DATA SHARING AGREEMENT

KNOW ALL MEN BY THIS PRESENTS:

This Data Sharing Agreement, hereinafter referred to as Agreement, made and entered into this
______ day of _______________________ at Butuan City, Philippines, by and between:

The DEPARTMENT OF SOCIAL WELFARE AND DEVELOPMENT, a national agency of the

Republic of the Philippines, with office address at Batasan Pambansa Complex, Diliman,
Quezon City herein represented by RAMEL F. JAMEN, in his capacity as OIC-Regional
Director of the Field Office CARAGA, hereinafter referred to as the “Personal Information
Controller (PIC)”.

-and-

The LOCAL GOVERNMENT UNIT OF THE MUNICIPALITY OF NASIPIT, AGUSAN DEL

NORTE, a Municipality of the Republic of the Philippines created under IDENTIFY THE LAW
THAT CREATED NASIPIT, with principal address at ADDRESS OF THE MUNICIPAL HALL,
herein represented by ENRICO R. CORVERA, in his capacity as Municipal Mayor, hereinafter
referred to as the “Personal Information Processor (PIP)”,

Witnesseth:

WHEREAS, the Local Government Unit of Nasipit thru its Municipal Social Welfare Office
requested the DSWD Field Office Caraga for access of data from the Pantawid Pamilya Pilipino
Program (4Ps), and in particular, the list of 4Ps beneficiaries from the Municipality of Nasipit,
Province of Agusan del Norte;

WHEREAS, the purpose of acquiring the aforesaid list of 4Ps beneficiaries is for identification of
potential persons under Priority Group A5 for COVID-19 Vaccination;

WHEREAS, Section 22 of Republic Act No. 10173, or the Data Privacy Act (DPA) of 2012
provides that all personal information, whether sensitive or not, maintained by the government,
its agencies and instrumentalities shall be secured, as far as practicable, with the use of the
most appropriate standard recognized by the information and communications technology
industry, and as recommended by the National Privacy Commission (NPC), and that the head of
each government agency or instrumentality shall be responsible for complying with the security
requirements provided under the DPA;

WHEREAS, Section 20(d) of the IRR of the aforesaid law explicitly provides that:

Page 1 of 9
 “d. Data sharing between government agencies for the purpose of a public
function or provision of a public service shall be covered by a data
sharing agreement. (emphasis supplied)

1. Any or all government agencies party to the agreement shall comply

with the Act, these Rules, and all other issuances of the Commission,
including putting in place adequate safeguards for data privacy and
security.

2. The data sharing agreement shall be subject to review of the Commission, on

its own initiative or upon complaint of data subject.”

NOW THEREFORE, for and in consideration of the above premises, the PARTIES hereby
agree as follows:

I. GENERAL PROVISION

1. The PARTIES agree that the provisions of DPA shall be considered read into this
Agreement and that the same principles of transparency, legitimate purpose and
proportionality shall govern the implementation of this Agreement.

2. The DSWD FO-CARAGA (PIC) shall share documents/ records which contain
personal information of its data subjects to the LGU of Nasipit (PIP).

II. DEFINITIONS

1. For the purposes of this Agreement, “personal data”, “personal information

controller”, “process/processing”, “data subject” and “data sharing” shall have the
same meaning as in Republic Act No. 10173 or the Data Privacy Act of 2012, and its
Implementing Rules and Regulations.

2. Provided further, that DSWD FO-CARAGA shall serve and shall be referred to as
the Personal Information Controller (PIC), and the LGU of Nasipit as the
Personal Information Processor (PIP).

III. OBLIGATIONS OF THE DSWD FO-CARAGA (Personal Information Controller)

1. The PIC shall:

1.1. Act as and have the duties and accountabilities of a PIC for all personal data
processed by their respective agencies;

1.2. Have in place reasonable and appropriate physical, technical and

organizational measures intended to protect personal data up to the date of

Page 2 of 9
 transfer to the any of the PARTIES, against accidental or unlawful destruction
or accidental loss, alteration, unauthorized disclosure or access, as well as
against any other unlawful processing;

1.3. Uphold the rights of the data subject in accordance with the DPA, including the
relevant rules and regulations issued by the National Privacy Commission
(NPC), and with respect to the data privacy practices and protocols of the PIC;

1.4. Have in place the required procedures or protocols so that any person or party
acting under the authority of the (PIC), as the case may be, to have access to
the personal data for transfer will respect and maintain the confidentiality and
security of the personal data, and shall be obligated to process the personal
data only on instructions from either (PIC), as the case may be;

1.5. Process and transfer personal data to either PARTIES in accordance with the
DPA, including the relevant rules and regulations issued by the National
Privacy Commission, and with respect to the data privacy practices and
protocols of the PARTIES, and the details of the transfer specified in Annex
“A” of this Agreement;

1.6. Provide the (PIP), when so requested, information vital to the proper use and
protection of the shared data, particularly on relevant stipulations under the
DPA and the respective data sharing and privacy policies and guidelines of
the PIC;

