submission of your inquiries and requests through the Website, unless you request your data to be deleted in our database and hard copies immediately. Once deleted, the data will be completely removed from all the storage location.

Other categories of data may be kept longer than ten (10) years when its retention period is determined by other relevant laws and regulations.

Physical records shall be disposed of through shredding, while digital files may be anonymized. In all instances, our manner of disposal shall ensure that the personal information shall no longer be retrieved, processed, or accessed by unauthorized persons.

Under the DPA, you have the right to be informed regarding processing the personal information we hold about you.

Further, you may be entitled to request:

• Access to personal data we process about you. It is your right to obtain confirmation on whether or not data relating to you are being processed;
• Rectification of your personal data. This is your right to have your personal data corrected if it is inaccurate or incomplete;
• Erasure or order blocking of your personal data whenever warranted;
• The right to object if the personal data processing involved is based on consent or on legitimate interest;
• The right to data portability through which you may obtain and electronically move, copy, or transfer your data securely for further use.

As data subject, you have the right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of your personal data, taking into account any violation of your right and freedoms as data subject. Suppose you think that your personal information has been misused, maliciously disclosed, or improperly disposed of or that your data privacy rights have been violated. In that case, you have a right to file a complaint with the NPC.

You understand that you may request SGV & Co. by a written letter or email to the Data Privacy Officer (DPO) to exercise your rights which include right to access, modify, erasure and object to processing your personal data within a reasonable time after such request. You may reach us through our Data Protection Officer at 6760 Ayala Avenue, Makati City, Metro Manila 1226 or email us at sgvgco@ph.ey.com.

While your consent may be solicited to process your personal data, we may also process personal data without your consent, such as when processing is allowed under Section 12 or Section 13 of the DPA.

We also process your personal data to enable us to remain in contact and build relationship with you as our alumni. SGV & Co. collects, uses, processes and retains your personal information when it is reasonable and necessary.

In particular, we are using your information to:

• To give promotional information on SGV & Co. events such as alumni homecoming, SGV & Co. anniversary.
• To greet you on your birthday.
• To provide notice and update with current SGV & Co.'s initiative such as compliance and industry updates, career opportunities, workshops and sponsored trainings; and
• Perform such other processing or disclosure that may be required under law or regulations.

As a general rule, personal data processed by the SGV & Co. is not shared with any other party unless such disclosure is allowed under Section 12 or 13 of the DPA.

You authorize SGV & Co. to disclose your information to accredited/affiliated third parties or independent/non-affiliated third parties, whether local or foreign in the following circumstances:

• As necessary for the proper execution of processes related to the declared purpose
• The use or disclosure is reasonably necessary, required or authorized by or under law

This means we might provide information to the following:

• Our partner companies, organizations, or agencies including their sub-contractors or prospective business partners that act as our service providers and contractors
• Law enforcement and government agencies
• All third parties with which we share this information are required to use your personal information in a manner that is consistent with this policy

We collect the personal data from you when you electronically share to us your information and submit to us your message through the SGV & Co. Alumni Registration and Store Inquiry Form:

• Basic personal information such as your name, email address and contact number
• Sensitive personal information such as your age, date of birth, gender, current employment information and previous SGV & Co. employment information.

Risk refers to the potential of an incident to result in harm or danger to a data subject or organization. Risks may lead to the unauthorized collection, use, disclosure, or access to personal data. It includes risks involving the confidentiality, integrity, and availability of personal data or the risk that processing will violate the general data privacy principles and the rights of data subjects.

SGV & Co. ensures that adequate physical, technical, and organizational security measures are in place to protect personal information's confidentiality, integrity, and availability. However, this does not guarantee absolute protection against certain risks involving the processing of personal data, such as when systems are exposed to targeted cyberattacks, malware, ransomware, and computer viruses or when manual records are accessed without authority.

However, adequate policies are in place to ensure appropriate security incident management in line with existing SGV & Co. policies, and the DPA, NPC circulars, and other issuances of NPC.

We safeguard the confidentiality, integrity, and availability of your personal information by maintaining a combination of organizational, physical, and technical security measures based on generally accepted data privacy and information security standards. Among the measures we implement are the following:

• We keep and protect your information using a secured server behind a firewall, deploying encryption on computing devices and physical security controls
• We restrict access to your information only to qualified and authorized personnel who hold your information with strict confidentiality
• Any personal information that you provide on the Website is initially processed and stored by SGV & Co. Using a secured connection, authorized SGV & Co. personnel can then access and download your personal information.

