PRIVACY POLICY

I. Introduction

This Privacy Policy document has been created, in compliance with the requirements of
Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012, its implementing rules
and regulations, and relevant National Privacy Commission issuances (collectively referred to as
either “DPA laws”). This document its attached annexes and acknowledgment form shall form
part of your employment, partnership, and/or service contract requirements at PH Global Jet
Express, Inc. (“J&T Express”, “Us”, “We”, Our”). You are thus obligated to read, comprehend, and
acknowledge your compliance with this Privacy Policy throughout your employment, partnership,
service contract duration with us.

II. Collection and Use of Personal Information

Types of Personal Data we collect

For purposes of this policy, its annexes, and acknowledgement form, “Personal Data”
shall collectively refer to Personal Information, Sensitive Personal Information, and Privileged
Information. While the terms “Process” and “Processing” shall refer to any operation or any set
of operations performed upon personal data including, but not limited to, the collection,
recording, organization, storage, updating or modification, retrieval, consultation, use,
consolidation, blocking, erasure or destruction of data. Under the DPA, Personal information
refers to any information, whether recorded in a material form or not, from which the identity of
an individual is apparent or can be reasonably and directly ascertained by the entity holding the
information, or when put together with other information would directly and certainly identify an
individual. While Sensitive Personal Information refers to personal information:

•About an individual’s race, ethnic origin, marital status, age, color, and religious,
philosophical, or political affiliations.

•About an individual’s health, education, genetic or sexual life of a person, or to any

proceeding for any offense committed or alleged to have been committed by such person,
the disposal of such proceedings, or the sentence of any court in such proceedings;

•Information issued by government agencies peculiar to an individual which includes, but

not limited to, social security numbers, previous or current health records, licenses or its
denials, suspension or revocation, and tax returns; and

•Information specifically established by an executive order or an act of Congress to be

kept as classified.

Finally, Privileged information are those pieces of information defined under the Rules of Court,
an example of such are Attorney-client privilege, spousal privilege, etc.). The list of personal data
that shall be collected from you are found in the document attached to this policy named as
“Annex A”.

Use of collected Personal Data

We collect and process your personal data for human resource management and
development as well as for other legitimate purposes essential and necessary for J&T Express’s
continued operations and growth. Our legitimate purposes for the use of your collected personal
data are as follows:

1. Maintenance of an employee roster database for identity verification procedures,

internal security, asset access protocols, and regulatory compliance;
2. Pre-qualification and post-qualification assessments

RESTRICTED – INTERNAL USE ONLY

1 of 8
 3. Processing of various contracts, certificates and documents evidencing
employment/engagement with J&T Express
4. Processing and grant of employment compensation and corporate benefits, including
payroll and loan management and Health Maintenance Organization (“HMO”) coverage
5. Development and implementation of employee learning, training, and welfare programs,
including workplace performance and compatibility testing;
6. Maintenance of employee performance appraisals/metrics as well as attendance and
geolocational records;
7. Fulfilment of contractual obligations to clients such as disclosure of business data
analytics/metrics for purposes of maintaining quality of service and reportorial
obligations
8. Processing of employee participation in organization-wide sponsored activities, events,
programs, trainings, workshops and initiatives activities, events and programs including
those related to Corporate Social Responsibility (“CSR”);
9. Implementation of incident verification, investigation, and reporting processes or matters
in relation to termination of employment;
10. Regular background and lifestyle checks on an employee to assist the organization in
conducting its continuing security assessment activities as well as in compliance with
industry and standards requirements.
11. Compliance with government and regulatory requirements such as Bureau of Internal
Revenue, Department of Labor and Employment, Social Security System, PhilHealth, and
Pag-IBIG reportorial requirements, business, and occupational permits, and licenses as
well as other National Government and Local Government Unit (LGU) compliance
requirements;
12. For the protection of lawful rights and interests of the Company in quasi-judicial and
judicial proceedings, or the establishment, exercise, or defense of legal claims against
prospectively erring employees; and
13. Periodic third-party audits and risk assessments of J&T Express’ processes and practices
which may impact its employees.

III. Recipients of your Personal Data

Internal Personnel

Only authorized personnel from the company’s Human Capital Management,

Administration, Finance, Information Technology, and Legal and Compliance business units shall
have the authority to collect and process your personal data. These personnel process your
personal data as it is necessary and essential to their legitimate and authorized job functions for
the Company. As the Company is a multinational corporation, your personal data may be
processed by authorized employees from our organization in countries where we operate.
Additional access provided to personnel not mentioned above may be provided on a case-to-case
basis only upon approval by our Data Protection Officer and in consonance with the legitimate
purposes for processing personal data as enumerated earlier.

Third Parties

We allow limited access to your personal data to authorized third-party service providers
such as vendors, suppliers, subcontractors, and/or consultants who provide outsourced functions
including, among others:

• Partner agencies who provide personnel services;

• Financial institutions that provide loan and contribution services to our employees;
• Business resource management systems, productivity tools, applications and software, as
well as cloud storage systems to meet the Company’s storage management
requirements;

RESTRICTED – INTERNAL USE ONLY

2 of 8
 • Mobile communications services;
• Payroll processing
• Health Maintenance Organization (HMO) services;
• Additional regular background and lifestyle checks on an employee to assist the
organization in conducting its continuing security assessment activities as well as in
compliance with industry and standards requirements.
• External professional advice and consultation including audits, legal assessments,
comparative compensation studies and evaluations; and
• Other financial, technical, architectural, and administrative services such as human
resource information systems, payroll, accounting, sales administration, procurement,
training and other services.

The Company remains responsible over the personal data disclosed to such third parties. As
such, we ensure that such third parties are contractually obligated to comply with the
requirements of DPA Laws and shall process your data strictly in accordance with the purposes
enumerated above. We also disclose necessary employee personal data to government
regulatory agencies and law enforcement agencies including, but not limited to the SSS,
PhilHealth, Pag-IBIG, DOLE, and the BIR in accordance with our obligations and reportorial
requirements established by law and governmental agency circulars.

Finally, we do not sell or disclose your personal data to unauthorized third parties unless we are
legally required to do so or if such action is necessary to protect, defend and/or enforce our rights,
property or the personal safety of our employees and other individuals.

IV. Personal Data Retention and Disposal

Personal data you submitted to PH Global Jet Express, Inc will only be kept in its custody only
for as long as it is legally allowed and necessary for the fulfilment of the declared, specified, and
legitimate purposes provided. After which, your personal data shall be disposed in a secure
manner that would prevent it from further processing, unauthorized access, or disclosure, access
due to negligence to any other party.

V. Your obligations under this Privacy Policy

As an employee/contractor/personnel of PH Global Jet Express, Inc., your obligations under

this policy are as follows:

1. You shall only process the Personal data in accordance to your legitimate and
authorized job responsibilities. In the conduct of your personal data processing, you
shall always adhere and follow the General principles of data privacy as provided by
DPA Laws. These principles are:

a. Transparency – at all times, you shall ensure that the Data subject, whom you are
processing their personal data, has been given clear and proper disclosures about
your processing of their personal data and that they have given their express
consent to process the same.

b. Legitimate Purpose –you will guarantee that all Personal data processing
activities you are conducting are in accordance to your legitimate job
responsibilities and is not contrary to law, public morals, and public policy. You
guarantee that in case there is doubt as to the legitimacy of your personal data
processing related tasks, you shall immediately cease any operations and consult
your supervisor, Employee Relations officer, and/or the Data Privacy Officer.

c. Proportionality – at all times you shall ensure that you will only process types of
personal data that is relevant, necessary, and proportionate to the legitimate
RESTRICTED – INTERNAL USE ONLY
3 of 8
 tasks you need to accomplish. You shall not collect/process excess personal data,
in the event that you came to a situation that you are processing excess personal
data, you shall immediately seize such activity and seek guidance from your
supervisor, Employee Relations officer and or the Data Privacy Officer on how to
address the same.

2. Manner of processing personal data - you will ensure all of your personal data
processing activities always have the appropriate safeguards applied to it. At the
minimum you shall ensure:
a. You are only using Company-issued assets to process personal data.
b. The file, device, and/or medium you are using to process personal data is
password protected and/or encrypted.
c. Access to the personal data you are processing is limited to you and authorized
personnel.
d. There should be a user access management as to who has access to the personal
data file/medium that you are processing. You or your supervisor must maintain
a documentation that holds: a) the names of the personnel who have access to
the said personal data file/medium, b) what level of access privileges do they have
(i.e. read-only, modify etc.), and c) date stamps on when such personnel started
having access to the file and when access was revoked

3. You shall not create, directly or indirectly, any unauthorized copy of any personal data
that you have processed or had access to - whether incidental to the performance of
your work or by accident. This obligation continues even after your contract relations
with us.

4. You shall not disclose to any person or entity any personal data that you have
processed or had access to - whether incidental to the performance of your work or
by accident. This obligation continues even after your contract relations with us.

5. You shall report immediately to the escalation channel - your supervisor, Employee-
relations, and/or the Privacy Office - any process or personnel who do not comply
with the provisions of this Privacy Policy and any incidents that you perceive or
believe there is a breach of personal data (i.e. unauthorized disclosures,
compromised personal data file/systems, etc.). All reported violations of this Privacy
Policy shall be kept in strict confidence by the escalation channel personnel and they
are duty bound to ensure that there is no unlawful retaliation on the reporting
personnel. Finally, be reminded that any concealment or omission to report violations
of this Privacy Policy are in contravention of the Company’s code of discipline.

6. You shall first communicate to the Privacy Office or employee relations officer any
clarifications or questions you may have concerning this Policy or anything related to
the Data Privacy Act before resorting to any third-party channels.

VI. Your Rights as a Data Subject

Under the Data Privacy Act, as a Data subject your rights are:

• Be Informed - You have the right to be informed of what, how, and why we collect and
process your personal data.
• To Object - You have the right to object to the processing and/or sharing of your personal
data especially when you feel that we do not have lawful grounds to do so. However, note
that this may result in the termination of your employment with us when such data you
RESTRICTED – INTERNAL USE ONLY
4 of 8
 objected or refused to provide us is necessary for us to perform our obligations to you as
your employer.
• Withdraw Consent - You have the right to withdraw your consent to our processing
activities on your personal data. However, note that this right does not apply on instances
wherein our processing of your personal data rely on grounds provided by law besides
consent. Similar with the right to object, your withdrawal of your consent to the
processing of your personal data may result in the termination of your employment with
us when such withdrawal impairs our capability to perform completely our obligations to
you as your Employer.
• To Access - you have the right to request reasonable access to your personal data subject
to our company’s internal procedures.
• To Data Portability - You have the right to obtain a copy of the personal data we collected
from you in a format that is portable subject to our internal procedures.
• To Rectify - You have the right to ask us to rectify and/or update your personal data if
there are any errors or inaccuracies, subject to review and our company’s internal
procedures.
• Erasure or Blocking - You have the right to suspend, withdraw, or order the blocking,
removal, or destruction of inaccurate, incomplete, outdated, false, or unlawfully obtained
personal data, or personal data not necessary for the purpose for which it was collected,
and for such other cases provided in the Data Privacy Act of 2012. Do note that your
exercise of this right may result in the termination of your employment with us when such
demand to erase or block your data impairs completely our capability to perform our
obligations to you as your Employer.
• Damages - You have the right to be indemnified for damages sustained, if any, due to
inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of your
personal data.

V. Contacting the Privacy Office

If you have any questions, concerns, or clarifications about any provisions of this Privacy Policy
you may contact the Data Protection Officer’s office via email at dpo@jtexpress.ph

[This part is intentionally left blank, succeeding pages are Annex A and Acknowledgment form]

RESTRICTED – INTERNAL USE ONLY

5 of 8