Professional Documents
Culture Documents
RFBT-15 (E-Commerce, Data Privacy - Ease of Doing Business)
RFBT-15 (E-Commerce, Data Privacy - Ease of Doing Business)
Sphere of Application: The Act shall apply to any kind of electronic document used in the context of commercial and non-
commercial activities to include domestic and international dealings, transactions, arrangements, agreements contracts and
exchanges and storage of information.
Definition of Terms: For the purposes of the Act, the following terms are defined, as follows:
"Computer" refers to any device or apparatus singly or interconnected which, by electronic, electro-mechanical, optical
and/or magnetic impulse, or other means with the same function, can receive, record, transmit, store, process, correlate,
analyze, projects, retrieve, and/or produce information, data, text, graphics, figures, voice, video, symbols or other modes of
expression or perform any one or more of these functions.
"Information and Communications System" refers to a system for generating, sending, receiving, storing, or otherwise
processing electronic documents and includes the computer system or other similar device by or in which data is recorded
or stored and any procedures related to the recording or storage of electronic document.
"Originator" refers to a person by whom, or on whose behalf, the electronic document purports to have been created,
generated and/or sent. The term does not include a person acting as an intermediary with respect to that electronic
document.
"Addressee" refers to a person who is intended by the originator to receive the electronic data message or electronic
document, but does not include a person acting as an intermediary with respect to that electronic data message or electronic
data document.
"Intermediary" refers to a person who in behalf of another person and with respect to a particular electronic document
sends, receives and/or stores, provides other services in respect of that electronic data message or electronic document.
"Electronic data message" refers to information generated, sent, received or stored by electronic, optical or similar
means.
“Electronic signature" refers to any distinctive mark, characteristic and/or sound in electronic from, representing the
identity of a person and attached to or logically associated with the electronic data message or electronic document or any
methodology or procedures employed or adopted by a person and executed or adopted by such person with the intention of
authenticating or approving an electronic data message or electronic document.
"Electronic key" refers to a secret code which secures and defends sensitive information that crossover public channels
into a form decipherable only with a matching electronic key.
"Electronic document" refers to information or the representation of information, data, figures, symbols or other modes of
written expression, described or however represented, by which a right is established or an obligation extinguished, or
by which a fact may be prove and affirmed, which is receive, recorded, transmitted, stored, processed, retrieved or
produced electronically.
Legal Recognition of Electronic Data Messages: Information shall not be denied validity or enforceability solely on
the ground that it is in the form of electronic data message purporting to give rise to such legal effect, or that it is merely
incorporated by reference in that electronic data message.
For evidentiary purposes, an electronic document shall be the functional equivalent of a written document under existing
laws.
The Act does not modify any statutory any statutory rule relating to admissibility of electronic data massages or
electronic documents, except the rules relating to authentication and best evidence.
Legal Recognition of Electronic Signatures: An electronic signature on the electronic document shall be equivalent to the
signature of a person on a WRITTEN DOCUMENT if:
a. the signature is an electronic signature and
b. proved by showing that a prescribed procedure, not alterable by the parties interested in the electronic document,
existed under which-
i. A method is used to identify the party sought to be bound and to indicate said party's access to the electronic
document necessary for his consent or approval through the electronic signature;
ii. Said method is reliable and appropriate for the purpose for which the electronic document was generated or
communicated, in the light of all circumstances, including any relevant agreement;
iii. It is necessary for the party sought to be bound, in order to proceed further with the transaction to have
executed or provided the electronic signature; and
iv. The other party is authorized and enable to verify the electronic signature and to make the decision to
proceed with the transaction authenticated by the same.
Presumption Relating to Electronic Signatures: In any proceedings involving an electronic signature, it shall be presumed
that,
a. The electronic signature is the signature of the person to whom it correlates; and
b. The electronic signature was affixed by that person with the intention of signing or approving the electronic
document unless
i. the person relying on the electronically designed electronic document knows or has notice of defects in or
unreliability of the signature or
ii. reliance on the electronic signature is not reasonable under the circumstances.
Original Documents:
1. Where the law requires information to be presented or retained in its ORIGINAL FORM, that requirement is met by
an electronic data message or electronic document if:
a. the integrity of the information from the time when it was first generated in its final form, as an electronic
document is shown by evidence aliunde or otherwise; and
b. where otherwise it is required that information be presented, that the information is capable of being displayed to
the person to whom it is to be presented.
2. Paragraph (1) applies whether the requirement therein is in the form of an obligation or whether the law simply
provides consequences for the information not being presented or retained in its original form.
3. For the purpose of subparagraph (a) of paragraph (1):
a. the criteria for assessing integrity shall be whether the information has remained complete and unaltered,
apart from the addition of any endorsement and any change which arises in the normal course of communication,
storage and display ; and
b. the standard of reliability required shall be assessed in the light of purpose for which the information was
generated and in the light of all the relevant circumstances.
Authentication of Electronic Data Messages and Electronic Documents: Until the Supreme Court by appropriate rules
shall have so provided, electronic documents, electronic data messages and electronic signatures, shall be authenticated by
demonstrating, substantiating and validating a claimed identity of a user, device, or another entity is an information or
communication system, among other ways, as follows;
a. The electronic signatures shall be authenticated by proof that a letter, character, number or other symbol in electronic
form representing the persons named in and attached to or logically associated with an electronic data message,
electronic document, or that the appropriate methodology or security procedures, when applicable, were employed
or adopted by such person, with the intention of authenticating or approving in an electronic data message or electronic
document;
b. The electronic data message or electronic document shall be authenticated by proof that an appropriate security
procedure, when applicable was adopted and employed for the purpose of:
i. verifying the originator of an electronic data message or electronic document, or
The Supreme Court may adopt such other authentication procedures, including the use of electronic notarization systems as
necessary and advisable, as well as the certificate of authentication on printed or hard copies of the electronic documents or
electronic data messages by electronic notaries, service providers and other duly recognized or appointed certification
authorities.
Burden of Proof: The person seeking to introduce an electronic data message or electronic document in any legal proceeding
has the burden of proving its authenticity by evidence capable of supporting a finding that the electronic data message or
electronic document is what the person claims it on be.
Integrity of the Information and Communication System: In the absence of evidence to the contrary, the integrity
of the information and communication system in which an electronic data message or electronic document is recorded or stored
may be established in any legal proceeding –
a. By evidence that:
i. at all material times the information and communication system or other similar device was operating in a
manner that did not affect the integrity of the electronic data message or electronic document, and
ii. there are no other reasonable grounds to doubt the integrity of the information and communication system,
b. By showing that the electronic data message or electronic document was recorded or stored by a party to the
proceedings who is adverse in interest to the party using it; or
c. By showing that the electronic data message or electronic document was recorded or stored in the usual and
ordinary course of business by a person who is not a party to the proceedings and who did not act under the control of
the party using the record.
Admissibility and Evidential Weight of Electronic Data Message or electronic document: In any legal proceedings,
nothing in the application of the rules on evidence shall deny the admissibility of an electronic data message or
electronic document in evidence –
a. On the sole ground that it is in electronic form; or
b. On the ground that it is not in the standard written form, and the electronic data message or electronic document
meeting, and complying with the requirements under Legal Recognition of Electronic Data Messages and Electronic
Documents mentioned above, shall be the best evidence of the agreement and transaction contained therein.
In assessing the evidential weight of an electronic data message or electronic document, the following shall be given due regard:
a. the reliability of the manner in which it was generated, stored or communicated,
b. the reliability of the manner in which its originator was identified, and
c. other relevant factors.
Retention of Electronic Data Message or Electronic Document: Notwithstanding any provision of law, rule or regulation
to the contrary –
a. The requirement in any provision of law that certain documents be retained in their original form is satisfied by
retaining them in the form of an electronic data message or electronic document which –
i. Remains accessible so as to be usable for subsequent reference;
ii. Is retained in the format in which it was generated, sent or received, or in a format which can be demonstrated to
accurately represent the electronic data message or electronic document generated, sent or received;
iii. Enables the identification of its originator and addressee, as well as the determination of the date and the
time it was sent or received.
b. The requirement referred to in paragraph (a) is satisfied by using the services of a third party, provided that the
conditions set fourth in subparagraphs (1), (2) and (3) of paragraph (a) are met.
Proof by Affidavit: The matters referred on admissibility and on the presumption of integrity, may be presumed to have
been established by an affidavit given to the best of the deponent's knowledge subject to the rights of parties in interest
as defined in the cross-examination provided below.
Cross – Examination:
1. A deponent of an affidavit referred to above that has been introduced in evidence may be cross-examined as of right
by a party to the proceedings who is adverse in interest to the party who has introduced the affidavit or has caused the
affidavit to be introduced.
2. Any party to the proceedings has the right to cross-examine a person who is not a party to the proceedings and who
did not act under the control of the party using the record proving that the electronic data message or electronic
document was recorded or stored in the usual and ordinary course of business.
Error on Electronic Data Message or Electronic Document: The addressee is entitled to regard the electronic data
message or electronic document received as that which the originator intended to send, and to act on that assumption,
unless the addressee knew or should have known, had the addressee exercised reasonable care or used the appropriate
procedure –
a. That the transmission resulted in any error therein or in the electronic data message or electronic document enters
the designated information system, or
b. That electronic data message or electronic document is sent to an information system which is not so designated
by the addressee for the purposes.
Time of Dispatch of Electronic Data Messages or Electronic Documents: General Rule: the dispatch of an electronic
data message or electronic document occurs when it enters an information system outside the control of the originator
or of the person who sent the electronic data message or electronic document on behalf of the originator.
Except: when otherwise agreed upon.
Time of Receipt of Electronic Data Messages or Electronic Documents. – Unless otherwise agreed between the originator
and the addressee, the time of receipt of an electronic data message or electronic document is as follows:
a. Upon entry in the designated information system – if the parties has designated an information system for the purpose
of receiving electronic data messages or electronic documents
b. Upon retrieval by the addressee:
i. There is a designated information system, but the originator and the addressee are both participants in the
designated information system;
ii. The electronic message or electronic document enters an information system of the address that is not the designated
information system;
c. Upon entry in the information system of the addressee - The parties did not designate an information system.
Transport Documents:
1. Where the law requires that any action referred to contract of carriage of goods be carried out in writing or by using a
paper document, that requirement is met if the action is carried out by using one or more electronic data messages or
electronic documents.
The above applies whether the requirement there in is in the form of an obligation or whether the law simply provides
consequences for failing either to carry out the action in writing or to use a paper document.
2. If (a) a right is to be granted to, or (b) an obligation is to be acquired by, one person and no person, and if the law
requires that, in order to effect this, the right or obligation must be conveyed to that person by the transfer, or use of,
a paper document, that requirement is met if the right or obligation is conveyed by using one or more electronic data
messages or electronic documents: Provided, that a reliable method is used to render such electronic data messages or
electronic documents unique.
For the purposes of above, the standard of reliability required shall be assessed in the light of the purpose for which the
right or obligation was conveyed and in the light of all the circumstances, including any relevant agreement.
3. Where one or more electronic data messages or electronic documents are used to effect any action in subparagraph (f) and
(g) of the above (Actions Related to Contracts of Carriage of Goods), no paper document used to effect any such action is
valid unless the use of electronic data message or electronic document has been terminated and replaced by the used
of paper documents. A paper document issued in these circumstances shall contain a statement of such
termination. The replacement of the electronic data messages or electronic documents by paper documents shall not
affect the rights or obligation of the parties involved.
4. If a rule of law is compulsorily applicable to a contract of carriage of goods which is in, or is evidenced by, a paper
document, that rule shall not be inapplicable to such a contract of carriage of goods which is evidenced by one or more
electronic data messages or electronic documents by reason of the fact that the contract is evidenced by such electronic
data message or electronic documents instead of by a paper document.
Commission shall refer to the National Privacy Commission created by virtue of this Act.
Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees
to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by
written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by
the data subject to do so.
Direct marketing refers to communication by whatever means of any advertising or marketing material which is directed to
particular individuals.
Filing system refers to any act of information relating to natural or juridical persons to the extent that, although the information
is not processed by equipment operating automatically in response to instructions given for that purpose, the set is structured,
either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information
relating to a particular person is readily accessible.
Information and Communications System refers to a system for generating, sending, receiving, storing or otherwise
processing electronic data messages or electronic documents and includes the computer system or other similar device by or
which data is recorded, transmitted or stored and any procedure related to the recording, transmission or storage of electronic
data, electronic message, or electronic document.
Personal information controller refers to a person or organization who controls the collection, holding, processing or use
of personal information, including a person or organization who instructs another person or organization to collect, hold,
process, use, transfer or disclose personal information on his or her behalf. The term excludes:
1. A person or organization who performs such functions as instructed by another person or organization; and
2. An individual who collects, holds, processes or uses personal information in connection with the individual’s personal,
family or household affairs.
