These Regulations are promulgated in accordance with Article 27, Paragraph 3 of the Personal Data Protection Act (hereinafter “the Act”).
For purposes of these Regulations, the term “competent authority” shall mean the Ministry of Health and Welfare at the central government level, the municipal governments at the municipal level, and the county/city governments at the county/city level.
The terms used herein are defined as follows:
I. Cosmetic wholesalers or retailers: An entity that is engaged in the wholesale or retail of cosmetics, has registered as a corporation, business, or limited partnership with a capital of more than NT$30 million, and has recruitment of members or obtains personal information of trading counterparts.
II. Responsible person: Personnel designated by cosmetic wholesalers or retailers to be responsible for establishing and implementing personal information file security and maintenance plans (hereinafter referred to as “Security and Maintenance Plan(s)”).
III. Subordinate: Personnel of cosmetic wholesalers or retailers that come in contact with personal information in the course of performing professional duty.
IV. Auditor: Personnel designated by cosmetic wholesalers or retailers to be responsible for auditing the implementation and results of Security and Maintenance Plans.
The responsible person in Subparagraph 2 and the auditor in Subparagraph 4 of the preceding paragraph may not be the same person.
Cosmetic wholesalers or retailers shall establish the Security and Maintenance Plans specifying the following matters in accordance with the Regulations:
I. The internal control procedures for the collection, processing, and use of personal information.
II. The scope and items of personal information.
III. The management of information security and personnel.
IV. The mechanisms of preventing, reporting, and responding to information leakage.
V. The management of facility security.
VI. The audit mechanisms of data security.
VII. The preservation of use records, log files, and relevant evidence.
VIII. The measures for processing personal information after the termination business.
IX. The integrated and persistent improvement plan on the security and maintenance of personal information.
Cosmetic wholesalers or retailers shall make reasonable distribution of operational resources to planning, establishing, reviewing, and revising the security and maintenance measures based on the scale and characteristics of their business, and include these measures in the Security and Maintenance Plans for ensuring the security maintenance and management of personal information and preventing personal information from being stolen, altered, damaged, destroyed or disclosed.
Cosmetic wholesalers or retailers shall establish a Security and Maintenance Plan within six months after these Regulations take effect.
Cosmetic wholesalers or retailers shall retain the Security and Maintenance Plan in the preceding paragraph, and the competent authority may periodically send its personnel to inspect the plan.
The responsible person is responsible for planning, establishing, revising, and implementing the Security and Maintenance Plan, the measures for processing personal information after termination of any business relationship and related matters. The responsible person shall periodically submit a report to cosmetic wholesalers or retailers.
Cosmetic wholesalers or retailers shall identify the specific purpose and necessity of collecting the personal information, define the category or scope of personal information collection, processing, and use, and periodically check the status of personal information in its keeping, while establishing the internal control procedures for the collection, processing, and use of personal information in Article 4, Subparagraph 1, as well as the scope and items of personal information in Subparagraph 2.
If cosmetic wholesalers or retailers find personal information that is not within the necessary scope for the specific purpose or the specific purpose has disappeared, or that no longer needs to be retained due to expiration of the retention period, then the said information shall be deleted, destroyed, discontinued to collect, process or use, or handled by other appropriate measures.
Cosmetic wholesalers or retailers shall comply with the category and scope specified in Paragraph 1 of the preceding article while collecting personal information.
Cosmetic wholesalers or retailers shall take necessary protection measures to prevent information leakage while transferring personal information.
Cosmetic wholesalers or retailers shall comply with the obligation of notification specified in Articles 8 and 9 of the Act when collecting personal information; they shall also establish the notification method, contents, and notices for direct collection or indirect collection, and shall require subordinates to comply.
Before transferring the personal information internationally, cosmetic wholesalers or retailers shall check whether it is restricted by the central authority, and inform the subject of the country or region to which the information is intended to be transferred.
Cosmetic wholesalers or retailers shall inform the information owner of the cosmetic wholesaler or retailer's registered name and the source of personal information, while using personal information for promotion or marketing in accordance with Article 20, Paragraph 1 of the Act.
Cosmetic wholesalers or retailers shall provide the information owners or their statutory agents with methods of expressing refusal to accept such promotion or marketing, and shall pay necessary expenses, while using personal information for promotion or marketing purposes for the first time. When the information owners or their statutory agents refuse to receive promotion or marketing, western pharmaceutical wholesalers or retailers shall stop using the owner's personal information immediately and inform subordinates.
Cosmetic wholesalers or retailers shall conduct proper supervision on the commissioned party in accordance with Article 8 of the Enforcement Rules of the Act, and shall set clear contractual requirements in the contract or related documents, while commissioning a third party to collect, process, or use all or a part of personal information.
