Sustainability Report 2021

61 Introduction Customers Social Governance Appendix Environment Sustainability Report 2021 Data Privacy Data collection is an integral part of theBank’sbusinessprocesswhenproviding banking services to customers. It is the Bank’s responsibility to utilize client information in a way that fosters trust and mitigates potential risks that may adversely affect the customer’s financial well-being, privacy, and human rights. The Bank tracked and monitored the percentage of customers whose data is used for secondary purpose; in 2021, it was 27%. Our continuous efforts to improve data privacy throughout the value chain is centered on ensuring that our employees and suppliers are aware of and understand their responsibilities regarding data management. TheBankrequiressuppliers tosigntheData Processing Agreement (DPA) in order to protect our customer’s information, which is incompliancewithPDPA, and to regulate any personal data processing conducted only for business purposes. PDPA was also one of the key contents for ttb’s In an on-going effort to build a better understanding and importance of PDPA, PDPA training has become a mandatory course since 2020 which started off with the Personal Data Protection Act Series 1: Introduction to PDPA. In 2021, the Personal Data Protection Act Series 2, which focused on data privacy, data security, and datamanagement, resulted in 100%employee completion rate-including all subsidiaries. Subsequently, an intensive PDPA training was designed specifically for customer-facing employees in retail banking to ensure that our practice strictly complies with PDPA regulation across the following touchpoints: retail branch, contact center, and sales. The intensive training provided a comprehensive understanding of PDPA, roles and responsibilities, data subject rights, and lawful basis for processingdata –covering 7 topics: consent, vital interest, contract, public task, legitimate interest, legal obl igat ions, and research. 100% of targeted employees completed the training. Data Privacy and Cybersecurity Supplier Day 2021 which focused on educating our suppliers the importance of PDPA, roles and responsibilities of data controller and processors, ttb’s new protocol in compliance with PDPA, and PDPAcompliancepreparationfor suppliers. Consequently, 100% of suppliers signed the Data Processing Agreement and PDPA consents in 2021. As for business partners, the Controller to Controller (C2C) and Data Sharing Agreement are targeted to roll out in 2022. 0 Customer data breach case with significant impacts 0 Substantiated complaints of customer privacy breaches 0 Substantiated complaints of customer breaches from regulators 100% Suppliers signed Data Processing Agreement (DPA) 100% of employees completed Personal Data Protection Act Series 2 100% of targeted employees completed PDPA Intensive Training