Title: Enforcement Rules of the Personal Data Protection Act

Amended Date: 2016.03.02 

Title: Enforcement Rules of the Personal Information Protection Act (2012.09.26)
Article 1     These Rules are enacted according to Article 55 of the Personal Information Protection Act ("the Act").
Article 2     "Individual" referred to in the Act shall mean a living natural person.
Article 3     “Other information which may be used to identify a natural person indirectly” referred to in Item 1 of Article 2 of the Act shall mean that the government agency or the non-government agency possessing the information cannot directly identify the specific person without comparing it with, combining it with or connecting it to other information.
Article 4     Personal information of “medical record” referred to in Item 1 of Article 2 of the Act shall mean the information listed in Paragraph 2 of Article 67 of the Medical Care Act.
    Personal information of “medical treatment” referred to in Item 1 of Article 2 of the Act shall mean medical records and other checkups or treatments made by doctors or other medical personnel for the purpose of treating, correcting or preventing the diseases, harms or disabilities of human body or for other medical due reasons, or shall mean other personal information produced through prescription, medication, operation or disposition based on the above results of checkups.
    “Genetic information” referred to in Item 1 of Article 2 of the Act shall mean the message of a heredity unit, consisting of one segment of deoxyribonucleic acid (DNA) of the human body, for controlling the specific functions of the human body.
    Personal information of “sexual life” referred to in Item 1 of Article 2 of the Act shall mean the personal information of sexual orientation or sexual habit.
    Personal information of “health examination” referred to in Item 1 of Article 2 of the Act shall mean the information produced by medical examination not for the purpose of diagnosing or treating a specific disease.
    Personal information of “criminal record” referred to in Item 1 of Article 2 of the Act shall mean the records of a decision to defer the prosecution, a decision not to prosecute ex officio or a final guilty judgment or its enforcement.
Article 5     “Personal information files” referred to in Item 2 of Article 2 of the Act includes the backup files.
Article 6     “Deletion” referred to in Item 4 of Article 2 of the Act shall mean to make the stored personal information disappear from the personal information file.
    “Internal transmit” referred to in Item 4 of Article 2 of the Act shall mean the internal transmission of information within the government agency or the non-government agency.
Article 7     The collection, processing or use of personal information by the commissioned juristic person, group or natural person shall apply to the same laws and regulations applicable to the commissioning agency.
Article 8     When commissioning others to collect, process or use personal information, the commissioning agency shall properly supervise the commissioned agency.
    The supervision prescribed in the preceding paragraph shall contain at least the following:
  1. the planned scope, classification, specific purpose and time period of collecting, processing or using personal information;
  2. the measures taken by the commissioned agency in accordance with Paragraph 2 of Article 12;
  3. the third party, if any, further commissioned by the commissioned agency;
  4. the matters to be notified to the commissioning agency and the remedial measures to be taken when the commissioned agency or its employees violate the Act, other personal information protection related laws or their regulations;
  5. the matters of a reserved instruction, if there are any reserved instruction(s) given to the commissioned agency by the commissioning agency; and
  6. the return of any instrument containing personal information and the deletion of any personal information stored and possessed by the commissioned agency as a result of performing the commission agreement, when the commission agreement is terminated or rescinded.
    For the purpose of supervision prescribed in Paragraph 1, the commissioning agency shall periodically confirm the implementation status of the commissioned agency and record the result of such confirmation.
    The commissioned agency may collect, process or use personal information but only to the extent within the commissioning agency’s instruction. If it considers that the commissioning agency’s instruction violates the Act, other personal information protection related laws or their regulations, the commissioned agency shall notify the commissioning agency immediately.
Article 9     “Law” referred to in Item 1 of Paragraph 1 of Article 6, Item 1 of Paragraph 2 of Article 8, Item 1 of Paragraph 1 of Article 16, Item 1 of Paragraph 1 of Article 19, and Item 1 of Paragraph 1 of Article 20 of the Act shall mean the laws or regulations specifically and clearly authorized by laws.
Article 10     “Legal duty” referred to in Item 2 of Paragraph 1 of Article 6, Items 2 and 3 of Paragraph 2 of Article 8, Item 2 of Article 10, Item 1 of Article 15, and Article 16 of the Act shall mean the obligations of the government agency prescribed in the following laws:
  1. laws and regulations authorized by laws;
  2. self-government ordinances;
  3. self-government regulations authorized by laws or self-government ordinances; or
  4. regulations on the commissioning of matters authorized by laws or central government regulations.
Article 11     “Legal obligation” referred to in Item 2 of Paragraph 1 of Article 6 and Item 2 of Paragraph 2 of Article 8 of the Act shall mean the obligations of the non-government agency prescribed by laws or regulations specifically and clearly authorized by laws.
Article 12     “Proper security measures” referred to in Item 2 of Paragraph 1 of Article 6, “security and maintenance” referred to in Article 18, and “proper security measures” referred to in Paragraph 1 of Article 27 of the Act shall mean the technical or organizational measures taken by the government agency or the non-government agency for the purpose of preventing personal information from being stolen, altered, damaged, destroyed or disclosed.
    The measures prescribed in the preceding paragraph may include the following matters and shall follow the principle of appropriate proportionality to achieve the objective of personal information protection:
  1. allocating management personnel and substantial resources;
  2. defining the scope of personal information;
  3. establishing the mechanism of risk evaluation and management of personal information;
  4. establishing the mechanism of preventing, giving notice of, and responding to accidents;
  5. establishing an internal management procedure of collecting, processing, and using personal information;
  6. managing information security and personnel;
  7. promoting acknowledgement, education and training;
  8. managing facility security;
  9. establishing a mechanism of auditing information security;
  10. keeping records of the use, locus information and proof; and
  11. integrated persistent improvements on the security and maintenance of personal information.
Article 13     “The personal information disclosed by the Party himself/herself” referred to in Item 3 of Paragraph 1 of Article 6, Item 2 of Paragraph 2 of Article 9, and Item 3 of Paragraph 1 of Article 19 of the Act shall mean the personal information disclosed by the Party himself/herself to the general public or specific persons.
    “Personal information which has been publicized legally” referred to in Item 3 of Paragraph 1 of Article 6, Item 2 of Paragraph 2 of Article 9, and Item 3 of Paragraph 1 of Article 19 of the Act shall mean personal information which has been declared or announced in accordance with laws or regulations specifically and clearly authorized by laws, or publicized by means of other legal manners.
Article 14     Pursuant to the Electronic Signatures Act, the “written consent” referred to in Article 7 of the Act can be made by means of electronic record.
Article 15     If the “written consent made by the Party” referred to in Paragraph 2 of Article 7 of the Act is made together with other expressions of intent in the same document, the collector shall make the Party aware of the contents in an appropriate location and confirm the Party’s consent.
Article 16     The methods of notification referred to in Article 8, Article 9, and Article 54 of the Act may be made by means of words, written document, telephone, text message, email, facsimile, electronic record or other manners which are sufficient to make or likely to make the Party know such notification.
Article 17     “The information may not lead to the identification of a certain person after the treatment of the provider or the disclosure of the collector” referred to in Item 4 of Paragraph 2 of Article 9, Item 5 of the exception of Article 16, Item 4 of Paragraph 1 of Article 19, and Item 5 of the exception of Paragraph 1 of Article 20 of the Act shall mean the personal information processed by ways of code, anonymity, hiding parts of information or other manners so as to fail to identify such a specific person.
Article 18     “The major interests of a third person may be affected” referred to in Item 3 of Article 10 of the Act shall mean that the life, health, freedom, property or other important interests of a third person may be affected.
Article 19     When requesting the government agency or the non-government agency to correct or supplement his/her personal information, the Party shall make an appropriate explanation.
Article 20     “The specific purpose no longer existing” referred to in Paragraph 3 of Article 11 of the Act shall mean one of the following circumstances:
  1. the government agency has been dissolved or re-organized and no agency succeeds its business;
  2. the non-government agency has ceased its business or been dissolved and no agency succeeds its business; or the non-government agency has changed its business category so that it is inconsistent with its original purpose of collecting personal information;
  3. the specific purpose has been reached and thus there is no need to continue the processing and use of personal information; and
  4. other reasons which are sufficient to establish that the specific purpose cannot be reached or no longer exists.
Article 21     “The necessity for the performance of an official duty or fulfillment of a legal obligation” referred to in the exception of Paragraph 3 of Article 11 of the Act shall mean one of the following circumstances:
  1. the retention period prescribed by laws and regulations or agreed in a contract;
  2. sufficient reasons to consider that such deletion will affect the Party’s interests which are worthy of protection; and
  3. other justifications not to delete.
Article 22     “Appropriate methods of notification” referred to in Article 12 of the Act shall mean prompt words, written document, telephone, text message, email, facsimile, electronic record or other manners which will be sufficient to make or likely to make the Party know such notification. However, if the notification costs too much, in consideration of the technical feasibility and the privacy protection of the Party, such notification may be made via the internet, news media or other appropriate means.
    The contents of “notification to the Party” referred to in Article 12 of the Act shall include the fact that personal information has been infringed and the responding measures which have been taken.
Article 23     “To publicize” referred to in Article 17 of the Act shall be made by the government agency within one month after building the personal information files. This provision is also applicable to any alteration thereof. The methods of publication shall be specified and prevented from being changed at will.
    “Other proper means” referred to in Article 17 of the Act shall mean publicizing by means of government gazette, newspaper, magazine, electronic newspaper or other manners to which the general public has access for review.
Article 24     The government agency keeping personal information files shall prescribe rules governing the security and maintenance of personal information.
Article 25     “Personnel(s)” referred to in Article 18 of the Act shall mean personnel with the ability to manage and maintain personal information files and to sufficiently perform the regular task of securing and maintaining personal information for the agency.
    To equip the personnel with the ability of securing and maintaining personal information, the government agency shall hold the relevant education and training or have the personnel take such education and training.
Article 26     “Contract or quasi-contract” referred to in Item 2 of Paragraph 1 of Article 19 of the Act is not limited to a contract or quasi-contract formed after the amendment and enforcement of the Act.
Article 27     “Contractual relationship” referred to in Item 2 of Paragraph 1 of Article 19 of the Act includes the contract and, in order to perform the contract between the non-government agency and the Party, the conducts of contacting with, negotiating with, receiving delivery from or delivering to a necessary third party.
    “Quasi-contract” referred to in Item 2 of Paragraph 1 of Article 19 of the Act shall mean one of the following circumstances:
  1. in order to prepare or conclude a contract or transaction, the conduct of contact or negotiation between the non-government agency and the Party before the forming of a contract; and
  2. in order to exercise rights, perform duties or ensure the completeness of personal information, the conduct of contact between the non-government agency and the Party when the contract is extinguished due to voidance, voidableness, rescission or termination, or is executed.
Article 28     “Publicly available resources” referred to in Item 7 of Paragraph 1 of Article 19 of the Act shall mean mass media, the internet, news, magazines, government gazettes and other channels through which the general public may become aware of or contact, and thus obtain, personal information.
Article 29     During the performance of inspection in accordance with Article 22 of the Act, attention shall be drawn to the confidentiality and the reputation of the inspected.
Article 30     When “the personal information or its files which may be confiscated or served as evidence are detained or duplicated” in accordance with Paragraph 2 of Article 22 of the Act, a receipt specifying the name, quantity, the owner, place and time shall be issued.
    The records shall be made after performing the inspection in accordance with Paragraphs 1 and 2 of Article 22 of the Act.
    The records made on the spot in accordance with the preceding paragraph shall be reviewed and signed by the inspected. The copy of the records shall be promptly given to the inspected. If the inspected refuses to sign, the reason of such refusal shall be stated.
    If the records are made afterwards, they shall be delivered to the inspected, who shall be notified that he/she may make statements within a certain period of time.
Article 31     “Charitable group” referred to in Paragraph 1 of Article 52 of the Act shall mean a non-profit association, corporation, or administrative corporation established in accordance with the Civil Code or other laws and having the professional ability regarding the protection of personal information.
Article 32     The collected or processed personal information provided by the Party before the amendment and enforcement of the Act can be continuously processed and, within the specific purpose, used after the amendment and enforcement of the Act. The use outside the specific purpose shall be made in accordance with the provisions after the amendment and enforcement of the Act.
Article 33     The effective date of these Enforcement Rules shall be promulgated by the Ministry of Justice.