AEG Technology Solutions Corporation

A Privacy Impact Assessment (“PIA”) is a structured process used by AEG Technology Solutions Corporation to assess how personal data is collected, used, stored, shared, protected, and disposed of across systems, projects, and services.

This page outlines AEG’s approach to identifying privacy risks and implementing reasonable and appropriate controls to reduce risks to data subjects and support lawful processing.

The purpose of the Privacy Impact Assessment is to:

• Identify privacy and data protection risks in proposed or existing processing activities
• Evaluate whether personal data processing is lawful, fair, and proportionate
• Support the implementation of privacy-by-design and privacy-by-default principles
• Reduce risks of unauthorized access, disclosure, misuse, or loss of personal data
• Support compliance with RA 10173 and related regulatory guidance

The PIA may apply to AEG systems, services, and projects involving personal data, including:

• Website forms and account registration systems
• POS, inventory, payroll, and business management systems
• Cloud-based applications and customer portals
• CCTV, monitoring, and security-related deployments where applicable
• Service request, installation, support, and billing workflows
• Internal administrative and operational processing activities

The PIA may cover personal data such as:

• Names, addresses, and contact details
• Email addresses, usernames, and account identifiers
• Transaction records, service records, and support logs
• Technical data such as IP address, device details, and access logs
• Employee, client, customer, supplier, or end-user information, where applicable

The PIA reviews processing activities which may include:

• Collection of personal data through forms, contracts, accounts, and service requests
• Storage in databases, servers, cloud platforms, or backup systems
• Use of data for service delivery, communication, billing, support, and security
• Sharing with authorized staff, service providers, or lawful government requests
• Deletion, anonymization, archival, or disposal of records

AEG evaluates privacy risks such as:

• Unauthorized access to personal data
• Excessive or unnecessary collection of information
• Improper disclosure, sharing, or transfer of data
• Weak authentication, access control, or system configuration
• Insufficient notice, transparency, or lawful basis for processing
• Excessive retention or improper disposal of records

As part of the PIA process, AEG evaluates the adequacy of controls such as:

• Role-based access control and authentication measures
• Password policies and credential protection
• Encryption where applicable
• Logging, monitoring, and incident detection
• Physical, technical, and organizational safeguards
• Vendor and third-party risk controls where relevant

AEG reviews whether a processing activity is necessary for a legitimate and lawful purpose, and whether the scope of collected personal data is proportionate to that purpose.

• Only data reasonably necessary for the intended purpose should be collected
• Alternative approaches with lower privacy risk may be considered where feasible
• Processing should be aligned with notice, consent, contractual need, or other lawful basis

The PIA considers the possible impact of processing on data subjects, including:

• Loss of confidentiality or unauthorized exposure of personal information
• Inconvenience, reputational harm, or financial risk from misuse of data
• Inability of individuals to exercise rights or understand processing activities
• Risks associated with inaccurate, incomplete, or outdated information

Where risks are identified, AEG may implement measures such as:

• Reducing the amount of personal data collected
• Improving notices, consent mechanisms, and internal procedures
• Strengthening security controls and system configurations
• Restricting access to sensitive or confidential information
• Improving retention controls and secure disposal procedures
• Conducting training, review, or additional approvals before implementation

The PIA also considers whether personal data is shared with third parties such as hosting providers, payment providers, integrators, contractors, or support vendors.

• Third-party processing should be subject to appropriate contractual and confidentiality controls
• Data sharing should be limited to what is necessary and lawful
• Third-party privacy and security risks should be considered before engagement

The PIA examines whether personal data is retained only for as long as necessary and lawfully permitted.

• Retention periods should reflect legal, regulatory, operational, and contractual requirements
• Outdated or unnecessary records should be archived, anonymized, or securely disposed of when appropriate
• Disposal processes should reduce the risk of unauthorized recovery or disclosure

The PIA may be reviewed and updated when:

• A new system, service, or project is introduced
• There is a material change in data processing activities
• New privacy or security risks are identified
• Applicable laws, regulations, or guidance materially change

AEG treats privacy governance as an ongoing responsibility. Privacy reviews, documentation, internal procedures, and appropriate oversight form part of its broader accountability framework.

• Relevant stakeholders may be involved in reviewing processing risks
• Privacy considerations may be integrated into project planning and operations
• Documented assessments may support internal review and compliance activities

For privacy-related questions, concerns, or requests, you may contact:

AEG Technology Solutions Corporation is committed to responsible processing of personal data and to supporting compliance with the Data Privacy Act of 2012 (RA 10173), its Implementing Rules and Regulations, and applicable guidance issued by the National Privacy Commission (NPC).