Policies on Data Usage (RTI Master Subscription Agreement Annex B)

This annex outlines the policies on data retention and data ownership, and RUSH's Privacy Policy.

1. Data Retention

Notwithstanding the provisions of the Data Processing Agreement below, the following shall govern RTI’s data retention policies:

1.1 Account and Contact Information. RTI will only retain such data as long as necessary for the purpose for which it was collected, as laid out in RTI privacy policy and terms of service, including any legal retention period, or as long as necessary to carry out a legitimate and reasonable promotion of RTI products and services.

1.2 Customer, Organization, Rewards, and Product Data. RTI will only retain this data as long as necessary for providing the Service Merchant has subscribed to. Should Merchant cancel their Subscription Package, Merchant’s data will be kept for one (1) day. After which, it shall be permanently deleted.

1.3 Transaction Data. RTI will only retain this data as long as necessary for providing the Service Merchant has subscribed to for up to 13 months, after which, it shall be deleted. Should Merchant cancel its Subscription Package, the remaining transaction data will be kept for one (1) day. After which, it shall be permanently deleted.

1.4 Other Service Data. Other data hosted inside the RUSH Software will be retained as long as necessary for providing the Service Merchant has subscribed to or up to 13 months, whichever RTI deems necessary for the Service Merchant has subscribed to. Should Merchant cancel its Subscription Package, the remaining transaction data will be kept for one (1) day. After which, it shall be permanently deleted.

1.5 Suspended Subscriptions Packages. In the event of suspension due to non-payment, data shall be kept in the RUSH Software for thirty (30) days. After which, it shall be permanently deleted.


2. Data Ownership


2.1 Ownership of Intellectual and Proprietary Works or Materials. Each party reserves their exclusive rights to proprietary works or materials including, but not limited to, electronic or print products, content files, software programs (including source and object code), specialized systems, specifications, drawings, figures, tables, diagrams, trademarks, logos, documentation, and materials (collectively referred to as the “Proprietary Products”), existing prior to the rendition by RTI of particular services under this Agreement. Any intellectual property, work, or creation that will or may be created, developed or result from any specific work or implementation of services under this Agreement, shall be governed by the relevant law, or other separate agreement between the Parties.

2.2 RTI represents and warrants that any Pre-Existing Materials included or contained in the Proprietary Products are owned or licensed by RTI, and that RTI is authorized to use and display such items in the manner contemplated by this Agreement. RTI shall be solely responsible for the validity of copyrights, trademarks and ownership of Pre-Existing Materials claimed by RTI. In addition, RTI represents and warrants that the Proprietary Products do not infringe any third party’s copyrights, trademarks, trade secrets or patents; however, the foregoing representations and warranties shall not apply to the extent the Proprietary Products include materials, software, specifications, designs, content or other items provided by the Merchant to RTI.


3. Data Processing Agreement/Privacy Policy

PURPOSE.
This Agreement is executed to enable the VENDOR to collect and/or process Personal Data of Data Subjects, subject to the herein terms and conditions, and consistent and limited to the purpose and types of Personal Data as specified in herein and in the MSA.

ARTICLE 1: DEFINITIONS
The following terms shall be defined as follows:

1.1 Merchant Personal Data refers to Personal Data that the MERCHANT discloses to RTI, or which RTI processes or possesses on behalf of the MERCHANT, or RTI otherwise obtains as a result of, or in connection with, this Agreement.

1.2 Commission refers to the National Privacy Commission of the Philippines or the NPC;

1.3 Consent refers to any freely given, specific, informed indication of will, whereby the Data Subject agrees to the collection and processing of his or her personal, sensitive personal, or privileged information. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of a Data Subject by a lawful representative or an agent specifically authorized by the Data Subject to do so;

1.4 Data Privacy Act of 2012 (“DPA”) refers collectively to Republic Act No. 10173 of the Philippines, the corresponding Implementing Rules and Regulations (“IRR”) of Republic Act No. 10173, any amendment to Republic Act No. 10173 or the IRR, and issuances of the NPC;

1.5 Data Protection Officer refers to an individual designated by each Party, as provided in Clause E of this Agreement, who is accountable for compliance with the DPA, its IRR, and other issuances of the NPC;

1.6 Data Subject refers to an individual whose personal, sensitive personal, or privileged information is processed;

1.7 Personal Data refers to either of the following:


1.7.1 Personal Information refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual; or
1.7.2 Sensitive Personal Information refers to personal information:
a. About an individual's race, ethnic origin, marital status, age, color and religious, philosophical, or political affiliations;
b. About an individual's health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
c. Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
d. Specifically established by an executive order or an act of Congress to be kept classified.


1.8 Personal Data Breach refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

1.9 Personal Information Controller (“PIC”) refers to the party who controls the processing of Personal Data, or instructs another to process Personal Data on its behalf. There is control if the party decides on what information is collected, or the purpose or extent of its processing. For purposes of this Data Processing Agreement, the MERCHANT shall be the PIC.

1.10 Personal Information Processor (“PIP”) refers to any natural or juridical person or any other body to whom a Personal Information Controller may outsource or instruct the processing of Personal Data pertaining to a Data Subject. For purposes of this Agreement, RTI shall be the PIP.

1.11 Personnel shall refer to the directors, employees, agents, consultants, successors, and assigns, or otherwise acting under the authority of RTI as provided in Section 4 of this Agreement;

1.12 Processing refers to any operation or any set of operations performed upon Personal Data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of data. Processing may be performed through automated means, or manual processing, if the Personal Data are contained or are intended to be contained in a filing system.

1.13 Security Incident refers to an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data. It includes incidents that would result to a personal data breach, if not for safeguards that have been put in place;

ARTICLE 2: RESPONSIBILITIES OF THE PARTIES

2.1 The responsibilities of the MERCHANT as the PIC are as follows:

2.1.1 As a PIC of the Personal Data in their original possession, such PIC shall warrant and be responsible for (a) ensuring it collects the Personal Data lawfully and in accordance with the requirements of the DPA and applicable data privacy laws; (b) obtaining the necessary prior consent of the Data Subject over the collection of their Personal Data; (c) apprising the Data Subject of the nature, purpose, and extent of the processing of his or her Personal Data, including the identity of PIC; and (d) his or her rights as a Data Subject, and how these rights can be exercised.
2.1.2 The PIC shall be responsible for the quality of the Personal Data being shared. The DPO of MERCHANT shall take into account existing controls in the collection and processing of Personal Data that will be shared in order to give reasonable assurance that it is accurate and up to date. Adequate care must be undertaken specifically for Sensitive Personal Information.

2.2 The responsibilities of RTI as the PIP are as follows:

2.2.1 It shall not share Merchant Personal Data with any third party without the prior written permission and instruction of the MERCHANT.
2.2.2 It shall use or process Merchant Personal Data only for the purpose of fulfilling its obligations under this Agreement. RTI shall not otherwise use or process Merchant Personal Data unless in accordance with MERCHANT’s documented instructions.
2.2.3 It shall segregate Merchant Personal Data from its own and its other clients’ data.
2.2.4 It shall not subcontract nor engage a third party or Personal Information Processor to process Merchant Personal Data without the prior knowledge and written agreement of the MERCHANT, and only after the third party has provided all the necessary assurances and guarantees that it has adequate organizational, technical, and physical security measures to protect Personal Data.
2.2.5 It undertakes that it will not, at any time, whether during the course of, or after the Term of this Agreement, exploit or modify any Personal Data of any person.
2.2.6 RTI shall comply with all the requirements under the Data Privacy Act of 2012, including the appointment of a Data Protection Officer among others, at its own cost.
2.2.7 All right, title, and interest in the Personal Data shall remain the property of the MERCHANT. RTI shall not have any right or claim of ownership to the Personal Data. RTI shall cooperate with the MERCHANT to protect Personal Data.
2.2.8 RTI shall not transfer Merchant Personal Data to a jurisdiction outside the Philippines without the prior written consent of the MERCHANT. In case the MERCHANT provides such written consent, RTI shall comply with the applicable requirements of the Data Privacy Act of 2012 and other applicable laws of the jurisdiction where Merchant Personal Data will be transferred to. In case MERCHANT provides such written consent, VENDOR shall comply with the applicable requirements of the Data Privacy Act of 2012 and other Applicable Laws of the jurisdiction where shared Personal Data will be transferred to and ensure the protection of shared Personal Data in accordance with the standards set forth in this Agreement. Where such transfers involve a third party, RTI, as the Data Importer, shall disclose to MERCHANT, the Data Exporter, the identity of such third party prior to the transfer and shall ensure that the third party is contractually bound to the same obligations of a Receiving Party under this Agreement.
2.2.9 In case of any judicial order, governmental action, or legal obligation requiring RTI to disclose Merchant Personal Data, RTI shall immediately inform the MERCHANT thereof. RTI shall support and cooperate in the intervention of the MERCHANT in contesting the judicial order, governmental action, or legal obligation, or minimizing the scope of the disclosure.
2.2.10 If in the course of the implementation of this Agreement, RTI shall disclose to the MERCHANT any Personal Data, such as Personal Data of RTI’s Personnel, or it becomes inevitable for the MERCHANT to process such Personal Data for RTI’s completion of the services under this Agreement (such as where RTI shall send its Personnel to a MERCHANT site monitored by CCTVs which captures images), RTI warrants that it has obtained the valid and legally-compliant consent of such individuals to have their Personal Data disclosed to the MERCHANT and that such consent continues to be effective, valid, and legally-compliant at the time of disclosure to the MERCHANT.


ARTICLE 3: ORGANIZATIONAL, TECHNICAL, AND PHYSICAL SECURITY MEASURES

3.1 RTI shall have in place appropriate organizational, technical, and physical security measures that protect Personal Data from Security Incidents and Personal Data Breaches. RTI shall implement security measures which include at least:


3.1.1 Specific controls such as, but not limited to, access controls, host security, business continuity plan, perimeter security, and other measures reasonably necessary to ensure confidentiality, integrity, and availability of Personal Data,
3.1.2 Measures to securely dispose of the Personal Data, taking into account available technology so that such information cannot be practicably read or reconstructed,
3.1.3 Plans and procedures to recover Personal Data following an unplanned event resulting in an interruption of or inaccessibility of Personal Data,
3.1.4 Implementing logging and auditing techniques for access to Personal Data processes,
3.1.5 Use of anonymization, pseudonymization, and encryption of Personal Data as appropriate, taking into account the risks that are presented by the processing, and
3.1.6 Regular testing of the effectiveness of the security measures implemented.


3.2 RTI shall ensure that Personal Data is backed up on a regular basis, and that any backup is subject to security measures as necessary to protect the confidentiality, integrity, and availability of Personal Data.

3.3 RTI shall restrict the use of any access granted by the MERCHANT to its systems only for such purposes as authorized under this Agreement, to prevent misuse and abuse of such access. Procedures shall be in place to ensure that RTI employees’ access to Merchant Personal Data, systems, and applications is for the purposes of this Agreement and for no other reason.

3.4 The MERCHANT has the right to revoke access of RTI or access of any of RTI’s Personnel without notice.

3.5 RTI shall ensure that its Personnel will not perform any duties incompatible with the fulfillment of his/her roles and responsibilities.

3.6 RTI shall not perform any means to circumvent the security mechanisms in place or exploit vulnerabilities present in the MERCHANT’s systems and/or applications.

3.7 RTI shall be responsible for any activities performed by its Personnel on the MERCHANT’s data, systems, and applications and develop a process for reviewing work performed by its Personnel to determine the appropriateness of activities performed and checks for suspicious transactions if any.

3.8 RTI shall comply with all the items in the MERCHANT’s Information Security and Data Privacy (“ISDP”) Control Requirements which signifies the compliance of RTI to the MERCHANT’s Information Security and Data Privacy policies.


3.8.1 For any non-conformity to the MERCHANT’s ISDP Requirements, RTI shall prepare and submit a detailed Corrective or Preventive Action Plan with a timeline acceptable to the MERCHANT, within 15 days upon notice.
3.8.2 RTI shall ensure closure of findings, rectification of non-conformities, and implementation of agreed recommendations to address the non-conformities within the timeline agreed with MERCHANT.

ARTICLE 4: PERSONNEL

4.1 RTI shall take steps to ensure that any person acting under its authority and who has access to Merchant Personal Data, does not process them except for purposes of this Agreement or as required by law.

4.2 RTI shall disclose the Merchant Personal Data only to its Personnel who need to have access to it only for the purpose set out in this Agreement, and shall ensure that they adhere and abide by these terms and conditions in writing. RTI shall keep a log or written record of the names of all individuals or entities to whom Merchant Personal Data was disclosed and the type of Merchant Personal Data (ex: name, mobile number and other Personal Data) which it disclosed to the said individual and entity, and make available the same to the MERCHANT immediately upon demand. For this purpose, RTI warrants that it has obtained the valid and legally-compliant consent of such individuals to have their names and such other relevant data disclosed to the MERCHANT and that such consent continues to be effective, valid, and legally-compliant at the time of disclosure to the MERCHANT.

4.3 RTI shall ensure that its Personnel engaged in the Processing of Merchant Personal Data are informed of and understand the confidential nature of the Merchant Personal Data and are subject to obligations of confidentiality, and that such obligations survive the termination of that Personnel’s engagement or relationship with each Party.

4.4 RTI shall take reasonable steps to ensure the reliability of any of its Personnel who has access to Merchant Personal Data, such as ensuring he or she has received appropriate training in data protection prior to their access or Processing of Merchant Personal Data and has signed a written undertaking that he or she understands and will act in accordance with his or her responsibilities of confidentiality under this Agreement.


ARTICLE 5: DATA SUBJECT ACCESS RIGHTS

5.1 The Parties recognize that Data Subjects have express rights under the DPA and applicable data privacy laws which provide for the protection and confidentiality of their Personal Data. Data Subjects have a right to see what Personal Data is held about them, and to know why and how it is processed. Any inquiry or request of Personal Data by a Data Subject can be made by submitting a written request with the Data Protection Officers named in Clause E of this Agreement.

5.2 The MERCHANT, as a Personal Information Controller, has an obligation to respond to any request or complaint by a Data Subject. RTI, as a Personal Information Processor, shall:


5.2.1 immediately notify the MERCHANT if it receives a request from a Data Subject under the Data Privacy Act of 2012 and applicable data privacy laws with respect to Merchant Personal Data; and
5.2.2 ensure that it does not respond to that request except on the documented instructions of the MERCHANT, or as required under the Data Privacy Act of 2012, in which case RTI shall to the extent permitted by Data Privacy Act of 2012, inform the MERCHANT of that legal requirement before responding to the request.


5.3 The MERCHANT, with the assistance and cooperation of RTI as necessary, shall rectify the complaint by any Data Subject within thirty (30) days from receipt of any such complaint. The Data Subject shall be given a response in writing describing how the complaint was rectified and how the situation complained of will be avoided moving forward.

5.4 RTI shall have an established procedure in upholding and enforcing Data Subject rights. They shall provide a mechanism for MERCHANT to be indemnified for any cost it will incur for any liability paid to any Data Subject who suffers any damages due to inaccurate, incomplete, outdated, false, and unlawfully obtained Personal Data and/or unauthorized use of Personal Data by RTI.


ARTICLE 6: BREACH MANAGEMENT AND NOTIFICATION


6.1 RTI shall immediately notify the MERCHANT if RTI becomes aware of any potential or actual security or data privacy incident involving Merchant Personal Data, in relation to Articles 2.2.8 and 2.2.9. The MERCHANT shall have the sole discretion to deny, suspend or withdraw any control-related process, such as but not limited to access or retrieval of Merchant Personal Data, granted to RTI, without need of prior written notice to RTI, to protect the rights of the MERCHANT or a Data Subject.


6.1.2 If RTI suspects or becomes aware of any Security Incident within its network, operating systems, software applications, data storage systems, media channels, or other office procedures, RTI shall notify the MERCHANT in writing within twenty-four (24) hours from the occurrence or discovery of the Security Incident and shall fully cooperate with the MERCHANT, at RTI’s cost, to prevent, mitigate, or remediate the Security Incident.

6.1.3 In case the Security Incident amounts to a Personal Data Breach as defined under the Data Privacy Act of 2012, RTI shall immediately comply with the requirements of the Data Privacy Act of 2012, and shall take the appropriate steps to remedy the Personal Data Breach.


6.2 RTI shall implement policies and procedures for guidance of its Personnel in the event of a Security Incident or Personal Data Breach, including but not limited to:


6.2.1 A procedure for the timely discovery of a Security Incident or Personal Data Breach, including the identification of person or persons responsible for regular monitoring and evaluation of Security Incidents or Personal Data Breaches;
6.1.2 A policy for documentation, regular review, evaluation, and updating of the privacy and security policy and practices;
6.1.3 Clear reporting lines in the event of a Security Incident or Personal Data Breach, including the identification of a person responsible for setting in motion the Security Incident or Personal Data Breach incident response procedure, and who shall be immediately contacted in the event of a possible or confirmed Security Incident or Personal Data Breach;
6.2.4 A process to conduct a preliminary assessment for purposes of:
a. Assessing the nature and scope of the Security Incident or Personal Data Breach and the immediate damage;
b. Determining the need for notification of law enforcement or external expertise; and
c. Implementing immediate measures necessary to secure any evidence, contain the Security Incident or Personal Data Breach, and restore integrity to the Personal Data;
6.2.5 A process for evaluating the Security Incident or Personal Data Breach as to its nature, extent and cause, the adequacy of safeguards in place, immediate and long-term damage, impact of the breach, and its potential harm and negative consequences to Merchant Personal Data and affected Data Subjects;
6.2.6 A procedure for contacting law enforcement in case the Security Incident or Personal Data Breach involves possible commission of criminal acts;
6.2.7 A process of conducting investigations that will evaluate fully the Security Incident or Personal Data Breach;
6.2.8 A procedure for immediately notifying the PIC when the Security Incident or Personal Data Breach is subject to the notification requirement under the Data Privacy Act of 2012; and
6.2.9 A list of measures and procedures for mitigating the possible harm and negative consequences to the PIC and to the affected Data Subjects in the event of a Security Incident or Personal Data Breach. RTI must be ready to provide assistance to the Data Subjects of the MERCHANT whose Personal Data may have been affected.

6.3 RTI shall have the manpower, system, facilities and equipment in place to properly monitor access to Merchant Personal Data, and to monitor and identify a Security Incident or Personal Data Breach. If RTI becomes aware of any Security Incident or Personal Data Breach on its Personnel, premises, facilities, system, or equipment, it shall:

6.3.1 Notify the MERCHANT of the Security Incident or Personal Data Breach by written notification or notification to the MERCHANT’s DPO counterpart via email within twenty-four (24) hours from knowledge or discovery thereof. The notification shall at least specify (a) the time, date, location, and description of the breach, including a description of affected and/or potentially affected Personal Data; (b) the categories and approximate number of Data Subjects and records concerned; (c) assessment of the likely consequences of the breach; and (d) measures taken and/or to be taken to mitigate the consequences of the breach;
6.3.2 Investigate the Security Incident or Personal Data Breach and provide the MERCHANT with information about the Security Incident or Personal Data Breach, and apprise the MERCHANT of any additional information related to the Security Incident or Personal Data Breach that may become available after initial notification; and
6.3.3 Take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident or Personal Data Breach, and undertake immediate action to prevent a repeated occurrence of the Security Incident or Personal Data Breach.
6.3.4 Not issue any press release or any public notice that relates to the Personal Data Breach without the MERCHANT’s prior approval.


6.4 RTI shall cooperate with the MERCHANT on incident investigation requirements for any Security Incident or Personal Data Breach of Merchant Personal Data. The MERCHANT may require RTI to provide further details and actions taken on the Security Incident or Personal Data Breach.

6.5 For the avoidance of doubt, there shall be no more Processing of Merchant Personal Data by RTI in the event of a material breach of this Agreement.

ARTICLE 7: AUDIT

7.1 The MERCHANT shall have the right to audit and inspect the organizational, technical, and physical security measures implemented by RTI to check for compliance with this Agreement, security policies, and applicable data privacy laws.

7.2 In the course of such audit, the MERCHANT may conduct the following measures including but not limited to:


7.2.1 Obtaining any and all relevant information from RTI necessary to demonstrate its compliance with this Agreement;
7.2.2 Requesting RTI to submit an existing attestation or certificate by an independent professional expert on their compliance to the Data Privacy Act of 2012 and applicable data privacy laws, and the security requirements therein; and
7.2.3 Conducting an on-site inspection of the business operations of RTI or have the same conducted by a qualified third-party auditor or assessor, which shall not be an existing independent consultant of RTI. The on-site inspection shall be conducted during regular business hours and with reasonable and timely advance notice to RTI.


7.3 RTI shall by written request and within a reasonable period of time, submit to the MERCHANT any and all information, documentation, and/or other means of factual proof necessary for the conduct of an audit.

7.4 The MERCHANT, upon its discretion, may extend its review, if needed, and RTI is expected to heed the request until the MERCHANT is satisfied with the conduct of the review.

7.5 RTI shall assure the MERCHANT of its transparency and readiness to entertain anytime the latter’s request for announced or unannounced inspection of RTI’s organization, sites, facilities, etc. especially during the conduct of an investigation.

7.6 RTI shall, within 30 days of receiving the due diligence report, provide MERCHANT with a written report outlining the corrective actions that RTI has implemented or proposes to implement with the schedule and current status of each corrective action. RTI shall update this report to the MERCHANT every 30 days, reporting the status of all corrective actions through the date of implementation. RTI shall implement all corrective actions within 90 days of RTI's receipt of the due diligence or audit report.

ARTICLE 8: RETENTION PERIOD OF PERSONAL DATA

8.1 RTI should only process and retain Merchant Personal Data for the duration of this Agreement, and Merchant Personal Data shall be deleted upon expiry thereof. Specific justification approved by the MERCHANT, in writing, is required for processing of Merchant Personal Data beyond this period.

8.2 RTI shall inform the MERCHANT of its Data Disposal Policy and Procedure. Within sixty (60) days from termination of this Frame Agreement, Purchase Order and/or Supplemental Agreement, unless a longer period has been agreed upon, the MERCHANT may request RTI to copy the MERCHANT Data (which includes Merchant Personal Data) stored in RTI’s storage and processing systems. Thereafter, RTI shall properly dispose and delete Merchant Personal Data from the storage and processing systems of RTI, and its approved subcontractors, if any. RTI shall submit to the MERCHANT a notarized attestation stating that RTI has properly disposed and deleted Merchant Personal Data in accordance with this Agreement.

8.3 If a complaint is received about the accuracy of Merchant Personal Data which affects Personal and/or Sensitive Personal Information shared with RTI, revised Merchant Personal Data will be communicated to RTI. RTI must immediately replace the outdated data with the revised data.

ARTICLE 9: RETURN OR DESTRUCTION OF PERSONAL DATA

9.1 Upon MERCHANT’s request, or the expiration or termination of this Agreement, RTI shall, without undue delay, and in no case beyond thirty (30) days from such MERCHANT’s request, or expiration or termination of this Agreement:


9.1.1 Return all Merchant Personal Data in any recorded form including all other documents, reports and other data subsets created from the processing of same, and other property, information, and documents provided by the MERCHANT;
9.1.2 Destroy all copies of Merchant Personal Data and any other property, information and documents if requested by the MERCHANT. For print-outs or other tangible formats, the document will be shredded. For data in electronic form, the document must be permanently deleted, wiped, overwritten, or otherwise made irretrievable;
9.1.3 Ensure and warrant the permanent deletion of all Merchant Personal Data shared to it from the systems of its Personnel and approved subcontractors, if any, in accordance with Article 2.2.4 herein; and
9.1.4 Deliver to the MERCHANT a certificate confirming RTI’s compliance with the return or destruction obligation under Article 9 of this Agreement, if requested by the MERCHANT.


9.2 In cases where the MERCHANT receives a request from its customers for the deletion of Merchant Personal Data under the custody of RTI, the MERCHANT shall forward this request to RTI and RTI shall have a process to accommodate this request.


9.2.1 The MERCHANT shall have the sole responsibility of determining the validity of the request for deletion and shall only forward valid requests for deletion to RTI.
9.2.2 Upon receiving the request for deletion, RTI shall proceed with deleting the subject Merchant Personal Data, and thereafter email the MERCHANT confirming such deletion.

ARTICLE 10: LIABILITIES

10.1 Each Party shall be liable for any damage or loss that results from its failure or refusal to perform any obligation under this Agreement, or its breach of the warranties and representations made herein.

10.2 The compensation for any liability incurred by either of the Parties as a result of the failure or refusal to perform any obligation under this Agreement, or the breach of any of the warranties and representations made herein, shall be governed by the pertinent provisions of the Letter Agreement entered into between the MERCHANT and RTI.

10.3 In case the Security Incident or Personal Data Breach of RTI is material and substantial, and such will cause the MERCHANT irreparable injury for which it would have no adequate remedy at law, and for which there is an urgent and permanent necessity to prevent serious damage, the MERCHANT shall be entitled to immediately seek an injunctive relief prohibiting any violation of this Agreement, in addition to any other rights and remedies available to it.

10.4 RTI shall defend, indemnify, and hold the MERCHANT, its affiliates, and their respective officers, directors, stockholders, employees, and agents, harmless from and against any and all claims, suits, causes of action, liability, loss, costs, and damages, including attorney’s fees and costs of litigation, in connection with or as a result of any third party claim arising from the Security Incident or Personal Data Breach of RTI.


ARTICLE 11: MISCELLANEOUS PROVISION

11.1 Entire Agreement. This Agreement constitutes the entire agreement between the Parties with respect to the subject matter hereof. It excludes and supersedes everything else which has occurred between the Parties whether written or oral, including all other communications with respect to the subject matter hereof.

11.2 Amendment and Modification. This Agreement may not be amended or modified except in writing, dated and signed by both Parties.

11.3 Separability Clause. If any provision of this Agreement is illegal or unenforceable, its invalidity shall not affect the other provisions of this Agreement that can be given effect without the invalid provision. If any provision of this Agreement does not comply with any law, ordinance or regulation, such provision to the extent possible shall be interpreted in such a manner to comply with such law, ordinance or regulation, or if such interpretation is not possible, it shall be deemed to satisfy the minimum requirements thereof.

11.4 Legal Capacity of Representatives. Each Party represents and warrants to the other Party that its representative executing this Agreement on its behalf is its duly appointed and acting representative and has the legal capacity required under the applicable law to enter into this Agreement and bind it.

11.5 Governing Law and Venue. This Agreement shall be governed by and construed in accordance with the laws of the Republic of the Philippines, without regard to any conflicts of law rules. Exclusive jurisdiction over and venue of any suit arising out of or relating to this Agreement shall be in the courts of Taguig City. The Parties hereby consent and submit to the exclusive jurisdiction and venue of those courts.

11.6 Counterparts. This Agreement may be executed in any number of counterparts, each of which is an original, but all of which together constitute one and the same agreement.

11.7 Electronic Signatures. This Agreement may be executed electronically or by way of electronic signature and such electronic signatures shall be deemed original signatures, have the same force and effect as manual signatures and binding upon the Parties. If this Agreement shall be executed electronically, the best evidence of this Agreement shall be a copy of this Agreement bearing an electronic signature, in portable document format (.pdf) form, or in any other electronic format intended to preserve the original graphic and pictorial appearance of a document.

11.8 In case of conflict of provisions between this Data Processing Agreement and the Data Retention policy as provided for in this annex, the latter shall prevail.

 

Effective Date: February 27, 2023