Data Privacy Policy
UnionBank respects and values your privacy and the secrecy of your account information with us. This Privacy
Policy ("Policy") informs you how we collect, use, store, and process your personal data in UnionBank Online
(UB Online). We adhere to the data privacy principles of (1) legitimate purpose - we only process upon your
consent, in compliance with law or contract; (2) transparency - we notify you of everything that happens to your data;
and (3) proportionality - collection is limited based on purpose.
This Policy applies to data subjects of UB Online whether as: (1) clients - current, past and prospective
customers as individuals or corporations; or (2) non-clients - payees or payors of bank products and services
we provide; visitors or inquirers at our branches and online channels; ultimate beneficial owners, directors or
representatives of corporate clients; and such other persons involved in transactions with us or with our
customers. ("Data Subjects")
Personal Data refers to any information that identifies or is linkable to a natural person. On the other hand,
Sensitive Personal Data is any attribute that can distinguish, qualify or classify a natural person from the others
such as data relating to your ethnicity, age, gender, health, religious or political beliefs, genetic or biometric
data.
We collect your Personal and Sensitive Personal Data when you register, sign-up or use our bank products and
services or contact us about them. We also collect through your organization whether private corporation or
government instrumentality you authorized. We may also obtain your information from other sources (i.e.,
publicly available platforms, financial institutions, credit agencies, payment gateway processors, public
authorities, and other registers) for purposes of identity verification and regulatory requirements by the Bangko
Sentral ng Pilipinas (BSP).
Know-Your-Customer (KYC) / Identification Data: refer to Personal Data and Sensitive Personal
Data we collect when you sign up or register to our products and services such as full legal name,
gender, date of birth, nationality, civil status, permanent address, present address, tax identification
number and other government-issued identification numbers, mobile number, home number, office
contact details, company name, job position or rank, office address, source of funds, gross annual
income, and such other information necessary to conduct due diligence and comply with BSP rules and
regulations.
Biometric Data: upon your express consent and subject to limitations imposed by law, data processed
for customer verification using: (1) facial recognition technology; (2) liveness detection mechanism;
and (3) fingerprint recognition applications.
Transactional Data: linkable information to your Personal Data such as (1) bank account number,
deposits, withdrawals, such other transfers made to or from your account, and details about them such as
reference number, place and time these were made; (2) information when you contact us through our
official channels such as branches, contact centers, web and mobile platforms; (3) credit card account
number as well as purchases or transactions using your credit card; and (4) other forms of customer
account number, payments, and transactions you have with us.
Financial Data: information about the value of your property and assets, your credit history and
capacity, and other financial products and services you have with us.
Behavioral Data: this refers to your online behavior, customer segment, usage of our products and
services, internet protocol address of your devices used to access our applications, interests and needs
you share with us, and customer behavior we collect as part of due diligence, to prevent fraudulent
conduct, and comply with banking rules on anti-money laundering, terrorism financing, and tax fraud.
Audio Visual Data: for security and improvement of our services, we process audio and video
recordings of your interactions with us and surveillance videos at branches and automated teller
machines, subject to limitations imposed by law.
Sensitive Personal Data: we may require the following Sensitive Personal Data upon your express
consent: (1) your religion when you apply for insurance products with us; (2) for customer verification,
your government-issued identification numbers or cards such as passport or driver's license ID; or (3)
any information that is necessary, incidental to contractual agreement or in connection with a requested
product or service.
Children's Data: we may collect information about children if they have opened an account with us
with parental consent or if you provide us in relation to a product or service you signed up with us (i.e.
when you register children as beneficiary to an insurance product or trust service with us). The foregoing
data are collectively referred to as "Customer Data" or "Personal Information".
Processing means any activity pertaining to the collection, recording, organization, storage, updating or
modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of Customer Data.
We process your Customer Data only for legitimate purposes and with lawful basis such as your express
consent, terms and conditions of product or service you signed up with us, and/or as required by law and
regulation. We ensure that only authorized employees and third-party service providers, who satisfy our
stringent risk management, governance, information security, and data privacy requirements, can process your
data.
