One Partnership Referral Program Agreement: Data Sharing Agreeement

Last Updated May 29, 08:26 AM

ONE PARTNERSHIP REFERRAL PROGRAM AGREEMENT

ANNEX A

DATA SHARING AGREEMENT

This Data Sharing Agreement (this “Agreement”) is entered into into upon the signing of the One Partnership Referral Program Broker Agreement document by and between Innovation Love, Inc (“COMPANY”) and YOU (“PARTNER”)

PART I. GENERAL CONDITIONS

Nature of this Agreement

This Agreement involves the disclosure or transfer of personal data under the custody of one of the Parties to the other Party pursuant to the project or undertaking of the Parties described in Part II (Special Conditions). In this Agreement, both Parties are acting as personal information controllers of the personal data.

  1. Adherence to the Data Privacy Act of 2012

The Parties hereby adhere to the provisions of Republic Act 10173, otherwise known as the Data Privacy Act of 2012, its Implementing Rules and Regulations, and the issuances of the National Privacy Commission ("Commission") (collectively, ‘DPA’), recognizing the importance of appropriate privacy protections for data subjects.

  1. Definitions

    1. ‘Personal Information’ refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual;

    2. ‘Sensitive Personal Information’ refers to personal information:

  2. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

  3. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;

  4. Issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and

  5. Specifically established by an executive order or an act of Congress to be kept classified.

  6. ‘Personal data’ refers to both personal information, sensitive personal information, and privileged information disclosed by the Sharing Party to the Receiving Party pursuant to the Service Agreement;

  7. ‘Processing’ refers to any operation or any set of operations performed upon personal data including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data. Processing may be performed through automated means, or manual processing, if the personal data are contained or are intended to be contained in a filing system;

  8. ‘Data subject’ refers to an individual whose personal, sensitive personal, or privileged information is processed;

  9. ‘Security incident’ is an event or occurrence that affects or tends to affect data protection, or may compromise the availability, integrity and confidentiality of personal data. It includes incidents that would result to a personal data breach, if not for safeguards that have been put in place;

  10. ‘Personal data breach’ refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. A personal data breach may be in the nature of:

  11. An availability breach resulting from loss, accidental or unlawful destruction of personal data;

  12. An integrity breach resulting from alteration of personal data; and/or

  13. A confidentiality breach resulting from the unauthorized disclosure of or access to personal data.

  14. ‘Personal information controller’ refers to a natural or juridical person, or any other body who controls the processing of personal data, or instructs another to process personal data on its behalf. The term excludes:

  15. A natural or juridical person, or any other body, who performs such functions as instructed by another person or organization; or

  16. A natural person who processes personal data in connection with his or her personal, family, or household affairs;

There is control if the natural or juridical person or any other body decides on what information is collected, or the purpose or extent of its processing;

  1. ‘Personal information processor’ refers to any natural or juridical person or any other body to whom a personal information controller may outsource or instruct the processing of personal data pertaining to a data subject;

  2. ‘Receiving Party’ refers to such party that, as a personal information controller, receives personal information from the other party pursuant to this Agreement.

  3. ‘Sharing Party’ refers to such party that, as a personal information controller, discloses or transfers personal information to the other party pursuant to this Agreement.

  4. ‘Technical, physical, and organizational security measures’ means those measures aimed at protecting Personal Information transmitted, stored, or otherwise processed against improper, unauthorized, accidental or unlawful processing, destruction or loss, disposal, alteration, disclosure, or access, and against all other unauthorized and unlawful forms of processing.

  5. Scope

The terms of this Agreement shall apply to personal data in all its forms. It may be on paper, stored electronically, held on film, microfiche, or other media. It includes text, pictures, audio, and video. It covers information transmitted by post, by electronic means, and by oral communication, including telephone and voicemail. It applies throughout the lifecycle of the data from creation, collection, storage, utilization, to disposal. The terms of this Agreement apply to all officers, employees, and subcontractors of both Parties where they are performing their duties in relation to this Agreement.

  1. Roles of the Parties

Each Party may act as a Disclosing Party or a Receiving Party, as may be specified in Part II (Special Conditions).

