ReSA - THE REVIEW SCHOOL OF ACCOUNTANCY

CPA Review Batch 46  October 2023 CPA Licensure Examination

RFBT-15
REGULATORY FRAMEWORK for BUSINESS TRANSACTIONS J. DOMINGO  N. SORIANO

E-COMMERCE, DATA PRIVACY & EASE OF DOING BUSINESS

ELECTRONIC COMMERCE ACT
(RA No. 8792)

Objective: The E-Commerce Act (Act) aims

1. to facilitate domestic and international dealings, transactions, arrangements, agreements, contracts and
exchanges and storage of information through the utilization of electronic, optical and similar medium, mode,
instrumentality and technology,
2. to recognize the authenticity and reliability of electronic data messages or electronic documents related to such
activities and
3. to promote the universal use of electronic transactions in the government and by the general public.

Sphere of Application: The Act shall apply to any kind of electronic document used in the context of commercial and non-
commercial activities to include domestic and international dealings, transactions, arrangements, agreements contracts and
exchanges and storage of information.

Definition of Terms: For the purposes of the Act, the following terms are defined, as follows:

"Computer" refers to any device or apparatus singly or interconnected which, by electronic, electro-mechanical, optical
and/or magnetic impulse, or other means with the same function, can receive, record, transmit, store, process, correlate,
analyze, projects, retrieve, and/or produce information, data, text, graphics, figures, voice, video, symbols or other modes of
expression or perform any one or more of these functions.

"Information and Communications System" refers to a system for generating, sending, receiving, storing, or otherwise
processing electronic documents and includes the computer system or other similar device by or in which data is recorded
or stored and any procedures related to the recording or storage of electronic document.

"Originator" refers to a person by whom, or on whose behalf, the electronic document purports to have been created,
generated and/or sent. The term does not include a person acting as an intermediary with respect to that electronic
document.

"Addressee" refers to a person who is intended by the originator to receive the electronic data message or electronic
document, but does not include a person acting as an intermediary with respect to that electronic data message or electronic
data document.

"Intermediary" refers to a person who in behalf of another person and with respect to a particular electronic document
sends, receives and/or stores, provides other services in respect of that electronic data message or electronic document.

"Service provider" refers to a provider of:

1. Online services or network access or the operator of facilities therefor including entities offering the transmission,
routing, or providing of connections for online communications, digital or otherwise, between or among points specified by
a user, of electronic documents of the user's choosing; or
2. The necessary technical means by which electronic documents of an originator may be stored and made accessible to
designated or undesignated third party.

Such service providers shall

a. Have no authority to:
i. modify or alter the content of the electronic document received or
ii. to make any entry therein on behalf of the originator, addressee or any third party unless specifically
authorized to do so,
b. Retain the electronic document in accordance with the specific request or as necessary for the purpose of
performing the services it was engaged to perform.

"Electronic data message" refers to information generated, sent, received or stored by electronic, optical or similar
means.

“Electronic signature" refers to any distinctive mark, characteristic and/or sound in electronic from, representing the
identity of a person and attached to or logically associated with the electronic data message or electronic document or any
methodology or procedures employed or adopted by a person and executed or adopted by such person with the intention of
authenticating or approving an electronic data message or electronic document.

"Electronic key" refers to a secret code which secures and defends sensitive information that crossover public channels
into a form decipherable only with a matching electronic key.

"Electronic document" refers to information or the representation of information, data, figures, symbols or other modes of
written expression, described or however represented, by which a right is established or an obligation extinguished, or
by which a fact may be prove and affirmed, which is receive, recorded, transmitted, stored, processed, retrieved or
produced electronically.

LEGAL RECOGNITION OF ELECTRONIC DATA MESSAGES AND ELECTRONIC DOCUMENTS

Legal Recognition of Electronic Data Messages: Information shall not be denied validity or enforceability solely on
the ground that it is in the form of electronic data message purporting to give rise to such legal effect, or that it is merely
incorporated by reference in that electronic data message.

Page 1 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE, DATA PRIVACY & EASE OF DOING BUSINESS RFBT-15
Legal Recognition of Electronic documents: Electronic documents shall have the legal effect, validity or enforceability
as any other document or legal writing, and:
a. Where the law requires a document to be in writing, that requirement is met by an electronic document if the said
electronic document:
i. maintains its integrity and reliability and
ii. can be authenticated so as to be usable for subsequent reference, in that:
(1) The electronic document has remained complete and unaltered, apart from the addition of any endorsement
and any authorized change, or any change which arises in the normal course of communication, storage and
display; and
(2) The electronic document is reliable in the light of the purpose for which it was generated and in the light of all
relevant circumstances.
b. Paragraph (a) applies whether the requirement therein is in the from of an obligation or whether the law simply
provides consequences for the document not being presented or retained in its original from.
c. Where the law requires that a document be presented or retained in its original form, that requirement is met by an
electronic document if-
i. There exists a reliable assurance as to the integrity of the document from the time when it was first generated in
its final from; and
ii. That document is capable of being displayed to the person to whom it is to be presented: Provided, That no
provision of the Act shall apply to vary any and all requirements of existing laws on formalities required in the execution
of documents for their validity.

For evidentiary purposes, an electronic document shall be the functional equivalent of a written document under existing
laws.

The Act does not modify any statutory any statutory rule relating to admissibility of electronic data massages or
electronic documents, except the rules relating to authentication and best evidence.

Legal Recognition of Electronic Signatures: An electronic signature on the electronic document shall be equivalent to the
signature of a person on a WRITTEN DOCUMENT if:
a. the signature is an electronic signature and
b. proved by showing that a prescribed procedure, not alterable by the parties interested in the electronic document,
existed under which-
i. A method is used to identify the party sought to be bound and to indicate said party's access to the electronic
document necessary for his consent or approval through the electronic signature;
ii. Said method is reliable and appropriate for the purpose for which the electronic document was generated or
communicated, in the light of all circumstances, including any relevant agreement;
iii. It is necessary for the party sought to be bound, in order to proceed further with the transaction to have
executed or provided the electronic signature; and
iv. The other party is authorized and enable to verify the electronic signature and to make the decision to
proceed with the transaction authenticated by the same.
Presumption Relating to Electronic Signatures: In any proceedings involving an electronic signature, it shall be presumed
that,
a. The electronic signature is the signature of the person to whom it correlates; and
b. The electronic signature was affixed by that person with the intention of signing or approving the electronic
document unless
i. the person relying on the electronically designed electronic document knows or has notice of defects in or
unreliability of the signature or
ii. reliance on the electronic signature is not reasonable under the circumstances.
Original Documents:
1. Where the law requires information to be presented or retained in its ORIGINAL FORM, that requirement is met by
an electronic data message or electronic document if:
a. the integrity of the information from the time when it was first generated in its final form, as an electronic
document is shown by evidence aliunde or otherwise; and
b. where otherwise it is required that information be presented, that the information is capable of being displayed to
the person to whom it is to be presented.
2. Paragraph (1) applies whether the requirement therein is in the form of an obligation or whether the law simply
provides consequences for the information not being presented or retained in its original form.
3. For the purpose of subparagraph (a) of paragraph (1):
a. the criteria for assessing integrity shall be whether the information has remained complete and unaltered,
apart from the addition of any endorsement and any change which arises in the normal course of communication,
storage and display ; and
b. the standard of reliability required shall be assessed in the light of purpose for which the information was
generated and in the light of all the relevant circumstances.
Authentication of Electronic Data Messages and Electronic Documents: Until the Supreme Court by appropriate rules
shall have so provided, electronic documents, electronic data messages and electronic signatures, shall be authenticated by
demonstrating, substantiating and validating a claimed identity of a user, device, or another entity is an information or
communication system, among other ways, as follows;
a. The electronic signatures shall be authenticated by proof that a letter, character, number or other symbol in electronic
form representing the persons named in and attached to or logically associated with an electronic data message,
electronic document, or that the appropriate methodology or security procedures, when applicable, were employed
or adopted by such person, with the intention of authenticating or approving in an electronic data message or electronic
document;
b. The electronic data message or electronic document shall be authenticated by proof that an appropriate security
procedure, when applicable was adopted and employed for the purpose of:
i. verifying the originator of an electronic data message or electronic document, or
ii. detecting error or alteration in the communication, content or storage of an electronic document or electronic
data message from a specific point, which, using algorithms or codes, identifying words or numbers, encryptions,
answers back or acknowledgement procedures, or similar security devices.

Page 2 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE, DATA PRIVACY & EASE OF DOING BUSINESS RFBT-15
The Supreme Court may adopt such other authentication procedures, including the use of electronic notarization systems as
necessary and advisable, as well as the certificate of authentication on printed or hard copies of the electronic documents or
electronic data messages by electronic notaries, service providers and other duly recognized or appointed certification
authorities.

Burden of Proof: The person seeking to introduce an electronic data message or electronic document in any legal proceeding
has the burden of proving its authenticity by evidence capable of supporting a finding that the electronic data message or
electronic document is what the person claims it on be.

Integrity of the Information and Communication System: In the absence of evidence to the contrary, the integrity
of the information and communication system in which an electronic data message or electronic document is recorded or stored
may be established in any legal proceeding –
a. By evidence that:
i. at all material times the information and communication system or other similar device was operating in a
manner that did not affect the integrity of the electronic data message or electronic document, and
ii. there are no other reasonable grounds to doubt the integrity of the information and communication system,
b. By showing that the electronic data message or electronic document was recorded or stored by a party to the
proceedings who is adverse in interest to the party using it; or
c. By showing that the electronic data message or electronic document was recorded or stored in the usual and
ordinary course of business by a person who is not a party to the proceedings and who did not act under the control of
the party using the record.

Admissibility and Evidential Weight of Electronic Data Message or electronic document: In any legal proceedings,
nothing in the application of the rules on evidence shall deny the admissibility of an electronic data message or
electronic document in evidence –
a. On the sole ground that it is in electronic form; or
b. On the ground that it is not in the standard written form, and the electronic data message or electronic document
meeting, and complying with the requirements under Legal Recognition of Electronic Data Messages and Electronic
Documents mentioned above, shall be the best evidence of the agreement and transaction contained therein.

In assessing the evidential weight of an electronic data message or electronic document, the following shall be given due regard:
a. the reliability of the manner in which it was generated, stored or communicated,
b. the reliability of the manner in which its originator was identified, and
c. other relevant factors.

Retention of Electronic Data Message or Electronic Document: Notwithstanding any provision of law, rule or regulation
to the contrary –
a. The requirement in any provision of law that certain documents be retained in their original form is satisfied by
retaining them in the form of an electronic data message or electronic document which –
i. Remains accessible so as to be usable for subsequent reference;
ii. Is retained in the format in which it was generated, sent or received, or in a format which can be demonstrated to
accurately represent the electronic data message or electronic document generated, sent or received;
iii. Enables the identification of its originator and addressee, as well as the determination of the date and the
time it was sent or received.
b. The requirement referred to in paragraph (a) is satisfied by using the services of a third party, provided that the
conditions set fourth in subparagraphs (1), (2) and (3) of paragraph (a) are met.

Proof by Affidavit: The matters referred on admissibility and on the presumption of integrity, may be presumed to have
been established by an affidavit given to the best of the deponent's knowledge subject to the rights of parties in interest
as defined in the cross-examination provided below.

