Common use of DATA PRIVACY AND PROTECTION Clause in Contracts

DATA PRIVACY AND PROTECTION. a. The Parties hereby declare that they will comply with the applicable laws in force concerning data privacy and data protection within the scope of their activities under this MoU. Parties also agree to adhere to respective privacy policies of the Parties. Parties agree not to share externally any personal data/sensitive personal data/information relating to an identifiable individual (hereinafter referred to as “Personal Data”) obtained or collected for the purposes of this MoU, without obtaining prior written permission of the Party who owns such data (“Data Subject”). The Parties agree that the Data Subject(s) who may suffer damage arising from non-compliance with the respective obligations set forth in this MoU may be entitled to receive compensation for the damage suffered due to such non- compliance. b. Parties agree that: • Personal Data will be accessed processed solely for the purposes of this MoU only; • Personal Data will be handled with necessary security controls & measures; • Any incident of Personal Data breach shall be reported duly to the other Party and the owner of the data and take necessary steps as per applicable laws and policies; • Personal Data will not be retained for longer than required for the purposes of this MoU; • If Personal Data access is legally required by competent authorities, Parties will promptly notify the data owner. c. Partner Institute shall duly intimate the students/candidates regarding the collection of their Personal Data for the purposes of this MoU and ensure that the applicable privacy policy of the Foundation and/or any third party is adhered to. The Personal Data will be shared with the Foundation or any other third-party on behalf of the Foundation, which will comply with applicable data privacy and data protection laws and maintain same level of data protection security measures. Partner Institute shall duly obtain the express consent from the students/candidates/data owner as per the attached Annexure V – Personal Data d. The Data collected by Foundation under this MoU will be retained during the term of this MoU, entire enrollment period and thirty-six (36) months post completion of the enrolled courses under the Program, whichever is later. Foundation may require Partner Institute/students/candidates/data owners for additional/further information for impact assessments of the Program. e. In the event of a conflict with the remainder of this MoU or the MoU becomes void, this clause will prevail as separate data processing agreement between the Parties.

DATA PRIVACY AND PROTECTION. a. 17.1 The Parties hereby declare acknowledge and agree that, for the duration of this MTC Agreement, they may each be exposed to Personal Data and acknowledge that they will comply with the applicable laws in force concerning data privacy and data protection within the scope of their activities under this MoU. Parties also agree to adhere to respective privacy policies of the Parties. Parties agree not to share externally any personal data/sensitive personal data/information relating to an identifiable individual (hereinafter referred to as “Personal Data”) obtained or collected for the purposes of Data Protection Laws, the Customer is the controller and Performanta is the processor. 17.2 The Parties specifically record that all Personal Data, shall constitute Confidential Information, and as such shall be protected as provided for in this MoU, MTC Agreement. 17.3 Each Party hereby warrants in favour of the other Party that it shall at all times strictly comply with the Data Protection Laws. 17.4 The Customer hereby warrants and undertakes that it shall not provide any Personal Data to Performanta without obtaining the prior written permission consent of the Party who owns such data (“Data Subject”). The Parties agree that person to whom the Data Subject(s) who may suffer damage arising from non-compliance with the respective obligations set forth in this MoU may be entitled to receive compensation for the damage suffered due to such non- compliance. b. Parties agree that: • Personal Data relates, which consent will be accessed processed solely for include the purposes processing by Performanta and/or the Licensor of this MoU only; • its Personal Data will be handled with necessary security controls & measures; • Any incident and the transfer of its Personal Data to a third party who is in a foreign country, and the Customer hereby indemnifies Performanta fully for any claims made against the Performanta Group arising out of the provision of Personal Data breach shall be reported duly to it by the other Party and the owner of the data and take necessary steps as per applicable laws and policies; • Personal Data will not be retained for longer than required for the purposes of this MoU; • If Personal Data access is legally required by competent authorities, Parties will promptly notify the data ownerCustomer. c. Partner Institute shall duly intimate 17.5 The Customer: 17.5.1 authorises Performanta to process the students/candidates regarding the collection of their Personal Data for the duration of this MTC Agreement as a processor for the purpose set out in the Order form; and 17.5.2 acknowledges that, subject to clause 17.10 Performanta will make Restricted Transfers, including to those Sub-Processors where applicable listed in the relevant Order. 