DATA SHARING AGREEMENT

KNOWN ALL MEN BY THESE PRESENTS:

This Data Sharing Agreement (the “Agreement”) is made this __date___ day of October
2020 between:

GREEN CROSS INC., a company organized and existing under the laws of
the Philippines, with principal office address at 14th Floor, Common Goal
Tower, Finance corner Industry Streets, Madrigal Business Park, Muntinlupa
City, represented by its [AVP-Supply Chain], [Michael Anthony Co] (the
“Disclosing Party”);

-and-

[ Company Name ], a company organized and existing

under the laws of [Country], with principal office address at [ Company
Address ], represented by [ Company President/Owner
], [ ] (the “Receiving Party”).

(Disclosing Party and Receiving Party may each be referred to as a “Party”

and collectively as the “Parties”)

WHEREAS:

A. The Disclosing Party has shared and/or transferred or intends to share and/or
transfer Personal Data (as hereinafter defined) of Data Subjects to the Receiving
Party for the Purposes (as hereinafter defined) enumerated under this Agreement.

B. The Receiving Party hereby agrees to provide a standard of protection to the

Personal Data so transferred and received that is compliant with the standard of
protection required under Republic Act No. 10173, otherwise known as the Data
Privacy Act of 2012 (the “DPA”), its Implementing Rules and Regulations, and all
the existing circulars and/or guidelines that have been issued and shall be issued
by the National Privacy Commission (collectively, the “DPA Legislation”).

C. The Receiving Party hereby agrees to comply with any and all other applicable
laws or regulations with respect to the privacy of the Data Subject (as hereinafter
defined).

THEREFORE THE PARTIES HEREBY AGREE AS FOLLOWS:

1. Definitions

In this Agreement:

“Data Subject” refers to an individual whose personal, sensitive personal or

privileged information is processed and transferred to the Receiving Party;

“Personal Data” refers to all types of Personal Information and Sensitive

Personal Information that are under the custody of the Disclosing Party;

“Personal Data Breach” refers to a breach of security leading to the accidental

or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to,
personal data transmitted, stored, or otherwise processed;

“Personal Information” refers to any information, whether recorded in a

material form or not, from which the identity of an individual is apparent or can be
reasonably and directly ascertained by the entity holding the information, or when

1
 put together with other information would directly and certainly identify an
individual;

“Purposes” means solely for the purposes laid down in Section 2 of this
Agreement;

“Process” or “Processes” or “Processing” refers to any operation or any set of

operations performed upon Personal Data including, but not limited to, the
collection, recording, organization, storage, updating or modification, retrieval,
consultation, use, consolidation, blocking, erasure or destruction of Personal Data.
Processing may be performed through automated means, or manual processing, if
the Personal Data are contained or are intended to be contained in a filing
system;

“Security Incident” is an event or occurrence that affects or tends to affect data

protection, or may compromise the availability, integrity and confidentiality of
personal data. It includes incidents that would result to a Personal Data Breach, if
not for safeguards that have been put in place;

“Sensitive Personal Information” refers to Personal Information:

(a) personal information about an individual’s race, ethnic origin, marital

status, age, color and religious, philosophical or political affiliations;

(b) personal information about an individual’s health, education, genetic or

sexual life of a person, or to any proceeding for any offense committed or
alleged to have been committed by such individual, the disposal of such
proceedings, or the sentence of any court in such proceedings;

(c) personal information issued by government agencies peculiar to an

individual which includes, but is not limited to, social security numbers,
previous or current health records, licenses or its denials, suspension or
revocation and tax returns; and

(d) personal information specifically established by an executive order or an

act of Congress to be kept classified; and

“Subsidiary” is an entity, including an unincorporated entity such as a

partnership, that is controlled by another entity (and “Subsidiaries” shall be
construed accordingly).

2. Purposes

The Personal Data received by the Receiving Party shall be used by the latter only
for the following purposes agreed upon by the Parties:

2.1 preparation of documents and performance of acts necessary or desirable to

accomplish the services and transactions for which the Disclosing Party
entered into an agreement with, hired or engaged, or was hired or
engaged by the Receiving Party for;

2.2 complying with reportorial, filing, and other legal requirements under the law,
or as required by any request or direction of any governmental authority,
or responding to requests for information from public agencies, offices,
statutory boards or other similar authorities;

2.3 providing services necessary to fulfill the Service Agreement];

2.4 purposes which may be related to any of the foregoing purposes enumerated

2
 (collectively, the “Purposes”).

