Amended on December 23, 2021
Article 3 The terms used in the Regulations shall be defined as follows:
1. "Personal information management representative" shall mean the president of the clearinghouse or an officer directly authorized by the president, who takes charge of supervising the design, formulation, execution, and revision of the Plan and its relevant decision making.
2. "Personal information internal assessor representative" shall mean an officer authorized by the president of the clearinghouse to take charge of supervising internal assessors evaluating the performance of the Plan.
3. "Relevant staff" shall mean employees of the clearinghouse who have to access personal information in the process of business execution, including the fixed-term and non-fixed-term contract employees and dispatched workers of the clearinghouse.

Article 4 The clearinghouse shall organize a task force for security maintenance of personal information files and allocate appropriate resources so as to be responsible for the design, formulation, execution, and revision of relevant procedures under the Plan.
The staffing of the task force for security maintenance of personal information files includes the personal information management representative and the internal assessor. When an officer other than the president serves as the personal information management representative, this representative shall regularly submit a written report to the president on the task execution of the task force mentioned above.

Article 9 The clearinghouse shall, to cope with incidents in which personal information in its possession is stolen, tampered with, damaged, destroyed, or leaked, or with other incidents, establish relevant procedures for the following actions:
1. Adopting proper contingency plans to reduce or control damages to the Parties caused by the incidents.
2. Investigating the incident clearly and notifying the Parties in a timely manner. Content of the notification shall include the facts about incidents, measures to resolve incidents, and contact information for the consulting service.
3. Avoiding recurrence of similar incidents.
When the clearinghouse has an incident described in the preceding paragraph, the clearinghouse shall immediately notify personnel of the Central Bank of the Republic of China (Taiwan) (hereafter referred to as "the Bank") in charge of accepting reporting by phone, and within 72 hours, send a form to the Bank via electronic mail according to the format of the attached form; in addition, within 7 business days starting from the next day following the day of notification, the clearinghouse shall report to the Bank in writing the facts of the incident, whether the breached personal information has been illegally utilized, how the interests of the principal have been damaged, and response measures taken.
After receiving the notification of the clearinghouse, the Bank may, by the authority vested under Articles 22 to 25 of the Act, take appropriate supervisory and administrative measures.

Article 15 Prior to carrying out international transmission of personal information, the clearinghouse shall check whether such transmission is restricted by the Bank and comply with the relevant rules.