ReSA - THE REVIEW SCHOOL OF ACCOUNTANCY

CPA Review Batch 44  October 2022 CPA Licensure Examination

RFBT-15
REGULATORY FRAMEWORK for BUSINESS TRANSACTIONS J. DOMINGO  N. SORIANO

E-COMMERCE ACT, DATA PRIVACY ACT

& EASE OF DOING BUSINESS ACT
ELECTRONIC COMMERCE ACT
(RA No. 8792)

Objective: The E-Commerce Act (Act) aims

1. to facilitate domestic and international dealings, transactions, arrangements, agreements, contracts
and exchanges and storage of information through the utilization of electronic, optical and similar medium,
mode, instrumentality and technology,
2. to recognize the authenticity and reliability of electronic data messages or electronic documents related
to such activities and
3. to promote the universal use of electronic transactions in the government and by the general public.

Sphere of Application: The Act shall apply to any kind of electronic document used in the context of commercial
and non-commercial activities to include domestic and international dealings, transactions, arrangements, agreements
contracts and exchanges and storage of information.

Definition of Terms: For the purposes of the Act, the following terms are defined, as follows:

"Computer" refers to any device or apparatus singly or interconnected which, by electronic, electro-mechanical,
optical and/or magnetic impulse, or other means with the same function, can receive, record, transmit, store, process,
correlate, analyze, projects, retrieve, and/or produce information, data, text, graphics, figures, voice, video, symbols or
other modes of expression or perform any one or more of these functions.

"Information and Communications System" refers to a system for generating, sending, receiving, storing, or
otherwise processing electronic documents and includes the computer system or other similar device by or in which
data is recorded or stored and any procedures related to the recording or storage of electronic document.

"Originator" refers to a person by whom, or on whose behalf, the electronic document purports to have been
created, generated and/or sent. The term does not include a person acting as an intermediary with respect to that
electronic document.

"Addressee" refers to a person who is intended by the originator to receive the electronic data message or
electronic document, but does not include a person acting as an intermediary with respect to that electronic data
message or electronic data document.

"Intermediary" refers to a person who in behalf of another person and with respect to a particular electronic
document sends, receives and/or stores, provides other services in respect of that electronic data message or
electronic document.

"Service provider" refers to a provider of:

1. Online services or network access or the operator of facilities therefor including entities offering the
transmission, routing, or providing of connections for online communications, digital or otherwise, between or among
points specified by a user, of electronic documents of the user's choosing; or
2. The necessary technical means by which electronic documents of an originator may be stored and made
accessible to designated or undesignated third party.

Such service providers shall

a. Have no authority to:
i. modify or alter the content of the electronic document received or
ii. to make any entry therein on behalf of the originator, addressee or any third party unless specifically
authorized to do so,
b. Retain the electronic document in accordance with the specific request or as necessary for the purpose of
performing the services it was engaged to perform.

"Electronic data message" refers to information generated, sent, received or stored by electronic, optical or
similar means.

“Electronic signature" refers to any distinctive mark, characteristic and/or sound in electronic from, representing
the identity of a person and attached to or logically associated with the electronic data message or electronic document
or any methodology or procedures employed or adopted by a person and executed or adopted by such person with the
intention of authenticating or approving an electronic data message or electronic document.

"Electronic key" refers to a secret code which secures and defends sensitive information that crossover public
channels into a form decipherable only with a matching electronic key.

"Electronic document" refers to information or the representation of information, data, figures, symbols or other
modes of written expression, described or however represented, by which a right is established or an obligation
extinguished, or by which a fact may be prove and affirmed, which is receive, recorded, transmitted, stored,
processed, retrieved or produced electronically.

Page 1 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE ACT, DATA PRIVACY ACT and EASE OF DOING BUSINESS ACT RFBT-15
LEGAL RECOGNITION OF ELECTRONIC DATA MESSAGES AND ELECTRONIC DOCUMENTS

Legal Recognition of Electronic Data Messages: Information shall not be denied validity or enforceability solely
on the ground that it is in the form of electronic data message purporting to give rise to such legal effect, or that
it is merely incorporated by reference in that electronic data message.
Legal Recognition of Electronic documents: Electronic documents shall have the legal effect, validity or
enforceability as any other document or legal writing, and:
a. Where the law requires a document to be in writing, that requirement is met by an electronic document if
the said electronic document:
i. maintains its integrity and reliability and
ii. can be authenticated so as to be usable for subsequent reference, in that:
(1) The electronic document has remained complete and unaltered, apart from the addition of any
endorsement and any authorized change, or any change which arises in the normal course of
communication, storage and display; and
(2) The electronic document is reliable in the light of the purpose for which it was generated and in the light
of all relevant circumstances.
b. Paragraph (a) applies whether the requirement therein is in the from of an obligation or whether the law simply
provides consequences for the document not being presented or retained in its original from.
c. Where the law requires that a document be presented or retained in its original form, that requirement is met
by an electronic document if-
i. There exists a reliable assurance as to the integrity of the document from the time when it was first generated
in its final from; and
ii. That document is capable of being displayed to the person to whom it is to be presented: Provided, That no
provision of the Act shall apply to vary any and all requirements of existing laws on formalities required in the
execution of documents for their validity.

For evidentiary purposes, an electronic document shall be the functional equivalent of a written document under
existing laws.

The Act does not modify any statutory any statutory rule relating to admissibility of electronic data massages
or electronic documents, except the rules relating to authentication and best evidence.

Legal Recognition of Electronic Signatures: An electronic signature on the electronic document shall be equivalent
to the signature of a person on a WRITTEN DOCUMENT if:
a. the signature is an electronic signature and
b. proved by showing that a prescribed procedure, not alterable by the parties interested in the electronic
document, existed under which-
i. A method is used to identify the party sought to be bound and to indicate said party's access to the
electronic document necessary for his consent or approval through the electronic signature;
ii. Said method is reliable and appropriate for the purpose for which the electronic document was generated
or communicated, in the light of all circumstances, including any relevant agreement;
iii. It is necessary for the party sought to be bound, in order to proceed further with the transaction to have
executed or provided the electronic signature; and
iv. The other party is authorized and enable to verify the electronic signature and to make the decision
to proceed with the transaction authenticated by the same.

Presumption Relating to Electronic Signatures: In any proceedings involving an electronic signature, it shall be
presumed that,
a. The electronic signature is the signature of the person to whom it correlates; and
b. The electronic signature was affixed by that person with the intention of signing or approving the electronic
document unless
i. the person relying on the electronically designed electronic document knows or has notice of defects in or
unreliability of the signature or
ii. reliance on the electronic signature is not reasonable under the circumstances.

Original Documents:
1. Where the law requires information to be presented or retained in its ORIGINAL FORM, that requirement is
met by an electronic data message or electronic document if:
a. the integrity of the information from the time when it was first generated in its final form, as an electronic
document is shown by evidence aliunde or otherwise; and
b. where otherwise it is required that information be presented, that the information is capable of being
displayed to the person to whom it is to be presented.
2. Paragraph (1) applies whether the requirement therein is in the form of an obligation or whether the law simply
provides consequences for the information not being presented or retained in its original form.
3. For the purpose of subparagraph (a) of paragraph (1):
a. the criteria for assessing integrity shall be whether the information has remained complete and unaltered,
apart from the addition of any endorsement and any change which arises in the normal course of communication,
storage and display; and
b. the standard of reliability required shall be assessed in the light of purpose for which the information was
generated and in the light of all the relevant circumstances.

Authentication of Electronic Data Messages and Electronic Documents: Until the Supreme Court by appropriate
rules shall have so provided, electronic documents, electronic data messages and electronic signatures, shall be
authenticated by demonstrating, substantiating and validating a claimed identity of a user, device, or another entity is
an information or communication system, among other ways, as follows;

Page 2 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE ACT, DATA PRIVACY ACT and EASE OF DOING BUSINESS ACT RFBT-15
a. The electronic signatures shall be authenticated by proof that a letter, character, number or other symbol in
electronic form representing the persons named in and attached to or logically associated with an electronic
data message, electronic document, or that the appropriate methodology or security procedures, when
applicable, were employed or adopted by such person, with the intention of authenticating or approving in an
electronic data message or electronic document;
b. The electronic data message or electronic document shall be authenticated by proof that an appropriate security
procedure, when applicable was adopted and employed for the purpose of:
i. verifying the originator of an electronic data message or electronic document, or
ii. detecting error or alteration in the communication, content or storage of an electronic document or electronic
data message from a specific point, which, using algorithms or codes, identifying words or numbers,
encryptions, answers back or acknowledgement procedures, or similar security devices.

The Supreme Court may adopt such other authentication procedures, including the use of electronic notarization systems
as necessary and advisable, as well as the certificate of authentication on printed or hard copies of the electronic
documents or electronic data messages by electronic notaries, service providers and other duly recognized or appointed
certification authorities.

Burden of Proof: The person seeking to introduce an electronic data message or electronic document in any legal
proceeding has the burden of proving its authenticity by evidence capable of supporting a finding that the electronic
data message or electronic document is what the person claims it on be.

Integrity of the Information and Communication System: In the absence of evidence to the contrary, the
integrity of the information and communication system in which an electronic data message or electronic document is
recorded or stored may be established in any legal proceeding –
a. By evidence that:
i. at all material times the information and communication system or other similar device was operating in a
manner that did not affect the integrity of the electronic data message or electronic document, and
ii. there are no other reasonable grounds to doubt the integrity of the information and communication
system,
b. By showing that the electronic data message or electronic document was recorded or stored by a party to the
proceedings who is adverse in interest to the party using it; or
c. By showing that the electronic data message or electronic document was recorded or stored in the usual and
ordinary course of business by a person who is not a party to the proceedings and who did not act under the
control of the party using the record.

Admissibility and Evidential Weight of Electronic Data Message or electronic document: In any legal
proceedings, nothing in the application of the rules on evidence shall deny the admissibility of an electronic data
message or electronic document in evidence –
a. On the sole ground that it is in electronic form; or
b. On the ground that it is not in the standard written form, and the electronic data message or electronic document
meeting, and complying with the requirements under Legal Recognition of Electronic Data Messages and Electronic
Documents mentioned above, shall be the best evidence of the agreement and transaction contained therein.

