Advancing Asia as a New Generation Digital Champion

Ensuring Data Privacy

Founded on the Group’s principles of T.R.U.S.T., our Privacy Commitment emboldens us to uphold the highest standards in protecting our customers', employees' and other stakeholders' personal data.

INTRODUCING AXIATA’S DATA PRIVACY POLICY

We are committed to protecting the Privacy and data of our customers, employees and other stakeholders with utmost respect and due care.

We have implemented an overarching Data Privacy Policy which establishes the mandatory requirements of Axiata Group with respect to protection of personal data.

The underlying premise of this Policy is that good Privacy is good business. Good Privacy practices are a key component of corporate governance and accountability.

Our Policy outlines Axiata Group’s approach towards Data Privacy and supports our ambition in proactively enhancing customer digital trust and confidence.

SCOPE AND APPLICABILITY

Our Data Privacy Policy applies to all Stakeholders of Axiata Group, which includes subsidiaries and associated companies in which the Group has a controlling stake or ownership. Companies or entities in which Axiata Group does not have a controlling stake are encouraged to adopt this Policy.

This Policy shall apply to the end-to-end processing of personal data of customers, employees and all other stakeholders (collectively referred to as “data subjects”), whether in digital form, on paper or in other materials. This Policy applies to all the employees, contract staff and vendors who process personal data on the Company’s behalf.

Axiata shall comply with applicable Privacy laws. To the extent this Policy contradicts or is inconsistent with the requirements of any law, statute or regulation, the higher standards shall prevail.

GUIDING PRINCIPLES

Axiata’s activities and Privacy practices are underpinned by the T.R.U.S.T. principles:

TRANSPARENT

We are TRANSPARENT about what, why and how we collect and protect YOUR PERSONAL DATA so that YOU can make informed decisions.


RIGHTS

We respect YOUR RIGHTS as individuals, so YOU are in control of YOUR PERSONAL DATA.


USE

We USE YOUR PERSONAL DATA for specific and stated purposes and keep it only for as long as required.


SECURITY

We have established robust CYBER SECURITY PRACTICES in line with leading industry standards to protect YOUR PERSONAL DATA that YOU have shared with us.


TRANSFER

With YOUR CONSENT or in accordance with APPLICABLE LAWS we may TRANSFER YOUR PERSONAL DATA and will take appropriate steps to ensure it is adequately protected.

Data Privacy Practices

In order to comply with and operationalize the T.R.U.S.T. principles, Axiata shall implement the following Data Privacy Practices:

Lawfulness, Fairness, and Transparency

1. To process personal data lawfully, fairly and in a transparent manner. To provide the data subjects with a Privacy Notice which specifies details on the purpose for which the personal data is being collected and processed, source of the personal data, class of the third parties to which the personal data is disclosed or may be disclosed to, security measures towards protection of personal data, data retention requirements, rights available to data subjects and other relevant information in line with applicable Privacy laws.

Data must be collected and processed from data subjects in a lawful, fair and transparent manner.

2. We will process Personal Data when it is necessary and meets at least one of the following lawful bases where:

  • The data subject has consented for their personal data to be processed, strictly within the purposes for which the consent is given

  • The processing is necessary for the performance of a contract with the data subject

  • Steps are taken at the request of the data subject to enter into a contract

  • The processing is necessary to comply with legal obligations/regulatory requirements

  • It is required for administration of justice

  • To protect the vital interests of data subjects

  • Any other lawful base for processing personal data as stated by applicable Privacy laws

Lawful bases for processing Personal Data:

  • Consent
  • Performance of Contract
  • Entering into Contract
  • Legal Obligations
  • Administration of Justice
  • Protection of Vital Interests
  • Any other applicable lawful base

3. We will ensure that, when processing Sensitive Personal Data, explicit consent is required from data subjects, except where one of the other lawful bases stated below applies:

  • Exercising obligations which are imposed by law on the Company in connection with employment

  • Any legal proceedings

  • Obtaining legal advice

  • Establishing, exercising or defending legal rights

  • The processing is necessary to protect the vital interests of the data subject or another person

  • Any other lawful base for processing sensitive personal data as stated by applicable Privacy laws

Lawful bases for processing Sensitive Personal Data:

  • Explicit Consent
  • Legal proceedings, advice and defense
  • Administration of Justice
  • Protection of Vital Interests
  • Any other applicable lawful base

4. We will take reasonable steps to maintain accurate, complete, not misleading and up to date personal data only for the purpose(s) identified in the Privacy Notice.

5. We will ensure that personal data collected and processed shall be adequate, relevant and not excessive for the purpose(s) identified in the Privacy Notice.

Data Subject Rights

Axiata respects the rights of data subjects and shall provide them with the opportunity and platform to exercise their rights. We have established processes for receiving, recording and responding to such requests.

Retention and Disposal

We will define and document retention periods for various categories of personal data in accordance with the stated purpose or as required by the law. We will ensure that personal data is retained as per the defined retention periods. After expiry of the retention period, personal data shall be securely disposed of or de-identified.

Define and document data retention periods and securely dispose of personal data after expiry of the retention periods.

Privacy by Design

Privacy by Design is a methodology that enables Privacy to be built into the design and architecture of systems, products and processes.

Axiata has adopted Privacy by Design methodology to ensure that Data Privacy issues are considered at the design phase of any system, service, product or process and then throughout the personal data lifecycle.

We will conduct Data Protection Impact Assessments (DPIAs) to identify underlying Privacy risks in the high-risk personal data processing activities.

Privacy by Design methodology is to be adopted and Privacy must be incorporated from the initial design phase.

Data Privacy Impact Assessments shall be conducted to identify the underlying Privacy risks of the high-risk processes.

Vendor Privacy Management and cross border data transfers

Axiata has established processes with respect to managing high-risk data processing vendors from a Data Privacy standpoint. The processes include the following activities:

  • Due Diligence: Conduct due diligence on prospective high-risk vendors’ information security and Privacy posture prior to onboarding.
  • Data Processing Agreements: Include adequate Privacy and information security clauses in all contractual agreements.
  • Periodic Vendor Assessment: Conduct periodic assessment of existing high-risk vendors’ compliance with contractual and regulatory obligations.
  • DPIAs for Projects: Conduct DPIAs prior to onboarding high-risk projects from existing vendors.

Key Vendor Privacy Management Activities:

  • Due Diligence
  • Contracts with adequate Privacy and Security clauses
  • Periodic Vendor Assessments
  • DPIAs to onboard new projects

We will assess the permissibility of Cross-Border Data Transfers in accordance with applicable Privacy laws. Further, the Company shall also ensure that necessary safeguards (such as Data Transfer Agreements) are in place to protect all the Cross-Border Data Transfers.

Privacy Incident and Data Breach Management

We have defined and implemented a process for reporting, assessing, resolving, communicating, escalating, notifying, and performing any other actions required for the effective management of Privacy incidents and data breaches.

Security

We have implemented appropriate technical safeguards and organizational measures to maintain the confidentiality, integrity and availability of personal data.

Audit, Review and Reporting

Axiata will carry out periodic Privacy audits on our data processing environment to monitor its compliance against this Policy, Group Privacy standards and applicable Privacy laws.

Training and Awareness

Axiata mandates annual Data Privacy awareness trainings for our employees and contract staff. We will also raise awareness through knowledge sharing sessions, e-mailers, posters, Privacy campaigns and other such means.

Mandate Data Privacy Awareness trainings for all employees and contract staff.