Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

RFBT > Data Privacy Act (RA No. 10173) > Flashcards

Data Privacy Act (RA No. 10173) Flashcards

1
Q

It refers to any natural or juridical person qualified to act as such under this Act to whom a personal information controller may outsource the processing of personal data pertaining to a data subject.

A

Personal information processor

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Scope of Application

Applicability

A
  1. The processing of all types of personal information and
  2. To any natural and juridical person involved in personal information processing including those personal information controllers and processors who, although not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately succeeding paragraph.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Extraterritorial Application

A

The Data Privacy Act applies to an act done or practice engaged in and outside of the Philippines by an entity if:
1. The act, practice or processing relates to personal information about a Philippine citizen or a resident;
2. The entity has a link with the Philippines, and the entity is processing personal information in the Philippines or even if the processing is outside the Philippines as long as it is about Philippine citizens or residents such as, but not limited to, the following:
a. A contract is entered in the Philippines;
b. A juridical entity unincorporated in the Philippines but has central management and control in the country; and
c. An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the Philippine entity has access to personal information; and
3. The entity has other links in the Philippines such as, but not limited to:
a. The entity carries on business in the Philippines; and
b. The personal information was collected or held by an entity in the Philippines.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Data Privacy Principles

A

The processing of personal information shall be allowed, subject to:
1. Compliance with the requirements of the Data Privacy Act and other laws allowing disclosure of information to the public and
2. Adherence to the following principles:
a. Principle of Proportionality: The Processing of Personal data shall be adequate, relevant, suitable, necessary, and not excessive in relation to a declared and specified purpose. Personal Data shall be processed by the Company only if the purpose of the Processing could not reasonably be fulfilled by other means.
b. Principle of Legitimate Purpose: The Processing of Personal Data by the Company shall be compatible with a declared and specified purpose which must not be contrary to law, morals, or public policy.
c. Principle of Transparency: The Data Subject must be aware of the nature, purpose, and extent of the Processing of his or her Personal Data by the Company, including the risks and safeguards involved, the identity of persons and entities involved in processing his or her Personal Data, his or her rights as a Data Subject, and how these can be exercised. Any information and communication relating to the Processing of Personal Data should be easy to access and understand, using clear and plain language.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Personal Information

A

Whether recorded in material form or not, are those from which the identity of an individual:
1. is apparent, or
2. can be reasonable and directly ascertained by the entity holding the information, or
3. when put together with other information would directly and certainly identify an individual

Examples: include the Data Owner’s Name, Home address and Phone number

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Criteria for Lawful Processing of Personal Information

A

The processing of personal information shall be permitted only if not otherwise prohibited by law, and when at least one of the following conditions exists:
1. The data subject has given his or her consent;
2. The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract;
3. The processing is necessary for compliance with a legal obligation to which the personal information controller is subject;
4. The processing is necessary to protect vitally important interests of the data subject, including life and health;
5. The processing is necessary in order to respond to national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data for the fulfillment of its mandate; or
6. The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

The processing of sensitive personal information and privileged information shall be prohibited, except in the following cases:

A
  1. The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged information, all parties to the exchange have given their consent prior to processing;
  2. The processing of the same is provided for by existing laws and regulations, provided:
    a. Such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information; and
    b. The consent of the data subjects are not required by law or regulation permitting the processing of the sensitive personal information or the privileged information;
  3. The processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing;
  4. The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their associations: provided:
    a. That such processing is only confined and related to the bona fide members of these organizations or their associations;
    b. That the sensitive personal information are not transferred to third parties; and
    c. That consent of the data subject was obtained prior to processing;
  5. The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured; or
  6. The processing concerns such personal information as is necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to government or public authority.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

The personal information controller shall be responsible for ensuring that proper safeguards are in place to ensure:

A
  1. The confidentiality of the personal information processed,
  2. Prevent its use for unauthorized purposes, and generally,
    3.** Comply with the requirements of the Data Privacy Act** and other laws for processing of personal information.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Extension of Privileged Communication

A

Personal information controllers may invoke the principle of privileged communication over privileged information that they lawfully control or process. Subject to existing laws and regulations, any evidence gathered on privileged information is inadmissible.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Notification to the Commission

A

The notification shall at least describe the nature of the breach, the sensitive personal information possibly involved, and the measures taken by the entity to address the breach. Notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system.
a. In evaluating if notification is unwarranted, the Commission may take into account compliance by the personal information controller with this provision and existence of good faith in the acquisition of personal information.
b. The Commission may exempt a personal information controller from notification where, in its reasonable judgment, such notification would not be in the public interest or in the interests of the affected data subjects.
c. The Commission may authorize postponement of notification where it may hinder the progress of a criminal investigation related to a serious breach.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Requirements Relating to Access by Agency Personnel to Sensitive Personal Information

A
  1. On-site and Online Access – Except as may be allowed through guidelines to be issued by the Commission, no employee of the government shall have access to sensitive personal information on government property or through online facilities unless the employee has received a security clearance from the head of the source agency.
  2. Off-site Access – Unless otherwise provided in guidelines to be issued by the Commission, sensitive personal information maintained by an agency may not be transported or accessed from a location off government property unless a request for such transportation or access is submitted and approved by the head of the agency in accordance with the following guidelines:
    a. Deadline for Approval or Disapproval – In the case of any request submitted to the head of an agency, such head of the agency shall approve or disapprove the request within two (2) business days after the date of submission of the request.
    In case there is no action by the head of the agency, then such request is considered disapproved;
    b. Limitation to 1,000 Records – If a request is approved, the head of the agency shall limit the access to not more than one thousand (1,000) records at a time; and
    c. Encryption – Any technology used to store, transport or access sensitive personal information for purposes of off-site access approved under this subsection shall be secured by the use of the most secure encryption standard recognized by the Commission.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

When is delay in notification prohibited

A

There shall be no delay in the notification if the breach involves at least one hundred (100) data subjects, or the disclosure of sensitive personal information will harm or adversely affect the data subject. In both instances, the Commission shall be notified within the 72-hour period based on available information. The full report of the personal data breach must be submitted within five (5) days, unless the personal information controller is granted additional time by the Commission to comply.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Form of Notification

A

Notification shall be in the form of a report, whether written or electronic, containing the required contents of notification: Provided, that the report shall also include the name and contact details of the data protection officer and a designated representative of the personal information controller: Provided further, that, where applicable, the manner of notification of the data subjects shall also be included in the report. Where notification is transmitted by electronic mail, the personal information controller shall ensure the secure transmission thereof. Upon receipt of the notification, the Commission shall send a confirmation to the personal information controller. A report is not deemed filed without such confirmation. Where the notification is through a written report, the received copy retained by the personal information controller shall constitute proof of such confirmation

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Enforcement of the Data Processing Systems

A

a. Registration of personal data processing systems operating in the country that involves accessing or requiring sensitive personal information of at least one thousand (1000) individuals, including the personal data processing system of contractors, and their personnel, entering into contracts with government agencies;
b. Notification of automated processing operations where the processing becomes the sole basis of making decisions that would significantly affect the data subject;
c. Annual report of the summary of documented security incidents and personal data breaches;
d. Compliance with other requirements that may be provided in other issuances of the Commission.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Registration of Personal Data Processing Systems

A

The personal information controller or personal information processor that employrs fewer than two hundred fifty (250) persons shall not be required to register unless the processing it carries out is likely to pose a risk to the rights and freedoms of data subjects, the processing is not occassional, or the processing includes sensitive personal information of at least one thousand individuals.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly

RFBT (14 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions