Regulations Regarding the Security Protection Plan for the Processing of Personal Information Files in Tourism Industry-related Non-government Agencies Designated by the Ministry of Transportation and Communications

2022-04-01
Article 1
These regulations are enacted in accordance with Paragraph 3 of Article 27 of the Personal Data Protection Act (hereinafter referred to as the act).
Article 2
The competent authorities referred to in these regulations shall be the Ministry of Transportation and Communications in the central government, the special municipality government in special municipalities, and the county/city government in counties/cities.
Article 3
The non-government agencies referred to in these regulations shall include the following:
1. Tourist hotel enterprise
2. Hotel enterprise
3. Home stay facility
4. Travel agency
5. Tourist amusement enterprise
The consumers referred to in these regulations shall be people making transactions for the purpose of purchasing products or using services.
Article 4
Non-government agencies in possession of 8,000 or more entries of personal data shall act according to these regulations to plan, establish, revise and implement their personal information protection plan and their procedure for disposing of personal data after termination of business operations (together hereinafter referred to as the plan and disposal procedure).
Those required to establish the plan and disposal procedure according to the preceding paragraph shall complete the task within six months after these regulations take effect. Any non-government agency with 8,000 or more personal data entries after these regulations take effect shall complete the task within six months after the number of personal data entries in its possession achieves 8,000.
If the number of personal data entries decreases in two consecutive years to less than 8,000 after establishing the plan and disposal procedure according to the two preceding paragraphs, the non-government agency may suspend implementation of all or part of the plan and disposal procedure. Nevertheless, if the number of personal data entries in its possession achieves 8,000 again, the non-government agency shall resume implementation of the plan and procedure within 30 days.
The number of personal data entries described in the three preceding paragraphs shall be calculated in accordance with the accumulated personal data entries in the possession of a non-government agency. If the number of personal data entries in the possession of a non-government agency is less than 8,000, the non-government agency shall provide evidence to prove it.
Once a non-government agency is notified by the competent authority to provide the results of implementation of the plan and disposal procedure, it shall present the results in writing within 30 days after receiving the notification.
Article 5
When establishing the plan and disposal procedure according to the preceding article, non-government agencies shall refer to Articles 6 to 21, taking into consideration their organizational scale and characteristics as well as the nature and quantity of the personal data in their possession, and establish appropriate security maintenance and management measures. The plan shall include the following items; the items listed in the subparagraphs may also be included if necessary:
1. The organizational scale and characteristics of the non-government agency
2. The measures for personal data file protection
(1) Allocation of managing personnel and reasonable resources
(2) Definition of the scope of personal data collection, processing and utilization
(3) Establishment of a mechanism for personal data risk assessment and management
(4) Establishment of a mechanism for data breach prevention, reporting and response
(5) Establishment of internal control procedures for personal data collection, processing and utilization
(6) Establishment of measures for equipment safety, data safety and personnel management
(7) Awareness promotion and training
(8) Establishment of a mechanism for personal data safety maintenance and auditing
(9) Preservation of use records, log files and evidence
(10) Continuous improvement of personal data safety maintenance
(11) Procedures for disposal of personal data after business operation termination
Article 6
Each non-government agency shall reasonably allocate its management resources in accordance with its business scale and characteristics, establish a managing organization to protect personal data files, and assign adequate personnel and resources for planning, establishing, revising and implementing the plan and disposal procedure.
The establishment or revisions of the plan and disposal procedure shall require the approval of the representative of the non-government agency or personnel authorized by the representative.
The personal data file protection organization shall present written reports on the condition of task execution to the representative of the non-government agency or personnel authorized by the representative on a regular basis.
Each non-government agency is required to keep the personal data protection plan in the office for future reference, and the competent authority may send personnel to inspect the plan.
Article 7
Each non-government agency shall act according to personal data protection regulations to check and confirm the condition of the personal data in its custody and assure the data are covered by the plan and the disposal procedure.
