1. What Personal Data PepsiCo may collect from you and how it is collected

When you engage in any business or transaction with PepsiCo or participate in, access or sign up to any of PepsiCo’s services, activities or online contents (including on social media and messaging applications), such as newsletters, promotions, live chats, message boards, websites and mobile notifications or votes, PepsiCo may, by automated or non-automated means, collect or receive Personal Data about you. This may include, but not limited to, your name and surname, email address, postal address, telephone or mobile number, gender, nationality, date of birth, educational background, occupation, bank account details, biometric data, as well as information collected about your use of PepsiCo services, such as what you read, watched, or did on our website, app, or when using our other services.

Please note that sometimes you may decide to provide us with sensitive Personal Data, which refers to information about your racial or ethnic origin, marital status, identification card number, passport number, driver’s license number, age, colour, religion, philosophical or political beliefs/affiliations, criminal records, health data or disability condition, education, information issued by government agencies peculiar to an individual, among other sensitive personal information defined by the DPA (‘Sensitive Personal Data’). If you do this, PepsiCo will provide further information about how PepsiCo will use your collected Sensitive Personal Data and may seek your explicit consent at that time, if it is required under applicable laws and regulations on personal data protection.

Some of our services enable you to sign-in via third-party service providers, such as Facebook, X, and Instagram. If you choose to sign-in via a third-party service provider, you will be presented with a dialog box which will ask your permission to allow PepsiCo to access your Personal Data (e.g. your name and surname, date of birth, email address or any other information you have made publicly accessible on the third-party site).

PepsiCo may also collect information about how you use the PepsiCo mobile app, PepsiCo websites, or other PepsiCo content online, and the device(s) you use to access the services as well as unique online identifiers such as IP addresses and cookies, which are numbers and files that can help to uniquely identify a specific computer or other network device on the internet.

PepsiCo will only collect Personal Data that is necessary, material, or relevant for the purposes, reasons, and basis stated below.

2. Why PepsiCo processes your collected Personal Data

PepsiCo only collects, uses, discloses, transfers, or processes your Personal Data where it is necessary or there is a lawful basis to do so which may include:

• performance of any contract between you and PepsiCo, or in order to take steps at your request prior to entering into a contract between you and PepsiCo (‘Contract Performance’);
• for compliance with legal obligations to which PepsiCo is subject to (‘Legal Obligations’);
• to protect your vitally important interests, including life and health;
• in order to respond to national emergency, comply with requirements of public order, and safety, or fulfill functions of public authority where necessary; and
• where it is necessary for the legitimate interests pursued by PepsiCo or by a third party or parties to whom the data is disclosed, except for where such interests are overridden by your fundamental rights and freedoms which require protection under the Philippine Constitution.

Apart from the mentioned lawful bases, PepsiCo may process your Personal Data by securing your consent (‘Consent’). If PepsiCo asks for your consent, PepsiCo will specify what PepsiCo is asking for and ask you to confirm your choice to give us that consent. If you are a child (any person under 18 years of age), we will seek your consent and your parents’ or guardian’s consent. If PepsiCo cannot provide a service or product without your consent to process your Personal Data, PepsiCo will make this clear when PepsiCo asks for your consent.

PepsiCo will use or process your Personal Data for a number of purposes, including the following:

2.1 Contract Performance
PepsiCo will process your Personal Data in accordance with the contract between you and PepsiCo, and for the following reasons:

• Delivering products and/or services to you or procuring products and/or services from you;
• Administering, implementing, maintaining, managing and operating our products and/or services;
• Processing, assessing and determining any applications or requests made by you in connection with our products and/or services;
• Entering into or executing contracts and maintaining your account with PepsiCo;
• Exercising rights or performing obligations under executed contracts;
• Support you to participate in activities organized by or on behalf of PepsiCo; or
• Other related reasons.

2.2 Legal Obligations
PepsiCo will rely on the purpose of legal obligations in which the processing of your Personal Data is necessary for compliance with a legal obligation to which PepsiCo is subject to.

