DRAFT ENFORCEMENT RULES OF THE PERSONAL DATA PROTECTION ACT


DRAFT ENFORCEMENT RULES OF THE PERSONAL DATA PROTECTION ACT Marcus CLINCH marcus.clinch@eigerlaw.com Indy LIU indy.liu@eigerlaw.com www.eigerlaw.com

This is an unofficial English translation prepared by Eiger Law of the draft Enforcement Rules of the Personal Data Protection Act (amended) announced by the Ministry of Justice on 27 October 2011. The original Chinese draft may be found at: http://www.moj.gov.tw/public/attachment/1102710165577.pdf

Article 1
The Enforcement Rules are enacted in accordance with Article 55 of the Personal Data Protection Act (hereinafter referred to as "the Act").

Article 2
Individual referred to in the Act means a currently living natural person.

Article 3
Identifying personal information in an indirect manner referred to under Subparagraph 1, Article 2 means that the identification of a specific person cannot be made by the information alone and must be done in comparison, combination, or connection with other information, except if the consultation is difficult or if the cost or the time required for specificity is excessive.

Article 4
Personal information in medical records referred to under Subparagraph 1, Article 2 of the Act means the following information:
1. Medical records prepared by a doctor during the performance of duty in accordance with the Physicians Act.
2. Various inspection and examination reports and information.
3. Records prepared pursuant to the performance of duties by various types of medical staff.
(provided by the Department of Health)

Personal medical information referred to under Subparagraph 1, Article 2 of the Act means all or part of the personal information produced pursuant to visitation, diagnosis and treatment, other than the above medical records, for the purpose of treating, correcting or preventing human illness, injury or handicap, or any prescription, drug use, method use or disposition for the purpose of treatment based on the results of visitation or diagnosis. (provided by the Department of Health)

Genomic personal information referred to under Subparagraph 1, Article 2 of the Act means a section of genetic unit information composed of DNA and with specific biological control functions. (provided by the Department of Health)

Sex life personal information referred to under Subparagraph 1, Article 2 of the Act means personal information about sexual orientation or sexual habits.

Personal information of health examination referred to under Subparagraph 1, Article 2 of the Act means generally all or part of medical visits for persons with no obvious symptoms of an illness and for purposes other than diagnosis or treatment for a specific illness. (provided by the Department of Health)

Personal information of criminal records referred to under Subparagraph 1, Article 2 of the Act means records of deferred prosecution, non-prosecution under the authorities or a confirmed crime through a court judgment.

Article 5
Personal information files referred to in Subparagraph 2, Article 2 of the Act include back-up files and tracking records.

Article 6
Deletion referred to under Subparagraph 4, Article 2 of the Act means deleting stored personal information from personal information files.

With regard to the previous Paragraph, if the tracking records are necessary for subsequent verification, comparison or proof, the files do not need to be deleted.

Internal transmission referred to under Subparagraph 4, Article 2 of the Act means information transmission within a government agency or non-government agency itself.

Article 7
Any juridical person, organization or natural person engaged by another person to collect, process or use information shall perform in accordance with the provisions applicable to the engaging principal.

In situations under the previous Paragraph, the parties shall exercise the rights under the Act against the engaging principal.

Article 8
If a principal engages another person to collect, process or use all or part of personal information, the principal shall exercise appropriate supervision over the agent.

The supervision under the previous Paragraph shall include at least the following:
1. Expected scope of collection, process or use of personal information, type, specific purpose and period.
2. Required measures to be undertaken by the agent in accordance with Paragraph 2, Article 9.
3. If there is a sub-agent, the agreed sub-agent.
4. The matters to be notified to the principal and remedy measures to be undertaken in case of violation of personal information protection legislation or provision of engagement contract by the agent or its employee.
5. Matters for which the principal gave reservation instructions to the agent.
6. The return of media in which personal information is stored and the deletion of stored personal information held by the agent, upon termination or cancellation of the engagement relationship.

With regard to the supervision under Paragraph 1, the principal shall regularly confirm the performance status of the agent and document the confirmation results.

The agent shall only collect, process or use personal information within the scope of the principal's instructions. If the agent deems that the principal's instructions violate the Act or any order published in accordance with the Act, it shall immediately notify the principal.

Article 9
Appropriate safety maintenance measures, safety maintenance matters or appropriate safety measures referred to in the Act mean technical or organizational required measures undertaken by a government agency or non-government agency for the purpose of preventing theft, alteration, destruction, loss, or disclosure of personal information.

The required measures in the previous Paragraph shall include the following:
1. Establishment of management organizations, with proper resources allocated.
2. Definition of the scope of personal information.

3. Risk assessment and management mechanism of personal information.
4. Incident prevention, reporting and response mechanism.
5. Internal management procedures for collection, processing and use of personal information.
6. Information security management and staff management.
7. Promotion and training of awareness.
8. Equipment security management.
9. Information security audit mechanism.
10. Safekeeping of required use records, tracking records and evidence.
11. Overall continuous improvement of safe maintenance of personal information.

With regard to the required measures under Paragraph 1, the expenses required shall be commensurate with the purpose of personal information protection.

Article 10
The party's voluntary disclosure referred to in the Act means the party voluntarily makes a disclosure to an unidentified person or multiple identified persons.

Personal information that has been legally publicized referred to in the Act means personal information that has been rendered public through public display, public announcement, or other legal manners in accordance with laws.

