This policy is hereby adopted by Aboitiz Foods to:

1. Comply with the statutory obligations set forth under the Personal Data Protection Act 2012 (“PDPA”) and its regulations.
2. Ensure the fair and lawful processing of the personal data of data subjects,
3. including employees, clients, customers, shareholders and other individuals.
4. Provide guidelines to team members on the proper handling of personal data.
5. Ensure the confidentiality, integrity and availability of personal data under the
6. control of the Company.
7. Ensure the confidentiality, integrity and availability of personal data under the
8. control of the Company.

2.0 Scope

This policy shall cover all personal data in whatever form (e.g., physical or digital), and processing of personal data in whatever manner (e.g., manual or automated) by Aboitiz Foods, its directors, officers, and employees.

3.0 Policy Statement

A. DEFINITIONS

1. ”Aboitiz Foods” refers to Aboitiz Foods Pte. Ltd.;
2. “Data subject” refers to an individual whose personal, sensitive personal, or privileged information is processed;
3. “Data processing systems” refers to the structure and procedure by which personal data is collected and further processed in an information and communications system or relevant filing system, including the purpose and intended output of the processing;
4. “Data sharing” is the disclosure or transfer to another entity of personal data under the custody of a company. The term excludes outsourcing, or the disclosure or transfer of personal data by the company to a contractor;
5. “Direct marketing” refers to communication by whatever means of any advertising or marketing material which is directed to particular individuals;
6. “Personal data” refers to all types of personal information including sensitive personal information and privileged information;
7. “Personal data breach” refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. A personal data breach may be in the nature of:
   1. An availability breach resulting from loss, accidental or unlawful destruction of personal data;
   2. Integrity breach resulting from alteration of personal data; and/or
   3. A confidentiality breach resulting from the unauthorized disclosure or access to personal data.
8. “Personal information” refers to any information from which the identity of an individual is apparent or can be reasonably and directly ascertained, or when put together with other information would directly and certainly identify an individual;
9. “Processing” refers to any operation or any set of operations performed upon personal data including the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may either be automated or Manual;
10. “Profiling” refers to any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects of an individual, in particular to analyze or predict aspects concerning an individual’s Performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;
11. “Privileged information” refers to any and all forms of data considered to be privileged communication under pertinent laws, including spousal communication, attorney-client communication and doctor-patient communication;
12. “Security incident” is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity and confidentiality of personal data. It includes incidents that would result to a personal data breach, if not for safeguards that have been put in place;
13. Sensitive personal information refers to personal information: About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
    1. About an individual’s health, education, genetic or sexual life, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the
    2. sentence of any court in such proceedings;
    3. Issued by government agencies peculiar to an individual including social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
    4. Specifically established by law to be kept classified.

B. DATA PRIVACY GOVERNANCE

1. Oversight. The Board of Directors of Aboitiz Foods shall have overall oversight of compliance with the Personal Data Protection Act  and implementation of this policy and other related policies of the Company.
2. Data Privacy Officer. A Data Privacy Officer (DPO), who shall be an organic employee of Aboitiz Foods, shall be appointed by the Chief Executive Officer (CEO). The DPO shall report directly to the CEO. In the event that the DPO has other job functions with a reporting line to another senior officer, he/she shall have a direct reporting line to the CEO for his DPO functions.
3. The DPO shall have the following duties and responsibilities:
   1. Ensure compliance with PDPA and regulations as well as this policy and other related policies of the Company;
   2. Ensure the regular review (at least annually) of privacy related policies, guidelines and procedures of the Company;
   3. Coordinate with the relevant officer/s of Aboitiz Foods responsible for information security management for the effective implementation of information security measures in the Company to ensure the  confidentiality, integrity and availability of personal data;
   4. Organize privacy and information security trainings;
   5. Coordinate with Aboitiz Foods’s Data Breach Response Team in the management of security incidents and personal data breaches;
   6. Oversee and coordinate the conduct of privacy impact assessments to identify privacy risks of Aboitiz Foods;
   7. Develop and implement remediation plans for privacy and information security risks in coordination with the information security officer and process owners;
   8. Monitor compliance with Aboitiz Foods’s privacy and information security standards of third party providers and other entities with access to personal data under the control of Aboitiz Foods;
   9. Ensure compliance by Aboitiz Foods of the reportorial, registration and other regulatory requirements under the PDPA; and
4. Team Leaders. The team leader of any department which process personal data shall have the following duties and responsibilities:
   1. Understand Aboitiz Foods compliance obligations under the PDPA and related regulations;
   2. Ensure implementation of policies and guidelines established for compliance with the PDPA and related regulations, as well as with this policy and other privacy and information security related policies of Aboitiz Foods, by embedding such policies and guidelines in the day-to-day processes and procedures of the department;
   3. Conduct privacy impact assessments as may be needed;
   4. Coordinate with the DPO and the information security officer in the development of controls and mitigation plans to address identified privacy risks.
   5. Ensure the implementation of risk controls and mitigation plans in the department;
   6. Promote a culture of privacy in the department;
   7. Ensure that team members have the capability to comply with privacy and information security requirements as provided by law, regulations or internal company policies and guidelines; and
   8. Report immediately to the DPO any security incident or data breach in accordance with the Company’s incident response policy and procedure.
5. Team Leaders. The team leader of any department which process personal data shall have the following duties and responsibilities:
   1. Understand the Company’s compliance obligations under the Personal Data Protection Act and related regulations;
   2. Understand and comply with privacy and information security policies and procedures in the processing of personal data;
   3. Report immediately to his/her respective TL any security incident or data breach in accordance with the Company’s incident response policy and procedure;
   4. Implement controls and mitigation plans to address privacy risks; and
   5. Regularly attend or undergo privacy training and other learning activities.

C. PROCESSING OF PERSONAL DATA

1. Rights of a Data Subject. The rights of a data subject as provided in the PDPA should be observed when processing personal data.
   1. Right to be informed. A data subject has the right to be informed on the following matters:
      1. Whether his personal data shall be, are being or have processed;
      2. The type of personal data to be entered into the data processing system;
      3. The purpose/s for the processing;
      4. The scope and method of processing;
      5. The parties to whom the personal data may be disclosed;
      6. Methods utilized for automated access if allowed by the data subject;
      7. Contact details of the company or its representative
      8. Period for which the personal data will be stored; and
      9. Existence of their rights as a data subject.
   2. Right to object to processing. A data subject has a right to object to processing if the basis is consent or legitimate interest.
   3. Right to withdrawal. A data subject has a right to withdraw their consent to the processing of personal data related to them. 

If you withdraw your consent to any or all purposes and depending on the nature of your request, we may not be in a position to continue to provide our products or services to you.

1. Right to access and correction. A data subject has the right to reasonable access, upon demand, to the following:
   1. Contents of his personal data which were processed;
   2. Sources from which personal information were obtained;
   3. Names and addresses of recipients of the personal data;
   4. Manner by which the personal data were processed;
   5. Reasons for disclosure of the personal data to recipients;
   6. Information on automated processes where the personal data will or likely to be made as the sole basis for any decision significantly affecting or that will affect the data subject;
   7. Date when his personal data was last accessed or modified; and
   8. Name, address and contact details of the company or its representative.

If the information we hold about you is incorrect, you are entitled to ask us to correct any inaccuracies in the personal information.

1. Right to lodge a complaint. A data subject has the right to lodge a complaint before the Personal Data Protection Commission for any violations of his or her rights granted under the PDPA.

1. Data Processing System. To ensure effective privacy compliance and risk management,
2. Aboitiz Foods shall document the following:
   1. Departments, employees or third parties with functions relating to personal data processing.
   2. The categories of and inventory of data subjects and the types of personal data being processed.
   3. A description of the information flow, from the point of collection up to the disposal of personal data, including any processing done in between, as well as the manner and extent of processing.
   4. The purposes for processing include any intended future processing or data sharing.
   5. The recipients or intended recipients of personal data.

D.3.3 Data Collection.

1. The data subject must be informed in clear and plain language that his personal data is or will be collected and processed. For this purpose, a privacy statement containing the following information shall be supplied to the data subject at the point of collection (e.g., websites, intranet, microsite, mobile apps, customer and employee forms):
   1. Description of personal data to be processed;
   2. Purpose/s of processing;
   3. Scope and method of processing;
   4. Parties to whom the personal data may be disclosed;
   5. Contact details of the company or its Data Privacy Officer;
   6. Retention period; and
   7. His rights as a data subject.
2. Prior notification to data subjects shall be made in case of amendment privacy statement.
3. Except in instances allowed by law or regulation, the consent of the data subject to processing must be obtained prior to collection. In the case of the processing of sensitive or privileged information, all parties must have given their consent prior to processing.