Cosmetic wholesalers or retailers shall adopt the following actions to provide the information owners or their statutory agents with the means to exercise the rights prescribed in Article 3 of the Act:
I. Provide a contact person and contact method.
II. Confirm whether the individual is the information owner, statutory agent, or a duly authorized representative of the information owner.
III. Where there is a reason for refusing the exercise of rights by the information owner based on the provisos prescribed in Article 10, Paragraph 2 or Paragraph 3 of Article 11, the reason for the refusal shall be notified to the information owner or statutory agent.
IV. Comply with the disposal deadline set forth in Article 13 of the Act.
V. Inform the information owner or statutory agent of necessary expenses that may be charged in accordance with Article 14 of the Act.
The management measures of information security and personnel established by cosmetic wholesalers or retailers in Article 4, Subparagraph 3 shall include the following matters:
I. Establish management mechanisms based on business needs, set different access rights for subordinates to control their access to personal information, and periodically verify the appropriateness and necessity of access rights.
II. Examine the nature of businesses and designate personnel responsible for personal information collection, processing, use, and other procedures.
III. Require subordinates to properly retain storage media containing personal information, and agree on safekeeping and confidentiality obligations.
IV. Cancel the ID number of subordinates after termination of employment. The subordinates are required to hand over the documents and data obtained from the work and may not take or use the documents and data after termination of employment.
Cosmetic wholesalers or retailers which provide e-commerce service system, should adopted following information security measures:
I. User identity confirmation and protection mechanism.
II. Data masking mechanism for personal information display.
III. Security encryption mechanism for Internet data transmission.
IV. Access control and protection monitoring measures for personal data files and databases.
V. Prevention mechanism of external network intrusion.
VI. The monitoring and responding countermeasures of illegal or abnormal use of the system.
The term “e-commerce” of the preceding paragraph refers to the advertising, marketing, supply, ordering, delivery or other commercial transactions of goods or services via the Internet.
The countermeasures and mechanism of Subparagraph 5 and 6 of Paragraph 1 should be regularly rehearsed and reviewed for improvement.
Cosmetic wholesalers or retailers shall establish a mechanism for prevention, notification and response to accidents in accordance with Article 4, Paragraph 4, which shall include the following matters:
I. Take appropriate measures to control the damage caused by the accident and notify the competent authorities of the city or county (city) and the central government within 72 hours from the time the accident is discovered.
II. Identify the cause of the accident and the damage, and notify the parties involved or their legal representatives.
III. Review the defects and formulate preventive and improvement measures to prevent the recurrence of the accident.
Cosmetic wholesalers or retailers in the event of theft, leakage, tampering, or other infringement of personal information, the Company shall follow the prevention, notification, and response mechanisms for the preceding paragraph incidents to promptly address the situation and protect the rights and interests of the parties involved.
Cosmetic wholesalers or retailers in the event of the preceding paragraph accident, the competent authorities in accordance with the provisions of Article 22, paragraph 1 of the Act could inspect, inquiry the relevant personnel for the necessary explanation, order for cooperation or provide relevant information, and take further action depending on the inspection result.
The format of the notification in Paragraph 1, Subparagraph 1 as attached.
The management measures of facility security established by cosmetic wholesalers or retailers in Article 4, Subparagraph 5 shall include the following matters:
I. Security and protection facilities and management procedures for paper documents.
II. Security systems or encryption mechanisms installed on computers or automated machines for storing electronic files.
III. Establish procedures for destroying paper documents. Suitable measures for preventing personal information leakage must be taken when computers, automated machines, or other storage media is to be discarded, replaced, or used for other purposes.
Auditors shall regularly or irregularly audit the implementation status and results of the Security and Maintenance Plan in accordance with Article 4, Subparagraph 6, and report audit results to cosmetic wholesalers or retailers.
The preservation measures of use records, log files, and relevant evidence established by cosmetic wholesalers or retailers in Article 4, Subparagraph 7 shall include the following matters:
I. Retention of personal information use records.
II. Retention of log files of automated machines or other relevant evidence.
The disposal measures for personal information after termination of business established by Cosmetic wholesalers or retailers in Article 4, Subparagraph 8 shall include the following matters:
I. Destruction: Method, time, place, and proof of destruction.
II. Transfer: Reason, subject, method, time, place, and legal basis for the recipient to retain the personal information.
III. Delete or discontinue to process or use: Method, time, or place.
The measure in the preceding paragraph shall be documented, and retained for at least five years.
Cosmetic wholesalers or retailers shall take into account the implementation status of Security and Maintenance Plans, technological developments, amendments of laws, or other factors when establishing the integrated and persistent improvement plan on the security and maintenance of personal information in accordance with Article 4, Subparagraph 9. cosmetic wholesalers or retailers shall examine the appropriateness of Security and Maintenance Plans regularly and revise the plans when necessary.
These Regulations shall come into force from the date of promulgation.