RFBT-11

ReSA - THE REVIEW SCHOOL OF ACCOUNTANCY
CPA Review Batch 41  May 2021 CPA Licensure Examination  Week No. 20
REGULATORY FRAMEWORK for BUSINESS TRANSACTIONS Atty. J. Domingo  Atty. N. Soriano
RFBT-11: E-COMMERCE ACT, DATA PRIVACY ACT

& EASE OF DOING BUSINESS ACT
I. E-COMMERCE ACT
Objective: The E-Commerce Act (Act) aims

1. to facilitate domestic and international dealings, transactions, arrangements, agreements,
contracts and exchanges and storage of information through the utilization of electronic, optical and
similar medium, mode, instrumentality and technology,
2. to recognize the authenticity and reliability of electronic data messages or electronic documents
related to such activities and
3. to promote the universal use of electronic transactions in the government and by the general public.
Sphere of Application: The Act shall apply to any kind of electronic document used in the context of
commercial and non-commercial activities to include domestic and international dealings, transactions,
arrangements, agreements contracts and exchanges and storage of information.
Definition of Terms: For the purposes of the Act, the following terms are defined, as follows:
"Addressee" refers to a person who is intended by the originator to receive the electronic data message
or electronic document, but does not include a person acting as an intermediary with respect to that electronic
data message or electronic data document.
"Computer" refers to any device or apparatus singly or interconnected which, by electronic, electro-
mechanical, optical and/or magnetic impulse, or other means with the same function, can receive, record,
transmit, store, process, correlate, analyze, projects, retrieve, and/or produce information, data, text, graphics,
figures, voice, video, symbols or other modes of expression or perform any one or more of these functions.
"Electronic data message" refers to information generated, sent, received or stored by electronic, optical
or similar means.
"Information and Communications System" refers to a system for generating, sending, receiving, storing,
or otherwise processing electronic documents and includes the computer system or other similar device by
or in which data is recorded or stored and any procedures related to the recording or storage of electronic
document.
“Electronic signature" refers to any distinctive mark, characteristic and/or sound in electronic from,
representing the identity of a person and attached to or logically associated with the electronic data message or
electronic document or any methodology or procedures employed or adopted by a person and executed or
adopted by such person with the intention of authenticating or approving an electronic data message or
electronic document.
"Electronic document" refers to information or the representation of information, data, figures, symbols or
other modes of written expression, described or however represented, by which a right is established or an
obligation extinguished, or by which a fact may be prove and affirmed, which is receive, recorded,
transmitted, stored, processed, retrieved or produced electronically.
"Electronic key" refers to a secret code which secures and defends sensitive information that crossover
public channels into a form decipherable only with a matching electronic key.
"Intermediary" refers to a person who in behalf of another person and with respect to a particular
electronic document sends, receives and/or stores, provides other services in respect of that electronic
data message or electronic document.
"Originator" refers to a person by whom, or on whose behalf, the electronic document purports to have
been created, generated and/or sent. The term does not include a person acting as an intermediary with
respect to that electronic document.
"Service provider" refers to a provider of:

1. Online services or network access or the operator of facilities therefor including entities offering the
transmission, routing, or providing of connections for online communications, digital or otherwise, between
or among points specified by a user, of electronic documents of the user's choosing; or
2. The necessary technical means by which electronic documents of an originator may be stored and made
accessible to designated or undesignated third party.
Such service providers shall

a. Have no authority to:
i. modify or alter the content of the electronic document received or
Page 1 of 23 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY RFBT-11
Week No. 20: INTELLECTUAL PROPERTY LAWS
ii. to make any entry therein on behalf of the originator, addressee or any third party unless
specifically authorized to do so,
b. Retain the electronic document in accordance with the specific request or as necessary for the
purpose of performing the services it was engaged to perform.
LEGAL RECOGNITION OF ELECTRONIC DATA MESSAGES AND ELECTRONIC DOCUMENTS
Legal Recognition of Electronic Data Messages: Information shall not be denied validity or
enforceability solely on the ground that it is in the form of electronic data message purporting to give
rise to such legal effect, or that it is merely incorporated by reference in that electronic data message.
Legal Recognition of Electronic documents:
For evidentiary purposes, an electronic document shall be the functional equivalent of a written document
under existing laws.
The Act does not modify any statutory any statutory rule relating to admissibility of electronic data
massages or electronic documents, except the rules relating to authentication and best evidence.
Electronic documents shall have the legal effect, validity or enforceability as any other document or
legal writing, and:
a. Where the law requires a document to be in writing, that requirement is met by an electronic
document if the said electronic document:
i. maintains its integrity and reliability and
ii. can be authenticated so as to be usable for subsequent reference, in that:
(1) The electronic document has remained complete and unaltered, apart from the addition of any
endorsement and any authorized change, or any change which arises in the normal course of
communication, storage and display; and
(2) The electronic document is reliable in the light of the purpose for which it was generated and in
the light of all relevant circumstances.
b. Paragraph (a) applies whether the requirement therein is in the form of an obligation or whether the law
simply provides consequences for the document not being presented or retained in its original
from.
c. Where the law requires that a document be presented or retained in its original form, that requirement
is met by an electronic document if-
i. There exists a reliable assurance as to the integrity of the document from the time when it was first
generated in its final from; and
ii. That document is capable of being displayed to the person to whom it is to be presented: Provided,
That no provision of the Act shall apply to vary any and all requirements of existing laws on formalities
required in the execution of documents for their validity.
Legal Recognition of Electronic Signatures: An electronic signature on the electronic document shall be
equivalent to the signature of a person on a written document if:
a. the signature is an electronic signature and
b. proved by showing that a prescribed procedure, not alterable by the parties interested in the electronic
document, existed under which-
i. A method is used to identify the party sought to be bound and to indicate said party's access to the
electronic document necessary for his consent or approval through the electronic signature;
ii. Said method is reliable and appropriate for the purpose for which the electronic document was
generated or communicated, in the light of all circumstances, including any relevant agreement;
iii. It is necessary for the party sought to be bound, in order to proceed further with the transaction to
have executed or provided the electronic signature; and
iv. The other party is authorized and enable to verify the electronic signature and to make the
decision to proceed with the transaction authenticated by the same.
Presumption Relating to Electronic Signatures: In any proceedings involving an electronic signature, it

shall be presumed that,
a. The electronic signature is the signature of the person to whom it correlates; and
b. The electronic signature was affixed by that person with the intention of signing or approving the
electronic document unless
i. the person relying on the electronically designed electronic document knows or has notice of defects
in or unreliability of the signature or
ii. reliance on the electronic signature is not reasonable under the circumstances.
Original Documents:
1. Where the law requires information to be presented or retained in its original form, that requirement
is met by an electronic data message or electronic document if:
a. the integrity of the information from the time when it was first generated in its final form, as an
electronic document is shown by evidence aliunde or otherwise; and
Page 2 of 23
b. where otherwise it is required that information be presented, that the information is capable of being
displayed to the person to whom it is to be presented.
2. Paragraph (1) applies whether the requirement therein is in the form of an obligation or whether the law
simply provides consequences for the information not being presented or retained in its original form.
3. For the purpose of subparagraph (a) of paragraph (1):
a. the criteria for assessing integrity shall be whether the information has remained complete and
unaltered, apart from the addition of any endorsement and any change which arises in the normal
course of communication, storage and display ; and
b. the standard of reliability required shall be assessed in the light of purpose for which the
information was generated and in the light of all the relevant circumstances.
Authentication of Electronic Data Messages and Electronic Documents: Until the Supreme Court by
appropriate rules shall have so provided, electronic documents, electronic data messages and electronic
signatures, shall be authenticated by demonstrating, substantiating and validating a claimed identity of a user,
device, or another entity is an information or communication system, among other ways, as follows;
a. The electronic signatures shall be authenticated by proof that a letter, character, number or other symbol in
electronic form representing the persons named in and attached to or logically associated with an electronic
data message, electronic document, or that the appropriate methodology or security procedures,
when applicable, were employed or adopted by such person, with the intention of authenticating or
approving in an electronic data message or electronic document;
b. The electronic data message or electronic document shall be authenticated by proof that an appropriate
security procedure, when applicable was adopted and employed for the purpose of verifying the
originator of an electronic data message or electronic document, or detecting error or alteration in the
communication, content or storage of an electronic document or electronic data message from a specific
point, which, using algorithms or codes, identifying words or numbers, encryptions, answers back or
acknowledgement procedures, or similar security devices.
The Supreme Court may adopt such other authentication procedures, including the use of electronic notarization
systems as necessary and advisable, as well as the certificate of authentication on printed or hard copies of the
electronic documents or electronic data messages by electronic notaries, service providers and other duly
recognized or appointed certification authorities.
The person seeking to introduce an electronic data message or electronic document in any legal proceeding has
the burden of proving its authenticity by evidence capable of supporting a finding that the electronic data
message or electronic document is what the person claims it on be.
In the absence of evidence to the contrary, the integrity of the information and communication system in
which an electronic data message or electronic document is recorded or stored may be established in any
legal proceeding –
a. By evidence that:
i. at all material times the information and communication system or other similar device was
operating in a manner that did not affect the integrity of the electronic data message or electronic
document, and
ii. there are no other reasonable grounds to doubt the integrity of the information and
communication system,
b. By showing that the electronic data message or electronic document was recorded or stored by a party to
the proceedings who is adverse in interest to the party using it; or
c. By showing that the electronic data message or electronic document was recorded or stored in the usual
and ordinary course of business by a person who is not a party to the proceedings and who did not act
under the control of the party using the record.
Admissibility and Evidential Weight of Electronic Data Message or electronic document: In any legal
proceedings, nothing in the application of the rules on evidence shall deny the admissibility of an
electronic data message or electronic document in evidence –
a. On the sole ground that it is in electronic form; or
b. On the ground that it is not in the standard written form, and the electronic data message or electronic
document meeting, and complying with the requirements under Legal Recognition of Electronic Data
Messages and Electronic Documents mentioned above, shall be the best evidence of the agreement and
transaction contained therein.
In assessing the evidential weight of an electronic data message or electronic document, the following shall be
given due regard:
a. the reliability of the manner in which it was generated, stored or communicated,
b. the reliability of the manner in which its originator was identified, and
c. other relevant factors.
Retention of Electronic Data Message or Electronic Document: Notwithstanding any provision of law, rule
or regulation to the contrary –
Page 3 of 23
a. The requirement in any provision of law that certain documents be retained in their original form is
satisfied by retaining them in the form of an electronic data message or electronic document
which –
1. Remains accessible so as to be usable for subsequent reference;
2. Is retained in the format in which it was generated, sent or received, or in a format which can be
demonstrated to accurately represent the electronic data message or electronic document generated,
sent or received;
3. Enables the identification of its originator and addressee, as well as the determination of the date
and the time it was sent or received.
b. The requirement referred to in paragraph (a) is satisfied by using the services of a third party, provided
that the conditions set fourth in subparagraphs (1), (2) and (3) of paragraph (a) are met.
Proof by Affidavit: The matters referred on admissibility and on the presumption of integrity, may be
presumed to have been established by an affidavit given to the best of the deponent's knowledge subject
to the rights of parties in interest as defined in the cross-examination provided below.
Cross – Examination:
1. A deponent of an affidavit referred to above that has been introduced in evidence may be cross-
examined as of right by a party to the proceedings who is adverse in interest to the party who has
introduced the affidavit or has caused the affidavit to be introduced.
2. Any party to the proceedings has the right to cross-examine a person who is not a party to the
proceedings and who did not act under the control of the party using the record proving that the
electronic data message or electronic document was recorded or stored in the usual and
ordinary course of business.
COMMUNICATION OF ELECTRONIC DATA MESSAGES OR ELECTRONIC DOCUMENTS
Formation of Validity of Electronic Contracts:

