Data Privacy & E-commerce Flashcards

(26 cards)

1
Q

REPUBLIC ACT NO. ____________

AN ACT PROVIDING FOR THE RECOGNITION AND USE OF ELECTRONIC COMMERCIAL AND NON-COMMERCIAL TRANSACTIONS AND DOCUMENTS, PENALTIES FOR UNLAWFUL USE THEREOF, AND FOR OTHER PURPOSES

This Act shall be known as the
“Electronic Commerce Act of 2000.”

A

8792

2
Q

Section 2. Declaration of Policy. – It is the policy of the State to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth. The State recognizes the vital role of information and communications technology in nation-building and its inherent obligation to ensure that personal information in information and communications systems in the government and in the private sector are secured and protected.

A

“Data Privacy Act of 2012”

3
Q

REPUBLIC ACT NO. _________

AN ACT PROTECTING INDIVIDUAL PERSONAL INFORMATION IN INFORMATION AND COMMUNICATIONS SYSTEMS IN THE GOVERNMENT AND THE PRIVATE SECTOR, CREATING FOR THIS PURPOSE A NATIONAL PRIVACY COMMISSION, AND FOR OTHER PURPOSES

This Act shall be known as the “Data Privacy Act of 2012”.

A

10173

4
Q

Section 3. Objective - This Act aims to facilitate domestic and international dealings, transactions, arrangements, agreements, contracts and exchanges and storage of information through the utilization of electronic, optical and similar medium, mode, instrumentality and technology to recognize the authenticity and reliability of electronic documents related to such activities and to promote the universal use of electronic transaction in the government and general public.

A

“Electronic Commerce Act of 2000.”

5
Q

Choices:
a. Addressee
b. Computer
c. Electronic Data Message
d. Information and Communications System
e. Electronic Signature

  1. ___________ refers to any distinctive mark, characteristic and/or sound in electronic form representing the identity of a person and attached to or logically associated with the electronic data message or electronic document or any methodology adopted by a person and executed by such person with the intention of authenticating or approving an electronic data message or electronic document.
  2. _________ refers to any device or apparatus which, by electronic, electro-mechanical, or magnetic impulse, or by other means, is capable of receiving, recording, transmitting, storing, processing, retrieving, or producing information, data, figures, symbols or other modes of written expression according to mathematical and logical rules.
  3. ___________ refers to a system intended for and capable of generating, sending, receiving, storing, or otherwise processing electronic data message or electronic documents and includes the computer system or other similar device.
  4. ___________ refers to information generated, sent, received or stored by electronic, optical or similar means.
  5. __________ refers to a person who is intended by the originator to receive the electronic data message or electronic document. The term does not include a person acting as an intermediary with respect to that electronic data message or electronic data document.
A
  1. Electronic Signature
  2. Computer
  3. Information and Communications System
  4. Electronic Data Message
  5. Addressee
6
Q

Choices:
a. Electronic Document
b. Electronic Key
c. Intermediary
d. Originator
e. Service provider

  1. _________ refers to a person by whom, or on whose behalf, the electronic document purports to have been created, generated and/or sent.
  2. ________ refers to information or the representation of information, data, figures, symbols or other modes of written expression, by which a right is established or an obligation extinguished.
  3. _______ refers to a person who in behalf of another person and with respect to a particular electronic document sends, receives and/or stores that electronic data message or electronic document.
  4. _______ refers to a secret code which secures and defends sensitive information that crosses over public channels into a form decipherable only with a matching electronic key.
  5. __________ refers to a provider of
    a. On-line services or network access or the operator of facilities offering the transmission, routing, or providing connections for online communications, digital or otherwise, between or among points specified by a user.
    b. The necessary technical means by which electronic documents of an originator may be stored and made accessible to designated or undesignated third party.
A
  1. Originator
  2. Electronic Document
  3. Intermediary
  4. Electronic Key
  5. Service provider
7
Q

For evidentiary purposes, an electronic document shall be the functional ____________ of a written document under existing laws.

