
SUPPLIER DATA PROTECTION REQUIREMENTS APPLICABILITY RESPONSE SUPPORTING REMARKS

SECTION ONE: Data Privacy Governance

1 Appointment of a Data Privacy Officer (DPO) Applicable Compliant With Data Privacy Officer (DPO) Documents

2 Registration of Data Processing Systems Applicable Compliant Registration Form

SECTION TWO: Risk Assessment

3 Regular conduct of Privacy Impact Assessments for processes, products, or systems that involve the processing of personal data Applicable Compliant

SECTION THREE: Privacy Culture

4 Availability of your organization's Personal Data Privacy Policy Applicable Compliant

5 Formulation of your organization's Privacy Management Program (PMP) Not Applicable Non-Compliant

6 Establishing a culture of privacy through awareness and education programs for employees and subcontractors Applicable Compliant

7 Issuance of Security Clearance for those handling personal data Applicable Compliant

SECTION FOUR: Privacy in Day-to-Day Information Lifecycle Operations

8 Informing data subjects of any personal information processing activities and obtaining their consent, when necessary Applicable Compliant

9 Formulation of policies/procedures that allow data subjects to object to further processing, or changes to the information obtained from them Applicable Compliant

10 Formulation of policies that limit data processing according to its declared, specified, and legitimate purpose Applicable Compliant

11 Formulation of policies/procedures for providing data subjects with access to their personal information, including its sources, recipients, method of collection, purpose of disclosure to third parties, automated processes, date of last access, and identity of the controller (Data Subject Access Request) Applicable Compliant

12 Formulation of policies/procedures that allow data subjects to dispute inaccuracy or error of their personal information, including policies/procedures to keep the same up to date Applicable Compliant

13 Formulation of policies/procedures that allow a data subject to suspend, withdraw, or order the blocking, removal or destruction of their personal information Applicable Compliant

14 Formulation of policies/procedures for accepting and addressing complaints from data subjects Applicable Compliant

15 Formulation of policies/procedures that allow data subjects to get indemnified for any damages sustained due to inaccurate, incomplete, outdated, false and unlawfully obtained or unauthorized use of personal information Applicable Compliant

16 Formulation of policies/procedures that allow data subjects to obtain a copy of his/her personal data processed by electronic means and in a structured and commonly used format Applicable Compliant

17 Formulation of policies/procedures for the creation and collection, storage, transmission, use and distribution, and retention of personal data for only a limited period, OR until the purpose of the processing has been achieved, and ensuring that data is securely destroyed or disposed of Applicable Compliant

SECTION FIVE: Managing Personal Data Security Risks

18 Implementation of appropriate and sufficient organizational security measures Applicable Compliant

19 Implementation of appropriate and sufficient physical security measures (Physical Access and Security, Design and Infrastructure) Applicable Compliant

20 Implementation of appropriate and sufficient technical security (Firewalls, Encryption, Access Control Policy, Security of Data Storage, and Other Information Security Tools) Applicable Compliant

SECTION SIX: Data Breach Management

21 Compliance with the Data Privacy Act's Data Breach Management Requirements (e.g. Security Policy, Data Breach Response Team, Incident Response Procedure, Document, Breach Notification) Applicable Compliant

CERTIFIED TRUE and CORRECT by:

Rudziya Arceo HR Manager April 24, 2019


Signature over Printed Name Designation Date