Article 11
With regard to the manners for expression of intent in writing referred to in Article 7 of the Act, if the contents of the information can be fully presented in its integrity and remains accessible for subsequent reference, with the consent of the collector and the party, it may be done by electronic records.

Article 12
If the independent expression of intent in writing pursuant to Paragraph 2, Article 7 of the Act is done in the same document as other expressions of intent, it shall be indicated in a suitable location for the party's awareness and subsequent confirmation and consent.

Article 13
Notices provided under Articles 8, 9 and 54 of the Act shall be done in writing, by telephone, fax, electronic records or in other appropriate manners.

Article 14
Processed information or disclosing method being deidentification of a specific party referred to under Subparagraph 4 of Paragraph 2 of Article 9, Subparagraph 5 of the proviso of Article 16, Subparagraph 4 of Paragraph 1 of Article 19 and Subparagraph 5 of the proviso of Article 20 means the personal information is coded, anonymous or processed in another disclosure manner to be deidentification of specific individuals, or to make the identification possible only with excessive expense or time.

Article 15
When a party requests a correction or to supplement personal information with a government agency or non-government agency in accordance with Paragraph 1, Article 11 of the Act, a proper interpretation shall be provided.

Article 16
Cease of specific purpose referred to under Paragraph 3, Article 11 of the Act means any of the following:
1. A government agency has been dissolved or reorganized and no longer has any division that handles the process.
2. A non-government agency ceases business, is dissolved or has a change of business scope that is inconsistent with the original purpose of collection.
3. The specific purpose has been achieved and there is no need to continue the use.
4. Other reasons proving that the specific purpose cannot be achieved or no longer exists.

Article 17
Any of the following shall be deemed required for performing the duty or business under the proviso of Paragraph 3, Article 11 of the Act:
1. A retention period is provided by laws or contracts.
2. There is reason to deem that the deletion will infringe upon the party's interest that should be protected.
3. Deletion is not possible due to special storage manner or deletion is only possible at excessive cost.
4. Other justification that deletion should not be performed.

Article 18
Notice in an appropriate manner referred to in Article 12 of the Act means notice in time in writing, by telephone, fax, electronic records or other manner allowing the party to know or making it possible for the party to know. However, if the cost is excessive, the Internet, news media or other manner allowing public knowledge may be used in consideration of the technical feasibility and protection of the party's privacy.

Notice to a party in accordance with Article 12 of the Act shall include the fact that the personal information has been infringed upon and the corresponding measures that have been undertaken.

Article 19
When a government agency publicizes in accordance with Article 17 of the Act, it shall be done so within 1 month from the establishment of a personal information file. The same shall be applicable in case of alteration. The publication manner shall be specific and shall prevent unauthorized alteration.

Other proper manners referred to under Article 17 of the Act mean newspaper, magazine, government gazette, electronic newsletter or other manner available for public viewing.

Article 20
When a government agency maintains a personal information file, rules for personal information security maintenance shall be established. The provisions of these rules shall include matters provided under Paragraph 2, Article 9.

Article 21
Dedicated person referred to under Article 18 of the Act means personnel with a professional capability of management and maintenance of personal information files who can perform regular safety and maintenance work for files and information of the authority.

To ensure that the dedicated person possesses the capability to perform safety and maintenance matters, the government agency shall perform or procure relevant professional training for the dedicated person.

Article 22
Contract or relationship similar to contract referred to under Subparagraph 2, Paragraph 1, Article 19 of the Act is not limited to those established after the implementation of the revision of the Act.

Article 23
Relationship similar to contract referred to under Subparagraph 2, Paragraph 1, Article 19 of the Act means any of the following:
1. Any act of contact or negotiation between the non-government agency and the party before entering into the contract for the purpose of preparing or negotiating the establishment of the contract or for the purpose of engaging in the transaction.
2. When the contract is invalid, rescinded, cancelled, terminated or ended following performance, the act of contact between the non-government agency and the party for the purpose of exercising the right, performing the obligation, or confirmation of the integrity of personal information.

Article 24
In performing inspection in accordance with Article 22 of the Act, the inspection authority shall pay attention to confidentiality and reputation of the inspected party.

Article 25
In seizing or reproducing personal information or any file thereof that may be forfeited or that may serve as evidence in accordance with Paragraph 2, Article 22 of the Act, the central competent authority for the specific business or municipality or county (city) government shall provide receipt, specifying the name, quantity, owner, location and time.

After performing inspection in accordance with Article 22 of the Act, the central competent authority for the specific business or the municipality or county (city) government shall make records.

If the record under the previous Paragraph is prepared on site, it shall be reviewed and signed by the inspected party and a copy shall be delivered to the inspected party. If the inspected party refuses to sign, the reason shall be specified. If the record is prepared afterwards, it shall be delivered to the inspected party and the inspected party shall be informed that it may express its opinion within a certain deadline.

Article 26
Public interest organization referred to under Article 52 of the Act means any public interest organization, juridical person and administrative entity established in accordance with the Civil Code or other laws, with the professional capability for personal information protection.

Article 27
After the implementation of the amendment, personal information provided by the party that has already been collected or processed before the implementation of the amendment may continue to be processed and used within the specific purpose in accordance with provisions of the Act in relation to personal information protection. Any use outside the specific purpose shall be in accordance with the provisions after implementation of the amendment.

Article 28
The Enforcement Rules shall be implemented from its date of promulgation.

The implementation date for the revised provisions of these Enforcement Rules shall be determined by order of the Executive Yuan.