Personal Data Management Policy

    Article 1 Objective

    This policy is established in compliance with the Personal Data Protection Act, to ensure the effective management of personal data protection, and to promote the reasonable use of personal data, thereby safeguarding the rights of data subjects.


    Article 2 Management Objectives

    The management objectives of this policy are as follows:

    1. To comply with all relevant laws and regulations on personal data protection, directives from regulatory authorities, customer contracts, and other related requirements.

    2. To safeguard the legal rights and interests of personal data subjects.


    Article 3 Scope and Applicability

    This policy applies to all employees (including contract staff, interns, and part-time personnel) of Cathay FHC and suppliers or third-party partners entrusted by Cathay FHC to collect, process, or utilize personal data (including their employees, users, or agents).

    Subsidiaries should follow this policy and establish their own personal data protection management structures and systems by taking into account the scale and nature of their business.


    Article 4 Terms and Definitions
    1. Personal Data: Data defined as personal information under the Personal Data Protection Act, its enforcement rules, and related industry regulations.
    2. Collection: The acquisition of personal data by any means.
    3. Processing: Recording, inputting, storing, editing, correcting, duplicating, retrieving, deleting, exporting, linking, or internally transmitting data for the creation or use of personal data files.
    4. Utilization: Using collected personal data for purposes other than processing.
    5. International Transmission: Cross-border processing or utilization of personal data.
    6. Personal Data Management System: The framework and system established to operate, supervise, audit, maintain, and improve the management of personal data protection.
    7. Subsidiaries: Cathay Life, CUB, Cathay Century, Cathay Securities, Cathay SITE, Cathay Venture, and other subsidiaries.


    Article 5 Organization and Operations
    1. Cathay FHC's Personal Information Management Committee is responsible for supervising and reviewing personal data management mechanisms to ensure compliance with legal requirements and effective operation and implementation. The organization and responsibilities of the committee are managed in accordance with the "Responsibilities and Organizational Regulations of the Cathay Personal Information Management Committee."
    2. The Risk Management Division is responsible for promoting, developing, and assisting business units in establishing personal data management mechanisms and regularly reviewing Cathay FHC’s personal data management operations.
    3. Each unit must collect, process, utilize, and retain personal data in compliance with the Personal Data Protection Act and internal control procedures.
    4. Personal data protection issues should be integrated into Cathay FHC’s risk management system and compliance operations.


    Article 6 Principles for Collection, Processing, and Utilization of Personal Data
    1. Identify and inventory personal data processed, assess potential risks related to the collection, processing, and utilization of personal data, and establish appropriate control mechanisms based on risk assessments.
    2. Collect, process, and utilize the minimum necessary personal data fairly and lawfully for legitimate and specific purposes, and update data as necessary to maintain accuracy and integrity, ensuring data security.
    3. Inform data subjects of statutory notification items.
    4. Retain personal data according to legal requirements, contractual agreements, or the necessary duration for business operations, ensuring timely and appropriate disposal through strict access control, record keeping, and timely deletion or cessation of data collection, processing, or utilization.
    5. Respect data subjects' rights to their personal data, including inquiry, access, reproduction, supplementation, correction, cessation of collection, processing or utilization, and deletion.
    6. International transmission of personal data must comply with relevant regulatory requirements and be conducted under conditions of adequate protection.
    7. Ensure the applicability and legality of personal data use under the exceptions allowed by the Personal Data Protection Act.
    8. Establish and implement a personal data protection management system to ensure data protection.
    9. Clearly define employee responsibilities and obligations within the personal data protection management system.
    10. Maintain appropriate records of personal data collection, processing, and utilization.
    11. In case of personal data breaches, promptly report and handle incidents according to Cathay FHC’s personal data protection regulations.
    12. Ensure the confidentiality, security, and integrity of personal data collected from minors by obtaining legal guardian consent as required by law.
    13. Address stakeholder requests related to personal data.
    14. Reference international standards and consider the needs of the group or domestic and foreign branches to establish relevant regulations or control measures.


    Article 7 Personal Data Management System Operational Mechanisms

    Personal data management should be operated according to the following procedures to establish, maintain and improve an effective personal data management system:

    1. Planning and Establishment: Establish the personal data management system based on Cathay FHC’s overall strategy and objectives.

    2. Implementation and Operation: Establish or revise necessary control mechanisms based on assessment results.

    3. Supervision and Audit: Ensure that the policy is implemented, that management measures are authorized by the President, that personal data management is included in the internal control and internal audit items for annual audit, and that an external personal data certification audit is conducted at least annually.

    4. Maintenance and Improvement: Improve and maintain the system operation based on audit results and recommendations.

    Article 8 Advocacy and Training

    Each unit shall conduct personal data protection awareness advocacy and education training at least once a year to ensure employees understand the relevant legal requirements, their responsibilities, and the mechanisms, procedures, and measures for personal data protection.

    Article 9 Reporting Procedure

    The Risk Management Division shall submit an annual personal data management report to the Personal Information Management Committee for review, detailing the operation status of Cathay FHC's personal data management system.


    Article 10 Zero Tolerance Policy

    Cathay FHC/Group strictly prohibits any intentional, malicious, or knowingly condoned violations of this policy by employees. Such violations shall be handled according to the punitive measures outlined in Article 11.


    Article 11 Punitive Measures

    Employees must comply with this policy and internal regulations. Verified violations impacting company interests shall be referred to the Human Resources Division for disciplinary action and legal accountability based on the severity.

    For suppliers or third-party partners whose actions harm Cathay FHC, contractual damage compensation shall be pursued.


    Article 12 Cathay FHC shall periodically review this policy to ensure the effectiveness of the personal data protection management system.


    Article 13 Matters Not Covered

    Matters not covered in this policy shall be handled in accordance with other relevant internal and external regulations.


    Article 14 Establishment and Implementation

    The formulation, amendment, or repeal of this Policy shall be approved by the board of directors. The policy shall come into effect upon the date of adoption.

    Amendments or abolishment shall follow the same procedure.


Release date: 2024/06/28