  1. No warranties Clause

THE PARTNER ACKNOWLEDGES THAT ALL PERSONAL DATA IS PROVIDED “AS IS.” PARTNER ACKNOWLEDGES THAT COMPANY MAKES NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY AS TO MERCHANTABILITY OR FITNESS OF THE PERSONAL DATA FOR A PARTICULAR PURPOSE. PARTNER HEREBY AGREES TO COMPLETELY AND ABSOLUTELY REMISE, RELEASE AND FOREVER DISCHARGE COMPANY AND/OR ITS SUCCESSORS-IN-INTEREST, STOCKHOLDERS, OFFICERS, DIRECTORS, AGENTS, OR EMPLOYEES FROM ANY ACTION, SUM OF MONEY, DAMAGES, CLAIMS AND DEMANDS WHATSOEVER, WHICH IN LAW OR IN EQUITY PARTNER EVER HAD, NOW HAVE, OR WHICH PARTNER, ITS SUCCESSORS AND ASSIGNS HEREAFTER MAY HAVE BY REASON OF OR ARISING WHOLLY, PARTIALLY, OR DIRECTLY FROM ANY PRIOR REPRESENTATION AND UNDERSTANDING WITH THE COMPANY, WHETHER ORAL OR WRITTEN.

  1. Obligations of the Receiving Party

  2. The Receiving Party shall be accountable for Shared Data under its control and custody, including Shared Data that it transferred to a third party for processing. It shall use technical, physical, and organizational security measures to protect the Shared Data. It shall use contractual or other reasonable means to provide a comparable level of protection while the Shared Data is being processed by a third party.

  3. The Receiving Party shall notify the Commission and the data subjects of any Personal Data Breach involving the Shared Data pursuant to the requirements of the DPA, including Circular 16-03, as may be amended from time to time. To this end, the Receiving Party shall likewise inform the Sharing Party of any security incident, as defined under the DPA, or any Personal Data Breach within twenty-four hours from knowledge of or reasonable belief that the same had occurred.

  4. Further processing of Shared Data shall adhere to the data privacy principles laid down in the DPA, its IRR, and other issuances of the Commission.

  5. Data Subject Rights

Each Party shall respect the following rights accorded to Data Subjects by the Data Privacy Act of 2012:

  1. Right to be informed. Data subjects have the right to be informed whether Personal Information pertaining to them shall be, are being, or have been processed, including the existence of automated decision-making and profiling. This Agreement may be accessed by the Data Subject upon written request submitted to any of the Parties.

  2. Right to object. Data subjects have the right to object to the processing of their Personal Information, including processing for direct marketing, automated processing or profiling. They may withhold consent to the processing in case of changes or any amendment to the information supplied or declared to the data subject.

  3. Right to access. Data subjects have the right to request access to any of their personal data, subject to certain restrictions.

  4. Right to rectification. Data subjects have the right to dispute the inaccuracy or error in the personal data and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable.

  5. Right to erasure or blocking. Data subjects have the right to suspend, withdraw or order the blocking, removal or destruction of his or her personal data from the personal information controller’s filing system.

  6. Right to damages. Data subjects have the right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of Personal Information, taking into account any violation of the rights and freedoms of the data subject.

  7. Right to lodge a complaint with the National Privacy Commission.

  8. Governing Law

This Agreement shall be governed, construed, and enforced in accordance with Philippine law, without regard to its conflict of laws rules.

  1. Dispute Resolution

Any dispute in connection with the validity, interpretation, implementation or alleged breach of any provision of this Agreement or regarding a question, including the question as to whether the termination of this Agreement by one party hereto has been legitimate, arising from or related to this Agreement shall be notified in writing by one Party to the other, the Parties hereto shall endeavor to settle such dispute amicably.  If the Parties fail to reach any agreement within sixty (60) days after negotiation begins, either Party may submit such dispute in the appropriate courts of Mandaluyong City.

PART II. SPECIAL CONDITIONS

  1. Description of Project or Undertaking

This Agreement is entered into pursuant to the Memorandum of Agreement dated ________________ for the purpose of providing the PARTNER with the tools and resources they need to meet the growing demands of the real estate market effectively (Memorandum of Agreement).

  1. Term and Termination

  2. Unless earlier terminated by either Party, this Agreement shall be effective from the date first appearing above, co-terminous with the Memorandum of Agreement and shall be terminated immediately upon cessation or termination of the Memorandum of Agreement.

  3. The Parties shall periodically review this Agreement on an annual basis to determine the proprietary of continuing the data sharing, taking into account the sufficiency of the safeguards implemented for data protection and any data breach or security incident that may have occurred affecting the shared data.