Cross – Examination:
1. A deponent of an affidavit referred to above that has been introduced in evidence may be cross-examined as of right
by a party to the proceedings who is adverse in interest to the party who has introduced the affidavit or has caused the
affidavit to be introduced.
2. Any party to the proceedings has the right to cross-examine a person who is not a party to the proceedings and who
did not act under the control of the party using the record proving that the electronic data message or electronic
document was recorded or stored in the usual and ordinary course of business.

COMMUNICATION OF ELECTRONIC DATA MESSAGES OR ELECTRONIC DOCUMENTS

Formation of Validity of Electronic Contracts:

1. Except as otherwise agreed by the parties, (1) an offer, (2) the acceptance of an offer and (3) such other
elements required under existing laws for the formation of contracts may be expressed in, demonstrated and
proved by means of electronic data messages or electronic documents and no contract shall be denied validity or
enforceability on the sole ground that it is in the form of an electronic data message or electronic document, or that any or
all of the elements required under existing laws for the formation of contracts is expressed, demonstrated and proved by
means of electronic data messages or electronic documents.
2. Electronic transactions made through networking among banks, or linkages thereof with other entities or networks,
and vice versa:
a. shall be deemed consummated upon the actual dispensing of cash or the debit of one account and the
corresponding credit to another, whether such transaction is initiated by the depositor or by an authorized collecting
party.
b. The obligation of one bank, entity, or person similarly situated to another arising therefrom shall considered
absolute and shall not be subjected to the process of preference of credits.

Recognition by Parties of Electronic Data Message or Electronic document: As between the originator and the
addressee of an electronic data message or electronic document, a declaration of will or other statement shall not be denied
legal effect, validity or enforceability solely on the ground that it is in the form of an electronic data message or electronic
document.

Page 3 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE, DATA PRIVACY & EASE OF DOING BUSINESS RFBT-15
Attribution of Electronic Data Message:
1. The Electronic Data Message or Electronic Document is that of the originator:
a. If it was sent by the originator himself.
b. As between the originator and the addressee, an electronic data message or electronic document is deemed to be
that of the originator if it was sent:
i. by a person who had the authority to act on behalf of the originator with respect to that electronic data
message or electronic document; or
ii. by an information system programmed by, or on behalf of the originator to operate automatically.
2. As between the originator and the addressee, an addressee is entitled to regard an electronic data message or
electronic document as being that of the originator, and to act on that assumption, if:
a. in order to ascertain whether the electronic data message or electronic document was that of the originator, the
addressee properly applied a procedure previously agreed to by the originator for that purpose; or
b. the electronic data message or electronic document as received by the addressee resulted from the actions of a
person whose relationship with the originator or with any agent of the originator enabled that person to
gain access to a method used by the originator to identify electronic data message or electronic documents as his
own.

The above does not apply:

i. as of the time when the addressee has both received notice from the originator that the electronic data message
or electronic document is not that of the originator, and has reasonable time to act accordingly; or
ii. in a case within paragraph (2) sub-paragraph (b), at any time when the addressee knew or should have
known, had it exercised reasonable care of used any agreed procedure, that the electronic data message or electronic
document was not that of the originator.
iii. That the transmission resulted in any error in the electronic data message or electronic document as received.
3. The addressee is entitled to regard each electronic data message or electronic document received as a separate
electronic data message or electronic document and to act on that assumption.

Except
a. To the extent that it duplicates another electronic data message or electronic document and
b. The addressee knew or should have known, had it exercised reasonable care or used any agreed procedure, that
the electronic data message or electronic document was a duplicate.

Error on Electronic Data Message or Electronic Document: The addressee is entitled to regard the electronic data
message or electronic document received as that which the originator intended to send, and to act on that assumption,
unless the addressee knew or should have known, had the addressee exercised reasonable care or used the appropriate
procedure –
a. That the transmission resulted in any error therein or in the electronic data message or electronic document enters
the designated information system, or
b. That electronic data message or electronic document is sent to an information system which is not so designated
by the addressee for the purposes.

Acknowledgement of Receipt of Electronic Data Message or Electronic Document:

General Rule: No acknowledgment of receipt is necessary

Exceptions:
1. If the parties agree to it
2. Originator requested in the EDM/ED

Modes of acknowledgement when required:

1. Agreement as to particular method – to be followed
2. No agreement as to particular method:
a. Any communication by the addressee
b. Any conduct of the addressee sufficient to indicate the receipt to the originator

Instances when the originator can regard non-receipt since there was no acknowledgment:
1. When the originator stated the effect or significance of acknowledgment or the ED is CONDITIONAL upon receipt
2. No statement as to effect/significance – originator gave notice stating that no acknowledgement has been received and
specifying a reasonable time by which acknowledgement is to be received, and no acknowledgement is received within
such reasonable time.

Time of Dispatch of Electronic Data Messages or Electronic Documents: General Rule: the dispatch of an electronic
data message or electronic document occurs when it enters an information system outside the control of the originator
or of the person who sent the electronic data message or electronic document on behalf of the originator.

Except: when otherwise agreed upon.

Time of Receipt of Electronic Data Messages or Electronic Documents. – Unless otherwise agreed between the originator
and the addressee, the time of receipt of an electronic data message or electronic document is as follows:
a. Upon entry in the designated information system – if the parties has designated an information system for the purpose
of receiving electronic data messages or electronic documents
b. Upon retrieval by the addressee:
i. There is a designated information system, but the originator and the addressee are both participants in the
designated information system;
ii. The electronic message or electronic document enters an information system of the address that is not the designated
information system;
c. Upon entry in the information system of the addressee - The parties did not designate an information system.

These rules apply notwithstanding that the place where the information system is located may be different from the place where
the electronic data message or electronic document is deemed to be received.

Page 4 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE, DATA PRIVACY & EASE OF DOING BUSINESS RFBT-15
Place of Dispatch and Receipt of Electronic Data Messages or Electronic Documents: Unless otherwise agreed
between the originator and the addressee, an electronic data message or electronic document is deemed to be:
1. dispatched at the place where the originator has its place of business and
2. received at the place where the addressee has its place of business.
This rule shall apply even if the originator or addressee had used a laptop other portable device to transmit or received his
electronic data message or electronic document. These rules shall also apply to determine the tax situs of such transaction.
For the purpose hereof –
a. If the originator or addressee has more than one place of business is that which has the closest relationship to the
underlying transaction or, where there is no underlying transaction, the principal place of business.
b. If the originator or the addressee does not have a place of business, reference is to be made to its habitual
residence; or
c. The "usual place of residence" in relation to a body corporate, means the place where it is incorporated or
otherwise legally constituted.
Choice of Security Methods: Subject to applicable laws and /or rules and guidelines promulgated by the DTI with other
appropriate government agencies, parties to any electronic transaction shall be free to:
1. Determine the type of level of electronic data message or electronic document security needed, and
2. To select and use or implement appropriate technological methods that suit their need.

ELECTRONIC COMMERCE IN CARRIAGE OF GOODS

Actions Related to Contracts of Carriage of Goods: applies to any action in connection with, or in pursuance of, a contract
of carriage of goods, including but not limited to:
a. (i) furnishing the marks, number, quantity or weight of goods;
(ii) stating or declaring the nature or value of goods;
(iii) issuing a receipt for goods;
(iv) confirming that goods have been loaded;
b. (i) notifying a person of terms and conditions of the contract;
(ii) giving instructions to a carrier;
c. (i) claiming delivery of goods;
(ii) authorizing release of goods;
(iii) giving notice of loss of, or damage to goods;
d. giving any other notice or statement in connection with the performance of the contract;
e. undertaking to deliver goods to a named person or a person authorized to claim delivery;
f. granting, acquiring, renouncing, surrendering, transferring or negotiating rights in goods;
g. acquiring or transferring rights and obligations under the contract.
Transport Documents:
1. Where the law requires that any action referred to contract of carriage of goods be carried out in writing or by using a
paper document, that requirement is met if the action is carried out by using one or more electronic data messages or
electronic documents.
The above applies whether the requirement there in is in the form of an obligation or whether the law simply provides
consequences for failing either to carry out the action in writing or to use a paper document.
2. If (a) a right is to be granted to, or (b) an obligation is to be acquired by, one person and no person, and if the law
requires that, in order to effect this, the right or obligation must be conveyed to that person by the transfer, or use of,
a paper document, that requirement is met if the right or obligation is conveyed by using one or more electronic data
messages or electronic documents: Provided, that a reliable method is used to render such electronic data messages or
electronic documents unique.
For the purposes of above, the standard of reliability required shall be assessed in the light of the purpose for which the
right or obligation was conveyed and in the light of all the circumstances, including any relevant agreement.
3. Where one or more electronic data messages or electronic documents are used to effect any action in subparagraph (f) and
(g) of the above (Actions Related to Contracts of Carriage of Goods), no paper document used to effect any such action is
valid unless the use of electronic data message or electronic document has been terminated and replaced by the used
of paper documents. A paper document issued in these circumstances shall contain a statement of such
termination. The replacement of the electronic data messages or electronic documents by paper documents shall not
affect the rights or obligation of the parties involved.
4. If a rule of law is compulsorily applicable to a contract of carriage of goods which is in, or is evidenced by, a paper
document, that rule shall not be inapplicable to such a contract of carriage of goods which is evidenced by one or more
electronic data messages or electronic documents by reason of the fact that the contract is evidenced by such electronic
data message or electronic documents instead of by a paper document.

ELECTRONIC TRANSACTIONS IN GOVERNMENT

Government Use of Electronic Data Messages, Electronic Documents and Electronic Signature: Notwithstanding any
law to the contrary, within two (2) years from the date of the effectivity of the Act, all departments, bureaus, offices and
agencies of the government, as well as all government-owned and –controlled corporations, that pursuant to law require or
accept the filing of documents, require that documents be created, or retained and/or submitted, issue permits, licenses or
certificates of registration or approval, or provide for the method and manner of payment or settlement of fees and other
obligations to the government, shall –
a. accept the creation, filing or retention of such documents in the form of electronic data messages or electronic documents;
b. issue permits, licenses, or approval in the form of electronic data messages or electronic documents;
c. require and/or accept payments, and issue receipt acknowledging such payments, through systems using electronic data
messages or electronic documents; or
d. transact the government business and/or perform governmental factions using electronic data messages or electronic
documents, and for the purpose, are authorized to adopt and promulgate, after appropriate public hearing and with due
publications in newspapers of general circulation, the appropriate rules, regulations, or guidelines, to, among others, specify
–

