SAN ROQUE POWER CORPORATION

DATA PRIVACY POLICY

San Roque Power Corporation (“SRPC”) is committed to protecting the privacy and security of personal data in full compliance with Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 (DPA), its Implementing Rules and Regulations (IRR), and all relevant issuances of the National Privacy Commission (NPC).

SRPC ensures that all processing of personal data—whether through automated or manual means—is carried out in accordance with the DPA, its IRR, and NPC issuances. All personal data processing activities strictly adhere to the fundamental principles of transparency, legitimate purpose, and proportionality, and are protected by appropriate and reasonable organizational, physical, and technical security measures.

SRPC ensures that data subjects are properly informed of the nature, purpose, and extent of the processing of their personal data, their rights as data subjects under the DPA, and how these rights may be exercised.

SRPC ensures that personal data processed are adequate, relevant, suitable, necessary, and not excessive in relation to the declared and specified purposes for which they are collected. SRPC implements reasonable and appropriate organizational, physical, and technical security measures to protect personal data against accidental or unlawful destruction, alteration, disclosure, or unauthorized access, and to ensure the availability, integrity, and confidentiality of personal data.