Bank of Commerce (“BankCom”) is committed to protecting your Personal Data when you apply for and avail of our products, services, and facilities and/or when you access our system. This Notice provides the general privacy practices of BankCom in Processing your Personal Data that we collect from you, our customers.

BankCom believes that maintaining the privacy of Personal Data is a shared responsibility between you, our customers, and us. While we endeavor to safeguard Personal Data, we expect you to be vigilant in protecting your Personal Data.

WHAT PERSONAL DATA DO WE COLLECT?

Depending on the product, services or facilities of BankCom that you apply for or avail or when you interact with our branches, employees, authorized representatives, agents or service providers, we collect your Personal Data such as but not limited to:

- Your full name and personal details such as gender, date, and place of birth, civil status, country of origin, education
- Contact details such as residence/permanent address, telephone/mobile number, e-mail address
- Specimen signatures
- Copy of identification documents such as passport, TIN, and SSS/GSIS
- Employment details or business information/interests
- Financial information such as income, sources of funds
- Images captured via CCTV when visiting our branches and offices
- Other information necessary to provide the product services you need
- Your photo

As and when necessary, we may validate any of the information with third parties including government regulators and other supervisory agencies, tax authorities, judicial and quasi-judicial bodies.

In the course of your availment of our products, services, and facilities, we also collect information about your account activities such as but not limited to account history, account movements, other products and services availed, relationship and interactions with third parties such as merchants, utility companies, credit card companies, etc.

Further, in the course of using our website and electronic platforms, we may also collect non-personal data such as those provided by your device like the IP address, operating system, and other machine identifiers.

HOW DO WE USE YOUR PERSONAL DATA?

We use your Personal Data for declared, specific and legitimate purposes as allowed by and pursuant to law, primarily:

- To comply with or fulfill our obligations arising from contracts entered into between you and us such as but not limited to approval, facilitation, administration, and processing of applications and transactions; generation of statements, billings, notices and documents necessary for your continuous availment of our products, services, and facilities.
- To comply with or fulfill our obligations under banking laws, the Manual of Regulations for Banks, and other laws, rules and regulations such as but not limited to proper client identification or knowing our customer (“KYC”) under RA 9160, the Anti-Money Laundering Act, as amended, RA 9510, the Credit Information System Act, the National Internal Revenue Code, etc.
- To conduct our everyday business purposes as well as operational requirements including but not limited to audit, administrative, credit, compliance, customer service, collection, and risk management processes, policies and procedures.
- To pursue other legitimate business interests and purposes to improve our products, services, and facilities such as the conduct of market studies, research, surveys, data analysis, modeling, etc.

We will always ask for your consent before using your Personal Data for any business purpose outside this Privacy Notice.

HOW MAY WE SHARE YOUR PERSONAL DATA?

We may share your Personal Data with our affiliated/related entities, and accredited service providers under the strict obligation of confidentiality under the following, and similar circumstances:

- To better understand how you use our products and services that allow us to improve and offer better services and other products of greater value to our customers.
- To offer you additional products and services from our affiliated entities, which we believe you may find interesting.
- To engage the assistance and support of third parties in delivering our products and services to you and in operating our business.

We share the required information with the government to comply with legal and regulatory obligations.

We share personal and other relevant information with the credit reporting body according to the requirements of RA 9510, the Credit Information System Act, in connection with your application for or availing of a credit facility with us.

HOW LONG WILL WE RETAIN YOUR PERSONAL DATA?

Your Personal Data are safeguarded and retained for as long as you have transactions with us. We keep all paper-based documents in locked filing cabinets, while digital/electronic files are stored in our database and secured storage media.

Your Personal Data will be stored in our system for five (5) years from the date of transaction except where specific laws and/or regulations require a different retention period, in which case, the longer retention period is observed. After this duration, the physical form will be shredded and destroyed while the electronic form will be electronically removed from the storage media in a manner that would prevent further processing, unauthorized access, or disclosure to any other party or the public.

WHAT ARE THE PRIVACY RISKS AND HOW DO WE PROTECT YOUR PERSONAL DATA?

BankCom recognizes the privacy risks in Processing your Personal Data such as natural threats like accidental loss or destruction, and human threats like unlawful access, fraudulent misuse, unlawful destruction, alteration, and contamination.

We take reasonable and appropriate physical, technical, and organizational security measures and safeguards. We strive to implement these security measures and safeguards to maintain the availability, integrity, and confidentiality of personal data and protect them against natural and human threats, such as:

- Train our employees to properly and carefully manage your personal data
- Implement cybersecurity controls and standards mandated by Banking Laws and Bangko Sentral ng Pilipinas rules and regulations
- Oversee and review our third party partners and vendors to implement the same level of security measures and standards.
- Regular privacy review of our business process and systems to comply with the BankCom’s Privacy Policy and Data Privacy Act of 2012.

YOUR PRIVACY RIGHTS

Because we respect your right to privacy, and unless otherwise, we have contractual or legal obligations or duty to respond to a lawful order or practical reasons why we cannot act on your request, the following are your privacy rights:

- Right to be informed – you may demand the details as to how your Personal Data is being processed or has been processed by us.
- Right to access – you may demand reasonable access to your Personal Data, such as: (a) contents of your Personal Data that were processed; (b) manner by which such data were processed; (c) date when your data was last processed and modified, among others.
- Right to dispute – you may dispute inaccuracy or error in your Personal Data in the Bank systems and request to correct it through our customer care representative or Branch personnel.
- Right to object – you may suspend, withdraw, and remove your Personal Data in certain further processing, upon demand, which include your right to opt-out to any commercial communication or advertising purposes from the bank.
- Right to data erasure or blocking – you have the right to suspend, withdraw or order blocking, removal or destruction of your Personal Data from the Bank system. The Bank will initially block your record and dispose of it after the allowed retention period.
- Right to data portability – you have the right to obtain from the Bank a copy of your Personal Data in an electronic or structured format to give you more control and manage your Personal Data.
- Right to damages – you may claim compensation if you suffered damages due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of Personal Data.
- Right to file a complaint – you may file your complaint or any concerns with our Data Protection Officer through dataprivacy@bankcom.com.ph and/or with the National Privacy Commission through www.privacy.gov.ph.

For a more comprehensive description and explanation, you may view your privacy rights at this link: https://www.privacy.gov.ph/know-your-rights/

HOW TO CONTACT US

Should you have any privacy inquiries and/or concerns, please do not hesitate to contact the BankCom’s Data Protection Officer at dataprivacy@bankcom.com.ph