Privacy Policy

Lima Water Corporation is fully committed to comply with the Republic Act 10173 – Data Privacy
Act of 2012. We abide by its Implementing Rules and Regulations through the data privacy and
protection policies that we have adopted internally.
From time to time, it may be necessary for you to provide personal data in connection with your
visits to our company website and portals, our offices, with your direct or indirect dealings with
our Company, our officers and employees, and in your browsing activities through any of our
website or mobile applications, as a customer, an investor, a shareholder, job applicant or in any
relevant capacity.

THE PERSONAL DATA WE COLLECT

We may collect and process personal data from you in the ordinary course of the Company’s
business which may include, to the extent necessary to respond to your requests, queries, and
concerns, basic information such as your name, residence, and contact details, and sensitive
personal information such as your age, marital status, tax identification number,
government-issued identification cards, financial information, tax returns, educational
background, and work history, among others (collectively, your “Personal Data”).

When you visit our websites or use any of our mobile applications, other information that may
also constitute Personal Data, such as your browser type, operating system, IP address, domain
name, number of times and dates you visited the website or accessed the mobile application,
and the amount of time you spent browsing through the website or mobile application, may be
collected via cookies and other tracking technologies, such as transparent GIF files. Aggregate
Information or non-personally identifiable and anonymous data, such as how many times you
log onto our websites or mobile applications may also be collected.

HOW WE USE COOKIES AND TRACKING TECHNOLOGIES

A cookie is a small file which asks permission to be placed on your computer’s hard drive.
Cookies allow websites to recognize your computer when you return, enabling it to display
personalized settings and other user preferences. It also allows websites to respond to you as an
individual. The websites and apps can tailor operations to your needs, likes, and dislikes by
gathering and remembering information about your preferences.

We use traffic log cookies to identify which pages are being visited. This helps us to analyze data
about web page traffic and to improve our website in order to tailor it to your needs. We only
use this information for statistical analysis purposes after which, the data is removed from the
system.

In general, cookies help us provide you with a better website, by enabling us to monitor which
pages you find useful and which you do not. A cookie in no way gives us access to your computer
or any information about you, other than the data you choose to share with us.
You will be given the opportunity to accept or reject the use of cookies on our websites in a
pop-up box when you first access our website. Once you agree, the file is added and the cookie
helps analyze web traffic or lets you know when you visit a particular site. Most web browsers,
however, automatically accept cookies, but you can usually modify your browser setting to
decline cookies if you prefer. You may choose not to accept the cookies, however, this may
restrict the services that you can access at our websites. Declining cookies may also prevent you
from taking full advantage of our websites.

HOW WE USE THE PERSONAL DATA WE COLLECT

When necessary, we request for your Personal Data for us to understand your needs and provide
you with a better service, and in particular for the following purposes:

Creating, managing, and maintaining your account and customer record;
To be used as reference for concerns related to your customer application process, consumption,
billing, collection of payments, and related matters;
For keeping an internal record for confirming, maintaining, verifying or updating our customer
records, statistical analysis, and internal reporting;
For customer relationship management purposes, such as updating you on our activities in
connection with our services, and responding to customer concerns;
For marketing-related communications including via email, postal mail, social media platforms,
and text or direct messages;
For service and customer care improvement;
Communicating with or contacting you with regard to your account with us;
Establishing your identity and qualification as a job applicant;
Complying with the due diligence requirements in fund-raising, investment activities, and
transactions with customers, lenders, creditors, or financial institutions;
Facilitating the establishment and exercise of legal claims;
Complying with all legal and regulatory requirements ; and
Complying with and responding to legal processes or lawful orders of any judicial or
quasi-judicial bodies.

SECURITY AND RETENTION OF PERSONAL DATA

We are committed to ensuring that your Personal Data is kept secure. We have implemented
suitable and adequate organizational, physical and technical security measures, policies, and
procedures intended to reduce the risks of accidental destruction or loss, or the unauthorized
disclosure or access to such information which are appropriate and adequate to the nature of
the Personal Data we collect.

We may retain your Personal Data only for as long as necessary for legitimate business purposes,
to comply with laws, regulations, or lawful court order, or to establish or defend a legal action
and will be disposed thereafter according to the disposal policy.

