Regulations Regarding the Security Protection Plan for the Processing of Personal Information Files in Weather Industry-related Non-government Agencies Designated by the Ministry of Transportation and Communications

Announced Date: 2024-11-27
Promulgated on November 27, 2024

Article 1 The Regulations are enacted in accordance with Paragraph 3, Article 27 of the Personal Data Protection Act (hereinafter the Act).

Article 2 The non-government agencies referred to in the Regulations shall include the following:
1. Weather forecast enterprise;
2. Marine forecast enterprise;
3. Weather and marine forecast enterprise.
The competent authority referred to in the Regulations is the Ministry of Transportation and Communications.

Article 3 Non-government agencies shall establish their personal information security maintenance plan and personal data disposal procedure following business termination (hereinafter the “Plan and Procedure”) to implement the security maintenance and management of personal information files and prevent such personal data from being stolen, altered, damaged, destroyed, or disclosed.
Non-government agencies shall implement the Plan and Procedure as established. The Central Weather Administration (hereinafter CWA) may require non-government agencies to submit the implementation status of the Plan and Procedure and the non-government agencies shall make such submission in writing before the designated deadline.

Article 4 When a non-government agency establishes the Plan and Procedure in accordance with the previous Article, it shall, with reference to the provisions under Articles 5 to 20 and depending on the scale and features of its organization and the nature and quantity of personal data in its possession, establish personal data file security management measures which include the following:
1. Organizational scale and features of the non-government agency;
2. Security management measures for personal information files:
(1) Allocation of managing personnel and reasonable resources;
(2) Definition of the scope of personal data collection, processing, and utilization;
(3) Mechanism for personal data risk assessment and management;
(4) Mechanism for data breach prevention, report and response;
(5) Internal control procedures for personal data collection, processing and utilization;
(6) Management measures for equipment safety, data security and personnel management;
(7) Education and training to raise awareness;
(8) Auditing mechanism for data security maintenance;
(9) Preservation of use records, log files and evidence;
(10) Overall and continuous improvement of personal data security and maintenance;
(11) Procedures for disposal of personal data after business termination.

Article 5 For the security maintenance and management of personal data files, non-government agencies may designate dedicated person(s) or unit(s) and allocate proper resources.
The establishment or revision of the Plan and Procedure shall be approved by the representative of the non-government agency or a person with his/her authorization.
The person(s) or unit(s) in charge of personal data file security maintenance and management shall submit, on a regular basis, written reports on the execution status of their tasks to the representative of the non-government agency or a person with his/her authorization.
The non-government agency shall keep the Plan and Procedure as established in its office for future reference, and the competent authority may send personnel for inspection thereof.

Article 6 Non-government agencies shall, in accordance with personal data protection laws and regulations, check and confirm on a regular basis the current status of the personal data in their possession and define the scope thereof which is covered by the Plan and Procedure.

Article 7 In accordance with the scope of personal data defined under the previous Article and their process of collection, processing and utilization of personal data, non-government agencies shall evaluate the possible personal data risks and establish a proper control mechanism based on the results of such risk evaluation.

Article 8 Non-government agencies shall adopt the following measures in case of security incidents such as theft, alteration, damage, destruction, or leakage of the personal data in their possession:
1. Proper response measures to control the damage to the party/parties concerned.
2. Verification of the status of the incident and proper communication to the party/parties concerned. Said communication shall include the facts of the personal data incident, the response measures taken, and the consultation service hotline provided by the non-government agency.
3. Mechanism to prevent the occurrence of similar incidents.
The non-government agency shall submit a personal data breach incident report and record form to CWA within 72 hours of discovery of the foregoing incident. If the incident is not reported before the deadline, the reasons for the delay shall be provided (see Attachment for format).
After the foregoing incident is reported, the competent authority may undertake proper supervisory and management measures based on its authority granted under Articles 22 to 26 of the Act.

Article 9 When collecting and processing regular personal data for the purpose of business activities, non-government agency personnel shall confirm whether such collection and processing comply with the constituent elements prescribed in Article 19 of the Act. When utilizing the data, they shall confirm whether such utilization is within the necessary scope of the specific purposes of collection. When utilizing the data outside the specific purposes, they shall confirm whether such utilization complies with the proviso set forth in Paragraph 1, Article 21 of the Act.

Article 10 When collecting personal data, non-government agencies shall fulfill the obligation to inform under Articles 8 and 9 of the Act, distinguish between direct and indirect collection of personal data, establish different methods, contents and points to notice for informing data subjects, and request that their personnel act accordingly.

Article 11 When commissioning others to collect, process or utilize all or part of the personal data in their possession, non-government agencies shall supervise the commissioned party/parties in accordance with Article 8 of the Enforcement Rules of the Act.
When performing the supervision under the preceding Paragraph, non-government agencies shall expressly agree with the commissioned party/parties on the matters and manner of supervision.

