DATA SHARING AGREEMENT
Adherence to the Data Privacy Act of 2012. The Parties hereby adhere to the provisions of Republic Act 10173, otherwise known as the Data Privacy Act of 2012, its Implementing Rules and Regulations, and the issuances of the National Privacy Commission (collectively, “DPA”), recognizing the importance of appropriate privacy protections for data subjects.
Definitions
Personal Information, Sensitive Personal Information, Personal Data, Data Subject, Processing, Personal Information Controller, and Personal Information Processor shall have the same meaning as set forth in the Implementing Rules and Regulations of Republic Act 10173, otherwise known as the Data Privacy Act of 2012, as may be amended and supplemented from time to time;
Sharing Party refers to the Party sharing the Personal Information, the Merchant;
Receiving Party refers to the Party receiving the Personal Information, ZAP Group Inc.;
Merchant Agreement refers to the agreement entered into by the Sharing Party and the Receiving Party which governs the use by the Sharing Party of the ZAP Platform and its appurtenant Modules and features and the processing of personal information by the Receiving Party on behalf of the Sharing Party;
NPC means the National Privacy Commission, the independent body created by RA 10173 mandated to administer and implement the Data Privacy Act of 2012;
NPC Circular 16-03 means the Circular issued by the NPC on December 15, 2016 entitled “Personal Data Breach Management,” as may be amended or supplemented from time to time;
Personal Data Breach shall have the same meaning as set forth in NPC Circular 16-03;
Security Incident shall have the same meaning as set forth in NPC Circular 16-03;
Shared Data means the personal information disclosed by the Sharing Party to the Receiving Party under the Agreement;
Data Sharing Arrangement
Data Sharing. During the effectivity of the Merchant Agreement, the Parties agree and understand that both the Merchant and ZAP shall be considered personal information controllers over the personal data collected and processed.
Termination of Merchant Agreement. Upon the termination of the Merchant Agreement, the Parties agree and understand that the Merchant shall cease to be a personal information controller. All control over the personal data collected and processed by ZAP shall be turned over and transferred to ZAP.
Shared Data. Control over the following personal data will be shared by the Sharing Party with the Receiving Party:
Customer Data: Name, Gender, Date of Birth, Mobile Number, Email Address, City, Membership Date, Member ID, Transaction History with Merchant
Other Customer Data as instructed to be collected and processed by Merchant
Purpose of Disclosure
To maintain the transaction history of the customer
Demographic analysis
Market analysis
Operation of ZAP Loyalty
To address customer concerns with regard to the Platform
To carry out ZAP’s lawful business activities, including company audits or investigation of a complaint or security threat
To comply with statutory and regulatory requirements, including directives, issuances by, or obligations of ZAP to any competent authority, regulator, supervisory body, enforcement agency, exchange, court, quasi-judicial body or tribunal;
To enable ZAP to exercise sound corporate governance over its businesses, ensure that risks arising therefrom are duly identified, measured, managed and mitigated, and enhance risk assessment and prevent fraud;
Establish, exercise, or defend legal claims; and
Fulfill any other purposes directly related or necessary to the performance of the above-stated purposes.
Obligations of the Receiving Party
The Receiving Party warrants that it shall be accountable for Shared Data under its control and custody, including Shared Data that it transferred to a third party for processing. It shall use contractual or other reasonable means to provide a comparable level of protection while the Shared Data are being processed by a third party.
The Receiving Party shall notify the NPC and the data subjects of any Personal Data Breach involving the Shared Data pursuant to the requirements of the DPA, including Circular 16-03, as may be amended from time to time.
Obligations of the Sharing Party
The Sharing Party warrants that it shall not use the services of the Receiving Party for any illegal or unauthorized purposes, nor shall it, in utilizing the services, violate any applicable laws of the Republic of the Philippines.
Communication. For questions, requests, and notifications, communication may be directed to each Party’s designated Data Protection Officer or his/her replacement or substitute. Unless otherwise provided, the ZAP account owner is deemed as the Data Protection Officer for the purposes of this Agreement.
ZAP Data Protection Officer
Unit 407, JG Building
C. Raymundo Avenue, Rosario
Pasig City 1909, Metro Manila, Philippines
+63 2 8423-9143
privacy@ZAP.com.ph
Security Obligations. Pursuant to its obligation to maintain the appropriate Technical, Physical, and Organizational Security Measures, the Receiving Party warrants that, at minimum, it shall have the following security measures:
Secure hashing of customer credentials.
Customer login controls to prevent brute force logins and password recovery.
Automated application of security-related OS and application fixes.
Utilization of application- and employee-specific keys to limit per access to the infrastructure.
Two-Factor Authentication requirement for ZAP employees with access to private infrastructure.
Private network to disallow public server access to private components of the infrastructure.
Data Subject Rights. Each Party shall respect the following rights accorded to Data Subjects by the Data Privacy Act of 2012:
Right to be informed. Data subjects have the right to be informed whether Personal Information pertaining to them shall be, are being, or have been processed, including the existence of automated decision-making and profiling. This Agreement may be accessed by the Data Subject upon written request submitted to any of the Parties.
Right to object. Data subjects have the right to object to the processing of their Personal Information, including processing for direct marketing, automated processing or profiling. They may withhold consent to the processing in case of changes or any amendment to the information supplied or declared to the data subject.
Right to access. Data subjects have the right to request access to any of their personal data, subject to certain restrictions.
Right to rectification. Data subjects have the right to dispute the inaccuracy or error in the personal data and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or otherwise unreasonable.
Right to erasure or blocking. Data subjects have the right to suspend, withdraw or order the blocking, removal or destruction of their personal data from the personal information controller’s filing system.
Right to damages. Data subjects have the right to be indemnified for any damages sustained due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of Personal Information, taking into account any violation of their rights and freedoms as data subjects.
Right to lodge a complaint with the National Privacy Commission.
General Provisions
Entire Agreement. The Parties intend that this Agreement, together with all attachments, schedules, exhibits, and other documents that both are referenced in this Agreement and refer to this Agreement, represent the final expression of the Parties' intent and agreement between the Parties relating to the subject matter of this Agreement, contain all the terms the Parties agreed to relating to the subject matter, and replace all the Parties' previous discussions, understandings, and agreements relating to the subject matter.
Governing Law. This Agreement shall be governed, construed, and enforced in accordance with the laws of the Republic of the Philippines.
Venue. In case of any disagreement by the Parties on the interpretation and implementation of the provisions of this Agreement, the appropriate court of Makati City shall have exclusive jurisdiction over the same.
Severability. If any part of this Agreement is declared unenforceable or invalid, the remainder will continue to be valid and enforceable.
Each of the Parties hereto represents and warrants that it has full power and authority to enter into and perform its obligations under this Agreement. All necessary actions, consents, and approvals for the execution of this Agreement have been taken and/or obtained.