Personal Data Protection Act Article 6
Enforcement Rules Article 4
Personal data pertaining to a person's "medical records", as referred to under subparagraph 1, paragraph 1 of Article 2 of the PDPA, shall mean the data specified in the subparagraphs of paragraph 2 of Article 67 of the Medical Care Act.
Personal data pertaining to a person's "healthcare data", as referred to under subparagraph 1, paragraph 1 of Article 2 of the PDPA, shall mean medical histories and any other data pertaining to checkups or treatments implemented by physicians or other medical professionals for the purpose of treating, correcting or preventing diseases, harms or disabilities of the human body or for other legitimate medical reasons, or shall mean other data produced from the prescription, medication, operation or disposition based on the findings of the above-mentioned checkups.
Personal data pertaining to a person's "genetic data", as referred to under subparagraph 1, paragraph 1 of Article 2 of the PDPA, shall mean the information on a heredity unit, consisting of one segment of deoxyribonucleic acid (DNA) of the human body, for controlling the specific functions thereof.
Personal data pertaining to a person's "sex life", as referred to under subparagraph 1, paragraph 1 of Article 2 of the PDPA, shall mean the personal data on sexual orientation or sexual habits.
Personal data pertaining to a person's "records of physical examination", as referred to under subparagraph 1, paragraph 1 of Article 2 of the PDPA, shall mean the data produced by medical examinations conducted not for the purpose of diagnosing or treating a specific disease.
Personal data pertaining to a person's "criminal records", as referred to under subparagraph 1, paragraph 1 of Article 2 of the PDPA, shall mean the records of deferred prosecutions, ex officio non-indictments, or a final guilty verdict rendered by a court and its enforcement.
Enforcement Rules Article 9
"Law", as referred to under subparagraph 1 of the proviso to paragraph 1 of Article 6, subparagraph 1, paragraph 2 of Article 8, subparagraph 1 of the proviso to paragraph 1 of Article 16, subparagraph 1, paragraph 1 of Article 19, and subparagraph 1 of the proviso to paragraph 1 of Article 20 of the PDPA, shall mean laws, or those regulations specifically and expressly authorized by laws.
Enforcement Rules Article 10
"Statutory duties", as referred to under subparagraphs 2 and 5 of the proviso to paragraph 1 of Article 6, subparagraphs 2 and 3, paragraph 2 of Article 8, subparagraph 2 of the proviso to paragraph 1 of Article 10, subparagraph 1, paragraph 1 of Article 15, and Article 16 of the PDPA, shall mean the official authority of government agencies prescribed in the following legal instruments:
1. laws, or those regulations authorized by laws;
2. self-governance ordinances;
3. those self-governance regulations authorized by laws or self-governance ordinances; or
4. those regulations authorized by laws or central government regulations to govern the commissioning matters.
Enforcement Rules Article 11
"Statutory obligations", as referred to under subparagraphs 2 and 5 of the proviso to paragraph 1 of Article 6, and subparagraph 2, paragraph 2 of Article 8 of the PDPA, shall mean the obligations of non-government agencies prescribed by laws or those regulations specifically and expressly authorized by laws.
Enforcement Rules Article 12
"Proper security and maintenance measures", as referred to under subparagraphs 2 and 5 of the proviso to paragraph 1 of Article 6, "security and maintenance measures", as referred to under Article 18, and "proper security measures", as referred to under subparagraph 2, paragraph 1 of Article 19 and paragraph 1 of Article 27 of the PDPA, shall mean the technical or organizational measures taken by a government agency or non-government agency for the purpose of preventing personal data from being stolen, altered, damaged, destroyed or disclosed.
The measures prescribed in the preceding paragraph may include the following and shall be proportionate to the intended purposes of personal data protection:
1. allocating management personnel and reasonable resources;
2. defining the scope of personal data;
3. establishing a mechanism of risk assessment and management of personal data;
4. establishing a mechanism of preventing, giving notice of, and responding to a data breach;
5. establishing an internal control procedure for the collection, processing, and use of personal data;
6. managing data security and personnel;
7. promoting awareness, education and training;
8. managing facility security;
9. establishing an audit mechanism of data security;
10. keeping records, log files and relevant evidence; and
11. implementing integrated and persistent improvements on the security and maintenance of personal data.
Enforcement Rules Article 13
Personal data "manifestly made public by the data subject", as referred to under subparagraph 3 of the proviso to paragraph 1 of Article 6, subparagraph 2, paragraph 2 of Article 9, and subparagraph 3, paragraph 1 of Article 19 of the PDPA, shall mean the personal data voluntarily disclosed by the data subject to non-specific persons or a large number of specific persons.
Personal data "publicized legally", as referred to under subparagraph 3 of the proviso to paragraph 1 of Article 6, subparagraph 2, paragraph 2 of Article 9, and subparagraph 3, paragraph 1 of Article 19 of the PDPA, shall mean personal data that has been published, publicly announced or disclosed to the public through other lawful means in accordance with laws or those regulations specifically and expressly authorized by laws.
Enforcement Rules Article 14
In accordance with the Electronic Signatures Act, a data subject's "consent in writing", as referred to under subparagraph 6 of the proviso to paragraph 1 of Article 6, and paragraphs 2 and 3 of the proviso to Article 11 of the PDPA, may be given in an electronic form.
Enforcement Rules Article 17
"May not lead to the identification of a specific data subject", as referred to under subparagraph 4 of the proviso to paragraph 1 of Article 6, subparagraph 4, paragraph 2 of Article 9, subparagraph 5 of the proviso to paragraph 1 of Article 16, subparagraph 4, paragraph 1 of Article 19, and subparagraph 5 of the proviso to paragraph 1 of Article 20 of the PDPA, shall mean personal data in which identifiers have been replaced with codes, the data subject's name has been deleted, parts have been concealed, or which has been processed by other means, to the extent that the data subject can no longer be directly identified.