DATA SHARING AGREEMENT | LISTA
This Data Sharing Agreement (“Agreement”) is entered by you, the User (“User” or “You”) and Lista Bookkeeping App, Inc. (“Lista” or “Company”) (collectively, “Parties”).
This Agreement represents a legally binding and enforceable contract between you and Lista. By accepting these Terms, you affirm and guarantee that you (a) possess full legal capacity and authority to agree to and be bound by these Terms, and (b) are at least 18 years of age or older. If you are representing an entity, organization, or any other legal entity, you confirm and declare that you have the requisite power and authority to bind such entity, organization, or legal entity to these Terms.
The Parties acknowledge that the Customers have express rights under the Republic Act No. 10173 or the Data Privacy Act of 2012 (“DPA”) and its Implementing Rules and Regulations (“IRR”), that provide for protection and confidentiality of their Personal Data.
The Parties hereby agree to bind themselves, as follows:
I. DEFINITIONS
The following terms shall have the respective meaning whenever they are used in this Agreement:
- Commission – refers to the National Privacy Commission or NPC;
- Consent of the Data Subject – refers to any freely given, specific, informed indication of will obtained by the User from its Customers, who agree to the collection and processing of their personal or sensitive personal information. Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of a Customer by a lawful representative or an agent specifically authorized by the Customer to do so;
- Data Privacy Legislation – means (1) the Data Privacy Act of 2012, its implementing rules and regulations, NPC issuances, related circulars and/or (2) all other applicable foreign or domestic laws, rules, regulations, directives and governmental requirements in relation to the privacy, security and protection of Personal Information;
- Data Protection Officer (“DPO”) – refers to an individual designated by a Party to be accountable for compliance with the DPA, its IRR, and other issuances of the Commission;
- Data Sharing – is the sharing, disclosure, or transfer to a third party of Personal Data under the custody of a personal information controller to one or more other personal information controller/s. In the case of a personal information processor, data sharing should only be allowed if it is carried out on behalf of and upon the instructions of the personal information controller it is engaged with via a subcontracting agreement. Otherwise, the sharing, transfer, or disclosure of Personal Data that is incidental to a subcontracting agreement between a personal information controller and a personal information processor should be excluded;
- Data Sharing Agreement or DSA – refers to a contract, joint issuance, or any similar document which sets out the obligations, responsibilities, and liabilities of the personal information controllers involved in the transfer of Personal Data between or among them, including the implementation of adequate safeguards for data privacy and security, and upholding the rights of the Data Subjects: provided, that only personal information controllers should be made parties to a data sharing agreement;
- Data Subject/Customers – refers to data subjects whose personal and sensitive personal information are collected and processed by the User as its customers;
- Personal Data – refers to either the personal and/or sensitive personal information of the Customers, such as, but not limited to, name, address, contact number, email address, and birthday;
- Personal Information – refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual;
- Personal Information Controller or PIC – refers to a natural or juridical person, or any other body, who controls the processing of Personal Data, or instructs another to process Personal Data on its behalf. The term excludes:
  - A natural or juridical person, or any other body, who performs such functions as instructed by another person or organization; or
  - A natural person who processes Personal Data in connection with his or her personal, family, or household affairs;
  There is control if the natural or juridical person or any other body decides on what information is processed, or the purpose or extent of its processing;
- Personal Data Breach – means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
- Processing – means any operation or any set of operations performed upon any Personal Information including, but not limited to, the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure, or destruction of data;
- Sensitive Personal Information – refers to personal information:
  - about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical, or political affiliations;
  - about an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such individual, the disposal of such proceedings, or the sentence of any court in such proceedings;
  - issued by government agencies peculiar to an individual which includes, but is not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
  - specifically established by an executive order or an act of Congress to be kept classified.
- Security Breach – refers to any unauthorized, unlawful or accidental access, processing, disclosure, alteration, loss, damage, or destruction of Personal Data whether by human or natural causes.

