DATA SHARING AGREEMENT
This DATA SHARING AGREEMENT (the "Agreement") is made this ___ day of _______ 2018, by and between:
[•], a corporation organized and existing under and by virtue of the laws of the Republic of the Philippines, with office address at [•] (hereinafter, the “Company”)
- and -
[•], a corporation organized and existing under and by virtue of the laws of the Republic of the Philippines, with office address at [•] (hereinafter, the “Recipient”)
(collectively, “Parties” and each a “Party”)
A. The Company, in the ordinary course of business, processes personal information from [its clients and customers] (“Data Subjects”);
B. In connection with the business operations of the Company, it may be necessary for the Company to share Data with the Recipient;
C. Under Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012, and its Implementing Rules and Regulations, Data Sharing shall be allowed if the Data Subjects consent thereto and such Data Sharing is covered by a data sharing agreement;
D. The Consent (as herein defined) of the Data Subjects has been obtained in respect of the Data Sharing;
NOW, the Parties hereby agree as follows:
- 1.1 “Consent” means any freely given, specific, informed indication of will, whereby the Data Subject agrees to the collection and processing of Personal Data about and/or relating to him or her. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the Data Subject by an agent specifically authorized by the Data Subject to do so.
- 1.2 "Data Sharing" is the disclosure or transfer by the Company to the Recipient of Personal Data under the custody of the Company.
- 1.3 “Data Privacy Laws” shall mean Republic Act No. 10173 otherwise known as the Data Privacy Act of 2012, its Implementing Rules and Regulations, as well as the issuances of the National Privacy Commission.
- 1.4 “Personal Data” includes:
- “Personal information” which means any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual; and
- “Sensitive personal information” which means:
- about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
- about an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
- issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
- specifically established by an executive order or an act of Congress to be kept classified.
- “Privileged information” which means any and all forms of data, which, under the Rules of Court and other pertinent laws constitute as privileged communication.
- 1.4 “Processing” refers to any operation or any set of operations performed upon personal information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system.
- 1.5 “Security Breach” means any unauthorized, unlawful or accidental access, processing, disclosure, alteration, loss, damage, or destruction of Personal Data whether by human or natural causes.
3. DATA HANDLING
- 3.1 Personal Data shall be used and processed by the Recipient for the sole purposes for which it is provided (as shown in Annex A, or as stated when the Data is provided) and shall be handled in accordance with Data Privacy Laws.
- 3.2 Upon request by the Company or upon termination of this Agreement, the Recipient shall securely destroy Personal Data in whatever form it is held in accordance with the security requirements of this Agreement. The purging of the Personal Data will be based on the specific instructions of the Company.
- 3.3 The Company reserves the right to undertake audit compliance activity with the Recipient in accordance with this Agreement.
- 3.4 All Personal Data shared with the Recipient shall be encrypted in accordance with the Company’s approved methodologies.
4. DATA SUBJECT RIGHTS
- 4.1 In handling Personal Data, the Recipient shall uphold and recognize the rights of the Data Subjects as provided under the Data Privacy Laws, including the
- right to be informed of the processing of Personal Data and the purpose, scope and method of such processing, (ii) the existence of automated decision-making or profiling and the methods utilized for such automated decision-making, the description of Personal Data to be entered into the system, the recipients or classes of recipients of such Personal Data, and the period for which Personal Data will be stored;
- right to object to the processing of Personal Data, including processing for direct marketing, automated processing or profiling;
- right to access, upon reasonable demand, the contents of processed Personal Data, the sources from which these were obtained, the names and addresses of recipients of the Personal Data, the manner of processing, the reasons for disclosure, any information on automated processes, and the date when the Personal Data was last accessed and modified;
- right to the rectification of Personal Data in case there is an inaccuracy or error;
- right to the erasure or blocking of Personal Data where there is substantial proof that Personal Data is incomplete, outdated, false, unlawfully obtained, or is being used for a purpose not authorized by the data subject;
- right to file a claim for any damages sustained due to the inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal data; and
- right to data portability or the right to obtain a copy of Personal Data in an electronic or structured format when Personal Data is processed by electronic means and in a structured and commonly used format.
5. ONWARD DISCLOSURE
- 5.1 Onward disclosure of any Personal Data shared by the Company to the Recipient under this Agreement is not allowed except with the written consent of the Company. The Recipient shall not sub-contract or engage a third party (“Third Party”) to process the Personal Data without the prior knowledge and written consent of the Company, and only after the Third Party has provided all the necessary assurance and guarantees that it has adequate administrative, physical, technical, organizational and procedural security measures to protect the Personal Data.
- 5.2 Any onward sharing by the Recipient of Personal Data to Third Parties shall be subject to the terms below:
- The Recipient and the Third Party receiving the Personal Data must execute a data sharing agreement with the same terms and conditions as this Agreement. A copy of such agreements and other relevant documents will be submitted to the Company for prior confirmation and approval.
- The Recipient shall ensure and cause the Third Party to exercise the same degree of care as required of the Recipient under this Agreement. The Recipient shall ensure that the Third Party adopts appropriate safeguards to protect the Personal Data from misuse and unauthorized access or disclosure. For this purpose, the Recipient shall ensure that the Third Party shall:
- implement security measures that ensure the availability, integrity, and confidentiality of Personal Data;
- implement reasonable and appropriate organizational, physical, technical, administrative and procedural measures to protect Personal Data against any Security Breach;
- ensure that Personal Data is backed up on a regular basis and that any back up is subject to security measures as necessary to protect the availability, integrity and confidentiality of Personal Data; and
- monitor compliance with the provisions of this Agreement and the applicable laws on data privacy and security.
- The Third Party shall delete the Personal Data within 24 hours from the completion of the purpose for which it was collected, as set forth in Annex B hereof, as may be determined by the Recipient or the Company. The purging of the Personal Data shall be based on the specific instructions of the Company.
- The Company also retains the right to audit any Third Party’s compliance with the requirements of this Agreement, the agreement between the Recipient and the Third Party, and any agreement between the Company and the Data Subjects. In such instances, the Company will require the Recipient to facilitate and liaise with the Third Party to enable compliance checks to be carried out.
- The Recipient shall only share Personal Data with Third Parties, as may be necessary to carry out the purposes stated in Annex A hereof.
6. REVIEW OF PROCESSES
- 6.1 This Agreement and any data sharing agreement between the Recipient and any of its Third Party service providers, as applicable, shall be evaluated and reviewed by the Parties on an annual basis.
- 6.2 The Company shall have the right to review the security measures adopted by the Recipient and each of the Third Parties, to ensure that the same are consistent with the provisions of this Agreement. The Recipient shall give (and shall cause any Third Party to give) the Company access to the records of the Recipient and the Third Parties for this purpose.
7. SECURITY BREACH MANAGEMENT
- 7.1 Each of the Parties shall have the manpower, system, facilities and equipment in place to properly monitor access to Personal Data, and to monitor and identify a Security Breach.
- 7.2 If the Recipient becomes aware of any Security Breach on its personnel, premises, facilities, system, or equipment, it shall, within a reasonable period, notify the Company of the Security Breach, investigate the Security Breach and provide the Company with information about the Security Breach, and take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Breach.
- The Recipient shall cooperate with the Company in relation to the incident investigation requirements for any Security Breach of Personal Data.
- The Parties agree that:
- An unsuccessful Security Breach attempt will not be subject to this Section. An unsuccessful Security Breach attempt is one that results in no unauthorized access, processing, disclosure, alteration, loss, damage, or destruction to Personal Data or to any equipment or facilities storing Personal Data, which includes, but is not limited to, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond internet protocol addresses or headers) or similar incidents; and
- the Recipient shall send the notification of any Security Breach to the Company within 24 hours from knowledge thereof.
8. REPRESENTATIONS AND WARRANTIES
Each of the Parties represents and warrants to each other that:
- It is an organization duly established, validly existing and in good standing under the laws of the Republic of the Philippines and has the requisite corporate power and authority to enter into this Agreement and to carry out its obligations hereunder.
- All the necessary corporate or legal actions for the execution, delivery and performance of this Agreement and execution of the works as contemplated hereunder have been duly taken and this Agreement constitutes the legal, valid and binding obligations of the parties, enforceable against it in accordance with the terms hereof.
- Its execution, delivery and performance of this Agreement shall not violate or contravene any provision of law or other governmental directive, shall not conflict with its Articles of Incorporation, By-Laws or other corporate documents and shall not conflict with or result in the breach of any provision of any agreement or instrument to which it is a party or by which any of its properties or assets is bound.
- It has and will keep valid all such authorities, permits, licenses from either private or government entities, whether local or national, necessary to perform its obligations during the effectivity of this Agreement.
- It complies in all material respects with the Data Privacy Laws and all applicable laws in respect of Processing of Personal Data.
- 9.1 No Employer-Employee Relationship
The Parties agree and understand that Recipient and any person acting under it or through its authority is an independent entity and nothing in this Agreement shall be construed in any way or manner, to create between them a relationship of employer and employee, principal and agent, partners or any other relationship other than that of independent parties contracting with each other solely for the purpose of carrying out the provisions of the Agreement. Neither shall the employees, agents or representatives of one party be considered as the employees, agents or representatives of the other.
- 9.2 Assignment
Except as may be allowed under this Agreement, the Recipient shall not assign this Agreement or any part thereof to any third party without the prior written consent of the Company. The Recipient shall utilize only individuals under its direct employ and shall not sub-contract any work or portion thereof to a third party provider whether or not such third party is a subsidiary, affiliate or related company of Recipient, without obtaining a prior written approval from the Company.
- 9.3 Termination
Either Party may terminate this Agreement by giving the other Party a notice of termination at least ten (10) days prior to the effectivity of the termination. The Parties shall remain liable to obligations due and demandable before the date of termination. In the event this Agreement is collateral to or dependent upon another or principal contract, then unless otherwise specifically provided, this Agreement shall be coterminous with such principal contract.
- 9.4 Indemnity
A party (“Defaulting Party”) shall indemnify and hold the other Party, its directors, officers, employees, affiliates, agents, and stockholders (“Non-Defaulting Party”), free and harmless from any and all losses, claims, damages, liabilities and expenses (including attorney’s fees), or any actions with respect thereto, arising directly or indirectly out of or by virtue of the failure of the Defaulting Party to comply with any of its undertakings or other obligations in this Agreement and under the Data Privacy Laws. The Defaulting Party will pay for or reimburse the Non-Defaulting Party within ten days from demand for any reasonable and documented legal or other expense reasonably incurred by the Non-Defaulting Party in connection with investigating or defending against such losses, claims, damages, expenses, liabilities or actions.
- 9.5 Enforcement of Rights
Failure or delay of any Party to insist, once or in several instances, on the strict performance by the other Party of any stipulation or condition of this Agreement or to exercise any right or option herein shall not be construed as abandonment, withdrawal, waiver or cancellation of such stipulation, condition, right or option.
- 9.6 Severability
If one or more of the provisions in this Agreement shall be invalid, illegal or unenforceable under any applicable law, the validity, legality and enforceability of the remaining provisions hereof shall not in any way be affected or impaired.
- 9.7 Jurisdiction
The validity, construction, interpretation and performance of this Agreement shall be governed by the laws of the Republic of the Philippines.
- 9.8 Venue
Any suit or proceeding arising out of this Agreement, including the interpretation and construction hereof shall be brought before the proper courts of [______City], to the exclusion of all other courts or tribunals, the Parties hereto submitting to such court’s exclusive jurisdiction.
- 9.9 Counterparts
This Agreement may be executed in counterparts, each of which may be deemed an original but all of which shall constitute one and the same instrument.