In assessing the evidential weight of an electronic data message or electronic document, the following shall be given
due regard:
a. the reliability of the manner in which it was generated, stored or communicated,
b. the reliability of the manner in which its originator was identified, and
c. other relevant factors.

Retention of Electronic Data Message or Electronic Document: Notwithstanding any provision of law, rule or
regulation to the contrary –
a. The requirement in any provision of law that certain documents be retained in their original form is satisfied
by retaining them in the form of an electronic data message or electronic document which
i. Remains accessible so as to be usable for subsequent reference;
ii. Is retained in the format in which it was generated, sent or received, or in a format which can be demonstrated
to accurately represent the electronic data message or electronic document generated, sent or received;
iii. Enables the identification of its originator and addressee, as well as the determination of the date and
the time it was sent or received.
b. The requirement referred to in paragraph (a) is satisfied by using the services of a third party, provided that
the conditions set forth in subparagraphs (1), (2) and (3) of paragraph (a) are met.

Proof by Affidavit: The matters referred on admissibility and on the presumption of integrity, may be presumed
to have been established by an affidavit given to the best of the deponent's knowledge subject to the rights of
parties in interest as defined in the cross-examination provided below.

Cross – Examination:
1. A deponent of an affidavit referred to above that has been introduced in evidence may be cross-examined as of
right by a party to the proceedings who is adverse in interest to the party who has introduced the affidavit or has
caused the affidavit to be introduced.
2. Any party to the proceedings has the right to cross-examine a person who is not a party to the proceedings
and who did not act under the control of the party using the record proving that the electronic data message or
electronic document was recorded or stored in the usual and ordinary course of business.

Page 3 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE ACT, DATA PRIVACY ACT and EASE OF DOING BUSINESS ACT RFBT-15
COMMUNICATION OF ELECTRONIC DATA MESSAGES OR ELECTRONIC DOCUMENTS
Formation of Validity of Electronic Contracts:
1. Except as otherwise agreed by the parties, (1) an offer, (2) the acceptance of an offer and (3) such other
elements required under existing laws for the formation of contracts may be expressed in, demonstrated and
proved by means of electronic data messages or electronic documents and no contract shall be denied validity
or enforceability on the sole ground that it is in the form of an electronic data message or electronic document, or
that any or all of the elements required under existing laws for the formation of contracts is expressed, demonstrated
and proved by means of electronic data messages or electronic documents.
2. Electronic transactions made through networking among banks, or linkages thereof with other entities or
networks, and vice versa:
a. shall be deemed consummated upon the actual dispensing of cash or the debit of one account and the
corresponding credit to another, whether such transaction is initiated by the depositor or by an authorized
collecting party.
b. The obligation of one bank, entity, or person similarly situated to another arising therefrom shall considered
absolute and shall not be subjected to the process of preference of credits.

Recognition by Parties of Electronic Data Message or Electronic document: As between the originator and
the addressee of an electronic data message or electronic document, a declaration of will or other statement shall not
be denied legal effect, validity or enforceability solely on the ground that it is in the form of an electronic data
message or electronic document.

Attribution of Electronic Data Message:

1. The Electronic Data Message or Electronic Document is that of the originator:
a. If it was sent by the originator himself.
b. As between the originator and the addressee, an electronic data message or electronic document is deemed to
be that of the originator if it was sent:
i. by a person who had the authority to act on behalf of the originator with respect to that electronic
data message or electronic document; or
ii. by an information system programmed by, or on behalf of the originator to operate automatically.
2. As between the originator and the addressee, an addressee is entitled to regard an electronic data message
or electronic document as being that of the originator, and to act on that assumption, if:
a. in order to ascertain whether the electronic data message or electronic document was that of the originator,
the addressee properly applied a procedure previously agreed to by the originator for that purpose; or
b. the electronic data message or electronic document as received by the addressee resulted from the actions
of a person whose relationship with the originator or with any agent of the originator enabled that
person to gain access to a method used by the originator to identify electronic data message or electronic
documents as his own.

The above does not apply:

i. as of the time when the addressee has both received notice from the originator that the electronic data
message or electronic document is not that of the originator, and has reasonable time to act
accordingly; or
ii. in a case within paragraph (2) sub-paragraph (b), at any time when the addressee knew or should have
known, had it exercised reasonable care of used any agreed procedure, that the electronic data message or
electronic document was not that of the originator.
iii. That the transmission resulted in any error in the electronic data message or electronic document as
received.
3. The addressee is entitled to regard each electronic data message or electronic document received as a separate
electronic data message or electronic document and to act on that assumption.

Except
a. To the extent that it duplicates another electronic data message or electronic document and
b. The addressee knew or should have known, had it exercised reasonable care or used any agreed procedure,
that the electronic data message or electronic document was a duplicate.

Error on Electronic Data Message or Electronic Document: The addressee is entitled to regard the electronic
data message or electronic document received as that which the originator intended to send, and to act on that
assumption, unless the addressee knew or should have known, had the addressee exercised reasonable care or
used the appropriate procedure –
a. That the transmission resulted in any error therein or in the electronic data message or electronic document
enters the designated information system, or
b. That electronic data message or electronic document is sent to an information system which is not so
designated by the addressee for the purposes.

Acknowledgement of Receipt of Electronic Data Message or Electronic Document:

General Rule: No acknowledgment of receipt is necessary
Exceptions:
1. If the parties agree to it
2. Originator requested in the EDM/ED
Modes of acknowledgement when required:
1. Agreement as to particular method – to be followed
2. No agreement as to particular method:
a. Any communication by the addressee
b. Any conduct of the addressee sufficient to indicate the receipt to the originator

Page 4 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE ACT, DATA PRIVACY ACT and EASE OF DOING BUSINESS ACT RFBT-15
Instances when the originator can regard non-receipt since there was no acknowledgment:
1. When the originator stated the effect or significance of acknowledgment or the ED is CONDITIONAL upon
receipt
2. No statement as to effect/significance – originator gave notice stating that no acknowledgement has been received
and specifying a reasonable time by which acknowledgement is to be received, and no acknowledgement is
received within such reasonable time.

Time of Dispatch of Electronic Data Messages or Electronic Documents: General Rule: the dispatch of an
electronic data message or electronic document occurs when it enters an information system outside the control
of the originator or of the person who sent the electronic data message or electronic document on behalf of the
originator.

Except: when otherwise agreed upon.

Time of Receipt of Electronic Data Messages or Electronic Documents. – Unless otherwise agreed between the
originator and the addressee, the time of receipt of an electronic data message or electronic document is as follows:
a. Upon entry in the designated information system – if the parties has designated an information system for the
purpose of receiving electronic data messages or electronic documents
b. Upon retrieval by the addressee:
i. There is a designated information system, but the originator and the addressee are both participants in
the designated information system;
ii. The electronic message or electronic document enters an information system of the address that is not the
designated information system;
c. Upon entry in the information system of the addressee - The parties did not designate an information
system.

These rules apply notwithstanding that the place where the information system is located may be different from the
place where the electronic data message or electronic document is deemed to be received.

Place of Dispatch and Receipt of Electronic Data Messages or Electronic Documents: Unless otherwise
agreed between the originator and the addressee, an electronic data message or electronic document is deemed to be:
1. dispatched at the place where the originator has its place of business and
2. received at the place where the addressee has its place of business.

This rule shall apply even if the originator or addressee had used a laptop other portable device to transmit or received
his electronic data message or electronic document. These rules shall also apply to determine the tax situs of such
transaction.

For the purpose hereof –

a. If the originator or addressee has more than one place of business is that which has the closest relationship
to the underlying transaction or, where there is no underlying transaction, the principal place of business.
b. If the originator or the addressee does not have a place of business, reference is to be made to its habitual
residence; or
c. The "usual place of residence" in relation to a body corporate, means the place where it is incorporated or
otherwise legally constituted.

Choice of Security Methods: Subject to applicable laws and /or rules and guidelines promulgated by the DTI with
other appropriate government agencies, parties to any electronic transaction shall be free to:
1. Determine the type of level of electronic data message or electronic document security needed, and
2. To select and use or implement appropriate technological methods that suit their need.

ELECTRONIC COMMERCE IN CARRIAGE OF GOODS

Actions Related to Contracts of Carriage of Goods: applies to any action in connection with, or in pursuance of, a
contract of carriage of goods, including but not limited to:
a. (i) furnishing the marks, number, quantity or weight of goods;
(ii) stating or declaring the nature or value of goods;
(iii) issuing a receipt for goods;
(iv) confirming that goods have been loaded;
b. (i) notifying a person of terms and conditions of the contract;
(ii) giving instructions to a carrier;
c. (i) claiming delivery of goods;
(ii) authorizing release of goods;
(iii) giving notice of loss of, or damage to goods;
d. giving any other notice or statement in connection with the performance of the contract;
e. undertaking to deliver goods to a named person or a person authorized to claim delivery;
f. granting, acquiring, renouncing, surrendering, transferring or negotiating rights in goods;
g. acquiring or transferring rights and obligations under the contract.

Transport Documents:
1. Where the law requires that any action referred to contract of carriage of goods be carried out in writing or by
using a paper document, that requirement is met if the action is carried out by using one or more electronic data
messages or electronic documents.

The above applies whether the requirement there in is in the form of an obligation or whether the law simply provides
consequences for failing either to carry out the action in writing or to use a paper document.

Page 5 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE ACT, DATA PRIVACY ACT and EASE OF DOING BUSINESS ACT RFBT-15
2. If (a) a right is to be granted to, or (b) an obligation is to be acquired by, one person and no person, and if
the law requires that, in order to effect this, the right or obligation must be conveyed to that person by the
transfer, or use of, a paper document, that requirement is met if the right or obligation is conveyed by using one
or more electronic data messages or electronic documents: Provided, that a reliable method is used to render such
electronic data messages or electronic documents unique.
For the purposes of above, the standard of reliability required shall be assessed in the light of the purpose for which
the right or obligation was conveyed and in the light of all the circumstances, including any relevant agreement.
3. Where one or more electronic data messages or electronic documents are used to effect any action in subparagraph
(f) and (g) of the above (Actions Related to Contracts of Carriage of Goods), no paper document used to effect any
such action is valid unless the use of electronic data message or electronic document has been terminated and
replaced by the used of paper documents. A paper document issued in these circumstances shall contain a
statement of such termination. The replacement of the electronic data messages or electronic documents by
paper documents shall not affect the rights or obligation of the parties involved.
4. If a rule of law is compulsorily applicable to a contract of carriage of goods which is in, or is evidenced by, a
paper document, that rule shall not be inapplicable to such a contract of carriage of goods which is evidenced
by one or more electronic data messages or electronic documents by reason of the fact that the contract is evidenced
by such electronic data message or electronic documents instead of by a paper document.

