DATA PRIVACY SHARING AGREEMENT
UY, NICOLASORA & ASSOCIATES, CO., a partnership duly organized and existing under the laws of the Republic of the Philippines, with principal office address at 5/F-B RCC Center, 104 Shaw Blvd, Brgy. Kapitolyo, Pasig City 1603, represented herein by its Managing Partner, HAZEL C. NICOLASORA (hereinafter referred to as “UNA”)
SECTION 1. TERM.
This Agreement shall commence on the date above-written and shall continue for a period of three (3) years (the “Term”), unless sooner terminated under Section 7 hereof on Termination. This Agreement can be renewed upon Parties’ written agreement, provided that such Term or any extension will not exceed five (5) years.
SECTION 2. DEFINITIONS.
- “Authorized Personnel” refers to an employee or officer of the Parties authorized to collect and/or process Personal Data either by function of their office or position, through specific authority, or pursuant to this Agreement.
- “Compliance Officer for Privacy” or “COP” refers to an individual duly authorized by each Party to perform some of the functions of the Data Protection Officer for a company, a branch, sub-office, or component unit, if any.
- “Consent of the Data Subject” refers to any freely given, specific, informed indication of will, whereby the Data Subject agrees to the collection and processing of his/her Personal Information, Sensitive Personal Information, and/or Privileged Information. It shall be evidenced by written, electronic, or recorded means, or by an agent specifically authorized by the Data Subject to do so.
- “Data Protection Officer” or “DPO” refers to the officer duly designated by each Party to be accountable for the latter’s compliance with laws, regulations, and issuances on data privacy.
- “Data Subject” refers to any individual whose Personal Information, Sensitive Personal Information and/or Privileged Information are collected, stored and processed.
- “Personal Data” refers to all types of Personal Information collected, stored and processed by the Parties. Personal Data may be classified as follows:
- “Confidential Personal Data” pertains to all other information to which access is restricted, and the Processing of which requires the written consent of the Data Subject concerned, such as, but not limited to, Contact Information, Address, Visa Information, Credit Card Information, Company Information, Employee ID, Cost Center, Travel Preferences and Memberships. It also includes Personal Information and Sensitive Personal Information; and
- “Public Personal Data” pertains to Personal Information of Data Subjects which may be disclosed to the public by the Parties due to, or as required by, their business operations, and for government regulatory compliance and company disclosures.
- “Personal Data Breach” refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. A personal data breach may be in the nature of:
- An “availability breach” resulting from loss, accidental or unlawful destruction of personal data;
- “Integrity breach” resulting from alteration of personal data; and/or
- A “confidentiality breach” resulting from the unauthorized disclosure of or access to personal data.
- “Personal Information” refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or which, when put together with other information, would directly and certainly identify an individual.
- “Personal Information Controller” or “PIC” refers to a natural or juridical person, or any other body that controls the processing of personal data, or instructs another to process personal data on its behalf. UNA and SECOND PARTY are PICs.
- “Personal Information Processor” or “PIP” refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject;
- “Privileged Information” refers to any and all forms of data, which under the Rules of Court and other pertinent laws constitute privileged communication;
- “Processing” refers to any operation or any set of operations performed upon Personal Data including, but not limited to, collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction thereof. Processing may be performed through automated means or manual processing.
- “Security Incident” is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity, and confidentiality of personal data. It shall include incidents that would result to a personal data breach, if not for safeguards that have been put in place.
- “Sensitive Personal Information” refers to personal information:
- About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations
- Issued by government agencies peculiar to an individual, which includes, but is not limited to, social security numbers, previous or current health records, licenses or their denial, suspension or revocation, and tax returns; and
- Specifically established by an executive order or an act of Congress to be kept classified.
SECTION 3. PERSONAL DATA
- Personal Data covered by Data Sharing. To achieve the purposes laid down in this Agreement, UNA may share or transfer Personal Information, Sensitive Personal Information, and such other Personal Data to SECOND PARTY. SECOND PARTY may also share or transfer aforesaid information to UNA.
- Operational Details of Data Sharing. In sharing or transferring Personal Data to each other under this Agreement, the Parties shall observe the following:
- Information on Data Sharing. Prior to collecting Personal Data from a Data Subject and sharing it, either Party must provide the following information to the Data Subject:
- identity of the Parties and their PIP(s), if any, who will be given access to the Personal Data;
- purpose(s) of Data Sharing;
- categories of Personal Data collected, shared, and further processed;
- intended recipient(s) or categories of recipient(s) of the Personal Data;
- existence of the rights of the Data Subject; and
- if requested by the Data Subject, other information that would sufficiently notify the Data Subject of the nature and extent of Data Sharing and the manner of Processing.
- Consent of the Data Subject. The Party collecting the Personal Information, Sensitive Personal Information, and such other Personal Data from a Data Subject shall ensure that the Data Subject gives his/her prior written consent to the Data Sharing and Processing.
- Data Sharing. The Parties may share the Personal Data collected with each other through paper-based/physical or digital/electronic means, provided that the Security Measures laid down in Section 4 hereof are observed. Transfer of Personal Data via electronic mail shall be through a secure and encrypted e-mail facility.
- Processing of Personal Data. As soon as Personal Data is shared by either Party to the other, the latter may commence processing of Personal Data.
- Outsourcing of Personal Data. In the Processing of Personal Data, either Party may engage the services of any PIP, whose engagement must be covered by a duly executed Outsourcing Agreement(s).
SECTION 4. SECURITY MEASURES.
- Security Measures. The Parties undertake to observe and implement the following reasonable and appropriate, physical, technical and organizational measures to ensure privacy and data protection. These Security Measures aim to protect Personal Data against natural dangers such as accidental loss or destruction, and human dangers, such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.
- Format of Data. Personal Data stored by the Parties may be in digital/electronic format and paper-based/physical format.
- Storage Type and Location. All Personal Data collected, shared, and processed by the Parties shall be stored in secure facilities, whether virtual or physical. Paper or physical documents containing the Personal Data shall be stored in locked filing cabinets, the access keys to which shall be entrusted to Authorized Personnel. Digital or electronic documents containing Personal Data shall be stored in computers, portable disks, and other devices, provided that either the document or the device on which it is stored is protected by password(s) or passcode(s).
- Access. Only Authorized Personnel and the PIP(s) named under Section 3 (2)(e) hereof, if any, may access the Personal Data shared by the Parties. Either Party shall ensure that any person acting under its authority, and who has access to the Personal Data collected under this Agreement, processes the Personal Data exclusively for the Purpose(s) identified in this Agreement.
- Monitoring of Access. Access of Personal Data by all Authorized Personnel shall be monitored by the DPO and/or COP of the Party concerned, in accordance with its own data protection policies.
- Retention and Disposal. The Parties shall retain the Personal Data collected, shared and processed for the Term of this Agreement, and for five (5) years thereafter, or as long as may be necessary to accomplish the purpose of the Data Sharing and Processing (the “Retention Period”). After the Retention Period or when the Data Subject requests in writing that his/her Personal Data be destroyed, the Parties shall dispose of the Personal Data in their custody, in accordance with their respective data protection policies.
- In the processing of the Personal Data collected and shared under this Agreement, the Parties commit to observe the most appropriate Security Measures, whether physical, technical, or organizational, according to the requirements of data privacy laws, regulations, and government issuances, as well as their respective data protection policies.
SECTION 5. REPRESENTATION AND WARRANTIES.
- Confidentiality. The Parties shall treat the Personal Data shared under this Agreement with utmost confidentiality. Further, the Parties shall ensure that their respective personnel, employees, agents and/or representatives, as well as PIP(s), if any, engaged in the Processing of Personal Data under this Agreement, understand and are fully informed of the confidential nature of the Personal Data being processed, and that their obligation to keep the same in confidence survives the termination of their engagement, employment and/or any relationship with either Party.
- Data Sharing. The Parties shall neither share Personal Data received by virtue of this Agreement with any other party, nor process the same for any purpose, other than those laid down in this Agreement, or incidental thereto, without the prior written consent of the concerned Data Subjects.
- Data Privacy Compliance. The Parties hereby represent and warrant that in the Processing of Personal Data under this Agreement, they shall comply, and/or are compliant with data privacy laws, regulations, and other government issuances. The Parties further represent and warrant that they have in place appropriate Security Measures that endeavor to protect the Personal Data they process under this Agreement from any Security Incident, including Personal Data Breach.
SECTION 6. REMEDIES AVAILABLE TO DATA SUBJECTS.
- Rights of the Data Subjects. In the processing of Personal Data, the Parties commit to respect and uphold the following rights of the Data Subjects:
- The Data Subject has a right to be informed whether Personal Data pertaining to him/her will be, are being, or were processed;
- The Data Subject has the right to object to the processing of his/her Personal Data;
- The Data Subject has the right to reasonable access, upon demand, to Personal Data;
- The Data Subject has the right to dispute and have corrected any inaccuracy or error in his/her Personal Data and have the Parties accordingly and immediately correct or cause the correction thereof, unless the request is vexatious or unreasonable;
- The Data Subject has the right to suspend, withdraw or order the blocking, removal or destruction of his/her Personal Data from the Parties’ data processing system;
- The Data Subject has the right to obtain a copy of his/her Personal Data, where it is processed by electronic means; and
- The Data Subject has the right to complain before government authorities of any data privacy violation committed by either Party in the Processing of Personal Data under this Agreement.
- Exercise of Rights. The Parties shall ensure that it is made known to the Data Subjects that they may access and/or modify their Personal Data processed by the Parties under this Agreement. A Data Subject who seeks to access and/or modify his/her Personal Data and/or exercise any of the rights under Section 6.1 hereof may address his/her request in writing to the DPO of the Party in custody of his/her Personal Data.
- Access to this Agreement. Any Data Subject, whose Personal Data are being processed or shared under this Agreement may request in writing a copy of this Agreement. Such request must be addressed to the DPO of either Party.
- Security Incident(s) and Personal Data Breach.
- Personal Data Breach. If either Party becomes aware of any Personal Data Breach, involving any of its personnel, premises, facilities, systems and/or equipment, it shall, within a reasonable period and/or according to its data protection policies:
(i) inform the other Party of the Personal Data Breach;
(ii) investigate the Personal Data Breach and inform the other Party of the results thereof;
(iii) take all the necessary and reasonable steps to mitigate the adverse effect of, as well as minimize any damage, if any, resulting from, the Personal Data Breach, and;
(iv) inform the relevant government authorities of such event, if legally required to do so.
- Security Incident(s). Any Security Incident(s) other than a Personal Data Breach, and any unsuccessful or attempted Personal Data Breach, shall not be subject to the foregoing Section. An unsuccessful or attempted Personal Data Breach is one that does not actually result in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed under this Agreement.
- No Fault or Liability. The obligation of either Party to report or to respond to a Personal Data Breach under Section 4 (4)(a) hereof is not and will not be construed as an acknowledgement by either Party of any fault or liability for the Personal Data Breach.
- Other Request(s). Any other request(s), including complaint(s) of Data Subjects with regard to the Processing of their Personal Data, may be communicated to either Party through its DPO.
SECTION 7. TERMINATION. This Agreement can be terminated by three (3) months’ written notice served by either party.
SECTION 8. COUNTERPARTS. This Agreement may be executed in counterparts, all or any of which shall be treated for all purposes as one original and shall be and constitute one and the same instrument, and may be executed by the Parties in original or telecopy produced by fax machine or other means of electronic communication producing a printed copy.
SECTION 9. SEVERABILITY. Any provision of this Agreement which is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions hereof, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction.
SECTION 10. AMENDMENTS. This Agreement constitutes the entire agreement of the Parties with respect to the subject matter hereof and representations or statements, oral or written, not contained herein, will not be binding on the parties. No modification or amendment to this Agreement will be effective unless in writing and signed by both Parties.
SECTION 11. VENUE OF ACTION. Any legal action, suit, or proceeding arising out of or relating to this Agreement shall be instituted exclusively in the courts of Manila City.
SECTION 12. GOVERNING LAW. This Agreement and the relationships created hereby shall be construed in accordance with and governed by the laws of the Republic of the Philippines.
DATA PRIVACY CONSENT
In compliance with Republic Act No. 10173 or the Data Privacy Act (DPA) of 2012, and its Implementing Rules and Regulations (IRR) effective since September 8, 2016, I allow Uy, Nicolasora & Associates (the “UNA”) to provide me certain services declared in relation to the transaction/s, contract/s and/or agreement/s I executed with the UNA:
As such, I agree and authorize the UNA to:
- Collect and use my personal and sensitive information to process the services and administer the benefits as stated in my transaction/s, contract/s and/or agreement/s I have with UNA.
- Retain my personal and sensitive information in the Database of UNA.
- Transfer my information to UNA’s affiliates and necessary third parties for any legitimate business purpose. I am assured that security systems are employed to protect my information.
- Inform me of future customer campaigns and base its offer using the personal information I shared with the UNA.
- Allow the UNA and its third-party agents (ex. External Legal Advisor) to use my personal information for future businesses, campaigns and transactions with the UNA.
I also acknowledge and warrant that I have acquired the consent from all parties relevant to this consent and hold free and harmless and indemnify Uy, Nicolasora & Associates, including its partners, officers, associates, employees and/or authorized representative/s from any complaint, suit, or damages which any party may file or claim in relation to my consent.
UY, NICOLASORA & ASSOCIATES (UNA) is committed to providing its employees, clients and Data Subjects with the highest levels of professional service. This includes protecting their privacy as UNA understands the importance of privacy of their Personal Data and Personal Information.
PURPOSE OF THE POLICY
DATA PROTECTION PRINCIPLES
All UNA personnel must adhere to the following general principles when collecting, using, disclosing, processing or otherwise handling Personal Information and/or Sensitive Personal Information.
The consent of an individual must be obtained, in accordance with the applicable Philippine data privacy laws, before collecting, using, or disclosing his personal data for a purpose. An individual also has a right to withdraw his consent, by giving reasonable notice.
Before embarking on a new business project or initiative that requires the collection of Personal Data, consider each category of Personal Data that is proposed to be collected and assess whether the PIC (such as UNA) is able to perform the project or initiative without it. UNA should collect only the minimum Personal Data it requires for the legitimate purpose concerned.
Personal Data may only be collected, used, or disclosed for legitimate purposes that a reasonable person would consider appropriate in the circumstances. Fresh consent must be sought if any purposes for which consent was obtained differ from the original purpose communicated and agreed to by the individual.
UNA must notify individuals of the purpose(s) for which it intends to collect, use, or disclose his Personal Data on or before UNA’s collection, use or disclosure of such Personal Data. If UNA will be collecting Personal Data for a new purpose (as above), UNA will need to provide fresh notification to the individuals.
Upon request by an individual, he or she must be provided with his/her Personal Data possessed or controlled by UNA, unless prohibited by Philippine Data Privacy laws or regulations or other applicable laws or regulations in the country. Once UNA receives the request, UNA will need to understand internally how the individual’s Personal Data has been used, processed, or disclosed by UNA. UNA needs to ensure that it logs all activities in relation to the access and extraction of Personal Data held by it.
Unless the aforesaid laws or regulations provide otherwise, such personal data must be provided as soon as practicable and no later than thirty (30) days after the individual’s first request for such personal data.
An individual may also request UNA to correct any inaccuracies in her/his personal data which is in UNA’s possession or control. Unless Philippine laws or regulations provide otherwise, such personal data must be corrected or erased as soon as practicable, but no later than thirty (30) days after the individual’s first request for such correction.
Reasonable efforts must be made to ensure that personal data collected by or on behalf of UNA is accurate and complete. This obligation applies at the time of collection and throughout the period during which such personal data is in UNA’s possession or control.
Where the data is more sensitive (e.g., identification numbers, mobile numbers), UNA must ensure that there are additional testing and checking performed to address any mistakes made during the point of data entry. For example, a second person should double check the records to ensure accuracy.
Personal Data in UNA’s possession or under its control must be protected by reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks.
UNA personnel should take note of the following basic guidelines when sending Personal Data:
- Before sending a communication (e.g., email, Skype message/attachment) containing Personal Data, ensure that the recipient address (e.g., email address, fax number, Skype ID) is correct and matches that of the intended recipient and that the right files are attached prior to sending.
- Perform regular housekeeping of auto-complete email list and double check recipient’s email addresses before sending out emails or documents containing Personal Data.
- Where possible, implement automated processing of documents or communications containing Personal Data (e.g., merging content or populating fields from various sources). Ensure the accuracy and reliability of the automated process by checking it regularly.
- Require UNA employees handling and sending Personal Data to be bound by confidentiality obligations in their employment agreements.
- Store hardcopy documents containing Personal Data in locked storage systems.
- Ensure that the computer networks being utilized by UNA to access, store or process Personal Data are secure.
- Install appropriate computer security software and use suitable computer security settings.
Unless Philippine laws or regulations provide otherwise, the retention of documents containing personal data must cease, or the means by which the personal data can be associated with particular individuals must be removed (e.g., anonymization of the data), as soon as:
- it is reasonable to assume that the purpose for which the personal data was collected is no longer being served by retention of such personal data; and
- retention is no longer necessary for legal or business purposes.
UNA personnel shall ensure proper disposal of Personal Data which should no longer be retained by UNA. Printed Personal Data should be shredded and digital documents containing such Personal Data should be permanently deleted.
Uy, Nicolasora and Associates Co.
5/F-B RCC Center, 104 Shaw Blvd, Pasig, 1603 Metro Manila
Mobile: +63 917 596 6748