SGV & Co. reserves the right to update or revise this privacy notice at any time and will provide a new privacy notice whenever there are substantial changes. Prior versions of the privacy notice shall be retained and shall be provided to data subjects upon request.

We store files containing personal information in our computers and servers, which are kept in a secure environment. We may also store your personal information with cloud-based third-party data storage providers. We shall ensure that proper measures are adopted to protect your information.

Your personal information will be kept for a period of ten (10) years from the submission of your inquiries and requests through the Website, unless you request your data to be deleted in our database and hard copies immediately. Once deleted, the data will be completely removed from all the storage location.

Other categories of data may be kept longer than ten (10) years when its retention period is determined by other relevant laws and regulations.

Physical records shall be disposed of through shredding, while digital files may be anonymized. In all instances, our manner of disposal shall ensure that the personal information shall no longer be retrieved, processed, or accessed by unauthorized persons.

Under the DPA, you have the right to be informed regarding processing the personal information we hold about you.

Further, you may be entitled to request:

• Access to personal data we process about you. It is your right to obtain confirmation on whether or not data relating to you are being processed;
• Rectification of your personal data. This is your right to have your personal data corrected if it is inaccurate or incomplete;
• Erasure or order blocking of your personal data whenever warranted;
• The right to object if the personal data processing involved is based on consent or on legitimate interest;
• The right to data portability through which you may obtain and electronically move, copy, or transfer your data securely for further use.

As data subject, you have the right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of your personal data, taking into account any violation of your right and freedoms as data subject. Suppose you think that your personal information has been misused, maliciously disclosed, or improperly disposed of or that your data privacy rights have been violated. In that case, you have a right to file a complaint with the NPC.

You understand that you may request SGV & Co. by a written letter or email to the Data Privacy Officer (DPO) to exercise your rights which include right to access, modify, erasure and object to processing your personal data within a reasonable time after such request. You may reach us through our Data Protection Officer at 6760 Ayala Avenue, Makati City, Metro Manila 1226 or email us at sgvgco@ph.ey.com.

While your consent may be solicited to process your personal data, we may also process personal data without your consent, such as when processing is allowed under Section 12 or Section 13 of the DPA. We collect your personal data to enable us to perform processes to facilitate training and registration of Continuing Professional Development (CPD) to the PRC.

In particular, we are using your information to:

• Forecast the schedules of the trainings that you will be attending as a participant, resource speaker, panelist/reactor, facilitator/moderator
• Process the registration of trainings including the list of participants to PRC
• Perform such other processing or disclosure that may be required under law or regulations

As a general rule, personal data processed by the SGV & Co. is not shared with any other party unless such disclosure is allowed under Section 12 or 13 of the DPA.

You authorize SGV & Co. to disclose your information to accredited/affiliated third parties or independent/non-affiliated third parties, whether local or foreign in the following circumstances:

• As necessary for the proper execution of processes related to the declared purpose
• The use or disclosure is reasonably necessary, required or authorized by or under law

This means we might provide information to the following:

• Our partner companies, organizations, or agencies including their sub-contractors or prospective business partners that act as our service providers and contractors
• Law enforcement and government agencies

All third parties with which we share this information are required to use your personal information in a manner that is consistent with this policy

• We collect information to process your requirements to Professional Regulatory Commission (PRC) as a licensed professional and for the renewal of your license as you have provided to us manually or electronically. This includes information such as: Basic personal information such as your name, email address, contact number, company name, company industry, and position.
• Sensitive personal information such as your PRC license number and its expiration date.

In case the training/s will be conducted through an online platform (e.g. MS Teams) and be recorded, your personal information that may appear, if any, in the recorded video may also be processed. Any photographs, video and/or audio recordings (Materials) may be taken during the training/s. SGV & Co. may collect, use, reproduce, edit and/or share the Materials for internal and external publications (which include magazines, newsletters and websites), for publicity and marketing purposes, and/or for post-event communications with event attendees. All rights, title and interests in the Materials shall belong to SGV & Co.

Please note that you are responsible for ensuring that all such personal information you submit through the Website is accurate, complete and up-to-date.

Risk refers to the potential of an incident to result in harm or danger to a data subject or organization. Risks may lead to the unauthorized collection, use, disclosure, or access to personal data. It includes risks involving the confidentiality, integrity, and availability of personal data or the risk that processing will violate the general data privacy principles and the rights of data subjects.

