Data Privacy Practices
In order to comply with and operationalize the T.R.U.S.T. principles, Axiata shall implement the following Data Privacy Practices:
Lawfulness, Fairness, and Transparency
1. To process personal data lawfully, fairly and in a transparent manner. To provide the data subjects with a Privacy Notice which specifies details on the purpose for which the personal data is being collected and processed, source of the personal data, class of the third parties to which the personal data is disclosed or may be disclosed to, security measures towards protection of personal data, data retention requirements, rights available to data subjects and other relevant information in line with applicable Privacy laws.
Data must be collected and processed from data subjects in a lawful, fair and transparent manner.
2. We will process Personal Data when it is necessary and meets at least one of the following lawful bases where:
- The data subject has consented for their personal data to be processed, strictly within the purposes for which the consent is given
- The processing is necessary for the performance of a contract with the data subject
- Steps are taken at the request of the data subject to enter into a contract
- The processing is necessary to comply with legal obligations/regulatory requirement
- It is required for administration of justice
- To protect the vital interests of data subjects
- Any other lawful base for processing personal data as stated by applicable Privacy laws
Lawful bases for processing Personal Data:
- Consent
- Performance of Contract
- Entering into Contract
- Legal Obligations
- Administration of Justice
- Protection of Vital Interests
- Any other applicable lawful base
3. We will ensure that while processing Sensitive Personal Data explicit consent is required of data subjects except for other lawful bases stated below:
- Exercising obligations which are imposed by law on the Company in connection with employment
- Any legal proceedings
- Obtaining legal advice
- Establishing, exercising or defending legal rights
- The processing is necessary to protect the vital interests of the data subject or another person
- Any other lawful base for processing sensitive personal data as stated by applicable Privacy laws
Lawful bases for processing Sensitive Personal data:
- Explicit Consent
- Legal proceedings, advice and defense
- Administration of Justice
- Protection of Vital Interests
- Any other applicable lawful base
4. We will take reasonable steps to maintain accurate, complete, not misleading and up to date personal data only for the purpose(s) identified in the Privacy Notice.
5. We will ensure that personal data collected and processed shall be adequate, relevant and not excessive for the purpose(s) identified in the Privacy Notice.
Data Subject Rights
Axiata respects the rights of data subjects and shall provide them with the opportunity and platform to exercise their rights. We have established processes for receiving, recording and responding to such requests.
Retention and Disposal
We will define and document retention periods for various categories of personal data in accordance with the stated purpose or as required by the law. We will ensure that personal data is retained as per the defined retention periods. Post expiry of the retention period, personal data shall be securely disposed or de-identified.
Define and document data retention periods and securely dispose personal data post expiry of the retention periods.
Privacy by Design
Privacy by Design is a methodology that enables Privacy to be built into the design and architecture of systems, products and processes.
Axiata has adopted Privacy by Design methodology to ensure that Data Privacy issues are considered at the design phase of any system, service, product or process and then throughout the personal data lifecycle.
We will conduct Data Protection Impact Assessments (DPIAs) to identify underlying Privacy risks in the high-risk personal data processing activities.
Privacy by Design methodology is to be adopted and Privacy must be incorporated from the initial design phase.
Data Privacy Impact Assessments shall be conducted to identify the underlying Privacy risks of the high-risk processes.
Vendor Privacy Management and cross border data transfers
Axiata has established processes with respect to managing high-risk data processing vendors from a Data Privacy standpoint. The processes include the following activities:
Due Diligence |
Conduct due diligence on prospective high-risk vendor’s information security and Privacy posture prior to onboarding. |
Data Processing Agreements |
Include adequate Privacy and information security clauses in all contractual agreements. |
Periodic Vendor Assessment |
Conduct periodic assessment of existing high-risk vendors’ compliance with contractual and regulatory obligations. |
DPIAs for Projects |
Conduct DPIAs prior to onboarding high-risk projects from existing vendors. |
Key Vendor Privacy Management Activities:
- Due Diligence
- Contracts with adequate Privacy and Security clauses
- Periodic Vendor Assessments
- DPIAs to onboard new projects
We will assess the permissibility of Cross-Border Data Transfers in accordance with applicable Privacy laws. Further, the Company shall also ensure that necessary safeguards (such as Data Transfer Agreements) are in place to protect all the Cross-Border Data Transfers.
Privacy Incident and Data Breach Management
We have defined and implemented a process for reporting, assessing, resolving, communicating, escalating, notifying, and performing of any other actions required in the effective management of Privacy incidents and data breaches.
Security
We have implemented appropriate technical safeguards and organizational measures to maintain the confidentiality, integrity and availability of personal data.
Audit, Review and Reporting
Axiata will carry out periodic Privacy audits on our data processing environment to monitor its compliance against this Policy, Group Privacy standards and applicable Privacy laws.
Training and Awareness
Axiata mandates annual Data Privacy awareness trainings for our employees and contract staff. We will also raise awareness through knowledge sharing sessions, e-mailers, posters, Privacy campaigns and other such means.
Mandate Data Privacy Awareness trainings for all employees and contract staff.