RA 10173 Practice

What is the short title of Republic Act No. 10173?

Answer: Data Privacy Act of 2012.

What term refers to an individual whose personal information is processed?

Answer: Data subject.

Who controls the collection, holding, or use of personal information?

Answer: Personal information controller.

What term describes information about an individual's race, health, or political affiliations?

Answer: Sensitive personal information.

What entity is created under Section 7 to administer the Data Privacy Act?

Answer: National Privacy Commission.

What term refers to operations like collection, storage, or destruction of personal data?

Answer: Processing.

What type of information is protected under the Rules of Court as confidential communication?

Answer: Privileged information.

What term refers to marketing communications directed to specific individuals?

Answer: Direct marketing.

Who processes personal data on behalf of a personal information controller?

Answer: Personal information processor.

What term refers to a structured set of information accessible by reference to individuals?

Answer: Filing system.

Situation: A bank collects customer data for loan applications but later uses it for promotional emails. Question: Which principle of lawful processing under Section 11 did the bank violate?

Answer: Collection for specified and legitimate purposes (proportionality and transparency).

Situation: A hospital shares a patient's medical records with a research institution without consent. Question: Under Section 13, is this allowed without the patient's consent?

Answer: No, unless there is legal authorization or the processing protects the patient's life/health and consent cannot be given.

Situation: A company processes employee data to comply with BIR tax reporting. Question: Which criterion under Section 12 justifies this processing?

Answer: Compliance with a legal obligation.

Situation: A website stores user data indefinitely despite no longer offering services. Question: Which data privacy principle under Section 11(e) is violated?

Answer: Retention only for as long as necessary.

Situation: A foreign e-commerce company with a Philippine branch processes data of Filipino customers. Question: Does the Data Privacy Act apply to this company under Section 6?

Answer: Yes, due to extraterritorial application (presence of a Philippine branch).

Situation: A school publishes student grades on a public bulletin board. Question: Which principle under Section 11 is violated?

Answer: Protection of data in a form that permits identification beyond necessity.

Situation: A journalist publishes a story using personal data obtained confidentially. Question: Is this exempt under Section 4(d)?

Answer: Yes, if the processing is for journalistic purposes.

Situation: A government employee's job title and office address are disclosed in a public directory. Question: Is this prohibited under Section 4(a)?

Answer: No, such information is exempt under the law.

Situation: A customer sues a telecom company for selling their data to third parties without consent. Question: Which right of the data subject under Section 16 is violated?

Answer: Right to object to processing for direct marketing.

Situation: A company fails to report a data breach affecting 100 clients. Question: Which NPC function under Section 7(b) is relevant for addressing this?

Answer: Investigation of complaints and imposition of sanctions.

Situation: A Philippine citizen's data is processed by a foreign company without a Philippine office. Question: Does the Data Privacy Act apply under Section 6(a)?

Answer: Yes, if the data subject is a Philippine citizen/resident.

Situation: A marketing firm uses an individual's personal data to promote products via SMS. Question: What type of activity under Section 3(d) is this?

Answer: Direct marketing.

Situation: A data subject requests a copy of their personal data held by an insurance company. Question: Which right under Section 16(a) is exercised here?

Answer: Right to access.

Situation: A company processes employee biometric data for attendance tracking. Question: What type of information under Section 3(l) is this?

Answer: Sensitive personal information.

Situation: A data subject withdraws consent for data processing after initially agreeing. Question: What obligation arises for the controller under Section 11?

Answer: Cease processing unless another lawful criterion applies.

Situation: A hospital shares a patient's HIV status with unauthorized staff. Question: Which type of information under Section 3(l)(2) is disclosed?

Answer: Sensitive personal information.

Situation: A bank refuses to correct a customer's outdated address in its records. Question: Which right under Section 16(c) is violated?

Answer: Right to rectify.

Situation: A social media app collects data from minors without parental consent. Question: Which provision under Section 13 is violated?

Answer: Processing sensitive personal information without valid consent.

Situation: A company uses CCTV footage to monitor employee productivity. Question: Under Section 12(f), is this lawful if employee rights are prioritized?

Answer: Only if legitimate interests override the employees' privacy rights.

Situation: A data breach exposes credit card details of 10,000 customers. Question: Which NPC function under Section 7(c) applies to mitigate harm?

Answer: Issuing a cease-and-desist order or temporary processing ban.