DISCLOSURE OF PERSONAL DATA

We may share with or disclose your Personal Data to:

Any of our affiliate or subsidiary only for the purposes we have collected your Personal Data;
Any agent, contractor, or sub-contractor performing services related to stockholders services;
Any consultant, adviser, auditor, or service provider we engaged to carry out functions or
activities related to our legitimate business activities;
Any person to whom we propose to assign or transfer any of its rights and/or duties;
Any court of law or administrative agency of the government pursuant to a lawful order issued in
relation to a pending case or proceeding before such court or agency;
Our lenders or creditors, underwriters, as well as the consultant, adviser or, auditor of the
foregoing;
Your lawyer, attorney-in-fact, or duly authorized agent or representative, upon presentation of a
duly executed special power of attorney;
Any regulatory, quasi-judicial or judicial authority, or as otherwise considered necessary or
appropriate for our legitimate business purposes.

Any access to Personal Data will be limited to the person who requires your Personal Data to
perform the functions for which personal information has been collected, and as required or

allowed by law. We do not sell, trade, or otherwise transfer your Personal Data to third parties. If
shared, we will, at your request, provide you with details of the companies with whom we have
shared your Personal Data.

NOTIFICATION OF CHANGES

We may amend or update this privacy statement from time to time as may be necessary. We
recommend that you check this privacy notice every time we advise you of any change.

REQUESTS, ACCESS, RECOURSE AND QUESTIONS REGARDING THIS PRIVACY STATEMENT

You are entitled to request that we:

provide you with a copy of your Personal Data that we hold and inform you of:
(a) the source of your Personal Data;
(b) the purposes and methods of processing;
(c) the data controller’s identity; and
(d) the entities or categories of entity with whom your Personal Data may be shared;
cease processing your Personal Data, in whole or in part, as you direct us, for any purpose, save
to the extent it is lawful to do so without consent under the Data Privacy Act of 2012;
do not transfer your Personal Data to third parties for the purposes of direct marketing or any
other purposes you have not consented to;
correct any errors in your Personal Data; and
update your Personal Data as required.

If you have questions, concerns, or complaints regarding our compliance with the Data Privacy
Act of 2012 or if you wish to exercise your rights to access, rectification, object, portability or
deletion in instances allowed under the law, you may contact us through our Data Privacy Officer
by way of any of the following channels:

AIC Data Protection Officer
Mailing Address: NAC Tower, 32nd Street, Bonifacio Global City, Taguig City 1634
Email Address: aicdpo@aboitiz.com
Please use the following subject format:
Inquiry on Data Privacy

When there is a perceived violation of your rights, you may file a complaint with the National
Privacy Commission (NPC). Take note that you must communicate your privacy concern with the concerned organization first and try to resolve the issue prior to escalation to NPC.In cases
where you file a complaint for violation of your rights, and for any injury suffered as a result of
the processing of your personal data, the NPC may award you indemnity for the damages you
sustained.

KNOW YOUR RIGHTS

1. Right To Be Informed

As data subjects, you have the right to be informed whether your personal data shall be, are
being, or have been processed, including whether the processing was done through an
automated decision-making system or profiling activity.

You can find this information in a privacy statement. This document is a demonstration of the
data privacy principle of transparency, upholds your right, and every data subject’s right to
information. It serves as a statement to data subjects describing how the organization collects,
uses, retains, and discloses personal information.

Keep in mind that a privacy notice is not equivalent to consent. While consent may not be
required in certain instances when it is not relied on as the basis for processing personal data, a
privacy notice is required at all times in order for data subjects to be informed of the processing
of their personal data and their rights as data subjects.

2. Right To Object

You have the right to object to the processing of your personal data if the basis is consent or
legitimate interest such as direct marketing, profiling, and automated processing purposes.

In case of any significant change or amendment to the information previously provided to you,
you must be notified anew in a reasonable manner. You must also be given an opportunity to
object and/or withdraw consent, if consent was previously given for the processing of personal
data.

If you expressed your objection, the organization shall stop the processing of personal data and
comply with the objection. However, despite your objection, the organization may have other
valid grounds to continue processing your personal data. For example, the processing is
mandated by law or required in a judicial proceeding. In such instances, the organization must
inform the data subject of the lawful basis or compelling reason for the continued processing of
their personal data.

3. Right to Access

You have the right to reasonable access and confirm whether or not data relating to you are
being processed, and you may request information about any of the following:

a. The type and category of your personal information processed by the organization;
b. Sources from which your personal information were obtained, if the data was not
collected directly from you;
c. Purposes of processing;
d. Manner of processing
e. Information on automated processing system, especially if the decision will be left solely
based on the algorithm of such processing activity;
f. Names and addresses of recipients of your personal information;
g. Reasons for the disclosure of your personal information to recipients;
h. Date when your personal information were last accessed and modified;
i. Retention period for your personal information; and
j. The designation, name or identity, and address of the organization’s data protection
officer (DPO).

