

Title:

Reference Guidelines on the Protection of the Information and Communication Systems of Service Enterprises in Securities and Futures Markets

Announced Date: 2024.01.09 (Articles 15 amended, English version coming soon)
Current English version amended on 2022.04.26
Categories: Information Operations
Article 26     (Protection of Personal Data)
  1. The following data safety management measures shall be adopted to protect the safety of personal data held:
    1. Use of each type of equipment or storage medium shall be regulated. Appropriate measures shall be taken against data leak when any equipment or medium is discarded or used for other purposes.
    2. Appropriate measures of encryption shall be taken when personal data held that needs to be encrypted are collected, processed, or used.
    3. Where it is necessary to back up personal data in the course of operation, the backup data shall be protected appropriately.
  2. The following safety management measures shall be adopted for the relevant equipment if personal data held is stored in a hard copy, disc, magnetic film, optical disk, microfilm, integrated circuit chip, computer, automated machine or equipment, or other medium:
    1. Access shall be properly restricted.
    2. Methods of safekeeping media shall be prescribed.
    3. Appropriate protective equipment or technology shall be installed by the characteristics and environment of each medium.
  3. For the purposes of protecting the safety of personal data held, the level of authority of relevant personnel to access personal data shall be determined by the need to execute business, their access shall be controlled, and confidentiality obligations shall be entered into with the personnel.
  4. It shall be confirmed that risk assessment and control are performed of personal data held in the core systems and all computer systems.
  5. A core system or computer system shall keep audit trails of the use of personal data (such as login accounts, system functions, times, system names, inquiry commands or results) or have in place an identification mechanism to facilitate tracking of the use of personal data in the event of a leak.
  6. A data leak protection mechanism shall be established to control transmission of personal data through copying through an input/output device, communication software, or system operation to a webpage or network file, etc. The relevant records, trails, and evidence shall be retained.
  7. The following records shall be retained in the event of an erasure or suspension of processing or use of personal data held:
    1. Method and time of said erasure or suspension.
    2. Where the personal data is transferred to others after the erasure or suspension, the reason for the transfer, party to which the personal data is transferred, method of transfer, time of transfer, and legal basis for said party’s collection, processing, or use.