ARTS-PRTC CPA Review

(Academic Review & Training School, Inc)

4F Anelle Bldg., Biak na Bato St. cor PNR Road, Tabuco, Naga City
 0917 6361700; 054 811-1877  arts-prtc@gmail.com; f: Arts-Prtc Cpa Review

ATTY. MICHAEL B. BONGALONTA CPA,MICB,MBA,CTT,DBA, MRIS,MRITAX

DATA PRIVACY ACT 2023
a) Data protection is about securing personal data, and
data privacy is about controlling how personal data is
1. Who is responsible for enforcing the Data Privacy used.
Act?
b) Data protection is about controlling how personal
A. The Department of Information and data is used, and data privacy is about securing
Communications Technology personal data.
B. The National Privacy Commission
c) Data protection and data privacy refer to the same
C. The Department of Justice
thing.
D. The Department of Trade and Industry
d) None of the above.

2. What is the purpose of the Data Privacy Act?

A. To protect the personal data of individuals 4. Which of the following is an example of a data
B. To promote business transactions privacy violation?
C. To limit internet access to sensitive information
D. To restrict the use of technology by government a) A company accidentally releases employee salaries
agencies b) A student posts a photo of their teacher online
without permission
3. What are the penalties for violating the Data Privacy c) A government agency collects data on citizens
Act?
without their consent
A. Imprisonment and a fine d) All of the above
B. Suspension of business operations
C. Warning letters and court hearings
D. Community service and a written apology
5. What is informed consent?

4. What is considered personal data under the Data a) Permission given by a data subject for their
Privacy Act? personal data to be used or processed.

A. Any information about an individual b) Permission given by a data controller to a data

B. Financial information subject to use their personal data.
C. Medical records
c) Permission given by a government agency to collect
D. All of the above
personal data on citizens.

d) None of the above.

5. Who can access personal data under the Data
Privacy Act?

A. Anyone who requests it 6. What is the maximum fine for a data protection
B. Only the individual whose data is being accessed violation under the GDPR?
C. Employees of the organization holding the data
D. Government agencies with proper clearance a) €20,000
b) €500,000
c) €1 million
1. What is the purpose of data privacy laws? d) €20 million or 4% of the company's global annual
revenue, whichever is greater.
a) To protect personal information
b) To allow companies to use personal information as
they see fit 7. Which of the following is not a key principle of data
c) To allow the government access to personal protection?
information
d) None of the above a) Lawfulness, fairness and transparency
b) Accuracy
c) Purpose limitation
2. Which of the following is considered personal data? d) Freedom of speech

a) Name and address

b) Religion 8. What is a data controller?
c) Political affiliation
d) All of the above a) The person who owns the data
b) The person who uses the data
c) The person who decides how and why the data is
3. What is the difference between data protection and used
data privacy? d) None of the above
9. What is a data subject? b) To allow individuals to access their personal data

a) The person who owns the data c) To allow individuals to restrict the processing of
b) The person who uses the data their personal data
c) The person who the data is about
d) None of the above d) None of the above

10. What is a data processor?

18. What is the purpose of the right to restrict
a) The person who owns the data processing?
b) The person who uses the data
c) The person who processes the data on behalf of the a) To allow individuals to have personal data deleted or
data controller removed if there is no compelling reason for its
d) None of the above continued processing

b) To allow individuals to access their personal data

11. What is the legal basis for processing personal data
c) To allow individuals to restrict the processing of
under the GDPR? their personal data
a) Consent d) None of the above
b) Contractual necessity
c) Legal obligation
d) All of the above
19. What is the purpose of the right to data portability?

a) To allow individuals to have personal data deleted or

12. Which of the following is considered sensitive
removed if there is no compelling reason for its
personal data?
continued processing
a) Name
b) To allow individuals to access their personal data
b) Email address
c) Race or ethnicity c) To allow individuals to receive a copy of their
d) All of the above personal data in a structured, commonly used and
machine-readable format, and transfer it to another
controller.
13. What is a data breach?
d) None of the above
a) When personal data is accidentally or unlawfully
destroyed, lost, altered, or disclosed.
b) When personal data is securely stored.
c) When personal data is used for a lawful purpose. 20. What is the purpose of the right to object?
d) None of the above
a) To allow individuals to have personal data deleted or
removed if there is no compelling reason for its
14. What action should a company take if there has continued processing
been a data breach?
b) To allow individuals to access their personal data
a) Inform the relevant authorities within 72 hours
c) To allow individuals to object to the processing of
b) Inform the affected individuals if there is a high risk
their personal data in certain circumstances, such as
to their rights and freedoms
for direct marketing purposes.
c) Both a and b
d) None of the above d) None of the above

15. What is the purpose of a Privacy Impact

Assessment? 21. What is the purpose of the right to rectification?

a) To identify and mitigate the risks associated with a) To allow individuals to have personal data deleted or
the processing of personal data removed if there is no compelling reason for its
b) To collect personal data continued processing
c) To sell personal data
d) None of the above b) To allow individuals to access their personal data

c) To allow individuals to have inaccurate personal

16. What is pseudonymisation? data corrected or completed if it is incomplete.

a) The process of encrypting personal data d) None of the above

b) The process of making personal data anonymous
c) The process of replacing personal data with a
pseudonym or code 22. What is the purpose of the right to information?
d) None of the above
a) To allow individuals to have personal data deleted or
removed if there is no compelling reason for its
17. What is the purpose of the right to erasure? continued processing

a) To allow individuals to have personal data deleted or b) To allow individuals to access their personal data
removed if there is no compelling reason for its
continued processing c) To allow individuals to know about the processing of
their personal data.
d) None of the above b) To collect personal data

c) To sell personal data

23. What is a data protection officer? d) None of the above

a) The person who owns the data

b) The person who uses the data
c) The person who ensures that an organization is 30. What is a data protection officer?
compliant with data protection regulations a) The person who owns the data
d) None of the above
b) The person who uses the data

24. In the context of data privacy, what is a transfer of c) The person who ensures that an organization is
personal data? compliant with data protection regulations

a) When personal data is copied to a different storage d) None of the above

location
b) When personal data is sent to another organization
or country
31. What is the difference between personal data and
c) When personal data is deleted
sensitive personal data?
d) Both a and c
a) Personal data is any information that relates to an
identified or identifiable natural person, and sensitive
25. What is the purpose of the Privacy and Electronic
personal data is personal data that includes racial or
Communications Regulations?
ethnic origin, political opinions, religious beliefs, trade
a) To regulate how businesses can use cookies on their union membership, genetic or biometric data,
websites information concerning health, or information
b) To restrict unsolicited marketing emails and texts concerning a natural person’s sex life or sexual
c) Both a and b orientation.
d) None of the above
b) Personal data is any information that is personal,
and sensitive personal data is any information that is
26. What is a cookie? not personal.

a) A type of cake c) Personal data is any information that is related to a

b) A small text file that a website stores on a user's person's professional life, and sensitive personal data
computer or device to remember information about is any information that is related to their personal life.
them
d) None of the above.
c) A type of virus
d) None of the above

32. What is the principle of data minimization?

27. What is the difference between a first-party cookie
and a third-party cookie? a) Ensuring that personal data is only used for the
purpose for which it was collected
a) A first-party cookie is set by the website that the
user is visiting, and a third-party cookie is set by a b) Ensuring that personal data is processed in a
different website that is embedded in the first website. transparent manner

b) A first-party cookie is set by the user, and a third- c) Ensuring that personal data is only collected and
party cookie is set by the website. held if it is necessary for the purpose for which it was
collected
c) A first-party cookie is set by the government, and a
third-party cookie is set by a private company. d) None of the above

d) None of the above

33. What is the role of the Information Commissioner’s
Office (ICO)?
28. Which of the following actions is not allowed under
the GDPR? a) To enforce data protection legislation and
investigate potential violations
a) Collecting personal data without informed consent b) To sell personal data
c) To collect personal data
b) Selling personal data without consent
d) None of the above
c) Processing personal data for a different purpose
than originally stated
34. Which of the following is not considered personal
d) All of the above data?

