Article 9
The clearinghouse shall, in dealing with personal information under its possession stolen, tampered, damaged, destroyed, leaked, or other incidents, establish relevant procedures for the following actions:

1. Adopting proper contingency plans to reduce or control damages to the Parties caused by the incidents.

2. Investigating the incident and notifying the Parties in a timely manner. Content of the notification shall include the relevant facts about the incident, measures to resolve the incident, and contact information of the consulting service.

3. Avoiding recurrence of similar incidents.

When the clearinghouse has an incident similar to what is described in the preceding paragraph, the clearinghouse shall immediately notify the personnel of the Central Bank of the Republic of China (Taiwan) (hereafter referred to as "the Bank") in charge of accepting reporting by phone, and, within 36 hours, send a form to the Bank via electronic mail in the format of the attached form. However, in the event of any of the following situations, the clearinghouse shall immediately notify the Bank by phone and promptly send a form to the Bank via electronic mail in the format of the attached form:

1.The incident involves breach of personal data that is of concern to the Executive Yuan, Legislative Yuan or Control Yuan.

2.The incident involves breach of personal data that has been widely reported in the media. For example, it is reported in the national news section of print media, or it is a feature story discussed in electronic media.

The clearinghouse shall, within 7 business days from the next day following the phone notification under the preceding paragraph, report to the Bank in writing the facts of the incident, whether the breached data have been unlawfully utilized, any damage to the interests of the Parties, and response actions taken. However in case any situation under the proviso of the preceding paragraph exists, the clearinghouse shall submit such a report to the Bank in writing on the next business day following the phone notification.

After receiving the notification of the clearinghouse, the Bank may, by the authority vested under Articles 22-26 of the Act, take appropriate supervisory and administrative measures.

Article 9-1
The clearinghouse should cooperate with the Bank in the following actions:

1.The administrative examination of personal data protection conducted by the Bank every year.

2.Administrative investigation and reinspection of the incidents specified in Paragraph 1 of the preceding article.

For improvement actions to be taken as advised in the administrative examination or administrative investigation and reinspection mentioned in the preceding paragraph, the clearinghouse shall propose concrete improvement measures and report subsequently actions taken to the Bank.