3. Personal Data Collected

The Personal Data to be disclosed by the Disclosing Party to the Receiving Party
will be limited to the Personal Data requested by the Receiving Party as listed in
the forms provided to the Disclosing Party, those indicated in any service
agreement, and/or other documents, agreements, and undertakings executed
between the Disclosing Party and the Receiving Party.

4. Compliance with the DPA Legislation

The Receiving Party shall comply with the DPA Legislation with regard to any and
all Personal Data that it receives from the Disclosing Party, including, but not
limited to, (a) having in place technical, organizational and physical security
measures; and (b) recognizing the rights of the Data Subject as provided under
the DPA Legislation.

5. Receiving Party’s Obligations

5.1 The Receiving Party agrees, warrants and undertakes that when dealing with
any and all Personal Data received from the Disclosing Party, it shall:

(a) not violate its obligations under DPA Legislation when dealing with
any and all Personal Data received from the Disclosing Party;

(b) only use Personal Data in accordance with the Purposes for which
the Disclosing Party transferred, shared or disclosed the Personal
Data and as is necessary for the Disclosing Party to fulfil its
obligations under the DPA Legislation. In this regard, the Receiving
Party undertakes to use the Personal Data that it receives from the
Disclosing Party solely for the Purposes provided in this Agreement
and not for any other purpose whatsoever and shall not disclose the
Personal Data it receives from Disclosing Party to any party
(including its affiliates or related corporations) whatsoever, subject
to Clauses 5.1(k) and (l). This includes the Receiving Party not
disclosing any such Personal Data to any of its third-party service
providers or agents;

(c) take appropriate technical, physical, and organizational security

measures through the application of internal policies that it has
with regard to the security of Personal Data to the Personal Data, in
accordance with the DPA Legislation, to protect Personal Data
against accidental or unlawful destruction or accidental loss,
alteration, unauthorised disclosure or access and against all other
unlawful forms of Processing. Such measures shall ensure a level of
security appropriate to the risks represented by the Processing and
the nature of the data to be protected, having regard to the current
data privacy best practices and the cost of implementation. In this
regard, the Receiving Party warrants that it has in place appropriate
internal policies, physical, technical, and organizational measures
dealing with the security of Personal Data and that such policies
provide for a level of protection that is compliant with that required
under DPA Legislation;

(d) give the Disclosing Party notice 1 immediately or within twenty-four

1
The contents of the notification shall at least describe the nature of the event, the Personal Data
possibly involved, and the measures taken by the Receiving Party to address the event. The
notification shall also include measures taken to reduce the harm or negative consequences of the

3
 (24) hours upon knowledge or when the Receiving Party has
reasonable belief, that any of the events referred to in Clause
5.1(b), a Security Incident or Personal Data Breach has occurred
and shall promptly take all steps necessary to remedy the event
and prevent its re-occurrence;

(e) employ reasonable measures to ensure that the Personal Data that
it processes are accurate, complete, and up to date;

(f) not retain Personal Data for a period longer than is necessary for
the Purposes for which the Disclosing Party disclosed the Personal
Data. Hence, the Receiving Party shall cease to retain and shall
destroy or permanently delete, or in the alternative, shall
anonymize Personal Data when the Purposes for which the Personal
Data was collected by the Receiving Party is no longer relevant or
applicable;

(g) on request of any Data Subject whose Personal Data the Receiving
Party has received from the Disclosing Party, allow the requesting
Data Subject to exercise his/her rights to information, object,
access, rectification, erasure or blocking, and data portability of his
Personal Data, which are accorded to the Data Subject and in
compliance with the conditions and requirements of the DPA
Legislation with respect thereto. The Receiving Party shall, as soon
as reasonably possible, notify the Disclosing Party in writing of the
Data Subject’s exercise of its rights under the DPA Legislation;

(h) without limiting the generality of subparagraph (f), with respect to

access rights, amongst other things, on request of a Data Subject
who has rights under the DPA Legislation to access Personal Data,
the Receiving Party shall, as soon as reasonably possible, provide
the Data Subject with Personal Data about the Data Subject that is
in the possession or under the control of the Receiving Party, in
compliance with the DPA Legislation and other requirements
dealing with a Data Subject’s access rights set out therein. The
Receiving Party shall, as soon as reasonably possible, notify the
Disclosing Party in writing of the Data Subject’s exercise of its rights
under this clause;

(i) without limiting the generality of subparagraph (f), with respect to

correction rights, amongst other things, on request of a Data
Subject who has rights under the DPA Legislation to correct an error
or omission in that Data Subject’s Personal Data, the Receiving
Party shall, as soon as reasonably practicable:

(i) notify the Disclosing Party in writing of the Data Subject's

exercise of its right of correction;

(ii) make necessary correction to Personal Data;

(iii) supply the Data Subject with a copy of Personal Data as

corrected; and

(iv) where Personal Data has been disclosed to a third party, and
unless there is reason to believe that the third party has
ceased Processing the Personal Data, take all practicable

event, the representatives of the Receiving Party, including its contact details, from whom the Data
Subject can obtain additional information about the event, and any assistance to be provided to
the affected Data Subjects.