A

equivalent

8
Q

(a) _____________ which refers to unauthorized access into or interference in a computer system/server or information and communication system; or any access in order to corrupt, alter, steal, or destroy using a computer or other similar information and communication devices, without the knowledge and consent of the owner of the computer or information and communications system, including the introduction of computer viruses and the like, resulting in the corruption, destruction, alteration, theft or loss of electronic data messages or electronic documents.
Shall be punished by a minimum fine of _____________ and a maximum commensurate to the damage incurred and a mandatory imprisonment of ________ to three (3) years;

(b) _________ or the unauthorized copying, reproduction, dissemination, or distribution, importation, use, removal, alteration, substitution, modification, storage, uploading, downloading, communication, making available to the public, or broadcasting of protected material, electronic signature or copyrighted works including legally protected sound recordings or phonograms or information material on protected works, through the use of telecommunication networks, such as, but not limited to, the internet, in a manner that infringes intellectual property rights shall be punished by a minimum fine of ___________ and a maximum commensurate to the damage incurred and a mandatory imprisonment of ________ to three (3) years;

A

a. Hacking or cracking
One Hundred Thousand pesos (P 100,000.00)
six (6) months

b. Piracy
one hundred thousand pesos (P 100,000.00)
six (6) months

9
Q
  1. It refers to a person who is intended by the originator to receive the electronic data message or electronic document.
    a. Addressee
    b. Recipient
    c. Intermediary
    d. Provider
  2. It refers to a person by whom, or on whose behalf, the electronic document purports to have been created, generated and/or sent.
    a. Addressor
    b. Sender
    c. Originator
    d. Provider
  3. It refers to any distinctive mark, characteristic and/or sound in electronic form, representing the identity of a person and attached to or is associated with the electronic data message or electronic document or any methodology or procedures employed or adopted by a person and executed or adopted by such person with the intention of authenticating or approving an electronic data message or electronic document.
    a. Electronic key
    b. Electronic ID
    c. Electronic mark
    d. Electronic signature
  4. Statement 1: An audio can be a form of electronic signature.
    Statement 2: Without a right established or an obligation extinguished, an information cannot be considered as an electronic document.
    a. Only Statement 1 is true.
    b. Only Statement 2 is true.
    c. Both statements are true.
    d. Both statements are not true.
  5. A service provider has the authority to:
    I. Modify or alter the content of the electronic document received
    II. Make any entry therein on behalf of the originator
    a. I only
    b. II only
    c. Both I and II
    d. Neither I nor II.
A
  1. A
  2. C
  3. D
  4. C
    (f) “Electronic Document” refers to information or the representation of information, data, figures, symbols or other modes of written expression, described or however represented, by which a right is established or an obligation extinguished, or by which a fact may be proved and affirmed, which is received, recorded, transmitted, stored, processed, retrieved or produced electronically.
  5. A
    Such service providers shall have NO authority to modify or alter the content of the electronic data message or electronic document received OR to make any entry therein on behalf of the originator, addressee or any third party unless specifically authorized to do so, and who shall retain the electronic document in accordance with the specific request or as necessary for the purpose of performing the services it was engaged to perform.
10
Q
  1. Under the Civil Code, a contract of sale of goods priced not less than P500 is covered by the Statute of Frauds. If the contract of sale of goods was entered into in electronic form, what is the status of the contract?
    a. Perfectly valid.
    b. Voidable, for failure to comply with the requirement of the Statute of
    c. Unenforceable, for failure to comply with the requirement of the Statute of Fraud.
    d. Void
  2. Where the law requires that a document be presented or retained in its original form, that requirement is met by an electronic document if:
    a. The integrity of the document can be definitely traced from the time when it was first generated in its final form
    b. There exists a reliable assurance as to the integrity of the document from the time when it was first generated in its final form
    c. There exists an electronic signature which ensures the integrity of the document from the time when it was first generated in its final form
    d. The originator employed security features such as the use of electronic keys at the onset of the document which still exists in the final form of the document
  3. Statement 1: For evidentiary purposes, an electronic document does not satisfy the requirement of an original document.
    Statement 2: An electronic signature cannot be considered as equivalent to the signature of a person in a written document.
    a. Only Statement 1 is true.
    b. Only Statement 2 is true.
    c. Both statements are true.
    d. Both statements are not true.
  4. In proving that an electronic signature is equivalent to the signature of person in a written document, there must also be proof that a procedure was followed, under all of the following, except:
    a. A method is used to identify the party sought to be bound and to indicate said party’s access to the electronic document necessary for his consent or approval through the electronic signature.
    b. Said method is reliable and appropriate for the purpose for which the electronic document was generated or communicated, in the light of all circumstances, including relevant agreement.
    c. It is necessary for the party sought to be bound, in order to proceed further with the transaction, to have executed or provided the electronic signature; and
    d. The other party can rely on the electronic signature as authentic for all intents and purposes
  5. Which of the following electronic data messages can be attributed to the originator?
    I. Electronic data messages sent by a person who had the authority to act on behalf of the originator
    II. Electronic data messages by an information system programmed by the originator
    III. Electronic data messages by an information system programmed on behalf of the originator
    a. I only.
    b. I and II only.
    c. I and III only.
    d. I, II, and III.
A
  1. A
  2. B
    (c) Where the law requires that a document be presented or retained in its original form, that requirement is met by an electronic document if -
    i. There exists a reliable assurance as to the integrity of the document from the time when it was first generated in its final form; and
    ii. That document is capable of being displayed to the person to whom it is to be presented: Provided, That no provision of this Act shall apply to vary any and all requirements of existing laws on formalities required in the execution of documents for their validity.
  3. D
  4. D
    Section 8. Legal Recognition of Electronic Signatures. - An electronic signature on the electronic document shall be equivalent to the signature of a person on a written document if that signature is proved by showing that a prescribed procedure, not alterable by the parties interested in the electronic document, existed under which -
    (a) A method is used to identify the party sought to be bound and to indicate said party’s access to the electronic document necessary for his consent or approval through the electronic signature;
    (b) Said method is reliable and appropriate for the purpose for which the electronic document was generated or communicated, in the light of all circumstances, including any relevant agreement;
    (c) It is necessary for the party sought to be bound, in order to proceed further with the transaction, to have executed or provided the electronic signature; and
    (d) The other party is authorized and enabled to verify the electronic signature and to make the decision to proceed with the transaction authenticated by the same.
  5. D
    Section 18. Attribution of Electronic Data Message. -
    (1) An electronic data message or electronic document is that of the originator if it was sent by the originator himself.

