
Relevant Laws

Title: Personal Data Protection Act (2023.05.31)
Article 6     Personal information of medical records, medical treatment, genetic information, sexual life, health examination and criminal records should not be collected, processed or used. However, the following situations are not subject to the limits set in the preceding sentence:
  1. when in accordance with law;
  2. when it is necessary for a government agency to perform its legal duties or for a non-government agency to fulfill its legal obligation, and proper security measures are adopted prior or subsequent to such collection, processing or use;
  3. when the Party has made public such information by himself, or when the information concerned has been publicized legally;
  4. where it is necessary to perform statistical or other academic research, a government agency or an academic research institution collects, processes, or uses personal information for the purpose of medical treatment, public health, or crime prevention. The information may not lead to the identification of a specific person after its processing by the provider, or from the disclosure by the collector;
  5. where it is necessary to assist a government agency in performing its legal duties or a non-government agency in fulfilling its legal obligations, and proper security measures are adopted prior or subsequent to such collection, processing, or use;
  6. where the Party has consented in writing; unless such consent exceeds the necessary scope of the specific purpose; the collection, processing or use merely with the consent of the Party is prohibited by other statutes; or such consent is against the Party’s will.
    Article 8 and Article 9 shall apply mutatis mutandis to the collection, processing, or use of personal information in accordance with the preceding Paragraph; Paragraphs 1, 2 and 4 of Article 7 shall apply mutatis mutandis to the written consent specified in Item 6 of the preceding Paragraph. The notification should be in written form.
Article 18     The government agency which keeps personal information files should assign personnel(s) on security and maintenance of those files to prevent them from being stolen, altered, damaged, destroyed or disclosed.
Article 19 Except for the personal data specified under paragraph 1 of Article 6, the collection or processing of personal data by non-government agencies shall be for specific purposes and on one of the following bases:
1. where it is expressly required by law;
2. where there is a contractual or quasi-contractual relationship between the non-government agency and the data subject, and proper security measures have been adopted to ensure the security of the personal data;
3. where the personal data has been manifestly made public by the data subject or publicized legally;
4. where it is necessary for statistics gathering or academic research by an academic institution in pursuit of public interests, provided that such data, as processed by the data provider or as disclosed by the data collector, may not lead to the identification of a specific data subject;
5. where consent has been given by the data subject;
6. where it is necessary for furthering public interests;
7. where the personal data is obtained from publicly available sources unless the data subject has an overriding interest in prohibiting the processing or use of such personal data; or
8. where the rights and interests of the data subject will not be infringed upon.
A data collector or processor shall, on its own initiative or upon the request of the data subject, erase or cease processing or using the personal data when it becomes aware of, or upon being notified by the data subject, that the processing or use of the personal data should be prohibited pursuant to the proviso to subparagraph 7 of the preceding paragraph.
Article 27 Non-government agencies in possession of personal data files shall implement proper security measures to prevent the personal data from being stolen, altered, damaged, destroyed or disclosed.
The central government authorities in charge of the industries concerned may designate and order certain non-government agencies to establish a security and maintenance plan for the protection of personal data files and rules on disposing personal data following a business termination.
Matters such as standards on setting forth the aforementioned plans and disposal regulations shall be expressly established by the central government authority in charge of the industry concerned.