Personal information processor refers to any natural or juridical person qualified to act as such under this Act to whom a
personal information controller may outsource the processing of personal data pertaining to a data subject.
SCOPE OF APPLICATION
Applicability:
1. The processing of all types of personal information and
2. To any natural and juridical person involved in personal information processing including those personal
information controllers and processors who, although not found or established in the Philippines, use equipment that are
located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately
succeeding paragraph.
Protection Afforded to Journalists and Their Sources: No amendment or repeal of Republic Act No. 53, which affords the
publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation protection
from being compelled to reveal the source of any news report or information appearing in said publication which was
related in any confidence to such publisher, editor, or reporter.
Extraterritorial Application: The Data Privacy Act applies to an act done or practice engaged in and outside of the Philippines
by an entity if:
1. The act, practice or processing relates to personal information about a Philippine citizen or a resident;
2. The entity has a link with the Philippines, and the entity is processing personal information in the Philippines or even if
the processing is outside the Philippines as long as it is about Philippine citizens or residents such as, but not limited to,
the following:
a. A contract is entered in the Philippines;
b. A juridical entity unincorporated in the Philippines but has central management and control in the country; and
c. An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the
Philippine entity has access to personal information; and
3. The entity has other links in the Philippines such as, but not limited to:
a. The entity carries on business in the Philippines; and
b. The personal information was collected or held by an entity in the Philippines.
PERSONAL INFORMATION, whether recorded in a material form or not, are those from which the identity of an individual:
1. is apparent, or
2. can be reasonably and directly ascertained by the entity holding the information, or
3. when put together with other information would directly and certainly identify an individual
Examples: include the Data Owner’s Name, Home address and Phone number
Personal information must be:
1. Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after
collection, and later processed in a way compatible with such declared, specified and legitimate purposes only;
2. Processed fairly and lawfully;
3. Accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal information,
kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing
restricted;
4. Adequate and not excessive in relation to the purposes for which they are collected and processed;
5. Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the
establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law; and
6. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the
data were collected and processed: Provided, That personal information collected for other purposes may lie processed for
historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods: Provided, further,
That adequate safeguards are guaranteed by said laws authorizing their processing.
The personal information controller must ensure implementation of personal information processing principles set out herein.
PRIVILEGED INFORMATION refers to any and all forms of data which under the Rules of Court and other pertinent laws
constitute privileged communication.
Examples include:
1. Attorney-client privileged information
2. Doctor-patient privileged information
3. Marital privilege communication
4. Priest-confessor privileged information
Sensitive Personal Information and Privileged Information: The processing of sensitive personal information and
privileged information shall be prohibited, except in the following cases:
1. The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged
information, all parties to the exchange have given their consent prior to processing;
2. The processing of the same is provided for by existing laws and regulations, provided:
a. Such regulatory enactments guarantee the protection of the sensitive personal information and the privileged
information; and
b. The consent of the data subjects are not required by law or regulation permitting the processing of the sensitive
personal information or the privileged information;
3. The processing is necessary to protect the life and health of the data subject or another person, and the data subject
is not legally or physically able to express his or her consent prior to the processing;
4. The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their
associations: provided:
a. That such processing is only confined and related to the bona fide members of these organizations or their associations;
b. That the sensitive personal information are not transferred to third parties; and
c. That consent of the data subject was obtained prior to processing;
5. The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical
treatment institution, and an adequate level of protection of personal information is ensured; or
6. The processing concerns such personal information as is necessary for the protection of lawful rights and interests of
natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided
to government or public authority.
Subcontract of Personal Information: A personal information controller may subcontract the processing of personal
information.
The personal information controller shall be responsible for ensuring that proper safeguards are in place to ensure :
1. The confidentiality of the personal information processed,
2. Prevent its use for unauthorized purposes, and generally,
3. Comply with the requirements of the Data Privacy Act and other laws for processing of personal information.
The personal information processor shall comply with all the requirements of the Data Privacy Act and other applicable laws.
Extension of Privileged Communication: Personal information controllers may invoke the principle of privileged
communication over privileged information that they lawfully control or process. Subject to existing laws and regulations, any
evidence gathered on privileged information is inadmissible.
The following information must be provided before the entry of the personal information into the processing system, or at
the next practical opportunity:
a. Description of the personal information to be entered into the system;
b. Purposes for which they are being or are to be processed;
c. Scope and method of the personal information processing;
2. Right to Object: The data subject shall have the right to object to the processing of his or her personal data, including
processing for direct marketing, automated processing or profiling.
3. Right to Withhold Consent: The data subject shall be notified and given an opportunity to withhold consent to the
processing in case of changes or any amendment to the information supplied or declared to the data subject in the preceding
paragraph
Amendment of information: Any information supplied or declaration made to the data subject on these matters shall not
be amended without prior notification of data subject. Except: the notification shall not apply should the personal
information be needed pursuant to a subpoena or when the collection and processing are for obvious purposes, including
when it is necessary for the performance of or in relation to a contract or service or when necessary or desirable in the
context of an employer-employee relationship, between the collector and the data subject, or when the information is being
collected and processed as a result of legal obligation.
4. Right to Access: The data subject has reasonable access to, upon demand, the following:
a. Contents of his or her personal information that were processed;
b. Sources from which personal information were obtained;
c. Names and addresses of recipients of the personal information;
d. Manner by which such data were processed;
e. Reasons for the disclosure of the personal information to recipients;
f. Information on automated processes where the data will or likely to be made as the sole basis for any decision
significantly affecting or will affect the data subject;
g. Date when his or her personal information concerning the data subject were last accessed and modified; and
h. The designation, or name or identity and address of the personal information controller.
5. Right to Correction: The data subject shall have the right to dispute the inaccuracy or error in the personal information
and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or
otherwise unreasonable.
If the personal information have been corrected, the personal information controller shall ensure the accessibility of
both the new and the retracted information and the simultaneous receipt of the new and the retracted information
by recipients thereof: Provided, That the third parties who have previously received such processed personal information
shall he informed of its inaccuracy and its rectification upon reasonable request of the data subject;
6. Right to Erasure: the data subject shall have the right to suspend, withdraw or order the blocking, removal or
destruction of his or her personal information from the personal information controller’s filing system upon discovery
and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for
unauthorized purposes or are no longer necessary for the purposes for which they were collected. In this case, the personal
information controller may notify third parties who have previously received such processed personal information;
7. Right to Damages: The data subject shall be indemnified for any damages sustained due to such inaccurate,
incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information.
