Article 1
These Regulations are promulgated in accordance with Article 27, Paragraph 3 the Personal Data Protection Act (hereinafter “the Act”).
Article 2
For purposes of these Regulations, the term "competent authority" shall mean the Ministry of Health and Welfare at the central government level, the municipal governments at the municipal level, and the county/city governments at the county/city level.
Article 3
The terms used herein are defined as follows:
I. Food businesses: A business that is in accordance with Article 3, Paragraph 7 of Act Governing Food Safety and Sanitation, has registered as a corporation, business or factory with a capital of more than NT$30 million, and has recruitment of members or obtains personal information of trading counterparts. The scope of the industry is as follows:
(I) Manufacture of Processing and Preserving of Meat
(II) Manufacture of Grain Mill Products, Starches and Starch Products
(III) Wholesale of Food and Beverages
(IV) Restaurants and Beverage Shops that are not affiliated with Hotels, Tourist Hotels, Airports or Department Stores, and Other Food and Beverage Service Activities that are not via Stalls.
II. Responsible person: Personnel designated by food businesses to be responsible for establishing and implementing personal information file security and maintenance plans (hereinafter referred to as "Security and Maintenance Plans").
III. Subordinate: Personnel of food businesses that come in contact with personal information in the course of performing professional duty.
IV. Auditor: Personnel designated by food businesses to be responsible for auditing the implementation and results of Security and Maintenance Plans.
The responsible person in Subparagraph 2 and auditor in Subparagraph 4 of the preceding paragraph may not be the same person.
Article 4
Food businesses shall establish the Security and Maintenance Plans specifying the following matters in accordance with the Regulations:
I. The internal control procedures for the collection, processing, and use of personal information.
II. The scope and items of personal information.
III. The management of information security and personnel.
IV. The mechanisms of preventing, reporting, and responding to information leakage.
V. The management of facility security.
VI. The audit mechanisms of data security.
VII. The preservation of use records, log files and relevant evidence.
VIII. The measures for processing personal information after termination of any business relationship.
IX. The integrated and persistent improvement plan on the security and maintenance of personal information.
Article 5
Food businesses shall make reasonable distribution of operational resources by planning, establishing, reviewing, and revising the security and maintenance measures based on the scale and characteristics of their business, and include these measures in the Security and Maintenance Plans for ensuring the security maintenance and management of personal information and preventing personal information from being stolen, altered, damaged, destroyed or disclosed.
Article 6
Food businesses shall establish Security and Maintenance Plans within six months after these Regulations take effect.
Food businesses shall retain the Security and Maintenance Plans in the preceding paragraph, and the competent authority may periodically send its personnel to inspect the plan.
Article 7
The responsible person is responsible for planning, establishing, revising, and implementing the Security and Maintenance Plans, the measures for processing personal information after termination of any business relationship and related matters. The responsible person shall periodically submit a report to food businesses.
Article 8
Food businesses shall identify the specific purpose and necessity of collecting the personal information, define the category or scope of personal information collection, processing, and use, and periodically check the status of personal information in its keeping, while establishing the internal control procedures for the collection, processing, and use of personal information in Article 4, Subparagraph 1, as well as the scope and items of personal information in Subparagraph 2.
If food businesses find personal information that is not within the necessary scope for the specific purpose or the specific purpose has disappeared, or that no longer needs to be retained due to expiration of the retention period, then the said information shall be deleted, destroyed, discontinued to collect, process or use, or handled by other appropriate measures.
Article 9
Food businesses shall comply with the category and scope specified in Paragraph 1 of the preceding article while collecting personal information.
Food businesses shall take necessary protection measures to prevent information leakage while transferring personal information.
Article 10
Food businesses shall comply with the obligation of notification specified in Articles 8 and 9 of the Act when collecting personal information; they shall also establish the notification method, contents, and notices for direct collection or indirect collection, and shall require subordinates to comply.
Article 11
Before transferring personal information internationally, food businesses shall verify if such transfer is restricted by the central competent authority and inform the information owner of the country or region where the personal information will be transferred to.
Article 12
Food businesses shall inform the information owner of the food businesses’ registered name and the source of personal information, while using personal information for publicity, promotion or marketing in accordance with Paragraph 1 of Article 20 of the Act.
Food businesses shall provide the information owners or their statutory agents with methods of expressing refusal to accept such publicity, promotion or marketing, and shall pay necessary expenses, while using personal information for publicity, promotion or marketing purposes for the first time. When the information owners or their statutory agents refuse to receive publicity, promotion or marketing, food businesses shall stop using the owner's personal information immediately and inform subordinates.
Article 13
Food businesses shall conduct proper supervision on the commissioned party in accordance with Article 8 of the Enforcement Rules of the Act, and shall set clear contractual requirements in the contract or related documents, while commissioning a third party to collect, process, or use all or a part of personal information.