II. PURPOSE OF DATA SHARING
This DSA is required to ensure that the sharing of Personal Information will at all times comply with the requirements of Data Privacy Legislation.
The sharing of Personal Information between the Parties is solely for the following purposes –
(a) Processing an online digital ledger book/record book;
(b) Handling requests for payment and sending payment reminders;
(c) Communicating information about Lista and the Services, including but not limited to promotional offers, and services from Lista and its financial partners and third-party partners;
(d) Providing personalized access to Lista and its various features;
(e) Fulfilling contractual obligations related to the Services;
(f) Complying with legal and regulatory requirements, including Know Your Customer (KYC) obligations;
(g) Verifying the authenticity and validity of information and documents provided by Users through reliable and independent sources;
(h) Processing KYC Documents and ascertaining User eligibility;
(i) Conducting research, analysis, and understanding of the Users to improve the Services, user interface experiences, and security features;
(j) Evaluating eligibility for certain offers, products, or services and marketing them to Users;
(k) Performing analytics, customer research, and market research;
(l) Enhancing advertising effectiveness and attributing User actions to determine advertising value;
(m) Allowing participation in interactive features and gameplay events on the platform;
(n) Analyzing and measuring the effectiveness of advertising campaigns and determining media sources for optimal delivery;
(o) Coordinating with credit bureaus, third-party partners, and/or financial institutions to verify creditworthiness and financial history of Users;
(p) Collaborating with third-party partners involved in loan processing necessary to assess and evaluate Users’ eligibility for a loan application, including card issuance and processing;
(q) Facilitating the issuance and management of lines of credit and card administration, issuance and processing; and
(r) Any other matter in relation to the Services.
The Parties agree that this DSA formalizes a lawful transfer of Personal Information between the Parties and presents no new or additional privacy concerns. A risk assessment has been conducted in respect of the Personal Information to be shared and the necessity of the sharing. This DSA serves to address any residual privacy or information risks and document the actions taken to identify, address, and mitigate those risks wherever possible.
The Parties shall not process shared Personal Data in a way that is incompatible with the agreed purpose or purposes.
III. PERSONAL DATA TO BE SHARED
The Personal Data to be shared by User are as follows:
- Name (First Name, Middle Name, and Last Name);
- Personal photographs;
- Gender;
- Age;
- Nationality or Citizenship;
- Birthdate;
- Place of Birth;
- Email address;
- Home Address;
- IDs Presented;
- Work Details;
- Business Name;
- Business Category;
- Mobile Number (including GCash Number);
- Credit Scoring Data and Reports;
- Family or Household Personal Information (Name, Gender, Age, Birthdate, Employment Details);
- Financial information (income, employment details such as payslips and BIR forms);
- Transaction Receipts (Merchant Name, Transaction Date, Amount, etc.);
- Device information;
- Log Data;
- Computer Internet Protocol (“I.P.”) address;
- Browser version;
- Visited Websites;
- Timestamps of Website Visits;
- Pages Viewed;
- Page response time;
- Valid government-issued identification cards (“IDs”) and details therein;
- Cookies and Usage Data;
- Loan data & reports;
- Education information (such as your highest level of education and area of study);
- Mobile Device Data (Model, Applications, Location, Application Usage, Frequency);
- Lista Card transactions; and
- Other information you choose to provide, such as through emails or other communications, referrals, on social media pages, or in registrations and sign-up forms.

IV. CONSENT OF THE DATA SUBJECT
a. The User shall obtain the consent of the Data Subject/s to the data sharing between the Parties prior to collection and sharing.
b. The Parties agree and acknowledge that the Data Subjects have the right to obtain a copy of this DSA, and to access, update, or correct their respective Personal Data, or withdraw consent to the use of any of their Personal Data as defined in this DSA, and may file complaints with, and/or seek assistance from the NPC in case of violation of their rights, among other rights as enumerated in the Data Privacy Legislation. The Parties shall respect the rights of the Data Subjects as established in the Data Privacy Legislation.
c. Each Party shall maintain a record of every request made by a Data Subject, the decisions made and any information that was exchanged. Records must include copies of the request for information, details of the data accessed and shared and where relevant, notes of any meeting, correspondence or phone calls relating to the request.
d. The Parties agree to provide reasonable and prompt assistance, as is necessary under the circumstances, to each other to enable them to comply with requests and to respond to any other queries or complaints from Data Subjects.
V. PROCEDURES FOR USE OR PROCESS OF PERSONAL DATA
A. Procedure
Parties assure and undertake to inform the Data Subjects of the following information prior to collection or before Personal Data is shared:
- The identity of Personal Information Controllers or Personal Information Processors that will be given access to the Personal Data;
- The purpose of data sharing;
- The categories of Personal Data concerned;
- Intended recipients or categories of recipients of the Personal Data;
- Existence of the rights of Data Subjects, including the right to access and correction, and the right to object. However, the other party shall be informed of any request to access or correct personal information which is the subject matter of this sharing agreement;
- Any information concerning all phases of any loan processing activity, from loan solicitation, loan origination, and remedial measures; and
- Other information that would sufficiently notify the Data Subject of the nature and extent of data sharing and the manner of processing.

