Full text of 14 articles promulgated by Order Kung Jing Tzu No. 10214604901 on Apr. 30, 2013
Amendment to Articles 5 and 9 promulgated by Order Kung Jing Tzu No. 10314603991 on Apr. 18, 2014
Amendment to Articles 2, 3 to 5 and 9 to 13 promulgated by Order Kung Jing Tzu No. 10314612231 on Oct. 24, 2014
These regulations are established in accordance with Paragraph 3, Article 27 of the Personal Information Protection Act (hereinafter referred to as the Act).
Multi-level marketing enterprises shall, within two months after filing for record with the Fair Trade Commission (hereinafter referred to as the FTC), establish their plans of security measures for personal information files and their measures for handling personal information after termination of business (hereinafter collectively referred to as personal information protection measures), and shall faithfully implement such plans and measures.
Multi-level marketing enterprises shall take the following into consideration when they establish personal information protection plans:
(1) allocating management personnel and substantial resources;
(2) defining the scope of personal information to be protected and conducting an audit on a regular basis;
(3) analyzing potential risks arising from the procedures of collection, processing and use of personal information in the defined scope of personal information, and adopting appropriate management measures according to the results of risk analysis;
(4) adopting appropriate response measures against theft, alteration, damage, loss or leakage of personal information so as to minimize damage to the parties concerned, reporting to the competent authority and notifying the parties concerned through appropriate means, and establishing mechanisms to prevent the recurrence of similar incidents;
(5) conducting education and training on personal information protection for the employees.
Multi-level marketing enterprises shall establish personal information management procedures in compliance with the following:
(1) distinguishing ordinary personal information from the special personal information specified in Article 6 of the Act, and establishing separate management procedures for each;
(2) reviewing the specific purposes for which personal information is collected and processed, and confirming whether the parties concerned must be informed in accordance with Articles 8 and 9 of the Act;
(3) reviewing whether the collection and processing of personal information is for specific purposes and meets the statutory requirements of Article 19 of the Act, whether the use of personal information falls within the specific purposes prescribed in Paragraph 1 of Article 20 of the Act, and whether any use outside the specific purposes meets the requirements for such use;
(4) where a commissioned agency collects, processes, or uses all or part of the personal information, conducting appropriate supervision of the commissioned agency in accordance with Article 8 of the Enforcement Rules of the Personal Information Protection Act; the specific supervision items and methods shall be stipulated in the agreement with the commissioned agency;
(5) immediately ceasing the use of personal information for marketing purposes when the party concerned expresses objection, and instructing all employees to stop using that party's personal information for marketing purposes; at the time of the first marketing contact, informing the party concerned of the means by which marketing may be refused free of charge;
(6) prior to any international transmission of personal information, confirming whether the FTC has issued orders or decisions restricting international transmission of personal information under Article 21 of the Act, and abiding by any such orders or decisions;
(7) where a party concerned exercises the rights specified in Article 3 of the Act, verifying that the requester is the party to whom the personal information pertains, and then complying with the processing time limits set forth in Article 13 of the Act;
(8) reviewing whether the procedures for collection, processing, or use of personal information are correct so as to ensure the accuracy of personal information. Where personal information is found to be inaccurate, it shall be corrected or supplemented, or the parties who provided such information shall be notified, as soon as possible. Disputes over the accuracy of personal information shall be handled in accordance with Paragraph 2 of Article 11 of the Act;
(9) reviewing whether the specific purposes for keeping personal information no longer exist or the period has expired. Where the specific purposes no longer exist or the period has expired, the personal information in question shall be handled in accordance with Paragraph 3 of Article 10 of the Act.
The plan of security measures for personal information files established by multi-level marketing enterprises shall include the following:
(1) information security management measures;
(2) personnel management measures;
(3) facility security management measures;
(4) participant regulation measures.
The information security management measures stated in Subparagraph 1 of the preceding article shall include the following:
(1) establishment of rules governing portable equipment and storage media where computers or automated equipment are used to collect, process, or use personal information;
(2) adoption of appropriate encryption mechanisms for the procedures of collection, processing, or use of personal information when encryption of such personal information is deemed necessary;
(3) safeguarding of backup copies of personal information with the same protective measures applied to the originals, in accordance with the relevant provisions of the Act;
(4) adoption of appropriate measures to prevent leakage of personal information when paper-based documents, hard disks, magnetic tapes, compact discs, microfilms and integrated circuit chips used to store personal information are disposed of or repurposed;
(5) where the aforesaid operations are commissioned to an agency, conducting appropriate supervision of the commissioned agency in accordance with Article 8 of the Enforcement Rules of the Personal Information Protection Act; the specific supervision items and methods shall be stipulated in the agreement with the commissioned agency.
The personnel management measures stated in Subparagraph 2 of Article 5 shall include the following:
(1) defining the access authority of personnel according to the requirements of their duties and controlling their access to personal information;
(2) reviewing various operating procedures and personnel responsible for the collection, processing and use of personal information;
(3) stipulating the confidentiality obligations of personnel.
The facility security management measures stated in Subparagraph 3 of Article 5 shall include the following:
(1) establishment of measures in accordance with the various operation contents to control access to paper-based documents, hard disks, magnetic tape, compact discs, microfilms and integrated circuit chips used to store personal information;
(2) proper custody of storage media in which personal information is stored;
(3) acquisition of appropriate equipment or technologies to protect the environments in which various storage media are kept.
The participant regulation measures stated in Subparagraph 4 of Article 5 shall include the following:
(1) establishment of the requirements and procedures under which participants may obtain the personal information of others from the multi-level marketing enterprise;
(2) establishment of guidelines for collection, processing and use of the personal information acquired by participants from outside the multi-level marketing enterprises when engaging in multi-level marketing.
Multi-level marketing enterprises shall establish the measures for handling personal information after termination of business in accordance with the following approaches, and shall keep records thereof for reference:
(1) destruction: including the method, time, location and proof of destruction;
(2) transfer: including the cause, transferee, method, time and location of the transfer, as well as the legal basis for the transferee to keep the personal information;
(3) deletion, or cessation of processing or use, of personal information: including the method, time and location of such deletion or cessation.
Multi-level marketing enterprises shall transmit the electronic copies of their personal information protection measures to the FTC for reference; the same procedure shall apply when revisions are made.
Multi-level marketing enterprises shall review and revise their personal information protection measures in accordance with the development of business operation, technological progress and change of laws and regulations.
Multi-level marketing enterprises shall keep records of the use of personal information, retain the audit trails of automated equipment, and adopt mechanisms for preserving other relevant evidence, so that such material is available to demonstrate how their personal information protection measures have been implemented.
These regulations shall take effect on the date of promulgation.