These Regulations are prescribed pursuant to the provisions of Article 27 Paragraph 3 of the Personal Information Protection Act (hereafter referred to as “the Act”).
Tourist hotel enterprises shall draw up plans for maintaining the security of personal information files (hereafter referred to as “the Plans”), for the purpose of ensuring the secure maintenance and management of personal information files, to prevent the theft, alteration, impairment, loss or disclosure of personal information.
Tourist hotel enterprises as referred to in the preceding paragraph means companies that have obtained licenses to operate international tourist hotels or ordinary tourist hotels under the Act for the Development of Tourism.
The content of the Plans shall include the relevant organization and procedures prescribed in Articles 3 to 21, and the Plans shall be periodically reviewed and brought into conformity with related laws and regulations as newly prescribed or amended.
A tourist hotel enterprise may assign a specially appointed person or persons, or set up a specially responsible organization, to securely maintain and manage personal information files, allocate appropriate resources, and periodically report to the person in charge of the tourist hotel enterprise.
The responsibilities of the specially appointed person or persons or specially responsible organization as referred to in the preceding paragraph shall be as follows:
1. Planning, prescribing, amending and executing matters concerning plans for maintaining the security of personal information files, and methods of handling personal information after termination of business.
2. Stipulating policies for the protection and management of personal information, as the basis and specific purposes for the collection, processing and use of personal information, and other matters concerning protection, and announcing these to ensure that they are clearly understood by all members of staff.
3. Periodically conducting basic knowledge guidance or specialist education and training for staff members, to ensure that they clearly understand the provisions of laws and regulations relating to personal information protection, the scope of staff members’ responsibilities relating to personal information protection, and the various methods or management measures for protecting personal information.
Tourist hotel enterprises shall identify specific purposes for the collection of personal information; define the classification and scope of the collection, processing and use of personal information, according to the necessities of the specific purposes; and periodically check the situation of personal information in their custody.
Where a check as referred to in the preceding paragraph reveals personal information that is not within the necessary scope of the specific purposes, or that no longer needs to be retained due to the elimination of, or the expiration of a time limit for, a specific purpose, then the said information shall be deleted or destroyed or its collection, processing and use discontinued, as appropriate, in accordance with the provisions of Article 11 Paragraph 3 of the Act.
Tourist hotel enterprises shall determine the current status of laws and regulations pertaining to the protection of personal information that are required to be followed and applied in respect of personal information in their custody.
A tourist hotel enterprise may, in accordance with the defined scope of personal information and defined procedures for the collection, processing and use of personal information, analyze the possible occurrence of risk, and based on the results of risk analysis, set appropriate control measures.
A tourist hotel enterprise shall adopt the following matters for responding to the theft, alteration, damage, impairment or loss of personal information:
1. Adopt appropriate responsive measures to control consequential harm to the parties concerned, and notify the entities concerned.
2. Ascertain the current situation of the incident, and use appropriate means to notify the parties concerned.
3. Formulate preventive mechanisms, to avoid the recurrence of such kind of incident.
Tourist hotel enterprises shall set the following management procedures respectively for ordinary personal information and for personal information as specified in Article 6 of the Act:
1. Examining and confirming whether the collection, processing and use of personal information includes personal information and the specific purposes thereof prescribed in Article 6 of the Act.
2. Examining whether the collection, processing and use of personal information as prescribed in Article 6 of the Act is in compliance with the requirements of applicable laws and regulations.
3. Where personal information does not fall within the ambit of Article 6 of the Act, but is considered to need special management, it may still be managed similarly or by the setting of a special management procedure.
Tourist hotel enterprises shall adopt the following steps for compliance with the provisions of Articles 8 and 9 of the Act concerning obligation to notify:
1. Examine whether the specific purposes of the collection and processing of personal information match the reasons for exemption from notification.
2. Adopt appropriate means of notification in accordance with the situation of the information collection.
A tourist hotel enterprise shall examine whether its collection and processing of personal information has a specific purpose and legal imperative in compliance with the provisions of Article 19 of the Act.
Examination of the use of personal information shall determine whether it is in compliance with the provisions of Article 20 Paragraph 1 of the Act, and is within the scope of the specific purpose of use; when personal information is used outside the scope of the specific purpose, examination shall determine whether there is a legally prescribed condition for use outside the specific purpose.
When a tourist hotel enterprise commissions another to collect, process or use personal information, in whole or in part, it shall conduct proper supervision of the commissioned party as prescribed in Article 8 of the Enforcement Rules of the Act, and set clear contractual requirements concerning the matters and methods of supervision.
