Pre-announcement of the Draft Regulations for the Security and the Maintenance of Personal Data Files in Retail Sale in Non-specialized Stores

July 2023

Elizabeth Pai and Hannah Kuo

Pursuant to the authorization under Article 27, Paragraph 3 of the Personal Data Protection Act, the Ministry of Economic Affairs (hereinafter, the “MOEA”) pre-announced the formulation of the Regulations for the Security and the Maintenance of Personal Data Files in Retail Sale in Non-specialized Stores (hereinafter, the “Draft”), requiring department stores, hypermarkets, supermarkets, convenience stores, and other general retail businesses that have a capital of more than NT$10 million, recruit members or obtain the personal data of trading counterparties, or are designated by the MOEA (hereinafter, the “Businesses”) to formulate a personal data file security maintenance plan (hereinafter, the “Security Maintenance Plan”) to carry out the security maintenance of personal data.  The key points of the Draft are provided as follows:

1. The Businesses shall plan, formulate, review, and revise personal data security maintenance measures, and designate responsible dedicated personnel according to their business scale and characteristics and in consideration of the reasonable allocation of operating resources (Articles 4 to 5 of the Draft).

2. The Businesses shall regularly check the status of retained personal data based on the specific purposes of collection and handle them appropriately (Article 7 of the Draft).

3. Before transmitting personal data internationally, the Businesses shall examine whether there are restrictions imposed by the competent central authority and inform the data subject of the country or region to which the transmission is intended (Article 8 of the Draft).

4. The Businesses shall establish data security management and personnel management measures, information security measures, equipment security management measures, and personal data processing methods after the termination of business, and shall also regularly conduct awareness campaigns and education and training for employees (Articles 9 to 11, 13, and 16 of the Draft).

5. If personal data held by the Businesses are stolen, leaked, tampered with, or otherwise infringed, they shall notify the competent authority within 72 hours and inform consumers in an appropriate manner (Article 12 of the Draft).

6. The Businesses shall establish a data security audit mechanism, designate auditors to regularly audit the implementation and effectiveness of the Security Maintenance Plan, and report to the company’s legal representative (Article 14 of the Draft).

7. The Businesses shall retain usage records of personal data, machine and equipment log files, and other evidentiary data for at least five years (Article 15 of the Draft).

8. When the Businesses entrust others to collect, process, or use personal data, they shall properly supervise the entrusted party and clearly stipulate the details in the commissioning contract or relevant documents (Article 19 of the Draft).

9. When the Businesses use personal data for promotion, advertising, or marketing, they shall inform consumers of the registered name of the Business and the source of the personal data. They shall also provide consumers with a way to refuse to receive promotions, advertising, or marketing. Once a consumer indicates such refusal, the Businesses shall immediately stop using that consumer's personal data (Article 20 of the Draft).

According to the Draft, the Businesses are required to complete the formulation of the Security Maintenance Plan within six months after the formal regulations are promulgated. If the Businesses fail to formulate the above-mentioned Security Maintenance Plan or do not adopt appropriate security measures pursuant to the regulations, they may be subject to a fine of NT$20,000 to NT$2,000,000 under Article 48 of the Personal Data Protection Act, as amended on May 31 of this year. In case of a material violation, a fine of NT$150,000 to NT$15,000,000 may be imposed. The Businesses are advised to pay close attention to these requirements.


The contents of all materials (Content) available on the website belong to and remain with Lee, Tsai & Partners.  All rights are reserved by Lee, Tsai & Partners, and the Content may not be reproduced, downloaded, disseminated, published, or transferred in any form or by any means, except with the prior permission of Lee, Tsai & Partners. 

The Content is for informational purposes only and is not offered as legal or professional advice on any particular issue or case.  The Content may not reflect the most current legal and regulatory developments.  Lee, Tsai & Partners and the editors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The contributing authors’ opinions do not represent the position of Lee, Tsai & Partners. If the reader has any suggestions or questions, please do not hesitate to contact Lee, Tsai & Partners.