1.7. Respond, within reasonable time, to information requests and complaints from
data subjects and the NPC concerning processing of the personal data by
(PIP) to the extent reasonably possible and with the information reasonably
available to it if (PIP) is unwilling and unable to respond;

1.8. Make available, upon request and following the procedures laid out in the
respective data sharing and privacy policies and guidelines of the PIC, a copy
of this Agreement to the affected data subjects, as well as the NPC where
required; and

1.9. Provide the (PIP) with a password that will be used to access encrypted data.

IV. OBLIGATIONS OF THE LGU-NASIPIT (Personal Information Processor)

1. The PIP shall:

1.1. Act as and have the duties and accountabilities of a personal information
processor for all personal data received from the PIC and covered under this
Agreement;

1.2. Have in place appropriate physical, technical and organizational measures to

protect the personal data received from the PIC against accidental or

Page 3 of 9
 unlawful destruction or accidental loss, alteration, unauthorized disclosure or
access, as well as against any other unlawful processing;
1.3. Uphold the rights of the data subject in accordance with the DPA, including
the relevant rules and regulations issued by the National Privacy Commission
(NPC), and with respect to the data privacy practices and protocols of the
PARTIES;

1.4. Receive and further process personal data from the PIC in accordance with
purpose it was intended for (as enumerated in Annex “A”), the data sharing
and privacy policies and guidelines of the PIC, and the provisions of the DPA;

1.5. Have the legal authority to give warranties and fulfill the undertakings set out
in this Agreement;

1.6. Have in place the required procedures or protocols so that any person or
party acting under the authority of the PIP to have access to the personal
data will be legally answerable to the PIP to respect and maintain the
confidentiality and security of the personal data, and shall be obligated to
process the personal data only on instructions from the PIP;

1.7. Prohibit disclosure or transfer of the personal data to any third party, except
those disclosures required by law. Provided that, in cases PIP transferred or
disclosed the personal data to a third-party, regardless of the existence of
knowledge of the PIC, will be the sole responsibility of PIP, and therefore, will
no longer be the accountability or liability of the PIC;

1.8. PIP commits to observe the strictest confidentiality concerning the personal
data it shall collect, process, or access to in the performance of its duties and
functions, and refrain from disclosing them to any other natural or legal
person, including among its workers and other staff, not expressly authorized
to access the personal data. This non-disclosure and confidentiality obligation
shall stay unaffected without limitation in time, even in the case of resignation
or termination from employment, end of term or appointment of the its
authorized personnel or officer handling such data;

1.9. Have no reason to believe, at the time of entering into this Agreement, in the
existence of any laws that would have a substantial adverse effect on the
guarantees provided for under this Agreement, and it will inform the PIC if it
becomes aware of any such laws;

1.10. Identify to the PIC a designated data protection officer within its organization
authorized to respond to information requests and complaints concerning
processing of the personal data, and will cooperate in good faith with the PIC,
the data subject, and the NPC concerning all such enquiries within a
reasonable time;

1.11. Upon reasonable request of the PIC, submit its data processing facilities,
data files and documentation needed for processing to reviewing, auditing
and/or certification by the NPC to ascertain compliance with the warranties
and undertakings in this Agreement, with reasonable notice and during
regular business hours;

Page 4 of 9
 1.12. Provide the PIC with information necessary for the sharing of personal data,
including but not limited to specific data requirements, processes to be
applied to the personal data, timeframe as to when the said data will be
needed, and the list of names of the staff and respective position titles who
will be authorized to access subject information of this Agreement, including
the principal Agreement, and which shall form part of the details of transfer in
Annex A, and;

1.13. Accomplish the feedback report form on data utilization as provided by the
PIC.

V. TERMINATION OF AGREEMENT

1. This DSA shall automatically be deemed terminated upon accomplishment of the

objective by which this Agreement is based unto. Either party may also be entitled to
terminate the Agreement in the event of any breach of obligations under the same.

2. The PARTIES agree, however, that the termination of the Agreement at any time, in
any circumstances and for whatever reason, does not exempt them from the
obligations and/or conditions under the clauses as regards the processing of the
personal data transferred.

3. In the event of termination of this Agreement, PIP must securely return all personal
data and all copies of the personal data subject to this Agreement to PIC forthwith or,
at PIC’s choice, will destroy all copies of the same according to the requirement for
disposal provided under the data privacy policy of the PARTIES, subject to the
requirements of the DPA.

4. PIP shall then issue a verified certification to PIC that it has returned all copies or has
destroyed the data as stipulated, unless PIP is prevented by law from destroying or
returning all or part of such data, in which event the data will be kept confidential and
will not be actively processed for any purpose.

VI. DESCRIPTION OF THE TRANSFER

1. The details of the transfer and of the personal data are specified in Annex A, which
forms an integral part of this Agreement. The parties may execute additional
annexes to cover additional transfers, which will be submitted to the NPC, when
required. Annex A may, in the alternative, be drafted to cover multiple transfers.