ELECTRONIC TRANSACTIONS IN GOVERNMENT

Government Use of Electronic Data Messages, Electronic Documents and Electronic Signature:
Notwithstanding any law to the contrary, within two (2) years from the date of the effectivity of the Act, all
departments, bureaus, offices and agencies of the government, as well as all government-owned and –controlled
corporations, that pursuant to law require or accept the filing of documents, require that documents be created, or
retained and/or submitted, issue permits, licenses or certificates of registration or approval, or provide for the method
and manner of payment or settlement of fees and other obligations to the government, shall –
a. accept the creation, filing or retention of such documents in the form of electronic data messages or electronic
documents;
b. issue permits, licenses, or approval in the form of electronic data messages or electronic documents;
c. require and/or accept payments, and issue receipt acknowledging such payments, through systems using electronic
data messages or electronic documents; or
d. transact the government business and/or perform governmental factions using electronic data messages or
electronic documents, and for the purpose, are authorized to adopt and promulgate, after appropriate public hearing
and with due publications in newspapers of general circulation, the appropriate rules, regulations, or guidelines, to,
among others, specify –
1. the manner and format in which such electronic data messages or electronic documents shall be filed, created,
retained or issued;
2. where and when such electronic data messages or electronic documents have to signed, the use of an electronic
signature, the type of electronic signature required;
3. the format of an electronic data message or electronic document and the manner the electronic signature shall
be affixed to the electronic data messages or electronic documents;
4. the control processes and procedures appropriate to ensure adequate integrity, security and confidentiality of
electronic data messages or electronic documents or records of payments;
5. other attributes required to electronic data messages or electronic documents; and
6. the full or limited use of the documents and papers for compliance with the government
requirements: provided, That the Act shall be itself mandate any department of the government, organ of state
or statutory corporation to accept or issue any document in the form of electronic data messages or electronic
documents upon the adoption, promulgation and publication of the appropriate rules, regulations or guidelines.

DATA PRIVACY ACT (RA No. 10173)

DEFINITION OF TERMS
Commission shall refer to the National Privacy Commission created by virtue of this Act.

Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject
agrees to the collection and processing of personal information about and/or relating to him or her. Consent shall be
evidenced by written, electronic or recorded means. It may also be given on behalf of the data subject by an agent
specifically authorized by the data subject to do so.

Data subject refers to an individual whose personal information is processed.

Direct marketing refers to communication by whatever means of any advertising or marketing material which is
directed to particular individuals.

Filing system refers to any act of information relating to natural or juridical persons to the extent that, although the
information is not processed by equipment operating automatically in response to instructions given for that purpose,
the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way
that specific information relating to a particular person is readily accessible.

Information and Communications System refers to a system for generating, sending, receiving, storing or otherwise
processing electronic data messages or electronic documents and includes the computer system or other similar device
by or which data is recorded, transmitted or stored and any procedure related to the recording, transmission or storage
of electronic data, electronic message, or electronic document.

Page 6 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE ACT, DATA PRIVACY ACT and EASE OF DOING BUSINESS ACT RFBT-15
Personal information controller refers to a person or organization who controls the collection, holding, processing
or use of personal information, including a person or organization who instructs another person or organization to
collect, hold, process, use, transfer or disclose personal information on his or her behalf. The term excludes:
1. A person or organization who performs such functions as instructed by another person or organization; and
2. An individual who collects, holds, processes or uses personal information in connection with the individual’s
personal, family or household affairs.

Personal information processor refers to any natural or juridical person qualified to act as such under this Act to
whom a personal information controller may outsource the processing of personal data pertaining to a data
subject.
SCOPE OF APPLICATION

Applicability:
1. The processing of all types of personal information and
2. To any natural and juridical person involved in personal information processing including those personal
information controllers and processors who, although not found or established in the Philippines, use equipment
that are located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to
the immediately succeeding paragraph.

Does not apply to:

1. Information about any individual who is or was an officer or employee of a government institution that relates
to the position or functions of the individual, including:
a. The fact that the individual is or was an officer or employee of the government institution;
b. The title, business address and office telephone number of the individual;
c. The classification, salary range and responsibilities of the position held by the individual; and
d. The name of the individual on a document prepared by the individual in the course of employment with the
government;
2. Information about an individual who is or was performing service under contract for a government institution
that relates to the services performed, including the terms of the contract, and the name of the individual given in
the course of the performance of those services;
3. Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit
given by the government to an individual, including the name of the individual and the exact nature of the benefit;
4. Personal information processed for journalistic, artistic, literary or research purposes;
5. Information necessary in order to carry out the functions of public authority which includes the processing of
personal data for the performance by the independent, central monetary authority and law enforcement and
regulatory agencies of their constitutionally and statutorily mandated functions.

No amendments or repeal to the following laws:

a. Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act;
b. Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and
c. Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);
6. Information necessary for banks and other financial institutions under the jurisdiction of the independent,
central monetary authority or Bangko Sentral ng Pilipinas to comply with the CISA and Republic Act No. 9160, as
amended, otherwise known as the Anti-Money Laundering Act and other applicable laws; and
7. Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of
those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

Protection Afforded to Journalists and Their Sources: No amendment or repeal of Republic Act No. 53, which
affords the publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general
circulation protection from being compelled to reveal the source of any news report or information appearing in
said publication which was related in any confidence to such publisher, editor, or reporter.

Extraterritorial Application: The Data Privacy Act applies to an act done or practice engaged in and outside of the
Philippines by an entity if:
1. The act, practice or processing relates to personal information about a Philippine citizen or a resident;
2. The entity has a link with the Philippines, and the entity is processing personal information in the Philippines or
even if the processing is outside the Philippines as long as it is about Philippine citizens or residents such as, but
not limited to, the following:
a. A contract is entered in the Philippines;
b. A juridical entity unincorporated in the Philippines but has central management and control in the country;
and
c. An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of
the Philippine entity has access to personal information; and
3. The entity has other links in the Philippines such as, but not limited to:
a. The entity carries on business in the Philippines; and
b. The personal information was collected or held by an entity in the Philippines.

DATA PRIVACY PRINCIPLES

The processing of personal information shall be allowed, subject to:
1. Compliance with the requirements of the Data Privacy Act and other laws allowing disclosure of information to the
public and
2. Adherence to the following principles:
a. Principle of Proportionality: The Processing of Personal data shall be adequate, relevant, suitable, necessary,
and not excessive in relation to a declared and specified purpose. Personal Data shall be processed by the
Company only if the purpose of the Processing could not reasonably be fulfilled by other means.

Page 7 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE ACT, DATA PRIVACY ACT and EASE OF DOING BUSINESS ACT RFBT-15
b. Principle of Legitimate Purpose: The Processing of Personal Data by the Company shall be compatible with
a declared and specified purpose which must not be contrary to law, morals, or public policy.
c. Principle of Transparency: The Data Subject must be aware of the nature, purpose, and extent of the
Processing of his or her Personal Data by the Company, including the risks and safeguards involved, the identity
of persons and entities involved in processing his or her Personal Data, his or her rights as a Data Subject, and
how these can be exercised. Any information and communication relating to the Processing of Personal Data
should be easy to access and understand, using clear and plain language.

PROCESSING OF PERSONAL INFORMATION

Processing refers to any operation or any set of operations performed upon personal information including, but not
limited to:
1. Collection, 7. Consultation,
2. Recording, 8. Use,
3. Organization, 9. Consolidation,
4. Storage, 10. Blocking,
5. Updating Or Modification, 11. Erasure Or
6. Retrieval, 12. Destruction of data.

PERSONAL INFORMATION, whether recorded in a material form or not, are those from which the identity of an
individual:
1. is apparent, or
2. can be reasonably and directly ascertained by the entity holding the information, or
3. when put together with other information would directly and certainly identify an individual

Examples: include the Data Owner’s Name, Home address and Phone number
Personal information must be:
1. Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable
after collection, and later processed in a way compatible with such declared, specified and legitimate purposes only;
2. Processed fairly and lawfully;
3. Accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal
information, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their
further processing restricted;
4. Adequate and not excessive in relation to the purposes for which they are collected and processed;
5. Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the
establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law; and
6. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for
which the data were collected and processed: Provided, That personal information collected for other purposes may
lie processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer
periods: Provided, further, That adequate safeguards are guaranteed by said laws authorizing their processing.

The personal information controller must ensure implementation of personal information processing principles set out
herein.
Criteria for Lawful Processing of Personal Information: The processing of personal information shall be permitted
only if not otherwise prohibited by law, and when at least one of the following conditions exists:
1. The data subject has given his or her consent;
2. The processing of personal information is necessary and is related to the fulfillment of a contract with the data
subject or in order to take steps at the request of the data subject prior to entering into a contract;
3. The processing is necessary for compliance with a legal obligation to which the personal information controller
is subject;
4. The processing is necessary to protect vitally important interests of the data subject, including life and health;
5. The processing is necessary in order to respond to national emergency, to comply with the requirements of
public order and safety, or to fulfill functions of public authority which necessarily includes the processing of
personal data for the fulfillment of its mandate; or
6. The processing is necessary for the purposes of the legitimate interests pursued by the personal information
controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden
by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

PRIVILEGED INFORMATION refers to any and all forms of data which under the Rules of Court and other pertinent
laws constitute privileged communication.

Examples include:
1. Attorney-client privileged information
2. Doctor-patient privileged information
3. Marital privilege communication
4. Priest-confessor privileged information

SENSITIVE PERSONAL INFORMATION refers to personal information:

1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political
affiliations;
2. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense
committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence
of any court in such proceedings;
3. Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers,
previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
4. Specifically established by an executive order or an act of Congress to be kept classified.

