The Regulations are prescribed in accordance with Paragraph 3, Article 27 of the Personal Data Protection Act (hereinafter, "the Act").
The competent authorities referred to in the Regulations are the Ministry of the Interior at the central level, municipal governments at the municipal level, and county (city) governments at the county (city) level.
The non-government agencies referred to in the Regulations include the following:
1.Civil associations, cooperatives, and credit unions at every level.
2.Others designated by the central competent authority.
A non-government agency that retains members’ personal data up to an amount of 5,000 shall establish a security and maintenance plan for the protection of personal data files and a guideline on disposing personal data following an association (cooperative) affairs termination (hereinafter, "the Plans and Disposal Regulations") to implement security, maintenance, and management of personal data files to prevent the personal data from being stolen, altered, damaged, destroyed or disclosed.
When establishing the Plans and Disposal Regulations in accordance with the preceding paragraph, a non-government agency shall set proper security, maintenance, and management measures with the following matters included by taking its organization size, characteristics, and the nature and quantity of the personal data to be possessed into consideration as well as referencing the requirements provided in Article 5 to Article 21. The matters of each item of Subparagraph 2 may be consolidated if necessary.
1.The organization size and characteristics of the non-government agency;
2.The security and management measures for the personal data files:
(1)allocating management personnel and reasonable resources;
(2)defining the scope of collection, processing, and use of personal data;
(3)establishing a mechanism of risk assessment and management of personal data;
(4)establishing a mechanism of preventing, giving notice of, and responding to a data breach;
(5)establishing an internal control procedure for the collection, processing, and use of personal data;
(6)establishing measures for equipment security management, data security management, and personnel management;
(7)promoting awareness, education, and training;
(8)establishing an audit mechanism for personal data security and maintenance;
(9)keeping records, log files, and relevant evidence;
(10)implementing integrated and persistent improvements on the security and maintenance of personal data; and
(11)setting a guideline on disposing personal data following an association (cooperative) affairs termination.
For the Plans and Disposal Regulations in Paragraph 1, it shall be filed with the competent authority for future reference within six months from the date on which the non-government agency completes its establishment or registration. For the non-government agency that has completed its establishment or registration before being designated by the competent authority according to Subparagraph 2 in the preceding Article, the Plans and Disposal Regulations shall be filed with the competent authority for future reference within 6 months from the date on which the non-government agency is designated.
A non-government agency that retains personal data under an amount of 5,000, but reaching an amount of 5,000 or more due to direct or indirect collection shall file the Plans and Disposal Regulations with the competent authority for future reference within six months from the date on which the retrained data reaches an amount of 5,000.
A non-government agency shall allocate management personnel and reasonable resources, be in charge of planning, setting, amending, and implementing the Plans and Disposal Regulations or other related matters, as well as periodically reporting to the representative.
A non-government agency shall establish a personal data protection and management policy to publicly announce the specific purpose and legal basis for collecting, processing, and using personal data, or other relevant protection measures at the location of the association (cooperative) address or other proper locations, and in possession of a website, to disclose it on the website homepage, thereby making it known to both the staff and the data subject.
A non-government agency shall periodically review and confirm the status of personal data retained according to the laws and regulations related to personal data protection, and define the scope thereof included in the Plans and Disposal Regulations.
A non-government agency shall assess the potential risk that may occur to personal data in accordance with the scope of personal data set forth in the preceding article and the process by which the personal data is collected, processed, and used. A proper control mechanism shall be established according to the result of the risk assessment.
In response to security breaches, including personal data being stolen, altered, damaged, destroyed, or disclosed (hereinafter, “personal data breach”), a non-government agency shall establish a mechanism of responding, giving notice of, and preventing a data breach as follows:
1.A variety of measures that shall be adopted following the occurrence of a personal data breach, including:
(1)a method for the data subject to control the damages;
(2)a proper method to notify the data subject following the clarification of the facts of the personal data breach; and
(3)the contents of the personal data breach of which the data subject shall be notified, including the facts, necessary responding measures, and consultation service hotline;
2.The recipients that shall given notice and the notification method following the occurrence of the personal data breach.
