PHILIPPINE ADDENDUM TO AIRASIA’S PRIVACY STATEMENT

Philippines AirAsia (“PAA”, “we”, “us”, “our”) collects, processes, and retains Personal Data (as defined below) from its passengers, agents, clients, business partners, vendors, contractors and other third parties who transact with us (the “Data Subjects”).

This Addendum outlines the Personal Data we collect and process; the purpose for our collection and processing; the basis of processing, including the scope and method of data processing; the recipients for the data we collect and process; the retention period for the data collected; the rights of our Data Subjects; and the contact details of our data protection officer. We may, at any time and at our sole discretion, amend and update this Addendum.

This page modifies and supplements AirAsia’s (“AirAsia” or the “Group”) Privacy Statement in compliance with Republic Act No. 10173, or the Data Privacy Act of 2012 (“DPA”), its implementing rules and regulations (“IRR”) and relevant issuances of the National Privacy Commission (“NPC”). We have prepared this Addendum to help you understand how PAA processes and safeguards the Personal Data that it collects by reason of and in relation to your transactions with the Company, or your employment (whether on a part-time, temporary or full-time basis and including internships or traineeships), as applicable. We are committed to the protection and lawful processing of your personal information.

1. PERSONAL DATA WE COLLECT AND PROCESS

  1. PAA collects and processes Personal Data in order to enable the Company to properly provide and manage our air transport services and to comply with legal obligations and regulatory requirements. The Personal Data we collect pertain to basic information which we employ to improve our services and better address our clients' specific demands, such as:
    1. For Passengers:
      1. Name, address, mobile number/contact number, and e-mail address;
      2. Gender, date of birth, birthplace, civil or marital status, citizenship;
      3. Government-issued identification cards or documents such as passport, driver’s license, etc;
      4. Any information of similar nature that is necessary for the Company to manage its working relationship with Passengers.
    2. For Vendors, Third Parties, and other Contractors
      1. Name, address, mobile number/contact number, and e-mail address;
      2. Business or employment information such as the name of company, complete office address, business e-mail address and business telephone number
      3. Professional and other work-related licenses, permits, and certifications held;
      4. Information relating to your personal bank details;
      5. Information relating to your legal clearance and obligations;
      6. Any information of similar nature that is necessary for the Company to manage its working relationship with Vendors and other contractors.
  2. In addition to the Personal Data you provide to the Company directly, the Company may also collect your Personal Data from a variety of sources, including without limitation from: the visitation of or entry at our place of business / premises owned and/or occupied by us; dealing with our employees, including transactions with them via our contact numbers or online channels; submitting inquiries, concerns, requests, or complaints with our customer care agents and other officers; events, activities or otherwise; the use of the Company’s facilities; registration or attendance at any event or otherwise organized or sponsored by the Company, whether solely or in association/partnership with any third parties; persons that you have appointed and authorized the Company to communicate with such as representatives or liaison, and emergency contacts; regulatory and governmental authorities; and/or such other sources which you have given your consent and authorization; customer surveys and/or cookies used on the website and/or the Company’s social media pages.
  3. You are responsible for the accuracy of your Personal Data provided to the Company. You may also update the Company if there are any changes to your Personal Data that you wish to make. If you provide the Company with Personal Data of other parties, you are responsible for the accuracy of such data and confirm that you have obtained any necessary consent(s) for providing the Company with such Personal Data. You agree to indemnify, release, and hold the Company harmless from any damages and/or losses caused by the provision and the use of such Personal Data to/by the Company.

2. PURPOSE OF OUR COLLECTION AND PROCESSING

  1. PAA processes and uses your Personal Data for the following purposes:
    1. Verification. Verifying your identity and the accuracy of your personal details and other information provided.
    2. Communications. Your Personal Data may be used to allow the Company to communicate with you to provide our air transport services and when processing complaints and inquiries. The Company may also use Personal Data of passengers to notify them of important information regarding their flight or the transport service subject of the Contract of Carriage, and the Personal Data of business partners, clients, third parties, vendors, contractors to notify them of changes to any of the Company’s terms, conditions, and policies, and facilitating collection efforts.
    3. Internal Purposes and Record Keeping. Your Personal Data may be used by our sales department or relevant department for the purpose of evaluating compliance to processes, feedback and improving customer care response to clients' demands and expectations, including, but not limited to conduct of research and studies or surveys.
    4. Third Party Service Provider. For the purpose of implementing our business, the Company may work with third parties who provide services. For the duration of the services performed for the Company or the pertinent commercial agreement, the Company may share your Personal Data with such third parties if necessary for the purpose of enabling such third parties to provide their services to the Company.
    5. Miscellaneous. The Company may disclose your Personal Data if the Company believes that it is being required to do so: (i) by law; (ii) to comply with legal process or governmental requests; (iii) to enforce our policies; (iv) to protect our operations; (v) to protect the rights, privacy, safety or property of the Company, you or others; and (vi) to permit the Company to pursue available remedies or limit any damages that it may sustain.

3. HOW WE PROCESS YOUR PERSONAL DATA

  1. PAA collects and processes the Personal Data you provide through our website, by electronic mail or through submission of physical documents, pursuant to its legitimate interests or further to an existing contractual arrangement. The Company shall only resort to the use of legitimate interests when Personal Information is involved. Legitimate interests shall not be used in case of Sensitive Personal Information.
  2. Personal Data that the Company collects when you avail of our air transport services may be recorded and stored in digital or electronic format and physical copies. Digital and electronic copies of your Personal Data are stored in our servers, while physical copies are stored in secured storage.
  3. Access to information is limited to our operations and relevant department personnel and other authorized officers of the Company, to the extent that they require your Personal Data and only for the purposes above indicated.
  4. The Company may organize or consolidate your Personal Data to allow the Company to use the data for the purposes above stated. The Company can also retrieve any of your stored data for the same purposes, as well as to update, modify or correct your data upon your request.

4. PROTECTION OF YOUR PERSONAL DATA

  1. PAA is committed to protecting your personal information through physical, technical, and organizational security measures which safeguard the confidentiality, integrity, and availability of your personal information. We have implemented measures that are designed to comply with the applicable data protection laws and regulations. Among others, these include encryption of data, limiting of access, and employment of technology to protect your personal information from cybersecurity risks.
  2. In the event of a breach, or unauthorized access or disclosure of Personal Data, we will immediately notify the concerned clients and affected interested persons within seventy-two (72) hours after knowledge thereof. We will likewise transmit a report thereof to the NPC through the Data Breach Notification Management System (“DBNMS”) and will fully cooperate with them as regards any future investigation on the matter to the extent necessary to protect our clients and other interested persons' Personal Data.
  3. We likewise endeavor to regularly update this Addendum, to reflect any amendments to the DPA or in its IRR, as well as to implement any data privacy issuance from the NPC, including maintaining annual registration requirement of the NPC through the NPC Registration System (“NPCRS”), as part of our undertaking to protect our clients’ Personal Data, including all other interested persons who transact with our Company.
  4. While PAA is committed to implementing robust security measures, it is important to note that no system can guarantee absolute protection against all risks. Risks include, but are not limited to, the unauthorized collection, use, disclosure, or access to personal information. These risks may arise in circumstances beyond our control, such as in confidentiality, integrity and availability breaches. Nonetheless, we are continuously adapting and implementing necessary changes to ensure continuous security of your personal information. We have also established policies and procedures for security incident management, including possible instances of data breach, in line with industry best practices, legal requirements, and relevant data protection laws and regulations.

5. RECIPIENT OF DATA WE COLLECT AND PROCESS

  1. We disclose the Personal Data to the following individuals and entities, in fulfillment of the foregoing purposes:
    1. Our Company directors, officers, and relevant employees;
    2. Our parent company, [Capital A Berhad];
    3. Service providers and consultants contracted for accomplishing marketing, sales, commercial and other corporate purposes;
    4. Lawyers, auditors, and their corresponding service providers for advisory purposes;
    5. Banks, financial institutions, and other nonbank financial intermediaries for financial and commercial purposes; and
    6. Other third parties our company may transact with in the fulfillment of corporate purposes, e.g., subcontractors.
  2. The foregoing individuals and entities are required to use the disclosed Personal Data strictly in compliance with the purposes identified herein and in observance of the data privacy principles emphasized in this Privacy Notice, as well as those enumerated under the Privacy Laws.
  3. Moreover, the data shall be provided in a manner and form as specified in a separate contract of agreement. The Company and third parties shall take reasonable measures to protect the data from breach of the agreement or any part thereof or from unauthorized and unlawful disclosure to other parties. The following shall be observed in sharing data:
    1. The amount of information that shall be collected and processed are defined.
    2. The information shall be provided only to the authorized recipients as of the date of the agreement.
    3. The Company may withhold or order to cease processing or sharing of data at any time if it deems that such processing or disclosure is contrary to law or adversarial to the Company’s interests.
    4. The Company may share anonymized or aggregated information internally and with third parties for any purposes.

6. RETENTION PERIOD

  1. PAA shall maintain and store the Personal Data for the duration of the accomplishment of the purpose for which they were collected and processed. We shall only retain your personal information for as long as necessary to comply with our legal obligations, to resolve disputes, and to enforce our agreements with third parties. However, please note that we may retain Personal Data for longer periods for the purpose of complying with legal requirements imposed by the government. In this case, implementation of organizational, physical and security measures to safeguard the rights of our data subjects and other interested persons whose Personal Data were obtained, will be strictly observed by our Company. Personal Data will not be retained for a period longer than 5 years.
  2. Upon conclusion of the foregoing purposes and processes, we commit to dispose of your Personal Data in a secure manner, to protect it against further processing, unauthorized access, or disclosure to any other persons in any manner that would prejudice the interests of Data Subjects.

7. DATA SUBJECT RIGHTS AND COMPLAINT MECHANISM

  1. PAA is committed to upholding the data privacy rights of our Data Subjects under the Privacy Laws. As Data Subjects, you have the right to be informed, to access your Personal Data, to object to processing, to erasure, to rectification, to file a complaint, to damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of Personal Data.
  2. To exercise your data privacy rights, you may contact our Data Protection Officer by email at [email protected] or by contact number at 0282944517.
  3. Please clearly indicate the information that you wish to review, correct, update, or modify. The Company will endeavor to comply with your request as soon as reasonably possible. If the Company is unable to uphold your data privacy rights, you have the right to lodge a complaint before the NPC.
  4. The Company welcomes any feedback from you regarding any area of our existing services or marketing strategies. You may send your specific feedback to the email address and contact number above. Any feedback you provide shall be deemed to be confidential. Your feedback is highly appreciated as it serves as a way for us to improve our services and best satisfy your needs.

8. ACKNOWLEDGEMENT AND CONSENT

We may, from time to time, modify, update, or amend the terms of this Addendum by placing the updated Addendum on our website. The effective date of such modifications, updates or amendments will be noted at the end of this page. The Company will inform you in writing of any changes to this Addendum, either by email, letter, posting the changes at the Company’s official website, or other communication channels. The Company will accordingly ask for your consent on matters affecting your Personal Data before effecting the changes.