Data Privacy Notice
This is the Data Privacy Notice structured according to the requirements of the IRR of the Data Privacy Act of 2012.
1. Introduction
AAT Business Solutions, Inc. ("AAT", "we", "our", or "us") values your privacy and is committed to protecting the personal data we collect, process, and store in the course of our operations.
This Notice explains how AAT collects, uses, shares, and protects your personal data in accordance with the Data Privacy Act of 2012 (R.A. 10173), its Implementing Rules and Regulations, and other applicable issuances of the National Privacy Commission (NPC).
By interacting with AAT, whether as a client, customer, employee, applicant, or third party, you consent to the collection and processing of your personal data as described in this Notice.
⸻
2. Scope
This Notice applies to:
Clients and their customers whose data are processed by AAT in connection with business process outsourcing, collections, and customer support services.
Employees, agents, suppliers, and other partners whose data are collected for legitimate business, contractual, or regulatory purposes.
AAT acts as a Personal Information Controller (PIC) when it determines the purpose and means of processing, and as a Personal Information Processor (PIP) when processing data on behalf of clients.
⸻
3. Personal Data We Collect
We collect personal data necessary for lawful business operations, including but not limited to:
Identification Data: name, address, date of birth, nationality, and government-issued IDs.
Contact Details: phone number, email, and mailing address.
Employment Data: position, work records, and credentials.
Financial Data: account numbers, payment history, or transaction details.
Call and Communication Records: audio recordings, emails, and correspondence for verification, training, and audit purposes.
When required by clients, AAT may also process sensitive personal information such as health, financial standing, or criminal records, subject to enhanced safeguards.
⸻
4. Purpose of Processing
We process personal data for the following lawful purposes:
Performance of contractual obligations to clients and customers.
Customer verification, collection, and settlement of accounts.
Compliance with applicable laws, regulations, and lawful orders of authorities.
Protection of AAT's rights and legitimate business interests.
Recruitment, human resource administration, and payroll processing.
Security, audit, and risk management.
Marketing and client communications, when consented to.
⸻
5. Legal Basis for Processing
AAT processes personal data only when at least one of the following lawful bases exists under Section 12 of the Data Privacy Act:
Consent of the data subject;
Necessity for the performance of a contract or pre-contractual obligation;
Compliance with a legal obligation;
Protection of vitally important interests of the data subject;
Pursuit of AAT's or a third party's legitimate interests, provided such interests are not overridden by the fundamental rights and freedoms of the data subject.
6. Data Sharing and Disclosure
AAT does not sell personal data.
We may share data only with:
Clients and business partners to whom we provide services;
Service providers and subcontractors performing functions on our behalf (e.g., IT, accounting, courier, or legal);
Government agencies and regulators pursuant to lawful orders; and
Third parties with whom AAT has executed data sharing or processing agreements ensuring compliance with the Data Privacy Act.
All recipients are contractually required to maintain confidentiality and implement appropriate security measures.
7. Data Retention and Disposal
AAT retains personal data only for as long as necessary to fulfill the declared purpose or as required by law, regulation, or contract.
After the retention period, records are securely deleted or anonymized using methods approved by the NPC to prevent unauthorized access, use, or disclosure.
8. Data Subject Rights
Under the Data Privacy Act, you have the right to:
Be informed about the processing of your personal data;
Access and obtain a copy of your personal data;
Object to processing or withdraw consent;
Request correction of inaccurate or outdated information;
Request erasure or blocking of personal data no longer necessary;
Data portability, where applicable; and
File a complaint with the National Privacy Commission.
To exercise these rights, please contact our Data Protection Officer.
9. Data Protection and Security Measures
AAT implements organizational, physical, and technical safeguards to protect personal data from loss, misuse, unauthorized access, alteration, or disclosure.
These include:
Controlled access to systems and facilities;
Encryption and secure storage of records;
Regular security audits and employee training;
Confidentiality undertakings by staff and partners; and
Breach notification procedures in accordance with NPC guidelines.
10. Data Breach Notification
In case of a data breach that may compromise your personal data, AAT will notify affected individuals and the National Privacy Commission within the prescribed period, in accordance with NPC Circular No. 16-03.
11. Contact Information
For inquiries, requests, or complaints regarding your personal data, you may contact:
Data Protection Officer
AAT Business Solutions, Inc.
IPI Buendia Tower, Sen. Gil Puyat Ave., Pasay City
Email: dpo@aatlaw.ph
Telephone: (+632) 8564-4258
12. Updates to this Notice
This Notice may be updated from time to time to reflect changes in applicable laws, internal policies, or business practices.
Updates will be posted on our website with the date of effect indicated.
Effective Date: [2025]
AAT Business Solutions, Inc. All rights reserved.
