Article 1
These Regulations are promulgated in accordance with Article 27, Paragraph 3 of the Personal Information Protection Act (hereinafter “the Act”).
Article 2
For purposes of these Regulations, the term "competent authority" shall mean the Ministry of Health and Welfare at the central government level, the municipal governments at the municipal level, and the county/city governments at the county/city level.
Article 3
The terms used herein are defined as follows:
I. Western pharmaceutical wholesalers or retailers: A pharmaceutical firm that is approved for registration in accordance with Article 27, Paragraph 1 of the Pharmaceutical Affairs Act, has a capital of more than NT$30 million, and recruits members or obtains personal information of trading counterparts.
II. Responsible person: Personnel designated by western pharmaceutical wholesalers or retailers to be responsible for establishing and implementing personal information file security and maintenance plans (hereinafter referred to as "Security and Maintenance Plan(s)").
III. Subordinate: Personnel of western pharmaceutical wholesalers or retailers that come in contact with personal information in the course of performing professional duty.
IV. Auditor: Personnel designated by western pharmaceutical wholesalers or retailers to be responsible for auditing the implementation and results of Security and Maintenance Plans.
The responsible person in Subparagraph 2 and auditor in Subparagraph 4 of the preceding paragraph may not be the same person.
Article 4
Western pharmaceutical wholesalers or retailers shall establish the Security and Maintenance Plans specifying the following matters in accordance with the Regulations:
I. The internal control procedures for the collection, processing, and use of personal information.
II. The scope and items of personal information.
III. The management of information security and personnel.
IV. The mechanisms of preventing, reporting, and responding to information leakage.
V. The management of facility security.
VI. The audit mechanisms of data security.
VII. The preservation of use records, log files and relevant evidence.
VIII. The measures for processing personal information after termination of any business relationship.
IX. The integrated and persistent improvement plan on the security and maintenance of personal information.
Article 5
Western pharmaceutical wholesalers or retailers shall make reasonable distribution of operational resources by planning, establishing, reviewing, and revising the security and maintenance measures based on the scale and characteristics of their business, and include these measures in the Security and Maintenance Plans for ensuring the security maintenance and management of personal information and preventing personal information from being stolen, altered, damaged, destroyed or disclosed.
Article 6
Western pharmaceutical wholesalers or retailers shall establish a Security and Maintenance Plan within six months after these Regulations take effect.
Western pharmaceutical wholesalers or retailers shall retain the Security and Maintenance Plan in the preceding paragraph, and the competent authority may periodically send its personnel to inspect the plan.
Article 7
The responsible person is responsible for planning, establishing, revising, and implementing the Security and Maintenance Plan, the measures for processing personal information after termination of any business relationship and related matters. The responsible person shall periodically submit a report to western pharmaceutical wholesalers or retailers.
Article 8
Western pharmaceutical wholesalers or retailers shall identify the specific purpose and necessity of collecting the personal information, define the category or scope of personal information collection, processing, and use, and periodically check the status of personal information in its keeping, while establishing the internal control procedures for the collection, processing, and use of personal information in Article 4, Subparagraph 1, as well as the scope and items of personal information in Subparagraph 2.
If western pharmaceutical wholesalers or retailers find personal information that is not within the necessary scope for the specific purpose, for which the specific purpose has disappeared, or that no longer needs to be retained due to expiration of the retention period, then the said information shall be deleted or destroyed, its collection, processing, or use shall be discontinued, or it shall be handled by other appropriate measures.
Article 9
Western pharmaceutical wholesalers or retailers shall comply with the category and scope specified in Paragraph 1 of the preceding article while collecting personal information.
Western pharmaceutical wholesalers or retailers shall take necessary protection measures to prevent information leakage while transferring personal information.
Article 10
Western pharmaceutical wholesalers or retailers shall comply with the obligation of notification specified in Articles 8 and 9 of the Act when collecting personal information; they shall also establish the notification method, contents, and notices for direct collection or indirect collection, and shall require subordinates to comply.
Article 11
Western pharmaceutical wholesalers or retailers shall inform the information owner of the western pharmaceutical wholesaler or retailer's registered name and the source of personal information, while using personal information for promotion or marketing in accordance with Article 20, Paragraph 1 of the Act.
Western pharmaceutical wholesalers or retailers shall provide the information owners or their statutory agents with methods of expressing refusal to accept such promotion or marketing, and shall pay necessary expenses, while using personal information for promotion or marketing purposes for the first time. When the information owners or their statutory agents refuse to receive promotion or marketing, western pharmaceutical wholesalers or retailers shall stop using the owner's personal information immediately and inform subordinates.