B. Data Transmission
- The Parties shall use the highest degree of care in the transmission of Personal Data to the receiving Party. The disclosing Party shall ensure that only secured modes of transmission of confidential information are utilized. Should there be unauthorized use, dissemination, or publication of the shared Personal Data because of and solely attributable to the disclosing Party's breach of its commitment to exercise the utmost degree of care in the transmission of confidential information, the disclosing Party alone will bear the damage or loss.
- The disclosing Party shall transfer the shared Personal Data to the receiving Party whenever there are new Data Subjects applicable for purposes of this DSA. The disclosing Party shall inform the receiving Party of the transfer or transmission of the shared Personal Data and the necessary access requirements such as the required passwords, as appropriate. The disclosing Party shall ensure that the shared Personal Data shall be in a format that is structured and commonly used.

C. Assistance
- The receiving Party shall promptly and appropriately deal with all inquiries from the disclosing Party relating to its Processing of Personal Information. The receiving Party shall, upon reasonable request, provide the disclosing Party with the name, address, and role of its subcontractor to whom Processing of Personal Information was contracted out, if any.
- A Party shall immediately inform the other Party (except to the extent prohibited by applicable law), in writing, of any requests in relation to the Processing of the shared Personal Data received from a Data Subject, employees, government or regulatory authority, court, or other third parties, pursuant to this DSA.
- The applicable Party shall be entitled to reasonable documented costs it incurs in providing any assistance or cooperation under this DSA except to the extent such cooperation is required as a result of a breach of this DSA.
D. Subcontracting
The Party receiving the Shared Data may outsource or subcontract any of its Processing under this DSA without the prior written consent of the disclosing Party, provided that lawful criteria for processing personal data exist. The Receiving Party may subcontract any of its Processing under the DSA provided that: (i) the subcontracting is done pursuant to a written agreement imposing upon the sub-contractor the same level of obligations imposed under this DSA; and (ii) the receiving Party shall remain fully liable to the disclosing Party for the sub-contractor’s performance of its obligation under such written agreement.

E. Breach Management
Except to the extent prohibited by applicable law, the affected Party shall inform the other Party in writing and in sufficient detail as mandated under the Data Privacy Legislation of any Personal Data Breach or any unauthorized or unlawful Processing of any shared Personal Data (“Data Protection Incident”) (including any corrective action taken) within seventy-two (72) hours from the discovery of the personal data breach.
For purposes of this provision, “discovery” refers to the moment when a personal data breach is identified or becomes known to the personal information controller or processor. It signifies the point in time when the organization becomes aware of the breach, either through internal monitoring, incident reporting, or any other means of detecting the unauthorized access, acquisition, or disclosure of personal data.
Notification shall be required upon knowledge of or when there is reasonable belief by the personal information controller or personal information processor that a Personal Data breach requiring notification has occurred, under the following conditions:
- The Personal Data involves sensitive personal information or any other information that may be used to enable identity fraud;
- There is reason to believe that the information may have been acquired by an unauthorized person; and
- The personal information controller or the Commission believes that the unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected Data Subject.

F. Permitted Disclosure
Parties may disclose the Personal Data only to:
- To the extent necessary;
- To authorized persons only;
- With notice to the other party; and
- With the consent of the Data Subject or when expressly authorized by law.

G. Required Disclosure
If a party is compelled by law to disclose any Personal Data, it shall notify the other party of such fact before disclosing the compelled Personal Data.

VI. SECURITY MEASURES
A. Confidentiality
The Parties shall ensure that its employees who are given access to Personal Information are subject to appropriate and binding confidentiality obligations in respect to such Processing or are under an appropriate statutory obligation of confidentiality.
B. Accuracy
The Parties shall take reasonable steps to ensure that its Processing of Personal Information is and remains accurate and complete and restricted to the declared purpose/s.
C. Data Security
- The Parties shall keep the shared Personal Data secure and shall exercise at least the same degree of care to protect such data and other information as they do to protect their own data and information.
- The Parties shall ensure that shared Personal Data is kept logically and physically separate from all their other data;
- The Parties shall ensure that, in the encrypted system or database where the shared Personal Data is stored, appropriate access controls are in place and access rights are given only to those personnel who need access thereto;
- The Parties shall ensure that if shared Personal Data is placed on a portable electronic device (including laptops, memory sticks and back-up tapes) or transmitted electronically, it is securely encrypted;
- The Parties shall take precautions to prevent any disabling device being introduced into their systems, including by ensuring that protection software against viruses, malware, trojans and other similar threats is used and kept up to date; and
- On a calendar quarterly basis and upon request by any Party, the other Party shall provide the requesting Party with an updated list of those personnel having access to shared Personal Data, and the level of such access. The receiving Party must ensure that its personnel who are given access to shared Personal Data are subject to appropriate and binding confidentiality obligations in respect to such processing.

VII. ONLINE ACCESS TO PERSONAL DATA
If the Parties shall grant online access to Personal Data under its control or custody to the other, it shall specify the following information:
a. justification for allowing online access;
b. parties that shall be granted online access;
c. types of Personal Data that shall be made accessible online;
d. estimated frequency and volume of the proposed access; and
e. program, middleware and encryption method/standard that will be used.

VIII. MUTUAL REPRESENTATIONS
Each Party represents and warrants to the other Party that –
- They are compliant with data protection requirements as established under Data Privacy Legislation;
- They have appropriate physical, technical, and organizational measures adopted and maintained to protect Personal Information against any Data Privacy Breach;
- In such case of cross-border transfer of Personal Information, the Parties shall comply with Data Privacy Legislation as may be applicable to the data exporter and data importer;
- User warrants and represents that any data shared with Lista was collected or generated through lawful means in compliance with Data Privacy Legislation. When consent is necessary, User has the obligation to obtain recorded consent from the Data Subject prior to Processing Personal Data;
- It will update itself, on a regular basis, on the issuances of the NPC and other Data Privacy Legislation and shall strictly adhere thereto;
- It will ensure that an obligation of confidentiality is imposed on its personnel authorized to process the shared Personal Data and take reasonable steps to ensure the reliability and integrity of any of its personnel who have access to the shared Personal Data. Only those personnel on a need-to-know basis shall be given access to such shared Personal Data; and
- It will promptly notify the disclosing Party about: (i) Any legally binding request for disclosure of the shared Personal Data by virtue of a court order or in compliance with any law unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation; and (ii) Any requests received from Data Subjects. For purposes of item (ii), the receiving Party and disclosing Party shall cooperate to properly respond to and address such requests to the extent allowed by law, which may involve the Data Subject’s right to access, copy, correct, rectify, erase or remove their Personal Data.

IX. RIGHTS OF THE DATA SUBJECT
Under the Law, you are entitled to the following data privacy rights:
- the right to be informed whether your Personal Data shall be, are being, or have been processed;
- the right to object to the processing of your Personal Data;
- the right to reasonably access your Personal Data;
- the right to dispute the inaccuracy or error in your Personal Data and have us correct it immediately and accordingly;
- the right to suspend, withdraw, or order the blocking, removal or destruction of your Personal Data from our records;
- the right to file a complaint with the NPC for any violation of your data privacy rights;
- the right to be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of your Personal Data not in accordance with this Statement; and
- the right to data portability of your Personal Data.

In respecting your data privacy rights, you may opt to tell us:
- not to share your information with our subsidiaries and affiliates or with other companies that we have business with, provided that such information is not critical nor required by applicable laws and regulations in maintaining the Services that you have availed of with us;
- to provide you with information that we currently have about you, subject to restrictions applied to us as a company operating in the Philippines by certain laws and regulations;
- to update your Personal Data; and
- about your other concerns relating to how we collect, use, share, protect or dispose of your information.
Inquiry or request for Personal Data can be made by submitting a written request to the following DPO (or its equivalent), who shall be the first port of call for any questions about this Agreement:
Data Protection Officer
Email: dpo@lista.com.ph
Address: 168 Alfonso XII Clairemont Hills Corazon De Jesus, City Of San Juan, Second District, NCR, 1500
Phone: +63 09171163169
Each Party shall rectify the complaint by any Customer within thirty (30) days from receipt of any complaint. The Customer shall be given a response in writing describing how the complaint was rectified and how the situation complained of will be avoided moving forward.