Page 5 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE, DATA PRIVACY & EASE OF DOING BUSINESS RFBT-15
1. the manner and format in which such electronic data messages or electronic documents shall be filed, created,
retained or issued;
2. where and when such electronic data messages or electronic documents have to signed, the use of an electronic
signature, the type of electronic signature required;
3. the format of an electronic data message or electronic document and the manner the electronic signature shall be
affixed to the electronic data messages or electronic documents;
4. the control processes and procedures appropriate to ensure adequate integrity, security and confidentiality of
electronic data messages or electronic documents or records of payments;
5. other attributes required to electronic data messages or electronic documents; and
6. the full or limited use of the documents and papers for compliance with the government
requirements: provided, That the Act shall be itself mandate any department of the government, organ of state or
statutory corporation to accept or issue any document in the form of electronic data messages or electronic documents
upon the adoption, promulgation and publication of the appropriate rules, regulations or guidelines.
DATA PRIVACY ACT (RA No. 10173)
DEFINITION OF TERMS
Commission shall refer to the National Privacy Commission created by virtue of this Act.
Consent of the data subject refers to any freely given, specific, informed indication of will, whereby the data subject agrees
to the collection and processing of personal information about and/or relating to him or her. Consent shall be evidenced by
written, electronic or recorded means. It may also be given on behalf of the data subject by an agent specifically authorized by
the data subject to do so.
Data subject refers to an individual whose personal information is processed.
Direct marketing refers to communication by whatever means of any advertising or marketing material which is directed to
particular individuals.
Filing system refers to any act of information relating to natural or juridical persons to the extent that, although the information
is not processed by equipment operating automatically in response to instructions given for that purpose, the set is structured,
either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information
relating to a particular person is readily accessible.
Information and Communications System refers to a system for generating, sending, receiving, storing or otherwise
processing electronic data messages or electronic documents and includes the computer system or other similar device by or
which data is recorded, transmitted or stored and any procedure related to the recording, transmission or storage of electronic
data, electronic message, or electronic document.
Personal information controller refers to a person or organization who controls the collection, holding, processing or use
of personal information, including a person or organization who instructs another person or organization to collect, hold,
process, use, transfer or disclose personal information on his or her behalf. The term excludes:
1. A person or organization who performs such functions as instructed by another person or organization; and
2. An individual who collects, holds, processes or uses personal information in connection with the individual’s personal,
family or household affairs.
Personal information processor refers to any natural or juridical person qualified to act as such under this Act to whom a
personal information controller may outsource the processing of personal data pertaining to a data subject.
SCOPE OF APPLICATION

Applicability:
1. The processing of all types of personal information and
2. To any natural and juridical person involved in personal information processing including those personal
information controllers and processors who, although not found or established in the Philippines, use equipment that are
located in the Philippines, or those who maintain an office, branch or agency in the Philippines subject to the immediately
succeeding paragraph.
Does not apply to:
1. Information about any individual who is or was an officer or employee of a government institution that relates to the
position or functions of the individual, including:
a. The fact that the individual is or was an officer or employee of the government institution;
b. The title, business address and office telephone number of the individual;
c. The classification, salary range and responsibilities of the position held by the individual; and
d. The name of the individual on a document prepared by the individual in the course of employment with the government;
2. Information about an individual who is or was performing service under contract for a government institution that
relates to the services performed, including the terms of the contract, and the name of the individual given in the course
of the performance of those services;
3. Information relating to any discretionary benefit of a financial nature such as the granting of a license or permit given
by the government to an individual, including the name of the individual and the exact nature of the benefit;
4. Personal information processed for journalistic, artistic, literary or research purposes;
5. Information necessary in order to carry out the functions of public authority which includes the processing of personal
data for the performance by the independent, central monetary authority and law enforcement and regulatory agencies of
their constitutionally and statutorily mandated functions.
No amendments or repeal to the following laws:
a. Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act;
b. Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and
c. Republic Act No. 9510, otherwise known as the Credit Information System Act (CISA);
6. Information necessary for banks and other financial institutions under the jurisdiction of the independent, central
monetary authority or Bangko Sentral ng Pilipinas to comply with the CISA and Republic Act No. 9160, as amended,
otherwise known as the Anti-Money Laundering Act and other applicable laws; and
7. Personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those
foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

Page 6 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE, DATA PRIVACY & EASE OF DOING BUSINESS RFBT-15
Protection Afforded to Journalists and Their Sources: No amendment or repeal of Republic Act No. 53, which affords the
publishers, editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation protection
from being compelled to reveal the source of any news report or information appearing in said publication which was
related in any confidence to such publisher, editor, or reporter.
Extraterritorial Application: The Data Privacy Act applies to an act done or practice engaged in and outside of the Philippines
by an entity if:
1. The act, practice or processing relates to personal information about a Philippine citizen or a resident;
2. The entity has a link with the Philippines, and the entity is processing personal information in the Philippines or even if
the processing is outside the Philippines as long as it is about Philippine citizens or residents such as, but not limited to,
the following:
a. A contract is entered in the Philippines;
b. A juridical entity unincorporated in the Philippines but has central management and control in the country; and
c. An entity that has a branch, agency, office or subsidiary in the Philippines and the parent or affiliate of the
Philippine entity has access to personal information; and
3. The entity has other links in the Philippines such as, but not limited to:
a. The entity carries on business in the Philippines; and
b. The personal information was collected or held by an entity in the Philippines.
DATA PRIVACY PRINCIPLES
The processing of personal information shall be allowed, subject to:
1. Compliance with the requirements of the Data Privacy Act and other laws allowing disclosure of information to the public
and
2. Adherence to the following principles:
a. Principle of Proportionality: The Processing of Personal data shall be adequate, relevant, suitable, necessary, and
not excessive in relation to a declared and specified purpose. Personal Data shall be processed by the Company only
if the purpose of the Processing could not reasonably be fulfilled by other means.
b. Principle of Legitimate Purpose: The Processing of Personal Data by the Company shall be compatible with a
declared and specified purpose which must not be contrary to law, morals, or public policy.
c. Principle of Transparency: The Data Subject must be aware of the nature, purpose, and extent of the Processing of
his or her Personal Data by the Company, including the risks and safeguards involved, the identity of persons and
entities involved in processing his or her Personal Data, his or her rights as a Data Subject, and how these can be
exercised. Any information and communication relating to the Processing of Personal Data should be easy to access
and understand, using clear and plain language.
PROCESSING OF PERSONAL INFORMATION
Processing refers to any operation or any set of operations performed upon personal information including, but not limited to:
1. Collection,
2. Recording,
3. Organization,
4. Storage,
5. Updating Or Modification,
6. Retrieval,
7. Consultation,
8. Use,
9. Consolidation,
10. Blocking,
11. Erasure Or
12. Destruction of data.
PERSONAL INFORMATION, whether recorded in a material form or not, are those from which the identity of an individual:
1. is apparent, or
2. can be reasonably and directly ascertained by the entity holding the information, or
3. when put together with other information would directly and certainly identify an individual
Examples: include the Data Owner’s Name, Home address and Phone number
Personal information must be:
1. Collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after
collection, and later processed in a way compatible with such declared, specified and legitimate purposes only;
2. Processed fairly and lawfully;
3. Accurate, relevant and, where necessary for purposes for which it is to be used the processing of personal information,
kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed or their further processing
restricted;
4. Adequate and not excessive in relation to the purposes for which they are collected and processed;
5. Retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained or for the
establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law; and
6. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the
data were collected and processed: Provided, That personal information collected for other purposes may lie processed for
historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods: Provided, further,
That adequate safeguards are guaranteed by said laws authorizing their processing.
The personal information controller must ensure implementation of personal information processing principles set out herein.
Criteria for Lawful Processing of Personal Information: The processing of personal information shall be permitted only if
not otherwise prohibited by law, and when at least one of the following conditions exists:
1. The data subject has given his or her consent;
2. The processing of personal information is necessary and is related to the fulfillment of a contract with the data subject
or in order to take steps at the request of the data subject prior to entering into a contract;
3. The processing is necessary for compliance with a legal obligation to which the personal information controller is
subject;
4. The processing is necessary to protect vitally important interests of the data subject, including life and health;

Page 7 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE, DATA PRIVACY & EASE OF DOING BUSINESS RFBT-15
5. The processing is necessary in order to respond to national emergency, to comply with the requirements of public
order and safety, or to fulfill functions of public authority which necessarily includes the processing of personal data
for the fulfillment of its mandate; or
6. The processing is necessary for the purposes of the legitimate interests pursued by the personal information controller
or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental
rights and freedoms of the data subject which require protection under the Philippine Constitution.
PRIVILEGED INFORMATION refers to any and all forms of data which under the Rules of Court and other pertinent laws
constitute privileged communication.
Examples include:
1. Attorney-client privileged information
2. Doctor-patient privileged information
3. Marital privilege communication
4. Priest-confessor privileged information
SENSITIVE PERSONAL INFORMATION refers to personal information:
1. About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
2. About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed
or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such
proceedings;
3. Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers,
previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
4. Specifically established by an executive order or an act of Congress to be kept classified.
Sensitive Personal Information and Privileged Information: The processing of sensitive personal information and
privileged information shall be prohibited, except in the following cases:
1. The data subject has given his or her consent, specific to the purpose prior to the processing, or in the case of privileged
information, all parties to the exchange have given their consent prior to processing;
2. The processing of the same is provided for by existing laws and regulations, provided:
a. Such regulatory enactments guarantee the protection of the sensitive personal information and the privileged
information; and
b. The consent of the data subjects are not required by law or regulation permitting the processing of the sensitive
personal information or the privileged information;
3. The processing is necessary to protect the life and health of the data subject or another person, and the data subject
is not legally or physically able to express his or her consent prior to the processing;
4. The processing is necessary to achieve the lawful and noncommercial objectives of public organizations and their
associations: provided:
a. That such processing is only confined and related to the bona fide members of these organizations or their associations;
b. That the sensitive personal information are not transferred to third parties; and
c. That consent of the data subject was obtained prior to processing;
5. The processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical
treatment institution, and an adequate level of protection of personal information is ensured; or
6. The processing concerns such personal information as is necessary for the protection of lawful rights and interests of
natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided
to government or public authority.
Subcontract of Personal Information: A personal information controller may subcontract the processing of personal
information.
The personal information controller shall be responsible for ensuring that proper safeguards are in place to ensure :
1. The confidentiality of the personal information processed,
2. Prevent its use for unauthorized purposes, and generally,
3. Comply with the requirements of the Data Privacy Act and other laws for processing of personal information.
The personal information processor shall comply with all the requirements of the Data Privacy Act and other applicable laws.
Extension of Privileged Communication: Personal information controllers may invoke the principle of privileged
communication over privileged information that they lawfully control or process. Subject to existing laws and regulations, any
evidence gathered on privileged information is inadmissible.
RIGHTS OF THE DATA SUBJECT
Rights of the Data Subject:
1. Right to Informed Consent – The data subject shall be informed whether personal information pertaining to him or her
shall be, are being or have been processed;
The following information must be provided before the entry of the personal information into the processing system, or at
the next practical opportunity:
a. Description of the personal information to be entered into the system;
b. Purposes for which they are being or are to be processed;
c. Scope and method of the personal information processing;
d. The recipients or classes of recipients to whom they are or may be disclosed;
e. Methods utilized for automated access, if the same is allowed by the data subject, and the extent to which such access
is authorized;
f. The identity and contact details of the personal information controller or its representative;
g. The period for which the information will be stored; and
h. The existence of their rights, i.e., to access, correction, as well as the right to lodge a complaint before the
Commission.
2. Right to Object: The data subject shall have the right to object to the processing of his or her personal data, including
processing for direct marketing, automated processing or profiling.
3. Right to Withhold Consent: The data subject shall be notified and given an opportunity to withhold consent to the
processing in case of changes or any amendment to the information supplied or declared to the data subject in the preceding
paragraph

Page 8 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE, DATA PRIVACY & EASE OF DOING BUSINESS RFBT-15
Amendment of information: Any information supplied or declaration made to the data subject on these matters shall not
be amended without prior notification of data subject. Except: the notification shall not apply should the personal
information be needed pursuant to a subpoena or when the collection and processing are for obvious purposes, including
when it is necessary for the performance of or in relation to a contract or service or when necessary or desirable in the
context of an employer-employee relationship, between the collector and the data subject, or when the information is being
collected and processed as a result of legal obligation.
4. Right to Access: The data subject has reasonable access to, upon demand, the following:
a. Contents of his or her personal information that were processed;
b. Sources from which personal information were obtained;
c. Names and addresses of recipients of the personal information;
d. Manner by which such data were processed;
e. Reasons for the disclosure of the personal information to recipients;
f. Information on automated processes where the data will or likely to be made as the sole basis for any decision
significantly affecting or will affect the data subject;
g. Date when his or her personal information concerning the data subject were last accessed and modified; and
h. The designation, or name or identity and address of the personal information controller.
5. Right to Correction: The data subject shall have the right to dispute the inaccuracy or error in the personal information
and have the personal information controller correct it immediately and accordingly, unless the request is vexatious or
otherwise unreasonable.
If the personal information have been corrected, the personal information controller shall ensure the accessibility of
both the new and the retracted information and the simultaneous receipt of the new and the retracted information
by recipients thereof: Provided, That the third parties who have previously received such processed personal information
shall he informed of its inaccuracy and its rectification upon reasonable request of the data subject;
6. Right to Erasure: the data subject shall have the right to suspend, withdraw or order the blocking, removal or
destruction of his or her personal information from the personal information controller’s filing system upon discovery
and substantial proof that the personal information are incomplete, outdated, false, unlawfully obtained, used for
unauthorized purposes or are no longer necessary for the purposes for which they were collected. In this case, the personal
information controller may notify third parties who have previously received such processed personal information;
7. Right to Damages: The data subject shall be indemnified for any damages sustained due to such inaccurate,
incomplete, outdated, false, unlawfully obtained or unauthorized use of personal information.
8. Right to Data Portability: The right of the data subject to obtain from the personal information controller a copy of
data, where personal information is processed:
a. by electronic means and
b. in a structured and commonly used format.
The Commission may specify the electronic format referred to above, as well as the technical standards, modalities and
procedures for their transfer.
Transmissibility of Rights of the Data Subject: The lawful heirs and assigns of the data subject may invoke the rights
of the data subject for which he or she is an heir or assignee at any time after the death of the data subject or when the
data subject is incapacitated or incapable of exercising the rights as enumerated above.
Non-Applicability of Rights: The above rights of a data subject are not applicable:
1. If the processed personal information are used only for the needs of scientific and statistical research and, on the
basis of such, no activities are carried out and no decisions are taken regarding the data subject: Provided, That
the personal information shall be held under strict confidentiality and shall be used only for the declared purpose; and
2. To processing of personal information gathered for the purpose of investigations in relation to any criminal,
administrative or tax liabilities of a data subject.
SECURITY OF PERSONAL INFORMATION
Security of Personal Information:
1. The personal information controller must implement reasonable and appropriate organizational, physical and technical
measures intended for the protection of personal information against any accidental or unlawful destruction,
alteration and disclosure, as well as against any other unlawful processing.
2. The personal information controller shall implement reasonable and appropriate measures to protect personal information
against natural dangers such as accidental loss or destruction, and human dangers such as unlawful access, fraudulent
misuse, unlawful destruction, alteration and contamination.
3. The determination of the appropriate level of security must take into account (1) the nature of the personal
information to be protected, (2) the risks represented by the processing, (3) the size of the organization and complexity
of its operations, (4) current data privacy best practices and (5) the cost of security implementation.
Subject to guidelines as the Commission may issue from time to time, the measures implemented must include:
a. Safeguards to protect its computer network against accidental, unlawful or unauthorized usage or interference with
or hindering of their functioning or availability;
b. A security policy with respect to the processing of personal information;
c. A process for identifying and accessing reasonably foreseeable vulnerabilities in its computer networks, and
for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach;
and
d. Regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action against
security incidents that can lead to a security breach.
4. The personal information controller must further ensure that third parties processing personal information on its behalf
shall implement the security measures required by this provision.
5. The employees, agents or representatives of a personal information controller who are involved in the processing of
personal information shall operate and hold personal information under strict confidentiality if the personal information
are not intended for public disclosure. This obligation shall continue even after leaving the public service, transfer to another
position or upon termination of employment or contractual relations.
6. The personal information controller shall promptly notify the Commission and affected data subjects when sensitive
personal information or other information that may, under the circumstances, be used to enable identity fraud are
reasonably believed to have been acquired by an unauthorized person, and the personal information controller or the
Commission believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any
affected data subject.

Page 9 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE, DATA PRIVACY & EASE OF DOING BUSINESS RFBT-15
Notification to the Commission: The notification shall at least describe the nature of the breach, the sensitive personal
information possibly involved, and the measures taken by the entity to address the breach. Notification may be delayed
only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable
integrity to the information and communications system.
a. In evaluating if notification is unwarranted, the Commission may take into account compliance by the personal
information controller with this provision and existence of good faith in the acquisition of personal information.
b. The Commission may exempt a personal information controller from notification where, in its reasonable judgment,
such notification would not be in the public interest or in the interests of the affected data subjects.
c. The Commission may authorize postponement of notification where it may hinder the progress of a criminal
investigation related to a serious breach.
Period to report: If there is likelihood of risk to individuals, the data processor must report data breaches within 72 hours.
ACCOUNTABILITY FOR TRANSFER OF PERSONAL INFORMATION
Principle of Accountability: Each personal information controller is responsible for personal information under its control or
custody, including information that have been transferred to a third party for processing, whether domestically or internationally,
subject to cross-border arrangement and cooperation.
1. The personal information controller is accountable for complying with the requirements of the Data Privacy Act and
shall use contractual or other reasonable means to provide a comparable level of protection while the information are being
processed by a third party.
2. Data Protection Officer: The personal information controller shall designate an individual or individuals who are
accountable for the organization’s compliance with the Data Privacy Act. The identity of the individual(s) so designated
shall be made known to any data subject upon request.
SECURITY OF SENSITIVE PERSONAL INFORMATION IN GOVERNMENT
Responsibility of Heads of Agencies: All sensitive personal information maintained by the government, its agencies and
instrumentalities shall be secured, as far as practicable, with the use of the most appropriate standard recognized by the
information and communications technology industry, and as recommended by the Commission.

The head of each government agency or instrumentality shall be responsible for complying with the security
requirements mentioned while the Commission shall monitor the compliance and may recommend the necessary action in
order to satisfy the minimum standards.

Requirements Relating to Access by Agency Personnel to Sensitive Personal Information:

1. On-site and Online Access – Except as may be allowed through guidelines to be issued by the Commission, no employee
of the government shall have access to sensitive personal information on government property or through online facilities
unless the employee has received a security clearance from the head of the source agency.
2. Off-site Access – Unless otherwise provided in guidelines to be issued by the Commission, sensitive personal information
maintained by an agency may not be transported or accessed from a location off government property unless a
request for such transportation or access is submitted and approved by the head of the agency in accordance with
the following guidelines:
a. Deadline for Approval or Disapproval – In the case of any request submitted to the head of an agency, such head
of the agency shall approve or disapprove the request within two (2) business days after the date of submission of
the request.
In case there is no action by the head of the agency, then such request is considered disapproved;
b. Limitation to 1,000 Records – If a request is approved, the head of the agency shall limit the access to not more
than one thousand (1,000) records at a time; and
c. Encryption – Any technology used to store, transport or access sensitive personal information for purposes of off-site
access approved under this subsection shall be secured by the use of the most secure encryption standard
recognized by the Commission.

Applicability to Government Contractors: In entering into any contract that may involve accessing or requiring sensitive
personal information from one thousand (1,000) or more individuals, an agency shall require a contractor and its
employees to register their personal information processing system with the Commission in accordance with the Data
Privacy Act and to comply with the other provisions of said Act, in the same manner as agencies and government employees
comply with such requirements.

UNLAWFUL ACTS AND PENALTIES

1. Unauthorized Processing: any person who process personal information without the consent of the data subject, or
without being authorized under the Data Privacy Act or any existing law. Penalties:

Imprisonment Fine
Personal Information 1 to 3 years P500,000 – P2,000,000
Sensitive Personal Information 3 to 6 years P500,000 – P4,000,000

2. Access – any person who, due to negligence, provided access to personal information without being authorized under the
Data Privacy Act or any existing law. Penalties:

Imprisonment Fine
Personal Information 1 to 3 years P500,000 – P2,000,000
Sensitive Personal Information 3 to 6 years P500,000 – P4,000,000

3. Improper Disposal – any person who knowingly or negligently dispose, discard or abandon the personal information of
an individual in an area accessible to the public or has otherwise placed the personal information of an individual in its
container for trash collection. Penalties:

Imprisonment Fine
Personal Information 6 mos. to 2 years P100,000 – P500,000
Sensitive Personal Information 1 to 3 years P100,000 – P1,000,000

Page 10 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE, DATA PRIVACY & EASE OF DOING BUSINESS RFBT-15

4. Processing for Unauthorized Purposes - processing personal information for purposes not authorized by the data
subject, or otherwise authorized under this Act or under existing laws. Penalties:

Imprisonment Fine
Personal Information 1 year and 6 mos. to 5 years P500,000 – P1,000,000
Sensitive Personal Information 2 to 7 years P500,000 – P2,000,000

5. Unauthorized Access or Intentional Breach – any person who knowingly and unlawfully, or violating data confidentiality
and security data systems, breaks in any way into any system where personal and sensitive personal information is stored.
Penalty shall be imprisonment of 1 year to 3 years and a fine of P500,000 to P2,000,000.

6. Concealment of Security Breaches Involving Sensitive Personal Information. – any person who, after having
knowledge of a security breach and of the obligation to notify the Commission, intentionally or by omission conceals the
fact of such security breach. The penalty shall be imprisonment of 1 year and 6 months to 5 years and a fine of P500,000
to P1,000,000.

7. Malicious Disclosure – Any personal information controller or personal information processor or any of its officials,
employees or agents, who, with malice or in bad faith, discloses unwarranted or false information relative to any personal
information or personal sensitive information obtained by him or her. The penalty shall be imprisonment of 1 year and 6
months to 5 years and a fine of P500,000 to P1,000,000.

8. Unauthorized Disclosure. – Any personal information controller or personal information processor or any of its officials,
employees or agents, who discloses to a third party personal or sensitive personal information, not covered by Malicious
Disclosure above, without the consent of the data subject. The penalties:

Imprisonment Fine
Personal Information 1 year to 3 years P500,000 – P1,000,000
Sensitive Personal Information 3 to 5 years P500,000 – P2,000,000

shall he subject to imprisonment ranging from one (1) year to three (3) years and a fine of not less than Five hundred
thousand pesos (Php500,000.00) but not more than One million pesos (Php1,000,000.00).

9. Combination or Series of Acts – Any combination or series of acts as defined in above shall make the person subject to
imprisonment 3 to 6 years and a fine of P1,000,000 to P5,000,000.

Extent of Liability:
1. Juridical Persons: If the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon
the responsible officers, as the case may be, who participated in, or by their gross negligence, allowed the commission
of the crime. If the offender is a juridical person, the court may suspend or revoke any of its rights under the Data Privacy
Act.
2. Alien: If the offender is an alien, he or she shall, in addition to the penalties above, be deported without further
proceedings after serving the penalties prescribed.
3. Large-Scale: The maximum penalty in the scale of penalties respectively provided shall be imposed when the personal
information of at least one hundred (100) persons is harmed, affected or involved as the result of the above-mentioned
actions.
4. Public Official or Employee: If the offender is a public official or employee and he or she is found guilty of Improper
Disposal of Personal Information and Sensitive Personal Information and Processing of Personal Information and Sensitive
Personal Information for Unauthorized Persons, he or she shall, in addition to the penalties prescribed, suffer perpetual
or temporary absolute disqualification from office, as the case may be.
5. Offense Committed by Public Officer: When the offender or the person responsible for the offense is a public officer as
defined in the Administrative Code of the Philippines in the exercise of his or her duties, an accessory penalty consisting
in the disqualification to occupy public office for a term double the term of criminal penalty imposed shall he
applied.
6. Restitution: Restitution for any aggrieved party shall be governed by the provisions of the New Civil Code.