8. Right to Data Portability: The right of the data subject to obtain from the personal information controller a copy of
data, where personal information is processed:
a. by electronic means and
b. in a structured and commonly used format.
The Commission may specify the electronic format referred to above, as well as the technical standards, modalities and
procedures for their transfer.
Transmissibility of Rights of the Data Subject: The lawful heirs and assigns of the data subject may invoke the rights
of the data subject for which he or she is an heir or assignee at any time after the death of the data subject or when the
data subject is incapacitated or incapable of exercising the rights as enumerated above.
Non-Applicability of Rights: The above rights of a data subject are not applicable:
1. If the processed personal information are used only for the needs of scientific and statistical research and, on the
basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, That
the personal information shall be held under strict confidentiality and shall be used only for the declared purpose; and
2. To processing of personal information gathered for the purpose of investigations in relation to any criminal,
administrative or tax liabilities of a data subject.
Subject to guidelines as the Commission may issue from time to time, the measures implemented must include:
a. Safeguards to protect its computer network against accidental, unlawful or unauthorized usage or interference with
or hindering of their functioning or availability;
b. A security policy with respect to the processing of personal information;
c. A process for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks, and
for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach;
and
d. Regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action against
security incidents that can lead to a security breach.
4. The personal information controller must further ensure that third parties processing personal information on its behalf
shall implement the security measures required by this provision.
5. The employees, agents or representatives of a personal information controller who are involved in the processing of
personal information shall operate and hold personal information under strict confidentiality if the personal information
are not intended for public disclosure. This obligation shall continue even after leaving the public service, transfer to another
position or upon termination of employment or contractual relations.
6. The personal information controller shall promptly notify the Commission and affected data subjects when sensitive
personal information or other information that may, under the circumstances, be used to enable identity fraud are
reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the
Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any
affected data subject.
Notification to the Commission: The notification shall at least describe the nature of the breach, the sensitive personal
information possibly involved, and the measures taken by the entity to address the breach. Notification may be delayed
only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable
integrity to the information and communications system.
a. In evaluating if notification is unwarranted, the Commission may take into account compliance by the personal
information controller with this provision and existence of good faith in the acquisition of personal information.
b. The Commission may exempt a personal information controller from notification where, in its reasonable judgment,
such notification would not be in the public interest or in the interests of the affected data subjects.
c. The Commission may authorize postponement of notification where it may hinder the progress of a criminal
investigation related to a serious breach.
Period to report: If there is likelihood of risk to individuals, the data processor must report data breaches within 72 hours.
Principle of Accountability: Each personal information controller is responsible for personal information under its control or
custody, including information that have been transferred to a third party for processing, whether domestically or internationally,
subject to cross-border arrangement and cooperation.
1. The personal information controller is accountable for complying with the requirements of the Data Privacy Act and
shall use contractual or other reasonable means to provide a comparable level of protection while the information are being
processed by a third party.
2. Data Protection Officer: The personal information controller shall designate an individual or individuals who are
accountable for the organization’s compliance with the Data Privacy Act. The identity of the individual(s) so designated
shall be made known to any data subject upon request.
Responsibility of Heads of Agencies: All sensitive personal information maintained by the government, its agencies and
instrumentalities shall be secured, as far as practicable, with the use of the most appropriate standard recognized by the
information and communications technology industry, and as recommended by the Commission.
The head of each government agency or instrumentality shall be responsible for complying with the security
requirements mentioned while the Commission shall monitor the compliance and may recommend the necessary action in
order to satisfy the minimum standards.
In case there is no action by the head of the agency, then such request is considered disapproved;
b. Limitation to 1,000 Records – If a request is approved, the head of the agency shall limit the access to not more
than one thousand (1,000) records at a time; and
c. Encryption – Any technology used to store, transport or access sensitive personal information for purposes of off-site
access approved under this subsection shall be secured by the use of the most secure encryption standard
recognized by the Commission.
1. Unauthorized Processing: any person who process personal information without the consent of the data subject, or
without being authorized under the Data Privacy Act or any existing law. Penalties:
Imprisonment Fine
Personal Information 1 to 3 years P500,000 – P2,000,000
Sensitive Personal Information 3 to 6 years P500,000 – P4,000,000
2. Access – any person who, due to negligence, provided access to personal information without being authorized under the
Data Privacy Act or any existing law. Penalties:
Imprisonment Fine
Personal Information 1 to 3 years P500,000 – P2,000,000
Sensitive Personal Information 3 to 6 years P500,000 – P4,000,000
3. Improper Disposal – any person who knowingly or negligently dispose, discard or abandon the personal information of
an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its
container for trash collection. Penalties:
Imprisonment Fine
Personal Information 6 mos. to 2 years P100,000 – P500,000
Sensitive Personal Information 1 to 3 years P100,000 – P1,000,000
4. Processing for Unauthorized Purposes - processing personal information for purposes not authorized by the data
subject, or otherwise authorized under this Act or under existing laws. Penalties:
Imprisonment Fine
Personal Information 1 year and 6 mos. to 5 years P500,000 – P1,000,000
Sensitive Personal Information 2 to 7 years P500,000 – P2,000,000
5. Unauthorized Access or Intentional Breach – any person who knowingly and unlawfully, or violating data confidentiality
and security data systems, breaks in any way into any system where personal and sensitive personal information is stored.
Penalty shall be imprisonment of 1 year to 3 years and a fine of P500,000 to P2,000,000.
6. Concealment of Security Breaches Involving Sensitive Personal Information. – any person who, after having
knowledge of a security breach and of the obligation to notify the Commission, intentionally or by omission conceals the
fact of such security breach. The penalty shall be imprisonment of 1 year and 6 months to 5 years and a fine of P500,000
to P1,000,000.
7. Malicious Disclosure – Any personal information controller or personal information processor or any of its officials,
employees or agents, who, with malice or in bad faith, discloses unwarranted or false information relative to any personal
information or personal sensitive information obtained by him or her. The penalty shall be imprisonment of 1 year and 6
months to 5 years and a fine of P500,000 to P1,000,000.
8. Unauthorized Disclosure. – Any personal information controller or personal information processor or any of its officials,
employees or agents, who discloses to a third party personal or sensitive personal information, not covered by Malicious
Disclosure above, without the consent of the data subject. The penalties:
Imprisonment Fine
Personal Information 1 year to 3 years P500,000 – P1,000,000
Sensitive Personal Information 3 to 5 years P500,000 – P2,000,000
shall he subject to imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred
thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00).
9. Combination or Series of Acts – Any combination or series of acts as defined in above shall make the person subject to
imprisonment 3 to 6 years and a fine of P1,000,000 to P5,000,000.
Extent of Liability:
1. Juridical Persons: If the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon
the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission
of the crime. If the offender is a juridical person, the court may suspend or revoke any of its rights under the Data Privacy
Act.
2. Alien: If the offender is an alien, he or she shall, in addition to the penalties above, be deported without further
proceedings after serving the penalties prescribed.
3. Large-Scale: The maximum penalty in the scale of penalties respectively provided shall be imposed when the personal
information of at least one hundred (100) persons is harmed, affected or involved as the result of the above-mentioned
actions.
4. Public Official or Employee: If the offender is a public official or employee and he or she is found guilty of Improper
Disposal of Personal Information and Sensitive Personal Information and Processing of Personal Information and Sensitive
Personal Information for Unauthorized Persons, he or she shall, in addition to the penalties prescribed, suffer perpetual
or temporary absolute disqualification from office, as the case may be.
5. Offense Committed by Public Officer: When the offender or the person responsible for the offense is a public officer as
defined in the Administrative Code of the Philippines in the exercise of his or her duties, an accessory penalty consisting
in the disqualification to occupy public office for a term double the term of criminal penalty imposed shall he
applied.
6. Restitution: Restitution for any aggrieved party shall be governed by the provisions of the New Civil Code.
NOTIFICATION OF THE COMMISSION: The personal information controller shall notify the Commission of a personal data
breach subject to the following procedures:
When Notification Should be Done: The Commission shall be notified within seventy-two (72) hours upon knowledge of
or the reasonable belief by the personal information controller or personal information processor that a personal data breach
has occurred.
Delay in Notification: Notification may only be delayed to the extent necessary to determine the scope of the breach, to
prevent further disclosures, or to restore reasonable integrity to the information and communications system. The personal
information controller need not be absolutely certain of the scope of the breach prior to notification. Its inability to immediately
secure or restore integrity to the information and communications system shall not be a ground for any delay in notification, if
such delay would be prejudicial to the rights of the data subjects. Delay in notification shall not be excused if it is used to
perpetuate fraud or to conceal the personal data breach.
When delay is prohibited: There shall be no delay in the notification if the breach involves at least one hundred (100) data
subjects, or the disclosure of sensitive personal information will harm or adversely affect the data subject. In both instances,
the Commission shall be notified within the 72-hour period based on available information. The full report of the personal data
breach must be submitted within five (5) days, unless the personal information controller is granted additional time by the
Commission to comply.
Content of Notification: The notification shall include, but not be limited to:
1. Nature of the Breach
a. description of how the breach occurred and the vulnerability of the data processing system that allowed the breach;
b. a chronology of the events leading up to the loss of control over the personal data;
c. approximate number of data subjects or records involved;
d. description or nature of the personal data breach;
e. description of the likely consequences of the personal data breach; and
f. name and contact details of the data protection officer or any other accountable persons.
2. Personal Data Possibly Involved
a. description of sensitive personal information involved; and
b. description of other information involved that may be used to enable identity fraud.
3. Measures Taken to Address the Breach
a. description of the measures taken or proposed to be taken to address the breach;
b. actions being taken to secure or recover the personal data that were compromised;
c. actions performed or proposed to mitigate possible harm or negative consequences, and limit the damage or distress
to those affected by the incident;
d. action being taken to inform the data subjects affected by the incident, or reasons for any delay in the notification;
e. the measures being taken to prevent a recurrence of the incident.
Form: Notification shall be in the form of a report, whether written or electronic, containing the required contents of notification:
Provided, that the report shall also include the name and contact details of the data protection officer and a designated
representative of the personal information controller: Provided further, that, where applicable, the manner of notification of the
data subjects shall also be included in the report. Where notification is transmitted by electronic mail, the personal information
controller shall ensure the secure transmission thereof. Upon receipt of the notification, the Commission shall send a
confirmation to the personal information controller. A report is not deemed filed without such confirmation. Where the
notification is through a written report, the received copy retained by the personal information controller shall constitute proof
of such confirmation
SUBCONTRACT OF PERSONAL DATA: A personal information controller may subcontract or outsource the processing of
personal data: Provided, that the personal information controller shall use contractual or other reasonable means to ensure that
proper safeguards are in place, to ensure the confidentiality, integrity and availability of the personal data processed, prevent
its use for unauthorized purposes, and generally, comply with the requirements of the Act, these Rules, other applicable laws
for processing of personal data, and other issuances of the Commission.
AGREEMENTS FOR OUTSOURCING: Processing by a personal information processor shall be governed by a contract or other
legal act that binds the personal information processor to the personal information controller.
a. The contract or legal act shall set out the subject-matter and duration of the processing, the nature and purpose of the
processing, the type of personal data and categories of data subjects, the obligations and rights of the personal information
controller, and the geographic location of the processing under the subcontracting agreement.
b. The contract or other legal act shall stipulate, in particular, that the personal information processor shall:
1. Process the personal data only upon the documented instructions of the personal information controller, including
transfers of personal data to another country or an international organization, unless such transfer is authorized by
law;
2. Ensure that an obligation of confidentiality is imposed on persons authorized to process the personal data;
3. Implement appropriate security measures and comply with the Act, these Rules, and other issuances of the
Commission;
4. Not engage another processor without prior instruction from the personal information controller: Provided, that any
such arrangement shall ensure that the same obligations for data protection under the contract or legal act are
implemented, taking into account the nature of the processing;
5. Assist the personal information controller, by appropriate technical and organizational measures and to the extent
possible, fulfill the obligation to respond to requests by data subjects relative to the exercise of their rights;
DUTY OF PERSONAL INFORMATION PROCESSOR: The personal information processor shall comply with the requirements
of the Act, these Rules, other applicable laws, and other issuances of the Commission, in addition to obligations provided in a
contract, or other legal act with a personal information controller.
ENFORCEMENT OF THE DATA PRIVACY ACT: Pursuant to the mandate of the Commission to administer and implement the
Act, and to ensure the compliance of personal information controllers with its obligations under the law, the Commission requires
the following:
a. Registration of personal data processing systems operating in the country that involves accessing or requiring sensitive
personal information of at least one thousand (1,000) individuals, including the personal data processing system of
contractors, and their personnel, entering into contracts with government agencies;
b. Notification of automated processing operations where the processing becomes the sole basis of making decisions that
would significantly affect the data subject;
c. Annual report of the summary of documented security incidents and personal data breaches;
d. Compliance with other requirements that may be provided in other issuances of the Commission.
The personal information controller or personal information processor that employs fewer than two hundred fifty (250) persons
shall not be required to register unless the processing it carries out is likely to pose a risk to the rights and freedoms of data
subjects, the processing is not occasional, or the processing includes sensitive personal information of at least one thousand
(1,000) individuals.
Contents: The contents of registration shall include:
1. The name and address of the personal information controller or personal information processor, and of its representative,
if any, including their contact details;
2. The purpose or purposes of the processing, and whether processing is being done under an outsourcing or subcontracting
agreement;
3. A description of the category or categories of data subjects, and of the data or categories of data relating to them;
4. The recipients or categories of recipients to whom the data might be disclosed;
5. Proposed transfers of personal data outside the Philippines;
6. A general description of privacy and security measures for data protection;
7. Brief description of the data processing system;
8. Copy of all policies relating to data governance, data privacy, and information security;
9. Attestation to all certifications attained that are related to information and communications processing; and
10. Name and contact details of the compliance or data protection officer, which shall immediately be updated in case of
changes.
Procedure: The procedure for registration shall be in accordance with these Rules and other issuances of the Commission.
NOTIFICATION OF AUTOMATED PROCESSING OPERATIONS. The personal information controller carrying out any wholly
or partly automated processing operations or set of such operations intended to serve a single purpose or several related
purposes shall notify the Commission when the automated processing becomes the sole basis for making decisions about a data
subject, and when the decision would significantly affect the data subject.
b. No decision with legal effects concerning a data subject shall be made solely on the basis of automated processing without
the consent of the data subject.
REVIEW BY THE COMMISSION: The following are subject to the review of the Commission, upon its own initiative or upon
the filing of a complaint by a data subject:
a. Compliance by a personal information controller or personal information processor with the Act, these Rules, and other
issuances of the Commission;
b. Compliance by a personal information controller or personal information processor with the requirement of establishing
adequate safeguards for data privacy and security;
c. Any data sharing agreement, outsourcing contract, and similar contracts involving the processing of personal data, and its
implementation;
DECLARATION OF POLICY: It is hereby declared the policy of the State to promote integrity, accountability, proper
management of public affairs and public property as well as to establish effective practices, aimed at efficient turnaround of the
delivery of government services and the prevention of graft and corruption in government. Towards this end, the State shall
maintain honesty and responsibility among its public officials and employees, and shall take appropriate measures to promote
transparency in each agency with regard to the manner of transacting with the public, which shall encompass a program for
the adoption of simplified requirements and procedures that will reduce red tape and expedite business and nonbusiness related
transactions in government.
DEFINITION OF TERMS:
Action refers to the written approval or disapproval made by a government office or agency on the application
or request submitted by an applicant or requesting party for processing;
Business One a single common site or location, or a single online website or portal designated for the Business Permit
Stop Shop and Licensing System (BPLS) of an LGU to receive and process applications, receive payments, and issue
(BOSS) approved licenses, clearances, permits, or authorizations;
Business- a set of regulatory requirements that a business entity must comply with to engage, operate or continue
related to operate a business, such as, but not limited to, collection or preparation of a number of documents,
transactions submission to national and local government authorities, approval of application submitted, and receipt
of a formal certificate or certificates, permits, licenses which include primary and secondary, clearances
and such similar authorization or documents which confer eligibility to operate or continue to operate as
a legitimate business
Complex applications or requests submitted by applicants or requesting parties of a government office which
transactions necessitate evaluation in the resolution of complicated issues by an officer or employee of said government
office, such transactions to be determined by the office concerned;
Fixer any individual whether or not officially involved in the operation of a government office or agency who
has access to people working therein, and whether or not in collusion with them, facilitates speedy
completion of transactions for pecuniary gain or any other advantage or consideration;
Government the process or transaction between applicants or requesting parties and government offices or agencies
service involving applications for any privilege, right, reward, license, clearance, permit or authorization,
concession, of for any modification, renewal or extension of the enumerated applications or requests which
are acted upon in the ordinary course of business of the agency or office concerned
Highly technical an application which requires the use of technical knowledge, specialized skills and/or training in the
application processing and/or evaluation thereof
Nonbusiness all other government transactions not falling under Section 4 (c) of this Act
transactions
Officer or a person employed in a government office or agency required to perform specific duties and
employee responsibilities related to the application or request submitted by an applicant or requesting party for
processing
Processing time the time consumed by an LGU or national government agency (NGA) from the receipt of an application or
request with complete requirements, accompanying documents and payment of fees to the issuance of
certification or such similar documents approving or disapproving an application or request
Red tape any regulation, rule, or administrative procedure or system that is ineffective or detrimental in achieving
its intended objectives and, as a result, produces slow, suboptimal, and undesirable social outcomes
Regulation any legal instrument that gives effect to a government policy intervention and includes licensing, imposing
information obligation, compliance to standards or payment of any form of fee, levy, charge or any other
statutory and regulatory requirements necessary to carry out activity
Simple applications or requests submitted by applicants or requesting parties of a government office or agency
transactions which only require ministerial actions on the part of the public officer or employee, or that which present
only inconsequential issues for the resolution by an officer or employee of said government.
COVERAGE: all government offices and agencies including LGUs, GOCCs and other government instrumentalities, whether
located in the Philippines or abroad, that provide services covering business and nonbusiness related transactions.
Business-related transactions - a set of regulatory requirements that a business entity must comply with to engage, operate
or continue to operate a business.
REENGINEERING OF SYSTEMS AND PROCEDURES: All offices and agencies which provide government services are hereby
mandated to regularly undertake cost compliance analysis, time and motion studies, undergo evaluation and improvement of
their transaction systems and procedures and reengineer the same if deemed necessary to reduce bureaucratic red tape and
processing time.
The Anti-Red Tape Authority shall coordinate with all government offices covered under this Act in the review of existing laws,
executive issuances and local ordinances, and recommend the repeal of the same if deemed outdated, redundant, and adds
undue regulatory burden to the transacting public.
All proposed regulations of government agencies shall undergo regulatory impact assessment to establish if the proposed
regulation does not add undue regulatory burden and cost to these agencies and the applicants or requesting parties: Provided,
That when necessary, any proposed regulation may undergo pilot implementation to assess regulatory impact.
CITIZEN’S CHARTER: All government agencies including departments, bureaus, offices, instrumentalities, or government-
owned and/or –controlled corporations, or LGUs shall set up their respective most current and updated service standards to be
known as the Citizen’s Charter in the form of information billboards which shall be posted at the main entrance of offices or at
the most conspicuous place, in their respective websites and in the form of published materials written either in English, Filipino,
or in the local dialect, that detail:
a. A comprehensive and uniform checklist of requirements for each type of application or request;
b. The procedure to obtain a particular service;
c. The person/s responsible for each step;
d. The maximum time to conclude the process;
e. The document/s to be presented by the applicant or requesting party, if necessary;
f. The amount of fees, if necessary; and
g. The procedure for filing complaints.
ACTIONS OF OFFICERS:
1. PRESCRIBED PERIODS TO PROCESS: All applications or requests submitted shall be acted upon by the assigned officer
or employee within the prescribed processing time stated in the Citizen's Charter which shall not be longer than:
Complex Transactions - applications or requests submitted 7 working days from date of receipt
by applicants or requesting parties of a government office
which necessitate evaluation in the resolution of
complicated issues by an officer or employee of said
government office, such transactions to be determined by the
office concerned.
If the application or request for license, clearance, permit, the Sanggunian concerned shall be given a period of
certification or authorization shall require the approval of the forty-five (45) working days to act on the
local Sanggunian (Sangguniang Bayan, Sangguniang application or request, which can be extended for
Panlungsod, or the Sangguniang Panlalawigan as the case may another twenty (20) working days.
be)
If the local Sanggunian concerned has denied the
application or request, the reason for the denial, as
well as the remedial measures that maybe taken by
the applicant shall be cited by the concerned
Sanggunian
2. EXTENSTION: The maximum time prescribed above may be extended only once for the same number of days, which
shall be indicated in the Citizen's Charter. Prior to the lapse of the processing time, the office or agency concerned shall
notify the applicant or requesting party in writing of the reason for the extension and final date of release of the
government service/s requested. Such written notification shall be signed by the applicant or requesting party to serve as
proof of notice.
Any denial of application or request is deemed to have been made with the permission or clearance from the highest
authority having jurisdiction over the government office or agency concerned.
LIMITATION OF SIGNATORIES
The number of signatories in any document shall be limited to a maximum of three (3) signatures which shall represent
officers directly supervising the office or agency concerned: Provided, That in case the authorized signatory is on official
business or official leave, an alternate shall be designated as signatory.
Electronic signatures or pre-signed license, clearance, permit, certification or authorization with adequate security and
control mechanism may be used.
All government agencies covered shall, when applicable, develop electronic versions of licenses, clearances, permits,
certifications or authorizations with the same level of authority as that of the signed hard copy, which may be printed by the
applicants or requesting parties in the convenience of their offices.
Heads of offices and agencies which render government services shall adopt appropriate working schedules to ensure that
all applicants or requesting parties who are within their premises prior to the end of official working hours are
attended to and served even during lunch break and after regular working hours.
The LGUs are mandated to implement the following revised guidelines in the issuance of business licenses, clearances, permits,
certifications or authorizations:
a. A single or unified business application form shall be used in processing new applications for business permits and
business renewals which consolidates all the information of the applicant or requesting party by various local government
departments, such as, but not limited to, the local taxes and clearances, building clearance, sanitary permit, zoning
clearance, and other specific LGU requirements, as the case may be, including the fire clearance from the Bureau of Fire
Protection (BFP).
The unified form shall be made available online using technology-neutral platforms such as, but not limited to, the central
business portal or the city/municipality's website and various channels for dissemination. Hard copies of the unified
forms shall likewise be made available at all times in designated areas of the concerned office and/or agency.
b. A one-stop business facilitation service, hereinafter referred to as the business one stop shop, (BOSS) for the
city/municipality's business permitting and licensing system to receive and process manual and/or electronic submission of
application for license, clearance, permit, certification or authorization shall be established within the
cities/municipalities’ Negosyo Center as provided for under Republic Act No. 10644, otherwise known as the "Go
Negosyo Act".
There shall be a queuing mechanism in the BOSS to better manage the flow of applications among the LGUs' departments
receiving and processing applications. LGUs shall implement colocation of the offices of the treasury, business permits
and licensing office, zoning office, including the BFP, and other relevant city/municipality offices, departments, among
others, engaged in starting a business, dealing with construction permits.
c. Cities/Municipalities are mandated to automate their business permitting and licensing system or set up an
electronic BOSS within a period of three (3) years upon the effectivity of this Act for a more efficient business
registration processes.
d. To lessen the transaction requirements, other local clearances such as, but not limited to, sanitary permits,
environmental and agricultural clearances shall be issued together with the business permit.
e. Business permits shall be valid for a period of one (1) year. The city/municipality may have the option to renew
business permits within the first month of the year or on the anniversary date of the issuance of the business
permit.
f. Barangay clearances and permits related to doing business shall be applied, issued, and collected at the
city/municipality in accordance with the prescribed processing time of this Act: Provided, That the share in the
collections shall be remitted to the respective barangays. The pertinent provisions of Republic Act No. 7160, otherwise
known as "The Local Government Code of 1991", specifically Article IV, Section 152(c) is hereby amended accordingly.
VIOLATIONS AND PERSONS LIABLE: Any person who performs or cause the performance of the following acts shall be
liable:
a. Refusal to accept application or request with complete requirements being submitted by an applicant or requesting party
without due cause;
b. Imposition of additional requirements other than those listed in the Citizen’s Charter;
c. Imposition of additional costs not reflected in the Citizen’s Charter;
d. Failure to give the applicant or requesting party a written notice on the disapproval of an application or request;
e. Failure to render government services within the prescribed processing time on any application or request without due
cause;
f. Failure to attend to applicants or requesting parties who are within the premises of the office or agency concerned prior to
the end of official working hours and during lunch break;
g. Failure or refusal to issue official receipts; and
h. Fixing and/or collusion with fixers in consideration of economic and/or other gain or advantage."
Penalties and Liabilities: Any violations of the above will warrant the following penalties and liabilities.
a. First Offense: Administrative liability with 6 months suspension: Provided, however, That in the case of fixing and/or
collusion with fixers, the penalty below shall apply.
b. Second Offense: Administrative liability and criminal liability of dismissal from the service, perpetual disqualification from
holding public office and forfeiture of retirement benefits and imprisonment of 1 to 6 years with a fine of not less than
P500,000.00, but not more than P2,000,000.00.
Criminal liability shall also be incurred through the commission of bribery, extortion, or when the violation was done deliberately
and maliciously to solicit favor in cash or in kind. In such cases, the pertinent provisions of the Revised Penal Code and other
special laws shall apply.
RANKING OF THE PHILIPPINES IN THE WORLD BANK’S ANNUAL DOING BUSINESS REPORT:
1. 2016 – 103rd
2. 2017 – 99th
3. 2018 – 113th
4. 2019 – 124th
5. 2020 – 95th
E- COMMERCE ACT
1. The Electronic Commerce Act applies to any kind of data message and electronic document used in the context of __
activities to include __ dealings, transactions, arrangements, agreements, contracts, and exchanges and storage of
information.
A. Commercial and non-commercial; domestic and international
B. Only commercial; domestic and international
C. Only commercial; only domestic
D. Commercial and non-commercial; only domestic
2. It refers to information generated, sent, received, or stored by optical or similar means.
A. Electronic key C. Electronic signature
B. Electronic data message D. Electronic document
3. It refers to any distinctive mark, characteristic and/or sound in electronic form, representing the identity of a person
and attached to or logically associated with the electronic data message or electronic document
A. Electronic key C. Electronic signature
B. Electronic data message D. Electronic document
4. It refers to information or the representation of information, data, figures, symbols or other modes of written
expression, described or however represented, by which a right is established or an obligation extinguished, or by
which a fact may be prove and affirmed, which is receive, recorded, transmitted, stored, processed, retrieved or
produced electronically.
A. Electronic key C. Electronic signature
B. Electronic data message D. Electronic document
5. It refers to a secret code which secures and defends sensitive information that cross over public channels into a form
decipherable only with a matching electronic key.
A. Electronic key C. Electronic signature
B. Electronic data message D. Electronic document
1 A 6 B 11 D 16 A
2 B 7 A 12 A 17 C
3 C 8 D 13 A 18 A
4 D 9 B 14 A 19 D
5 A 10 C 15 C 20 C
1. It refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent
or can be reasonably and directly ascertained by the entity holding the information, or when put together with other
information would directly and certainly identify an individual.
a Data subject c Privileged information
b Personal information d Sensitive personal information
2. It refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged
communication.
a. Data subject c Privileged information
b. Personal information d Sensitive personal information
3. First Statement: DPA applies to the processing of all types of personal information and to any natural and juridical person
involved in personal information processing including those personal information controllers and processors who, although
not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an
office, branch or agency in the Philippines, except when DPA is not applicable, subject to the requirements of extraterritorial
application.
Second Statement: The Data Privacy Act is applicable to Information about any individual who is or was an officer or
employee of a government institution that relates to the position or functions of the individual.
a. Only the first statement is true. c Both of the statements are true
b. Only the second statement is true. d None of the statements is true
4. Which information is/are not covered by the Data Privacy Act?
a. About an individual who is or was performing service under contract for a government institution that relates to
the services performed
b. Relating to any discretionary benefit of a financial nature such as the granting of a license or permit given by the
government to an individual
c. Processed for journalistic, artistic, literary or research purposes
d. All of the above
5. Which information is/are not covered by the Data Privacy Act?
a. Necessary in order to carry out the functions of public authority
b. Necessary for banks and other financial institutions under the jurisdiction of the independent, central monetary
authority or Bangko Sentral ng Pilipinas to comply with RA 9510, and RA 9160, as amended
c. Originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions,
including any applicable data privacy laws, which is being processed in the Philippines
d. All of the above
6. First Statement: The Data Privacy Act did not amend or repeal the provisions of RA 53, which affords the publishers,
editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation protection from being
compelled to reveal the source of any news report or information appearing in said publication which was related in any
confidence to such publisher, editor, or reporter.
Second Statement: The Data Privacy Act applies to an act done or practice engaged within the Philippines by an entity
only and does not apply to those done and engaged outside of the Philippines.
a. Only the first statement is true. c Both of the statements are true
b. Only the second statement is true. d None of the statements is true
1 B 11 B 21 A
2 C 12 C 22 C
3 A 13 B 23 D
4 D 14 B 24 C
5 D 15 D 25 B
6 A 16 A 26 C
7 D 17 D 27 A
8 C 18 B 28 B
9 B 19 C 29 D
10 A 20 C 30 D
1. Under the Ease of Doing Business Act, this has been defined as a set of regulatory requirements that
a business entity must comply with to engage or operate or continue to operate a business:
A. Business-related transaction
B. License
C. Non-business transactions
D. Complex transactions
2. After acceptance of the written applications, requests, and/or documents, who shall perform the
preliminary assessment of the application or request?
A. The receiving officer
B. The direct supervisor of the receiving officer
C. The head of the agency
D. The Anti-Red Tape Authority
3. A transaction which present only inconsequential issues for the resolution by an officer or employee of
the concerned government office is known as:
A. Simple transaction
B. Complex transaction
C. Highly-technical transaction
D. A transaction that will require the approval of a local sanggunian
5. An application which requires the use of technical knowledge, specialized skill and/or training in the
process and/or evaluation thereof.
A. Simple Transaction
B. Complex Transaction
C. Highly-Technical Transaction
D. None of the choices
6. If the approval of the local Sanggunian is required, the processing time of the application or request,
the approval of the Sanggunian concerned shall be given a period of ____________.
A. 20 calendar days
B. 45 calendar days
C. 20 working days
D. 45 working days
7. If a transaction is categorized as complex, it shall be processed not more than 7 working days from the
date of receipt, which is also the number of days indicated in the citizens’ charter. The maximum time
for extension that may be granted is:
A. 3 working days
B. 7 working days
C. 20 working days
D. 45 working days
8. If a government office fails to approve or disapprove an application within the prescribed processing
time:
A. It shall be deemed approved
B. It shall be deemed denied
C. It shall be deemed approved only if all the required documents have been submitted and all required
fees and charges have been paid
D. It shall be deemed denied if all the required documents have not been submitted even if all required
fees and charges have been paid
9. The number of signatories in any document shall be limited to a maximum of ___ signatures which shall
represent officers directly supervising the office or agency concerned.
A. 1
B. 3
C. 5
D. 7
10. Mr. X went to a government agency and arrived at 4:58pm. He was 12th in the number of persons who
sill be submitting an application for a government license. The agency closes at 5:00pm and it takes on
average 20mins to process the submission which means only 1 applicant will be processed before closing
time. In this case,
A. Mr. X would have to go back the following day and will be considered 11th in the processing queue.
B. Mr. X would have to go back the following day and obtain a new queueing number.
C. Mr. X would not have to go back as his application is still required to be processed that same day.
D. Mr. X can be considered a priority.
1 A 6 D
2 A 7 B
3 A 8 C
4 D 9 B
5 C 10 C