4
 steps to supply the third party with a copy of Personal Data
so corrected accompanied by a notice in writing stating the
reasons for the correction,

in compliance with the DPA Legislation and other requirements

dealing with a Data Subject’s correction rights set out therein;

(j) subject to the fulfilment of the Purposes, limit disclosure of such

Personal Data to its employees, agents and professional advisors:

(i) on a need to know basis and only for the Purposes of

Processing for which such Personal Data was disclosed by
the Disclosing Party; and

(ii) who have been made aware of the obligations specified

under this Agreement and who agree to abide by the same
obligations;

(k) without prejudice to Clause 5.1(a), not disclose or transfer any

Personal Data received from the Disclosing Party to any other third
party without the prior written approval of the Disclosing Party, and
in the event of disclosure or transfer, such disclosure or transfer
shall be consistent with the ability of the Disclosing Party to
disclose or transfer the Personal Data and upon such additional
terms and conditions which the Disclosing Party may impose on it
for such disclosure or transfer; and

(l) not disclose or transfer any Personal Data or any part thereof to a
third party in another country (whether for the purpose of data
storage, back-up or any other purpose whatsoever), unless for any
of the Purposes or with the prior written approval of the Disclosing
Party, and that it shall not allow any other party to do the same. In
this regard, the Receiving Party undertakes and warrants that all
Personal Data that it receives from the Disclosing Party shall remain
in the Philippines, and not be transferred to another country in any
way whatsoever and that the storage and backup of such Personal
Data shall always remain in the Philippines. If the Receiving Party
wishes to transfer such Personal Data to another country, the
Receiving Party must first obtain the Disclosing Party’s prior written
approval (which the Disclosing Party need not give) and such
approval (if any) could only be given by the Disclosing Party if the
consent of the Data Subject whose Personal Data is to be
transferred to another country has been obtained (except where an
exception to such consent from the relevant Data Subject under the
DPA Legislation applies). Further and subject to the aforesaid,
where the Personal Data is to be transferred to another country, to
take any such additional measures as are necessary to ensure that
the Personal Data is transferred in accordance with the
requirements of the DPA Legislation. Where appropriate or as
required by law, transfer of Personal Data to another country shall
be pursuant to written agreements between parties to ensure that
the Personal Data will be adequately protected.

5.2 The Receiving Party shall promptly notify the Disclosing Party if any
complaints are received about the Processing of the Personal Data
received from the Disclosing Party. The Receiving Party shall not make
any admissions or take any action which may be prejudicial to the defense
or settlement of any such complaint, and shall provide to the Disclosing
Party such reasonable assistance as it may require in connection with such

5
 complaint. In this regard, the following representatives may be contacted
on behalf of the Parties in relation to any issues involving Personal Data
subject of this Agreement:

For the Data Controller: For the Data Processor:

Rez D. Dupa [insert name]
Green Cross, Inc. [insert company name]
E-mail: [email protected] E-mail: []
Contact Number: 0917 832 2626 Contact Number: []

6. Receiving Party’s Obligations

The Disclosing Party agrees that it shall ensure that it complies at all times with
the DPA Legislation, and, in particular, the Disclosing Party represents and
warrants that any disclosure of Personal Data made by it to the Receiving Party is
made with the Data Subject’s consent or is otherwise lawful.

7. Destruction or Return of Personal Data

Upon written request at any time by the Disclosing Party, the Receiving Party
shall immediately cease all Processing of the Personal Data shared and/or
transferred by the Disclosing Party, and, as requested by the Disclosing Party,
safely destroy the Personal Data or arrange for the prompt and safe return to the
Disclosing Party on suitable media of all copies of the Personal Data held in
whatever form by the Receiving Party or any third parties to whom Receiving
Party disclosed such Personal Data pursuant to this Agreement. Where requested
by the Disclosing Party, the Receiving Party shall certify that such destruction has
taken place.