(2) As between the originator and the addressee, an electronic data message or electronic document is deemed to be that of the originator if it was sent:
(a) by a person who had the authority to act on behalf of the originator with respect to that electronic data message or electronic document; or
(b) by an information system programmed by, or on behalf of the originator to operate automatically.

(3) As between the originator and the addressee, an addressee is entitled to regard an electronic data message or electronic document as being that of the originator, and to act on that assumption, if:
(a) in order to ascertain whether the electronic data message or electronic document was that of the originator, the addressee properly applied a procedure previously agreed to by the originator for that purpose; or
(b) the electronic data message or electronic document as received by the addressee resulted from the actions of a person whose relationship with the originator or with any agent of the originator enabled that person to gain access to a method used by the originator to identify electronic data messages as his own.

11
Q
  1. Samantha obtained two electronic documents. The first electronic document is protected with a password. Samantha called Rose to ask of the document, and Rose informed Samantha to application that provides a six-digit key which changes every 30 seconds. Upon use of the application, Samantha was able to gain access to the document. Upon browsing the document, Samantha saw a promissory note payable to her electronically signed by Marie. On due date, Samantha went to Marie to collect on the proceeds of the promissory note. Marie contends that the promissory note was not hers and that she should not be liable. Which of the following statements is true?
    a. Samantha can regard the electronic document as that of Rose since it was the procedure given by Rose which gave access to the document.
    b. Samantha can regard the electronic document as that of Marie since an electronic signature is the functional equivalent of a signature on a writ
    c. Samantha can regard the electronic document as that of both Rose and Marie since they were both instrumental on Samantha’s access to the document
    d. Samantha cannot regard the electronic document as that of both Rose and Marie considering that the electronic document is password-protected
  2. Robin received two electronic non-negotiable promissory notes by email on January 15, 2021. The emails were received two seconds apart. The two electronic promissory notes were identical. The amount involved P2,000,000 each, and were electronically signed by Matt as the maker on the same date. Both promissory notes were due on March 15, 2021. On the said date, Robin sought to collect P4,000,000 from Matt. However, Matt contended that he only undertook to pay P2,000,000 and that the second email he received was just an error of double sending. Robin? How much should Matt pay?
    a. P2,000,000. Duplicates of electronic documents cannot be regarded as separate electronic documents.
    b. P4,000,000. Robin is entitled to regard each electronic document received as separate electronic documents.
    c. P3,000,000. Duplicates of electronic documents are only given one half of its intended effectivity.
    d. No liability. The apparent duplication of the electronic documents invalidates all that has been received.
  3. If the addressee and the originator are both participants in the designated information system, the time of receipt of electronic data messages is:
    a. Upon entry in the designated information system
    b. Upon sending by the originator
    c. Upon acknowledgment of receipt by the addressee
    d. Upon retrieval by the addressee
  4. An electronic contract of sale of services was entered into between Patrick and Bob. Patrick is a resident of Marikina with principal place of business in Quezon City while Bob is a resident of Pasig with principal place of business in Mandaluyong. While Patrick was on vacation at Cebu City, Bob sent a contract of sale to Patrick. Patrick, through his mobile phone, opened the document at Cebu City. Where is the electronic contract of sale received?
    a. Marikina
    b. Quezon City
    c. Pasig
    d. Cebu City
  5. Statement 1: Where the law requires that any action referred to contract of carriage of goods be carried out in writing or by using a paper document, that requirement is met if the action is carried out by using one or more electronic data messages or electronic documents.
    Statement 2: Parties to any electronic transaction shall be free to determine the type of level of electronic data message or electronic document security needed.
    a. Only Statement 1 is true.
    b. Only Statement 2 is true.
    c. Both statements are true.
    d. Both statements are not true.
A
  1. B
    Section 9. Presumption Relating to Electronic Signatures - In any proceedings involving an electronic signature, it shall be presumed that -
    (a) The electronic signature is the signature of the person to whom it correlates; and
    (b) The electronic signature was affixed by that person with the intention of signing or approving the electronic document unless the person relying on the electronically signed electronic document knows or has notice of defects in or unreliability of the signature or reliance on the electronic signature is not reasonable under the circumstances.
  2. A
    Section 18. Attribution of Electronic Data Message.
    (6) The addressee is entitled to regard each electronic data message or electronic document received as a separate electronic data message or electronic document and to act on that assumption, except to the extent that it DUPLICATES another electronic data message or electronic document and the addressee knew or should have known, had it exercised reasonable care or used any agreed procedure, that the electronic data message or electronic document was a duplicate.
  3. D
    Section 22. Time of Receipt of Electronic Data Messages or Electronic Documents. - Unless otherwise agreed between the originator and the addressee, the time of receipt of an electronic data message or electronic document is as follows:
    a.) If the addressee has designated an information system for the purpose of receiving electronic data message or electronic document, receipt occurs at the time when the electronic data message or electronic document enters the designated information system: Provided, however, that if the originator and the addressee are both participants in the designated information system, receipt occurs at the time when the electronic data message or electronic document is RETRIEVED BY THE ADDRESSEE;
  4. B
    Section 23. Place of Dispatch and Receipt of Electronic Data Messages or Electronic Documents. - Unless otherwise agreed between the originator and the addressee, an electronic data message or electronic document is deemed to be dispatched at the place where the ORIGINATOR HAS ITS PLACE OF BUSINESS and received at the place where the ADDRESSEE HAS ITS PLACE OF BUSINESS. This rule shall apply even if the originator or addressee had used a laptop or other portable device to transmit or receive his electronic data message or electronic document. This rule shall also apply to determine the tax situs of such transaction.
  5. C
    Section 24. Choice of Security Methods. - Subject to applicable laws and/or rules and guidelines promulgated by the Department of Trade and Industry with other appropriate government agencies, parties to any electronic transaction shall be free to determine the type of level of electronic data message and electronic document security needed, and to select and use or implement appropriate technological methods that suit their need.
12
Q

Choices:
a. Commission
b. Data subject
c. Consent of the data subject
d. Direct marketing
e. Filing system

  1. _____ shall refer to the National Privacy Commission created by virtue of the law.
  2. ________ refers to any set of information relating to natural or juridical persons to the extent that, the set is structured either by reference to individuals or by reference to criteria relating to individuals in such a way that specific information relating to a particular person is readily accessible.
  3. ___________ refers to any freely given, specific, informed indication of will. Consent shall be evidenced by written, electronic or recorded means or may also be given on behalf of the data subject by an agent specifically authorized by the data subject to do so.
  4. _______ refers to an individual whose personal information is processed.
  5. __________ refers to communication by whatever means of any advertising or marketing material which is directed to particular individuals.
A
  1. Commission
  2. Filing system
  3. Consent of the data subject
  4. Data subject
  5. Direct marketing
13
Q

Choices:
a. Information and Communications System
b. Personal information
c. Personal information controller
d. Personal information processor
e. Processing

  1. ___________ refers to any information from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information.
  2. __________ refers to a system for generating, sending, receiving, storing or otherwise processing electronic data messages or electronic documents and includes the computer system or other similar device by which data is recorded, transmitted or stored.
  3. ____________ refers to any natural or juridical person qualified to act as such to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.
  4. ___________ refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information.
  5. ________ refers to any operation or any set of operations performed upon personal information including but not limited to the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, blocking, erasure or destruction of data.
A
  1. Personal information
  2. Information and Communications System
  3. Personal information processor
  4. Personal information controller
  5. Processing
14
Q
  1. _________ information refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.
  2. _________ information refers to personal information:
    a. About an individual’s race, ethnic origin, marital status, age, color and religious, philosophical or political affiliation
    b. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings
    c. Social security numbers, previous or current health records, licenses or its denials, suspension or revocation and tax returns
    d. About information specifically established by an executive order or an act of Congress to be kept classified.
A
  1. Privileged
  2. Sensitive personal
15
Q

Section 4. Scope. – This Act applies to the processing of all types of personal information and to any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph: Provided, That the requirements of Section 5 are complied with.

A

“Data Privacy Act of 2012”
REPUBLIC ACT NO. 10173

15
Q

The Commission shall be attached to the Department of Information and Communications Technology (DICT) and shall be headed by a Privacy Commissioner, who shall also act as Chairman of the Commission. The Privacy Commissioner shall be assisted by two (2) Deputy Privacy Commissioners, one to be responsible for Data Processing Systems and one to be responsible for Policies and Planning. The Privacy Commissioner and the two (2) Deputy Privacy Commissioners shall be appointed by the President of the Philippines for a term of ____ years, and may be reappointed for another term of _____ years. Vacancies in the Commission shall be filled in the same manner in which the original appointment was made.

The Privacy Commissioner must be at least _____ years of age and of good moral character, unquestionable integrity and known probity, and a recognized expert in the field of information technology and data privacy. The Privacy Commissioner shall enjoy the benefits, privileges and emoluments equivalent to the rank of Secretary.

The Deputy Privacy Commissioners must be recognized experts in the field of information and communications technology and data privacy. They shall enjoy the benefits, privileges and emoluments equivalent to the rank of Undersecretary.

A

three (3); three (3)

thirty-five (35)

15
Q

To administer and implement the provisions of this Act, and to monitor and ensure compliance of the country with international standards set for data protection, there is hereby created an independent body to be known as the ____________, which shall have the following functions:

(a) Ensure compliance of personal information controllers with the provisions of this Act;

(b) Receive complaints, institute investigations, facilitate or enable settlement of complaints through the use of alternative dispute resolution processes, adjudicate, award indemnity on matters affecting any personal information, prepare reports on disposition of complaints and resolution of any investigation it initiates, and, in cases it deems appropriate, publicize any such report: Provided, That in resolving any complaint or investigation (except where amicable settlement is reached by the parties), the Commission shall act as a collegial body. For this purpose, the Commission may be given access to personal information that is subject of any complaint and to collect the information necessary to perform its functions under this Act;

(c) Issue cease and desist orders, impose a temporary or permanent ban on the processing of personal information, upon finding that the processing will be detrimental to national security and public interest;

(d) Compel or petition any entity, government agency or instrumentality to abide by its orders or take action on a matter affecting data privacy;

(e) Monitor the compliance of other government agencies or instrumentalities on their security and technical measures and recommend the necessary action in order to meet minimum standards for protection of personal information pursuant to this Act;

(f) Coordinate with other government agencies and the private sector on efforts to formulate and implement plans and policies to strengthen the protection of personal information in the country;

(g) Publish on a regular basis a guide to all laws relating to data protection;

(h) Publish a compilation of agency system of records and notices, including index and other finding aids;

(i) Recommend to the Department of Justice (DOJ) the prosecution and imposition of penalties specified in Sections 25 to 29 of this Act;

(j) Review, approve, reject or require modification of privacy codes voluntarily adhered to by personal information controllers: Provided, That the privacy codes shall adhere to the underlying data privacy principles embodied in this Act: Provided, further, That such privacy codes may include private dispute resolution mechanisms for complaints against any participating personal information controller. For this purpose, the Commission shall consult with relevant regulatory agencies in the formulation and administration of privacy codes applying the standards set out in this Act, with respect to the persons, entities, business activities and business sectors that said regulatory bodies are authorized to principally regulate pursuant to the law: Provided, finally, That the Commission may review such privacy codes and require changes thereto for purposes of complying with this Act;

(k) Provide assistance on matters relating to privacy or data protection at the request of a national or local agency, a private entity or any person;

(l) Comment on the implication on data privacy of proposed national or local statutes, regulations or procedures, issue advisory opinions and interpret the provisions of this Act and other data privacy laws;

(m) Propose legislation, amendments or modifications to Philippine laws on privacy or data protection as may be necessary;

(n) Ensure proper and effective coordination with data privacy regulators in other countries and private accountability agents, participate in international and regional initiatives for data privacy protection;

(o) Negotiate and contract with other data privacy authorities of other countries for cross-border application and implementation of respective privacy laws;

(p) Assist Philippine companies doing business abroad to respond to foreign privacy or data protection laws and regulations; and

(q) Generally perform such acts as may be necessary to facilitate cross-border enforcement of data privacy protection.

A

National Privacy Commission

15
Q

Section 10. The Secretariat.
The Commission is hereby authorized to establish a Secretariat. Majority of the members of the Secretariat must have served for at least _____ years in any agency of the government that is involved in the processing of personal information including, but not limited to, the following offices:
Social Security System (SSS),
Government Service Insurance System (GSIS),
Land Transportation Office (LTO),
Bureau of Internal Revenue (BIR),
Philippine Health Insurance Corporation (PhilHealth),
Commission on Elections (COMELEC),
Department of Foreign Affairs (DFA),
Department of Justice (DOJ), and
Philippine Postal Corporation (Philpost).

16
Q

Section 12. Criteria for Lawful Processing of Personal Information. – The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:

(a) The data subject has given his or her consent;

(b) The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;

(c) The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;

(d) The processing is necessary to protect vitally important interests of the data subject, including life and health;

(e) The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or

(f) The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

A

Section 13. Sensitive Personal Information and Privileged Information. – The processing of sensitive personal information and privileged information shall be prohibited, except in the following cases:

(a) The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;

(b) The processing of the same is provided for by existing laws and regulations: Provided, That such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information: Provided, further, That the consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;

(c) The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;

(d) The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: Provided, That such processing is only confined and related to the bona fide members of these organizations or their associations: Provided, further, That the sensitive personal information are not transferred to third parties: Provided, finally, That consent of the data subject was obtained prior to processing;

(e) The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or

(f) The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.

17
Q

Rights of Data Subject
1. Right to be informed whether personal information being processed pertains to him or her
2. Right to be furnished the information before the entry of his or her personal information into the processing system of the personal information controller.
3. Right to have reasonable access to the following:
    a. Contents of his or her personal information being processed
    b. Sources from which personal information was obtained
    c. Names and addresses of recipients of the personal information
    d. Manner by which such data were processed
    e. Reasons for the disclosure of the personal information to recipients
    f. Information on automated processes where the data will be made as the sole basis for any decision significantly affecting the data subject
    g. Date when his or her personal information was last accessed and modified
    h. The designation, name, identity and address of the personal information controller
4. Right to dispute the inaccuracy or error in the personal information and have the personal information controller correct it immediately and accordingly.
5. Right to suspend, withdraw or order the blocking, removal or destruction of his or her personal information from the personal information controller’s filing system upon discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for which they were collected
6. Right to be indemnified for any damages sustained due to such inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information.
7. Transmissibility of Rights of Data Subject – The lawful heirs and assigns of the data subject may invoke the rights of the data subject at any time after the death of the data subject or when the data subject is incapacitated of exercising the rights under the law.
A

(l) Sensitive personal information refers to personal information:

(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;

(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;

(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and

(4) Specifically established by an executive order or an act of Congress to be kept classified.

18
Q
  1. It refers to communication by whatever means of any advertising or marketing material which is directed to particular individuals.
    a. Direct marketing
    b. Direct communication
    c. Direct advertising
    d. Direct infringement
  2. It refers to a person or organization who controls the collection, holding, processing or use of personal information, including a person or organization who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf.
    a. Personal information collector
    b. Personal information controller
    c. Personal information manager
    d. Personal information repository
  3. It refers to an individual whose personal information is processed.
    a. Personal information provider
    b. Personal information holder
    c. Data subject
    d. Data person
  4. Anita obtains the addresses of her customers for her food business, so that she may be able to deliver her goods efficiently. Bonnie obtains the names and age of her students as part of her recordkeeping as adviser of the class. Cassie obtains emails and phone numbers of her friends to save on her phone. Who among them is a personal information controller?
    a. Anita only.
    b. Anita and Bonnie only.
    c. Anita and Cassie only.
    d. Bonnie and Cassie only.
  5. Winnie, a personal information processor, is charged with violation of the Data Privacy Act. The violation consists of two acts. First, Winnie revealed the salary range of Sally, an Administrative Officer III at the Department of Finance. Second, Winnie, in publishing her research, disclosed the ages and sexes of the respondents to her survey. Is Winnie liable for violation of the Data Privacy Act?
    a. No.
    b. Yes, but only as to the first act.
    c. Yes, but only as to the second act.
    d. Yes, on both acts.
18
Q
  1. Which of the following statements is true regarding news sources of journalists?
    a. Journalists are compelled to reveal the source of any news report.
    b. Journalists, by order of competent court, are compelled to reveal the source of any news report.
    c. Journalists are compelled to reveal details regarding sources of any news report except those classified as sensitive personal information.
    d. Journalists are not compelled to reveal the source of any news report.
  2. Which of the following is not included in the application of the Data Privacy Act?
    I. Information about an individual who is or was performing service under contract for a banking institution that relates to the services performed
    II. Information necessary for banks and other financial institutions to comply with the Anti-Money Laundering Act
    a. I only.
    b. II only.
    c. I and II only.
    d. Neither I nor II.
  3. Which of the following statements is true regarding a personal information controller outside of the Philippines?
    a. A personal information controller outside of the Philippines is not covered by the Data Privacy Act even if the personal information pertains to Philippine citizens.
    b. A personal information controller outside of the Philippines is not covered by the Data Privacy Act even if the personal information pertains to Philippine residents.
    c. A personal information controller inside the Philippines is not covered by the Data Privacy Act if the personal information pertains to non-residents.
    d. A personal information controller outside of the Philippines is covered by the Data Privacy Act even if the personal information pertains to Philippine residents or citizens
  4. The National Privacy Commission is an agency attached to:
    a. Department of National Defense
    b. Commission on Human Rights
    c. Department of Information and Communications Technology
    d. Department of Privacy
  5. All of the following are qualifications of the Privacy Commissioner, except:
    a. At least thirty-five (35) years of age
    b. A resident of the Philippines for at least two (2) years
    c. Of good moral character, unquestionable integrity and known probity
    d. A recognized expert in the field of information technology and data privacy
A
  1. D
  2. B
    The Act does not apply to certain types of data when processing is required for compliance with other laws or for lawful government functions.
    I. Information about a person performing services under contract for a bank is covered by the Act.
    II. Information necessary for banks to comply with the Anti-Money Laundering Act (AMLA) is exempted from the Data Privacy Act’s coverage, as it falls under lawful processing for regulatory compliance.
  3. D
  4. C
  5. B
18
Q
  1. Which of the following acts performed upon personal information constitute processing?
    I. Collection
    II. Storage
    III. Retrieval
    IV. Erasure
    a. I and III only.
    b. II and IV only.
    c. I, II, and III only.
    d. I, II, III, and IV.
  2. This principle provides that the Processing of Personal data shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose.
    a. Principle of Proportionality
    b. Principle of Legitimate Purpose
    c. Principle of Relevance
    d. Principle of Reasonable Extent
  3. This principle provides that the Data Subject must be aware of the nature, purpose, and extent of the Processing of his or her Personal Data by the Company, including the risks and safeguards involved, the identity of persons and entities involved in processing his or her Personal Data, his or her rights as a Data Subject, and how these can be exercised.
    a. Principle of Proportionality
    b. Principle of Informed Consent
    c. Principle of Awareness
    d. Principle of Transparency
  4. This principle provides that the Processing of Personal Data by the Company shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.
    a. Principle of Transparency
    b. Principle of Compatibility
    c. Principle of Legitimate Purpose
    d. Principle of Adherence
  5. Kris joined the raffle draw of Barry’s Supermarket in the hopes of winning a 42” Smart TV. Kris indicated her mobile phone number and email address in the form given for the raffle entry. The form looked simple for Kris. It just contained empty fields to be filled out, the logo of Barry’s Supermarket, and the grand prizes to be won. However, to her surprise, Kris soon received multiple promotions from different brands asking her to buy products at a discount. Her email inbox soon became spammed as well with unwanted promotion. Is there a data privacy principle violated?
    a. None.
    b. Yes. The Principle of Proportionality was violated.
    c. Yes. The Principle of Legitimate Purpose was violated.
    d. Yes. The Principle of Transparency was violated.
18
Q
  1. Which of the following best defines the term “personal information”?
    a. Those which the data subject would normally and reasonably regard as private in nature.
    b. Those from which the identity of an individual is apparent or can be reasonably and directly ascertained