DATA BREACH NOTIFICATION

NOTIFICATION OF THE COMMISSION: The personal information controller shall notify the Commission of a personal data
breach subject to the following procedures:

When Notification Should be Done: The Commission shall be notified within seventy-two (72) hours upon knowledge of
or the reasonable belief by the personal information controller or personal information processor that a personal data breach
has occurred.

Delay in Notification: Notification may only be delayed to the extent necessary to determine the scope of the breach, to
prevent further disclosures, or to restore reasonable integrity to the information and communications system. The personal
information controller need not be absolutely certain of the scope of the breach prior to notification. Its inability to immediately
secure or restore integrity to the information and communications system shall not be a ground for any delay in notification, if
such delay would be prejudicial to the rights of the data subjects. Delay in notification shall not be excused if it is used to
perpetuate fraud or to conceal the personal data breach.

When delay is prohibited: There shall be no delay in the notification if the breach involves at least one hundred (100) data
subjects, or the disclosure of sensitive personal information will harm or adversely affect the data subject. In both instances,
the Commission shall be notified within the 72-hour period based on available information. The full report of the personal data
breach must be submitted within five (5) days, unless the personal information controller is granted additional time by the
Commission to comply.

Content of Notification: The notification shall include, but not be limited to:

Page 11 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE, DATA PRIVACY & EASE OF DOING BUSINESS RFBT-15
1. Nature of the Breach
a. description of how the breach occurred and the vulnerability of the data processing system that allowed the breach;
b. a chronology of the events leading up to the loss of control over the personal data;
c. approximate number of data subjects or records involved;
d. description or nature of the personal data breach;
e. description of the likely consequences of the personal data breach; and
f. name and contact details of the data protection officer or any other accountable persons.
2. Personal Data Possibly Involved
a. description of sensitive personal information involved; and
b. description of other information involved that may be used to enable identity fraud.
3. Measures Taken to Address the Breach
a. description of the measures taken or proposed to be taken to address the breach;
b. actions being taken to secure or recover the personal data that were compromised;
c. actions performed or proposed to mitigate possible harm or negative consequences, and limit the damage or distress
to those affected by the incident;
d. action being taken to inform the data subjects affected by the incident, or reasons for any delay in the notification;
e. the measures being taken to prevent a recurrence of the incident.
The Commission reserves the right to require additional information, if necessary.
Form: Notification shall be in the form of a report, whether written or electronic, containing the required contents of notification:
Provided, that the report shall also include the name and contact details of the data protection officer and a designated
representative of the personal information controller: Provided further, that, where applicable, the manner of notification of the
data subjects shall also be included in the report. Where notification is transmitted by electronic mail, the personal information
controller shall ensure the secure transmission thereof. Upon receipt of the notification, the Commission shall send a
confirmation to the personal information controller. A report is not deemed filed without such confirmation. Where the
notification is through a written report, the received copy retained by the personal information controller shall constitute proof
of such confirmation
SUBCONTRACT OF PERSONAL INFORMATION
SUBCONTRACT OF PERSONAL DATA: A personal information controller may subcontract or outsource the processing of
personal data: Provided, that the personal information controller shall use contractual or other reasonable means to ensure that
proper safeguards are in place, to ensure the confidentiality, integrity and availability of the personal data processed, prevent
its use for unauthorized purposes, and generally, comply with the requirements of the Act, these Rules, other applicable laws
for processing of personal data, and other issuances of the Commission.
AGREEMENTS FOR OUTSOURCING: Processing by a personal information processor shall be governed by a contract or other
legal act that binds the personal information processor to the personal information controller.
a. The contract or legal act shall set out the subject-matter and duration of the processing, the nature and purpose of the
processing, the type of personal data and categories of data subjects, the obligations and rights of the personal information
controller, and the geographic location of the processing under the subcontracting agreement.
b. The contract or other legal act shall stipulate, in particular, that the personal information processor shall:
1. Process the personal data only upon the documented instructions of the personal information controller, including
transfers of personal data to another country or an international organization, unless such transfer is authorized by
law;
2. Ensure that an obligation of confidentiality is imposed on persons authorized to process the personal data;
3. Implement appropriate security measures and comply with the Act, these Rules, and other issuances of the
Commission;
4. Not engage another processor without prior instruction from the personal information controller: Provided, that any
such arrangement shall ensure that the same obligations for data protection under the contract or legal act are
implemented, taking into account the nature of the processing;
5. Assist the personal information controller, by appropriate technical and organizational measures and to the extent
possible, fulfill the obligation to respond to requests by data subjects relative to the exercise of their rights;
6. Assist the personal information controller in ensuring compliance with the Act, these Rules, other relevant laws, and
other issuances of the Commission, taking into account the nature of processing and the information available to the
personal information processor;
7. At the choice of the personal information controller, delete or return all personal data to the personal information
controller after the end of the provision of services relating to the processing: Provided, that this includes deleting
existing copies unless storage is authorized by the Act or another law;
8. Make available to the personal information controller all information necessary to demonstrate compliance with the
obligations laid down in the Act, and allow for and contribute to audits, including inspections, conducted by the personal
information controller or another auditor mandated by the latter;
9. Immediately inform the personal information controller if, in its opinion, an instruction infringes the Act, these Rules,
or any other issuance of the Commission.
DUTY OF PERSONAL INFORMATION PROCESSOR: The personal information processor shall comply with the requirements
of the Act, these Rules, other applicable laws, and other issuances of the Commission, in addition to obligations provided in a
contract, or other legal act with a personal information controller.
REGISTRATION AND COMPLIANCE REQUIREMENTS
ENFORCEMENT OF THE DATA PRIVACY ACT: Pursuant to the mandate of the Commission to administer and implement the
Act, and to ensure the compliance of personal information controllers with its obligations under the law, the Commission requires
the following:
a. Registration of personal data processing systems operating in the country that involves accessing or requiring sensitive
personal information of at least one thousand (1,000) individuals, including the personal data processing system of
contractors, and their personnel, entering into contracts with government agencies;
b. Notification of automated processing operations where the processing becomes the sole basis of making decisions that
would significantly affect the data subject;
c. Annual report of the summary of documented security incidents and personal data breaches;
d. Compliance with other requirements that may be provided in other issuances of the Commission.

Page 12 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE, DATA PRIVACY & EASE OF DOING BUSINESS RFBT-15
REGISTRATION OF PERSONAL DATA PROCESSING SYSTEMS.
The personal information controller or personal information processor that employs fewer than two hundred fifty (250) persons
shall not be required to register unless the processing it carries out is likely to pose a risk to the rights and freedoms of data
subjects, the processing is not occasional, or the processing includes sensitive personal information of at least one thousand
(1,000) individuals.
Contents: The contents of registration shall include:
1. The name and address of the personal information controller or personal information processor, and of its representative,
if any, including their contact details;
2. The purpose or purposes of the processing, and whether processing is being done under an outsourcing or subcontracting
agreement;
3. A description of the category or categories of data subjects, and of the data or categories of data relating to them;
4. The recipients or categories of recipients to whom the data might be disclosed;
5. Proposed transfers of personal data outside the Philippines;
6. A general description of privacy and security measures for data protection;
7. Brief description of the data processing system;
8. Copy of all policies relating to data governance, data privacy, and information security;
9. Attestation to all certifications attained that are related to information and communications processing; and
10. Name and contact details of the compliance or data protection officer, which shall immediately be updated in case of
changes.

Procedure: The procedure for registration shall be in accordance with these Rules and other issuances of the Commission.
NOTIFICATION OF AUTOMATED PROCESSING OPERATIONS. The personal information controller carrying out any wholly
or partly automated processing operations or set of such operations intended to serve a single purpose or several related
purposes shall notify the Commission when the automated processing becomes the sole basis for making decisions about a data
subject, and when the decision would significantly affect the data subject.
a. The notification shall include the following information:
1. Purpose of processing;
2. Categories of personal data to undergo processing;
3. Category or categories of data subject;
4. Consent forms or manner of obtaining consent;
5. The recipients or categories of recipients to whom the data are to be disclosed;
6. The length of time the data are to be stored;
7. Methods and logic utilized for automated processing;
8. Decisions relating to the data subject that would be made on the basis of processed data or that would significantly
affect the rights and freedoms of data subject; and
9. Names and contact details of the compliance or data protection officer.
b. No decision with legal effects concerning a data subject shall be made solely on the basis of automated processing without
the consent of the data subject.
REVIEW BY THE COMMISSION: The following are subject to the review of the Commission, upon its own initiative or upon
the filing of a complaint by a data subject:
a. Compliance by a personal information controller or personal information processor with the Act, these Rules, and other
issuances of the Commission;
b. Compliance by a personal information controller or personal information processor with the requirement of establishing
adequate safeguards for data privacy and security;
c. Any data sharing agreement, outsourcing contract, and similar contracts involving the processing of personal data, and its
implementation;
d. Any off-site or online access to sensitive personal data in government allowed by a head of agency;
e. Processing of personal data for research purposes, public functions, or commercial activities;
f. Any reported violation of the rights and freedoms of data subjects;
g. Other matters necessary to ensure the effective implementation and administration of the Act, these Rules, and other
issuances of the Commission

EASE OF DOING BUSINESS ACT

(RA No. 11032)

DECLARATION OF POLICY: It is hereby declared the policy of the State to promote integrity, accountability, proper
management of public affairs and public property as well as to establish effective practices, aimed at efficient turnaround of the
delivery of government services and the prevention of graft and corruption in government. Towards this end, the State shall
maintain honesty and responsibility among its public officials and employees, and shall take appropriate measures to promote
transparency in each agency with regard to the manner of transacting with the public, which shall encompass a program for
the adoption of simplified requirements and procedures that will reduce red tape and expedite business and nonbusiness related
transactions in government.

