Philippine Addendum to AirAsia’s Privacy Statement

This page modifies and supplements AirAsia’s (“AirAsia” or the “Group”) Privacy Statement in compliance with Republic Act No. 10173, or the Data Privacy Act of 2012 (“DPA”), its implementing rules and regulations (“IRR”) and relevant issuances of the National Privacy Commission (“NPC”). Philippines AirAsia (“PAA”, “we”, “us”, “our”) is committed to the protection and lawful processing of your personal information.

Risks involved at any stage of processing

PAA is committed to protecting your personal information through physical, technical and organizational security measures which safeguard the confidentiality, integrity, and availability of your personal information. We have implemented measures that are designed to comply with the applicable data protection laws and regulations. Among others, these include encryption of data, limiting of access, and employment of technology to protect your personal information from cybersecurity risks.

While PAA is committed to implementing robust security measures, it is important to note that no system can guarantee absolute protection against all risks. Risks include, but are not limited to, the unauthorized collection, use, disclosure, or access to personal information. These risks may arise in circumstances beyond our control, such as breaches of confidentiality, integrity, and availability. Nonetheless, we are continuously adapting and implementing necessary changes to ensure continuous security of your personal information. We have also established policies and procedures for security incident management, including possible instances of data breach, in line with industry best practices, legal requirements, and relevant data protection laws and regulations.

Retention Policies

PAA shall not retain personal information for longer than the necessary period. We commit to dispose of your personal information in the manner described in this Addendum and/or your contract upon the fulfillment of the declared, specified, and legitimate purpose, or when the processing relevant to the purpose has been terminated. We shall only retain your personal information for as long as necessary to comply with our legal obligations, to resolve disputes, and to enforce our agreements with third parties.

Manner of secure disposal of obsolete data

Upon the fulfillment of the legitimate purpose or when processing has been terminated, your personal information shall be securely and permanently deleted from our database, systems, or services environments, except as otherwise required or allowed by law. Physical copies of your personal information shall be destroyed.

Rights of data subjects as recognized under the DPA and how such rights can be exercised

We commit to upholding your rights as data subjects, including your right to access, correction, erasure and to object to the processing of your personal information. You may withdraw your consent to the processing of your personal information at any time. Requests for the exercise of such rights may be made through PAA’s Data Protection Officer.

Data Protection Officer

All concerns and requests relating to your personal information must be addressed to PAA’s Data Protection Officer through email at [email protected].