These information are usually found in the privacy notice or consent form that was given to you
in observance of the data privacy principle of transparency and to uphold your right to
information.

Note that you may only request to have access to your own personal data and other information
listed above. You can not request to access information relating to any other individual.

4. Right To Rectification

You have the right to dispute the inaccuracy or error in your personal data and have the
organization correct the same within a reasonable period of time. You also have the right to have
incomplete personal data completed, including the means of providing a supplementary
statement for the completion.

Note however that a request may be denied when obviously it is made with no real purpose
other than to harass, cause annoyance, or hamper the delivery and performance of services of
the organization.

5. Right To Erasure Or Blocking

You have the right to request for the suspension, withdrawal, blocking, removal, or destruction
of your personal data from the organization’s filing systems.

This right may be exercised upon your discovery with substantial proof of any of the following:

The personal data is:
a. incomplete, outdated, false, or unlawfully obtained;
b. used for an unauthorized purpose;
c. no longer necessary for the purpose/s for which they were collected; or
d. concerns private information that is prejudicial to you, subject to certain exceptional
circumstance allowed under privacy law;
You object to the processing of your personal data and no other laws allow the processing of
your personal data;
The processing is unlawful; or
The organization violated any of your rights as a data subject.

Organizations shall inform, in a reasonable manner, the current and previous recipients or third
parties of your request and the erasure of your personal information. Where personal data that
is the subject of your request for erasure is publicly available, the organization shall take
reasonable and appropriate measures to communicate with other organizations responsible for
making your personal information available to the public and request them to erase copies or
remove search results or links to your personal data.

6. Right To Data Portability

You have the right to obtain from the organization a copy of your personal data and/or have the
same transmitted to another organization in a commonly accepted electronic format that allows
further use by the recipient that you choose. In order to exercise this right, processing must be
based either on your consent or contract and the personal data must be processed by electronic
means in a structured and commonly used format such as spreadsheets and pdf files.

7. Right To Be Indemnified

You have the right to dispute the inaccuracy or error in your personal data and have the organization correct the same within a reasonable period of time. You also have the right to have incomplete personal data completed, including the means of providing a supplementary statement for the completion.

8. Right To Lodge A Complaint

When there is a perceived violation of your rights, you may file a complaint with the National
Privacy Commission (NPC). Take note that you must communicate your privacy concern with the
concerned organization first and try to resolve the issue prior to escalation to NPC. In cases
where you file a complaint for violation of your rights, and for any injury suffered as a result of
the processing of your personal data, the NPC may award you indemnity for the damages you
sustained.

EXERCISE YOUR RIGHTS

1. WHO MAY EXERCISE THESE RIGHTS?

● You as the data subject may exercise your privacy rights.
● You may also authorize another person or entity to facilitate the exercise of your rights
with specific and documented authorization.
● The lawful heirs of a data subject may likewise exercise any of his or her rights, at any
time after his or her death, or when he or she is incapacitated or incapable of exercising
the same.

2. DO I NEED TO PAY A FEE TO EXERCISE MY RIGHTS?

Generally, organizations shall not charge any fee to fulfill the exercise of your rights, except when
the request requires reasonable fees to cover administrative costs such as printing expenses,
among others.

3. PERIOD TO COMPLY WITH THE REQUEST?

Requests shall be resolved within thirty (30) business days upon receipt of the accomplished
request form.

An extension of fifteen (15) business days may be given depending on the nature of the request
i.e., complex or numerous. You or your authorized representative will be notified in case of
extension and the reason for such.

4. DENIAL OF REQUEST?

Organizations may deny or limit your requests if:

● Information is publicly available. In such case, the organization will point you to the publicly available information;
● Your request has been previously granted,unless a reasonable period of time has passed from the previous request;
● Your request will entail disproportionate effort;
● When your request is made with no real purpose other than to harass, cause annoyance, or hamper the delivery and performance of service;
● Your request will contrast the need to fulfill the purpose/s for which the data was obtained;
● Your request will violate the organization’s compliance obligation which requires the processing of your personal data;
● Your request is contrary to legitimate business purposes of the organization that is consistent with the applicable industry standard for personal
● data retention;

❖ Denial or limitation is provided by any existing law, rules, and regulations; and
❖ Your request will adversely affect the rights and freedoms of other data subjects.

When your request is denied, you will be clearly and fully informed of the reason for the
limitation or denial.

CONTACT US

You may send your queries to: