Data Sharing Agreement

(JCNorth is the receiving party)

SUPPLEMENT TO _________________________ dated _______________(the “Agreement”) between ________________ (the “Company”) and JCNORTH (the “Recipient”)  (both referred to as “Parties”).  

Unless the context requires otherwise, the term "Company" shall include natural persons or juridical entities. 


The Company has adopted or will adopt, to the extent possible, the "Data Privacy Principles" as indicated in the Implementing Rules and Regulations of Republic Act 10173, otherwise  known as the Data Privacy Act of 2012 ("Principles"), as may be modified from time to time, recognizing the importance of appropriate privacy protections for consumer data. The  Recipient, as personal information controller, agrees that it (including its directors, officers, employees, subsidiaries, representatives, sub-contractors, or agents) will comply with the  Principles. The Recipient further warrants that it has implemented and currently adheres to privacy principles, policies, or practices that are fully compliant with the Principles and  the Applicable Data Protection Law (as defined below).  

To the extent the Recipient has received or will receive Personal Data from the Company in relation to or in connection with the provision of the Agreement, as supplemented by this  Supplement, it shall strictly comply with the following obligations. 

I. Definitions 

For purposes of this Supplement, the following definitions shall apply: 

(a) “Personal Information”, “Sensitive Personal Information”, “Personal Data”, “Data Subject”, “Processing”, “Personal Information Controller”, and “Personal Information Processor” shall have the same meaning as set forth in the Implementing Rules and Regulations of Republic Act 10173, otherwise known as the Data Privacy Act of 2012, as may be amended and supplemented from time to time;

(b) “Applicable Data Protection Law” means Republic Act No. 10173, also known as the Data Privacy Act of 2012, its Implementing Rules and Regulations, other relevant laws and  issuances by the NPC, and any other legislation protecting the fundamental rights and freedoms of individuals, and in particular, their right to privacy with respect to control and  processing of Personal Data, as well as foreign legislation and issuances protecting the right of individuals to privacy, if applicable;  

(c) “Circular 16-03” means the Circular issued by the NPC on December 15, 2016 entitled “Personal Data Breach Management,” as may be amended or supplemented from time to time;

(d) “NPC” means the National Privacy Commission;

(e) “Personal Data Breach” shall have the same meaning as set forth in Circular 16-03;  

(f) “Services” means the acts and services required to be rendered or performed by the Recipient under the Agreement;  

(g) “Technical, Physical, and Organizational Security Measures” means those measures aimed at protecting Personal Data transmitted, stored, or otherwise processed against  improper, unauthorized, accidental or unlawful processing, destruction or loss, disposal, alteration, disclosure, or access, and against all other unauthorized and unlawful forms of  processing.  

II. Transfer of Personal Data 

The term of this Supplement, the purposes of processing, the types of Personal Data being processed, the manner of processing, the location of processing, and the details of online  access to Personal Data are specified in Appendix I, which forms an integral part of this Supplement. 

III. Obligations of Recipient  

Recipient agrees and warrants the following: 

(a) It will process the Personal Data only for purposes stated in the Agreement and in compliance with its documented instructions. If Recipient cannot provide such compliance for  whatever reason, it agrees to inform the Company promptly of its inability to comply, in which case the Company at its sole option is entitled to suspend the transfer of data and/or  terminate the Agreement; 

(b) Nothing prevents it from fulfilling the instructions received from the Company and its obligations under the Agreement, and if it becomes aware of any event which is likely to have  a substantial adverse effect on the warranties and obligations set forth in this Supplement, it will promptly notify the Company of such event, in which case the Company is entitled  to either suspend the transfer of data and/or terminate the Agreement;  

(c) It will ensure that an obligation of confidentiality is imposed on persons authorized to process the Personal Data and take reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the Personal Data. Further, Recipient shall disclose Personal Data or permit access to such Personal Data only to those authorized personnel on a need-to-know basis, and shall only provide such Personal Data to enable its authorized personnel to provide the Services set forth in the Agreement;

(d) It has implemented and currently maintains the appropriate Technical, Physical and Organizational Security Measures which comply with the Applicable Data Protection Law prior  to and throughout the duration of the processing of Personal Data transferred by the Company; 

(e) It will not share Personal Data with any party without prior written instruction from the Company; Provided, that if allowed by the Company to engage another processor,  Recipient’s agreement with the processor shall ensure that the same obligations for data protection under the Agreement and Applicable Data Protection Law are implemented,  taking into account the nature of the processing; 

(f) It will promptly notify the Company about: 

i. Any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve  the confidentiality of a law enforcement investigation; and 

ii. Any requests received from Data Subjects without responding to such requests, unless it has been authorized to do so by the Company;  

(g) It will assist the Company in fulfilling its obligation to respond to requests by Data Subjects relative to the exercise of their rights under the Applicable Data Protection Law. To this  extent, Recipient agrees to assist the Company in responding to requests from Data Subjects, including, but not limited to, their right to access, copy, correct, rectify, erase or  remove their Personal Data; 

(h) It will assist the Company in ensuring compliance with the Applicable Data Protection Law, taking into account the nature of processing and the information available to the  Recipient; 

(i) After the end of the provision of Services relating to the processing, the Recipient shall ensure that the Personal Data are properly disposed of in such a way that would prevent  further processing as well as improper, unauthorized, accidental or unlawful access.  

(j) It will immediately inform the Company if, in its opinion, any of its instructions infringes the Applicable Data Protection Law;

(k) It will not transfer any Personal Data, including transfer to another country or to a subcontractor in another country, without the express written consent of the Company. If the  Company provides consent, Recipient shall provide a written undertaking that the Personal Data transferred to another country will be protected at a standard that is comparable  to that under the Applicable Data Protection Law; 

(l) It will register itself and its relevant systems to comply with the provisions of the Applicable Data Protection Law; 

(m) It will update its relevant systems and its Technical, Physical, and Organizational Security Measures as necessary to comply with the provisions of the Applicable Data Protection Law; 

(n) It will immediately report any Personal Data Breach or any other violation of the Applicable Data Protection Law to the Company and to the appropriate regulatory authority, as  applicable. The report should contain detailed information about those matters required under Circular 16-03 and other Applicable Data Protection Law;  

Revised as of June 2019

(o) In the event of Personal Data Breach, it will assist and cooperate with the Company to investigate and remediate the breach, cooperate with any relevant regulatory authority or  law enforcement official, and assist with any required notification to Data Subjects; 

(p) It will strictly adhere to and adopt the guidelines and security measures in Rules II to IV of Circular 16-03 to prevent Personal Data Breach; 

(q) It will update itself, on a regular basis, on the issuances of the NPC and relevant regulatory authorities in relation to Applicable Data Protection Laws and strictly adhere thereto; 

(r)  It will cooperate, upon the Company’s request, in any data protection impact assessment, audit or inspection or any inquiry or notice received from any relevant regulatory  authority or law enforcement official. 

IV. Warranties of the Company  

The Company warrants that:  

(a) It has implemented and currently maintains the appropriate Technical, Physical and Organizational Security Measures which comply with the Applicable Data Protection Law prior  to and throughout the duration of the processing of Personal Data transferred by the Company; 

(b) It has full capacity and authority to disclose the Personal Data to the Recipient;  

(c) It has complied with the requirements of Applicable Data Protection Laws and has obtained sufficient written consent from the data subjects to whom the Personal Data pertains,  if necessary, to enable the Recipient to perform the Services and its other obligations under the Agreement, and it will provide proof of such consent when requested by the  Recipient.  

(d) It will assist the Recipient in ensuring compliance with the Applicable Data Protection Law, taking into account the nature of processing and the information made available to the  Recipient; 

(e) In the event of Personal Data Breach, it will assist and cooperate with the Recipient to investigate and remediate the breach, cooperate with any relevant regulatory authority or  law enforcement official, and assist with any required notification to Data Subjects; 

(f)  It will strictly adhere to and adopt the guidelines and security measures in Rules II to IV of Circular 16-03 to prevent Personal Data Breach; 

(g) It will update itself, on a regular basis, on the issuances of the NPC and relevant regulatory authorities in relation to Applicable Data Protection Laws and strictly adhere thereto; 

(h)  It will cooperate, upon the Recipient’s request, in any data protection impact assessment, audit or inspection or any inquiry or notice received from any relevant regulatory  authority or law enforcement official. 

V. Subcontracting  

(a)  The Recipient shall not subcontract any of its processing operations without the prior written consent of the Company. Where Recipient subcontracts its obligations under this  Supplement with the consent of the Company, it shall do so only by way of a written agreement with subcontractor, which imposes the same obligations on the subcontractor as  are imposed on Recipient under this Supplement.  

(b)  The Recipient shall maintain a list of subcontracting agreements concluded under this Supplement, which shall be updated at least once a year. Upon the Company’s request, the  list and relevant agreements shall be made available to the Company and/or to any relevant regulatory authority, if applicable. 

VI. Obligations After the Termination of the Agreement 

The Parties agree that on the termination of the Agreement, the Recipient shall ensure that the Personal Data are properly disposed of in such a way that would prevent further  processing as well as improper, unauthorized, accidental or unlawful access.  

VII. Liability and Indemnification 

(a) The Parties agree that under the Applicable Data Protection Law, the Company remains accountable for Personal Data under its control or custody, including Personal Data that have been transferred to Recipient. To this extent, Recipient therefore agrees to irrevocably and unconditionally indemnify and hold the Company, its officers, employees, and agents, free and harmless from and against any and all claims, suits, actions or demands or losses, damages, costs and expenses including, without limiting the generality of the foregoing, attorney's fees and costs of suit that the Company may face, suffer or incur by reason or in respect of:


i. The Recipient’s breach of any of the warranties and obligations set forth in this Supplement, regardless of the cause of such breach; 

or 

ii. Any act, omission or negligence of the Recipient that causes or results in the Company being in breach of its obligations under the Applicable Data Protection Law. 

(b) This Supplement shall survive the termination or expiration of the Agreement.

VIII. Rights and Remedies of the Data Subjects 

Data Subjects have the right to obtain a copy of this Supplement, and to access, update, or correct certain personal information, or withdraw consent to the use of any of their Personal  Data as set out in this Supplement, and may file complaints with, and/or seek assistance from the NPC in case of violation of their rights. The Recipient shall promptly notify the  Company of any requests received from Data Subjects in connection with the foregoing rights without responding or acceding to such requests, unless it has been authorized to do  so by the Company. 

For questions, requests, and notifications, communications may be coursed through (a) _______________________at [email address] or through its designated Data Protection Officer  or his/her replacement or substitute, at [dedicated email address] and (b) JCNorth, Inc.’s designated Data Protection Officer or his/her replacement or substitute, at  data_protection_officer@jcnorth@jcaranagroup.com. 

By signing this Supplement, the Parties agree that the terms hereof shall form an integral part of the Agreement, as well as any and all extensions, renewals, and amendments thereof,  or supplements thereto. 


JC NORTH Home Loan

Represented by:
Name:
Title:

Your Name / Company

Represented by:
Name:
Title:



APPENDIX 1

Term of this Supplement: refers to duration of the arrangement/project

Purpose of processing – refers to a description of why processing is performed

Types of Personal Data being processed – refers to whether personal, sensitive personal or privileged information is processed.

Manner of processing – refers to a description on how information will be processed, i.e. details of manual, automated or combination processing

Location of processing – refers to where information will be processed

Policy on the return, retention, or disposal of records – refers to a description of how information will be returned, kept, and destroyed or removed.

Details of online access to Personal Data (if applicable)

Justification for allowing online access – refers to why online access should be provided

Parties that are granted online access – refers to specific individuals who will be given online access. If not known, the name of the recipient company and a general statement, i.e. its authorized representatives, may be indicated.

Types of personal data that are made accessible online – refers to the details of personal information and/or sensitive personal information that will be accessed online. A statement on whether personal, sensitive personal or privileged information shall be accessible may suffice.

Estimated frequency and volume of the proposed access – how often information is accessed; please clarify volume. This refers to number of accessible records online.

Program, middle-ware and encryption method that will be used – refers to the methods used to secure online access.