Appointment of Data Protection Officer, Consent for Processing, and Engagement for Privacy Compliance Services
Parties:
• Personal Information Controller (PIC / “the Clinic”):
o I am practicing at CGHMC, with business address at 286 Blumentritt St., Sta. Cruz, Manila.
• Data Protection Officer (DPO / “the Appointee”):
o Jamie Francis Dy, providing DPO-as-a-Service.
Effective Date: This agreement becomes effective upon the Clinic’s electronic acceptance below.
1. Appointment and Scope of Authority
The Clinic, as a Personal Information Controller (PIC) under the Philippine Data Privacy Act of 2012 (DPA) and its implementing rules and regulations, hereby appoints Jamie Francis Dy as its Data Protection Officer (DPO).
1.1. Authorized Responsibilities. The DPO is authorized and engaged to perform the following services on behalf of the Clinic:
• Advise and monitor the Clinic’s compliance with the DPA and NPC issuances.
• Conduct and coordinate Privacy Impact Assessments (PIAs).
• Develop, implement, and maintain the Clinic’s Privacy Management Program (PMP), including but not limited to:
o Privacy Notices and Data Privacy Policy
o Data Retention and Destruction Schedules
o Security Measures and Incident Response Procedures
o Protocols for handling data subject rights requests
• Manage all communications and submissions with the National Privacy Commission (NPC), including the Clinic’s registration as a PIC.
• Serve as the primary point of contact for data subjects and the NPC on all data privacy matters.
• Conduct or arrange privacy training for Clinic personnel, and conduct compliance audits.
1.2. Nature of Appointment. This appointment is non-exclusive and does not establish an employer-employee relationship. The Clinic retains full responsibility for its compliance with all applicable data privacy laws.
2. Clarification on Data Access and Control
Appointing Jamie Francis Dy as your Data Protection Officer (DPO) does not grant him blanket access to patient records or other sensitive information. Your clinic remains the Personal Information Controller (PIC) and retains full control over who accesses patient data.
2.1. DPO’s Role (Advisory and Oversight):
The DPO will:
• Guide your clinic to comply with the Data Privacy Act and NPC requirements.
• Conduct a Privacy Impact Assessment (PIA) of your clinic’s processes and systems.
• Draft and implement your Privacy Notice, Data Privacy Policy, retention schedule, and incident response procedures.
• Provide staff training and issue certificates of completion.
• Handle NPC communications and assist with your NPC registration as a PIC.
2.2. Limits on DPO Authority:
The DPO will not, without your explicit, case-by-case authorization:
• Access or view patient records, except when strictly necessary for a defined compliance task (e.g., system mapping) and only under the principles below.
• Make clinical, billing, or business decisions for your clinic.
2.3. Data Access Principles:
Any access to patient data for compliance purposes is governed by the following strict principles:
• Minimum Necessary: Only the minimum de-identified or anonymized information needed for the specific compliance task will be requested.
• Need-to-Know Basis: Any access is role-based, time-bound, and logged.
• Confidential and Secure: All information you provide is protected by organizational, physical, and technical safeguards consistent with NPC rules.
3. PIC Status and Accountability
The Clinic acknowledges that it operates as an independent Personal Information Controller for the personal data it processes in its private practice. This appointment does not transfer controller status or accountability to Chinese General Hospital and Medical Center (CGHMC). Any data sharing or use of CGHMC systems shall be governed by a separate Data Sharing or Data Processing Agreement, as applicable.
4. Consent for Data Processing
To enable the DPO to perform the services, the Clinic provides explicit consent for the DPO to process personal data as described below.
4.1. Scope of Data Processing.
• Data Subjects: The Clinic, its personnel, and its patients.
• Categories of Data Processed:
o Clinic and personnel data (e.g., names, contact details, professional licenses, signatures).
o Patient data to the minimum extent necessary (e.g., sample records, metadata for system mapping and testing). The Clinic is strongly advised to de-identify sample patient records before sharing.
• Purposes of Processing:
o Conducting PIAs, risk assessments, and gap analyses.
o Drafting policies, notices, and Records of Processing Activities (ROPAs).
o Performing NPC registration, notifications, and communications.
o Implementing technical and organizational security measures.
o Managing data breaches and fulfilling legal notification duties.
4.2. Legal Bases & Safeguards.
• Legal Bases: Compliance with a legal obligation; legitimate interests in ensuring data protection; performance of a contract.
• Data Retention: Documentation will be retained for the period required by law (e.g., NPC Circulars). Patient-level data used for testing will be deleted upon completion of the relevant task.
• International Transfers: If tools with offshore hosting are used, appropriate safeguards (e.g., encryption, contractual clauses) will be implemented.
5. Confidentiality and Security
The DPO shall implement appropriate organizational, physical, and technical security measures aligned with NPC standards and industry best practices to protect all information provided by the Clinic. All such information shall be treated as confidential and used solely for the purposes defined in this Agreement.
6. Subprocessors
The DPO may use third-party service providers (e.g., cloud storage, e-signature platforms). A list of key subprocessors is provided below. All subprocessors are bound by written agreements requiring equivalent data protection standards.
*Current Subprocessors: Google Workspace (PH/SG), Microsoft 365 (APAC), [XYZ E-Signature Provider] (US/EU).*
7. Term and Termination
This appointment continues until terminated by either party.
• Termination for Convenience: Either party may terminate with thirty (30) days written notice.
• Termination for Cause: Either party may terminate immediately for a material breach of data protection laws or this Agreement.
• Effect of Termination: Termination does not relieve the Clinic of its ongoing obligations under the DPA. The DPO may retain necessary documentation as required by law.
8. Fees
The fees, billing cycle, and detailed scope of services are as outlined in Annex A (Scope & Fees), which is incorporated into this Agreement by reference.
9. Indemnification
The Clinic agrees to indemnify and hold the DPO harmless against any claims, losses, or damages arising from the Clinic’s (i) provision of inaccurate information, (ii) failure to implement the DPO’s recommended policies or measures, or (iii) unauthorized processing of personal data.
10. Governing Law and Venue
The laws of the Republic of the Philippines shall govern this Agreement. The parties agree that the primary venue for any disputes shall be the courts of Manila City, Philippines, without prejudice to the exclusive jurisdiction of the National Privacy Commission over data privacy matters.
11. Entire Agreement
This document, together with any referenced Annexes, constitutes the entire agreement between the parties concerning the subject matter and supersedes all prior discussions and agreements.
Acceptance and E-Signature
By checking the box, typing your name, and providing your e-signature below, you acknowledge that you have read, understood, and agree to be legally bound by all terms and conditions of this Agreement. You confirm you have the authority to bind the Clinic to this Agreement and provide consent for the processing of personal data as described herein.
This action authorizes Jamie Francis Dy to proceed with the NPC registration and all related compliance activities on the Clinic’s behalf.
• I Agree. I accept the terms of this Appointment of Data Protection Officer, Consent for Processing, and Engagement for Privacy Compliance Services.