Personal Data Protection Act Article 19
Content
Enforcement Rules Article 9
"Law", as referred to under subparagraph 1 of the proviso to paragraph 1 of Article 6, subparagraph 1, paragraph 2 of Article 8, subparagraph 1 of the proviso to paragraph 1 of Article 16, subparagraph 1, paragraph 1 of Article 19, and subparagraph 1 of the proviso to paragraph 1 of Article 20 of the PDPA, shall mean laws, or those regulations specifically and expressly authorized by laws.
Enforcement Rules Article 12
"Proper security and maintenance measures", as referred to under subparagraphs 2 and 5 of the proviso to paragraph 1 of Article 6, "security and maintenance measures", as referred to under Article 18, and "proper security measures", as referred to under subparagraph 2, paragraph 1 of Article 19 and paragraph 1 of Article 27 of the PDPA, shall mean the technical or organizational measures taken by a government agency or non-government agency for the purpose of preventing personal data from being stolen, altered, damaged, destroyed or disclosed.
The measures prescribed in the preceding paragraph may include the following and shall be proportionate to the intended purposes of personal data protection:
1. allocating management personnel and reasonable resources;
2. defining the scope of personal data;
3. establishing a mechanism of risk assessment and management of personal data;
4. establishing a mechanism of preventing, giving notice of, and responding to a data breach;
5. establishing an internal control procedure for the collection, processing, and use of personal data;
6. managing data security and personnel;
7. promoting awareness, education and training;
8. managing facility security;
9. establishing an audit mechanism of data security;
10. keeping records, log files and relevant evidence; and
11. implementing integrated and persistent improvements on the security and maintenance of personal data.
Enforcement Rules Article 13
Personal data "manifestly made public by the data subject", as referred to under subparagraph 3 of the proviso to paragraph 1 of Article 6, subparagraph 2, paragraph 2 of Article 9, and subparagraph 3, paragraph 1 of Article 19 of the PDPA, shall mean the personal data voluntarily disclosed by the data subject to non-specific persons or a large number of specific persons.
Personal data "publicized legally", as referred to under subparagraph 3 of the proviso to paragraph 1 of Article 6, subparagraph 2, paragraph 2 of Article 9, and subparagraph 3, paragraph 1 of Article 19 of the PDPA, shall mean personal data that has been published, publicly announced or disclosed to the public through other lawful means in accordance with laws or those regulations specifically and expressly authorized by laws.
Enforcement Rules Article 17
"May not lead to the identification of a specific data subject", as referred to under subparagraph 4 of the proviso to paragraph 1 of Article 6, subparagraph 4, paragraph 2 of Article 9, subparagraph 5 of the proviso to paragraph 1 of Article 16, subparagraph 4, paragraph 1 of Article 19, and subparagraph 5 of the proviso to paragraph 1 of Article 20 of the PDPA, shall mean the personal data replaced with codes, deleted data subject’s name, partially concealed, or processed via other means to the extent that the data subject may not be directly identified.
Enforcement Rules Article 26
A "contractual or quasi-contractual relationship", as referred to under subparagraph 2, paragraph 1 of Article 19 of the PDPA, is not limited to the relationship formed after the amendment to the PDPA has taken effect.
Enforcement Rules Article 27
A "contractual relationship", as referred to under subparagraph 2, paragraph 1 of Article 19 of the PDPA, shall include the contractual relationship between a non-government agency and a data subject, and also the relationship where a non-government agency and a data subject are either contacting, negotiating or communicating with, receiving delivery from or making delivery to a necessary third party for the purpose of performing the contract between the non-government agency and the data subject.
A "quasi-contractual relationship", as referred to under subparagraph 2, paragraph 1 of Article 19 of the PDPA, shall mean any of the following:
1. any relationships involving the contact and negotiation between a non-government agency and a data subject before the execution of a contract for the purpose of preparing for or negotiating the terms of such contract or transaction; or
2. any relationships involving the communication between a non-government agency and a data subject upon the extinguishment of a contract due to the invalidation, rescission, cancellation or termination thereof or upon the complete performance of a contract, for the purpose of exercising their rights, performing their obligations, or ensuring the integrity of the personal data.
Enforcement Rules Article 28
"Publicly available sources", as referred to under subparagraph 7, paragraph 1 of Article 19 of the PDPA, shall mean mass media, the Internet, news, magazines, government gazettes and other channels through which the general public may become aware of or come in contact with and then subsequently obtain personal data.