17.6 Performanta will process Personal Data for the duration of this MTC Agreement as a processor solely for the purpose and to the extent described in relevant Order. 17.7 The Customer authorises Performanta to engage Sub-Processors [including those listed in the relevant Order]. Performanta will inform the Customer of any intended changes concerning the addition or replacement of Sub-Processors, thereby giving the Customer the opportunity to object to such changes. The Customer will notify Performanta of its consent or objection to the proposed change within [five] Business Days of having received Performanta’s notification about the change. 17.8 If Performanta appoints a Sub-Processor, Performanta will ensure, prior to the processing taking place, that Performanta has provided the Customer with such information regarding the Sub-Processor as the Customer may reasonably require and that there is a written contract in place between Performanta and the Sub-Processor that specifies the Sub-Processor’s processing activities and imposes on the Sub- Processor the same terms as those imposed on Performanta in this clause 17. Performanta will procure that Sub-Processors will perform all obligations set out in this clause 17 and Performanta will remain responsible and liable to the Customer for all acts and omissions of Sub-Processors as if they were its own. 17.9 Performanta will: 17.9.1 process the Personal Data only on documented instructions (including this Agreement) from the Customer (unless Performanta or the relevant Sub-Processor is required to process Personal Data to comply with domestic law to which Performanta is subject, in which case Performanta will notify the Customer of such legal requirement prior to such processing unless such law prohibits notice to the Customer on public interest grounds); 17.9.2 immediately notify the Customer if, in its reasonable opinion, any instruction received from the Customer infringes any Data Protection Laws; 17.9.3 ensure that any individuals authorised to process Personal Data [access such Personal Data strictly on a need-to-know basis as necessary to perform their roles in the performance of this Agreement: 17.9.3.1 have committed themselves to confidentiality or are subject to confidentiality obligations equivalent to those set out in clause 16 or are under an appropriate statutory obligation of confidentiality; [and] 17.9.3.2 are aware of and comply with this clause 16; and 17.9.3.3 are appropriately reliable, qualified and trained in relation to their processing of Personal Data; 17.9.4 keep all Personal Data confidential in accordance with the provisions of clause 16, provided that in the event and to the extent only of any conflict between this clause 17 and clause 16, this clause 17 will prevail. For the avoidance of doubt, nothing in this clause 17 will limit or restrict the disclosure of Personal Data under and in accordance with the provisions of 16.5 where the disclosure of Personal Data is required or authorised by UK laws to which Performanta is subject; 17.9.5 taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of this MoU processing, implement, and assist the Customer to implement, technical and organisational measures to ensure that a level of security appropriate to the applicable privacy policy risk presented by processing the Personal Data, in particular from a Personal Data Security Incident; 17.9.6 not, without the Customer’s prior written consent, make or permit any announcement in respect of a Personal Data Security Incident or respond to any request for exercise of a Data Subject’s rights under the Data Protection Laws or communication or complaint from a Data Subject or Data Protection Supervisory Authority in connection with Personal Data; 17.9.7 notify the Customer promptly and without undue delay after becoming aware of a Personal Data Security Incident, including the nature of the Foundation and/or any third party is adhered to. The Personal Data will Security Incident, the categories and approximate number of Data Subjects and Personal Data records concerned, the likely consequences of the Personal Data Security Incident and any measure proposed to be shared taken to address the Personal Data Security Incident and to mitigate its possible adverse effects]. Where, and in so far as, it is not possible to provide all the relevant