Article 8
According to the range of personal data and the procedures of collection, processing and utilization of personal data, each non-government agency shall evaluate likely personal data risks and establish an appropriate control mechanism based on the results of evaluation.
Article 9
Each non-government agency shall set up the following response, reporting and prevention mechanisms in case theft, alteration, damage, destruction, leakage or other personal data safety incidents take place:
1. Response measures to be taken after an incident, including the methods for reducing or controlling the damages of the party or parties in concern as well as the appropriate approaches to notify the party or parties in concern and the content of such notifications
2. The party or parties to report to after an incident and the ways to report
3. A mechanism for discussing and establishing corrective and preventive measures after an incident
If a personal data breach is deemed likely to endanger its normal operation or affect the interests of a large number of concerned parties, the non-government agency in question shall report the incident to the competent authority in the format shown in the appendix within 72 hours after finding out about the incident. If the incident is reported to the local competent authority, a carbon copy shall also be sent to the central competent authority.
If unable to report to the competent authority within the given timeline or provide all the required information at the time of reporting, the non-government agency shall present the causes of delay or provide the information in stages.
After receiving the report described in Paragraph 2, the competent authority may act according to Articles 22 to 25 of the act and take appropriate supervisory measures. If necessary, the central competent authority may act as a supervisor when the local competent authority oversees the efforts of the non-government agency to improve related mechanisms.
  • Personal Data Breach Reporting and Record Sheet.pdf
Article 10
When collecting and processing regular personal data to execute their duties, the staff members of a non-government agency shall confirm whether their operations comply with the constituent elements prescribed in Article 19 of the act. When utilizing the data, they shall confirm whether the conduct is within the necessary range of the specific purposes of collection. When utilizing the data outside the specific purposes, they shall confirm whether the practice complies with the proviso set forth in Paragraph 1 of Article 21 of the act.
Article 11
When collecting personal data, each non-government agency has the obligation to inform data subjects as described in Articles 8 and 9 of the act, establish separate informing approaches as well as different types of content and notice appropriate for direct collection and indirect collection, and request its staff members to act accordingly.
Article 12
When the central competent authority restricts a non-government agency from transmitting personal data overseas by citing Article 21 of the act, the non-government agency shall notify all of its staff members to comply.
When transmitting personal data overseas, a non-government agency shall confirm whether the practice is restricted by the central competent authority as well as inform the party or parties in concern of the region or regions their personal data will be transmitted to and supervise the data recipient or recipients with regard to the following:
1. The range and type of personal data to be processed or utilized, the specific purposes, duration, area, subjects and approaches
2. Information associated with the rights specified in Article 3 of the act
Article 13
Non-government agencies shall act according to the following when personal data subjects exercise the rights specified in Article 3 of the act:
1. Provide information regarding the contact person or persons and contact methods.
2. Confirm the data subject is the party in concern or the designated agent.
3. Notify the party or parties in concern with the reasons attached when refusing to allow the party or parties in concern to exercise the rights when the situation complies with the condition described in any of the subparagraphs of the proviso in Article 10, the proviso in Paragraph 2 or the proviso in Paragraph 3 of the act.
4. Inform the party or parties in concern of the charging standard when a fee is to be collected.
5. Abide by the processing time regulation set forth in Article 13 of the act.
Article 14
All non-government agencies shall install appropriate equipment or adopt protective measures for the personal data files collected and in their custody.
The equipment or protective measures stated in the preceding paragraph shall include the following:
1. Equipment to safeguard the hard copy files
2. Computers for storing electronic files, automatic equipment, portable equipment or storage media with a safety protection system or an encryption mechanism
3. When hard copies, hard disks, magnetic tapes, compact discs, microfilms, IC chips or other storage media used for storing personal data are to be scrapped, replaced or used for other purposes, the data therein shall be destroyed properly or appropriate measures shall be taken to prevent personal data leakage. When others are commissioned to perform the task, the non-government agency in concern shall properly supervise them in accordance with Article 20 of the act.