8. Intellectual Property

The Receiving Party acknowledges, accepts and agrees that the Personal Data
and all intellectual property rights and any other rights subsisting in them,
including without limitation any database rights, with respect to the Personal Data
disclosed hereunder by the Disclosing Party is the property of and owned by the
Disclosing Party and/or its Subsidiaries, affiliates, related corporations, associates
or advisors, as the case may be, and the Receiving Party undertakes not to do
anything to contradict the aforesaid. Nothing in this Agreement shall be
construed as granting any property rights, by license or otherwise, to the
Receiving Party, with respect to any Personal Data disclosed to the Receiving
Party pursuant to this Agreement, or with respect to any and all current and
future intellectual property rights of the Disclosing Party whether registered or
not, and whether or not such applications can be made, including patent rights,
design rights, industrial designs, trademarks, service marks, inventions or trade
secrets, trade and business names, domain names, marks and devices copyrights,
utility model rights, integrated circuits, integrated circuit topography rights, mask
work rights and all other similar proprietary rights and applications for any of
those rights, rights in databases, all rights of whatever nature in computer
programs, firmware, micro-code and other computer software and data, know-
how, technical specifications, functional requirements, any other rights resulting
from intellectual activity in the industrial, scientific, literary and artistic fields and
all intangible rights and privileges of a nature similar to any of the foregoing
which are capable of protection in any relevant country of the world, based on
such Personal Data. The Receiving Party shall neither make nor use nor sell for
any purpose, any product or other item using, incorporating or derived from any
Personal Data disclosed hereunder.

9. Duration

6
 This Agreement shall enter into force upon signature thereof, and shall remain in
force until the Receiving Party or the Disclosing Party ended its business
transactions.

10. Indemnity

Notwithstanding anything to the contrary, the Receiving Party undertakes to

indemnify and at all times hereafter to keep the Disclosing Party and its
Subsidiaries (together with their respective officers, employees and agents) and
the Data Subject (each an “Injured Party”) indemnified against any and all
losses, damages, actions, proceedings, costs, claims, demands, and liabilities
(including full legal costs and attorney’s fees) which may be suffered or incurred
by the Injured Party or asserted against the Injured Party by any person or entity
(including such entity’s officers, employees, agents) whatsoever, in respect of any
matter or event whatsoever arising out of, in the course of, by reason of or in
respect of:

(a) any breach of any of the provisions in this Agreement; and/or

(b) any action or omission by the Receiving Party and/or any of its employees
or agents, that causes the Disclosing Party to be in breach of the DPA
Legislation.

11. Enforcement

Without prejudice to any other rights or remedies that the Disclosing Party and
Data Subject may have, the Receiving Party acknowledges and agrees that
damages would not be an adequate remedy for any breach of the provisions of
this Agreement, and that any such breach will cause the Disclosing Party and
Data Subject irreparable injury and damage. Accordingly, the Receiving Party
agrees that the Disclosing Party and Data Subject shall be entitled to immediate
equitable relief including, but not limited to, injunction in the event of any such
breach.

12. Severability

If any of the provisions of this Agreement is found to be invalid for any reason
whatsoever, such invalidity shall not affect the validity and operation of the other
remaining provisions of this Agreement.

13. Waiver

Any delay or failure by the Disclosing Party in exercising any right, power or
privilege hereunder shall not constitute a waiver of such right, power or privilege
by the Disclosing Party, nor shall any single or partial exercise thereof preclude
any further exercise of any right, power or privilege.

14. Governing Law and Venue of Actions

The terms of this Agreement shall be governed by and construed in all aspects in
accordance with the laws of Philippines. The Parties hereby submit to the non-
exclusive jurisdiction of the Philippine courts.

15. Entire Understanding

The Parties acknowledge that this document contains the entire terms of this
Agreement, and supersedes any and all prior oral or written communications
relating to the subject matter of this Agreement.

7
16. Variation

This Agreement may not be amended, unless in writing and signed by a duly
authorised representative of each of the Parties.

17. Counterparts

This Agreement may be signed in counterparts, each of which shall be considered

an original and all of which taken together form one single document.

18. Miscellaneous

Without prejudice to all of the foregoing obligations, which are legally binding on
the Receiving Party for any Personal Data that the Disclosing Party may disclose
or transfer to the Receiving Party, for the avoidance of doubt, this Agreement
does not impose an obligation on the Disclosing Party, nor a continuing obligation
on the Disclosing Party, to disclose or transfer any Personal Data to the Receiving
Party.

IN WITNESS WHEREOF, this Agreement has been entered into on the day and year above
written.

Green Cross Inc. [ Company Name]

Signed by: Signed by:

_______________________ _______________________

Witnessed by: Witnessed by:

_______________________ _______________________