
Full text of 14 articles promulgated by Order Kung Jing Tzu No. 10214604901 on Apr. 30, 2013
Amendment to Articles 5 and 9 promulgated by Order Kung Jing Tzu No. 10314603991 on Apr. 18, 2014
Amendment to Articles 2, 3 to 5 and 9 to 13 promulgated by Order Kung Jing Tzu No. 10314612231 on Oct. 24, 2014
Amendment to Article 3 promulgated by Order Kung Jing Tzu No. 11014606781 on Sep. 27, 2021
Amendment to Articles 3, 6-1 and 6-2 promulgated by Order Kung Jing Tzu No. 1111460285 on Mar. 23, 2022

Article 1 
These regulations are established in accordance with Paragraph 3, Article 27 of the Personal Information Protection Act (hereinafter referred to as the Act). 

Article 2 
Multi-level marketing enterprises shall, within two months after applying to the Fair Trade Commission (hereinafter referred to as the FTC) for recordation, set up plans of security measures for personal information files and measures for handling personal information after termination of business (hereinafter collectively referred to as personal information protection measures), and shall duly implement those plans and measures.

Article 3 
Multi-level marketing enterprises shall take the following into consideration when establishing their personal information protection measures:

(1) Allocating managing personnel and considerable resources;
(2) Defining the scope of protected personal information and conducting periodic audits;
(3) Analyzing the risks likely to arise from the procedures of collection, processing and use of personal information within the defined scope, and establishing appropriate control measures according to the results of the risk analysis;
(4) Adopting appropriate response measures against theft, alteration, damage, loss and leakage of personal information under their control, so that harm to the concerned parties is minimized, and working out mechanisms to prevent the recurrence of similar incidents;
(5) Education and training for their staff members.

Within 72 hours after discovering a leakage of personal information, multi-level marketing enterprises shall fill out the Personal Information Infringement Report and Record Sheet (as shown in the attachment), report to the FTC, and notify the concerned parties by appropriate means.

After accepting a report described in the preceding paragraph, the FTC shall take proper supervisory and management measures according to the authority specified in Articles 22 to 25 of the Act.

Article 4 
Multi-level marketing enterprises shall comply with the following when establishing their personal information management procedures:

(1) confirming the nature of ordinary personal information and of the special personal information specified in Article 6 of the Act, and establishing separate management procedures for each;
(2) reviewing the specific purposes of the collection and processing of personal information, and confirming whether the concerned parties need to be informed according to Articles 8 and 9 of the Act;
(3) reviewing whether the collection and processing of personal information is conducted for specific purposes and meets the statutory requirements specified in Article 19 of the Act, whether the use of personal information falls within the specific purposes prescribed in Paragraph 1 of Article 20 of the Act, and whether any use of personal information outside the specific purposes meets the requirements for such use;
(4) conducting appropriate supervision of the commissioned agency according to Article 8 of the Enforcement Rules of the Personal Information Protection Act when a commissioned agency collects, processes, or uses all or part of the personal information; the specific supervision items and methods shall be stipulated in the agreement with the commissioned agency;
(5) immediately stopping the use of personal information for marketing purposes when the concerned party expresses his/her objection, and instructing all employees to stop using that party's personal information for marketing purposes; and, at the time of the first marketing contact, informing the concerned party of a free-of-charge means of refusing further marketing;
(6) prior to engaging in the international transmission of personal information, confirming whether the FTC has issued any order or decision restricting such transmission according to Article 21 of the Act, and abiding by any such order or decision;
(7) where a concerned party exercises the rights specified in Article 3 of the Act, confirming that the requester is the person to whom the personal information pertains, and then abiding by the time limits for processing set forth in Article 13 of the Act;
(8) reviewing whether the procedures for the collection, processing, or use of personal information are correct, so as to assure the accuracy of the personal information. Where personal information is found to be inaccurate, it shall be corrected or supplemented, or the party that provided it notified, at the earliest possible time. Disputes over the accuracy of personal information shall be handled in accordance with Paragraph 2 of Article 11 of the Act;
(9) reviewing whether the specific purposes for retaining personal information no longer exist or the retention period has expired. Where the specific purposes no longer exist or the period has expired, the personal information in question shall be handled in accordance with Paragraph 3 of Article 10 of the Act.

Article 5
The plan of security measures for personal information files set up by multi-level marketing enterprises shall include the following:

(1) information security management measures;
(2) personnel management measures;
(3) facility security management measures;
(4) participants regulation measures.