Data Storage
We store Customer Data in secure and encrypted Bank-managed environments, devices, and
media. For third-party managed environments such as cloud service providers, we employ BSP-
sanctioned security protocols and procure BSP approval prior to deployment.
We store physical copies of documents containing your Customer Data in physical secure vaults.
Data Access
Customer Data can only be accessed by authorized personnel in a role-based manner following the
proportionality principle that authorized personnel can only access the Customer Data they need
for their role and purpose in the bank. The proportionality principle means that the processing of
information shall be adequate, relevant, suitable, necessary, and not excessive in relation to a
declared and specified purpose. Personal information shall be processed only if the purpose of the
processing could not reasonably be fulfilled by other means.
Data Use
Customer Engagement
We use your contact details with us to communicate with you about your relationship with
us. We may ask for feedback, surveys or polls about our products and services.
We may send you email or mobile notifications, telephone calls, or newsletters about
product and services enhancements and account security reminders.
You have the right to opt out of this form of communication with you or choose another
means for which we can contact you.
Marketing
We may use your information for us to send out campaign materials of commercial products
and services we hope you find interesting, relevant, and useful.
We want to establish a more personalized relationship with you by providing you offers that
would suit your lifestyle and needs.
We perform data analysis on results of our marketing campaigns to measure their
effectiveness and relevance.
You have the right to withdraw your consent or unsubscribe from receiving personalized
offers.
Due Diligence and Regulatory Compliance
We may use Customer Data to evaluate your eligibility for bank products and services.
We use your account details when you instruct us to make a payment or fulfill an investment
order.
We process Customer Data in compliance with legal obligations and statutory requirements
by BSP, and other regulatory agencies.
Business Insights
We perform data analysis and reporting based on your Customer Data and how we
operationalize to help our management make better decisions.
We analyze your behavioral data, your interactions with our products and services, and our
communications with you to help us understand the areas for improvement and development.
We analyze transactional data performed through our third-party service providers and
partners in order to determine how we can jointly improve our products and services for
you.
Data Quality
We shall process your Customer Data in compliance with the data quality standards imposed
by BSP. We may obtain additional information about you from government institutions to
improve the quality of your Customer Data with us. We may contact you to ensure accuracy
and integrity of your information in our data processing systems.
Protection and Security
We process Customer Data for your account protection against cybercrime, identity theft,
estafa, fraud, financial crimes such as money laundering, terrorism financing, and tax fraud.
We use your Personal Data such as name, age, nationality, IP address, home address, and
other Transactional Data to conduct profiling for detection of suspicious activity on your
account.
We may employ artificial intelligence and machine learning in real-time detection of
suspected fraudulent activities on your account.
We may reset your password or temporarily freeze your online banking account to protect
you from detected suspected fraudulent activities.
Data Retention
Pursuant to BSP Regulations, retention period for transaction records shall be five (5) years from
the date of transaction except where specific laws and/or regulations require a different retention
period, in which case, the longer retention period is observed.
For financial data and documents which indicate taxable transactions, data shall be preserved for
ten (10) years per BIR Regulation.
We keep your data as long as it is necessary: a) for the fulfillment of the declared, specified, and
legitimate purposes, or when the processing relevant to the purposes has been terminated; b) for
the establishment, exercise or defense of legal claims; or c) for legitimate business purposes, which
shall be in accordance with the standards of the banking industry.
Data Disposal
After the expiration of the imposed retention period, we dispose of personal data in a secure manner
in order to prevent further processing, unauthorized access, or disclosure to any other party.
When you consent to the processing of your Customer Data with us, you also agree to help us comply with our
statutory and contractual obligations with other financial institutions. We may also share your Customer Data
externally with our partners, upon your consent, for value added services you may find useful and relevant on
top of your account with us. For contractual and value-added service data sharing agreements, we employ
standardized model clauses as recommended by National Privacy Commission to ensure data protection of
Customer Data. Below are the disclosures required by the government entities, other regulatory authorities and
financial institutions:
We are subjected to mandatory disclosures to the AMLC under Republic Act No. 9160 or the Anti-
Money Laundering Act of 2001, as amended, when there is probable cause that the deposits or
investments involved are in any way related to unlawful activities or money laundering offenses.
BSP mandates disclosures and reporting in compliance with its issuances for the protection of the
integrity of the banking sector.
We may conduct random verification with the BIR in order to establish authenticity of tax returns
submitted to us.
BIR may inquire into bank accounts of the following: a) a decedent in order to determine his gross
estate; b) a taxpayer who has filed an application to compromise his tax liability on the ground of
financial incapacity; and c) a taxpayer, information on whose account is requested by a foreign tax
authority.
Credit Agencies
Subject to your consent, we may implement necessary reference checks including, but not limited to,
credit reporting/reference agencies, the credit bureau, and/or any other financial institution to
enable UnionBank to ascertain your status, to help the Bank arrive at a decision in
applications, if any, where your account is linked or related to our credit-related products or
facilities.
We may be mandated to disclose certain Customer Data upon service of legal court orders (i.e.,
unexplained wealth under Section 8 of R.A. No. 3019) or express legal request from police, public
prosecutors, courts, or dispute resolution providers allowed by law.
In these cases, we would notify you of the disclosure to the requesting government authority,
subject to limitations imposed by law.
Financial Institutions
To fulfill payments and services, we may have to share your information with correspondent
banks, network payment processors (i.e., Visa, Mastercard, American Express, JCB), stockbrokers,
fund managers, or portfolio service providers.
We disclose your Personal Data with insurers, insurance brokers, or providers of deposit or
protection against all kinds of risks.
For purposes of consumer reporting, account updates and fraud prevention, we may share your
data with reference agencies such as Bankers Association of the Philippines (BAP).
With your express consent, we may disclose your Customer Data to our partners who collaborate
with us to provide services to you and provide joint communications that we hope you find of
interest.
Through our digital channels, you may instruct other mobile financial technology applications to
retrieve your account information, initiate payments or cash-in from your account with us via our
Application Programming Interface (API) facility.
Under the Data Privacy Act of 2012, you have the following rights:
1) Right to be informed - you may demand the details as to how your Personal Information is being
processed or have been processed by the Bank, including the existence of automated decision-making
and profiling systems.
2) Right to access - upon written request, you may demand reasonable access to your Personal
Information, which may include the contents of your processed personal information, the manner of
processing, sources where they were obtained, recipients and reason of disclosure.
3) Right to dispute - you may dispute inaccuracy or error in your Personal Information in the Bank
systems through our contact center representatives.
4) Right to object - you may suspend, withdraw, and remove your Personal Information in certain
further processing, upon demand, which includes your right to opt out of any commercial communication
or advertising purposes from the Bank.
5) Right to data erasure - based on reasonable grounds, you have the right to suspend, withdraw or
order blocking, removal or destruction of your personal data from the Bank's filing system, without
prejudice to the Bank's continuous processing for commercial, operational, legal, and regulatory purposes.
6) Right to data portability - you have the right to obtain from the Bank your Personal Information in
an electronic or structured format that is commonly used and allows for further use.
7) Right to be indemnified for damages - as data subject, you have every right to be indemnified for
any damages sustained due to such violation of your right to privacy through inaccurate, false,
unlawfully obtained or unauthorized use of your information.
8) Right to file a complaint - you may file your complaint or any concerns with our Data Protection
Officer and/or with the National Privacy Commission through www.privacy.gov.ph.
For inquiries and concerns, you may address them to UnionBank's Data Protection Officer at 30/F UnionBank
Plaza, Meralco Avenue cor. Onyx Road, Pasig City or through email at [email protected]
Please check the box below if you consent to credit-checking as explained in this Policy:
I consent to the submission of my personal information for the purpose of credit checking, as
explained under this Privacy Policy.
By signing below, I/we also authorize and consent to the processing of my/our personal information, as well as
to the submission of my/our personal information for the purposes explained under this Privacy Policy and for
purposes of complying with other mandatory submissions under the Philippine laws and rules and regulations
not herein enumerated and I acknowledge that I/we have read, understood, and fully agree with the terms of
this Policy.
Date
Leandro Jr Crebello
April 19, 2023 02:05:35 PM (GMT+8)