D.3.4 Fair and Lawful Processing. 

1. Processing must be for purposes that are not contrary to law, morals or public policy. Personal data must not be misused and processing must be in accordance with the declared and specified purposes. Appropriate measures shall be implemented to prevent misuse of personal data that can harm a data subject.
2. Data Quality. Data quality must be ensured when processing personal data. Personal data must be accurate, relevant and, where necessary for purposes for which it is to be used, kept up to date.
3. Inaccurate or incomplete data must be corrected, supplemented, destroyed or their further processing restricted.
4. Proportionality of Processing. Processing must be adequate and not excessive in relation to the purposes for which they are collected and processed.
5. Retention. Personal data shall be retained only for as long as necessary for the fulfillment of the purposes for which it was obtained, or for the establishment, exercise or defense or legal claims, or for legitimate business purposes, or as provided by law.
6. Data Sharing.
   1. The consent of the data subject on data sharing must be obtained even when the data is to be shared with the Company’s parent, subsidiaries or affiliates.
   2. Any data sharing arrangement must be covered by a data sharing agreement which shall provide, among others, the data privacy and security standards to be observed.
7. Data Transfer. Personal Data may be transferred to places outside of Singapore (which may be located in countries where a different data protection regime is found in the country you are based) when carrying out the purposes stated herein.
8. Security Measures. Taking into account its risk profile, the Company shall implement the appropriate organizational, physical and technical security measures to ensure privacy and data protection.
   1. Promote privacy and data protection awareness in the company through training and regular communication.
   2. Establish proficiency skills development and training for employees handling personal data to ensure protection of personal data. Training in data privacy and information security policies and procedures should be part of the on-boarding process for new employees handling personal data.
   3. Employees, service providers and other third parties who have access to personal data not intended for public disclosure shall be required to hold personal data under strict confidentiality even after termination of employment or contractual relations. This requirement shall be enforced through confidentiality agreements or confidentiality clauses in service agreements.
   4. Information security measures shall be adopted. In this regard, information security management policies are deemed incorporated in this policy.
9. Outsourcing. Aboitiz Foods shall ensure the protection of personal data when outsourcing activities that involve processing of personal data. Among the measures that can be undertaken to ensure data protection by contractors or service providers are the following:
   1. Set appropriate privacy and security standards (organizational, physical and technical measures) to be complied by contractors or service providers when processing personal data.
   2. Take into account in the accreditation, hiring and performance evaluation processes the capability of contractors or service providers to meet the privacy and security standards set by Aboitiz Foods.
   3. Embed privacy requirements, security standards, data breach management
   4. protocol and the right of the company to audit compliance with the foregoing requirements in the agreements with contractors or service providers.
   5. Conduct compliance audits where appropriate.

D.3.3 Data Collection.

1. As part of its information security management system, Aboitiz Foods shall establish detective controls (which, depending on a company’s risk profile, may be a combination of process, human capital, physical and technological controls) to detect potential or actual security incidents or data breaches as well as complaints, non-compliances or misconducts relating to privacy and data protection.
2. Aboitiz Foods shall establish and implement a security incident management policy, which shall include the following:
   1. Creation of a data breach response team to ensure that timely and appropriate action is taken in the event of a security incident or personal data breach.
   2. Implementation of an incident response procedure including the execution of corrective actions and controls to:
      1. Contain or mitigate the negative effect of a security incident, data breach, complaint, non-compliance or misconduct;
      2. Restore integrity to the information and communications system; and
      3. Improve prevention and detection of future incidents.
   3. The conduct of internal investigation to understand the facts, circumstances, root causes and appropriate resolution.
   4. The procedure for contacting law enforcement authorities in case possible criminal acts were committed.
   5. Compliance with the notification and reporting requirements of the National Privacy Commission in the event of occurrence of personal data breach or security incident.

F. DISCIPLINARY ACTIONS

• Violations of this policy, the PDPA and its Implementing Rules and Regulations, including data breaches, will be dealt with in accordance with an established disciplinary action and appropriate responses for potential legal actions, including civil and criminal actions.

4.0 Generated Documented Information

5.0 Reference