X. DURATION OF THIS AGREEMENT
Unless extended by mutual written consent of both Parties hereto, this Agreement shall automatically renew for successive one (1) year periods from the date hereof, unless terminated by either party. This automatic renewal shall continue until either party provides written notice of termination in accordance with the terms and conditions set forth in this Agreement.
XI. RETENTION, RETURN AND/OR DESTRUCTION OF PERSONAL DATA
Personal Data should only be processed for as long as is necessary and for the accomplishment of its purposes. Processing of Personal Data should be limited accordingly and for a period no longer than the term of this Agreement. Specific justification for processing of Personal Data beyond said period is required.
Lista may request written permission to keep Personal Data for specified purposes in anticipation of further use. In such cases, the written permission must be renewed annually and each time a new project or use is undertaken. At the end of the specified time period, the Personal Data must be deleted unless otherwise agreed by the Parties in writing.
In view of the foregoing, if Personal Data has been held for longer than one (1) year, an updated version must be obtained as soon as practicable.
Upon expiration or termination of this Agreement, whichever comes first, Lista shall perform the following within thirty (30) days from the date of said expiration or termination:
a. Return all Personal Data of Customers in any recorded form including any other property, information, and documents provided by the User;
b. Destroy all copies it made of Personal Data and any other property, information and documents if requested by the User. For print-outs or other tangible formats, the document will be shredded. For data in electronic form, the document must be deleted, wiped, overwritten or otherwise made irretrievable; and
c. Deliver to the User a certificate confirming Lista’s compliance with the return or destruction obligation under this section, if requested by the User.
XII. GENERAL PROVISIONS
- Entire Agreement. This Agreement constitutes the entire agreement between the parties with respect to the subject matter hereof. It excludes and supersedes everything else which has occurred between the Parties whether written or oral, including all other communications with respect to the subject matter hereof.
- Amendment. This Agreement may not be amended or modified except in writing and consented to by both Parties.
- Separability Clause. If any provision of this Agreement is illegal or unenforceable, its invalidity shall not affect the other provisions of this Agreement that can be given effect without the invalid provision. If any provision of this Agreement does not comply with any law, ordinance or regulation, such provision to the extent possible shall be interpreted in such a manner to comply with such law, ordinance or regulation, or if such interpretation is not possible, it shall be deemed to satisfy the minimum requirements thereof.
- Assignment. Either Party shall not assign or delegate its rights or obligations under this Agreement, in whole or in part, to any third party by operation of law or otherwise, without the prior written consent of the other. Any attempted assignment or delegation that does not comply with this section shall be null and void and of no effect.
- Non-Waiver of Rights. The failure of a Party to insist upon a strict performance of any of the terms, conditions and covenants hereof shall not be deemed a relinquishment or waiver of any right/remedy that said Party may have, nor shall it be construed as a waiver of any subsequent breach of the same or other terms, conditions and covenants.
  Any waiver, extension or forbearance of any of the terms, conditions and covenants of this Agreement by any Party hereto shall be in writing and limited to the particular instance only and shall not in any manner be construed as a waiver, extension or forbearance of any of the terms, conditions and/or covenants of this Agreement.
- Integration. This DSA is made an integral part of the Agreement between USER and LISTA along with the Terms and Conditions and Privacy Statement.
- Alternative Dispute Resolution. In the event of any dispute or difference of any kind whatsoever arising out of or relating to this Addendum, the Parties shall, at first instance, exercise their best efforts to resolve the dispute or difference by mutual consultation as soon as possible. In case best efforts fail, the dispute or difference shall be referred to alternative dispute resolution which shall be governed in accordance with the provisions provided in the 2021 Rules of Procedure of the National Privacy Commission or NPC Circular No. 2021-01. If the dispute remains unresolved after exhausting the NPC procedures, the Parties agree to submit to the exclusive jurisdiction of the courts located in Makati City, Philippines.
- Governing Law and Venue. This Agreement shall be governed by and construed in accordance with the laws of the Philippines, without regard to any conflicts of law rules. Exclusive jurisdiction over and venue of any suit arising out of or relating to this Agreement shall be in the courts of Makati City, Philippines. The Parties hereby consent and submit to the exclusive jurisdiction and venue of those courts.