Data Privacy Act essentials for CPAs

Page 1 of 5 | RFBT-Live Lectures Handouts No.
12
LAW ON DATA PRIVACY ACT

ATTY. MAE DIANE M. AZORES, CPA

ATTY. MAE DIANE AZORES, CPA
1. This refers to the individual whose personal information is processed
w
a. Personal information controller
b. Data subject
c. Personal information processor
ie
d. Data Compliance Officer
2. This refers to any information whether recorded in a material form or not, from which the identity of
ev
an individual is apparent or can be reasonably and directly ascertained by the entity holding the
information, or when put together with other information would directly and certainly identify an
individual.
a. Private information
b. Privileged information
c. Sensitive information
d. Personal information
R
PA
3. I. A data subject can be a juridical person
II. Processing of personal information is generally prohibited
a. Both statements are correct
b. Both statements are false
C
c. Only Statement I is correct

d. Only Statement II is correct
4. Consent of the data subject may be given through the following means, except:
EO
a. Written
b. Electronic
c. Implied
d. Recorded
R
5. This refers to a person or organization who controls the collection, holding, processing or use of
personal information, including a person or organization who instructs another person or
organization to collect, hold, process, use, transfer or disclose personal information on his or her
behalf:
a. Data subject
b. Personal information controller
REO CPA REVIEW PHILIPPINES Effectiveness. Efficiency. Convenience

www.reocpareview.ph REAL EXCELLENCE ONLINE CPA REVIEW
(074) 665 6774 0916 840 0661 support@reo.com.ph MAY 2022 LIVE LECTURE MATERIALS
Page 2 of 5 | RFBT-Live Lectures Handouts No. 12

d. National Privacy Commission
6. This refers to any natural or juridical to whom a personal information controller may outsource the
processing of personal data pertaining to a data subject.
a. Data subject
b. Data protection officer
d. National Privacy Commission
w
7. The Data Privacy Act applies in the following cases, except:
a. Processing of personal data of a Filipino citizen by a natural person located outside the
ie
Philippines
b. Processing of personal data through the use of equipment located in the Philippines by a
foreign company
ev
c. Personal information processed for journalistic, artistic, literary or research purposes
d. Collection of data by an entity in the Philippines
8. The following may be classified as sensitive personal information, except:

a. Marital status
b. SSS number
c. Biometric data
R
PA
d. PRC ID number
9. This data privacy principle states that the processing of information shall be adequate, relevant,
suitable, necessary, and not excessive in relation to a declared and specified purpose
a. Transparency
C
b. Fiscal adequacy
c. Legitimate purpose
d. Proportionality
EO
10. Processing of personal information shall be permitted in the following instances, except:
a. Compliance with legal obligation
b. For the fulfillment of a contract
c. To protect vital interests of the data subject, such as life and health
d. For legitimate interests even if it will override fundamental rights and freedoms
R
11. I. As a general rule, processing of sensitive personal information is not allowed

II. Processing of sensitive personal information is only allowed in case the data subject agrees


12. Which of the following is NOT a responsibility of a personal information controller under the Data
Privacy Act?
a. Implement reasonable and appropriate measures to protect personal information against
natural dangers
b. Data breach notification
c. Registration of data processing systems
d. Creation of a department solely for the purpose of assuring compliance with data privacy
law
w
13. Which of the following is not a right of a data subject?
a. Right to be informed
ie
b. Right to object
c. Right to access the personal information controller’s database
d. Right to rectification
ev
14. The data subject may ask for the erasure or blocking of his personal data when:
a. The personal data is incomplete
b. The data subject withdraws consent
R
c. The data subject is not compensated for processing of the data
d. Both a and b
PA
15. I. A data subject can claim damages in case of unauthorized use of personal data
II. Rights of data subjects are intransmissible
C
16. The right of a data subject to obtain from the personal information controller a copy of data
undergoing processing in an electronic or structured format, which is commonly used and allows
EO
for further use by the data subject

a. Right of transmissibility of rights
b. Right to rectification
c. Right to data portability
d. Right to blocking
R
17. I. If the personal data of a data subject is used for scientific research purposes, the right to access
is not applicable
II. The data subject may authorize other person to facilitate the exercise of his rights on his or her
behalf