SGV & Co. ensures that adequate physical, technical, and organizational security measures are in place to protect personal information's confidentiality, integrity, and availability. However, this does not guarantee absolute protection against certain risks involving the processing of personal data, such as when systems are exposed to targeted cyberattacks, malware, ransomware, and computer viruses or when manual records are accessed without authority.

However, adequate policies are in place to ensure appropriate security incident management in line with existing SGV & Co. policies, and the DPA, NPC circulars, and other issuances of NPC.

We safeguard the confidentiality, integrity, and availability of your personal information by maintaining a combination of organizational, physical, and technical security measures based on generally accepted data privacy and information security standards. Among the measures we implement are the following:

• We keep and protect your information using a secured server behind a firewall, deploying encryption on computing devices and physical security controls
• We restrict access to your information only to qualified and authorized personnel who hold your information with strict confidentiality
• Any personal information that you provide on the Website is initially processed and stored by SGV & Co. Using a secured connection, authorized SGV & Co. personnel can then access and download your personal information.

SGV & Co. reserves the right to update or revise this privacy notice at any time and will provide a new privacy notice whenever there are substantial changes. Prior versions of the privacy notice shall be retained and shall be provided to data subjects upon request.

We store files containing personal information in our computers and servers, which are kept in a secure environment. We may also store your personal information with cloud-based third-party data storage providers. We shall ensure that proper measures are adopted to protect your information.

The data will be kept for period ten (10) years from successful execution of the trainings, unless you request your data to be deleted in our database and hard copies immediately. Once deleted, the data will be completely removed from all the storage location.

In case the trainings/seminars are conducted through online platforms (i.e. MS Teams), your name, email address and company name shall be deleted from the online platform at the end of the session and, when applicable, after we send you the materials used during the trainings/seminars conducted through the online platform.

Other categories of data may be kept longer than ten (10) years when its retention period is determined by other relevant laws and regulations. Physical records shall be disposed of through shredding, while digital files may be anonymized. In all instances, our manner of disposal shall ensure that the personal information shall no longer be retrieved, processed, or accessed by unauthorized persons.

Under the DPA, you have the right to be informed regarding processing the personal information we hold about you.

Further, you may be entitled to request:

• Access to personal data we process about you. It is your right to obtain confirmation on whether or not data relating to you are being processed;
• Rectification of your personal data. This is your right to have your personal data corrected if it is inaccurate or incomplete;
• Erasure or order blocking of your personal data whenever warranted;
• The right to object if the personal data processing involved is based on consent or on legitimate interest;
• The right to data portability through which you may obtain and electronically move, copy, or transfer your data securely for further use.

As data subject, you have the right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of your personal data, taking into account any violation of your right and freedoms as data subject.

Suppose you think that your personal information has been misused, maliciously disclosed, or improperly disposed of or that your data privacy rights have been violated. In that case, you have a right to file a complaint with the NPC.

You understand that you may request SGV & Co. by a written letter or email to the Data Privacy Officer (DPO) to exercise your rights which include right to access, modify, erasure and object to processing your personal data within a reasonable time after such request. You may reach us through our Data Protection Officer at 6760 Ayala Avenue, Makati City, Metro Manila 1226 or email us at sgvgco@ph.ey.com.

While your consent may be solicited to process your personal data, we may also process personal data without your consent, such as when processing is allowed under Section 12 or Section 13 of the DPA.

We collect your personal data to enable us to perform processes to facilitate training and seminars which may either be face-to-face or through online platform (i.e. MS Teams).

In particular, we are using your personal information to:

• Forecast the schedules of the trainings that you will be attending as a participant, resource speaker, panelist/reactor, facilitator/moderator
• Process the registration of trainings/seminars
• Where applicable, provide you with the invitation and joining instructions for your participation and/or access to our recorded trainings/seminars through an online platform;
• When available, the sending of materials presented or used during the training/seminars either electronically or in hard copies;
• Perform such other processing or disclosure as may be required under the law or regulations.

As a general rule, personal data processed by the SGV & Co. is not shared with any other party unless such disclosure is allowed under Section 12 or 13 of the DPA.

You authorize SGV & Co. to disclose your information to accredited/affiliated third parties or independent/non-affiliated third parties, whether local or foreign in the following circumstances:

• As necessary for the proper execution of processes related to the declared purpose
• The use or disclosure is reasonably necessary, required or authorized by or under law

This means we might provide information to the following:

• Our partner companies, organizations, or agencies including their sub-contractors or prospective business partners that act as our service providers and contractors
• Law enforcement and government agencies

All third parties with which we share this information are required to use your personal information in a manner that is consistent with this policy

We collect information to maintain communication with you as you have provided to us manually or electronically. This includes information such as:

• Basic personal information such as your name, email address, contact number, company name, company industry, position.
• Sensitive personal information such as your PRC license number and its expiration date.

In case the training/s will be conducted through an online platform (e.g. MS Teams) and be recorded, your personal information that may appear, if any, in the recorded video may also be processed. Any photographs, video and/or audio recordings (Materials) may be taken during the training/s. SGV & Co. may collect, use, reproduce, edit and/or share the Materials for internal and external publications (which include magazines, newsletters and websites), for publicity and marketing purposes, and/or for post-event communications with event attendees. All rights, title and interests in the Materials shall belong to SGV & Co.

Please note that you are responsible for ensuring that all such personal information you submit through the Website is accurate, complete and up-to-date.

Risk refers to the potential of an incident to result in harm or danger to a data subject or organization. Risks may lead to the unauthorized collection, use, disclosure, or access to personal data. It includes risks involving the confidentiality, integrity, and availability of personal data or the risk that processing will violate the general data privacy principles and the rights of data subjects.

SGV & Co. ensures that adequate physical, technical, and organizational security measures are in place to protect personal information's confidentiality, integrity, and availability. However, this does not guarantee absolute protection against certain risks involving the processing of personal data, such as when systems are exposed to targeted cyberattacks, malware, ransomware, and computer viruses or when manual records are accessed without authority.

However, adequate policies are in place to ensure appropriate security incident management in line with existing SGV & Co. policies, and the DPA, NPC circulars, and other issuances of NPC.

We safeguard the confidentiality, integrity, and availability of your personal information by maintaining a combination of organizational, physical, and technical security measures based on generally accepted data privacy and information security standards. Among the measures we implement are the following:

• We keep and protect your information using a secured server behind a firewall, deploying encryption on computing devices and physical security controls
• We restrict access to your information only to qualified and authorized personnel who hold your information with strict confidentiality
• Any personal information that you provide on the Website is initially processed and stored by SGV & Co. Using a secured connection, authorized SGV & Co. personnel can then access and download your personal information.

SGV & Co. reserves the right to update or revise this privacy notice at any time and will provide a new privacy notice whenever there are substantial changes. Prior versions of the privacy notice shall be retained and shall be provided to data subjects upon request.

We store files containing personal information in our computers and servers, which are kept in a secure environment. We may also store your personal information with cloud-based third-party data storage providers. We shall ensure that proper measures are adopted to protect your information.

The data will be kept for period ten (10) years from successful execution of the trainings, unless you request your data to be deleted in our database and hard copies immediately. Once deleted, the data will be completely removed from all the storage location.

In case the trainings/seminars are conducted through online platforms (i.e. MS Teams), your name, email address and company name shall be deleted from the online platform at the end of the session and, when applicable, after we send you the materials used during the trainings/seminars conducted through the online platform.

Other categories of data may be kept longer than ten (10) years when its retention period is determined by other relevant laws and regulations. Physical records shall be disposed of through shredding, while digital files may be anonymized. In all instances, our manner of disposal shall ensure that the personal information shall no longer be retrieved, processed, or accessed by unauthorized persons.

Under the DPA, you have the right to be informed regarding processing the personal information we hold about you.

Further, you may be entitled to request:

• Access to personal data we process about you. It is your right to obtain confirmation on whether or not data relating to you are being processed;
• Rectification of your personal data. This is your right to have your personal data corrected if it is inaccurate or incomplete;
• Erasure or order blocking of your personal data whenever warranted;
• The right to object if the personal data processing involved is based on consent or on legitimate interest;
• The right to data portability through which you may obtain and electronically move, copy, or transfer your data securely for further use.

As data subject, you have the right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of your personal data, taking into account any violation of your right and freedoms as data subject.

Suppose you think that your personal information has been misused, maliciously disclosed, or improperly disposed of or that your data privacy rights have been violated. In that case, you have a right to file a complaint with the NPC.

You understand that you may request SGV & Co. by a written letter or email to the Data Privacy Officer (DPO) to exercise your rights which include right to access, modify, erasure and object to processing your personal data within a reasonable time after such request. You may reach us through our Data Protection Officer at 6760 Ayala Avenue, Makati City, Metro Manila 1226 or email us at sgvgco@ph.ey.com.

While your consent may be solicited to process your personal data, we may also process personal data without your consent, such as when processing is allowed under Section 12 or Section 13 of the DPA.