3.A discussion mechanism of correction and prevention measures following the occurrence of the personal data breach.
Where a personal data breach reaches an amount of 1,000 or more, a non-government agency in the case shall notify, within 72 hours following the disclosure of the breach, the competent authority in writing of information, such as the agency of notification, the time of occurrence, the type of breach, the cause and summary of breach, the damage condition, the possible consequences of personal data infringements, the responding measure to be adopted, when and how to notify the data subject, whether to notify immediately following the discovery of personal data disclosure. Where a municipal or county (city) competent authority receives the notification of the breach, it shall also notify the central competent authority (see the Appendix for a written notification format).
For a material personal data breach, the competent authority may conduct field inspection on the response, notification, and prevention mechanisms of the non-government agency according to Article 22 of the Act, and take any further action depending on the inspection result. The central competent authority, if deeming it necessary, may supervise the municipal or county (city) competent authorities on the improvements to the relevant mechanisms of the non-government agency.
Non-government agency staff shall verify whether the requirements of Article 19 of the Act are met, when collecting and processing general personal data for the purpose of executing its association (cooperative) affairs. When using general personal data, the staff shall verify whether the necessary scope for the specific purpose of collection is met. When using general personal data for the purpose other than the specific purpose, the staff shall verify whether the condition of the proviso to Paragraph 1, Article 20 of the Act is met.
A non-government agency shall comply with the obligation of informing specified in Articles 8 and 9 of the Act when collecting personal data, and for direct collection or indirect collection of personal data, respectively establish the informing methods, contents, and precautions, and require the staff to comply.
Where the central competent authority has made an order or disposition to a non-government agency relating to the restrictions on cross-border transfers of personal data in accordance with the requirements of Article 21 of the Act, the non-government agency shall notify its staff to comply and implement.
The non-government agency, carrying out a cross-border transfer of personal data, shall verify whether it is restricted by the central competent authority, and notify the data subject of the area that the cross-border transfer of its personal data is carried out, and shall supervise the data recipient on the following:
1.the planned scope, category, specific purpose, time period, territory, recipients, and methods of the processing or use of personal data; and
2.the related matters of exercising the rights prescribed in the Article 3 of the Act by the data subject.
When a data subject exercises the rights prescribed in Article 3 of the Act, a non-government agency shall act in accordance with the following provisions:
1.providing a contact person and contact method;
2.confirming whether the individual is the personal data subject itself, or a commissioned representative of the data subject;
3.where there is a reason for refusing the exercise of rights by the data subject based on the provisos prescribed in Article 10, Paragraph 2 or Paragraph 3 of Article 11 of the Act, the data subject shall be notified of the reason for the refusal;
4.informing the data subject of charging basis in the case of charging necessary expenses; and
5.complying with the disposal deadline prescribed in Article 13 of the Act.
For collected and retained personal data files, non-government agencies shall adopt necessary and proper security equipment or protection measures.
The security equipment or protection measures of the preceding paragraph shall include the following:
1.security and protection facilities for paper documents;
2.computers, automatic machine-related equipment, portable equipment or storage media, installed with security and protection systems or encryption mechanisms, for storing electronic files; and
3.where personal data is recorded on or in paper, disks, tapes, CDs, microfilms, integrated circuit chips or other storage media, proper destroying or protection measures shall be adopted to prevent leakage of such personal data when the media is to be scrapped, replaced, or used for other purposes; when another party is commissioned to perform the above, the non-government agency shall supervise the commissioned party in accordance with Article 20.
In order to properly protect the security of personal data, a non-government agency shall adopt appropriate management measures on its staff.
The management measures referred to in the preceding paragraph shall include the following:
1.According to the needs of association (cooperative) affairs, the access rights for the staff shall be appropriately set to control their access to personal data, and the appropriateness and necessity of the access rights shall be periodically verified.
2.The nature of each relative association (cooperative) affairs shall be examined, and personnel in charge of the collection, processing, use, and other procedures of personal data shall be regulated.
3.The staff are required to properly retain storage media containing personal data, and follow retaining and confidentiality obligations.
4.The staff are required to hand over the personal data retained for implementing association (cooperative) affairs upon change or termination of employment. They are prohibited from using the data after its position, and shall execute a confidential affidavit.
A non-government agency which uses information and communications technology system to collect, process or use up to 5,000 personal data of association (cooperative) members or more, shall take the following information security measures:
1.mechanisms for user identity verification and protection;
2.masking mechanisms for displaying personal data;
3.security encryption mechanisms for Internet transmission;
4.access control and protection monitoring measures of personal data files and databases;
5.countermeasures against external network intrusion; and
6.monitoring and responding mechanisms against unlawful or abnormal usage.
The measures prescribed in Subparagraphs 5 and 6 in the preceding paragraph shall be periodically exercised and reviewed for improvement.
A non-government agency shall promote basic awareness and education and training of personal data to the staff regularly or irregularly for them to comprehend the requirements of relevant laws and regulations, the responsibility scope of the staff and various mechanisms, procedures or measures in regard to personal data protection.
To ensure the implementation of the Plans and Disposal Regulations, a non-government agency shall measure reasonable allocation of resources to establish maintenance and audit mechanism of personal data security, and designate proper personnel to conduct examination on the execution of the Plans and Disposal Regulations at least semi-annually according to its organization size and characteristics.
The examination result referred to in the preceding paragraph shall be reported to the representative, and relevant records shall be kept for a duration of at least five years.
In the case of discovering that the Plans and Disposal Regulations is not or is at the risk of not complying with the laws according to the examination result referred to in Paragraph 1, the non-government agency shall improve immediately.
After executing various personal data protection mechanisms, procedures, and measures prescribed in the Plans and Disposal Regulations, the non-government agency shall record the usage of such personal data and keep the log files or relevant evidence.
After erasing, ceasing processing or using of the retained personal data, the non-government agency shall keep the following records:
1.the method, time or location of deleting, ceasing processing or using; and
2.in the case that the personal data deleted, ceased processing or using is transferred to another party, the reason, recipients, method, time, location of transfer, and the legal basis for the recipients to collect, process or use the personal data.
The log files, relevant evidence and records referred to in the preceding two subparagraphs shall be kept for at least five years. However, this provision does not apply where otherwise prescribed by laws or provided in the contract.
A non-government agency shall duly take into consideration the association (cooperative) affairs and execution of the Plans and Disposal Regulations, public opinions, technical development and revisions of relevant laws and regulation or other factors to review the Plans and Disposal Regulations established, and revise it if necessary. In the event of revision, the revised Plan and Guideline shall be filed with the competent authority for future reference within 15 days.
In the case that a non-government agency commissions another party to collect, process or use all or part of the personal data, the commissioning agency shall properly supervise as prescribed in Article 8 of the Enforcement Rules of the Act.
To conduct the supervision prescribed in the preceding paragraph, the non-government agency shall set clear contractual requirements concerning the matters and methods of supervision.
Upon the termination of its association (cooperative) affairs, the non-government agency shall be prohibited from using the retained personal data, and shall processs such data in the following manners. The relative records shall be kept for a duration of at least five years.
1.Destruction: the method, time, and location of destruction, and the proof of the destruction;
2.Transfer: the reason, recipients, method, time, and location of transfer, and the legal basis that the receiving party is allowed to retain the personal data; and
3.Other deleting, ceasing processing or using of personal data: the method, time or location of deleting, ceasing processing or using.
Prior to the promulgation of the Regulations, non-government agencies that hold personal data up to or more than an amount of 5,000 without establishing the Plans and Disposal Regulations shall establish it as required by the Regulations, and file the Plans and Disposal Regulations with the competent authority for future reference within six months from the date of the promulgation of the Regulations.
The Regulations shall become effective on the date of promulgation.