Article 6
The information security management measures stated in Subparagraph 1 of the preceding article shall include the following:

(1) establishment of specifications for portable equipment and storage media when computers or automated equipment are used to collect, process, or use personal information;
(2) adoption of appropriate encryption mechanisms in the procedures of collection, processing, or use of personal information where encryption of such personal information is deemed necessary;
(3) adoption, for backup copies of personal information, of the same protective measures as for the originals, in accordance with the related provisions of the Act;
(4) adoption of appropriate measures to prevent the leakage of personal information when paper-based documents, hard disks, magnetic tapes, compact discs, microfilms and integrated circuit chips used to store personal information are scrapped or repurposed;
(5) appropriate supervision of the commissioned agency according to Article 8 of the Enforcement Rules of the Personal Information Protection Act when a commissioned agency is delegated to carry out the aforesaid operations; the specific supervision items and methods shall be stipulated in the agreement with the commissioned agency.

Article 6-1
Multi-level marketing enterprises providing e-commerce services shall adopt the following information security measures:

(1) User identity authentication and protection mechanisms;
(2) Masking (code-concealing) mechanisms for the display of personal information;
(3) Internet transmission security and encryption mechanisms;
(4) Access control over personal information files and databases, together with protection and monitoring measures;
(5) Countermeasures against intrusions from external networks;
(6) Mechanisms for monitoring and responding to unlawful or abnormal use of personal information.

The e-commerce mentioned in the preceding paragraph refers to all kinds of business activities conducted through the Internet to advertise, market, supply and order products or services.

The measures specified in Subparagraphs 5 and 6 of the preceding paragraph shall be exercised and reviewed regularly to make improvements.

Article 6-2
Before transmitting personal information internationally, multi-level marketing enterprises shall make sure that such transmissions comply with the international transmission restrictions set forth in Article 21 of the Act, inform the concerned parties of the regions to which their personal information will be transmitted, and supervise the recipients of the information with respect to the following matters:

(1) The scope, type, specific purpose, duration, area, object and method of the intended processing or use of the personal information;
(2) Matters associated with the concerned parties' exercise of the rights specified in Article 3 of the Act.

Article 7
The personnel management measures stated in Subparagraph 2 of Article 5 shall include the following: 

(1) defining the authority of different personnel according to the requirements of their work, and controlling their access to personal information;
(2) reviewing various operating procedures and personnel responsible for the collection, processing and use of personal information;
(3) stipulating the confidentiality obligations of personnel.

Article 8
The facility security management measures stated in Subparagraph 3 of Article 5 shall include the following: 

(1) establishment of measures, appropriate to the operations concerned, to control access to paper-based documents, hard disks, magnetic tapes, compact discs, microfilms and integrated circuit chips used to store personal information;
(2) proper custody of storage media in which personal information is stored;
(3) acquisition of appropriate equipment or technologies to protect the environments in which various storage media are kept.

Article 9
The participants regulation measures stated in Subparagraph 4 of Article 5 shall include the following:

(1) establishment of the requirements and procedures for the acquisition of the personal information of others from the multi-level marketing enterprises;
(2) establishment of guidelines for collection, processing and use of the personal information acquired by participants from outside the multi-level marketing enterprises when engaging in multi-level marketing.

Article 10
Multi-level marketing enterprises shall set up measures for handling personal information after termination of business according to the following approaches, and shall keep records of them for reference:

(1) destruction: including the method, time, location and proof of destruction;
(2) transfer: including the cause, transferee, method, time and location of the transfer, as well as the legal basis on which the transferee keeps the personal information;
(3) deletion, or suspension of processing or use, of personal information: including the method, time and location of such deletion or suspension.

Article 11
Multi-level marketing enterprises shall transmit the electronic copies of their personal information protection measures to the FTC for reference; the same procedure shall apply when revisions are made. 

Article 12
Multi-level marketing enterprises shall review and revise their personal information protection measures in accordance with the development of business operation, technological progress and change of laws and regulations. 

Article 13
Multi-level marketing enterprises shall adopt measures to keep records of the use of personal information, to retain the trace data of automated equipment, and to preserve other related evidence, so that such material is available when required to demonstrate how the personal information protection measures have been implemented.

Article 14
These regulations shall take effect on the date of promulgation. 


Document: Attachment (pdf); Attachment (odt)
Updated at: 2024-03-21 14:42:02