Page 47 - headway handbook 2018
1. A procedure for the collection of personal data, including
procedures for obtaining consent, when applicable;
2. Procedures that limit the processing of data, to ensure that it
is only to the extent necessary for the declared, specified, and legitimate
purpose;
3. Policies for access management, system monitoring, and
protocols to follow during security incidents or technical problems;
4. Policies and procedures for data subjects to exercise their rights
under the DPA;
5. Data retention schedule, including timeline or conditions for
erasure or disposal of records.
C. PHYSICAL SECURITY MEASURES.
The DPO shall comply with the following guidelines for physical
security:
1. Policies and procedures shall be implemented to monitor and
limit access to and activities in the room, workstation or facility, including
guidelines that specify the proper use of and access to electronic media;
2. Design of office space and work stations, including the physical
arrangement of furniture and equipment, shall provide privacy to anyone
processing personal data, taking into consideration the environment and
accessibility to the public;
3. The duties, responsibilities and schedule of individuals involved
in the processing of personal data shall be clearly defined to ensure that
only the individuals actually performing official duties shall be in the room or
work station, at any given time;
4. Any natural or juridical person or other body involved in the
processing of personal data shall implement policies and procedures
regarding the transfer, removal, disposal, and re-use of electronic media, to
HEADWAY CAPS INTERNATIONAL CO.,INC. 47