VII. LIABILITIES

1. Each party shall be liable for the violation of pertinent provisions of the DPA, and
may be penalized as stipulated in Sections 25-37, Chapter VIII of the Act. The

Page 5 of 9
 parties agree that they may be exempted from this liability upon proving that neither
of them is responsible for the said violation.

2. Breach of any clause of this Agreement, and provisions of the data sharing and
privacy policy and guidelines of the PIC shall mean the immediate termination of this
Agreement and the blacklisting of the PIP from further usage of any data from the
PIC.

3. The PIP further agrees to indemnify the PIC against all costs, claims, damages or
expenses incurred by the PIC or for which the PIC may become liable due to any
failure by the PIP or its employees, subcontractors or agents, and any other party
receiving the personal data from the PIP, to comply with the obligations under this
Agreement.

VIII. RESOLUTION OF DISPUTES WITH DATA SUBJECTS

1. The Parties agree that a data subject shall have the right to enforce his/her rights as
stipulated in the DPA against either PARTY, for their respective breach of their
contractual obligations, with regard to the data subject’s personal data. In cases
involving allegations of breach by the PIP, the data subject must first directly enforce
his or her rights against the PIP. If the PIP does not take appropriate action within a
reasonable period (which under normal circumstances would be one (1) month) the
data subject may then request the PIC to take appropriate action to enforce his or
her rights against the PIP.

2. In the event of a dispute or claim brought by a data subject concerning the

processing of the personal data against either or both of the PARTIES, the PARTIES
will inform each other about any such disputes or claims, and will cooperate with a
view to settling them amicably in a timely fashion.

3. The PARTIES agree to respond to any generally available non-binding mediation

procedure initiated by a data subject. If they do participate in the proceedings, the
PARTIES may elect to do so remotely (such as by telephone or other electronic
means). The PARTIES also agree to consider participating in any other arbitration,
mediation or other dispute resolution proceedings developed by the NPC for data
protection disputes.

IN WITNESS WHEREOF, the PARTIES hereto have caused this Agreement to be

signed in their respective names in _____________________, Republic of the Philippines, as of
the day and year written above:
AUTHORIZED SIGNATORIES

DSWD FIELD OFFICE CARAGA (PIC) LGU NASIPIT (PIP)

BY: BY:

Page 6 of 9
 RAMEL F. JAMEN ENRICO R. CORVERA
OIC-Regional Director Mayor

Signed in the Presence of:

JEAN PAUL S. PARAJES __________________________

Data Protection Officer Data Protection Officer
DSWD FO-CARAGA LGU NASIPIT

Page 7 of 9
ANNEX A: Description of the Transfer
(Please accomplish this form accurately and exhaustively. Do not be limited by the spaces provided. You may use
additional sheets if necessary.)

DATA SUBJECTS
The personal data transferred concern the following categories of data subjects (Please specify):

Pantawid Pamilyang Pilipino Program (4Ps) beneficiaries of Gigaquit, Surigao del Norte

PURPOSE OF THE TRANSFER

For identification of persons, 18 to 59 years old, who will comprise the Priority Group A5 for
Covid-19 Vaccination.

CATEGORIES OF DATA

Name, Address, Date of Birth, Age

ADDITIONAL USEFUL INFORMATION

(Describe arrangements for securing password, storage limits and other relevant information)

The data sharing is done thru the use of USB Flash Drive (encrypted)
containing the requested data.

SECOND PARTY (PIP) DESIGNATED DATA HANDLERS OTHER THAN DATA

PROTECTION OFFICER
(Specific names of Designated Staff and their specific roles and responsibilities such as those assigned to handle,
process, store, delete data within the specified timeline)

DESIGNATED DATA PROTECTION OFFICERS

Personal Information Controller Personal Information Processor

DSWD FIELD OFFICE CARAGA LGU NASIPIT

RAMEL F. JAMEN ENRICO R. CORVERA

OIC-Regional Director Mayor

Page 8 of 9
REPUBLIC OF THE PHILIPPINES )

CITY OF BUTUAN ) S.S.

ACKNOLWEDGMENT
BEFORE ME, a Notary Public for and in the above jurisdiction, personally appeared the
following:

VERIFIED DATE/PLACE
NAME EVIDENCE OF ISSUED
IDENTITY
RAMEL F. JAMEN

ENRICO R. CORVERA

known to me to be the named persons who executed the foregoing instrument and
acknowledged to me that the same is their own free will and voluntary act and deed.

This instrument consists of nine (9) pages including this page wherein this
Acknowledgment is written, and is signed by the parties and their instrumental witnesses on
each and every page hereof.

WITNESS MY HAND AND SEAL, this _____ day of ______________ 20____ at

_______________________, Philippines.

Doc. No. ________;

Page No. ________; NOTARY PUBLIC
Book No. ________;
Series of 20____.

Page 9 of 9