Amended on December 23, 2021
Article 3 The terms used in the Regulations shall be defined as follows:
1. "Personal information management representative" shall mean the president of the
clearinghouse or an officer directly authorized by the president, who takes charge
of supervising the design, formulation, execution, and revision of the Plan and
its relevant decision making.
2. "Personal information internal assessor representative" shall mean an officer
authorized by the president of the clearinghouse to take charge of supervising
internal assessors evaluating the performance of the Plan.
3. "Relevant staff" shall mean employees of the clearinghouse who have to access
personal information in the process of business execution, including the fixed-term
and non-fixed-term contract employees and dispatched workers of the clearinghouse.
Article 4 The clearinghouse shall organize a task force for security maintenance of personal
information files and allocate appropriate resources so as to be responsible for the
design, formulation, execution, and revision of relevant procedures under the Plan.
The staffing of the task force for security maintenance of personal information files
includes the personal information management representative and the internal assessor.
When the role of personal information management representative is filled by an officer
other than the president, this representative shall regularly submit a written report
on the task execution of the task force mentioned above to the president.
Article 9 To respond to the theft, tampering, damage, destruction, or leakage of personal
information in its possession, or to other incidents, the clearinghouse shall establish
relevant procedures for the following actions:
1. Adopting proper contingency plans to reduce or control damages to the Parties
caused by the incidents.
2. Investigating the incident clearly and notifying the Parties in a timely manner.
Content of the notification shall include the facts about incidents, measures to
resolve incidents, and contact information for the consulting service.
3. Avoiding recurrence of similar incidents.
When the clearinghouse has an incident described in the preceding paragraph, the
clearinghouse shall immediately notify personnel of the Central Bank of the Republic
of China (Taiwan) (hereafter referred to as "the Bank") in charge of accepting
reporting by phone, and within 72 hours, send a form to the Bank via electronic mail
according to the format of the attached form; in addition, within 7 business days
starting from the next day following the day of notification, the clearinghouse shall
report to the Bank in writing the facts of the incident, whether the breached personal
information has been illegally utilized, how the interests of the principal have been
damaged, and response measures taken.
After receiving the notification of the clearinghouse, the Bank may, by the
authority vested under Articles 22 to 25 of the Act, take appropriate supervisory
and administrative measures.
Article 15 Prior to carrying out international transmission of personal information, the
clearinghouse shall check whether such transmission is restricted by the Bank and
comply with the relevant rules.