Chapter III Data Collection, Processing and Use by a Non-government Agency
| Article 19 | Except for the personal data specified under paragraph 1 of Article 6, the collection or processing of personal data by non-government agencies shall be for specific purposes and on one of the following bases: 1. where it is expressly required by law; 2. where there is a contractual or quasi-contractual relationship between the non-government agency and the data subject, and proper security measures have been adopted to ensure the security of the personal data; 3. where the personal data has been manifestly made public by the data subject or publicized legally; 4. where it is necessary for statistics gathering or academic research by an academic institution in pursuit of public interests, provided that such data, as processed by the data provider or as disclosed by the data collector, may not lead to the identification of a specific data subject; 5. where consent has been given by the data subject; 6. where it is necessary for furthering public interests; 7. where the personal data is obtained from publicly available sources unless the data subject has an overriding interest in prohibiting the processing or use of such personal data; or 8. where the rights and interests of the data subject will not be infringed upon. A data collector or processor shall, on its own initiative or upon the request of the data subject, erase or cease processing or using the personal data when it becomes aware of, or upon being notified by the data subject, that the processing or use of the personal data should be prohibited pursuant to the proviso to subparagraph 7 of the preceding paragraph. |
| Article 20 | Except for the personal data specified in paragraph 1 of Article 6, non-government agencies shall use personal data only within the necessary scope of the specific purpose of collection; the use of personal data for another purpose shall be only on any of the following bases: 1. where it is expressly required by law; 2. where it is necessary for furthering public interests; 3. where it is to prevent harm to the life, body, freedom, or property of the data subject; 4. where it is to prevent material harm to the rights and interests of others; 5. where it is necessary for statistics gathering or academic research by a government agency or an academic institution for public interests; provided that such data, as provided by the data provider or disclosed by the data collector, may not lead to the identification of a specific data subject; 6. where consent has been given by the data subject; or 7. where it is for the data subject's rights and interests. When a non-government agency uses personal data for marketing purpose pursuant to the preceding paragraph, upon the data subject's objection to such use, the agency shall cease using the data subject's personal data for marketing. Non-government agencies, when using the data subject’s personal data for marketing purpose for the first time, shall provide the data subject the ways that he/she can object to such use, and the agency shall pay for the fees therefrom. |
| Article 20-1 | Non-government agencies possessing personal data files shall implement security and maintenance measures to prevent the theft, alteration, damage, loss, or leakage of personal data. The regulations on the security and maintenance, management mechanisms, measures to be taken, and other related matters concerning personal data files as referred to under the preceding paragraph shall be prescribed by the competent authority. |
| Article 21 | If a cross-border transfer of personal data is carried out by a non-government agency under any of the following circumstances, the competent authority may impose restrictions on such transfer: 1. where major national interests are involved; 2. where an international treaty or agreement so stipulates; 3. where the country receiving the personal data lacks proper regulations on protection of personal data and the data subjects’ rights and interests may consequently be harmed; or 4. where the cross-border transfer of the personal data to a third country (territory) is carried out to circumvent the PDPA. |