1. Except as otherwise agreed by the parties, (1) an offer, (2) the acceptance of an offer and (3) such
other elements required under existing laws for the formation of contracts may be expressed in,
demonstrated and proved by means of electronic data messages or electronic documents and no
contract shall be denied validity or enforceability on the sole ground that it is in the form of an electronic
data message or electronic document, or that any or all of the elements required under existing laws for the
formation of contracts is expressed, demonstrated and proved by means of electronic data messages or
electronic documents.
2. Electronic transactions made through networking among banks, or linkages thereof with other
entities or networks, and vice versa:
a. shall be deemed consummated upon the actual dispensing of cash or the debit of one account
and the corresponding credit to another, whether such transaction is initiated by the depositor or by
an authorized collecting party.
b. The obligation of one bank, entity, or person similarly situated to another arising therefrom shall
considered absolute and shall not be subjected to the process of preference of credits.
Recognition by Parties of Electronic Data Message or Electronic document: As between the originator
and the addressee of an electronic data message or electronic document, a declaration of will or other
statement shall not be denied legal effect, validity or enforceability solely on the ground that it is in the
form of an electronic data message or electronic document.
Attribution of Electronic Data Message:

1. The Electronic Data Message or Electronic Document is that of the originator:
a. If it was sent by the originator himself.
b. As between the originator and the addressee, an electronic data message or electronic document is
deemed to be that of the originator if it was sent:
i. by a person who had the authority to act on behalf of the originator with respect to that
electronic data message or electronic document; or
ii. by an information system programmed by, or on behalf of the originator to operate
automatically.
2. As between the originator and the addressee, an addressee is entitled to regard an electronic data
message or electronic document as being that of the originator, and to act on that assumption, if:
a. in order to ascertain whether the electronic data message or electronic document was that of the
originator, the addressee properly applied a procedure previously agreed to by the originator
for that purpose; or
b. the electronic data message or electronic document as received by the addressee resulted from the
actions of a person whose relationship with the originator or with any agent of the originator
enabled that person to gain access to a method used by the originator to identify electronic data
message or electronic documents as his own.
The above does not apply:
Page 4 of 23
i. as of the time when the addressee has both received notice from the originator that the electronic
data message or electronic document is not that of the originator, and has reasonable time to
act accordingly; or
ii. in a case within paragraph (2) sub-paragraph (b), at any time when the addressee knew or should
have known, had it exercised reasonable care of used any agreed procedure, that the electronic data
message or electronic document was not that of the originator.
iii. That the transmission resulted in any error in the electronic data message or electronic document as
received.
3. The addressee is entitled to regard each electronic data message or electronic document received as a
separate electronic data message or electronic document and to act on that assumption.
Except
a. To the extent that it duplicates another electronic data message or electronic document and
b. The addressee knew or should have known, had it exercised reasonable care or used any agreed
procedure, that the electronic data message or electronic document was a duplicate.
Error on Electronic Data Message or Electronic Document: The addressee is entitled to regard the
electronic data message or electronic document received as that which the originator intended to send,
and to act on that assumption, unless the addressee knew or should have known, had the addressee
exercised reasonable care or used the appropriate procedure –
a. That the transmission resulted in any error therein or in the electronic data message or electronic
document enters the designated information system, or
b. That electronic data message or electronic document is sent to an information system which is not so
designated by the addressee for the purposes.
Agreement on Acknowledgement of Receipt of Electronic Data Message or Electronic Document:
General Rule: No acknowledgement of receipt is necessary

Except: if the parties agree to it; or when the originator requested in the electronic data message or electronic
document.
Method of Acknowledgment:
1. Agreement as to particular method – to be followed;
2. No agreement on a particular method:
a. Any communication by the addressee;
b. Any conduct of the addressee sufficient to indicate receipt to the originator
When the originator can regard that the EMD/ED was not received when there is no acknowledgement:
1. When the originator stated the effect or significance of acknowledgment or the ED is CONDITIONAL upon
receipt
2. No statement as to effect/significance but originator gave notice stating that no acknowledgement has been
received and specifying a reasonable time by which acknowledgement is to be received, and no
acknowledgement is received within such reasonable time.
Time of Dispatch of Electronic Data Messages or Electronic Documents: Unless otherwise agreed
between the originator and the addressee, the dispatch of an electronic data message or electronic document
occurs when it enters an information system outside the control of the originator or of the person who
sent the electronic data message or electronic document on behalf of the originator.
Time of Receipt of Electronic Data Messages or Electronic Documents. – Unless otherwise agreed
between the originator and the addressee, the time of receipt of an electronic data message or electronic
document is as follows:
a. If the addressee has designated an information system for the purpose of receiving electronic data
messages or electronic documents, receipt occurs at the time when the electronic data message or
electronic document enters the designated information system
EXCEPT: That if the originator and the addressee are both participants in the designated information
system, receipt occurs at the time when the electronic data message or electronic document is retrieved
by the addressee;
b. If the electronic data message or electronic document is sent to an information system of the addressee
that is not the designated information system, receipt occurs at the time when the electronic data
message or electronic document is retrieved by the addressee;
c. If the addressee has not designated an information system, receipt occurs when the electronic data
message or electronic document enters an information system of the addressee.
These rules apply not withstanding that the place where the information system is located may be different
from the place where the electronic data message or electronic document is deemed to be received.
ILLUSTRATION: On March 15, 2021, S sent an offer to sell to B a specific piece of land for P1M through an email
which was received by B on the same day late afternoon. On March 31, 2021, at 3:00PM in the afternoon, B
Page 5 of 23
sent an email accepting the terms of the sale, it entered the information system of S on 3:15PM and S retrieved
it at 4:00PM. When was there a perfected contract of sale?
Place of Dispatch and Receipt of Electronic Data Messages or Electronic Documents: Unless
otherwise agreed between the originator and the addressee, an electronic data message or electronic
document is deemed to be:
1. dispatched at the place where the originator has its place of business and
2. received at the place where the addressee has its place of business.
This rule shall apply even if the originator or addressee had used a laptop other portable device to transmit or
received his electronic data message or electronic document. These rules shall also apply to determine the tax
situs of such transaction.
For the purpose hereof –

a. If the originator or addressee has more than one place of business is that which has the closest
relationship to the underlying transaction or, where there is no underlying transaction, the principal place
of business.
b. If the originator or the addressee does not have a place of business, reference is to be made to its
habitual residence; or
c. The "usual place of residence" in relation to a body corporate, means the place where it is
incorporated or otherwise legally constituted.
Choice of Security Methods: Subject to applicable laws and /or rules and guidelines promulgated by the DTI
with other appropriate government agencies, parties to any electronic transaction shall be free to:
1. Determine the type of level of electronic data message or electronic document security needed, and
2. To select and use or implement appropriate technological methods that suit their need.
ELECTRONIC COMMERCE IN CARRIAGE OF GOODS
Actions Related to Contracts of Carriage of Goods: applies to any action in connection with, or in
pursuance of, a contract of carriage of goods, including but not limited to:
a. (i) furnishing the marks, number, quantity or weight of goods;

(ii) stating or declaring the nature or value of goods;
(iii) issuing a receipt for goods;
(iv) confirming that goods have been loaded;
b. (i) notifying a person of terms and conditions of the contract;
(ii) giving instructions to a carrier;
c. (i) claiming delivery of goods;
(ii) authorizing release of goods;
(iii) giving notice of loss of, or damage to goods;
d. giving any other notice or statement in connection with the performance of the contract;
e. undertaking to deliver goods to a named person or a person authorized to claim delivery;
f. granting, acquiring, renouncing, surrendering, transferring or negotiating rights in goods;
g. acquiring or transferring rights and obligations under the contract.
Transport Documents:
1. Where the law requires that any action referred to contract of carriage of goods be carried out in writing
or by using a paper document, that requirement is met if the action is carried out by using one or more
electronic data messages or electronic documents.
The above applies whether the requirement there in is in the form of an obligation or whether the law
simply provides consequences for failing either to carry out the action in writing or to use a paper
document.
2. If (a) a right is to be granted to, or (b) an obligation is to be acquired by, one person and no person,
and if the law requires that, in order to effect this, the right or obligation must be conveyed to that
person by the transfer, or use of, a paper document, that requirement is met if the right or obligation is
conveyed by using one or more electronic data messages or electronic documents: Provided, that a reliable
method is used to render such electronic data messages or electronic documents unique.
For the purposes of above, the standard of reliability required shall be assessed in the light of the purpose
for which the right or obligation was conveyed and in the light of all the circumstances, including any
relevant agreement.
3. Where one or more electronic data messages or electronic documents are used to effect any action in
subparagraph (f) and (g) of the above (Actions Related to Contracts of Carriage of Goods), no paper
document used to effect any such action is valid unless the use of electronic data message or electronic
document has been terminated and replaced by the used of paper documents. A paper document
issued in these circumstances shall contain a statement of such termination. The replacement of
the electronic data messages or electronic documents by paper documents shall not affect the rights or
obligation of the parties involved.
Page 6 of 23
4. If a rule of law is compulsorily applicable to a contract of carriage of goods which is in, or is evidenced
by, a paper document, that rule shall not be inapplicable to such a contract of carriage of goods which is
evidenced by one or more electronic data messages or electronic documents by reason of the fact that the
contract is evidenced by such electronic data message or electronic documents instead of by a paper
document.
ELECTRONIC TRANSACTIONS IN GOVERNMENT
Government Use of Electronic Data Messages, Electronic Documents and Electronic Signature:
Notwithstanding any law to the contrary, within two (2) years from the date of the effectivity of the Act,
all departments, bureaus, offices and agencies of the government, as well as all government-owned and –
controlled corporations, that pursuant to law require or accept the filing of documents, require that documents
be created, or retained and/or submitted, issue permits, licenses or certificates of registration or approval, or
provide for the method and manner of payment or settlement of fees and other obligations to the government,
shall –
a. accept the creation, filing or retention of such documents in the form of electronic data messages or
electronic documents;
b. issue permits, licences, or approval in the form of electronic data messages or electronic documents;
c. require and/or accept payments, and issue receipt acknowledging such payments, through systems using
electronic data messages or electronic documents; or
d. transact the government business and/or perform governmental factions using electronic data messages or
electronic documents, and for the purpose, are authorized to adopt and promulgate, after appropriate public
hearing and with due publications in newspapers of general circulation, the appropriate rules, regulations,
or guidelines, to, among others, specify –
1. the manner and format in which such electronic data messages or electronic documents shall be filed,
created, retained or issued;
2. where and when such electronic data messages or electronic documents have to signed, the use of an
electronic signature, the type of electronic signature required;
3. the format of an electronic data message or electronic document and the manner the electronic
signature shall be affixed to the electronic data messages or electronic documents;
4. the control processes and procedures appropriate to ensure adequate integrity, security and
confidentiality of electronic data messages or electronic documents or records of payments;
5. other attributes required to electronic data messages or electronic documents; and
6. the full or limited use of the documents and papers for compliance with the government
requirements: provided, That the Act shall be itself mandate any department of the government, organ
of state or statutory corporation to accept or issue any document in the form of electronic data
messages or electronic documents upon the adoption, promulgation and publication of the appropriate
rules, regulations or guidelines.
Extent of Liability of a Service Provider:

GENERAL RULE: No person or party shall be subject to any civil or criminal liability in respect of the
electronic data message or electronic document for which the person or party acting as a service provider,
merely provides access if such liability is founded on.
INCLUDING: The making, publication, dissemination or distribution of such material or any statement made in
such material, including possible infringement of any right subsisting in or in relation to such
material. Provided, That:
1. The service provider does not have actual knowledge, or is not aware of the facts or circumstances
from which it is apparent, that the making, publication, dissemination or distribution of each material is
unlawful or infringes any rights subsisting in or in relation to such material;
2. The service provider does not knowingly receive a financial benefit directly attributable to the
unlawful or infringing activity; and
3. The service provider does not directly commit any infringement or other unlawful act and does not
cause another person or party to commit any infringement or other unlawful act and/or does not
benefit financially from the infringing activity or unlawful act or another person or party.
EXCEPTIONS:
1. The obligations and liabilities of the parties under the electronic data message or electronic document
2. Any obligation founded on contract;
3. The obligation of a service provider as such under a licensing or other regulatory regime established
under written law;
4. Any obligation imposed under any written law;
5. The civil liability of any party to the extent that such liability forms the basis for injunctive relief issued by
a court under any law requiring that the service provider take or refrain from action necessary to remove,
block or deny access to any material, or to preserve evidence of a violation of law.
Lawful Access: Access to an electronic file, or an electronic signature of an electronic data message or
electronic document shall only be authorized and enforced in favor of the individual or entity having a legal right
to the possession or the use of plaintext, electronic signature or file or solely for the authorized purposes. The
Page 7 of 23
electronic key for identity or integrity shall not be made available to any person or party without the consent of
the individual or entity in lawful possession of that electronic key;
Obligation of Confidentiality: Except for the purposes authorized under the E-Commerce Act, any person
who obtained access to any electronic key, electronic data message or electronic document, book, register,
correspondence, information, or other material pursuant to any powers conferred under the Act, shall not
convey to or share the same with any other person.
Unlawful Acts and Penalties: The following acts, shall be penalized by fine and/or imprisonment, as follows:
Unlawful Description Penalty

Act Fine Imprisonment
Hacking unauthorized access into or interference in a computer Min - P100,000 6 months to 3
or system/server or information and communication system; or years
crackling any access in order to corrupt, alter, steal, or destroy using Max – damage
a computer or other similar information and communication incurred
devices, without the knowledge and consent of the owner of
the computer or information and communications system,
including the introduction of computer viruses and the like,
resulting in the corruption, destruction, alteration, theft or
loss of electronic data messages or electronic documents
Piracy the unauthorized copying, reproduction, dissemination, or Min - P100,000 6 months to 3
distribution, importation, use, removal, alteration, years
substitution, modification, storage, uploading, downloading, Max – damage
communication, making available to the public, or incurred
broadcasting of protected material, electronic signature or
copyrighted works including legally protected sound
recording or phonograms or information material on
protected works, through the use of telecommunication
networks, such as, but not limited to, the internet, in a
manner that infringes intellectual property rights
Violations of the Consumer Act of Republic Act No. 7394 and Penalties
other relevant to pertinent laws through transaction covered provided in those
by or using electronic data messages or electronic laws
documents
Other violations of the provisions of the E-Commerce Act Max – Max – 6 years
P1,000,000
Statutory Interpretation: Unless otherwise expressly provided for, the interpretation of the E-Commerce Act
shall give due regard to:
1. Its international origin and
2. The need to promote uniformity in its application and the observance of good faith in international
trade relations.
The generally accepted principles of international law and convention and electronic commerce shall likewise be
considered.
Reciprocity: All benefits, privileges, advantages or statutory rules established under the E-Commerce Act,
including those involving practice of profession, shall be enjoyed only by parties whose country origin grants the
same benefits and privileges or advantages to Filipino citizens.
1. First statement: The E-Commerce Act applies to domestic transactions only.

Second Statement: The E-Commerce Act aims to promote the universal use of electronic transactions in the
government and by the general public.
A. Both statements are correct
B. Both statements are incorrect
C. Only the first statement is correct
D. Only the second statement is correct
2. The requirement of the law is met by an electronic document if:

I. The document maintains its integrity and reliability
II. Can be authenticated so as to be usable for subsequent reference, in that the document has remained
complete and unaltered and the document is reliable I the light of the purpose for which it was
generated
A. I only
B. II only
C. Both I and II
D. Neither I nor II
Page 8 of 23
3. P authorized A, through email, to sell the former’s lot. A sold the said lot to B in a private instrument. What
is the status of the contract?
A. Valid
B. Voidable
C. Uneforceable
D. Void
4. First Statement: An electronic signature is presumed to be the signature of the person to whom it correlates
Second Statement: An electronic signature is presumed affixed by that person with the intention of signing
or approving it.
A. Both statements are correct
B. Both statements are incorrect
C. Only the first statement is correct
D. Only the second statement is correct
5. The requirement under the rules of civil procedure that documents must be presented in its original form is
likewise met by an electronic document or electronic data message. This requirement is known as:
A. Best Evidence Rule
B. Best Evidence Obtainable Rule
C. Evidence Aliunde
D. Parol Evidence Rule
6. S through email offered to sell his land to B by sending a soft copy of the deed of sale affixing his (S)
signature, for a specific price. B accepted the offer by sending a copy of the deed of sale with his electronic
signature. What is the status of the contract?
A. Unenforceable since it is not in writing
B. Void as there are no written signatures
C. Rescissible
D. Valid
7. The acknowledgment of receipt of an electronic data message or electronic document shall be necessary in
the following instances
I. There is stipulation requiring acknowledgment of receipt
II. The originator requested for acknowledgment in the electronic data message or electronic document
A. I only
B. II only
C. Both I and II
D. Neither I nor II
8. The time of receipt shall be upon actual retrieval by the addressee:

A. If the parties designated an information system for the purpose of receiving electronic data messages
and electronic documents and the originator and the addressee are not participants of the same system
B. If the parties designated an information system for the purpose of receiving electronic data messages
and electronic documents and the originator and the addressee are participants of the same system
C. If the parties did not designate an information system
D. All of the choices
9. S sold his land to B by sending an email using his gmail account, as agreed by the parties. B, on the other
hand, sent his acceptance of the offer by using his gmail account. The email acceptance was sent by B at
9AM; it entered the gmail account of S at 1:00PM and it was retrieved by S on the same day at 4:00PM.
When was there deemed receipt of the acceptance email of B?
A. 9:00AM
B. 1:00PM
C. 4:00PM
D. None of the choices
10. The place of dispatch of the electronic data message or electronic document shall be the place of business
of the originator. If there is more than one place of business, it shall mean:
A. The principal place of business
B. That which has the closest relationship to the underlying transaction
C. Any of the places of business
D. The habitual residence of the originator
II. DATA PRIVACY ACT
DEFINITION OF TERMS:
Commission shall refer to the National Privacy Commission created by virtue of this Act.
Page 9 of 23
Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data
subject agrees to the collection and processing of personal information about and/or relating to him or her.
Consent shall be evidenced by written, electronic or recorded means. It may also be given on behalf of the data
subject by an agent specifically authorized by the data subject to do so.
Data subject refers to an individual whose personal information is processed.
Direct marketing refers to communication by whatever means of any advertising or marketing material which
is directed to particular individuals.
Filing system refers to any act of information relating to natural or juridical persons to the extent that,
although the information is not processed by equipment operating automatically in response to instructions
given for that purpose, the set is structured, either by reference to individuals or by reference to criteria
relating to individuals, in such a way that specific information relating to a particular person is readily
accessible.
Information and Communications System refers to a system for generating, sending, receiving, storing or
otherwise processing electronic data messages or electronic documents and includes the computer system or
other similar device by or which data is recorded, transmitted or stored and any procedure related to the
recording, transmission or storage of electronic data, electronic message, or electronic document.
Personal information controller refers to a person or organization who controls the collection, holding,
processing or use of personal information, including a person or organization who instructs another person or
organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf. The
term excludes:
1. A person or organization who performs such functions as instructed by another person or organization;
and
2. An individual who collects, holds, processes or uses personal information in connection with the individual’s
personal, family or household affairs.
Personal information processor refers to any natural or juridical person qualified to act as such under this
Act to whom a personal information controller may outsource the processing of personal data pertaining
to a data subject.
ILLUSTRATION: the Human Resource Department, headed by the Executive Vice President for HR, is tasked to
collect information from applicants who may eventually be hired and join the company according to the
directives of the Board of Directors. In this case, is the EVP for HR a Personal Information Processor or
Controller?
ILLUSTRATION: a passenger of a bus took a picture of the conductor which she found to be cute. Can the
passenger be considered a personal information controller?
SCOPE
Applicability:
1. The processing of all types of personal information and
2. To any natural and juridical person involved in personal information processing including those
personal information controllers and processors who, although not found or established in the Philippines,
use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the
Philippines subject to the immediately succeeding paragraph.
Does not apply to:

1. Information about any individual who is or was an officer or employee of a government institution that
relates to the position or functions of the individual, including:
a. The fact that the individual is or was an officer or employee of the government institution;
b. The title, business address and office telephone number of the individual;
c. The classification, salary range and responsibilities of the position held by the individual; and
d. The name of the individual on a document prepared by the individual in the course of employment with
the government;
2. Information about an individual who is or was performing service under contract for a government
institution that relates to the services performed, including the terms of the contract, and the name of the
individual given in the course of the performance of those services;
3. Information relating to any discretionary benefit of a financial nature such as the granting of a license
or permit given by the government to an individual, including the name of the individual and the exact
nature of the benefit;
4. Personal information processed for journalistic, artistic, literary or research purposes;
5. Information necessary in order to carry out the functions of public authority which includes the
processing of personal data for the performance by the independent, central monetary authority and law
enforcement and regulatory agencies of their constitutionally and statutorily mandated functions.
Page 10 of 23
No amendments or repeal to the following laws:

a. Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act;
b. Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and
c. Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);
6. Information necessary for banks and other financial institutions under the jurisdiction of the
independent, central monetary authority or Bangko Sentral ng Pilipinas to comply with the CISA and
Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act and other
applicable laws; and
7. Personal information originally collected from residents of foreign jurisdictions in accordance with the
laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in
the Philippines.
Protection Afforded to Journalists and Their Sources: No amendment or repeal of Republic Act No. 53,
which affords the publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of
general circulation protection from being compelled to reveal the source of any news report or
information appearing in said publication which was related in any confidence to such publisher, editor, or
reporter.
Extraterritorial Application: The Data Privacy Act applies to an act done or practice engaged in and outside
of the Philippines by an entity if:
1. The act, practice or processing relates to personal information about a Philippine citizen or a
resident;
2. The entity has a link with the Philippines, and the entity is processing personal information in the
Philippines or even if the processing is outside the Philippines as long as it is about Philippine citizens or
residents such as, but not limited to, the following:
a. A contract is entered in the Philippines;
b. A juridical entity unincorporated in the Philippines but has central management and control in the
country; and
c. An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or
affiliate of the Philippine entity has access to personal information; and
3. The entity has other links in the Philippines such as, but not limited to:
a. The entity carries on business in the Philippines; and
b. The personal information was collected or held by an entity in the Philippines.
THE NATIONAL PRIVACY COMMISSION
Functions of the National Privacy Commission: The National Privacy Commission was created to administer
and implement the provisions of the Data Privacy Act and to monitor and ensure compliance of the country with
international standards set for data protection. Its functions include:
1. Ensure compliance of personal information controllers with the provisions of this Act;
2. Receive complaints, institute investigations, facilitate or enable settlement of complaints through the use of
alternative dispute resolution processes, adjudicate, award indemnity on matters affecting any personal
information, prepare reports on disposition of complaints and resolution of any investigation it initiates, and,
in cases it deems appropriate, publicize any such report: Provided, That in resolving any complaint or
investigation (except where amicable settlement is reached by the parties), the Commission shall act as a
collegial body. For this purpose, the Commission may be given access to personal information that is
subject of any complaint and to collect the information necessary to perform its functions under this Act;
3. Issue cease and desist orders, impose a temporary or permanent ban on the processing of personal
information, upon finding that the processing will be detrimental to national security and public interest;
4. Compel or petition any entity, government agency or instrumentality to abide by its orders or take action on
a matter affecting data privacy;
5. Monitor the compliance of other government agencies or instrumentalities on their security and technical
measures and recommend the necessary action in order to meet minimum standards for protection of
personal information pursuant to this Act;
6. Coordinate with other government agencies and the private sector on efforts to formulate and implement
plans and policies to strengthen the protection of personal information in the country;
7. Publish on a regular basis a guide to all laws relating to data protection;
8. Publish a compilation of agency system of records and notices, including index and other finding aids;
9. Recommend to the Department of Justice (DOJ) the prosecution and imposition of penalties provided under
the Act;
10. Review, approve, reject or require modification of privacy codes voluntarily adhered to by personal
information controllers: Provided, That the privacy codes shall adhere to the underlying data privacy
principles embodied in this Act: Provided, further, That such privacy codes may include private dispute
resolution mechanisms for complaints against any participating personal information controller. For this
purpose, the Commission shall consult with relevant regulatory agencies in the formulation and
administration of privacy codes applying the standards set out in this Act, with respect to the persons,
entities, business activities and business sectors that said regulatory bodies are authorized to principally
regulate pursuant to the law: Provided, finally. That the Commission may review such privacy codes and
require changes thereto for purposes of complying with the Data Privacy Act;
Page 11 of 23
11. Provide assistance on matters relating to privacy or data protection at the request of a national or local
agency, a private entity or any person;
12. Comment on the implication on data privacy of proposed national or local statutes, regulations or
procedures, issue advisory opinions and interpret the provisions of this Act and other data privacy laws;
13. Propose legislation, amendments or modifications to Philippine laws on privacy or data protection as may be
necessary;
14. Ensure proper and effective coordination with data privacy regulators in other countries and private
accountability agents, participate in international and regional initiatives for data privacy protection;
15. Negotiate and contract with other data privacy authorities of other countries for cross-border application
and implementation of respective privacy laws;
16. Assist Philippine companies doing business abroad to respond to foreign privacy or data protection laws and
regulations; and
17. Generally perform such acts as may be necessary to facilitate cross-border enforcement of data privacy
protection.
Confidentiality: The Commission shall ensure at all times the confidentiality of any personal information that
comes to its knowledge and possession.
Organizational Structure of the Commission: The Commission shall be attached to the Department of
Information and Communications Technology (DICT) and shall be headed by a Privacy Commissioner, who shall
also act as Chairman of the Commission.
The Privacy Commissioner shall enjoy the benefits, privileges and emoluments equivalent to the rank of
Secretary.
The Privacy Commissioner shall be assisted by two (2) Deputy Privacy Commissioners, one to be responsible for
Data Processing Systems and one to be responsible for Policies and Planning.
They shall enjoy the benefits, privileges and emoluments equivalent to the rank of Undersecretary.
Term and Vacancy: The Privacy Commissioner and the two (2) Deputy Privacy Commissioners shall be
appointed by the President of the Philippines for a term of three (3) years, and may be reappointed for another
term of three (3) years. Vacancies in the Commission shall be filled in the same manner in which the original
appointment was made.
Qualifications of the Privacy Commissioner:

1. At least thirty-five (35) years of age
2. Of good moral character, unquestionable integrity and known probity, and
3. A recognized expert in the field of information technology and data privacy.
The Deputy Privacy Commissioners must be recognized experts in the field of information and communications
technology and data privacy.
Acts done in good faith: The Privacy Commissioner, the Deputy Commissioners, or any person acting on their
behalf or under their direction, shall not be civilly liable for acts done in good faith in the performance of their
duties.
However, he or she shall be liable for willful or negligent acts done by him or her which are contrary to
law, morals, public policy and good customs even if he or she acted under orders or instructions of
superiors. In case a lawsuit is filed against such official on the subject of the performance of his or her duties,
where such performance is lawful, he or she shall be reimbursed by the Commission for reasonable costs of
litigation.
The Secretariat: Majority of the members of the Secretariat must have served for at least five (5) years in any
agency of the government that is involved in the processing of personal information including, but not limited
to, the following offices: Social Security System (SSS), Government Service Insurance System (GSIS), Land
Transportation Office (LTO), Bureau of Internal Revenue (BIR), Philippine Health Insurance Corporation
(PhilHealth), Commission on Elections (COMELEC), Department of Foreign Affairs (DFA), Department of Justice
(DOJ), and Philippine Postal Corporation (Philpost).
PROCESSING OF PERSONAL INFORMATION
Processing refers to any operation or any set of operations performed upon personal information including, but
not limited to:
1. Collection,
2. Recording,
3. Organization,
4. Storage,
5. Updating Or Modification,
6. Retrieval,
Page 12 of 23
7. Consultation,
8. Use,
9. Consolidation,
10. Blocking,
11. Erasure Or
12. Destruction of data.
General Data Privacy Principles: The processing of personal information shall be allowed, subject to:
(1) Compliance with the requirements of the Data Privacy Act and other laws allowing disclosure of information
to the public and
(2) Adherence to the following principles:
1. Principle of Proportionality: The Processing of Personal data shall be adequate, relevant, suitable,
necessary, and not excessive in relation to a declared and specified purpose. Personal Data shall be
processed by the Company only if the purpose of the Processing could not reasonably be fulfilled by
other means.
2. Principle of Legitimate Purpose: The Processing of Personal Data by the Company shall be
compatible with a declared and specified purpose which must not be contrary to law, morals, or public
policy.
3. Principle of Transparency: The Data Subject must be aware of the nature, purpose, and extent of the
Processing of his or her Personal Data by the Company, including the risks and safeguards involved, the
identity of persons and entities involved in processing his or her Personal Data, his or her rights as a
Data Subject, and how these can be exercised. Any information and communication relating to the
Processing of Personal Data should be easy to access and understand, using clear and plain language.
ILLUSTRATION: A customer wants to apply for a loyalty rewards card. The customer service representative
asks the customer to fill-out a form which includes information for blood type and political affiliation. Can the
company collect such information?
PERSONAL INFORMATION, whether recorded in a material form or not, are those from which the identity of
an individual:
1. is apparent, or
2. can be reasonably and directly ascertained by the entity holding the information, or
3. when put together with other information would directly and certainly identify an individual
Examples: include the Data Owner’s Name, Home address and Phone number
Personal information must be:

1. Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably
practicable after collection, and later processed in a way compatible with such declared, specified and
legitimate purposes only;
2. Processed fairly and lawfully;
3. Accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal
information, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or
their further processing restricted;
4. Adequate and not excessive in relation to the purposes for which they are collected and processed;
5. Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or
for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as
provided by law; and
6. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes
for which the data were collected and processed: Provided, That personal information collected for other
purposes may lie processed for historical, statistical or scientific purposes, and in cases laid down in law
may be stored for longer periods: Provided, further, That adequate safeguards are guaranteed by said laws
authorizing their processing.
The personal information controller must ensure implementation of personal information processing principles
set out herein.
Criteria for Lawful Processing of Personal Information: The processing of personal information shall be
permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:
1. The data subject has given his or her consent;
2. The processing of personal information is necessary and is related to the fulfillment of a contract with
the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
3. The processing is necessary for compliance with a legal obligation to which the personal information
controller is subject;
4. The processing is necessary to protect vitally important interests of the data subject, including life and
health;
5. The processing is necessary in order to respond to national emergency, to comply with the
requirements of public order and safety, or to fulfill functions of public authority which necessarily
includes the processing of personal data for the fulfillment of its mandate; or
Page 13 of 23
6. The processing is necessary for the purposes of the legitimate interests pursued by the personal
information controller or by a third party or parties to whom the data is disclosed, except where such
interests are overridden by fundamental rights and freedoms of the data subject which require protection
under the Philippine Constitution.
PRIVILEGED INFORMATION refers to any and all forms of data which under the Rules of Court and other
pertinent laws constitute privileged communication.
Examples include:
1. Attorney-client privileged information
2. Doctor-patient privileged information
3. Marital privilege communication
4. Priest-confessor privileged information
SENSITIVE PERSONAL INFORMATION refers to personal information:

1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political
affiliations;
2. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any
offense committed or alleged to have been committed by such person, the disposal of such proceedings, or
the sentence of any court in such proceedings;
3. Issued by government agencies peculiar to an individual which includes, but not limited to, social security
numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax
returns; and
4. Specifically established by an executive order or an act of Congress to be kept classified.
Sensitive Personal Information and Privileged Information: The processing of sensitive personal
information and privileged information shall be prohibited, except in the following cases:
1. The data subject has given his or her consent, specific to the purpose prior to the processing, or in the
case of privileged information, all parties to the exchange have given their consent prior to processing;
2. The processing of the same is provided for by existing laws and regulations, provided:
a. Such regulatory enactments guarantee the protection of the sensitive personal information and the
privileged information; and
b. The consent of the data subjects are not required by law or regulation permitting the processing of the
sensitive personal information or the privileged information;
3. The processing is necessary to protect the life and health of the data subject or another person, and
the data subject is not legally or physically able to express his or her consent prior to the processing;
4. The processing is necessary to achieve the lawful and noncommercial objectives of public
organizations and their associations: provided:
a. That such processing is only confined and related to the bona fide members of these organizations or
their associations;
b. That the sensitive personal information are not transferred to third parties; and
c. That consent of the data subject was obtained prior to processing;
5. The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner
or a medical treatment institution, and an adequate level of protection of personal information is ensured;
or
6. The processing concerns such personal information as is necessary for the protection of lawful rights and
interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of
legal claims, or when provided to government or public authority.
ILLUSTRATION: A doctor logs in the symptoms and medications prescribed of a particular client. Is the doctor
allowed to collect and process such information?
ILLUSTRATION: The employee is being required to provide his SSS, PAGIBIG, Philhealth numbers to the
employer. Can the employer lawfully collect such information?
ILLUSTRATION: A car dealer is asking a pontential buyer to fill-out a form which includes the name, credit
card details (as mode of payment), address and racial origin of the buyer. Can the car dealer legally process the
same?
Subcontract of Personal Information: A personal information controller may subcontract the processing of
personal information.
The personal information controller shall be responsible for ensuring that proper safeguards are in place
to ensure :
1. The confidentiality of the personal information processed,
2. Prevent its use for unauthorized purposes, and generally,
3. Comply with the requirements of the Data Privacy Act and other laws for processing of personal
information.
Page 14 of 23
The personal information processor shall comply with all the requirements of the Data Privacy Act and other
applicable laws.
Extension of Privileged Communication: Personal information controllers may invoke the principle of
privileged communication over privileged information that they lawfully control or process. Subject to existing
laws and regulations, any evidence gathered on privileged information is inadmissible.
ILLUSTRATION: Examples of Personal Information, Sensitive Personal Information or Privileged Information:
Information Classification
Gender
School graduated from and date graduated
E-mail address
Laptop’s IP address
Bank account number
Home address
Income tax return
Location tracked using an app (e.g. grab)
Court cases filed against the individual
Disclosures made to an auditor
RIGHTS OF THE DATA SUBJECT
Rights of the Data Subject:

1. Right to Informed Consent – The data subject shall be informed whether personal information
pertaining to him or her shall be, are being or have been processed;
The following information must be provided before the entry of the personal information into the processing
system, or at the next practical opportunity:
a. Description of the personal information to be entered into the system;
b. Purposes for which they are being or are to be processed;
c. Scope and method of the personal information processing;
d. The recipients or classes of recipients to whom they are or may be disclosed;
e. Methods utilized for automated access, if the same is allowed by the data subject, and the extent to
which such access is authorized;
f. The identity and contact details of the personal information controller or its representative;
g. The period for which the information will be stored; and
h. The existence of their rights, i.e., to access, correction, as well as the right to lodge a complaint
before the Commission.
2. Right to Object: The data subject shall have the right to object to the processing of his or her personal
data, including processing for direct marketing, automated processing or profiling.
3. Right to Withhold Consent: The data subject shall be notified and given an opportunity to withhold
consent to the processing in case of changes or any amendment to the information supplied or declared to
the data subject in the preceding paragraph
Amendment of information: Any information supplied or declaration made to the data subject on these
matters shall not be amended without prior notification of data subject. Except: the notification shall not
apply should the personal information be needed pursuant to a subpoena or when the collection and
processing are for obvious purposes, including when it is necessary for the performance of or in relation to a
contract or service or when necessary or desirable in the context of an employer-employee relationship,
between the collector and the data subject, or when the information is being collected and processed as a
result of legal obligation.
4. Right to Access: The data subject has reasonable access to, upon demand, the following:
a. Contents of his or her personal information that were processed;
b. Sources from which personal information were obtained;
c. Names and addresses of recipients of the personal information;
d. Manner by which such data were processed;
e. Reasons for the disclosure of the personal information to recipients;
f. Information on automated processes where the data will or likely to be made as the sole basis for
any decision significantly affecting or will affect the data subject;
g. Date when his or her personal information concerning the data subject were last accessed and
modified; and
h. The designation, or name or identity and address of the personal information controller.
5. Right to Correction: The data subject shall have the right to dispute the inaccuracy or error in the
personal information and have the personal information controller correct it immediately and accordingly,
unless the request is vexatious or otherwise unreasonable.
Page 15 of 23
If the personal information have been corrected, the personal information controller shall ensure the
accessibility of both the new and the retracted information and the simultaneous receipt of the new
and the retracted information by recipients thereof: Provided, That the third parties who have previously
received such processed personal information shall he informed of its inaccuracy and its rectification upon
reasonable request of the data subject;
6. Right to Erasure: the data subject shall have the right to suspend, withdraw or order the blocking,
removal or destruction of his or her personal information from the personal information controller’s
filing system upon discovery and substantial proof that the personal information are incomplete, outdated,
false, unlawfully obtained, used for unauthorized purposes or are no longer necessary for the purposes for
which they were collected. In this case, the personal information controller may notify third parties who
have previously received such processed personal information;
7. Right to Damages: The data subject shall be indemnified for any damages sustained due to such
inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information.
8. Right to Data Portability: The right of the data subject to obtain from the personal information controller
a copy of data, where personal information is processed:
a. by electronic means and
b. in a structured and commonly used format.
The Commission may specify the electronic format referred to above, as well as the technical standards,
modalities and procedures for their transfer.
Transmissibility of Rights of the Data Subject: The lawful heirs and assigns of the data subject may
invoke the rights of the data subject for which he or she is an heir or assignee at any time after the death of
the data subject or when the data subject is incapacitated or incapable of exercising the rights as
enumerated above.
Non-Applicability of Rights: The above rights of a data subject are not applicable:
1. If the processed personal information are used only for the needs of scientific and statistical research
and, on the basis of such, no activities are carried out and no decisions are taken regarding the
data subject: Provided, That the personal information shall be held under strict confidentiality and shall be
used only for the declared purpose; and
2. To processing of personal information gathered for the purpose of investigations in relation to any
criminal, administrative or tax liabilities of a data subject.
SECURITY OF PERSONAL INFORMATION
Security of Personal Information:

1. The personal information controller must implement reasonable and appropriate organizational, physical
and technical measures intended for the protection of personal information against any accidental or
unlawful destruction, alteration and disclosure, as well as against any other unlawful processing.
2. The personal information controller shall implement reasonable and appropriate measures to protect
personal information against natural dangers such as accidental loss or destruction, and human dangers
such as unlawful access, fraudulent misuse, unlawful destruction, alteration and contamination.
3. The determination of the appropriate level of security must take into account (1) the nature of the
personal information to be protected, (2) the risks represented by the processing, (3) the size of the
organization and complexity of its operations, (4) current data privacy best practices and (5) the cost
of security implementation.
Subject to guidelines as the Commission may issue from time to time, the measures implemented must
include:
a. Safeguards to protect its computer network against accidental, unlawful or unauthorized usage or
interference with or hindering of their functioning or availability;
b. A security policy with respect to the processing of personal information;
c. A process for identifying and accessing reasonably foreseeable vulnerabilities in its computer
networks, and for taking preventive, corrective and mitigating action against security incidents that can
lead to a security breach; and
d. Regular monitoring for security breaches and a process for taking preventive, corrective and
mitigating action against security incidents that can lead to a security breach.
4. The personal information controller must further ensure that third parties processing personal information
on its behalf shall implement the security measures required by this provision.
5. The employees, agents or representatives of a personal information controller who are involved in the
processing of personal information shall operate and hold personal information under strict confidentiality
if the personal information are not intended for public disclosure. This obligation shall continue even after
leaving the public service, transfer to another position or upon termination of employment or contractual
relations.
Page 16 of 23
6. The personal information controller shall promptly notify the Commission and affected data subjects
when sensitive personal information or other information that may, under the circumstances, be used to
enable identity fraud are reasonably believed to have been acquired by an unauthorized person, and
the personal information controller or the Commission believes that such unauthorized acquisition is likely
to give rise to a real risk of serious harm to any affected data subject.
Notification to the Commission: The notification shall at least describe the nature of the breach, the
sensitive personal information possibly involved, and the measures taken by the entity to address the
breach. Notification may be delayed only to the extent necessary to determine the scope of the breach, to
prevent further disclosures, or to restore reasonable integrity to the information and communications
system.
a. In evaluating if notification is unwarranted, the Commission may take into account compliance by the
personal information controller with this provision and existence of good faith in the acquisition of
personal information.
b. The Commission may exempt a personal information controller from notification where, in its reasonable
judgment, such notification would not be in the public interest or in the interests of the affected data
subjects.
c. The Commission may authorize postponement of notification where it may hinder the progress of a
criminal investigation related to a serious breach.
Period to report: If there is likelihood of risk to individuals, the data processor must report data breaches
within 72 hours.
ACCOUNTABILITY FOR TRANSFER OF PERSONAL INFORMATION
Principle of Accountability: Each personal information controller is responsible for personal information under
its control or custody, including information that have been transferred to a third party for processing, whether
domestically or internationally, subject to cross-border arrangement and cooperation.
1. The personal information controller is accountable for complying with the requirements of the Data
Privacy Act and shall use contractual or other reasonable means to provide a comparable level of
protection while the information are being processed by a third party.
2. Data Protection Officer: The personal information controller shall designate an individual or
individuals who are accountable for the organization’s compliance with the Data Privacy Act. The identity
of the individual(s) so designated shall be made known to any data subject upon request.
SECURITY OF SENSITIVE PERSONAL INFORMATION IN GOVERNMENT
Responsibility of Heads of Agencies: All sensitive personal information maintained by the government,
its agencies and instrumentalities shall be secured, as far as practicable, with the use of the most appropriate
standard recognized by the information and communications technology industry, and as recommended by the
Commission.
The head of each government agency or instrumentality shall be responsible for complying with the
security requirements mentioned while the Commission shall monitor the compliance and may recommend
the necessary action in order to satisfy the minimum standards.
Requirements Relating to Access by Agency Personnel to Sensitive Personal Information:

1. On-site and Online Access – Except as may be allowed through guidelines to be issued by the
Commission, no employee of the government shall have access to sensitive personal information on
government property or through online facilities unless the employee has received a security
clearance from the head of the source agency.
2. Off-site Access – Unless otherwise provided in guidelines to be issued by the Commission, sensitive
personal information maintained by an agency may not be transported or accessed from a location off
government property unless a request for such transportation or access is submitted and approved
by the head of the agency in accordance with the following guidelines:
a. Deadline for Approval or Disapproval – In the case of any request submitted to the head of an
agency, such head of the agency shall approve or disapprove the request within two (2) business
days after the date of submission of the request.
In case there is no action by the head of the agency, then such request is considered disapproved;
b. Limitation to 1,000 Records – If a request is approved, the head of the agency shall limit the
access to not more than one thousand (1,000) records at a time; and
c. Encryption – Any technology used to store, transport or access sensitive personal information for
purposes of off-site access approved under this subsection shall be secured by the use of the most
secure encryption standard recognized by the Commission.
Applicability to Government Contractors: In entering into any contract that may involve accessing or
requiring sensitive personal information from one thousand (1,000) or more individuals, an agency shall
require a contractor and its employees to register their personal information processing system with
Page 17 of 23
the Commission in accordance with the Data Privacy Act and to comply with the other provisions of said Act, in
the same manner as agencies and government employees comply with such requirements.
UNLAWFUL ACTS AND PENALTIES
1. Unauthorized Processing: any person who process personal information without the consent of the data
subject, or without being authorized under the Data Privacy Act or any existing law. Penalties:
Imprisonment Fine
Personal Information 1 to 3 years P500,000 – P2,000,000
Sensitive Personal Information 3 to 6 years P500,000 – P4,000,000
2. Access – any person who, due to negligence, provided access to personal information without being
authorized under the Data Privacy Act or any existing law. Penalties:
Imprisonment Fine
Personal Information 1 to 3 years P500,000 – P2,000,000
3. Improper Disposal – any person who knowingly or negligently dispose, discard or abandon the personal
information of an individual in an area accessible to the public or has otherwise placed the personal
information of an individual in its container for trash collection. Penalties:
Imprisonment Fine
Personal Information 6 mos. to 2 years P100,000 – P500,000
4. Processing for Unauthorized Purposes - processing personal information for purposes not authorized by
the data subject, or otherwise authorized under this Act or under existing laws. Penalties:
Imprisonment Fine
Personal Information 1 year and 6 P500,000 – P1,000,000
mos. to 5 years
5. Unauthorized Access or Intentional Breach – any person who knowingly and unlawfully, or violating
data confidentiality and security data systems, breaks in any way into any system where personal and
sensitive personal information is stored. Penalty shall be imprisonment of 1 year to 3 years and a fine of
P500,000 to P2,000,000.
6. Concealment of Security Breaches Involving Sensitive Personal Information. – any person who,
after having knowledge of a security breach and of the obligation to notify the Commission, intentionally or
by omission conceals the fact of such security breach. The penalty shall be imprisonment of 1 year and 6
months to 5 years and a fine of P500,000 to P1,000,000.
7. Malicious Disclosure – Any personal information controller or personal information processor or any of its
officials, employees or agents, who, with malice or in bad faith, discloses unwarranted or false information
relative to any personal information or personal sensitive information obtained by him or her. The penalty
shall be imprisonment of 1 year and 6 months to 5 years and a fine of P500,000 to P1,000,000.
8. Unauthorized Disclosure. – Any personal information controller or personal information processor or any
of its officials, employees or agents, who discloses to a third party personal or sensitive personal
information, not covered by Malicious Disclosure above, without the consent of the data subject. The
penalties:
Imprisonment Fine
Personal Information 1 year to 3 years P500,000 – P1,000,000
shall he subject to imprisonment ranging from one (1) year to three (3) years and a fine of not less than
Five hundred thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00).
9. Combination or Series of Acts – Any combination or series of acts as defined in above shall make the
person subject to imprisonment 3 to 6 years and a fine of P1,000,000 to P5,000,000.
Extent of Liability:
1. Juridical Persons: If the offender is a corporation, partnership or any juridical person, the penalty shall be
imposed upon the responsible officers, as the case may be, who participated in, or by their gross
Page 18 of 23
negligence, allowed the commission of the crime. If the offender is a juridical person, the court may
suspend or revoke any of its rights under the Data Privacy Act.
2. Alien: If the offender is an alien, he or she shall, in addition to the penalties above, be deported without
further proceedings after serving the penalties prescribed.
3. Large-Scale: The maximum penalty in the scale of penalties respectively provided shall be imposed
when the personal information of at least one hundred (100) persons is harmed, affected or involved as
the result of the above-mentioned actions.
4. Public Official or Employee: If the offender is a public official or employee and he or she is found guilty
of Improper Disposal of Personal Information and Sensitive Personal Information and Processing of Personal
Information and Sensitive Personal Information for Unauthorized Persons, he or she shall, in addition to the
penalties prescribed, suffer perpetual or temporary absolute disqualification from office, as the case
may be.
5. Offense Committed by Public Officer: When the offender or the person responsible for the offense is a
public officer as defined in the Administrative Code of the Philippines in the exercise of his or her duties, an
accessory penalty consisting in the disqualification to occupy public office for a term double the
term of criminal penalty imposed shall he applied.
6. Restitution: Restitution for any aggrieved party shall be governed by the provisions of the New Civil Code.
1. The Data Privacy Act is primarily implemented by which government agency?

A. Data Privacy Commission
B. National Privacy Commission
C. Department of Trade and Industry
D. Anti-Money Laundering Council
2. Refers to the individual whose personal information is processed:

A. Subject party
B. Data subject
C. Personal information owner
D. Private individual
3. During the graduation of X, his mother Y took pictures of him and posted it in social media. In this case, is Y
considered a personal information controller?
A. Yes, because she took pictures of X with his face which is considered a personal information and t here
was processing of the same
B. No, because she processed personal information in connection with the individual’s family affairs
C. Yes, because she posted the pictures in social media which constitutes processing of personal
information
D. No, because she is considered as a personal information processor.
4. The Data Privacy Act does not apply to:

A. The processing of all types of personal information and
B. To any natural and juridical person involved in personal information processing
C. Information about any individual who is or was an officer or employee of a government institution that
relates to the position or functions of the individual
5. In processing personal information, this principle provides that the Processing of Personal data shall be
adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose.
A. Principle of Proportionality
B. Principle of Legitimate Purpose
C. Principle of Transparency
D. All of the choices
6. A person’s information related to his bank accounts is considered:

A. Personal Information
B. Sensitive Personal Information
C. Privileged Information
7. The data subject’s right to obtain from the personal information controller a copy of data, where personal
information is processed by electronic means and in a structured and commonly used format:
A. Right to Access
B. Right to Correction
C. Right to Erasure
D. Right to Data Portability
8. The lawful heirs and assigns of the data subject may invoke the rights of the data subject for which he or
she is an heir or assignee:
I. In case of death of the data subject
II. In case of the data subject’s incapacity
Page 19 of 23
III. In case of incapability of the data subject to exercise the rights
A. I, II and III
B. I and II only
C. I and III only
D. II and III only
9. The data subject’s rights does not apply in the following cases, except:
A. In case of processing for the needs of scientific and statistical research
B. For purposes of investigation in relation to a criminal or administrative liability
C. In case of BIR audits
D. None of the choices is an exception
10. The offense under the Data Privacy Act, when it involves at least 100 persons that is harmed or affected by
the offense committed, shall be punished with the maximum penalty. This is known as:
A. Large-scale
B. Syndicated
C. Bigtime
D. Nationwide
III. EASE OF DOING BUSINESS ACT
COVERAGE: all government offices and agencies including LGUs, GOCCs and other government
instrumentalities, whether located in the Philippines or abroad, that provide services covering business and
nonbusiness related transactions.
Business-related transactions - a set of regulatory requirements that a business entity must comply with to
engage, operate or continue to operate a business.
Non-business transactions - all other government transactions.
RULES IN ACCESSING GOVERNMENT SERVICES
ACCEPTANCE OF APPLICATIONS OR REQUESTS

1. All officers or employees shall accept written applications, requests, and/or documents being submitted by
applicants or requesting parties of the offices or agencies.
2. The receiving officer or employee shall perform a preliminary assessment of the application or request
submitted with its supporting documents to ensure a more expeditious action on the application or request.
The receiving officer or employee shall immediately inform the applicant or requesting party of any
deficiency in the accompanying requirements, which shall be limited to those enumerated in the Citizen's
Charter.
3. The receiving officer or employee shall assign a unique identification number to an application or
request, which shall be the identifying number for all subsequent transactions between the government and
the applicant or requesting party regarding such specific application or request.
4. The receiving officer or employee shall issue an acknowledgement receipt containing the seal of the
agency, the name of the responsible officer or employee, his/her unit and designation, and the date and
time of receipt of such application or request.
ACTIONS OF OFFICERS:
1. PRESCRIBED PERIODS TO PROCESS: All applications or requests submitted shall be acted upon by the
assigned officer or employee within the prescribed processing time stated in the Citizen's Charter which
shall not be longer than:
TYPE OF TRANSACTION PERIOD TO PROCESS

Simple Transactions - applications or requests 3 working days from date of receipt
submitted by applicants or requesting parties of a
government office or agency which
a. only require ministerial actions on the part of
the public officer or employee, or
b. that which present only inconsequential issues
for the resolution by an officer or employee of said
government office
Complex Transactions - applications or requests 7 working days from date of receipt

submitted by applicants or requesting parties of a
government office which necessitate evaluation in
the resolution of complicated issues by an officer or
employee of said government office, such transactions
to be determined by the office concerned.
Page 20 of 23
Highly technical application – an application which Whichever is shorter between:

requires the use of technical knowledge, a. 20 working days or
specialized skill and/or training in the process b. As determined by the government
and/or evaluation thereof. agency or instrumentality concerned.
Applications or requests involving activities which pose

danger to public health, public safety, public
morals, public policy.
If the application or request for license, clearance, the Sanggunian concerned shall be given a
permit, certification or authorization shall require the period of forty-five (45) working days to act
approval of the local Sanggunian (Sangguniang on the application or request, which can be
Bayan, Sangguniang Panlungsod, or the Sangguniang extended for another twenty (20) working
Panlalawigan as the case may be) days.
If the local Sanggunian concerned has denied

the application or request, the reason for the
denial, as well as the remedial measures that
maybe taken by the applicant shall be cited by
the concerned Sanggunian
2. EXTENSTION: The maximum time prescribed above may be extended only once for the same number
of days, which shall be indicated in the Citizen's Charter. Prior to the lapse of the processing time, the
office or agency concerned shall notify the applicant or requesting party in writing of the reason for the
extension and final date of release of the government service/s requested. Such written notification shall be
signed by the applicant or requesting party to serve as proof of notice.
3. ADJUSTMENT/SUSPENSION OF PERIOD TO PROCESS: In cases where the cause of delay is due to

force majeure or natural or man-made disasters, which result to damage or destruction of documents,
and/or system failure of the computerized or automatic processing, the prescribed processing times
mandated in this Act shall be suspended and appropriate adjustments shall be made.
AUTOMATIC APPROVAL OR EXTENSION OF LICENSE, CLEARANCE, PERMIT, CERTIFICATION OR

AUTHORIZATION:
1. If a government office or agency fails to approve or disapprove an original application or request for
issuance of license, clearance, permit, certification or authorization within the prescribed processing
time, said application or request shall be deemed approved: Provided, That all required documents
have been submitted and all required fees and charges have been paid.
2. The acknowledgement receipt together with the official receipt for payment of all required fees
issued to the applicant or requesting party shall be enough proof or has the same force and effect of a
license, clearance, permit, certification or authorization under this automatic approval mechanism.
3. If a government office or agency fails to act on an application or request for renewal of a license,
clearance, permit, certification or authorization subject for renewal within the prescribed processing
time, said license, clearance, permit, certification or authorization shall automatically be extended:
Provided, That the Authority, in coordination with the Civil Service Commission (CSC), Department of Trade
and Industry (DTI) , Securities and Exchange Commission (SEC), Department of the Interior and Local
Government (DILG) and other agencies which shall formulate the IRR of this Act, shall provide a listing of
simple, complex, highly technical applications, and activities which pose danger to public health,
public safety, public morals or to public policy.
DENIAL OF APPLICATION OF REQUEST FOR ACCESS TO GOVERNMENT SERVICE:

Any denial of application or request for access to government service shall be:
1. Fully explained in writing,
2. Stating the name of the person making the denial and
3. the grounds upon which such denial is based.
Any denial of application or request is deemed to have been made with the permission or clearance from
the highest authority having jurisdiction over the government office or agency concerned.
LIMITATION OF SIGNATORIES
The number of signatories in any document shall be limited to a maximum of three (3) signatures which
shall represent officers directly supervising the office or agency concerned: Provided, That in case the
authorized signatory is on official business or official leave, an alternate shall be designated as
signatory.
Electronic signatures or pre-signed license, clearance, permit, certification or authorization with adequate
security and control mechanism may be used.
Page 21 of 23
ELECTRONIC VERSIONS OF LICENSES, CLEARANCES, PERMITS, CERTIFICATIONS OR

AUTHORIZATION
All government agencies covered shall, when applicable, develop electronic versions of licenses, clearances,
permits, certifications or authorizations with the same level of authority as that of the signed hard copy,
which may be printed by the applicants or requesting parties in the convenience of their offices.
ADOPTION OF WORKING SCHEDULES TO SERVE APPLICANTS OR REQUESTING PARTIES
Heads of offices and agencies which render government services shall adopt appropriate working schedules
to ensure that all applicants or requesting parties who are within their premises prior to the end of
official working hours are attended to and served even during lunch break and after regular working
hours.
PROCEDURES IN LOCAL GOVERNMENT UNITS:
The LGUs are mandated to implement the following revised guidelines in the issuance of business licenses,
clearances, permits, certifications or authorizations:
a. A single or unified business application form shall be used in processing new applications for business
permits and business renewals which consolidates all the information of the applicant or requesting party by
various local government departments, such as, but not limited to, the local taxes and clearances, building
clearance, sanitary permit, zoning clearance, and other specific LGU requirements, as the case may be,
including the fire clearance from the Bureau of Fire Protection (BFP).
The unified form shall be made available online using technology-neutral platforms such as, but not
limited to, the central business portal or the city/municipality's website and various channels for
dissemination. Hard copies of the unified forms shall likewise be made available at all times in
designated areas of the concerned office and/or agency.
b. A one-stop business facilitation service, hereinafter referred to as the business one stop shop,
(BOSS) for the city/municipality's business permitting and licensing system to receive and process manual
and/or electronic submission of application for license, clearance, permit, certification or authorization shall
be established within the cities/municipalities’ Negosyo Center as provided for under Republic Act
No. 10644, otherwise known as the "Go Negosyo Act". There shall be a queuing mechanism in the BOSS
to better manage the flow of applications among the LGUs' departments receiving and processing
applications. LGUs shall implement colocation of the offices of the treasury, business permits and licensing
office, zoning office, including the BFP, and other relevant city/municipality offices, departments, among
others, engaged in starting a business, dealing with construction permits.
c. Cities/Municipalities are mandated to automate their business permitting and licensing system or set
up an electronic BOSS within a period of three (3) years upon the effectivity of this Act for a more
efficient business registration processes.
Cities/Municipalities with electronic BOSS shall develop electronic versions of licenses, clearances,
permits, certifications or authorizations with the same level of authority, which may be printed by
businesses in the convenience of their offices. The DICT shall make available to LGUs the software for the
computerization of the business permit and licensing system. The DICT, DTI, and DILG, shall provide
technical assistance in the planning and implementation of a computerized or software-enabled business
permitting and licensing system.
d. To lessen the transaction requirements, other local clearances such as, but not limited to, sanitary
permits, environmental and agricultural clearances shall be issued together with the business permit.
e. Business permits shall be valid for a period of one (1) year. The city/municipality may have the option
to renew business permits within the first month of the year or on the anniversary date of the
issuance of the business permit.
f. Barangay clearances and permits related to doing business shall be applied, issued, and collected at the
city/municipality in accordance with the prescribed processing time of this Act: Provided, That the
share in the collections shall be remitted to the respective barangays. The pertinent provisions of
Republic Act No. 7160, otherwise known as "The Local Government Code of 1991", specifically Article IV,
Section 152(c) is hereby amended accordingly.
1. Under the Ease of Doing Business Act, this has been defined as a set of regulatory requirements that a
business entity must comply with to engage or operate or continue to operate a business:
A. Business-related transaction
B. License
C. Non-business transactions
D. Complex transactions
Page 22 of 23
2. After acceptance of the written applications, requests, and/or documents, who shall perform the preliminary
assessment of the application or request?
A. The receiving officer
B. The direct supervisor of the receiving officer
C. The head of the agency
D. The Anti-Red Tape Authority
3. A transaction which present only inconsequential issues for the resolution by an officer or employee of the
concerned government office is known as:
A. Simple transaction
B. Complex transaction
C. Highly-technical transaction
D. A transaction that will require the approval of a local sanggunian
4. For this type of transactions, the Ease of Doing Business Act allows a maximum of 20 working days to
process. Which one is an exception?
A. an application or request which requires the use of technical knowledge, specialized skill and/or training
in the process and/or evaluation thereof.
B. An application involving activities which pose danger to public health
C. A request involving activities which pose danger to public safety
D. Applications or requests submitted by applicants or requesting parties of a government office which
necessitate evaluation in the resolution of complicated issues by an officer or employee of said
government office, such transactions to be determined by the office concerned
5. An application which requires the use of technical knowledge, specialized skill and/or training in the process
and/or evaluation thereof.
A. Simple Transaction
B. Complex Transaction
C. Highly-Technical Transaction
6. If the approval of the local Sanggunian is required, the processing time of the application or request, the
approval of the Sanggunian concerned shall be given a period of ____________.
A. 20 calendar days
B. 45 calendar days
C. 20 working days
D. 45 working days
7. If a transaction is categorized as complex, it shall be processed not more than 7 working days from the date
of receipt, which is also the number of days indicated in the citizens’ charter. The maximum time for
extension that may be granted is:
A. 3 working days
B. 7 working days
C. 20 working days
D. 45 working days
8. If a government office fails to approve or disapprove an application within the prescribed processing time:
A. It shall be deemed approved
B. It shall be deemed denied
C. It shall be deemed approved only if all the required documents have been submitted and all required
fees and charges have been paid
D. It shall be deemed denied if all the required documents have not been submitted even if all required
fees and charges have been paid
9. The number of signatories in any document shall be limited to a maximum of ___ signatures which shall
represent officers directly supervising the office or agency concerned.
A. 1
B. 3
C. 5
D. 7
10. Mr. X went to a government agency and arrived at 4:58pm. He was 12 th in the number of persons who sill
be submitting an application for a government license. The agency closes at 5:00pm and it takes on
average 20mins to process the submission which means only 1 applicant will be processed before closing
time. In this case,
A. Mr. X would have to go back the following day and will be considered 11th in the processing queue.
B. Mr. X would have to go back the following day and obtain a new queueing number.
C. Mr. X would not have to go back as his application is still required to be processed that same day.
D. Mr. X can be considered a priority
Page 23 of 23

RFBT-11

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

RFBT-11

Uploaded by

Copyright:

Available Formats

ReSA - THE REVIEW SCHOOL OF ACCOUNTANCY

RFBT-11: E-COMMERCE ACT, DATA PRIVACY ACT

Objective: The E-Commerce Act (Act) aims

"Service provider" refers to a provider of:

Such service providers shall

Page 1 of 23 0915-2303213  www.resacpareview.com

LEGAL RECOGNITION OF ELECTRONIC DATA MESSAGES AND ELECTRONIC DOCUMENTS

Legal Recognition of Electronic documents:

Presumption Relating to Electronic Signatures: In any proceedings involving an electronic signature, it

COMMUNICATION OF ELECTRONIC DATA MESSAGES OR ELECTRONIC DOCUMENTS

Formation of Validity of Electronic Contracts:

Attribution of Electronic Data Message:

The above does not apply:

Agreement on Acknowledgement of Receipt of Electronic Data Message or Electronic Document:

General Rule: No acknowledgement of receipt is necessary

For the purpose hereof –

ELECTRONIC COMMERCE IN CARRIAGE OF GOODS

a. (i) furnishing the marks, number, quantity or weight of goods;

ELECTRONIC TRANSACTIONS IN GOVERNMENT

Extent of Liability of a Service Provider:

Unlawful Description Penalty

1. First statement: The E-Commerce Act applies to domestic transactions only.

2. The requirement of the law is met by an electronic document if:

8. The time of receipt shall be upon actual retrieval by the addressee:

II. DATA PRIVACY ACT

Data subject refers to an individual whose personal information is processed.

Does not apply to:

No amendments or repeal to the following laws:

THE NATIONAL PRIVACY COMMISSION

Qualifications of the Privacy Commissioner:

PROCESSING OF PERSONAL INFORMATION

Personal information must be:

SENSITIVE PERSONAL INFORMATION refers to personal information:

ILLUSTRATION: Examples of Personal Information, Sensitive Personal Information or Privileged Information:

RIGHTS OF THE DATA SUBJECT

Rights of the Data Subject:

SECURITY OF PERSONAL INFORMATION

Security of Personal Information:

ACCOUNTABILITY FOR TRANSFER OF PERSONAL INFORMATION

SECURITY OF SENSITIVE PERSONAL INFORMATION IN GOVERNMENT

Requirements Relating to Access by Agency Personnel to Sensitive Personal Information:

UNLAWFUL ACTS AND PENALTIES

1. The Data Privacy Act is primarily implemented by which government agency?

2. Refers to the individual whose personal information is processed:

4. The Data Privacy Act does not apply to:

6. A person’s information related to his bank accounts is considered:

III. In case of incapability of the data subject to exercise the rights

III. EASE OF DOING BUSINESS ACT

Non-business transactions - all other government transactions.

RULES IN ACCESSING GOVERNMENT SERVICES

ACCEPTANCE OF APPLICATIONS OR REQUESTS

TYPE OF TRANSACTION PERIOD TO PROCESS

Complex Transactions - applications or requests 7 working days from date of receipt

Highly technical application – an application which Whichever is shorter between:

Applications or requests involving activities which pose

If the local Sanggunian concerned has denied

3. ADJUSTMENT/SUSPENSION OF PERIOD TO PROCESS: In cases where the cause of delay is due to

AUTOMATIC APPROVAL OR EXTENSION OF LICENSE, CLEARANCE, PERMIT, CERTIFICATION OR

DENIAL OF APPLICATION OF REQUEST FOR ACCESS TO GOVERNMENT SERVICE:

ELECTRONIC VERSIONS OF LICENSES, CLEARANCES, PERMITS, CERTIFICATIONS OR

ADOPTION OF WORKING SCHEDULES TO SERVE APPLICANTS OR REQUESTING PARTIES

PROCEDURES IN LOCAL GOVERNMENT UNITS:

You might also like