Article 14
Food businesses may take the following measures when the information owners or their statutory agents exercise their rights as stipulated in Article 3 of the Act:
I. Provide a contact person and contact method.
II. Confirm whether the individual is the information owner, statutory agent, or a duly authorized representative of the information owner.
III. Where there is a reason for refusing the exercise of rights by the information owner based on the provisos prescribed in Article 10, Paragraph 2 or Paragraph 3 of Article 11 of the Act, the reason for the refusal shall be notified to the information owner or statutory agent.
IV. Comply with the disposal deadline set forth in Article 13 of the Act.
V. Inform the information owner or statutory agent of necessary expenses that may be charged in accordance with Article 14 of the Act.
Article 15
The management measures of information security and personnel established by food businesses in Article 4, Subparagraph 3 shall include the following matters:
I. Establish management mechanisms based on business needs, set different access rights for subordinates to control their access to personal information, and periodically verify the appropriateness and necessity of access rights.
II. Examine the nature of businesses and designate personnel responsible for personal information collection, processing, use, and other procedures.
III. Require subordinates to properly retain storage media containing personal information, and agree on safekeeping and confidentiality obligations.
IV. Cancel the ID number of subordinates after termination of employment. The subordinates are required to hand over the documents and data obtained from the work and may not take or use the documents and data after termination of employment.
Article 16
Food businesses shall take the following data protection measures if they provide services on an e-commerce platform:
I. Mechanisms for user verification and protection.
II. Masking mechanisms for displaying personal data.
III. Security encryption mechanisms for Internet transmission.
IV. Access control and protection monitoring measures of personal data files and databases.
V. Countermeasures against external network intrusion.
VI. Monitoring and responding mechanisms against unlawful or abnormal usage.
The so-called e-commerce as referred to in the preceding paragraph refers to advertisements, promotions, supply, order, delivery or other commercial activities carried out via the Internet.
The measures prescribed in Subparagraphs 5 and 6 in the preceding paragraph shall be periodically exercised and reviewed for improvement.
Article 17
The incident prevention, reporting, and response mechanisms established by food businesses in accordance with Article 4, Subparagraph 4 shall include the following matters:
I. Take appropriate measures to control the damages to the information owner due to the incident and report to the municipal and county (city) competent authorities and the central competent authority within 72 hours after discovering the incident.
II. Investigate the cause of the incident and damages, notify the information owners or statutory agents, and report the incident to the competent authority.
III. Examine deficiencies and formulate preventive and improvement measures to avoid the reoccurrence of such kind of incident.
When personal information theft, leakage, tampering, or other incidents occur, food businesses shall rapidly handle the incident according to the prevention, reporting, and response mechanisms in the preceding paragraph to protect the rights and interests of the personal information owners.
When an incident mentioned in the preceding paragraph occurs to a food business, the competent authority may conduct inspections by having their staff enter the premises, order relevant personnel to provide necessary explanations, cooperate on adopting relevant measures, or provide supporting documents in accordance with the provisions of Paragraph 1 of Article 22 of the Act and take any further action depending on the inspection result.
Please see the attachment for the report form referred to in Subparagraph 1 of Paragraph 1.
Article 18
The management measures of facility security established by food businesses in Article 4, Subparagraph 5 shall include the following matters:
I. Security and protection facilities and management procedures for paper documents.
II. Security systems or encryption mechanisms installed on computers or automated machines for storing electronic files.
III. Establish procedures for destroying paper and electronic documents. Suitable measures for preventing personal information leakage must be taken when computers, automated machines, or other storage media is to be discarded, replaced, or used for other purposes.
Article 19
Auditors shall regularly or irregularly audit the implementation status and results of the Security and Maintenance Plans in accordance with Article 4, Subparagraph 6, and report audit results to food businesses.
Article 20
The preservation measures of use records, log files, and relevant evidence established by food businesses in Article 4, Subparagraph 7 shall include the following matters:
I. Retention of personal information use records.
II. Retention of log files of automated machines or other relevant evidence.
Article 21
The disposal measures for personal information after termination of business established by food businesses in Article 4, Subparagraph 8 shall include the following matters:
I. Destruction: Method, time, place, and proof of destruction.
II. Transfer: Reason, subject, method, time, place, and legal basis for the recipient to retain the personal information.
III. Delete or discontinue to process or use: Method, time, or place.
The measure in the preceding paragraph shall be documented, and retained for at least five years.
Article 22
Food businesses shall take into account the implementation status of their Security and Maintenance Plans, technological developments, amendments of laws, or other factors when establishing the integrated and persistent improvement plan on the security and maintenance of personal information in accordance with Article 4, Subparagraph 9. Food businesses shall examine the appropriateness of Security and Maintenance Plans regularly and revise the plans when necessary.
Article 23
These Regulations shall come into force from the date of promulgation.