18. The data subject’s right to object to the processing of his or her personal data is not available in the
following cases, except:
a. If the data subject withholds consent
b. The personal data is needed pursuant to a subpoena
c. The information is being collected and processed as a result of a legal obligation
d. The processing is for the performance of a contract to which the data subject is not a party
w
19. Data breach notification must be done within:
a. 48 hours upon knowledge of the data breach by the personal information controller
b. 72 hours upon knowledge of the data breach by the personal information controller
ie
c. 24 hours upon knowledge of the data breach by the personal information controller
d. 12 hours upon knowledge of the data breach by the personal information controller
ev
20. I. Data breach notification shall be given to the National Privacy Commission only
II. Data breach notification must be done in case of reasonable belief that sensitive personal
information was acquired by an unauthorized person
R
PA
21. The following are exceptions to the rule that personal information controller or personal information
processor that employs fewer than two hundred fifty (250) persons shall not be required to register
their personal data processing systems, except:
a. the processing it carries out is likely to pose a risk to the rights and freedoms of data
C
subjects
b. the processing is not occasional
c. the processing includes sensitive personal information of at least one thousand (1,000)
individuals
EO
d. the processing is in compliance with a contract
22. Which of the following companies is required to register their personal data processing systems?
I. Company A who employs less than 250 employees but has access to Company B’s data
R
processing system to process the sensitive personal information of Company B’s

employees which is over 1,000
II. Company C (which employs less than 250 employees and does not process sensitive
personal information of at least 1,000 individuals) contracted Company D (which processes
sensitive personal information of at least 1,000 individuals) to perform all of Company C’s
finance and accounting functions.
a. Company A only


b. Companies A,B,C and D

c. Companies A and D only
d. Companies A, B and D only
23. I. A personal information controller cannot subcontract or outsource the processing of personal data.
II. Personal information controllers are required to submit an annual report of the summary of
documented security incidents and personal data breaches;
w
ie
24. Mark went to Handyman to purchase light bulb. Before he can enter the store, the security guard
ev
stopped him and required him to write his details such as name, cellphone number, address,
temperature and signature in a logbook that is visible and accessible to everyone who enters the
store. Is the practice of Handyman allowed under the Data Privacy Act?
R
a. No, because it may give rise to data breach
b. Yes, because it is required by law for contact tracing
c. No, because it is paper based
d. Yes, because there was consent by the data subject
PA
25. Based on the facts in the preceding number, Handyman shared the details of its customers to its
marketing agency for its promotional activities. Is that allowed under the Data Privacy Act?
a. Yes, because it is authorized by law
b. Yes, as long as the data subject consents
C
c. No, because there is no data sharing agreement

d. No, because there must be approval by the National Privacy Commission first
EO
R


Data Privacy Act essentials for CPAs

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Data Privacy Act essentials for CPAs

Uploaded by

Copyright:

Available Formats

Page 1 of 5 | RFBT-Live Lectures Handouts No.

LAW ON DATA PRIVACY ACT

LAW ON DATA PRIVACY ACT

1. This refers to the individual whose personal information is processed

c. Only Statement I is correct

REO CPA REVIEW PHILIPPINES Effectiveness. Efficiency. Convenience

LAW ON DATA PRIVACY ACT

d. National Privacy Commission

8. The following may be classified as sensitive personal information, except:

11. I. As a general rule, processing of sensitive personal information is not allowed

REO CPA REVIEW PHILIPPINES Effectiveness. Efficiency. Convenience

LAW ON DATA PRIVACY ACT

d. Only Statement II is correct

for further use by the data subject

REO CPA REVIEW PHILIPPINES Effectiveness. Efficiency. Convenience

LAW ON DATA PRIVACY ACT

d. Only Statement II is correct

d. the processing is in compliance with a contract

processing system to process the sensitive personal information of Company B’s

REO CPA REVIEW PHILIPPINES Effectiveness. Efficiency. Convenience

LAW ON DATA PRIVACY ACT

b. Companies A,B,C and D

c. No, because there is no data sharing agreement

REO CPA REVIEW PHILIPPINES Effectiveness. Efficiency. Convenience

You might also like