DEFINITION OF TERMS:

Action refers to the written approval or disapproval made by a government office or agency on the application
or request submitted by an applicant or requesting party for processing;
Business One a single common site or location, or a single online website or portal designated for the Business Permit
Stop Shop and Licensing System (BPLS) of an LGU to receive and process applications, receive payments, and issue
(BOSS) approved licenses, clearances, permits, or authorizations;
Business- a set of regulatory requirements that a business entity must comply with to engage, operate or continue
related to operate a business, such as, but not limited to, collection or preparation of a number of documents,
transactions submission to national and local government authorities, approval of application submitted, and receipt
of a formal certificate or certificates, permits, licenses which include primary and secondary, clearances
and such similar authorization or documents which confer eligibility to operate or continue to operate as
a legitimate business

Page 13 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE, DATA PRIVACY & EASE OF DOING BUSINESS RFBT-15
Complex applications or requests submitted by applicants or requesting parties of a government office which
transactions necessitate evaluation in the resolution of complicated issues by an officer or employee of said government
office, such transactions to be determined by the office concerned;
Fixer any individual whether or not officially involved in the operation of a government office or agency who
has access to people working therein, and whether or not in collusion with them, facilitates speedy
completion of transactions for pecuniary gain or any other advantage or consideration;
Government the process or transaction between applicants or requesting parties and government offices or agencies
service involving applications for any privilege, right, reward, license, clearance, permit or authorization,
concession, of for any modification, renewal or extension of the enumerated applications or requests which
are acted upon in the ordinary course of business of the agency or office concerned
Highly technical an application which requires the use of technical knowledge, specialized skills and/or training in the
application processing and/or evaluation thereof
Nonbusiness all other government transactions not falling under Section 4 (c) of this Act
transactions
Officer or a person employed in a government office or agency required to perform specific duties and
employee responsibilities related to the application or request submitted by an applicant or requesting party for
processing
Processing time the time consumed by an LGU or national government agency (NGA) from the receipt of an application or
request with complete requirements, accompanying documents and payment of fees to the issuance of
certification or such similar documents approving or disapproving an application or request
Red tape any regulation, rule, or administrative procedure or system that is ineffective or detrimental in achieving
its intended objectives and, as a result, produces slow, suboptimal, and undesirable social outcomes
Regulation any legal instrument that gives effect to a government policy intervention and includes licensing, imposing
information obligation, compliance to standards or payment of any form of fee, levy, charge or any other
statutory and regulatory requirements necessary to carry out activity
Simple applications or requests submitted by applicants or requesting parties of a government office or agency
transactions which only require ministerial actions on the part of the public officer or employee, or that which present
only inconsequential issues for the resolution by an officer or employee of said government.

COVERAGE: all government offices and agencies including LGUs, GOCCs and other government instrumentalities, whether
located in the Philippines or abroad, that provide services covering business and nonbusiness related transactions.

Business-related transactions - a set of regulatory requirements that a business entity must comply with to engage, operate
or continue to operate a business.

Non-business transactions - all other government transactions.

REENGINEERING OF SYSTEMS AND PROCEDURES: All offices and agencies which provide government services are hereby
mandated to regularly undertake cost compliance analysis, time and motion studies, undergo evaluation and improvement of
their transaction systems and procedures and reengineer the same if deemed necessary to reduce bureaucratic red tape and
processing time.

The Anti-Red Tape Authority shall coordinate with all government offices covered under this Act in the review of existing laws,
executive issuances and local ordinances, and recommend the repeal of the same if deemed outdated, redundant, and adds
undue regulatory burden to the transacting public.

All proposed regulations of government agencies shall undergo regulatory impact assessment to establish if the proposed
regulation does not add undue regulatory burden and cost to these agencies and the applicants or requesting parties: Provided,
That when necessary, any proposed regulation may undergo pilot implementation to assess regulatory impact.

All LGUs and NGAs are directed to initiate review of existing policies and operations and commence with the reengineering of
their systems and procedures in compliance with the provisions of this Act, pending the approval of the implementing rules and
regulations (IRR) thereof.

CITIZEN’S CHARTER: All government agencies including departments, bureaus, offices, instrumentalities, or government-
owned and/or –controlled corporations, or LGUs shall set up their respective most current and updated service standards to be
known as the Citizen’s Charter in the form of information billboards which shall be posted at the main entrance of offices or at
the most conspicuous place, in their respective websites and in the form of published materials written either in English, Filipino,
or in the local dialect, that detail:
a. A comprehensive and uniform checklist of requirements for each type of application or request;
b. The procedure to obtain a particular service;
c. The person/s responsible for each step;
d. The maximum time to conclude the process;
e. The document/s to be presented by the applicant or requesting party, if necessary;
f. The amount of fees, if necessary; and
g. The procedure for filing complaints.

RULES IN ACCESSING GOVERNMENT SERVICES

ACCEPTANCE OF APPLICATIONS OR REQUESTS

1. All officers or employees shall accept written applications, requests, and/or documents being submitted by applicants or
requesting parties of the offices or agencies.
2. The receiving officer or employee shall perform a preliminary assessment of the application or request submitted with
its supporting documents to ensure a more expeditious action on the application or request. The receiving officer or
employee shall immediately inform the applicant or requesting party of any deficiency in the accompanying
requirements, which shall be limited to those enumerated in the Citizen's Charter.
3. The receiving officer or employee shall assign a unique identification number to an application or request, which shall
be the identifying number for all subsequent transactions between the government and the applicant or requesting party
regarding such specific application or request.
4. The receiving officer or employee shall issue an acknowledgement receipt containing the seal of the agency, the name
of the responsible officer or employee, his/her unit and designation, and the date and time of receipt of such application or
request.

Page 14 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE, DATA PRIVACY & EASE OF DOING BUSINESS RFBT-15
ACTIONS OF OFFICERS:
1. PRESCRIBED PERIODS TO PROCESS: All applications or requests submitted shall be acted upon by the assigned officer
or employee within the prescribed processing time stated in the Citizen's Charter which shall not be longer than:

TYPE OF TRANSACTION PERIOD TO PROCESS

Simple Transactions - applications or requests submitted by 3 working days from date of receipt
applicants or requesting parties of a government office or
agency which
a. only require ministerial actions on the part of the
public officer or employee, or
b. that which present only inconsequential issues for the
resolution by an officer or employee of said government
office

Complex Transactions - applications or requests submitted 7 working days from date of receipt
by applicants or requesting parties of a government office
which necessitate evaluation in the resolution of
complicated issues by an officer or employee of said
government office, such transactions to be determined by the
office concerned.

Highly technical application – an application which requires Whichever is shorter between:

the use of technical knowledge, specialized skill and/or a. 20 working days or
training in the process and/or evaluation thereof. b. As determined by the government agency or
instrumentality concerned.
Applications or requests involving activities which pose
danger to public health, public safety, public morals,
public policy.

If the application or request for license, clearance, permit, the Sanggunian concerned shall be given a period of
certification or authorization shall require the approval of the forty-five (45) working days to act on the
local Sanggunian (Sangguniang Bayan, Sangguniang application or request, which can be extended for
Panlungsod, or the Sangguniang Panlalawigan as the case may another twenty (20) working days.
be)
If the local Sanggunian concerned has denied the
application or request, the reason for the denial, as
well as the remedial measures that maybe taken by
the applicant shall be cited by the concerned
Sanggunian

2. EXTENSTION: The maximum time prescribed above may be extended only once for the same number of days, which
shall be indicated in the Citizen's Charter. Prior to the lapse of the processing time, the office or agency concerned shall
notify the applicant or requesting party in writing of the reason for the extension and final date of release of the
government service/s requested. Such written notification shall be signed by the applicant or requesting party to serve as
proof of notice.

3. ADJUSTMENT/SUSPENSION OF PERIOD TO PROCESS: In cases where the cause of delay is due to force majeure or
natural or man-made disasters, which result to damage or destruction of documents, and/or system failure of the
computerized or automatic processing, the prescribed processing times mandated in this Act shall be suspended and
appropriate adjustments shall be made.

AUTOMATIC APPROVAL OR EXTENSION OF LICENSE, CLEARANCE, PERMIT, CERTIFICATION OR AUTHORIZATION:

1. If a government office or agency fails to approve or disapprove an original application or request for issuance of license,
clearance, permit, certification or authorization within the prescribed processing time, said application or request shall
be deemed approved: Provided, That all required documents have been submitted and all required fees and
charges have been paid.
2. The acknowledgement receipt together with the official receipt for payment of all required fees issued to the applicant
or requesting party shall be enough proof or has the same force and effect of a license, clearance, permit, certification
or authorization under this automatic approval mechanism.
3. If a government office or agency fails to act on an application or request for renewal of a license, clearance, permit,
certification or authorization subject for renewal within the prescribed processing time, said license, clearance, permit,
certification or authorization shall automatically be extended: Provided, That the Authority, in coordination with the Civil
Service Commission (CSC), Department of Trade and Industry (DTI) , Securities and Exchange Commission (SEC),
Department of the Interior and Local Government (DILG) and other agencies which shall formulate the IRR of this Act, shall
provide a listing of simple, complex, highly technical applications, and activities which pose danger to public
health, public safety, public morals or to public policy.

DENIAL OF APPLICATION OF REQUEST FOR ACCESS TO GOVERNMENT SERVICE:

Any denial of application or request for access to government service shall be:
1. Fully explained in writing,
2. Stating the name of the person making the denial and
3. the grounds upon which such denial is based.

Any denial of application or request is deemed to have been made with the permission or clearance from the highest
authority having jurisdiction over the government office or agency concerned.

LIMITATION OF SIGNATORIES
The number of signatories in any document shall be limited to a maximum of three (3) signatures which shall represent
officers directly supervising the office or agency concerned: Provided, That in case the authorized signatory is on official
business or official leave, an alternate shall be designated as signatory.

Page 15 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE, DATA PRIVACY & EASE OF DOING BUSINESS RFBT-15
Electronic signatures or pre-signed license, clearance, permit, certification or authorization with adequate security and
control mechanism may be used.

ELECTRONIC VERSIONS OF LICENSES, CLEARANCES, PERMITS, CERTIFICATIONS OR AUTHORIZATION

All government agencies covered shall, when applicable, develop electronic versions of licenses, clearances, permits,
certifications or authorizations with the same level of authority as that of the signed hard copy, which may be printed by the
applicants or requesting parties in the convenience of their offices.

ADOPTION OF WORKING SCHEDULES TO SERVE APPLICANTS OR REQUESTING PARTIES

Heads of offices and agencies which render government services shall adopt appropriate working schedules to ensure that
all applicants or requesting parties who are within their premises prior to the end of official working hours are
attended to and served even during lunch break and after regular working hours.

STREAMLINED PROCEDURES IN LOCAL GOVERNMENT UNITS:

The LGUs are mandated to implement the following revised guidelines in the issuance of business licenses, clearances, permits,
certifications or authorizations:
a. A single or unified business application form shall be used in processing new applications for business permits and
business renewals which consolidates all the information of the applicant or requesting party by various local government
departments, such as, but not limited to, the local taxes and clearances, building clearance, sanitary permit, zoning
clearance, and other specific LGU requirements, as the case may be, including the fire clearance from the Bureau of Fire
Protection (BFP).

The unified form shall be made available online using technology-neutral platforms such as, but not limited to, the central
business portal or the city/municipality's website and various channels for dissemination. Hard copies of the unified
forms shall likewise be made available at all times in designated areas of the concerned office and/or agency.

b. A one-stop business facilitation service, hereinafter referred to as the business one stop shop, (BOSS) for the
city/municipality's business permitting and licensing system to receive and process manual and/or electronic submission of
application for license, clearance, permit, certification or authorization shall be established within the
cities/municipalities’ Negosyo Center as provided for under Republic Act No. 10644, otherwise known as the "Go
Negosyo Act".

There shall be a queuing mechanism in the BOSS to better manage the flow of applications among the LGUs' departments
receiving and processing applications. LGUs shall implement colocation of the offices of the treasury, business permits
and licensing office, zoning office, including the BFP, and other relevant city/municipality offices, departments, among
others, engaged in starting a business, dealing with construction permits.

c. Cities/Municipalities are mandated to automate their business permitting and licensing system or set up an
electronic BOSS within a period of three (3) years upon the effectivity of this Act for a more efficient business
registration processes.

Cities/Municipalities with electronic BOSS shall develop electronic versions of licenses, clearances, permits, certifications
or authorizations with the same level of authority, which may be printed by businesses in the convenience of their
offices. The DICT shall make available to LGUs the software for the computerization of the business permit and licensing
system. The DICT, DTI, and DILG, shall provide technical assistance in the planning and implementation of a computerized
or software-enabled business permitting and licensing system.

d. To lessen the transaction requirements, other local clearances such as, but not limited to, sanitary permits,
environmental and agricultural clearances shall be issued together with the business permit.

e. Business permits shall be valid for a period of one (1) year. The city/municipality may have the option to renew
business permits within the first month of the year or on the anniversary date of the issuance of the business
permit.

f. Barangay clearances and permits related to doing business shall be applied, issued, and collected at the
city/municipality in accordance with the prescribed processing time of this Act: Provided, That the share in the
collections shall be remitted to the respective barangays. The pertinent provisions of Republic Act No. 7160, otherwise
known as "The Local Government Code of 1991", specifically Article IV, Section 152(c) is hereby amended accordingly.
VIOLATIONS AND PERSONS LIABLE: Any person who performs or cause the performance of the following acts shall be
liable:
a. Refusal to accept application or request with complete requirements being submitted by an applicant or requesting party
without due cause;
b. Imposition of additional requirements other than those listed in the Citizen’s Charter;
c. Imposition of additional costs not reflected in the Citizen’s Charter;
d. Failure to give the applicant or requesting party a written notice on the disapproval of an application or request;
e. Failure to render government services within the prescribed processing time on any application or request without due
cause;
f. Failure to attend to applicants or requesting parties who are within the premises of the office or agency concerned prior to
the end of official working hours and during lunch break;
g. Failure or refusal to issue official receipts; and
h. Fixing and/or collusion with fixers in consideration of economic and/or other gain or advantage."

Penalties and Liabilities: Any violations of the above will warrant the following penalties and liabilities.
a. First Offense: Administrative liability with 6 months suspension: Provided, however, That in the case of fixing and/or
collusion with fixers, the penalty below shall apply.
b. Second Offense: Administrative liability and criminal liability of dismissal from the service, perpetual disqualification from
holding public office and forfeiture of retirement benefits and imprisonment of 1 to 6 years with a fine of not less than
P500,000.00, but not more than P2,000,000.00.

Criminal liability shall also be incurred through the commission of bribery, extortion, or when the violation was done deliberately
and maliciously to solicit favor in cash or in kind. In such cases, the pertinent provisions of the Revised Penal Code and other
special laws shall apply.

Page 16 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE, DATA PRIVACY & EASE OF DOING BUSINESS RFBT-15
RANKING OF THE PHILIPPINES IN THE WORLD BANK’S ANNUAL DOING BUSINESS REPORT:
1. 2016 – 103rd
2. 2017 – 99th
3. 2018 – 113th
4. 2019 – 124th
5. 2020 – 95th

MULTIPLE CHOICE QUESTIONS

E- COMMERCE ACT

1. The Electronic Commerce Act applies to any kind of data message and electronic document used in the context of __
activities to include __ dealings, transactions, arrangements, agreements, contracts, and exchanges and storage of
information.
A. Commercial and non-commercial; domestic and international
B. Only commercial; domestic and international
C. Only commercial; only domestic
D. Commercial and non-commercial; only domestic
2. It refers to information generated, sent, received, or stored by optical or similar means.
A. Electronic key
B. Electronic data message
C. Electronic signature
D. Electronic document
3. It refers to any distinctive mark, characteristic and/or sound in electronic form, representing the identity of a person
and attached to or logically associated with the electronic data message or electronic document
A. Electronic key
B. Electronic data message
C. Electronic signature
D. Electronic document
4. It refers to information or the representation of information, data, figures, symbols or other modes of written
expression, described or however represented, by which a right is established or an obligation extinguished, or by
which a fact may be prove and affirmed, which is receive, recorded, transmitted, stored, processed, retrieved or
produced electronically.
A. Electronic key
B. Electronic data message
C. Electronic signature
D. Electronic document
5. It refers to a secret code which secures and defends sensitive information that cross over public channels into a form
decipherable only with a matching electronic key.
A. Electronic key
B. Electronic data message
C. Electronic signature
D. Electronic document
6. First Statement: Information shall be denied legal effect, validity or enforceability solely on the grounds that it is in
the data message purporting to give rise to such legal effect, or that it is merely referred to in that electronic data
message.
Second Statement: For evidentiary purposes, an electronic document shall be the functional equivalent of a written
document under existing laws.
A. Only the first statement is true.
B. Only the second statement is true.
C. Both of the statements are true.
D. None of the statements is true.
7. In any proceedings involving an electronic signature, it shall be presumed that (a) The electronic signature is the
signature of the person to whom it correlates; and (b) The electronic signature was affixed by that person with the
intention of signing or approving the electronic document even if the person relying on the electronically signed
electronic document knows or has noticed of defects in or unreliability of the signature or reliance on the electronic
signature is not reasonable under the circumstances.
A. (a) only
B. (b) only
C. Both (a) and (b)
D. Neither (a) and (b)
8. Who has the burden of proving the authenticity of an electronic data message or electronic document in any legal
proceeding?
A. The person who sent the electronic data message
B. The person who signed the electronic document
C. The person denying the authenticity of said electronic data message or electronic document
D. The person seeking to introduce said electronic data message or electronic document
9. What may be presumed to have been established by an affidavit given to the best of the deponent’s knowledge?
A. Admissibility of electronic evidence only
B. Admissibility and presumption of integrity of electronic evidence
C. Presumption of integrity of electronic evidence only
D. None of the above
10. First Statement: As between the originator and the addressee of an electronic data message or electronic document,
a declaration of will or other statement shall not be denied legal effect, validity or enforceability solely on the ground
that it is in the form of an electronic data message.
Second Statement: An electronic data message or electronic document is that of the originator if it was sent by the
originator himself.

Page 17 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE, DATA PRIVACY & EASE OF DOING BUSINESS RFBT-15
A. Only the first statement is true.
B. Only the second statement is true.
C. Both of the statements are true.
D. None of the statements is true.
11. On March 1, 2019, Alvin sent an email to Simon offering to sell his cellphone for P15,000. In the same email, Alvin
wrote that Simon shall have 10 days from acknowledging the receipt of Alvin’s email to decide whether to accept his
offer or not. The required acknowledgment must be sent on or before March 5, 2019. Simon, without acknowledging
Alvin’s email, replied 5 days after, signifying his acceptance of Alvin’s offer.
Is there a contract perfected?
A. Yes, because there is a meeting of the minds.
B. Yes, because Simon accepted Alvin’s offer before the expiration of the 10-day period.
C. None, because Alvin is not in writing, hence an unacceptable offer.
D. None, because Alvin’s offer is ineffective since Simon failed to acknowledge Alvin’s email.
12. When is an electronic data message or electronic document considered dispatched?
A. As agreed by the parties
B. When it enters an information system outside the control of the originator or his agent
C. When it enters an information system still within the control of the originator or his agent
D. Never, since anything electronic cannot be dispatched
13. When is an electronic data message or electronic document considered received if it was sent to an information system
of the addressee that is not the designated information system?
A. As agreed by the parties
B. At the time when the electronic data message or electronic document enters the designated information
system
C. At the time when the electronic data message or electronic document is retrieved by the addressee
D. At the time when the electronic data message or electronic document enters an information system of the
addressee
14. Where is the place of dispatch of electronic data messages or electronic documents if the originator has more than one
place of business and there is an underlying transaction?
A. Place which has the closest relationship to the underlying transaction
B. Principal place of business
C. Habitual residence
D. Place where the server is located
15. Where is the place of receipt of electronic data messages or electronic documents if the addressee has no place of
business?
A. Place which has the closest relationship to the underlying transaction
B. Principal place of business
C. Habitual residence
D. Place where the server is located
16. Which government agency is empowered to promulgate rules and regulations for the implementation of the Electronic
Commerce Act?
A. Department of Trade and Industry (DTI)
B. Department of Transportation and Communication (DOTC)
C. Department of Information and Communications Technology (DICT)
D. Supreme Court (SC)
17. First Statement: Where the requires that any action referred to contract of carriage of goods be carried out in writing
or by using a paper document, that requirement is met if the action is carried out by using one or more electronic data
messages or electronic documents.
Second Statement: The "usual place of residence" in relation to a body corporate, means the place where it is incorporated
or otherwise legally constituted.
A. Only the first statement is true.
B. Only the second statement is true.
C. Both of the statements are true.
D. None of the statements is true.
18. On March 1, 2019, Donald, through a text message, offered to sell his land to Hillary for P10,000. Hillary accepted
Donald’s offer by sending an email to Donald on March 2, 2019, which Donald was able to read on March 3, 2019. On
March 4, 2019, wondering if Donald received her email, Hillary sent a text message to Donald signifying once again
her acceptance of Donald’s offer, to which Donald immediately replied, “K”. Is there an enforceable contract of sale?
A. Yes, because the offer and the acceptance in electronic form satisfy the requirement that a sale of land be in
writing.
B. Yes, because a contract of sale of land is enforceable whether executed in writing or not.
C. No, the offer and the acceptance were not reduced into writing.
D. No, there was no valid contract at all.
19. On March 1, 2019, Donald, through a text message, offered to sell his land to Hillary for P10,000. Hillary accepted Donald’s
offer by sending an email to Donald on March 2, 2019, which Donald was able to read on March 3, 2019. On March 4,
2019, wondering if Donald received her email, Hillary sent a text message to Donald signifying once again her acceptance
of Donald’s offer, to which a recipient (Donald’s wife) immediately replied, “Sorry, but Donald just died a few hours ago”.
Is there a perfected contract of sale?
A. No, because Hillary’s acceptance was not made in a text message.
B. No, because Donald has already died and can no longer perform any contractual obligation.
C. Yes, because the knowledge of Donald’s wife of Hillary’s acceptance through a text message on March 4, 2019
perfects the contract since she is a legal heir of Donald.
D. Yes, because the email Hillary sent on March 2, 2019 signifying her acceptance was read by Donald on March 3,
2019.
20. On March 1, 2019, Donald, through a text message, offered to sell his land to Hillary for P10,000. Hillary accepted Donald’s
offer by sending an email to Donald on March 2, 2019, which Donald was able to read on March 3, 2019. On March 4,
2019, wondering if Donald received her email, Hillary sent a text message to Donald signifying once again her acceptance
of Donald’s offer, to which Donald immediately replied, “K”. When was the contract of sale of land perfected?
A. March 1, 2019 C. March 3, 2019
B. March 2, 2019 D. March 4, 2019

Page 18 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE, DATA PRIVACY & EASE OF DOING BUSINESS RFBT-15
1 A 6 B 11 D 16 A
2 B 7 A 12 A 17 C
3 C 8 D 13 A 18 A
4 D 9 B 14 A 19 D
5 A 10 C 15 C 20 C

DATA PRIVACY ACT

1. It refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent
or can be reasonably and directly ascertained by the entity holding the information, or when put together with other
information would directly and certainly identify an individual.
A. Data subject
B. Personal information
C. Privileged information
D. Sensitive personal information
2. It refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged
communication.
A. Data subject
B. Personal information
C. Privileged information
D. Sensitive personal information
3. First Statement: DPA applies to the processing of all types of personal information and to any natural and juridical person
involved in personal information processing including those personal information controllers and processors who, although
not found or established in the Philippines, use equipment that are located in the Philippines, or those who maintain an
office, branch or agency in the Philippines, except when DPA is not applicable, subject to the requirements of extraterritorial
application.
Second Statement: The Data Privacy Act is applicable to Information about any individual who is or was an officer or
employee of a government institution that relates to the position or functions of the individual.
A. Only the first statement is true.
B. Only the second statement is true.
C. Both of the statements are true.
D. None of the statements is true.
4. Which information is/are not covered by the Data Privacy Act?
A. About an individual who is or was performing service under contract for a government institution that
relates to the services performed
B. Relating to any discretionary benefit of a financial nature such as the granting of a license or permit given
by the government to an individual
C. Processed for journalistic, artistic, literary or research purposes
D. All of the above
5. Which information is/are not covered by the Data Privacy Act?
A. Necessary in order to carry out the functions of public authority
B. Necessary for banks and other financial institutions under the jurisdiction of the independent, central
monetary authority or Bangko Sentral ng Pilipinas to comply with RA 9510, and RA 9160, as amended
C. Originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign
jurisdictions,
D. All of the above
6. First Statement: The Data Privacy Act did not amend or repeal the provisions of RA 53, which affords the publishers,
editors or duly accredited reporters of any newspaper, magazine or periodical of general circulation protection from being
compelled to reveal the source of any news report or information appearing in said publication which was related in any
confidence to such publisher, editor, or reporter.
Second Statement: The Data Privacy Act applies to an act done or practice engaged within the Philippines by an entity
only and does not apply to those done and engaged outside of the Philippines.
A. Only the first statement is true.
B. Only the second statement is true.
C. Both of the statements are true.
D. None of the statements is true.
7. Which of the following is/are the functions of the National Privacy Commission?
A. Ensure compliance of personal information controllers with the DPA
B. Issue cease and desist orders, impose a temporary or permanent ban on the processing of personal
information, upon finding that the processing will be detrimental to national security and public interest
C. Compel or petition any entity, government agency or instrumentality to abide by its orders or take
action on a matter affecting data privacy
D. All of the above
8. First Statement: The National Privacy Commission shall ensure at all times the confidentiality of any personal information
that comes to its knowledge and possession.
Second Statement: The National Privacy Commission is attached to the Department of Information and Communications
Technology (DICT).
A. Only the first statement is true.
B. Only the second statement is true.
C. Both of the statements are true.
D. None of the statements is true.

Page 19 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE, DATA PRIVACY & EASE OF DOING BUSINESS RFBT-15
9. Who heads the National Privacy Commission?
A. Privacy Chairman
B. Privacy Commissioner
C. Privacy President
D. Privacy Head
10. What are the two responsibilities of the Deputy Privacy Commissioners?
A. Data Processing Systems and Policies and Planning
B. Data Collection Systems and Policies and Planning
C. Data Processing Systems and Finance
D. Data Privacy Systems and Policies and Performance
19. Who appoints the officers of the National Privacy Commission?
A. DICT Secretary
B. President
C. Executive Secretary
D. DTI Secretary
20. How long is the term of a Privacy Commissioner?
A. 1 year
B. 2 years
C. 3 years
D. 5 years
21. What is/are the qualifications of a Privacy Commissioner?
A. At least 36 years of age
B. Of good moral character, unquestionable integrity, and known probity
C. A recognized expert in the field of information technology only
D. All of the above
22. A Deputy Privacy Commissioner shall enjoy the benefits, privileges, and emoluments equivalent to the rank of:
A. Secretary
B. Undersecretary
C. Assistant Secretary
23. The processing of personal information adheres to which principle/s?
A. Transparency
B. Legitimate purpose
C. Proportionality
D. All of the above
24. Who must ensure implementation of personal information principles set out in the Data Privacy Act?
A. Personal information controller
B. Personal information processor
C. Privacy Commissioner
D. Deputy Privacy Commissioner
25. When is processing of personal information lawful?
A. Data subject gave his or her consent
B. When necessary or related to the fulfillment of a contract with the data subject or in order to take steps at the
request of the data subject prior to entering into a contract
C. When necessary for compliance with a legal obligation to which the personal information controller is subject
D. All of the above
26. When is processing of personal information lawful?
A. When necessary to protect the life and health of the data subject or another person, even when the data subject is
legally or physically able to express his or her consent prior to the processing
B. When necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment
institution, and an adequate level of protection of personal information is ensured
C. When not necessary for the protection of lawful rights and interests of natural or legal persons in court proceedings,
or the establishment, exercise or defense of legal claims, or when provided to government or public authority
D. None of the above
27. First Statement: A personal information controller may subcontract the processing of personal information.
Second Statement: Personal information controllers may invoke the principle of privileged communication over
privileged information that they lawfully control or process.
a. Only the first statement is true.
b. Only the second statement is true.
c. Both of the statements are true.
d. None of the statements is true.
28. First Statement: The lawful heirs and assigns of the data subject may invoke the rights of the data subject for, which
he or she is an heir or assignee at any time after the death of the data subject or when the data subject is incapacitated
or incapable of exercising the rights of the data subject.
Second Statement: The rules on rights, its transmissibility, and portability are not applicable if the processed personal
information are used only for the needs of scientific and statistical research and, on the basis of such, no activities are
carried out and no decisions are taken regarding the data subject.
A. Only the first statement is true.
B. Only the second statement is true.
C. Both of the statements are true.
D. None of the statements is true.
29. In case of privacy breach, who is mandated to notify the National Privacy Commission?
A. Personal information controller
B. Personal information processor
C. President
D. Independent auditor

Page 20 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE, DATA PRIVACY & EASE OF DOING BUSINESS RFBT-15
30. Except as may be allowed through guidelines to be issued by the National Privacy Commission, no employee of the
government shall have access to sensitive personal information on government property or through online facilities
unless the employee has received a security clearance from the __ of the source agency.
A. Personal information controller
B. Personal information processor
C. Head
D. Lawyer
31. In the case of any request submitted to the head of an agency, such head of the agency shall approve or disapprove
the request __ after the date of submission of the request.
A. One calendar day
B. Two calendar days
C. One business day
D. Two business days
32. In entering into any contract that may involve accessing or requiring sensitive personal information from __, an agency
shall require a contractor and its employees to register their personal information processing system with the National
Privacy Commission in accordance with the DPA and to comply with the other provisions of the DPA including the
immediately preceding section, in the same manner as agencies and government employees comply with such
requirements.
A. 100 or more individuals
B. 500 or more individuals
C. 1,000 or more individuals
D. 5,000 or more individuals
33. If the offender is a corporation, partnership or any juridical person, the penalty shall be imposed upon the __.
A. Directors
B. Responsible officers
C. Incorporators
D. Stockholders/Partners
34. First Statement: If the offender under DPA is a juridical person, the court may suspend or revoke any of its rights under
the DPA.
Second Statement: If the offender under DPA is an alien, he or she shall, in addition to the penalties herein prescribed,
be deported without further proceedings after serving the penalties prescribed.
A. Only the first statement is true.
B. Only the second statement is true.
C. Both of the statements are true.
D. None of the statements is true.
35. The __ penalty in the scale of penalties respectively provided for the preceding offenses shall be imposed when the
personal information of at least __ persons is harmed, affected or involved as the result of the punishable actions.
A. Maximum; 100
B. Maximum; 1,000
C. Minimum; 100
D. Minimum; 1,000
36. When the offender or the person responsible for the offense under DPA is a public officer as defined in the Administrative Code
of the Philippines in the exercise of his or her duties, an accessory penalty consisting in the disqualification to occupy public
office for a term __ the term of criminal penalty imposed shall he applied.
A. Same as
B. Double
C. Triple
D. Quadruple
37. Restitution for any aggrieved party under DPA shall be governed by the provisions of the __.
A. Code of Commerce
B. Data Privacy Act
C. 1987 Philippine Constitution
D. New Civil Code
38. The act of processing sensitive personal information for unauthorized purposes is punishable by:
A. 1.5 to 5 years of imprisonment and fine 500,000 to 1,000,000
B. 2 to 7 years of imprisonment and fine 500,000 to 1,000,000
C. 1.5 to 5 years of imprisonment and fine500,000 to 2,000,000
D. 2 to 7 years of imprisonment and fine 500,000 to 2,000,000

1 B 11 B 21 A
2 C 12 C 22 C
3 A 13 B 23 D
4 D 14 B 24 C
5 D 15 D 25 B
6 A 16 A 26 C
7 D 17 D 27 A
8 C 18 B 28 B
9 B 19 C 29 D
10 A 20 C 30 D

Page 21 of 22 0915-2303213  www.resacpareview.com

ReSA – THE REVIEW SCHOOL OF ACCOUNTANCY
E-COMMERCE, DATA PRIVACY & EASE OF DOING BUSINESS RFBT-15
EASE OF DOING BUSINESS

1. Under the Ease of Doing Business Act, this has been defined as a set of regulatory requirements that a business entity
must comply with to engage or operate or continue to operate a business:
A. Business-related transaction
B. License
C. Non-business transactions
D. Complex transactions
2. After acceptance of the written applications, requests, and/or documents, who shall perform the preliminary assessment
of the application or request?
A. The receiving officer
B. The direct supervisor of the receiving officer
C. The head of the agency
D. The Anti-Red Tape Authority
3. A transaction which present only inconsequential issues for the resolution by an officer or employee of the concerned
government office is known as:
A. Simple transaction
B. Complex transaction
C. Highly-technical transaction
D. A transaction that will require the approval of a local sanggunian
4. For this type of transactions, the Ease of Doing Business Act allows a maximum of 20 working days to process. Which one
is an exception?
A. an application or request which requires the use of technical knowledge, specialized skill and/or training in the
process and/or evaluation thereof.
B. An application involving activities which pose danger to public health
C. A request involving activities which pose danger to public safety
D. Applications or requests submitted by applicants or requesting parties of a government office which necessitate
evaluation in the resolution of complicated issues by an officer or employee of said government office, such
transactions to be determined by the office concerned
5. An application which requires the use of technical knowledge, specialized skill and/or training in the process and/or
evaluation thereof.
A. Simple Transaction
B. Complex Transaction
C. Highly-Technical Transaction
D. None of the choices
6. If the approval of the local Sanggunian is required, the processing time of the application or request, the approval of the
Sanggunian concerned shall be given a period of ____________.
A. 20 calendar days
B. 45 calendar days
C. 20 working days
D. 45 working days
7. If a transaction is categorized as complex, it shall be processed not more than 7 working days from the date of receipt,
which is also the number of days indicated in the citizens’ charter. The maximum time for extension that may be granted
is:
A. 3 working days
B. 7 working days
C. 20 working days
D. 45 working days
8. If a government office fails to approve or disapprove an application within the prescribed processing time:
A. It shall be deemed approved
B. It shall be deemed denied
C. It shall be deemed approved only if all the required documents have been submitted and all required fees and
charges have been paid
D. It shall be deemed denied if all the required documents have not been submitted even if all required fees and
charges have been paid
9. The number of signatories in any document shall be limited to a maximum of ___ signatures which shall represent officers
directly supervising the office or agency concerned.
A. 1
B. 3
C. 5
D. 7
10. Mr. X went to a government agency and arrived at 4:58pm. He was 12 th in the number of persons who sill be submitting
an application for a government license. The agency closes at 5:00pm and it takes on average 20mins to process the
submission which means only 1 applicant will be processed before closing time. In this case,
A. Mr. X would have to go back the following day and will be considered 11th in the processing queue.
B. Mr. X would have to go back the following day and obtain a new queueing number.
C. Mr. X would not have to go back as his application is still required to be processed that same day.
D. Mr. X can be considered a priority.

1 A 6 D
2 A 7 B
3 A 8 C
4 D 9 B
5 C 10 C

Page 22 of 22 0915-2303213  www.resacpareview.com