Data Privacy Agreement - BDO

The document outlines the obligations of both parties (receiving and disclosing) in relation to processing personal data according to the Data Privacy Act of 2012. The receiving party agrees to: 1) comply with instructions from the disclosing party and notify them of any issues; 2) ensure confidentiality and only allow necessary access to data; 3) maintain appropriate security measures to protect data. The parties also agree to assistance in responding to individual requests and ensuring overall compliance with privacy laws.

Uploaded by

덕덕이

OUTSOURCING AGREEMENT SUPPLEMENT

BDO IS BOTH THE RECEIVING PARTY AND DISCLOSING PARTY

SUPPLEMENT TO CMS MASTER AGREEMENT dated _____________ (the “Agreement”) between _________________________________________________ and BDO Unibank, Inc. (individually referred to as a “Party,” and both referred to as “Parties”)

The Parties have adopted or will adopt, to the extent possible, the "Data Privacy Principles" as indicated in the Implementing Rules and Regulations of Republic Act 10173, otherwise known as the Data Privacy Act of 2012 ("Principles"), as may be modified from time to time, recognizing the importance of appropriate privacy protections for consumer data. The Parties, as personal information processors, agree that they (including their respective directors, officers, employees, subsidiaries, representatives, sub-contractors, or agents) will comply with the Principles. The Parties further warrant that they have implemented and currently adhere to privacy principles, policies, or practices that are fully compliant with the Principles and the Applicable Data Protection Law (as defined below).

The Party who has received or will receive Personal Data (the “Receiving Party”) and the Party who has disclosed or will disclose Personal Data (the “Disclosing Party”) in relation to or in connection with the provisions of the Agreement, as supplemented by this Supplement, shall strictly comply with the following obligations.

I. Definitions

For purposes of this Supplement, the following definitions shall apply:

(a) “Personal Information”, “Sensitive Personal Information”, “Personal Data”, “Data Subject”, “Processing”, “Personal Information Controller”, and “Personal Information Processor”, shall have the same meaning as set forth in the Implementing Rules and Regulations of Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012, as may be amended and supplemented from time to time;

(b) “Applicable Data Protection Law” means Republic Act No. 10173, also known as the Data Privacy Act of 2012, its Implementing Rules and Regulations, other relevant laws and issuances by the NPC, and any other legislation protecting the fundamental rights and freedoms of individuals, and in particular, their right to privacy with respect to control and processing of Personal Data, as well as foreign legislation and issuances protecting the right of individuals to privacy, if applicable;

(c) “Circular 16-03” means the Circular issued by the NPC on December 15, 2016 entitled “Personal Data Breach Management,” as may be amended or supplemented from time to time;

(d) “NPC” means the National Privacy Commission;

(e) “Personal Data Breach” shall have the same meaning as set forth in Circular 16-03;

(f) “Services” means the acts and services required to be rendered or performed under the Agreement;

(g) “Technical, Physical, and Organizational Security Measures” means those measures aimed at protecting Personal Data transmitted, stored, or otherwise processed against improper, unauthorized, accidental or unlawful processing, destruction or loss, disposal, alteration, disclosure, or access, and against all other unauthorized and unlawful forms of processing.

II. Transfer of Personal Data

The term of this Supplement, the purposes of processing, the types of Personal Data being processed, the manner of processing, the location of processing, and the details of online access to Personal Data are specified in Appendix I, which forms an integral part of this Supplement.

III. Obligations of The Receiving Party as Personal Information Processor

The Receiving Party agrees and warrants the following:

(a) It will process the Personal Data only on behalf of the Disclosing Party for purposes stated in the Agreement and in compliance with its documented instructions. If the Receiving Party cannot provide such compliance for whatever reason, it agrees to inform the Disclosing Party promptly of its inability to comply, in which case the Disclosing Party at its sole option is entitled to suspend the transfer of data and/or terminate the Agreement;

(b) Nothing prevents it from fulfilling the instructions received from the Disclosing Party and its obligations under the Agreement, and if it becomes aware of any event which is likely to have a substantial adverse effect on the warranties and obligations set forth in this Supplement, it will promptly notify the Disclosing Party of such event, in which case the Disclosing Party is entitled to either suspend the transfer of data and/or terminate the Agreement;

(c) It will ensure that an obligation of confidentiality is imposed on persons authorized to process the Personal Data and take reasonable steps to ensure the reliability and integrity of any its personnel who have access to the Personal Data. Further, the Receiving Party shall disclose Personal Data or permit access to such Personal Data only to those authorized personnel with a need to know basis, and shall only provide such Personal Data to enable its authorized personnel to provide the Services set forth in the Agreement;

(d) It has implemented and currently maintains the appropriate Technical, Physical and Organizational Security Measures which comply with the Applicable Data Protection Law prior to and throughout the duration of the processing of Personal Data transferred by the Disclosing Party;

(e) It will not engage another processor without prior written instruction from the Disclosing Party; Provided, that if allowed by the Disclosing Party to engage another processor, the Receiving Party’s agreement with the processor shall ensure that the same obligations for data protection under the Agreement and Applicable Data Protection Law are implemented, taking into account the nature of the processing;

(f) It will promptly notify the Disclosing Party about:

i. Any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation; and

ii. Any requests received from Data Subjects, without responding to such requests, unless it has been authorized to do so by the Disclosing Party;

(g) It will assist the Disclosing Party in fulfilling its obligation to respond to requests by Data Subjects relative to the exercise of their rights under the Applicable Data Protection Law. To this extent, the Receiving Party agrees to assist the Disclosing Party in responding to requests from Data Subjects, including, but not limited to, their right to access, copy, correct, rectify, erase or remove their Personal Data;

(h) It will assist the Disclosing Party in ensuring compliance with the Applicable Data Protection Law, taking into account the nature of processing and the information available to the Receiving Party;

(i) After the end of the provision of Services relating to the processing, the Receiving Party shall ensure that the Personal Data are properly disposed of in such a way that would prevent further processing as well as improper, unauthorized, accidental or unlawful access;

(j) It will immediately inform the Disclosing Party if, in its opinion, any of its instruction infringes the Applicable Data Protection Law;

(k) It will not transfer any Personal Data, including transfer to another country or to a subcontractor in another country, without the express written consent of the Disclosing Party. If the Disclosing Party provides consent, the Receiving Party shall provide a written undertaking that the Personal Data transferred to another country will be protected at a standard that is comparable to that under the Applicable Data Protection Law;

(l) It will register itself and its relevant systems to comply with the provisions of the Applicable Data Protection Law;

(m) It will update its relevant systems and its Technical, Physical, and Organizational Security Measures as necessary to comply with the provisions of the Applicable Data Protection Law;

(n) It will immediately report any Personal Data Breach or any other violation of the Applicable Data Protection Law to the Disclosing Party and to the appropriate regulatory authority, as applicable. The report should contain detailed information about those matters required under Circular 16-03 and other Applicable Data Protection Law;

(o) In the event of Personal Data Breach, it will assist and cooperate with the Disclosing Party to investigate and remediate the breach, cooperate with any relevant regulatory authority or law enforcement official, and assist with any required notification to Data Subjects;

(p) It will strictly adhere to and adopt the guidelines and security measures in Rules II to IV of Circular 16-03 to prevent Personal Data Breach;

Authorized Signatory Authorized Signatory BDO Authorized Signatory BDO Authorized Signatory
(q) It will update itself, on a regular basis, on the issuances of the NPC and relevant regulatory authorities in relation to Applicable Data Protection Law and strictly adhere thereto;

(r) It will cooperate, upon the Disclosing Party’s request, in any data protection impact assessment, audit or inspection or any inquiry or notice received from any relevant regulatory authority or law enforcement official.

IV. Warranties of the Disclosing Party

The Disclosing Party warrants that:

(a) It has implemented and currently maintains the appropriate Technical, Physical and Organizational Security Measures which comply with the Applicable Data Protection Law prior to and throughout the duration of the processing of Personal Data transferred by the Disclosing Party;

(b) It has full capacity and authority to disclose the Personal Data to the Receiving Party;

(c) It has complied with the requirements of Applicable Data Protection Law and has obtained sufficient written consent from the data subjects to whom the Personal Data pertains, if necessary, to enable to the Receiving Party to perform the Services and its other obligations under the Agreement, and it will provide proof of such consent when requested by the Receiving Party.

(d) It will assist the Receiving Party in ensuring compliance with the Applicable Data Protection Law, taking into account the nature of processing and the information made available to the Receiving Party;

(e) In the event of Personal Data Breach, it will assist and cooperate with the Receiving Party to investigate and remediate the breach, cooperate with any relevant regulatory authority or law enforcement official, and assist with any required notification to Data Subjects;

(f) It will strictly adhere to and adopt the guidelines and security measures in Rules II to IV of Circular 16-03 to prevent Personal Data Breach;

(g) It will update itself, on a regular basis, on the issuances of the NPC and relevant regulatory authorities in relation to Applicable Data Protection Law and strictly adhere thereto;

(h) It will cooperate, upon the Receiving Party’s request, in any data protection impact assessment, audit or inspection or any inquiry or notice received from any relevant regulatory authority or law enforcement official.

V. Subcontracting of Processing Services

(a) The Receiving Party shall not subcontract any of its processing operations performed on behalf of the Disclosing Party without the prior written consent of the Disclosing Party. Where the Receiving Party subcontracts its obligations under this Supplement with the consent of the Disclosing Party, it shall do so only by way of a written agreement with the subcontractor, which imposes the same obligations on the subcontractor as are imposed on the Receiving Party under this Supplement.

(b) The Receiving Party shall maintain a list of subcontracting agreements concluded under this Supplement, which shall be updated at least once a year. Upon the Disclosing Party’s request, the list and relevant agreements shall be made available to the Disclosing Party and/or to any relevant regulatory authority, if applicable.

VI. Obligations After the Termination of Personal Data Processing Services

The Parties agree that on the termination of the provision of data processing services, the Receiving Party shall ensure that the Personal Data are properly disposed of in such a way that would prevent further processing as well as improper, unauthorized, accidental or unlawful access.

VII. Liability and Indemnification

(a) The Parties agree that under the Applicable Data Protection Law, the Disclosing Party remains accountable for Personal Data under its control or custody, including Personal Data that have been transferred to the Receiving Party or its sub-contractors for processing. To this extent, the Receiving Party therefore agrees to irrevocably and unconditionally indemnify and hold the Disclosing Party, its officers, employees, and agents, free and harmless from and against any and all claims, suits, actions or demands or losses, damages, costs and expenses including, without limiting the generality of the foregoing, attorney's fees and costs of suit that the Disclosing Party may face, suffer or incur by reason or in respect of:

i. The Receiving Party’s or its sub-contractor’s breach of any of the warranties and obligations set forth in this Supplement, regardless of the cause of such breach; or

ii. Any act, omission or negligence of the Receiving Party or its sub-contractor that causes or results in the Disclosing Party being in breach of its obligations under the Applicable Data Protection Law.

(b) This Supplement shall survive the termination or expiration of the Agreement.

By signing this Supplement, the Parties agree that the terms hereof shall form an integral part of the Agreement, as well as any and all extensions, renewals, and amendments thereof, or supplements thereto.

VIII. Communications

For questions, requests, and notifications, communications may be coursed through (a) _______________________ designated Data Protection Officer or his/her replacement or substitute, at [dedicated email address] and (b) BDO Unibank, Inc.’s designated Data Protection Officer or his/her replacement or substitute, at data_protection_officer@bdounibankinc@[Link].

APPENDIX 1

Term of this Supplement: (refers to duration of the arrangement/project) Until terminated by either party

Purpose of processing – (refers to a description of why processing is performed) For collection and disbursement purposes

Types of Personal Data being processed – (refers to whether personal, sensitive personal or privileged information is processed) Personal, Sensitive personal and/or Privileged

Manner of processing – (refers to a description on how information will be processed, i.e. details of manual, automated or combination processing) Manual, Automated and/or Combination

Location of processing – (refers to where information will be processed) Client’s office address as indicated in the Master Agreement

Policy on the return, retention, or disposal of records – (refers to a description of how information will be returned, kept, and destroyed or removed) Compliant with BSP guidelines on the retention and disposal of records/documents

Details of online access to Personal Data (if applicable)

Justification for allowing online access – (refers to why online access should be provided) For collection and disbursement purposes

Parties that are granted online access – (refers to specific individuals who will be given online access – If not known, the name of the recipient company and a general statement, i.e. its authorized representatives may be indicated) All Business Online Banking and SFTP user/s authorized and enrolled by the Company

Types of personal data that are made accessible online – (refers to the details of personal information and/or sensitive personal information that will be accessed online. A statement on whether personal, sensitive personal or privileged information shall be accessible may suffice) Personal, Sensitive personal and/or Privileged

Estimated frequency and volume of the proposed access – (how often information is accessed; please clarify volume - This refers to number of accessible records online) Daily/Volume of transactions vary per day

Program, middle-ware and encryption method that will be used – (refers to the methods used to secure online access) Business Online Banking and Secure File Transfer Protocol

COMPANY NAME: BDO UNIBANK, INC.


Represented by:
Represented by:
Name: MA. VENUS F. BOHN / VP
Name:

Title: Name: MICHAEL ANTHONY A. MERESEN / VP

Authorized Signatory Authorized Signatory