When a tourist hotel enterprise uses personal information for marketing for the first time, it shall provide the parties concerned with a free-of-charge means of expressing refusal to accept the marketing, and after an expression of refusal by a party concerned, shall immediately cease to use that party’s personal information for marketing, and announce this to all of its staff.
Before a tourist hotel enterprise conducts the international transmission of personal information, it shall examine whether the Ministry of Transportation and Communications has issued an applicable order or injunction limiting international transmission under the provisions of Article 21 of the Act, and shall comply therewith.
A tourist hotel enterprise shall adopt the following methods to provide the parties concerned with the means to exercise the rights prescribed in Article 3 of the Act:
1. Confirming that the parties concerned are the subject of the personal information or are duly authorized to act on their behalf.
2. Providing the parties concerned with means of exercising their rights, and complying with the relevant time limits prescribed in Article 13 of the Act.
3. Informing whether there is a charge for necessary costs and expenses.
4. If it is determined that there is a reason why the exercise of their rights by a party concerned may be refused under Articles 10 and 11 of the Act, the reason shall be given in notification to the party concerned.
A tourist hotel enterprise shall adopt the following methods to maintain the accuracy of all personal information in its custody:
1. Examining whether the procedure of collecting, processing and using personal information is correct.
2. When incorrect personal information is discovered, promptly correcting or supplementing it, and informing all parties to whom it has previously been provided for use.
3. Where there is a dispute as to the correctness of personal information, the matter shall be handled as prescribed in Article 11 Paragraph 2 of the Act.
A tourist hotel enterprise may adopt the following information security management measures:
1. When using computer or automatic machine related equipment to collect, process and use personal information, appropriately set rules for use of portable devices or storage media.
2. If the content of personal information under custody has a need for encryption, adopt appropriate encryption mechanisms when collecting, processing or storing the information.
3. When a work process entails a need for backing up personal information, it shall be accorded the same protection as original documents in accordance with the provisions of the Act.
4. Where personal information is recorded on or in paper, magnetic disk, magnetic tape, compact disk, microfiche, IC chip, or other medium, appropriate preventive measures must be adopted to prevent the disclosure of such personal information when the medium is scrapped or transferred to other purpose.
A tourist hotel enterprise may adopt the following personnel management measures:
1. In accordance with operational needs, to a suitable degree setting various limits on the authority of members of staff and controlling their access to personal information.
2. Reviewing the personnel with responsibility for all relevant work procedures involving the collection, processing and use of personal information.
3. Setting confidentiality obligations in contracts with all staff members.
Tourist hotel enterprises must adopt the following environmental management measures in respect of the environment of paper, magnetic disks, magnetic tapes, compact disks, microfiches, IC chips, computers, automatic machines or devices, or other media on or in which personal information is kept:
1. Implementing appropriate methods of input and output control in accordance with differences of business content.
2. Requiring all staff members to keep secure custody of storage media containing personal information.
3. Giving consideration to the establishment of suitable protective equipment or technology for each different media environment.
When another party is commissioned to execute the above acts, the provisions of Article 10 shall apply mutatis mutandis.
After a tourist hotel enterprise terminates business, it may consider taking the following measures in respect of personal information, and keep relevant records as prescribed:
1. Destruction: Record the method, time and location of destruction, and keep proof of method of destruction.
2. Transfer: Record the reason for transfer, the transferee, method, time and location of transfer, and the legal basis for the transferee being permitted to take custody of the personal information.
3. Other deletion or termination of processing or use of personal information: Record the method, time and location of the deletion or termination of processing or use.
A tourist hotel enterprise shall establish a mechanism for auditing the security of personal information, for the purpose of examining, at regular or irregular intervals, matters relating to whether the Plan it has made for maintaining the security of personal information files is being fully and thoroughly executed, or the methods of handling personal information after termination of business.
A tourist hotel enterprise may take appropriate measures, by adopting mechanisms for keeping records of the use of personal information, or the retention of tracking data in automatic machines or devices, or other relevant proof, to provide when necessary for explaining the situation of the execution of its Plan.
A tourist hotel enterprise shall give appropriate consideration to the current situation of business execution, public opinion, technological development, changes in law and regulations, and other pertinent factors, in examining whether the Plan it has made is appropriate, and shall amend the Plan when necessary.
These Regulations shall go into effect on the date as prescribed by the Ministry of Transportation and Communications.