information at the same time, the information may be provided in phases without undue delay, but Performanta may not delay notification under this clause 17.9.7on the basis that an investigation is incomplete or ongoing; 17.9.8 provide reasonable assistance to the Customer in: 17.9.8.1 documenting any Personal Data Security Incidents and reporting any Personal Data Security Incidents to any Data Protection Supervisory Authority and/or Data Subjects; 17.9.8.2 taking measures to address Personal Data Security Incidents, including, where appropriate, measures to mitigate their possible adverse effects; 17.9.8.3 documenting compliance of the processing of Personal Data with the Foundation or any other third-party on behalf Data Protection Laws, including providing a systematic description of the Foundation, which will comply with applicable data privacy and envisaged processing operations; and 17.9.8.4 conducting data protection laws and maintain same level of data protection security measures. Partner Institute shall duly obtain the express consent from the students/candidates/data owner as per the attached Annexure V – Personal Data d. The Data collected by Foundation under this MoU will be retained during the term of this MoU, entire enrollment period and thirty-six (36) months post completion of the enrolled courses under the Program, whichever is later. Foundation may require Partner Institute/students/candidates/data owners for additional/further information for impact assessments of any processing operations and consulting with Data Protection Supervisory Authorities, Data Subjects and their representatives accordingly; 17.9.9 at the Programoption of the Customer, securely delete or return to the Customer all Personal Data promptly after the end of the provision of Services relating to processing [or at any time upon request], and securely delete any remaining copies; 17.9.10 make available to the Customer all information necessary to demonstrate compliance with the obligations set out in this clause 17; 17.9.11 promptly (and in any event within 72 hours) notify the Customer of any request that it receives for exercise of a Data Subject’s rights under the Data Protection Laws or communication, request for information or complaint that it receives from a Data Subject or Data Protection Supervisory Authority or other third party in connection with Personal Data; 17.9.12 provide reasonable assistance to the Customer in responding to requests for exercising Data Subjects’ rights under the Data Protection Laws, including by appropriate technical and organisational measures, insofar as this is possible; and 17.9.13 allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer. e. In 17.10 Performanta may make a Restricted Transfer if it demonstrates or implements an appropriate safeguard for that Restricted Transfer in accordance with Data Protection Laws. Such appropriate safeguards may include: 17.10.1 an appropriate safeguard as directed by the event Customer, as determined by the Customer in accordance with Data Protection Laws; 17.10.2 that the country or territory to which the Restricted Transfer is to be made ensures an adequate level of protection for processing of Personal Data pursuant to adequacy regulations made in accordance with Data Protection Laws; or 17.10.3 an appropriate safeguard provided by the relevant processor in accordance with Data Protection Laws, in which case the Customer will execute any documents (including data transfer agreements containing the standard contractual clauses for the transfer of personal data to processors established in third countries) relating to that Restricted Transfer which the relevant processor requires it to execute from time to time. 17.11 The qualifications at clause 17.10 will not apply if: 17.11.1 the Customer’s instructions pursuant to clause 17.9.1 require Performanta to make a conflict Restricted Transfer and Performanta requires the Customer to demonstrate that an appropriate safeguard in accordance with the remainder of this MoU Data Protection Laws has been put in place prior to such Restricted Transfer; or 17.11.2 Performanta or the MoU becomes voidrelevant Sub-Processor is required to make a Restricted Transfer to comply with domestic law to which Performanta is subject, this clause in which case Performanta will prevail as separate data processing agreement between notify the PartiesCustomer of such legal requirement prior to such Restricted Transfer unless such law prohibits notice to the Customer on public interest grounds. Clause 1.9 will not apply if Performanta or the relevant Sub- Processor is required to make a Restricted Transfer to comply with domestic law to which Performanta is subject, in which case Performanta will notify the Customer of such legal requirement prior to such Restricted Transfer unless such law prohibits notice to the Customer on public interest grounds.