Article 12 When the competent authority imposes order or sanction on a non-government agency to restrict international transmission of personal data under Article 21 of the Act, the non-government agency shall notify all of its staff members to comply.
When internationally transmitting personal data, non-government agencies shall confirm whether such transmission is restricted by the competent authority, inform the subject(s) of the region(s) to which their personal data will be transmitted, and supervise the data recipient(s) with regard to the following:
1. The proposed scope, type, specific purpose, duration, area, target, and approach of personal data processing or utilization;
2. Matters concerning the subject’s rights under Article 3 of the Act.

Article 13 When personal data subjects exercise the rights stipulated in Article 3 of the Act, non-government agencies shall:
1. Provide person(s) and method(s) for contact;
2. Confirm that the party is the data subject themselves or a designated agent;
3. Inform the subject of the reasons when refusing their exercise of the rights in accordance with the conditions under the subparagraphs of the proviso in Article 10, or the proviso of Paragraph 2 or 3, Article 11 of the Act;
4. Inform the subject of the charging standard when a fee is to be collected;
5. Abide by the processing deadline set forth in Article 13 of the Act.

Article 14 Non-government agencies shall adopt necessary and proper security equipment or protective measures for the personal data files in their possession.
The foregoing safety equipment or protective measures shall include the following:
1. Equipment to safeguard hard copy files.
2. Security protection system or encryption mechanism for the computers, automated machine-related equipment, and portable equipment or storage media where electronic files and databases are stored.
3. Proper destruction or prevention measures when the hard copies, hard disks, magnetic tapes, compact discs, microfilms, IC chips or other storage media used for storing personal data are to be scrapped, replaced or used for other purposes. Where such a task is commissioned to others, non-government agencies shall supervise the commissioned party in accordance with Article 11 of the Regulations.

Article 15 To ensure personal data protection, non-government agencies shall adopt appropriate personnel management measures.
The foregoing management measures shall include the following:
1. Setting different levels of access according to the needs of personnel’s business activities, monitoring their contact with personal data, and regularly reviewing the propriety and necessity of access contents.
2. Reviewing the nature of relevant business activities, and designating personnel to be in charge of the process of personal data collection, processing and utilization.
3. Requesting proper safeguarding of personal data storage media by personnel, and agreeing on the obligation to safeguard and keep confidential.
4. In case of personnel change or departure, the personal data in the relevant personnel’s possession for the purpose of business activities shall be handed over and continued use thereof disallowed, and a confidentiality agreement shall be signed.

Article 16 When collecting, processing or utilizing personal data by using an information or communications system, non-government agencies shall adopt the following data protection and management measures to safeguard the personal data in their possession:
1. Mechanism to confirm and protect user identity;
2. Code-hiding mechanism for personal data display;
3. Encryption mechanism for safe online transmissions;
4. Mechanism to control and monitor access to personal data files and databases;
5. Countermeasures to prevent intrusions from external networks;
6. Mechanism to monitor and respond to unlawful or abnormal utilization.

Article 17 Non-government agencies are required to conduct basic personal data protection awareness education and training on an irregular basis so that their personnel understand the requirements under relevant laws and regulations, the scope of their responsibilities, and various personal data protection mechanisms, procedures and measures.

Article 18 Non-government agencies shall establish a personal data security audit mechanism to verify regularly or from time to time whether the Plan and Procedure or other related matters are implemented.

Article 19 When implementing personal data protection mechanisms, procedures or measures under the Plan and Procedure, non-government agencies shall record the status of personal data utilization and keep the log files or related evidence.
After deleting or suspending the processing or utilization of the personal data in their possession, non-government agencies shall keep a record of the following:
1. The method, time, or location of the deletion or suspension of processing or utilization of personal data;
2. Where the personal data which is deleted or whose processing or utilization is suspended is transferred to another party, the reason, recipient, method, time, location of the transfer, and the legal basis for the recipient’s collection, processing or utilization of the personal data.
The log files, related evidence and records under the two preceding Paragraphs shall be kept for at least five years unless otherwise stipulated by law or contract.

Article 20 Non-government agencies shall review, and revise where necessary, their Plan and Procedure by taking into account the implementation of their business and the Plan and Procedure, public opinion, technological development, and addition or amendment to related laws and regulations.

Article 21 After business termination, non-government agencies may not continue to utilize the personal data in their possession and shall carry out the following, the related records of which shall be kept for at least five years:
1. Destruction: method, time, location, and proof of the destruction.
2. Transfer: reason, recipient, method, time and location of the transfer, and legal basis for the recipient’s possession of the personal data.
3. Deletion or suspension of the processing or utilization of personal data: method, time and location of the deletion or suspension.

Article 22 These Regulations shall take effect on the day of promulgation.
Attachment: