Professional Documents
Culture Documents
12
w
a. Personal information controller
b. Data subject
c. Personal information processor
ie
d. Data Compliance Officer
2. This refers to any information whether recorded in a material form or not, from which the identity of
ev
an individual is apparent or can be reasonably and directly ascertained by the entity holding the
information, or when put together with other information would directly and certainly identify an
individual.
a. Private information
b. Privileged information
c. Sensitive information
d. Personal information
R
PA
3. I. A data subject can be a juridical person
II. Processing of personal information is generally prohibited
a. Both statements are correct
b. Both statements are false
C
4. Consent of the data subject may be given through the following means, except:
EO
a. Written
b. Electronic
c. Implied
d. Recorded
R
5. This refers to a person or organization who controls the collection, holding, processing or use of
personal information, including a person or organization who instructs another person or
organization to collect, hold, process, use, transfer or disclose personal information on his or her
behalf:
a. Data subject
b. Personal information controller
c. Personal information processor
(074) 665 6774 0916 840 0661 support@reo.com.ph MAY 2022 LIVE LECTURE MATERIALS
Page 2 of 5 | RFBT-Live Lectures Handouts No. 12
6. This refers to any natural or juridical to whom a personal information controller may outsource the
processing of personal data pertaining to a data subject.
a. Data subject
b. Data protection officer
c. Personal information processor
d. National Privacy Commission
w
7. The Data Privacy Act applies in the following cases, except:
a. Processing of personal data of a Filipino citizen by a natural person located outside the
ie
Philippines
b. Processing of personal data through the use of equipment located in the Philippines by a
foreign company
ev
c. Personal information processed for journalistic, artistic, literary or research purposes
d. Collection of data by an entity in the Philippines
9. This data privacy principle states that the processing of information shall be adequate, relevant,
suitable, necessary, and not excessive in relation to a declared and specified purpose
a. Transparency
C
b. Fiscal adequacy
c. Legitimate purpose
d. Proportionality
EO
10. Processing of personal information shall be permitted in the following instances, except:
a. Compliance with legal obligation
b. For the fulfillment of a contract
c. To protect vital interests of the data subject, such as life and health
d. For legitimate interests even if it will override fundamental rights and freedoms
R
12. Which of the following is NOT a responsibility of a personal information controller under the Data
Privacy Act?
a. Implement reasonable and appropriate measures to protect personal information against
natural dangers
b. Data breach notification
c. Registration of data processing systems
d. Creation of a department solely for the purpose of assuring compliance with data privacy
law
w
13. Which of the following is not a right of a data subject?
a. Right to be informed
ie
b. Right to object
c. Right to access the personal information controller’s database
d. Right to rectification
ev
14. The data subject may ask for the erasure or blocking of his personal data when:
a. The personal data is incomplete
b. The data subject withdraws consent
R
c. The data subject is not compensated for processing of the data
d. Both a and b
PA
15. I. A data subject can claim damages in case of unauthorized use of personal data
II. Rights of data subjects are intransmissible
a. Both statements are correct
b. Both statements are false
c. Only Statement I is correct
C
16. The right of a data subject to obtain from the personal information controller a copy of data
undergoing processing in an electronic or structured format, which is commonly used and allows
EO
17. I. If the personal data of a data subject is used for scientific research purposes, the right to access
is not applicable
II. The data subject may authorize other person to facilitate the exercise of his rights on his or her
behalf
a. Both statements are correct
b. Both statements are false
c. Only Statement I is correct
18. The data subject’s right to object to the processing of his or her personal data is not available in the
following cases, except:
a. If the data subject withholds consent
b. The personal data is needed pursuant to a subpoena
c. The information is being collected and processed as a result of a legal obligation
d. The processing is for the performance of a contract to which the data subject is not a party
w
19. Data breach notification must be done within:
a. 48 hours upon knowledge of the data breach by the personal information controller
b. 72 hours upon knowledge of the data breach by the personal information controller
ie
c. 24 hours upon knowledge of the data breach by the personal information controller
d. 12 hours upon knowledge of the data breach by the personal information controller
ev
20. I. Data breach notification shall be given to the National Privacy Commission only
II. Data breach notification must be done in case of reasonable belief that sensitive personal
information was acquired by an unauthorized person
a. Both statements are correct
b. Both statements are false
c. Only Statement I is correct
d. Only Statement II is correct
R
PA
21. The following are exceptions to the rule that personal information controller or personal information
processor that employs fewer than two hundred fifty (250) persons shall not be required to register
their personal data processing systems, except:
a. the processing it carries out is likely to pose a risk to the rights and freedoms of data
C
subjects
b. the processing is not occasional
c. the processing includes sensitive personal information of at least one thousand (1,000)
individuals
EO
22. Which of the following companies is required to register their personal data processing systems?
I. Company A who employs less than 250 employees but has access to Company B’s data
R
a. Company A only
23. I. A personal information controller cannot subcontract or outsource the processing of personal data.
II. Personal information controllers are required to submit an annual report of the summary of
documented security incidents and personal data breaches;
a. Both statements are correct
w
b. Both statements are false
c. Only Statement I is correct
d. Only Statement II is correct
ie
24. Mark went to Handyman to purchase light bulb. Before he can enter the store, the security guard
ev
stopped him and required him to write his details such as name, cellphone number, address,
temperature and signature in a logbook that is visible and accessible to everyone who enters the
store. Is the practice of Handyman allowed under the Data Privacy Act?
R
a. No, because it may give rise to data breach
b. Yes, because it is required by law for contact tracing
c. No, because it is paper based
d. Yes, because there was consent by the data subject
PA
25. Based on the facts in the preceding number, Handyman shared the details of its customers to its
marketing agency for its promotional activities. Is that allowed under the Data Privacy Act?
a. Yes, because it is authorized by law
b. Yes, as long as the data subject consents
C