DATA PROCESSING ADDENDUM

This Data Processing Addendum (“Addendum”) is made on effective date (“Effective Date”)

Between: GOLDEN ARCHES DEVELOPMENT CORPORATION, a Philippine corporation with

its principal place of business at 16th to 17th Floors, BDO Towers Paseo, Paseo de Roxas,
Makati City (“GADC”)

And: NAME OF CONTRACTOR, a nationality corporation with its principal place of business
at address (“Contractor”).

This Addendum reflects the parties’ agreement with regard to the collection, use, Processing, disclosure,
and free movement of any Personal Data (as defined below) notwithstanding whether the parties actually
enter into a transaction or further agreement:

Purpose:
Categories of Personal Data:
This Addendum is being entered into for short description of the
business relationship or the Services
The following categories of Personal Data will be collected/Processed:
enumerate categories of Personal Data (ex., name, age, address, gender,
marital status, government issued identification, account/log-in
information, contact information, usage/performance data, social media
profiles, user identification or social network communications).

I. Definitions.
a. “Addendum” means this Data Processing Addendum.
b. “Affiliate” means any entity which: (i) controls, (ii) is controlled by, or (iii) under common control
with, GADC.
c. “Business Day” means a day other than a Saturday, a Sunday, or any other day on which the
principal banks located in the Philippines are not open for business.
d. “Confidential Information” means all information disclosed and/or furnished by one party to
the other, which is the subject of the Non-Disclosure Agreement or its equivalent entered into by
the parties.
e. “Data Privacy Act” means Republic Act No. 10173 and its implementing rules and regulations.
f. “Data Protection Officer” shall refer to the accountable officer of the Contractor who shall
monitor and report all data privacy matters which may arise from the Contractor’s performance
of the Services.
g. “Data Subject” refers to an individual whose Personal Data is processed.
h. “Effective Date” means the date by which this Addendum becomes effective to bind both
parties.
i. “Intellectual Property” means any and all: (i) trademarks and service marks, including all
applications and registrations, and the goodwill connected with the use of and symbolized by the
foregoing, (ii) copyrights, including all applications and registrations related to the foregoing, (iii)
trade secrets and confidential know-how, (iv) patents and patent applications, (v) websites and
internet domain name registrations, and (vi) other intellectual property and related proprietary
rights interests, and protections (including all rights to sue and recover and retain damages, costs
and attorney’s fees, present and future infringement, and any other rights relating to any of the
foregoing) owned a party in any jurisdiction throughout the world.
j. “Non-Disclosure Agreement” refers to the Non-Disclosure Agreement or its equivalent entered
into between the parties.
k. “PDRC” means the Philippine Dispute Resolution Center.
l. “Person” includes: (i) any corporation, company, limited liability company, partnership,
governmental authority, joint venture, fund, trust, association, syndicate, organization or other
entity or group of persons, whether incorporated or not, and (ii) any individual.
m. “Personal Data” refers to any information whether recorded in a material form or not, from
which the identity of an individual is apparent or can be reasonably and directly ascertained by
the entity holding the information, or when put together with other information would directly
and certainly identify an individual. Unless otherwise stated in this Addendum, this term shall
also include Sensitive Personal Information.

GADC LEGAL_RAD_2019 v. 1.0

 n. “Personal Data Breach” means a breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted,
stored or otherwise processed.
o. “Personal Data Retention” refers to the period that the Contractor is authorized to retain the
Personal Data.
p. “Process,” “Processes” or “Processing” refers to any operation or set of operations performed
upon the Personal Data including, but not limited to, the collection, recording, organization,
storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or
destruction of data.
q. “Purpose” is defined in Section II of this Addendum.
r. “Sensitive Personal Information” shall pertain to: (i) race, ethnic origin, marital status, age,
color, and religious, philosophical or political affiliations, (ii) health, education, genetic or sexual
life of a person, (iii) civil, criminal or administrative proceedings, (iv) unique identifiers issued by
government agencies peculiar to an individual, or (v) specifically established by law as classified.
s. “Services” means all services and/or deliverables of the Contractor to GADC.
t. “Sub-processor” means any employee, officer, director, consultant, agent, representative,
contractor, sub-contractor or service provider engaged by the Contractor who Processes Personal
Data on its behalf.
u. “Term” is defined in Section X(a) of this Addendum.

II. Purpose. The parties acknowledge and agree that GADC is granting the Contractor a limited, non-
exclusive, non-transferable, and revocable authority to access, copy, Process, and use the Personal
Data solely and exclusively for the purposes described as Purpose above.

III. Description of the Personal Data. Personal Data which is authorized for Processing under this
Addendum includes the categories of data enumerated as Categories of Personal Data above. The
Personal Data is provided “as is.” GADC does not make any warranty as to the accuracy or
completeness of the Personal Data.

IV. Contractor’s Obligations. To the extent that GADC authorized the use or Processing of the Personal
Data, the Contractor hereby agrees to comply with the following obligations:

a. Processing of Personal Data. Contractor hereby agrees to Process the Personal Data on behalf of
and in accordance with GADC’s documented statements, policies or instructions, solely and
exclusively in furtherance of the Purpose, and as required in the performance of the Services or
any applicable laws, rules or regulations. Unless otherwise authorized by GADC in writing,
Contractor will not (1) attempt to identify any Person whose Personal Data is being Processed, (2)
attempt to contact those Persons, or (3) copy, decompile, modify, reverse engineer or create
derivative works out of any of the Personal Data. Contractor shall promptly notify GADC if
Contractor receives a request from a Data Subject to exercise the Data Subject’s right of access,
right of rectification, restriction of Processing, right to be forgotten, data portability, object to the
Processing or its right not to be subject to an automated individual decision-making.

b. Data Protection Officer and Registration. No later than thirty (30) days from the effectivity of
this Addendum and upon mutual consent and agreement of the parties, the Contractor shall
designate a Data Protection Officer who shall be accountable in monitoring and reporting all data
privacy matters which may arise in the course of the Contractor’s performance of the Services
and to ensure faithful compliance with the Data Privacy Act. The duties of the Data Protection
Officer shall include, but are not limited to, the conduct of regular inventory of the Contractor’s
processes and systems that handle Personal Data, privacy impact assessments, consultation with
stakeholders, and a monitoring/evaluation of all the Contractor’s policies and practices affecting
Personal Data. The Data Protection Officer shall submit a written report to GADC every three (3)
months.

Contractor shall cause, if so required by GADC or any applicable law, its registration and the
registration of its Data Protection Officer with the National Privacy Commission and ensure that
such registration is complete and up-to-date. Registration under this section shall also include,

2|Pa ge
GADC LEGAL_RAD_2019 v. 1.0
 but not be limited to, all automated Processing operations, annual report on documented security
incidents and Personal Data breaches, and its Sub-processors (if any).

c. Security Measures. Contractor shall implement the highest level of security, which shall in no
case be less than industry standards, to protect the Personal Data, taking into account the
following factors: (i) nature of the Personal Data, (ii) the risks presented by the Processing, (iii)
the size of the organization, (iv) complexity of its operation, and (v) cost of security
implementation.

Contractor shall implement appropriate physical, technical, administrative, and organizational

measures against unauthorized or unlawful Processing, access, disclosure, alteration, or theft of
any such Personal Data and against accidental loss or destruction of, or damage to such Personal
Data, including but not limited to, taking reasonable steps to ensure the reliability and integrity
of its own Sub-processors having access to such Personal Data and instructing such Sub-
processors on the special data protection obligations under this Addendum. Unless otherwise
instructed by GADC, security measures shall include, as a minimum: (i) using firewalls, intrusion
detection, password protection, and malware protection software, and annual, internal security
audits of Contractor’s systems and the Services and tests of applicable disaster recovery and
business continuity plans and facilities, (ii) ensuring that Personal Data is not stored on any
mobile device (for example, a laptop or smartphone) or transmitted electronically unless
encrypted, and (iii) compliance with GADC’s security requirements as may be issued to
Contractor from time to time. Prior to implementation of such security measures or any proposed
change thereto, Contractor shall obtain GADC’s approval, which may be withheld by GADC in
its sole discretion.

d. Disclosure. Contractor will not, without GADC’s prior written consent, publish or present to any
other Person any information that GADC has supplied to the Contractor. If Contractor is
compelled by law to disclose any Personal Data, Contractor shall notify GADC before disclosing
the compelled Personal Data. Contractor may disclose the Personal Data only to the extent
necessary and to its Sub-processors on a need-to-know basis. Contractor shall ensure that such
Sub-processors are bound to the Contractor in a written agreement containing data protection
obligations not less protective than those stated in this Addendum.

e. Sub-processors. Contractor shall not sub-contract any Processing without the prior written
consent of GADC. In cases where such consent was given, Contractor shall: (i) conduct an audit
of the security and privacy practices of Sub-processors to ensure that the Sub-processors shall
provide a level of security and privacy appropriate to their access to the Personal Data and the
scope of the Services they are engaged to provide, and (ii) ensure that it has a written agreement
with each Sub-processor containing data protection obligations not less protective than those
stated in this Addendum. Contractor shall be liable for acts and omissions of its Sub-processors to
the same extent that the Contractor would be liable if performing the Services of each Sub-
processor directly under terms of this Addendum.

f. Personal Data Breach. In any instance of Personal Data Breach, Contractor shall ensure that the
designated Data Protection Officer shall: (i) notify GADC of the incident within twenty-four (24)
hours from the occurrence of the Personal Data Breach, (ii) assist GADC in any investigation into
the incident, including access to Contractor’s Sub-processors, documents, and systems, (iii)
cooperate with any remediation that GADC, in its discretion, determines is necessary to address
any applicable reporting requirements, and (iv) mitigate any effects of such Personal Data Breach,
including measures necessary to restore goodwill with stakeholders, including research subjects,
collaborators, governmental authorities, and the public.

g. Personal Data Retention. Contractor may only retain Personal Data for as long as necessary for
the Purpose for which such Personal Data was collected or as may be allowed by applicable law.
Unless otherwise instructed by GADC or as may be required by law or other legal proceedings,
Contractor shall only retain the Personal Data for a period of five (5) years after the termination
of the Services. After the period of Personal Data Retention has lapsed, Contractor shall promptly
return and/or destroy the Personal Data in accordance with Section V of this Addendum.

3|Pa ge
GADC LEGAL_RAD_2019 v. 1.0
 h. Audit and Inspections. Contractor shall make available to GADC all information necessary to
demonstrate compliance with the Data Privacy Act and shall allow audits by GADC or a third-
party auditor in relation to the Processing of Personal Data. Upon GADC’s request, Contractor
shall accurately complete an information security questionnaire regarding the Contractor’s data
protection policies and security practices. GADC or its third-party auditor may perform an on-
site inspection of Contractor’s premises provided that a written notice is given to the Contractor
at least ten (10) days prior to the intended date of on-site inspection. Upon GADC’s sole
discretion, such on-site inspection can be substituted by detailed documentation regarding the
data protection policies and security measures implemented by the Contractor.

i. Compliance with the Data Privacy Act. In handling the Personal Data shared by GADC for the
purpose of this Addendum, Contractor guarantees that it shall comply with the Data Privacy Act.
In Processing the Personal Data, Contractor shall adhere to the principles of transparency,
legitimate purpose, and proportionality. The Contractor hereby undertakes that it will comply
with all the General Data Privacy Principles in the Data Privacy Act, and it shall implement
internal rules and policies to cover all of its employees, agents or personnel who may have access
to the Personal Data under this Addendum.

j. GADC as controller. Contractor likewise understands and agrees that GADC is a Personal Data
controller under the Data Privacy Act. For this purpose, Contractor hereby consents and warrants
that it shall obtain the consent required from any Sub-processor to the collection, processing,
retention, and disposal of their respective Personal Data as may be required or deemed necessary
for the performance of the Services. Contractor hereby acknowledges and agrees that any such
processing of Contractor’s (or, any Sub-processor’s) Personal Data shall be done in accordance
with GADC’s Data Protection Statement attached hereto as Annex A.

V. Return and/or Destruction of Personal Data. Within five (5) days from the expiration or termination
of the Services or upon GADC’s request, Contractor shall: (i) return to GADC the Personal Data and
any other property, information, and documents, including Confidential Information and Intellectual
Property (including, each and every form and copy), or (ii) if requested by GADC, destroy or securely
erase all applicable copies of the Personal Data and any other property, information, and documents,
including Confidential Information and Intellectual Property, instead of returning the same to
GADC. Contractor shall deliver to GADC a certificate confirming Contractor’s compliance with this
section. GADC reserves the right to withhold any payment due to the Contractor, in addition to other
available remedies, until all Personal Data, property, information, or documents are returned or
destroyed in accordance with this section. The obligations under this section shall remain in full force
after the expiration or termination of the Services or this Addendum until the total destruction and/or
delivery to GADC of all Personal Data is completed.

VI. Confidentiality of Personal Data. The parties shall continue to be bound by the terms of the Non-
Disclosure Agreement. Both parties shall treat all Personal Data as Confidential Information in
accordance with the Non-Disclosure Agreement.

VII. Intellectual Property Ownership. Except for any Intellectual Property rights included in any
deliverable to use Personal Data, the parties hereby acknowledge that this Addendum does not
constitute a grant by either party to the other of any license or right to either party’s Intellectual
Property existing as of the Effective Date. If either party develops any new Intellectual Property
in connection with this Addendum, the parties shall enter into a separate definitive agreement
regarding the ownership of that new Intellectual Property. Neither party will use the other
party’s name, logos, trademarks or other marks without that party’s written consent.

VIII. Representations and Warranties.

a. Mutual Representations.
i. Each has full power, authority and legal right to execute, deliver, and perform this Addendum
and has taken all the necessary corporate action to authorize the foregoing.
ii. Neither party is under any restriction or obligation that could affect its performance of its
obligations under this Addendum.

4|Pa ge
GADC LEGAL_RAD_2019 v. 1.0
 iii. Neither party’s execution, delivery, and performance of this Addendum and the other
documents to which it is a party, and the consummation of the transactions contemplated in
this Addendum, do or will result in its violation or breach of any applicable law or order, or
require the consent of any Person, or conflict with, result in a violation or breach of or,
constitute a default under, or result in the acceleration of any material contract.

b. GADC’s Representations.
i. GADC has the exclusive right to grant use of the Personal Data.
ii. GADC has not assigned or granted, and is not obligated to assign or grant, any exclusive
license to the use of the Personal Data to any third party that would conflict the authorities
granted to the Contractor under this Addendum.

c. Contractor’s Representations. In the event that Contractor provides GADC or any other Person
with Personal Data for purposes of this Addendum, Contractor hereby warrants that the Personal
Data complies with the requirements of the Data Privacy Act and that it has rights and
authorizations necessary to provide said Personal Data to GADC or other Person.

IX. Term and Termination

a. Term. This Addendum will commence on Effective Date and continue as long as the Contractor
retains the Personal Data or until the expiration or termination of the Services, whichever comes
later.

b. Termination. Either party may terminate this Addendum, for any reason, provided that: (i) the
business relationship of the parties has likewise terminated, and (ii) a written notice is given to
the other party at least thirty (30) days before the intended date of termination.

Each party may terminate the Services and this Addendum with immediate effect by delivering a
notice of the termination to the other party if: (i) the other party fails to perform, has made or
makes any inaccuracy in, or otherwise materially breaches any of its obligations, covenants or
representations, and the failure, inaccuracy or breach continues for a period of three (3) days after
the injured party delivers notice to the breaching party reasonably detailing the breach, or (ii) if
either party becomes insolvent, bankrupt or enters receivership, dissolution or liquidation.

X. Indemnification
a. Indemnification by Contractor. Contractor (as indemnifying party) shall indemnify GADC (as
an indemnified party) against all losses and expenses arising out of any proceeding brought by
either a third party or GADC, and arising out of Contractor’s breach of its obligations,
representations, warranties or covenants under this Addendum.

b. Mutual Indemnification. Each party (as an indemnifying party) shall indemnify the other (as an
indemnified party) against all loses arising out of any proceeding brought by either a third party
or an indemnified party, and arising out of the indemnifying party’s willful misconduct or gross
negligence.

XI. Miscellaneous Provisions.

a. Acknowledgment. Nothing in this Addendum requires the parties to enter into any future
transaction or business relationship.

b. Entire Agreement. The parties intend that this Addendum and other documents that are
referenced in this Addendum represent the final expression of the parties’ intent and agreement
between the parties relating to the subject matter of this Addendum, contain all the terms the
parties agreed to relating to the subject matter, and replace all the parties’ previous discussions,
understandings, and agreements relating to the subject matter.

c. Assignment. Neither party may assign this Addendum or any of their rights or obligations under
this Addendum without the other party’s written consent. Unless explicitly stated otherwise
elsewhere in this Addendum, no Person other than the parties themselves has any rights or
remedies under this Addendum.

5|Pa ge
GADC LEGAL_RAD_2019 v. 1.0
 d. Notices. All notices and other communications between the parties must be in writing. The
parties shall give all notices and communications between the parties by (i) personal delivery, (ii)
a nationally-recognized, next-day courier service, or (iii) registered mail, to the party’s address
specified in this Addendum. A notice given under this Addendum will be effective on the other
party’s receipt of it, or if mailed, on earlier of the other party’s receipt of it and the fifth (5th)
Business Day after mailing it.

e. Dispute Resolution. The parties mutually agree to use their best efforts to amicably resolve any
dispute or difference that may arise between the parties relating to this Addendum or the
operation or construction thereof or any matter or thing in any way connected with the Services
or the rights duties or liabilities of the parties in connection with their business relationship. In
the event any dispute, controversy or claim arising out of or relating to this Addendum or the
Services, or the breach, termination or invalidity thereof is not resolved within thirty (30) days
from the date of receipt of the complaint by one party, the parties agree to refer the dispute to the
Philippine Dispute Resolution Center (“PDRC”), in accordance with the rules of the PDRC for
the time being in force, which rules are deemed to be incorporated by reference in this clause.
There will be three (3) arbitrators. Each Party shall appoint one (1) arbitrator. The arbitrators thus
appointed shall select a third arbitrator who shall act as the presiding arbitrator of the tribunal or
panel. The place of arbitration will be Makati City. The language to be used in the arbitral
proceedings shall be English. This Addendum, and any dispute arising out of the matters
covered herein, shall be governed by the laws of the Republic of the Philippines.

f. Headings. The headings used in this Addendum and its division into sections, schedules,
exhibits, appendices, and other subdivisions do not affect its interpretation.

g. Construction of Terms. The parties have each participated in settling the terms of this
Addendum. Any rule of legal interpretation to the effect that any ambiguity is to be resolved
against the drafting party will not apply in interpreting this Addendum.

h. Conflict of Terms. If there is any inconsistency between the terms of this Addendum and those
in any document entered into by the parties, the terms of the specified agreement will prevail,
under the rule of statutory construction that a specific controls over the general. The parties shall
take all necessary steps to conform the inconsistent terms to the terms of the specified agreement.

i. Severability. If any part of this Addendum is declared unenforceable or invalid, the remainder
will continue to be valid and enforceable.

j. Waiver. Neither party’s failure nor neglect to enforce any of its rights under this Addendum will
be deemed to be a waiver of that party’s rights. A waiver or extension is only effective if it is in
writing and signed by the party granting it. A party’s failure or neglect to enforce any of its rights
under this Addendum will not be deemed to be a waiver of that or any other of its rights.

k. Amendment. This Addendum may only be amended by a written instrument executed on behalf
of each of the parties in this Addendum.

ACCEPTED AND AGREED:

GOLDEN ARCHES DEVELOPMENT CORPORATION NAME OF CONTRACTOR

Signed: Signed:
Name: name of signatory Name: name of signatory
Title: position of signatory Title: position of signatory
Date: date of signing Date: date of signing

6|Pa ge
GADC LEGAL_RAD_2019 v. 1.0
 Annex A
Data Protection Statement

GOLDEN ARCHES DEVELOPMENT CORPORATION is a personal information controller under the

Data Privacy Act of 2012 (Republic Act No. 10173) and its implementing rules and regulations.

1. Personal Data that we collect

The types of Personal Data that we collect about individuals include:
 Name  Birthday
 Age  Government Records
 Mobile Number / Telephone Number  Email Address
 Address  Marital Status
 Affiliations  Tax Returns

You may have provided the Personal Data to us personally or authorised other individuals to provide the
Personal Data to us and consent (on your behalf) to our collection of your Personal Data from these
individuals. These individuals could be your superiors, employees, subordinates, colleagues and your
family members.

Where you give us Personal Data about other individuals, you confirm that you are authorised to disclose
and consent, on their behalf, to the processing of such Personal Data for the purposes described in the
section “Purposes for which we collect and use Personal Data” or other purposes for which your consent
has been sought and obtained.

2. Purposes for which we collect and use Personal Data

We only collect and use Personal Data for purposes which you have consented to and for which we have
been authorised. If we need to use your Personal Data for any purpose which you have not previously
consented to, we would seek your consent prior to using your Personal Data for the new purpose.

We collect and use the Personal Data that you provide to us arising from your business relationship with
McDonald’s as a Vendor/ Service Provider/ Lessor/ Business Partner (each a “Contractor”) for the
following purposes:

 To conduct due diligence/background checks that are mandated by legislation or

McDonald’s practices;
 For the purposes of the supply of products and services and support by Contractors to McDonald’s,
including any evaluation thereof;
 To keep Contractors updated on changes to McDonald’s’ policies;
 To evaluate and to improve McDonald’s’ s products and services;
 Security clearance / entry access into McDonald’s events and premises;
 To facilitate attendance at events/functions organised by McDonald’s or supported by McDonald’s;
or
 For purposes that are ancillary to or in furtherance of the above purposes.

We also disclose and transfer Personal Data to the following parties for the purposes of managing,
operating, administering and running our business and for other business and legal purposes:

 Third party service providers who will conduct due diligence/ background checks that are mandated
by legislation or McDonald’s practices;
 Financial institutions for purposes of payments and transactions related to McDonald’s’ provision of
products and services or related to products and services provided to McDonald’s by our vendors /
service providers / consultants;
 To our service providers (who may be located outside Philippines) that have been retained to
perform services on our behalf, including:
a. Service providers who provide information technology and outsourcing services such as data
storage, electronic mail services, deployment of management operations for information
technology and HR outsourcing services;

7|Pa ge
GADC LEGAL_RAD_2019 v. 1.0
 b. Professional, financial and legal advisors, tax advisors, auditors, insurers and insurance brokers;
c. Vendors, service providers, and consultants that have been engaged to help manage, operate,
administer and run McDonald’s’ operations and business process or provide services to facilitate
our provision of our products and services; and
d. External contractors to provide consultancy and evaluative services to McDonald’s and for
McDonald’s’ products and services, or organise events for McDonald’s.

McDonald’s requires that the parties to whom we transfer Personal Data and our service providers
implement adequate levels of protection in order to protect Personal Data. We also require that these
parties only process Personal Data strictly for purposes for which we engage them for and consistent with
the purposes that we have described above.

In addition, we would disclose Personal Data in the following circumstances:

 we are required to do so by law;
 in response to a request from law enforcement authorities or other government officials;
 to comply with a court order or direction from a government agency or regulatory authority ordering
the disclosure of the Personal Data; and
 where the disclosure is necessary for investigations or legal proceedings.

In addition to the above purposes for which Personal Data is collected and used, McDonald’s also
collects, uses and processes Personal Data from its course participants, or from companies who register
their employees for courses administered by McDonald’s.

3. Disclosure, sharing and transfer of Personal Data

McDonald’s does not sell or rent Personal Data that we collect from individuals, including our web site
visitors. In the course of or in connection with providing our products and services to our customers and
partners, we disclose, share and transfer Personal Data to the following parties for the following
purposes:
 To our agents and sub-contractors who are directly involved in the transactions.
 To government and non-government authorities, agencies and/or regulators as required under law or
under directions or orders from the government and non-government authorities, agencies and/or
regulators for security, regulatory approvals or permits.
 To other entities for the purpose of responding to questions, concerns, comments or feedback on our
products or services or our business, or to share knowledge on issues such as industry developments,
McDonald’s’ business, market outlook, corporate events and other products and services of the
McDonald’s that may be of interest to your company, organisation or business.
 To event organisers and service providers to facilitate the planning of events / functions that
McDonald’s organises or is involved in.

4. Protection and Security of Personal Data

We employ a range of technological and physical security arrangements and maintain safeguards to
protect against the accidental or unauthorised access, collection, use, disclosure, copying, modification,
disposal, deletion and other similar risks to Personal Data.

5. Retention of your Personal Data

McDonald’s only retains Personal Data for as long as the retention is required for the purposes for which
we collected the Personal Data, the purposes described in this statement and for other business and legal
purposes. Generally, we do not retain Personal Data for a period of longer than five (5) years after the
original purposes for which the Personal Data was collected have ceased to be applicable, unless
otherwise required by law, or other mandatory directions by court or government authorities or for
purposes of legal proceedings or other similar proceedings or investigations.

6. How to Contact Us
If you have any questions or comments about this Policy and our policies and practices on our collection,
use, disclosure or retention of Personal Data, you may contact our Data Protection Officer,
CHRISTOPHER JOHN D. IGNACIO, thru landline at (02) 888 8500.

8|Pa ge
GADC LEGAL_RAD_2019 v. 1.0