    c. Those from which the identity of an individual can be subject to identity theft
    d. Those which the personal information controller would regard as having economic value
  2. Statement 1: There can be no lawful processing of personal information without the consent of the data subject.
    Statement 2: If the processing is necessary for compliance with a legal obligation to which the personal information controller is subject, then such is considered as lawful processing by the Data Privacy Act.
    a. Only Statement 1 is true.
    b. Only Statement 2 is true.
    c. Both statements are true.
    d. Both statements are not true.
  3. All of the following are privileged information, except:
    a. Attorney-client privileged information
    b. Doctor-patient privileged information
    c. Priest-confessor privileged information
    d. Bank-client privileged information
  4. Which of the following is classified as sensitive personal information?
    a. List of Facebook friends
    b. Tax returns
    c. Credit card information
    d. Passwords
  5. Which of the following is not classified as sensitive personal information?
    a. Bidding documents
    b. Political affiliation
    c. High school grades
    d. Social security numbers
A
  1. B
  2. B
    Statement 1 is not entirely true. Consent is one lawful basis, but not the only one.
    Statement 2 is true. Processing for compliance with a legal obligation is a valid lawful basis under Section 12 of the Act.
  3. D
  4. B
  5. A
    Under Section 3(l) of the Data Privacy Act of 2012 (RA 10173) in the Philippines, sensitive personal information includes:
    - Political affiliations ✅
    - Education-related data (e.g., high school grades) ✅
    - Government-issued identifiers like Social Security numbers ✅
    However, bank account numbers, while certainly private and protected, are not explicitly classified as sensitive personal information under the law. They fall under personal information, which still requires protection but is subject to less stringent processing rules compared to sensitive personal data
19
  21. Mr. X was admitted in a hospital. He is suffering from difficulty in breathing, high fever, and fatigue. His symptoms are quickly worsening. The doctor asked his wife as to previous admissions, but the wife had no idea. Instead, the wife informed the doctor that he was previously admitted at BCD Hospital, and they have the health records of Mr. X. The doctor called at BCD Hospital, and BCD Hospital disclosed the health records to the doctor. Is there any breach of the Data Privacy Act with the disclosure?
    a. Yes, because Mr. X did not give his consent.
    b. No, because Mr. X's wife, as his duly authorized representative, gave her consent for the disclosure.
    c. Yes, because health records are considered as sensitive personal information.
    d. No, because the processing of the personal information is necessary for purposes of medical treatment.
  22. Which of the following information can a business organization obtain without violating the Data Privacy Act?
    I. Tax Identification Number of its employees
    II. Medical records for employees who have signified that they wish to avail of the health insurance benefit of the company
    III. Names of customers for purposes of issuing invoices and official receipts
    a. I only.
    b. I and III only.
    c. I and II only.
    d. I, II, and III.
  23. Statement 1: A data subject shall have the right to be informed of the purpose for which his personal information is being taken.
    Statement 2: A data subject shall have the right to be informed of the duration for which his personal information will be stored by the personal information controller.
    a. Only Statement 1 is true.
    b. Only Statement 2 is true.
    c. Both statements are true.
    d. Both statements are not true.
  24. Which of the following is false regarding the rights of a data subject?
    a. A data subject shall have the right to object to the processing of his or her personal data, including processing for direct marketing, automated processing or profiling.
    b. A data subject can no longer object to the processing of his data once he has given it to a personal information processor.
    c. A data subject can choose which personal information will be subject to processing, withholding from processing those which he chooses otherwise.
    d. If a personal information controller changes the purpose for which the personal information of the data subject is to be processed, the data subject may withhold consent.
  25. A data subject has the right to access:
    I. The address of the personal information controller
    II. Sources from which his personal information were obtained
    a. I only.
    b. II only.
    c. Both I and II.
    d. Neither I nor II.
  21. D
  22. D
  23. C
  24. B
  25. C
20
  26. A data subject has the right to data portability. This means that:
    a. A data subject can transfer his data from one personal information controller to another.
    b. A data subject can obtain a copy of his personal information.
    c. A data subject can change the purpose for which his personal information will be processed.
    d. A data subject can dictate the format in which his personal information will be stored.
  27. Which of the following is true regarding the data subject's right to correction?
    a. The personal information controller shall ensure the accessibility of both the new and the retracted information.
    b. The data subject can exercise this right only once.
    c. The personal information controller has no obligation to inform third persons who may have obtained the data prior to correction of the correction made by the data subject.
    d. The personal information controller is obligated to delete the retracted information.
  28. In the event that the personal information controller reasonably believes that sensitive personal information has been acquired by an unauthorized person, the personal information controller has the obligation to:
    a. Notify the affected data subjects
    b. Notify the National Privacy Commission
    c. Notify all data subjects which the personal information controller handles
    d. Notify both the affected data subjects and the National Privacy Commission
  29. The data processor must report data breaches to the NPC within a period of:
    a. 24 hours
    b. 48 hours
    c. 72 hours
    d. Five days
  30. A data privacy violation is considered to be large scale if:
    a. the personal information of at least ten (10) persons is harmed
    b. the personal information of at least twenty (20) persons is harmed
    c. the personal information of at least one hundred (100) persons is harmed
    d. the personal information of at least one thousand (1,000) persons is harmed
  26. B
  27. A
  28. D
  29. C
  30. C