We collect your personal data to enable us to remain in contact and build relationships with you. In particular, we are using your personal data to:

• Properly address the inquiries and requests
• Forward your inquiries and requests to appropriate internal committee or authorized personnel for action and response
• To provide you with appropriate notice and updates with current SGVFI’s initiative
• Perform such other processing or disclosure that may be required under law or regulations

Please note that you are responsible for ensuring that all such personal information you submit through the Website is accurate, complete and up-to-date.

As a general rule, personal data processed by the SGVF is not shared with any other party unless such disclosure is allowed under Section 12 or 13 of the DPA.

You authorize SGVF to disclose your information to accredited/affiliated third parties or independent/non-affiliated third parties, whether local or foreign in the following circumstances:

• As necessary for the proper execution of processes related to the declared purpose
• The use or disclosure is reasonably necessary, required or authorized by or under law

This means we might provide information to the following:

• Our partner companies, organizations, or agencies including their sub-contractors or prospective business partners that act as our service providers and contractors
• Law enforcement and government agencies
• All third parties with which we share this information are required to use your personal information in a manner that is consistent with this policy

We collect the personal data below when you electronically share your information and submit to us your message through the SGVF Contact Us Form:

• Basic personal information such as your name, email address, contact number, company name, company industry, position.

Risk refers to the potential of an incident to result in harm or danger to a data subject or organization. Risks may lead to the unauthorized collection, use, disclosure, or access to personal data. It includes risks involving the confidentiality, integrity, and availability of personal data or the risk that processing will violate the general data privacy principles and the rights of data subjects.

SGVF ensures that adequate physical, technical, and organizational security measures are in place to protect personal information's confidentiality, integrity, and availability. However, this does not guarantee absolute protection against certain risks involving the processing of personal data, such as when systems are exposed to targeted cyberattacks, malware, ransomware, and computer viruses or when manual records are accessed without authority.

However, adequate policies are in place to ensure appropriate security incident management in line with existing SGVF policies, and the DPA, NPC circulars, and other issuances of NPC.

We safeguard the confidentiality, integrity, and availability of your personal information by maintaining a combination of organizational, physical, and technical security measures based on generally accepted data privacy and information security standards. Among the measures we implement are the following:

• We keep and protect your information using a secured server behind a firewall, deploying encryption on computing devices and physical security controls
• We restrict access to your information only to qualified and authorized personnel who hold your information with strict confidentiality
• Any personal information that you provide on the Website is initially processed and stored by SGVF. Using a secured connection, authorized SGVF personnel can then access and download your personal information.

SGVF reserves the right to update or revise this privacy notice at any time and will provide a new privacy notice whenever there are substantial changes. Prior versions of the privacy notice shall be retained and shall be provided to data subjects upon request.

We store files containing personal information in our computers and servers, which are kept in a secure environment. We may also store your personal information with cloud-based third-party data storage providers. We shall ensure that proper measures are adopted to protect your information.

Your personal information will be kept for a period of ten (10) years from the submission of your inquiries and requests through the Website, unless you request your data to be deleted in our database and hard copies immediately. Once deleted, the data will be completely removed from all the storage location.

Other categories of data may be kept longer than ten (10) years when its retention period is determined by other relevant laws and regulations.

Physical records shall be disposed of through shredding, while digital files may be anonymized. In all instances, our manner of disposal shall ensure that the personal information shall no longer be retrieved, processed, or accessed by unauthorized persons.

Under the DPA, you have the right to be informed regarding processing the personal information we hold about you.

Further, you may be entitled to request:

• Access to personal data we process about you. It is your right to obtain confirmation on whether or not data relating to you are being processed;
• Rectification of your personal data. This is your right to have your personal data corrected if it is inaccurate or incomplete;
• Erasure or order blocking of your personal data whenever warranted;
• The right to object if the personal data processing involved is based on consent or on legitimate interest;
• The right to data portability through which you may obtain and electronically move, copy, or transfer your data securely for further use.

As data subject, you have the right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of your personal data, taking into account any violation of your right and freedoms as data subject. Suppose you think that your personal information has been misused, maliciously disclosed, or improperly disposed of or that your data privacy rights have been violated. In that case, you have a right to file a complaint with the NPC.

You understand that you may request SGVF by a written letter to our Executive Director to exercise your rights which include right to access, modify, erasure and object to processing your personal data within a reasonable time after such request. You may reach us through our office at 6760 Ayala Avenue, Makati City, Metro Manila 1226 or email at sgvf.admin@sgv.ph.