Data Privacy


In this Data Privacy, “PLDT” may refer to PLDT (SG) Pte. Ltd., PLDT (US) Ltd., PLDT (HK) Limited, or PLDT Japan GK, as determined by the entity signing/accepting the Service Order Form for the provision of the Services.


Whenever applicable, in performing its obligations under this Document, PLDT as a third party data processor shall, at all times, comply with the provisions of Republic Act No. 10173 or “the Data Privacy Act of 2012,” its implementing rules and regulations, and all other laws and government issuances which are now or will be promulgated relating to data privacy and the protection of personal information. PLDT, its officers, employees, and representatives undertake to:


  1. Process personal data under the instructions stated in this Document as agreed upon by Customer and PLDT including transfers of personal data to another country or an international organization, unless such transfer is authorized by law;
  2. Implement required measures and systems that will enable data subjects or subscribers to reasonably exercise their rights under the Data Privacy Act of 2012;
  3. Maintain proper records, and provide Customer the necessary access to such records, to the extent which will allow Customer to comply with the reasonable exercise by data subjects or subscribers of their right to access under the Data Privacy Act of 2012;
  4. Determine the appropriate level of security measures considering that of Customer, taking into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices, and cost of security implementation;
  5. Implement required security measures for data protection, including policies for evaluation, monitoring, and review of operations and security risks. Such measures shall aim to maintain the availability, integrity, and confidentiality of personal data, and prevent negligent, unlawful, or fraudulent processing, access, and other interference, use, disclosure, alteration, loss, and destruction of personal data;
  6. Implement reasonable and appropriate organizational, physical, and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration, and disclosure, as well as against any other unlawful processing, or for such other purposes as may be required under the Data Privacy Act of 2012 or any other applicable law or regulation;
  7. Implement reasonable and appropriate measures to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration, and contamination;
  8. Ensure to the extent that it is necessary and reasonable, that its employees, agents, and representatives who are involved in the processing of personal information operate and hold personal information under strict confidentiality;
  9. Not engage another processor without prior instruction from Customer: Provided, that any such arrangement shall ensure that the same obligations for data protection under this Document are implemented, taking into account the nature of the processing;
  10. Notify Customer as soon as it is reasonable to do so under the circumstances, to enable it to notify the National Privacy Commission and the affected data subject or subscriber within the period prescribed under the Data Privacy Act of 2012, when sensitive personal information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the PLDT, Customer, or the National Privacy Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject or subscriber;
  11. Promptly notify Customer if, in its opinion, any instructions of Customer violates, or may be construed to violate, any provision of the Data Privacy Act of 2012 or any other issuance of the National Privacy Commission;
  12. Reasonably assist Customer in ensuring compliance with the Data Privacy Act of 2012, its implementing rules and regulations, other relevant laws, and other issuances of the National Privacy Commission, taking into account the nature of processing and the information available to PLDT
  13. At the choice of Customer, delete or return all personal data to the former after the end of the provision of services relating to the processing: Provided, that this includes deleting existing copies unless storage is authorized by the Data Privacy Act of 2012 or another law;
  14. Make available to Customer the information necessary to reasonably demonstrate, under the circumstances, compliance with the obligations laid down in the Data Privacy Act of 2012, and allow for and contribute to audits, including inspections, conducted by Customer or another auditor as agreed upon by the parties, to the extent necessary for compliance with the Data Privacy Act of 2012.