Page 8 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE ACT, DATA PRIVACY ACT and EASE OF DOING BUSINESS ACT RFBT-15
Sensitive Personal Information and Privileged Information: The processing of sensitive personal information and
privileged information shall be prohibited, except in the following cases:
1. The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of
privileged information, all parties to the exchange have given their consent prior to processing;
2. The processing of the same is provided for by existing laws and regulations, provided:
a. Such regulatory enactments guarantee the protection of the sensitive personal information and the privileged
information; and
b. The consent of the data subjects are not required by law or regulation permitting the processing of the sensitive
personal information or the privileged information;
3. The processing is necessary to protect the life and health of the data subject or another person, and the data
subject is not legally or physically able to express his or her consent prior to the processing;
4. The processing is necessary to achieve the lawful and noncommercial objectives of public organizations
and their associations: provided:
a. That such processing is only confined and related to the bona fide members of these organizations or their
associations;
b. That the sensitive personal information are not transferred to third parties; and
c. That consent of the data subject was obtained prior to processing;
5. The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a
medical treatment institution, and an adequate level of protection of personal information is ensured; or
6. The processing concerns such personal information as is necessary for the protection of lawful rights and
interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal
claims, or when provided to government or public authority.

Subcontract of Personal Information: A personal information controller may subcontract the processing of
personal information.

The personal information controller shall be responsible for ensuring that proper safeguards are in place to ensure:
1. The confidentiality of the personal information processed,
2. Prevent its use for unauthorized purposes, and generally,
3. Comply with the requirements of the Data Privacy Act and other laws for processing of personal information.

The personal information processor shall comply with all the requirements of the Data Privacy Act and other applicable
laws.

Extension of Privileged Communication: Personal information controllers may invoke the principle of privileged
communication over privileged information that they lawfully control or process. Subject to existing laws and regulations,
any evidence gathered on privileged information is inadmissible.

ILLUSTRATION: Examples of Personal Information, Sensitive Personal Information or Privileged Information:

Information Classification
Gender
School graduated from and date graduated
E-mail address
Laptop’s IP address
Bank account number
Home address
Income tax return
Location tracked using an app (e.g., Grab)
Court cases filed against the individual
Disclosures made to an auditor

RIGHTS OF THE DATA SUBJECT

Rights of the Data Subject:

1. Right to Informed Consent – The data subject shall be informed whether personal information pertaining to him or
her shall be, are being or have been processed;

The following information must be provided before the entry of the personal information into the processing
system, or at the next practical opportunity:
a. Description of the personal information to be entered into the system;
b. Purposes for which they are being or are to be processed;
c. Scope and method of the personal information processing;
d. The recipients or classes of recipients to whom they are or may be disclosed;
e. Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which
such access is authorized;
f. The identity and contact details of the personal information controller or its representative;
g. The period for which the information will be stored; and
h. The existence of their rights, i.e., to access, correction, as well as the right to lodge a complaint before the
Commission.

2. Right to Object: The data subject shall have the right to object to the processing of his or her personal data,
including processing for direct marketing, automated processing or profiling.

Page 9 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE ACT, DATA PRIVACY ACT and EASE OF DOING BUSINESS ACT RFBT-15
3. Right to Withhold Consent: The data subject shall be notified and given an opportunity to withhold consent to
the processing in case of changes or any amendment to the information supplied or declared to the data subject in
the preceding paragraph

Amendment of information: Any information supplied or declaration made to the data subject on these matters shall
not be amended without prior notification of data subject. Except: the notification shall not apply should the
personal information be needed pursuant to a subpoena or when the collection and processing are for obvious
purposes, including when it is necessary for the performance of or in relation to a contract or service or when
necessary or desirable in the context of an employer-employee relationship, between the collector and the data
subject, or when the information is being collected and processed as a result of legal obligation.

4. Right to Access: The data subject has reasonable access to, upon demand, the following:
a. Contents of his or her personal information that were processed;
b. Sources from which personal information were obtained;
c. Names and addresses of recipients of the personal information;
d. Manner by which such data were processed;
e. Reasons for the disclosure of the personal information to recipients;
f. Information on automated processes where the data will or likely to be made as the sole basis for any
decision significantly affecting or will affect the data subject;
g. Date when his or her personal information concerning the data subject were last accessed and modified; and
h. The designation, or name or identity and address of the personal information controller.

5. Right to Correction: The data subject shall have the right to dispute the inaccuracy or error in the personal
information and have the personal information controller correct it immediately and accordingly, unless the request
is vexatious or otherwise unreasonable.

If the personal information have been corrected, the personal information controller shall ensure the accessibility
of both the new and the retracted information and the simultaneous receipt of the new and the retracted
information by recipients thereof: Provided, That the third parties who have previously received such processed
personal information shall he informed of its inaccuracy and its rectification upon reasonable request of the data
subject;

6. Right to Erasure: the data subject shall have the right to suspend, withdraw or order the blocking, removal or
destruction of his or her personal information from the personal information controller’s filing system upon
discovery and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained,
used for unauthorized purposes or are no longer necessary for the purposes for which they were collected. In this
case, the personal information controller may notify third parties who have previously received such processed
personal information;

7. Right to Damages: The data subject shall be indemnified for any damages sustained due to such inaccurate,
incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information.

8. Right to Data Portability: The right of the data subject to obtain from the personal information controller a copy
of data, where personal information is processed:
a. by electronic means and
b. in a structured and commonly used format.

The Commission may specify the electronic format referred to above, as well as the technical standards, modalities
and procedures for their transfer.

Transmissibility of Rights of the Data Subject: The lawful heirs and assigns of the data subject may invoke the
rights of the data subject for which he or she is an heir or assignee at any time after the death of the data subject
or when the data subject is incapacitated or incapable of exercising the rights as enumerated above.

Non-Applicability of Rights: The above rights of a data subject are not applicable:
1. If the processed personal information are used only for the needs of scientific and statistical research and,
on the basis of such, no activities are carried out and no decisions are taken regarding the data
subject: Provided, That the personal information shall be held under strict confidentiality and shall be used only for
the declared purpose; and
2. To processing of personal information gathered for the purpose of investigations in relation to any criminal,
administrative or tax liabilities of a data subject.

SECURITY OF PERSONAL INFORMATION

Security of Personal Information:

1. The personal information controller must implement reasonable and appropriate organizational, physical and
technical measures intended for the protection of personal information against any accidental or unlawful
destruction, alteration and disclosure, as well as against any other unlawful processing.
2. The personal information controller shall implement reasonable and appropriate measures to protect personal
information against natural dangers such as accidental loss or destruction, and human dangers such as unlawful
access, fraudulent misuse, unlawful destruction, alteration and contamination.
3. The determination of the appropriate level of security must take into account (1) the nature of the personal
information to be protected, (2) the risks represented by the processing, (3) the size of the organization and
complexity of its operations, (4) current data privacy best practices and (5) the cost of security
implementation.

Page 10 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE ACT, DATA PRIVACY ACT and EASE OF DOING BUSINESS ACT RFBT-15
Subject to guidelines as the Commission may issue from time to time, the measures implemented must include:
a. Safeguards to protect its computer network against accidental, unlawful or unauthorized usage or interference
with or hindering of their functioning or availability;
b. A security policy with respect to the processing of personal information;
c. A process for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks,
and for taking preventive, corrective and mitigating action against security incidents that can lead to a security
breach; and
d. Regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action
against security incidents that can lead to a security breach.
4. The personal information controller must further ensure that third parties processing personal information on its
behalf shall implement the security measures required by this provision.
5. The employees, agents or representatives of a personal information controller who are involved in the
processing of personal information shall operate and hold personal information under strict confidentiality if the
personal information is not intended for public disclosure. This obligation shall continue even after leaving the public
service, transfer to another position or upon termination of employment or contractual relations.
6. The personal information controller shall promptly notify the Commission and affected data subjects when
sensitive personal information or other information that may, under the circumstances, be used to enable identity
fraud are reasonably believed to have been acquired by an unauthorized person, and the personal information
controller or the Commission believes that such unauthorized acquisition is likely to give rise to a real risk of
serious harm to any affected data subject.

Notification to the Commission: The notification shall at least describe the nature of the breach, the sensitive
personal information possibly involved, and the measures taken by the entity to address the breach. Notification
may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures,
or to restore reasonable integrity to the information and communications system.
a. In evaluating if notification is unwarranted, the Commission may take into account compliance by the personal
information controller with this provision and existence of good faith in the acquisition of personal information.
b. The Commission may exempt a personal information controller from notification where, in its reasonable
judgment, such notification would not be in the public interest or in the interests of the affected data subjects.
c. The Commission may authorize postponement of notification where it may hinder the progress of a criminal
investigation related to a serious breach.
Period to report: If there is likelihood of risk to individuals, the data processor must report data breaches within
72 hours.
DATA BREACH NOTIFICATION

NOTIFICATION OF THE COMMISSION: The personal information controller shall notify the Commission of a personal
data breach subject to the following procedures:

When Notification Should be Done: The Commission shall be notified within seventy-two (72) hours upon
knowledge of or the reasonable belief by the personal information controller or personal information processor that a
personal data breach has occurred.

Delay in Notification: Notification may only be delayed to the extent necessary to determine the scope of the breach,
to prevent further disclosures, or to restore reasonable integrity to the information and communications system. The
personal information controller need not be absolutely certain of the scope of the breach prior to notification. Its inability
to immediately secure or restore integrity to the information and communications system shall not be a ground for any
delay in notification, if such delay would be prejudicial to the rights of the data subjects. Delay in notification shall not
be excused if it is used to perpetuate fraud or to conceal the personal data breach.

When delay is prohibited: There shall be no delay in the notification if the breach involves at least one hundred (100)
data subjects, or the disclosure of sensitive personal information will harm or adversely affect the data subject. In both
instances, the Commission shall be notified within the 72-hour period based on available information. The full report of
the personal data breach must be submitted within five (5) days, unless the personal information controller is granted
additional time by the Commission to comply.

Content of Notification: The notification shall include, but not be limited to:
1. Nature of the Breach
a. description of how the breach occurred and the vulnerability of the data processing system that allowed the
breach;
b. a chronology of the events leading up to the loss of control over the personal data;
c. approximate number of data subjects or records involved;
d. description or nature of the personal data breach;
e. description of the likely consequences of the personal data breach; and
f. name and contact details of the data protection officer or any other accountable persons.
2. Personal Data Possibly Involved
a. description of sensitive personal information involved; and
b. description of other information involved that may be used to enable identity fraud.
3. Measures Taken to Address the Breach
a. description of the measures taken or proposed to be taken to address the breach;
b. actions being taken to secure or recover the personal data that were compromised;
c. actions performed or proposed to mitigate possible harm or negative consequences, and limit the damage or
distress to those affected by the incident;
d. action being taken to inform the data subjects affected by the incident, or reasons for any delay in the
notification;
e. the measures being taken to prevent a recurrence of the incident.

Page 11 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE ACT, DATA PRIVACY ACT and EASE OF DOING BUSINESS ACT RFBT-15
The Commission reserves the right to require additional information, if necessary.

Form: Notification shall be in the form of a report, whether written or electronic, containing the required contents of
notification: Provided, that the report shall also include the name and contact details of the data protection officer and
a designated representative of the personal information controller: Provided further, that, where applicable, the manner
of notification of the data subjects shall also be included in the report. Where notification is transmitted by electronic
mail, the personal information controller shall ensure the secure transmission thereof. Upon receipt of the notification,
the Commission shall send a confirmation to the personal information controller. A report is not deemed filed without
such confirmation. Where the notification is through a written report, the received copy retained by the personal
information controller shall constitute proof of such confirmation

SUBCONTRACT OF PERSONAL INFORMATION

SUBCONTRACT OF PERSONAL DATA: A personal information controller may subcontract or outsource the processing
of personal data: Provided, that the personal information controller shall use contractual or other reasonable means to
ensure that proper safeguards are in place, to ensure the confidentiality, integrity and availability of the personal data
processed, prevent its use for unauthorized purposes, and generally, comply with the requirements of the Act, these
Rules, other applicable laws for processing of personal data, and other issuances of the Commission.

AGREEMENTS FOR OUTSOURCING: Processing by a personal information processor shall be governed by a contract
or other legal act that binds the personal information processor to the personal information controller.

a. The contract or legal act shall set out the subject-matter and duration of the processing, the nature and purpose of
the processing, the type of personal data and categories of data subjects, the obligations and rights of the personal
information controller, and the geographic location of the processing under the subcontracting agreement.
b. The contract or other legal act shall stipulate, in particular, that the personal information processor shall:
1. Process the personal data only upon the documented instructions of the personal information controller,
including transfers of personal data to another country or an international organization, unless such transfer is
authorized by law;
2. Ensure that an obligation of confidentiality is imposed on persons authorized to process the personal data;
3. Implement appropriate security measures and comply with the Act, these Rules, and other issuances of the
Commission;
4. Not engage another processor without prior instruction from the personal information controller: Provided, that
any such arrangement shall ensure that the same obligations for data protection under the contract or legal act
are implemented, taking into account the nature of the processing;
5. Assist the personal information controller, by appropriate technical and organizational measures and to the
extent possible, fulfill the obligation to respond to requests by data subjects relative to the exercise of their
rights;
6. Assist the personal information controller in ensuring compliance with the Act, these Rules, other relevant laws,
and other issuances of the Commission, taking into account the nature of processing and the information
available to the personal information processor;
7. At the choice of the personal information controller, delete or return all personal data to the personal information
controller after the end of the provision of services relating to the processing: Provided, that this includes
deleting existing copies unless storage is authorized by the Act or another law;
8. Make available to the personal information controller all information necessary to demonstrate compliance with
the obligations laid down in the Act, and allow for and contribute to audits, including inspections, conducted by
the personal information controller or another auditor mandated by the latter;
9. Immediately inform the personal information controller if, in its opinion, an instruction infringes the Act, these
Rules, or any other issuance of the Commission.

DUTY OF PERSONAL INFORMATION PROCESSOR: The personal information processor shall comply with the
requirements of the Act, these Rules, other applicable laws, and other issuances of the Commission, in addition to
obligations provided in a contract, or other legal act with a personal information controller.

REGISTRATION AND COMPLIANCE REQUIREMENTS

ENFORCEMENT OF THE DATA PRIVACY ACT: Pursuant to the mandate of the Commission to administer and
implement the Act, and to ensure the compliance of personal information controllers with its obligations under the law,
the Commission requires the following:
a. Registration of personal data processing systems operating in the country that involves accessing or requiring
sensitive personal information of at least one thousand (1,000) individuals, including the personal data processing
system of contractors, and their personnel, entering into contracts with government agencies;
b. Notification of automated processing operations where the processing becomes the sole basis of making decisions
that would significantly affect the data subject;
c. Annual report of the summary of documented security incidents and personal data breaches;
d. Compliance with other requirements that may be provided in other issuances of the Commission.

REGISTRATION OF PERSONAL DATA PROCESSING SYSTEMS.

The personal information controller or personal information processor that employs fewer than two hundred fifty (250)
persons shall not be required to register unless the processing it carries out is likely to pose a risk to the rights and
freedoms of data subjects, the processing is not occasional, or the processing includes sensitive personal information of
at least one thousand (1,000) individuals.

Page 12 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE ACT, DATA PRIVACY ACT and EASE OF DOING BUSINESS ACT RFBT-15
Contents: The contents of registration shall include:
1. The name and address of the personal information controller or personal information processor, and of its
representative, if any, including their contact details;
2. The purpose or purposes of the processing, and whether processing is being done under an outsourcing or
subcontracting agreement;
3. A description of the category or categories of data subjects, and of the data or categories of data relating to them;
4. The recipients or categories of recipients to whom the data might be disclosed;
5. Proposed transfers of personal data outside the Philippines;
6. A general description of privacy and security measures for data protection;
7. Brief description of the data processing system;
8. Copy of all policies relating to data governance, data privacy, and information security;
9. Attestation to all certifications attained that are related to information and communications processing; and
10. Name and contact details of the compliance or data protection officer, which shall immediately be updated in case
of changes.

Procedure: The procedure for registration shall be in accordance with these Rules and other issuances of the Commission.
NOTIFICATION OF AUTOMATED PROCESSING OPERATIONS. The personal information controller carrying out any
wholly or partly automated processing operations or set of such operations intended to serve a single purpose or several
related purposes shall notify the Commission when the automated processing becomes the sole basis for making
decisions about a data subject, and when the decision would significantly affect the data subject.
a. The notification shall include the following information:
1. Purpose of processing;
2. Categories of personal data to undergo processing;
3. Category or categories of data subject;
4. Consent forms or manner of obtaining consent;
5. The recipients or categories of recipients to whom the data are to be disclosed;
6. The length of time the data are to be stored;
7. Methods and logic utilized for automated processing;
8. Decisions relating to the data subject that would be made on the basis of processed data or that would
significantly affect the rights and freedoms of data subject; and
9. Names and contact details of the compliance or data protection officer.

b. No decision with legal effects concerning a data subject shall be made solely on the basis of automated processing
without the consent of the data subject.

REVIEW BY THE COMMISSION: The following are subject to the review of the Commission, upon its own initiative or
upon the filing of a complaint by a data subject:
a. Compliance by a personal information controller or personal information processor with the Act, these Rules, and
other issuances of the Commission;
b. Compliance by a personal information controller or personal information processor with the requirement of
establishing adequate safeguards for data privacy and security;
c. Any data sharing agreement, outsourcing contract, and similar contracts involving the processing of personal data,
and its implementation;
d. Any off-site or online access to sensitive personal data in government allowed by a head of agency;
e. Processing of personal data for research purposes, public functions, or commercial activities;
f. Any reported violation of the rights and freedoms of data subjects;
g. Other matters necessary to ensure the effective implementation and administration of the Act, these Rules, and
other issuances of the Commission

EASE OF DOING BUSINESS ACT

(RA No. 11032)
DECLARATION OF POLICY: It is hereby declared the policy of the State to promote integrity, accountability, proper
management of public affairs and public property as well as to establish effective practices, aimed at efficient turnaround
of the delivery of government services and the prevention of graft and corruption in government. Towards this end, the
State shall maintain honesty and responsibility among its public officials and employees, and shall take appropriate
measures to promote transparency in each agency with regard to the manner of transacting with the public, which shall
encompass a program for the adoption of simplified requirements and procedures that will reduce red tape and expedite
business and nonbusiness related transactions in government.

DEFINITION OF TERMS

Action refers to the written approval or disapproval made by a government office or agency on the
application or request submitted by an applicant or requesting party for processing;
Business One a single common site or location, or a single online website or portal designated for the Business
Stop Shop Permit and Licensing System (BPLS) of an LGU to receive and process applications, receive
(BOSS) payments, and issue approved licenses, clearances, permits, or authorizations;
Business- a set of regulatory requirements that a business entity must comply with to engage, operate or
related continue to operate a business, such as, but not limited to, collection or preparation of a number of
transactions documents, submission to national and local government authorities, approval of application
submitted, and receipt of a formal certificate or certificates, permits, licenses which include primary
and secondary, clearances and such similar authorization or documents which confer eligibility to
operate or continue to operate as a legitimate business

Page 13 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE ACT, DATA PRIVACY ACT and EASE OF DOING BUSINESS ACT RFBT-15
Complex applications or requests submitted by applicants or requesting parties of a government office which
transactions necessitate evaluation in the resolution of complicated issues by an officer or employee of said
government office, such transactions to be determined by the office concerned;
Fixer any individual whether or not officially involved in the operation of a government office or agency
who has access to people working therein, and whether or not in collusion with them, facilitates
speedy completion of transactions for pecuniary gain or any other advantage or consideration;
Government the process or transaction between applicants or requesting parties and government offices or
service agencies involving applications for any privilege, right, reward, license, clearance, permit or
authorization, concession, of for any modification, renewal or extension of the enumerated
applications or requests which are acted upon in the ordinary course of business of the agency or
office concerned
Highly an application which requires the use of technical knowledge, specialized skills and/or training in
technical the processing and/or evaluation thereof
application
Nonbusiness all other government transactions not falling under Section 4 (c) of this Act
transactions
Officer or a person employed in a government office or agency required to perform specific duties and
employee responsibilities related to the application or request submitted by an applicant or requesting party
for processing
Processing the time consumed by an LGU or national government agency (NGA) from the receipt of an
time application or request with complete requirements, accompanying documents and payment of fees
to the issuance of certification or such similar documents approving or disapproving an application
or request
Red tape any regulation, rule, or administrative procedure or system that is ineffective or detrimental in
achieving its intended objectives and, as a result, produces slow, suboptimal, and undesirable social
outcomes
Regulation any legal instrument that gives effect to a government policy intervention and includes licensing,
imposing information obligation, compliance to standards or payment of any form of fee, levy,
charge or any other statutory and regulatory requirements necessary to carry out activity
Simple applications or requests submitted by applicants or requesting parties of a government office or
transactions agency which only require ministerial actions on the part of the public officer or employee, or that
which present only inconsequential issues for the resolution by an officer or employee of said
government.

COVERAGE: all government offices and agencies including LGUs, GOCCs and other government instrumentalities,
whether located in the Philippines or abroad, that provide services covering business and nonbusiness related
transactions.

Business-related transactions - a set of regulatory requirements that a business entity must comply with to engage,
operate or continue to operate a business.

Non-business transactions - all other government transactions.

REENGINEERING OF SYSTEMS AND PROCEDURES: All offices and agencies which provide government services are
hereby mandated to regularly undertake cost compliance analysis, time and motion studies, undergo evaluation and
improvement of their transaction systems and procedures and reengineer the same if deemed necessary to reduce
bureaucratic red tape and processing time.

The Anti-Red Tape Authority shall coordinate with all government offices covered under this Act in the review of existing
laws, executive issuances and local ordinances, and recommend the repeal of the same if deemed outdated, redundant,
and adds undue regulatory burden to the transacting public.

All proposed regulations of government agencies shall undergo regulatory impact assessment to establish if the proposed
regulation does not add undue regulatory burden and cost to these agencies and the applicants or requesting parties:
Provided, that when necessary, any proposed regulation may undergo pilot implementation to assess regulatory impact.

All LGUs and NGAs are directed to initiate review of existing policies and operations and commence with the
reengineering of their systems and procedures in compliance with the provisions of this Act, pending the approval of the
implementing rules and regulations (IRR) thereof.

CITIZEN’S CHARTER: All government agencies including departments, bureaus, offices, instrumentalities, or
government-owned and/or –controlled corporations, or LGUs shall set up their respective most current and updated
service standards to be known as the Citizen’s Charter in the form of information billboards which shall be posted at the
main entrance of offices or at the most conspicuous place, in their respective websites and in the form of published
materials written either in English, Filipino, or in the local dialect, that detail:
a. A comprehensive and uniform checklist of requirements for each type of application or request;
b. The procedure to obtain a particular service;
c. The person/s responsible for each step;
d. The maximum time to conclude the process;
e. The document/s to be presented by the applicant or requesting party, if necessary;
f. The amount of fees, if necessary; and
g. The procedure for filing complaints.

Page 14 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE ACT, DATA PRIVACY ACT and EASE OF DOING BUSINESS ACT RFBT-15
RULES IN ACCESSING GOVERNMENT SERVICES

ACCEPTANCE OF APPLICATIONS OR REQUESTS

1. All officers or employees shall accept written applications, requests, and/or documents being submitted by
applicants or requesting parties of the offices or agencies.
2. The receiving officer or employee shall perform a preliminary assessment of the application or request submitted
with its supporting documents to ensure a more expeditious action on the application or request. The receiving
officer or employee shall immediately inform the applicant or requesting party of any deficiency in the
accompanying requirements, which shall be limited to those enumerated in the Citizen's Charter.
3. The receiving officer or employee shall assign a unique identification number to an application or request, which
shall be the identifying number for all subsequent transactions between the government and the applicant or
requesting party regarding such specific application or request.
4. The receiving officer or employee shall issue an acknowledgement receipt containing the seal of the agency, the
name of the responsible officer or employee, his/her unit and designation, and the date and time of receipt of such
application or request.

ACTIONS OF OFFICERS:
1. PRESCRIBED PERIODS TO PROCESS: All applications or requests submitted shall be acted upon by the assigned
officer or employee within the prescribed processing time stated in the Citizen's Charter which shall not be
longer than:
TYPE OF TRANSACTION PERIOD TO PROCESS
Simple Transactions - applications or requests submitted 3 working days from date of receipt
by applicants or requesting parties of a government office
or agency which
a. only require ministerial actions on the part of the
public officer or employee, or
b. that which present only inconsequential issues for
the resolution by an officer or employee of said
government office

Complex Transactions - applications or requests 7 working days from date of receipt

submitted by applicants or requesting parties of a
government office which necessitate evaluation in the
resolution of complicated issues by an officer or
employee of said government office, such transactions to
be determined by the office concerned.

Highly technical application – an application which Whichever is shorter between:

requires the use of technical knowledge, specialized a. 20 working days or
skill and/or training in the process and/or evaluation b. As determined by the government agency
thereof. or instrumentality concerned.

Applications or requests involving activities which pose

danger to public health, public safety, public morals,
public policy.

If the application or request for license, clearance, permit, the Sanggunian concerned shall be given a period
certification or authorization shall require the approval of of forty-five (45) working days to act on the
the local Sanggunian (Sangguniang Bayan, Sangguniang application or request, which can be extended for
Panlungsod, or the Sangguniang Panlalawigan as the case another twenty (20) working days.
may be)
If the local Sanggunian concerned has denied the
application or request, the reason for the denial,
as well as the remedial measures that maybe
taken by the applicant shall be cited by the
concerned Sanggunian
2. EXTENSTION: The maximum time prescribed above may be extended only once for the same number of days,
which shall be indicated in the Citizen's Charter. Prior to the lapse of the processing time, the office or agency
concerned shall notify the applicant or requesting party in writing of the reason for the extension and final date
of release of the government service/s requested. Such written notification shall be signed by the applicant or
requesting party to serve as proof of notice.

3. ADJUSTMENT/SUSPENSION OF PERIOD TO PROCESS: In cases where the cause of delay is due to force
majeure or natural or man-made disasters, which result to damage or destruction of documents, and/or system
failure of the computerized or automatic processing, the prescribed processing times mandated in this Act shall be
suspended and appropriate adjustments shall be made.

AUTOMATIC APPROVAL OR EXTENSION OF LICENSE, CLEARANCE, PERMIT, CERTIFICATION OR

AUTHORIZATION:
1. If a government office or agency fails to approve or disapprove an original application or request for issuance of
license, clearance, permit, certification or authorization within the prescribed processing time, said application
or request shall be deemed approved: Provided, That all required documents have been submitted and all
required fees and charges have been paid.

Page 15 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE ACT, DATA PRIVACY ACT and EASE OF DOING BUSINESS ACT RFBT-15
2. The acknowledgement receipt together with the official receipt for payment of all required fees issued to the
applicant or requesting party shall be enough proof or has the same force and effect of a license, clearance,
permit, certification or authorization under this automatic approval mechanism.
3. If a government office or agency fails to act on an application or request for renewal of a license, clearance, permit,
certification or authorization subject for renewal within the prescribed processing time, said license, clearance,
permit, certification or authorization shall automatically be extended: Provided, That the Authority, in
coordination with the Civil Service Commission (CSC), Department of Trade and Industry (DTI) , Securities and
Exchange Commission (SEC), Department of the Interior and Local Government (DILG) and other agencies which
shall formulate the IRR of this Act, shall provide a listing of simple, complex, highly technical applications,
and activities which pose danger to public health, public safety, public morals or to public policy.

DENIAL OF APPLICATION OF REQUEST FOR ACCESS TO GOVERNMENT SERVICE:

Any denial of application or request for access to government service shall be:
1. Fully explained in writing,
2. Stating the name of the person making the denial and
3. the grounds upon which such denial is based.
Any denial of application or request is deemed to have been made with the permission or clearance from the highest
authority having jurisdiction over the government office or agency concerned.

LIMITATION OF SIGNATORIES
The number of signatories in any document shall be limited to a maximum of three (3) signatures which shall
represent officers directly supervising the office or agency concerned: Provided, That in case the authorized signatory is
on official business or official leave, an alternate shall be designated as signatory.

Electronic signatures or pre-signed license, clearance, permit, certification or authorization with adequate security
and control mechanism may be used.

ELECTRONIC VERSIONS OF LICENSES, CLEARANCES, PERMITS, CERTIFICATIONS OR AUTHORIZATION

All government agencies covered shall, when applicable, develop electronic versions of licenses, clearances, permits,
certifications or authorizations with the same level of authority as that of the signed hard copy, which may be printed
by the applicants or requesting parties in the convenience of their offices.

ADOPTION OF WORKING SCHEDULES TO SERVE APPLICANTS OR REQUESTING PARTIES

Heads of offices and agencies which render government services shall adopt appropriate working schedules to
ensure that all applicants or requesting parties who are within their premises prior to the end of official
working hours are attended to and served even during lunch break and after regular working hours.

STREAMLINED PROCEDURES IN LOCAL GOVERNMENT UNITS:

The LGUs are mandated to implement the following revised guidelines in the issuance of business licenses, clearances,
permits, certifications or authorizations:
a. A single or unified business application form shall be used in processing new applications for business permits
and business renewals which consolidates all the information of the applicant or requesting party by various local
government departments, such as, but not limited to, the local taxes and clearances, building clearance, sanitary
permit, zoning clearance, and other specific LGU requirements, as the case may be, including the fire clearance
from the Bureau of Fire Protection (BFP).

The unified form shall be made available online using technology-neutral platforms such as, but not limited to,
the central business portal or the city/municipality's website and various channels for dissemination. Hard copies
of the unified forms shall likewise be made available at all times in designated areas of the concerned office
and/or agency.

b. A one-stop business facilitation service, hereinafter referred to as the business one stop shop, (BOSS) for
the city/municipality's business permitting and licensing system to receive and process manual and/or electronic
submission of application for license, clearance, permit, certification or authorization shall be established within
the cities/municipalities’ Negosyo Center as provided for under Republic Act No. 10644, otherwise known as
the "Go Negosyo Act".

There shall be a queuing mechanism in the BOSS to better manage the flow of applications among the LGUs'
departments receiving and processing applications. LGUs shall implement colocation of the offices of the treasury,
business permits and licensing office, zoning office, including the BFP, and other relevant city/municipality offices,
departments, among others, engaged in starting a business, dealing with construction permits.

c. Cities/Municipalities are mandated to automate their business permitting and licensing system or set up an
electronic BOSS within a period of three (3) years upon the effectivity of this Act for a more efficient business
registration processes.

Cities/Municipalities with electronic BOSS shall develop electronic versions of licenses, clearances, permits,
certifications or authorizations with the same level of authority, which may be printed by businesses in the
convenience of their offices. The DICT shall make available to LGUs the software for the computerization of the
business permit and licensing system. The DICT, DTI, and DILG, shall provide technical assistance in the planning
and implementation of a computerized or software-enabled business permitting and licensing system.

d. To lessen the transaction requirements, other local clearances such as, but not limited to, sanitary permits,
environmental and agricultural clearances shall be issued together with the business permit.

Page 16 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE ACT, DATA PRIVACY ACT and EASE OF DOING BUSINESS ACT RFBT-15
e. Business permits shall be valid for a period of one (1) year. The city/municipality may have the option to renew
business permits within the first month of the year or on the anniversary date of the issuance of the
business permit.

f. Barangay clearances and permits related to doing business shall be applied, issued, and collected at the
city/municipality in accordance with the prescribed processing time of this Act: Provided, That the share
in the collections shall be remitted to the respective barangays. The pertinent provisions of Republic Act No.
7160, otherwise known as "The Local Government Code of 1991", specifically Article IV, Section 152(c) is hereby
amended accordingly.

VIOLATIONS AND PERSONS LIABLE: Any person who performs or cause the performance of the following acts shall
be liable:
a. Refusal to accept application or request with complete requirements being submitted by an applicant or requesting
party without due cause;
b. Imposition of additional requirements other than those listed in the Citizen’s Charter;
c. Imposition of additional costs not reflected in the Citizen’s Charter;
d. Failure to give the applicant or requesting party a written notice on the disapproval of an application or request;
e. Failure to render government services within the prescribed processing time on any application or request without
due cause;
f. Failure to attend to applicants or requesting parties who are within the premises of the office or agency concerned
prior to the end of official working hours and during lunch break;
g. Failure or refusal to issue official receipts; and
h. Fixing and/or collusion with fixers in consideration of economic and/or other gain or advantage."

Penalties and Liabilities: Any violations of the above will warrant the following penalties and liabilities.
a. First Offense: Administrative liability with 6 months suspension: Provided, however, That in the case of fixing and/or
collusion with fixers, the penalty below shall apply.
b. Second Offense: Administrative liability and criminal liability of dismissal from the service, perpetual disqualification
from holding public office and forfeiture of retirement benefits and imprisonment of 1 to 6 years with a fine of not
less than P500,000.00, but not more than P2,000,000.00.
Criminal liability shall also be incurred through the commission of bribery, extortion, or when the violation was done
deliberately and maliciously to solicit favor in cash or in kind. In such cases, the pertinent provisions of the Revised
Penal Code and other special laws shall apply.

RANKING OF THE PHILIPPINES IN THE WORLD BANK’S ANNUAL DOING BUSINESS REPORT:
1. 2016 – 103rd
2. 2017 – 99th
3. 2018 – 113th
4. 2019 – 124th
5. 2020 – 95th
E- COMMERCE

1. The Electronic Commerce Act applies to any kind of data message and electronic document used in the context of
__ activities to include __ dealings,
transactions, arrangements, agreements, contracts, and exchanges and storage of information.
A. Commercial and non-commercial; domestic and international
B. Only commercial; domestic and international
C. Only commercial; only domestic
D. Commercial and non-commercial; only domestic
2. It refers to information generated, sent, received, or stored by optical or similar means.
A. Electronic key
B. Electronic data message
C. Electronic signature
D. Electronic document
3. It refers to any distinctive mark, characteristic and/or sound in electronic form, representing the identity of a person
and attached to or logically associated with the electronic data message or electronic document
A. Electronic key
B. Electronic data message
C. Electronic signature
D. Electronic document
4. It refers to information or the representation of information, data, figures, symbols or other modes of written
expression, described or however represented, by which a right is established or an obligation extinguished, or by
which a fact may be prove and affirmed, which is receive, recorded, transmitted, stored, processed, retrieved or
produced electronically.
A. Electronic key
B. Electronic data message
C. Electronic signature
D. Electronic document
5. It refers to a secret code which secures and defends sensitive information that cross over public channels into a
form decipherable only with a matching electronic key.
A. Electronic key
B. Electronic data message
C. Electronic signature
D. Electronic document

Page 17 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE ACT, DATA PRIVACY ACT and EASE OF DOING BUSINESS ACT RFBT-15
6. First Statement: Information shall be denied legal effect, validity or enforceability solely on the grounds that it is in
the data message purporting to give rise to such legal effect, or that it is merely referred to in that electronic data
message.
Second Statement: For evidentiary purposes, an electronic document shall be the functional equivalent of a written
document under existing laws.
A. Only the first statement is true.
B. Only the second statement is true.
C. Both of the statements are true.
D. None of the statements is true.
7. In any proceedings involving an electronic signature, it shall be presumed that (a) The electronic signature is the
signature of the person to whom it correlates; and (b) The electronic signature was affixed by that person with the
intention of signing or approving the electronic
document even if the person relying on the electronically signed electronic document knows or has noticed of defects
in or unreliability of the signature or reliance on the electronic signature is not reasonable under the circumstances.
A. (a) only
B. (b) only
C. Both (a) and (b)
D. Neither (a) and (b)
8. Who has the burden of proving the authenticity of an electronic data message or electronic document in any legal
proceeding?
A. The person who sent the electronic data message
B. The person who signed the electronic document
C. The person denying the authenticity of said electronic data message or electronic document
D. The person seeking to introduce said electronic data message or electronic document
9. What may be presumed to have been established by an affidavit given to the best of the deponent’s knowledge?
A. Admissibility of electronic evidence only
B. Admissibility and presumption of integrity of electronic evidence
C. Presumption of integrity of electronic evidence only
D. None of the above
10. First Statement: As between the originator and the addressee of an electronic data message or electronic document,
a declaration of will or other statement shall not be denied legal effect, validity or enforceability solely on the
ground that it is in the form of an electronic data message.
Second Statement: An electronic data message or electronic document is that of the originator if it was sent by the
originator himself.
A. Only the first statement is true.
B. Only the second statement is true.
C. Both of the statements are true.
D. None of the statements is true.
11. On March 1, 2019, Alvin sent an email to Simon offering to sell his cellphone for P15,000. In the same email, Alvin
wrote that Simon shall have 10 days from acknowledging the receipt of Alvin’s email to decide whether to accept
his offer or not. The required acknowledgment must be sent on or before March 5, 2019. Simon, without
acknowledging Alvin’s email, replied 5 days after, signifying his acceptance of Alvin’s offer.
Is there a contract perfected?
A. Yes, because there is a meeting of the minds.
B. Yes, because Simon accepted Alvin’s offer before the expiration of the 10-day period.
C. None, because Alvin is not in writing, hence an unacceptable offer.
D. None, because Alvin’s offer is ineffective since Simon failed to acknowledge Alvin’s email.
12. When is an electronic data message or electronic document considered dispatched?
A. As agreed by the parties
B. When it enters an information system outside the control of the originator or his agent
C. When it enters an information system still within the control of the originator or his agent
D. Never, since anything electronic cannot be dispatched
13. When is an electronic data message or electronic document considered received if it was sent to an information
system of the addressee that is not the designated information system?
A. As agreed by the parties
B. At the time when the electronic data message or electronic document enters the designated information system
C. At the time when the electronic data message or electronic document is retrieved by the addressee
D. At the time when the electronic data message or electronic document enters an information system of the
addressee
14. Where is the place of dispatch of electronic data messages or electronic documents if the originator has more than
one place of business and there is an underlying transaction?
A. Place which has the closest relationship to the underlying transaction
B. Principal place of business
C. Habitual residence
D. Place where the server is located
15. Where is the place of receipt of electronic data messages or electronic documents if the addressee has no place of
business?
A. Place which has the closest relationship to the underlying transaction
B. Principal place of business
C. Habitual residence
D. Place where the server is located

Page 18 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE ACT, DATA PRIVACY ACT and EASE OF DOING BUSINESS ACT RFBT-15
16. Which government agency is empowered to promulgate rules and regulations for the implementation of the
Electronic Commerce Act?
A. Department of Trade and Industry (DTI)
B. Department of Transportation and Communication (DOTC)
C. Department of Information and Communications Technology (DICT)
D. Supreme Court (SC)
17. First Statement: Where the requires that any action referred to contract of carriage of goods be carried out in
writing or by using a paper document, that requirement is met if the action is carried out by using one or more
electronic data messages or electronic documents.
Second Statement: The "usual place of residence" in relation to a body corporate, means the place where it is
incorporated or otherwise legally constituted.
A. Only the first statement is true.
B. Only the second statement is true.
C. Both of the statements are true.
D. None of the statements is true.
18. On March 1, 2019, Donald, through a text message, offered to sell his land to Hillary for P10,000. Hillary accepted
Donald’s offer by sending an email to Donald on March 2, 2019, which Donald was able to read on March 3, 2019.
On March 4, 2019, wondering if Donald received her email, Hillary sent a text message to Donald signifying once
again her acceptance of Donald’s offer, to which Donald immediately replied, “K”. Is there an enforceable contract
of sale?
A. Yes, because the offer and the acceptance in electronic form satisfy the requirement that a sale of land be in
writing.
B. Yes, because a contract of sale of land is enforceable whether executed in writing or not.
C. No, the offer and the acceptance were not reduced into writing.
D. No, there was no valid contract at all.
19. On March 1, 2019, Donald, through a text message, offered to sell his land to Hillary for P10,000. Hillary accepted
Donald’s offer by sending an email to Donald on March 2, 2019, which Donald was able to read on March 3, 2019.
On March 4, 2019, wondering if Donald received her email, Hillary sent a text message to Donald signifying once
again her acceptance of Donald’s offer, to which a recipient (Donald’s wife) immediately replied, “Sorry, but Donald
just died a few hours ago”. Is there a perfected contract of sale?
A. No, because Hillary’s acceptance was not made in a text message.
B. No, because Donald has already died and can no longer perform any contractual obligation.
C. Yes, because the knowledge of Donald’s wife of Hillary’s acceptance through a text message on March 4, 2019
perfects the contract since she is a legal heir of Donald.
D. Yes, because the email Hillary sent on March 2, 2019 signifying her acceptance was read by Donald on March
3, 2019.
20. On March 1, 2019, Donald, through a text message, offered to sell his land to Hillary for P10,000. Hillary accepted
Donald’s offer by sending an email to Donald on March 2, 2019, which Donald was able to read on March 3, 2019.
On March 4, 2019, wondering if Donald received her email, Hillary sent a text message to Donald signifying once
again her acceptance of Donald’s offer, to which Donald immediately replied, “K”. When was the contract of sale
of land perfected?
A. March 1, 2019
B. March 2, 2019
C. March 3, 2019
D. March 4, 2019

1 A 6 B 11 D 16 A
2 B 7 A 12 A 17 C
3 C 8 D 13 A 18 A
4 D 9 B 14 A 19 D
5 A 10 C 15 C 20 C

DATA PRIVACY
1. It refers to any information whether recorded in a material form or not, from which the identity of an individual
is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put
together with other information would directly and certainly identify an individual.
a Data subject
b Personal information
c Privileged information
d Sensitive personal information
2. It refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute
privileged communication.
a. Data subject
b. Personal information
c. Privileged information
d. Sensitive personal information
3. First Statement: DPA applies to the processing of all types of personal information and to any natural and
juridical person involved in personal information processing including those personal information controllers
and processors who, although not found or established in the Philippines, use equipment that are located in
the Philippines, or those who maintain an office, branch or agency in the Philippines, except when DPA is not
applicable, subject to the requirements of extraterritorial application.

Page 19 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE ACT, DATA PRIVACY ACT and EASE OF DOING BUSINESS ACT RFBT-15
Second Statement: The Data Privacy Act is applicable to Information about any individual who is or was an
officer or employee of a government institution that relates to the position or functions of the individual.
a. Only the first statement is true.
b. Only the second statement is true.
c. Both of the statements are true.
d. None of the statements is true.
4. Which information is/are not covered by the Data Privacy Act?
a. About an individual who is or was performing service under contract for a government institution that
relates to the services performed
b. Relating to any discretionary benefit of a financial nature such as the granting of a license or permit
given by the government to an individual
c. Processed for journalistic, artistic, literary or research purposes
d. All of the above
5. Which information is/are not covered by the Data Privacy Act?
a. Necessary in order to carry out the functions of public authority
b. Necessary for banks and other financial institutions under the jurisdiction of the independent, central
monetary authority or Bangko Sentral ng Pilipinas to comply with RA 9510, and RA 9160, as amended
c. Originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign
jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines
d. All of the above
6. First Statement: The Data Privacy Act did not amend or repeal the provisions of RA 53, which affords the
publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general
circulation protection from being compelled to reveal the source of any news report or information appearing
in said publication which was related in any confidence to such publisher, editor, or reporter.
Second Statement: The Data Privacy Act applies to an act done or practice engaged within the Philippines
by an entity only and does not apply to those done and engaged outside of the Philippines.
a. Only the first statement is true.
b. Only the second statement is true.
c. Both of the statements are true.
d. None of the statements is true.
7. Which of the following is/are the functions of the National Privacy Commission?
a. Ensure compliance of personal information controllers with the DPA
b. Issue cease and desist orders, impose a temporary or permanent ban on the processing of personal
information, upon finding that the processing will be detrimental to national security and public
interest
c. Compel or petition any entity, government agency or instrumentality to abide by its orders or take
action on a matter affecting data privacy
d. All of the above
8. First Statement: The National Privacy Commission shall ensure at all times the confidentiality of any personal
information that comes to its knowledge and possession.
Second Statement: The National Privacy Commission is attached to the Department of Information and
Communications Technology (DICT).
a. Only the first statement is true.
b. Only the second statement is true.
c. Both of the statements are true.
d. None of the statements is true.
9. Who heads the National Privacy Commission?
a. Privacy Chairman
b. Privacy Commissioner
c. Privacy President
d. Privacy Head
10. What are the two responsibilities of the Deputy Privacy Commissioners?
a. Data Processing Systems and Policies and Planning
b. Data Collection Systems and Policies and Planning
c. Data Processing Systems and Finance
d. Data Privacy Systems and Policies and Performance
11. Who appoints the officers of the National Privacy Commission?
a. DICT Secretary
b. President
c. Executive Secretary
d. DTI Secretary
12. How long is the term of a Privacy Commissioner?
a. 1 year
b. 2 years
c. 3 years
d. 5 years
13. What is/are the qualifications of a Privacy Commissioner?
a. At least 36 years of age
b. Of good moral character, unquestionable integrity, and known probity
c. A recognized expert in the field of information technology only
d. All of the above

Page 20 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE ACT, DATA PRIVACY ACT and EASE OF DOING BUSINESS ACT RFBT-15
14. A Deputy Privacy Commissioner shall enjoy the benefits, privileges, and emoluments equivalent to the rank
of:
a. Secretary
b. Undersecretary
c. Assistant Secretary
15. The processing of personal information adheres to which principle/s?
a. Transparency
b. Legitimate purpose
c. Proportionality
d. All of the above
16. Who must ensure implementation of personal information principles set out in the Data Privacy Act?
a. Personal information controller
b. Personal information processor
c. Privacy Commissioner
d. Deputy Privacy Commissioner
17. When is processing of personal information lawful?
a. Data subject gave his or her consent
b. When necessary or related to the fulfillment of a contract with the data subject or in order to take
steps at the request of the data subject prior to entering into a contract
c. When necessary for compliance with a legal obligation to which the personal information controller is
subject
d. All of the above
18. When is processing of personal information lawful?
a. When necessary to protect the life and health of the data subject or another person, even when the
data subject is legally or physically able to express his or her consent prior to the processing
b. When necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical
treatment institution, and an adequate level of protection of personal information is ensured
c. When not necessary for the protection of lawful rights and interests of natural or legal persons in court
proceedings, or the establishment, exercise or defense of legal claims, or when provided to government
or public authority
d. None of the above
19. First Statement: A personal information controller may subcontract the processing of personal
information.
Second Statement: Personal information controllers may invoke the principle of privileged communication
over privileged information that they lawfully control or process.
a. Only the first statement is true.
b. Only the second statement is true.
c. Both of the statements are true.
d. None of the statements is true.
20. First Statement: The lawful heirs and assigns of the data subject may invoke the rights of the data subject
for, which he or she is an heir or assignee at any time after the death of the data subject or when the
data subject is incapacitated or incapable of exercising the rights of the data subject.
Second Statement: The rules on rights, its transmissibility, and portability are not applicable if the
processed personal information are used only for the needs of scientific and statistical research and, on
the basis of such, no activities are carried out and no decisions are taken regarding the data subject.
a. Only the first statement is true.
b. Only the second statement is true.
c. Both of the statements are true.
d. None of the statements is true.
21. In case of privacy breach, who is mandated to notify the National Privacy Commission?
a. Personal information controller
b. Personal information processor
c. President
d. Independent auditor
22. Except as may be allowed through guidelines to be issued by the National Privacy Commission, no
employee of the government shall have access to sensitive personal information on government property
or through online facilities unless the employee has received a security clearance from the __ of the source
agency.
a. Personal information controller
b. Personal information processor
c. Head
d. Lawyer
23. In the case of any request submitted to the head of an agency, such head of the agency shall approve or
disapprove the request __ after the date of submission of the request.
a. One calendar day
b. Two calendar days
c. One business day
d. Two business days

Page 21 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE ACT, DATA PRIVACY ACT and EASE OF DOING BUSINESS ACT RFBT-15

24. In entering into any contract that may involve accessing or requiring sensitive personal information from
__, an agency shall require a contractor and its employees to register their personal information processing
system with the National Privacy Commission in accordance with the DPA and to comply with the other
provisions of the DPA including the immediately preceding section, in the same manner as agencies and
government employees comply with such requirements.
a. 100 or more individuals
b. 500 or more individuals
c. 1,000 or more individuals
d. 5,000 or more individuals
25. If the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the
__.
a. Directors
b. Responsible officers
c. Incorporators
d. Stockholders/Partners
26. First Statement: If the offender under DPA is a juridical person, the court may suspend or revoke any of its
rights under the DPA.
Second Statement: If the offender under DPA is an alien, he or she shall, in addition to the penalties herein
prescribed, be deported without further proceedings after serving the penalties prescribed.
a. Only the first statement is true.
b. Only the second statement is true.
c. Both of the statements are true.
d. None of the statements is true.
27. The __ penalty in the scale of penalties respectively provided for the preceding offenses shall be imposed
when the personal information of at least __ persons is harmed, affected or involved as the result of the
punishable actions.
a. Maximum; 100
b. Maximum; 1,000
c. Minimum; 100
d. Minimum; 1,000

28. When the offender or the person responsible for the offense under DPA is a public officer as defined in the
Administrative Code of the Philippines in the exercise of his or her duties, an accessory penalty consisting in the
disqualification to occupy public office for a term __ the term of criminal penalty imposed shall he applied.
a. Same as
b. Double
c. Triple
d. Quadruple
29. Restitution for any aggrieved party under DPA shall be governed by the provisions of the __.
a. Code of Commerce
b. Data Privacy Act
c. 1987 Philippine Constitution
d. New Civil Code
30. The act of processing sensitive personal information for unauthorized purposes is punishable
by:
a. 1.5 to 5 years of imprisonment and fine 500,000 to 1,000,000
b. 2 to 7 years of imprisonment and fine 500,000 to 1,000,000
c. 1.5 to 5 years of imprisonment and fine500,000 to 2,000,000
d. 2 to 7 years of imprisonment and fine 500,000 to 2,000,000

1 B 11 B 21 A
2 C 12 C 22 C
3 A 13 B 23 D
4 D 14 B 24 C
5 D 15 D 25 B
6 A 16 A 26 C
7 D 17 D 27 A
8 C 18 B 28 B
9 B 19 C 29 D
10 A 20 C 30 D

Page 22 of 22 0915-2303213  www.resacpareview.com