2.3 Other Processing Purposes
PepsiCo may also process your Personal Data for the following purposes:

• Conducting meetings either physically or virtually through reliable programs, apps or softwares;
• Communicating information about our services, activities or online contents (e.g. relating to upcoming promotions or new product launches) or dealing with your requests and enquiries;
• Administering services, which means that PepsiCo may contact you for reasons related to the business, transaction, service, activity, or online content you have executed or signed up for (e.g. notifying you about the administration of a promotion that you have participated in, or notifying you that a particular service, activity, or online content has been suspended for maintenance or updating our Privacy Policy);
• Customizing the content that you see on our website and app, and the advertising that you see on our website, app, or other sites and services;
• Working with third parties to show you relevant advertising on those third-party websites;
• Contacting you about any submission you have made;
• Using IP addresses and device identifiers to identify the location of users, blocking disruptive use, establishing the number of visits from different countries, tailoring the content of our website, app or other services based on browsing behaviors, and determining which country you are accessing the services from;
• Analyzing and researching so that PepsiCo may improve the services offered by PepsiCo;
• Investigating suspected misconduct activities reported by or against you or third parties via PepsiCo Speak Up Hotline including enquiring those who witnessed the misconducts;
• Conducting a third-party due diligence against you to find out any red-flag signs and for our Global Anti-Bribery Compliance Policy including investigation via public sources;
• Establishing, complying, exercising, or defending legal claims against you or initiating litigation action to protect our interests;
• Analysing, supporting, maintaining and improving your experience about PepsiCo branded products and services offered by PepsiCo and conducting market research and targeted advertising through use of automated data processing technologies on dedicated platforms of PepsiCo and/or PepsiCo’s partners which includes market segmentation and profiling based on your Personal Data and converting your Personal Data into identifiers used for advertising purposes by PepsiCo or PepsiCo’s partners; and
• Other purposes as notified to you at the time of collecting and processing data.

If you would like to exercise your rights, or no longer wish for us to process your collected Personal Data, you can exercise your rights, including to withdraw your consent at any time by email to asia.privacy@pepsico.com. When you request to exercise your rights, we will assess the validity of your request in accordance with applicable law and process your request accordingly. Where relevant, we will inform you of the likely consequences of your rights request or consent withdrawal prior to actioning your request. If your request has been denied, we will also provide reasons for that decision. If your consent has been withdrawn, we will cease collecting, using or disclosing the personal data unless it is required or authorized under any applicable laws.

Where PepsiCo proposes using your Personal Data for any other purposes, PepsiCo will ensure that PepsiCo notifies you first and/or requests your consent as required by the applicable laws.

3. When PepsiCo will disclose or transfer collected Personal Data about you

PepsiCo may, from time to time, with your consent, disclose or transfer your collected Personal Data to other entities in the PepsiCo group or to third parties for any of the purposes listed in item 2. Examples of relevant third parties to whom PepsiCo may disclose or transfer your collected Personal Data include governmental agencies and or third parties who perform services or activities to improve services on our behalf, such as web-hosting providers, payment providers, customer relationship management providers, marketing partners, media and fulfilment partners, and database analytics providers.

When PepsiCo discloses or transfers your collected Personal Data to third parties who perform services on our behalf, PepsiCo ensures that such service providers use your collected Personal Data only in accordance with our instructions, and PepsiCo does not authorize them to use, disclose or transfer your collected Personal Data except as necessary to perform services on our behalf or to comply with applicable legal obligations including entering into Data Sharing Agreements with these third parties.

PepsiCo may also disclose or transfer your collected Personal Data to third parties in the circumstances as follows:

• where the disclosure or transfer is required to do so by laws or comply with a specific order from any competent authority;
• where the disclosure or transfer is required for the purposes of, or in connection with, any legal proceedings, or otherwise for the purpose of establishing, exercising or defending our legal rights;
• where the disclosure is required by law enforcement authorities or other government agencies who have issued a lawful disclosure request for the Personal Data;
• where PepsiCo believes the disclosure is necessary to prevent harm or financial loss, or in connection with an investigation of suspected or actual criminal activity; or
• where PepsiCo sells or transfers all or a portion of our business or assets (including through a merger, reorganization, spin-off, dissolution or liquidation).

4. Cross-border Data Transfers

Due to the global nature of our operations, PepsiCo deals with many international organizations and uses global information systems. As a result, PepsiCo may (i) transfer Personal Data to any of the third parties mentioned in item 3 within or outside of the Philippines and (ii) process Personal Data from a place outside of the Philippines in order to perform any of the processing purposes (collectively "Cross- border Data Transfer"). PepsiCo will take all necessary measures to ensure that any Cross-border Data Transfers are sufficiently protected and comply with all requirements as set out under applicable data protection laws, including the requirement to enter into a data transfer agreement where required by applicable laws.

5. Informing you of our collection of your Personal Data

Before PepsiCo collects or processes your Personal Data, PepsiCo will always notify you about our processing as required by applicable laws (‘Processing Notice’), except when it is not necessary for us to inform you of our processing activities, such as when you, as the data subject, have been fully aware of and consented to what is described in the Processing Notice before consenting to our collection of your Personal Data.

6. Sources of your Personal Data

PepsiCo will collect your Personal Data directly from you, but sometimes PepsiCo may collect them from publicly available sources and/or from other parties, in which case PepsiCo will ensure that PepsiCo and/or other parties fully comply with the applicable laws.

7. Your rights

The applicable laws aim to give you more control of your Personal Data. You have legal rights concerning your collected Personal Data as described below in this policy. However, please understand that we might not be able to accommodate your requests in some circumstances if doing so is not permitted by applicable laws. In exercising your rights, a reasonable prior written request or demand may be sent to asia.privacy@pepsico.com.

7.1 Right to be informed
You have the right to be informed of the processing of your Personal Data and be furnished with certain information, as provided for by this Privacy Policy, unless PepsiCo has a lawful basis to deny your request.

7.2 Right to withdraw consent
You may consent to the processing of your Personal Data, as well as withdraw your consent at any time, unless PepsiCo has a lawful basis to deny your request.

7.3 Right to object
You also have the right to object to the processing of your Personal Data, in order to prevent or limit Personal Data disclosure or use for advertising or marketing purposes, unless there are circumstances that do not allow you to make the objection in accordance with applicable laws.

7.4 Right to access
You have the right to reasonably access, upon prior written demand, your Personal Data that PepsiCo holds or has collected from you, including the manner of how your Personal Data was processed, unless PepsiCo has a lawful basis to deny your request.

7.5 Right to rectification
You have the right to dispute the inaccuracy or error in your Personal Data and request the rectification of any inaccuracy or error in the Personal Data collected from you, unless PepsiCo has a lawful basis to deny your request.

7.6 Right to erasure or blocking
You have the right to suspend, withdraw, or order the blocking, removal, or destruction of your Personal Data, unless there are circumstances that do not allow you to make the objection in accordance with applicable laws.

7.7 Right to data portability
You may request a copy of your collected Personal Data from PepsiCo when your Personal Data is processed by electronic means and in a structured and commonly used format, unless PepsiCo has a lawful basis to deny your request.

7.8 Right to indemnification
You have the right to be indemnified for any damages you may have sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or authorized use of your Personal Data

8. Your obligations

As a data subject, you will have the following obligations:

• Respect and protect others’ Personal Data;
• Fully and accurately provide your Personal Data when consenting to the processing of your Personal Data;
• Comply with regulations of the laws on protection of Personal Data and prevent violations against regulations on Personal Data protection.

9. Data retention period

Your Personal Data shall be kept within a period necessary to achieve the Personal Data processing purposes or for the period specified by applicable laws. PepsiCo will promptly delete, irrecoverably destroy, or anonymize your Personal Data so that you can no longer be identified through such data when the Personal Data retention period ends. PepsiCo undertakes that your Personal Data will be retained in a secure location, accessible only to authorized persons, and will be immediately destroyed or irrevocably anonymized once the retention period has elapsed.

10. Data security

PepsiCo uses a range of measures to keep your collected Personal Data safe and secure, which may include encryption and other forms of security. PepsiCo requires our employees and third parties who carry out work on our behalf to comply with the appropriate privacy laws and standards including obligations to prevent any leakage of Personal Data and to apply appropriate security measures for the processing of Personal Data.

Nevertheless, please understand that although we strive our best to securely store your Personal Data, we cannot guarantee that our security measures will prevent third parties, such as hackers, from illegally obtaining access to your Personal Data. In case of a data breach (if any), PepsiCo will comply with all reporting and remedial measures as established under the applicable data protection laws.

11. Changes to this Privacy Policy

PepsiCo reserves the right to change, amend, or update this privacy policy at any time as PepsiCo deems appropriate, or as may be required by applicable laws, by updating the “Last Updated” date at the top of this policy and posting the new Privacy Policy or providing any other notice required by applicable law via our website or via asia.privacy@pepsico.com. If it is required by applicable laws, we will obtain your valid consent to any relevant updates to the updated Privacy Policy.

12. How you can contact us

If you have any comments, suggestions, questions or want to make a complaint or exercise your rights regarding your collected Personal Data, please contact us by email at asia.privacy@pepsico.com.