Article 15
To assure the safety of the personal data in its custody, each non-government agency shall adopt appropriate measures to control its staff members.
The control measures shall include the following:
1. Define the levels of authority of different staff members according to the needs in business operations.
2. Review the nature of various business operations and designate personnel to be in charge throughout the process of personal data collection, processing and utilization.
3. Request all staff members to guard the personal data storage media carefully and sign with them agreements on the obligation to safeguard the storage media and keep related information confidential.
4. When a staff member transfer or employment separation takes place, the personal data in the possession of the original workers shall be handed over in advance. Continued use of such information outside the premises of the non-government agency shall be disallowed, and such workers shall also sign a confidentiality affidavit.
Article 16
When the number of entries of personal data of consumers collected, processed or utilized by using an information system or communications system reaches 8,000 while the non-government agency also operates an e-commerce service system, the following data protection and management measures shall be adopted:
1. A mechanism to confirm user identity and protect the personal data
2. A code-hiding mechanism for display of personal data
3. An encryption mechanism for safety protection in online transmissions
4. Measures to monitor and control access to personal data and database
5. Countermeasures for preventing invasions from external networks
6. A mechanism to monitor and respond to unlawful or abnormal use
Drilling, review and improvement of the measures specified in Subparagraphs 5 and 6 of the preceding paragraph shall be conducted on a regular basis.
The e-commerce stated in Paragraph 1 refers to business activities for products or services, conducted online, including advertising, marketing, supply, ordering and delivery.
Article 17
Non-government agencies are required to conduct basic personal data protection awareness promotion and training on an irregular basis to make their staff members understand what related regulations require them to do, the range of their responsibilities as well as the mechanisms, procedures and measures associated with protection of personal data.
Article 18
To ensure the plan and disposal procedure can be implemented properly, each non-government agency shall act according to the scale and characteristics of its organization to allocate its resources reasonably, establish auditing mechanisms for personal data protection and designate appropriate personnel to inspect the implementation of the plan and disposal procedure at least once a year.
The inspection results shall be reported to the representative of the non-government agency and the records shall be kept for at least five years.
If the inspection results indicate that the plan and disposal procedure are non-compliant with related regulations or likely to fail to comply with related regulations, improvements shall be made immediately.
Article 19
When activating any of the personal data protection mechanisms, procedures or measures specified in the plan and disposal procedure, the non-government agency shall record the use of personal data and keep the log files or related evidence.
After deleting, suspending processing or utilizing personal data in its possession, the non-government agency shall keep the following records:
1. The methods applied to delete or suspend processing or utilization of personal data, and the time and location
2. When personal data whose processing or utilization is to be deleted or suspended are transferred to another party or parties: the reason or reasons for the transfer, the party or parties transferred to, the method, time and location, and the legal basis for the recipient or recipients to collect, process or utilize the personal data
The log files of the personal data described in the two preceding paragraphs, related evidence and records shall be guarded for at least five years unless it is stipulated otherwise in related regulations or contracts.
Article 20
All non-government agencies shall review the plan and disposal procedure in accordance with the results of implementation, public opinion, technological development and addition or amendment to related regulations and make revisions if necessary.
Article 21
When commissioning others to collect, process or utilize all or part of the personal data in its possession, the non-government agency shall supervise the commissioned party or parties in accordance with Article 8 of the Enforcement Rules of the Personal Data Protection Act.
When performing the supervision described in the preceding paragraph, the non-government agency shall make a precise agreement with the commissioned party or parties on matters regarding the content and approaches of supervision.
Article 22
A non-government agency terminating its operation may not continue to use the personal data originally in its possession and shall handle the data through the following approaches and guard related records for at least five years:
1. Destruction: The method, time and location, and proof of destruction
2. Transfer: Causes of transfer, the party or parties transferred to, the method, time, location and the legal basis for the recipient or recipients to possess the personal data
3. Deletion, suspension of personal data processing or utilization: the methods of deletion and suspension, time and location
Article 23
These regulations shall take effect on the day they are promulgated.