Article 12
Western pharmaceutical wholesalers or retailers shall conduct proper supervision on the commissioned party in accordance with Article 8 of the Enforcement Rules of the Act, and shall set clear contractual requirements in the contract or related documents, while commissioning a third party to collect, process, or use all or a part of personal information.
Article 13
Western pharmaceutical wholesalers or retailers shall adopt the following actions to provide the information owners or their statutory agents with the means to exercise the rights prescribed in Article 3 of the Act:
I. Provide a contact person and contact method.
II. Confirm whether the individual is the information owner, statutory agent, or a duly authorized representative of the information owner.
III. Where there is a reason for refusing the exercise of rights by the information owner based on the provisos prescribed in Article 10, Paragraph 2 or Paragraph 3 of Article 11, the reason for the refusal shall be notified to the information owner or statutory agent.
IV. Comply with the disposal deadline set forth in Article 13 of the Act.
V. Inform the information owner or statutory agent of necessary expenses that may be charged in accordance with Article 14 of the Act.
Article 14
The incident prevention, reporting, and response mechanisms established by western pharmaceutical wholesalers or retailers in Article 4, Subparagraph 4 shall include the following matters:
I. Take appropriate measures to control the damages to the owners of personal information due to the incident.
II. Investigate the cause of the incident and damages, notify the information owners or statutory agents using an appropriate method, and report the incident to the competent authority.
III. Formulate improvement measures to prevent the incident from happening again.
When theft, leakage, or tampering of personal information or other incidents occur, western pharmaceutical wholesalers or retailers shall rapidly handle the incident according to the prevention, reporting, and response mechanisms in the preceding paragraph to protect the rights and interests of the personal information owners.
Reporting procedures and document formats in Subparagraph 2 of Paragraph 1 shall be prescribed by the municipal or county (city) competent authority.
Article 15
The management measures of facility security established by western pharmaceutical wholesalers or retailers in Article 4, Subparagraph 5 shall include the following matters:
I. Security and protection facilities and management procedures for paper documents.
II. Security systems or encryption mechanisms installed on computers or automated machines for storing electronic files.
III. Establish procedures for destroying paper documents. Suitable measures for preventing personal information leakage must be taken when computers, automated machines, or other storage media are to be discarded, replaced, or used for other purposes.
Article 16
The management measures of information security and personnel established by western pharmaceutical wholesalers or retailers in Article 4, Subparagraph 3 shall include the following matters:
I. Establish management mechanisms based on business needs, set different access rights for subordinates to control their access to personal information, and periodically verify the appropriateness and necessity of access rights.
II. Examine the nature of businesses and designate personnel responsible for personal information collection, processing, use, and other procedures.
III. Require subordinates to properly retain storage media containing personal information, and agree on safekeeping and confidentiality obligations.
IV. Cancel the ID number of subordinates after termination of employment. The subordinates are required to hand over the documents and data obtained from the work and may not take or use the documents and data after termination of employment.
Article 17
Auditors shall regularly or irregularly audit the implementation status and results of the Security and Maintenance Plan in accordance with Article 4, Subparagraph 6, and report audit results to western pharmaceutical wholesalers or retailers.
Article 18
The preservation measures of use records, log files, and relevant evidence established by western pharmaceutical wholesalers or retailers in Article 4, Subparagraph 7 shall include the following matters:
I. Retention of personal information use records.
II. Retention of log files of automated machines or other relevant evidence.
Article 19
The disposal measures for personal information after termination of business established by western pharmaceutical wholesalers or retailers in Article 4, Subparagraph 8 shall include the following matters:
I. Destruction: Method, time, place, and proof of destruction.
II. Transfer: Reason, subject, method, time, place, and legal basis for the recipient to retain the personal information.
III. Deletion or discontinuation of processing or use: Method, time, or place.
The measure in the preceding paragraph shall be documented, and retained for at least five years.
Article 20
Western pharmaceutical wholesalers or retailers shall take into account the implementation status of Security and Maintenance Plans, technological developments, amendments of laws, or other factors when establishing the integrated and persistent improvement plan on the security and maintenance of personal information in accordance with Article 4, Subparagraph 9. Western pharmaceutical wholesalers or retailers shall examine the appropriateness of Security and Maintenance Plans regularly and revise the plans when necessary.
Article 21
These Regulations shall come into force from the date of promulgation.