DATA PRIVACY AND PROTECTION. a. 18.1 The MERCHANT will not, without prior written consent of the relevant Customer, use or disclose information on Customer or his/her transactions howsoever obtained and in whatsoever from the information shall take, to any third party (other than the Merchant’s agents for the sole purpose of assisting the MERCHANT to complete or enforce the transactions and the MERCHANT’s insurers and professional advisers) unless such disclosure is compelled by the law. 18.2 The MERCHANT will not, without the prior written consent of RCBC use or disclose information howsoever obtained and in whatsoever form on the business of RCBC or the System or this Agreement, to any third party (other than to the MERCHANT agents for the purpose of assisting the MERCHANT to complete or enforce the transactions and the MERCHANT agents for the purpose of assisting the MERCHANT to complete or enforce the transactions and the MERCHANT insurers and professional Advisers) unless such disclosure is required by the law. 18.3 In connection with the cognizance by the Parties hereto of the above cited rule, the MERCHANT hereby declare commits and guarantees to RCBC that they will it shall not in any manner, or for any purpose, store data that it may encounter and/or come to know of during the course of its relations with RCBC as specified. Furthermore, the MERCHANT shall exert extra diligence to ensure the confidentiality of any and all Customer data including but not limited to card number and expiry date and other similar information. 18.4 The MERCHANT shall comply with the applicable laws in force concerning requirements of the Data Privacy Act (RA 10173), its Implementing Rules and Regulations, the memorandum circulars issued by the National Privacy Commission, and all confidentiality rules and laws, as applicable. The MERCHANT shall uphold the rights of data subjects, and adhere to general data privacy principles of transparency, legitimate purpose, and data proportionality and the requirements of lawful processing. The MERCHANT shall implement reasonable and appropriate organizational, physical, and technical security measures for the protection within the scope of their activities under this MoU. Parties also agree to adhere to respective privacy policies of the Parties. Parties agree not to share externally any personal data/sensitive . The MERCHANT shall use any information acquired in fulfilling this Agreement only and such Information may not be used for other purposes unless agreed to by the Parties in writing. 18.5 The MERCHANT authorizes RCBC or its duly authorized personnel to obtain, receive, record, use, process, store, disclose personal data/information, any and all information relating pertaining to an identifiable individual the MERCHANT, including the MERCHANT’s personal information, any account, or any transactions on any account (hereinafter referred to as collectively, the “Personal Data”) obtained or collected for the purposes of this MoU, without obtaining prior written permission of the Party who owns such data (“Data SubjectInformation”). The Parties agree that the Data Subject(s) who may suffer damage arising from non, to RCBC’s subsidiaries, affiliates, agents, representatives, service providers, vendors, counterparties and other third party partners such as merchants, co-compliance with the respective obligations set forth in this MoU may be entitled brand partners, credit bureaus credit information, credit and loan providers, financial institution, telecommunications companies, other/similar information providers, or to receive compensation for the damage suffered due to such non- compliance. b. Parties agree that: • Personal Data will be accessed processed solely for the purposes of this MoU only; • Personal Data will be handled with necessary security controls & measures; • Any incident of Personal Data breach shall be reported duly to the other Party and the owner of the data and take necessary steps as per applicable laws and policies; • Personal Data will not be retained for longer than required for the purposes of this MoU; • If Personal Data access is legally required by courts, competent authorities, Parties will promptly notify the data owner. c. Partner Institute shall duly intimate the students/candidates regarding the collection of their Personal Data or government agencies and instrumentalities, wher-ever situated, for the purposes following purposes: (a) opening an account or providing any service or product to the MERCHANT; (b) processing or verifying any transaction; (c) validating, verifying, and/or updating its information and its related documents; (d) enforcing or protecting RCBC’s rights in the prosecution or defense of this MoU RCBC or its directors, officers, or employees with regards to disputes or claims pertaining to the products and ensure that services of RCBC; (e) allowing RCBC to perform its obligations and provide the services under any applicable privacy policy law, rules and regulations, contract, or orders from any court or quasi-judicial and administrative offices including the neces-sary reporting, transfer and disclosures to any credit insti-tutions or its members; (f) protecting the MERCHANT and/or RCBC against fraudulent, unauthorized, or illegal actions and/or related transactions; (g) allowing RCBC, its affiliates and/or subsidiaries, agents and third parties selected by any of them to perform the Foundation and/or required customer due diligence client identification, risk profile assessment or comply with regulatory obligations on money-laundering, terrorist financing, and risk management; (h) offer products and services of RCBC and any of its subsidiaries and affiliates or third party is adhered to. The Personal Data will be shared with partners, including data profiling, processing, monitoring, reviewing, reporting, storing, statistical and risk analysis purposes; and (i) any other instances analogous to the Foundation foregoing or authorized by the MERCHANT or any other third-party on behalf of the Foundation, which will comply with applicable data privacy and data protection laws and maintain same level of data protection security measures. Partner Institute shall duly obtain the express consent from the students/candidates/data owner as per the attached Annexure V – Personal Data d. The Data collected by Foundation under this MoU will be retained during the term of this MoU, entire enrollment period and thirty-six (36) months post completion of the enrolled courses under the Program, whichever is later. Foundation may require Partner Institute/students/candidates/data owners for additional/further information for impact assessments of the Programor regulations. e. In the event of a conflict with the remainder of this MoU or the MoU becomes void, this clause will prevail as separate data processing agreement between the Parties.