TACTICAL TRAINING

Under RA 10173, which of the following terms encompasses a range of operations—including collection, recording, organization, storage, adaptation, retrieval, consultation, use, consolidation, blocking, erasure, or destruction—performed on personal data, regardless of whether the operation is done manually or through automated means?

Which legal basis under RA 10173 is specifically required when the processing of personal data is neither necessary for compliance with a legal obligation, fulfillment of a contract, protection of vital interests, performance of a public authority’s task, nor legitimate interests pursued by the personal information controller or third party?

Which compliance tool, although not explicitly mandated by name in RA 10173, is required under NPC Advisory No. 2017-03 for identifying, assessing, and mitigating risks to the rights and freedoms of data subjects prior to the launch of new or significantly modified processing systems involving sensitive personal information or high-risk data activities?

Under RA 10173 and its implementing rules, which entity bears the primary legal responsibility for ensuring the lawful processing of personal data, including compliance with data subject rights and breach notification requirements, even when the actual processing is outsourced to a third-party service provider?

In accordance with RA 10173 and NPC Circulars, which formal document is required when two or more Personal Information Controllers agree to exchange personal data for a specific purpose, outside the scope of outsourcing, and must clearly define roles, safeguards, duration, and mechanisms for upholding data subject rights?

Which of the following roles, though not vested with ultimate legal accountability for data processing activities, is required under RA 10173 to ensure organizational compliance by monitoring internal data handling practices, managing privacy risks, and serving as a liaison to the National Privacy Commission?

In large-scale organizations with complex data operations, which internal role—though not legally required by RA 10173—may be designated to assist in the implementation of privacy management programs, conduct routine compliance checks, and support the Data Protection Officer in enforcing internal data governance protocols?

Which of the following statements correctly reflects the extent of the enforcement powers of the National Privacy Commission (NPC) under RA 10173 with regard to criminal violations?

In the event of a personal data breach involving sensitive personal information or information that may be used to enable identity fraud, which of the following best describes the obligation of a Personal Information Controller in relation to timely breach reporting?