a) An anonymous email address

b) An IP address
29. What is the purpose of data protection impact c) A cookie ID
assessments? d) None of the above

a) To identify and mitigate the risks associated with

the processing of personal data
35. What is the purpose of Privacy by Design and by b) To allow individuals to access their personal data
Default?
c) To allow individuals to restrict the processing of
a) To ensure that data protection and privacy are built their personal data
into systems and processes from the beginning
d) None of the above
b) To ensure that personal data is collected without
informed consent

c) To ensure that personal data is used for marketing 42. What is a data controller?
purposes a) The person who owns the data
d) None of the above b) The person who processes the data
c) The person who decides how and why the data is
processed
d) None of the above
36. Which of the following is not required under the
GDPR? 43. What is the purpose of data protection laws?
a) Consent to be obtained for every specific use of a) To protect personal data
personal data
b) A privacy policy to be provided to data subjects b) To allow organizations to use personal data as they
c) The appointment of a data protection officer see fit
d) All of the above are required under the GDPR.
c) To allow the government access to personal data

37. What is a data subject access request? d) None of the above

a) A request made by a data subject for access to their

personal data 44. What is the principle of accountability under the
b) A request made by a data controller for access to a GDPR?
data subject's personal data a) To ensure that organizations are responsible for
c) A request made by a government agency for access complying with data protection laws
to personal data b) To ensure that individuals are responsible for
d) None of the above protecting their own personal data

c) To ensure that data processors are responsible for

data protection
38. What is a data protection impact assessment?
d) None of the above
a) A process for identifying and mitigating risks
associated with the processing of personal data

b) A process for collecting personal data 45. Which of the following is a legal basis for
processing personal data?
c) A process for selling personal data
a) Agreement
d) None of the above b) Contractual necessity
c) Legal obligation
d) All of the above
39. What is a data breach?

a) An unauthorized access to or disclosure of personal 46. Which of the following is a legitimate interest for
data processing personal data?

b) A lawful use of personal data a) Marketing

b) Fraud prevention
c) A request made by a data subject for access to their c) Research
personal data d) All of the above

d) None of the above

47. What is the purpose of data subject rights?

a) To give individuals control over their personal data

40. Which of the following is not a consequence of a
data breach? b) To give data controllers the right to use personal
data as they see fit
a) Loss of trust from customers
b) Financial penalties c) To give governments access to personal data
c) Legal action
d) None of the above d) None of the above

41. What is the purpose of the right to be forgotten? 48. What is the difference between a data controller
a) To allow individuals to have personal data deleted or and a data processor?
removed if there is no compelling reason for its
continued processing
a) A data controller processes personal data on behalf 54. What is the purpose of a data protection officer?
of another organization, and a data processor is
responsible for the processing of personal data. a) To ensure that organizations are compliant with
data protection legislation
b) A data controller is responsible for the processing of
personal data, and a data processor processes
personal data on behalf of the data controller.

c) A data controller owns the personal data, and a data

processor uses the personal data.

d) None of the above.

49. What is the purpose of the right to rectification?

a) To allow individuals to have personal data deleted or

removed if there is no compelling reason for its
continued processing

b) To allow individuals to access their personal data

c) To allow individuals to have inaccurate personal

data corrected or completed if it is incomplete.

d) None of the above

50. What is the purpose of a privacy notice?

a) To inform individuals about the processing of their

personal data

b) To collect personal data

c) To sell personal data

d) None of the above

51. Which of the following is not a right under the

GDPR?

a) The right to restrict processing

b) The right to access personal data

c) The right to collect personal data

d) None of the above

52. What is the purpose of the Privacy and Electronic

Communications Regulations?

a) To regulate how businesses can use cookies on their

websites

b) To restrict unsolicited marketing emails and texts

c) Both a and b

d) None of the above

53. What is data portability?

a) The ability for individuals to receive a copy of their

personal data in a structured, commonly used and
machine-readable format, and transfer it to another
controller.

b) The ability for a government agency to collect

personal data

c) The ability for a company to sell personal data

d) None of the above