Dialysis Center PH shall, at all times, comply with the provisions of Republic Act No. 10173 or “the Data Privacy Act of 2012,” its implementing rules and regulations, and all other laws and government issuances which are now or will be promulgated relating to data privacy and the protection of personal information, if and when applicable. Dialysis Center PH, its officers, employees, agents and representative in connection with its performance of the Contract, shall, among others:

a. Process personal data only upon the documented instructions of the Customer, including transfers of personal data to another country or an international organization, unless such transfer is authorized by law;

 b. Implement measures and systems such as clear written guidelines and training modules for its employees, agents, and representatives, that will enable data subjects to exercise any and all of their rights under the Data Privacy Act of 2012;

c. Implement such measures and systems that will allow data subjects to exercise their right to object or withhold consent to further processing as provided under the Data Privacy Act of 2012;

d. Implement such measures and systems that will allow data subjects to exercise their right to access under the Data Privacy Act of 2012;

e. Maintain proper records, and provide the Customer access to such records, as will allow said Customer to comply with the exercise by data subjects of their right to access under the Data Privacy Act of 2012;

f. Ensure that the data subjects will be able to exercise their right to rectification, modification, or blocking of data under the Data Privacy Act of 2012;

g. Determine the appropriate level of security measures, subject to, and in conjunction with, that of the Customer, taking into account the nature of the personal information to be protected, the risks represented by the processing, the size of the organization and complexity of its operations, current data privacy best practices, and cost of security implementation;

h. Implement security measures for data protection (i.e., generally, the physical, organization, and technical security measures prescribed by the Data Privacy Act of 2012 and its implementing rules and regulations), including policies for evaluation, monitoring, and review of operations and security risks. These measures may include clear written guidelines, training modules for its employees, agents, and representatives, and audit measures in relation to the (1) collection, processing, maintenance, and deletion/disposal of personal data and records; and (2) the sharing of these information, especially on the specific persons to whom the information may be given access. Such measures shall aim to maintain the availability, integrity, and confidentiality of personal data, and prevent negligent, unlawful, or fraudulent processing, access, and other interference, use, disclosure, alteration, loss, and destruction of personal data;

i. Implement reasonable and appropriate organizational, physical, and technical measures intended for the protection of personal information against any accidental or unlawful destruction, alteration, and disclosure, as well as against any other unlawful processing, or for such other purposes as may be required under the Data Privacy Act of 2012 or any other applicable law or regulation;

j. Implement reasonable and appropriate measures to protect personal information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent misuse, unlawful destruction, alteration, and contamination;

k. Ensure that its employees, agents, and representatives who are involved in the processing of personal information operate and hold personal information under strict confidentiality. This obligation shall continue even after their transfer to another position or upon termination of their employment or contractual relations;

l. Not to engage another processor without prior instruction from the Customer: Provided, that any such arrangement shall ensure that the same obligations for data protection under this document are implemented, taking into account the nature of the processing;

m. In case of data breach, promptly notify the Customer within twenty-four (24) hours or earlier from the time of discovery, to enable said Customer to notify the National Privacy Commission and the affected data subject or Customer within the period prescribed under the Data Privacy Act of 2012, when sensitive personal information that may, under the circumstances, be used to enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and the Customer, Dialysis Center PH, or the National Privacy Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject or Customer;

n. Promptly inform the Customer, if, in its opinion, any instructions of the Customer violates, or may be construed to violate, any provision of the Data Privacy Act of 2012 or any other issuance of the National Privacy Commission;

o. Assist the Customer in ensuring compliance with the Data Privacy Act of 2012, its implementing rules and regulations, other relevant laws, and other issuances of the National Privacy Commission, taking into account the nature of processing and the information available to Dialysis Center PH;

p. At the choice of the Customer, delete, destroy, or return all personal data to the former after the end of the provision of services relating to the processing: Provided, that this includes deleting or destroying existing copies unless storage is authorized by the Data Privacy Act of 2012 or another law;

q. Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in the Data Privacy Act of 2012, and allow for and contribute to audits, including inspections, conducted by the Subscriber or another auditor mandated by the latter; and

r. Include all the foregoing in the privacy and security policy of Dialysis Center PH (http://www.dialysiscenter.ph/privacy-policy).