  4. This Agreement may be terminated on the following grounds:

  5. Upon the mutual written agreement of all parties;

  6. By any innocent Party, upon breach of another Party of any provision of this Agreement;

  7. By any surviving Party, upon the dissolution or death of any Party;

  8. By the National Privacy Commission,

    1. Upon a finding that data sharing is: (a) no longer necessary for the specified purpose/s and its objective/s has already been achieved; or (b) detrimental to national security, public interest or public policy, or the termination of the same is necessary to preserve and protect the rights of a data subject

    2. Upon determination that a Party has violated the Data Privacy Act, or any of its implementing rules and regulations;

  9. By either Party, for any reason after thirty (30) Business Days’ written notice to the other Party.

  10. Personal Data to be Disclosed

  11. COMPANY, as the Sharing Party, shall disclose the following personal data to PARTNER

Data Subject(s): Buyer-User

Data Fields/Categories:

  • Complete Name (Last name, First name, Middle name)

  • Mobile Number

  • Email Address

  • Property Preferences based on properties inquired or pre-qualification:

  • Property Type/Subtype

  • Listing Type

  • Property TCP/Price Range

  • Monthly Income

  • Location

  • Property Condition

  • Rent Term

  • Move-in timeline

Method of Processing:

  • Automated via inquiry form to be filled out by buyer-user

  • Manual - via pre-qualification call and email correspondence with the buyer-user

By whom performed (Counterparty or Counterparty’s PIP/Service Provider): N/A

PARTNER, as the Receiving Party, shall not disclose the above-specified personal data to any third party without the prior written permission of the COMPANY, except as may be required by law, court order or other governmental action or any rule or regulation. Unauthorized disclosure is punishable under Republic Act No. 10173 or the Data Privacy Act and Republic Act No. 10175 or the Cybercrime Prevention Act.

PARTNER, as the Sharing Party shall disclose the following personal data to COMPANY:

Data Subject(s): Buyer-User

Data Fields/Categories:

  • Complete Name (Last name, First name, Middle name)

  • Mobile Number

  • Email Address

  • Transaction Status

  • Closed Transaction details:

  • Property Details

  • Property TCP

Method of Processing: Manual - via call, email, and face-to-face correspondence with the buyer user

By whom performed (Counterparty or Counterparty’s PIP/Service Provider): N/A

  1. Purposes of Disclosure

  2. PARTNER, as the Receiving Party, shall use and process the personal data from COMPANY for the following purpose(s):

    1. Assessment of qualification and eligibility of data subjects for any sales/rental transaction
  3. COMPANY, as the Receiving Party, shall use and process the personal data received from PARTNER for the following purposes:

    1. Monitoring of users with closed sales/rental transactions

    2. Processing of Service Fee per the Memorandum of Agreement in relation to successfully closed transaction

    3. Monitoring of users who would like to apply for home loans

    4. Processing of Service Fee per the Memorandum of Agreement in relation to successful home loan applications

Subject to subsequent amendments of this Agreement and consent of the data subjects, the Parties may agree to the further processing of personal information for commercial purposes and value-added services.

  1. Operational Details of Data Sharing

  2. Transfer

Once the data subjects submitted their inquiry form to a property, the COMPANY will pre-qualify the data subject and will be notified that they will be endorsed to PARTNER. Once the data subject expresses their consent to the endorsement, data pertaining to such data subjects will be transferred to PARTNER      through a CRM accessible using a secured account.

To ensure the security of the transfer and maintain the integrity of the data, COMPANY      utilizes industry-recognized data encryption and has put in place physical, electronic, and managerial procedures designed to help prevent unauthorized access, to maintain data security, and to correctly use the data collected, such as:

The COMPANY has implemented a number of organizational security measures to protect the data during transfer. These measures include:

  • Implement a data security policy that defines the roles and responsibilities of all employees who handle data.

  • Implement a system for managing user access to data.

  • Restrict access to sensitive data to only those employees who need it to do their jobs.

The COMPANY has also implemented a number of physical security measures to protect the data during transfer. These measures include:

  • Secured data transfer protocol to protect the data from unauthorized access

  • Backup data regularly

  • Detection systems to protect against cyberattacks.

The COMPANY has also implemented a number of technical security measures to protect the data during storage. These measures include:

  • The data is encrypted during transit and at rest.

  • The data is stored on a secure server.

  • The data is accessed using secure protocols.

To further ensure the security of the transfer, COMPANY and PARTNER have Data Protection Officers responsible for ensuring the respective Party’s compliance with data privacy laws and monitoring the implementation of their respective security measures.

  1. Storage and Retention

Data collected will be retained by COMPANY for as long as the purposes for which they are being processed have not been satisfied. COMPANY will retain and use data collected as long as necessary to comply with its legal obligations, resolve disputes, and enforce its agreements but shall not exceed ten (10) years.

To ensure the security and maintain the integrity of the data stored and retained and maintain the integrity of the data, COMPANY utilizes industry-recognized data encryption and has put in place physical, electronic, and managerial procedures designed to help prevent unauthorized access, to maintain data security, and to correctly store the data collected.

The COMPANY has implemented a number of organizational security measures to protect the data during storage. These measures include:

  • A documented data storage process that outlines the steps involved in storing the data.

  • A system for tracking the storage of the data.

  • A system for auditing the storage of the data.

The COMPANY has also implemented a number of physical security measures to protect the data during storage. These measures include:

  • Access to the data is restricted to authorized personnel.

  • A system for managing user access to data.

  • Use of strong passwords and two-factor authentication to protect user accounts.

  • The data is stored in a secure location.

  • The data is backed up regularly.

The COMPANY has also implemented a number of technical security measures to protect the data during storage. These measures include:

  • The data is encrypted during storage.

  • The data is stored on a secure server.

  • The data is accessed using secure protocols.

To further ensure the security of the data stored and retained, COMPANY and PARTNER have Data Protection Officers responsible for ensuring the respective Party’s compliance with data privacy laws and monitoring the implementation of their respective security measures.

  1. Return, Destruction or Disposal

If the return of the data is not reasonably feasible, the Data Recipient shall, upon the termination of the data sharing arrangement or at the request of the Data Provider, securely destroy or dispose of the shared data in a manner that ensures the data cannot be reconstructed or accessed by unauthorized parties. The destruction or disposal process shall comply with all applicable laws and regulations.

Data Retention Period:

The Data Recipient shall not retain the shared data beyond the duration necessary to fulfill the purpose for which it was shared which shall not exceed ten (10) years, unless otherwise required by law or with the explicit consent of the Data Provider.

  1. Data Breach Management

Data Breach Notification

In the event of a data breach involving the data shared under this Agreement, the COMPANY or the PARTNER, as the case may be, shall notify the affected data subjects immediately without undue delay. The notification will be made using the contact information provided by the data subjects or any other contact details reasonably available to the Data Controller.

Content of Notification:

The data breach notification to the data subjects shall include, but not be limited to, the following information:

  • Description of the nature of the breach and the categories of data affected.

  • The likely consequences of the data breach.

  • Measures taken or proposed to be taken by the COMPANY or the PARTNER to address the data breach.

  • Contact information for the Data Protection Officer or the person responsible for managing the data breach incident.

  • Recommendations for the data subjects on steps they should take to protect their interests and mitigate potential damages resulting from the breach.

Cooperation and Assistance:

The COMPANY or the PARTNER shall provide full cooperation and assistance to the data subjects in fulfilling their legal obligations, including regulatory reporting requirements or any other actions related to the data breach, as required by applicable laws and regulations.

Confidentiality:

Both parties agree to treat all information related to the data breach as strictly confidential, except to the extent necessary to comply with legal obligations or to seek professional advice.

Data Breach Prevention and Security Measures:

The COMPANY and the PARTNER agrees to implement reasonable and appropriate security measures to protect the data shared under this Agreement from unauthorized access, loss, or disclosure. Data Recipient(s) shall also employ adequate security measures to protect the data once received.

Termination of Data Sharing:

In the event of a severe or repeated breach, either party may terminate the data sharing arrangement with immediate effect.

  1. Exercise of data subject rights

The party responsible for addressing data subject requests and complaints are the Data Protection Officers of COMPANY and PARTNER.

A data subject can access or obtain a copy of the DSA and/or his/her personal information:

  1. The data subject submits a request to either Party’s DPO.

  2. The DPO reviews the request and determines whether it can be granted.

  3. If the request is granted, the DPO provides the data subject with the requested information.

  4. If the request is denied, the DPO provides the data subject with a reason for the denial.

  5. Mutual Indemnification

Each Party shall irrevocably, unconditionally, and fully indemnify and hold the other Party, its directors, stockholders, officers, employees, and agents, and hold them free and harmless from and against any and all claims, suits, actions or demands or losses, damages, costs and expenses including, without limiting the generality of the foregoing, attorney’s fees and costs of suit arising from any breach of their respective warranties and obligations.

  1. Communications Regarding Data Privacy Concerns

For questions, requests, and notifications, communication may be directed to each Party’s designated Data Protection Officer or his/her replacement or substitute.

INNOVATION LOVE, INC.

RONALD JOHN R. DAVID

rj@onepropertee.com

(02)7751-6673