Regulations Governing the Security and Maintenance of Personal Data Files in the Postal Industry

2025-07-07
Article 1
These Regulations are enacted in accordance with Paragraph 3, Article 27 of the Personal Data Protection Act (hereinafter referred to as “the Act”).
Article 2
Postal service providers shall establish a Personal Data File Security and Maintenance Plan (hereinafter referred to as “the Plan”) to ensure the proper protection and management of personal data files, and to prevent theft, alteration, damage, destruction, or disclosure of personal data.
The Plan shall include the organizational structure, procedures, and methods for processing personal data after business termination as prescribed in Articles 3 through 23. The Plan shall be regularly reviewed and revised in accordance with applicable laws and regulations.
Article 3
Postal service providers shall designate dedicated personnel or establish a specialized unit for the security and maintenance of personal data files, and allocate adequate resources accordingly.
The responsibilities of the designated personnel or unit shall include:
I. Planning, formulating, revising, and implementing matters related to the Plan.
II. Establishing a personal data protection policy, clearly stating the legal basis, specific purposes, and other relevant protection measures for the collection, processing, and use of personal data, and ensuring that all personnel are fully informed.
Article 4
Postal service providers shall comply with all applicable personal data protection laws and regulations, define the specific purposes, categories, and necessary scope for the collection, processing, and use of personal data, and regularly audit the status of retained personal data.
If any personal data is found to fall outside the necessary scope of the defined purpose, or if the purpose no longer exists or the retention period has expired and retention is no longer necessary, the personal data shall be erased or the processing and use shall be discontinued in accordance with Paragraph 3, Article 11 of the Act.
Article 5
Based on the scope of personal data defined in the preceding article and the processes for its collection, processing, and use, postal service providers shall analyze potential risks and develop appropriate control measures based on the results of such risk analysis.
Article 6
To address security incidents involving the theft, alteration, damage, loss, or leakage of personal data, postal service providers shall establish the following response, notification, and prevention mechanisms:
I. Implementing appropriate response measures to mitigate harm to affected data subjects, and notifying the Ministry of Transportation and Communications (MOTC) and relevant authorities.
II. Investigating the incident and notifying the affected data subjects with due procedure. The notice shall include facts regarding the data breach, the measures taken in response, and contact information for consultation services.
III. Developing preventive mechanisms to avoid recurrence of similar incidents.
For material and high-profile personal data security incidents, including cases under the attention of the Executive Yuan, Legislative Yuan, or Control Yuan, or those widely reported by the media, the MOTC and relevant authorities shall be notified within 24 hours of the incident. For general personal data security incidents not meeting the above criteria, notification shall be made within 72 hours.
Article 7
Postal service providers shall regularly provide personnel with foundational awareness training or professional education on personal data protection. This training shall ensure that employees understand applicable laws and regulations, their respective responsibilities, and the mechanisms, procedures, and measures for safeguarding personal data.
Article 8
Postal service providers shall establish separate management procedures for general personal data and the special categories of personal data defined under Article 6 of the Act.
When collecting, processing, and using special categories of personal data, postal service providers shall review the specific purpose and whether the processing meets the legal requirements. If such data is processed based on the written consent of the data subject, the provider shall ensure compliance with the provisions of Paragraph 2, Article 6 of the Act, as well as Paragraphs 1, 2, and 4 of Article 7 as referenced therein.
If general personal data requires special management, corresponding procedures may be established in reference to those applicable to special categories of personal data.
Article 9
Postal service providers shall fulfill their obligation to inform, as stipulated under Articles 8 and 9 of the Act, through the following measures:
I. Reviewing whether the specific purpose for the collection and processing of personal data qualifies for exemption from the obligation to inform.
II. Adopting an appropriate method of informing based on the circumstances of data collection.
Article 10
Postal service providers shall review whether the collection and processing of personal data meet the specific purposes and legal requirements set forth in Article 19 of the Act.
They shall also review whether the use of personal data complies with Paragraph 1, Article 20 of the Act; i.e., use within the scope of the specified purpose. If personal data is to be used beyond the specified purpose, the provider shall verify whether it meets the legal requirements for such use.
Article 11
When a postal service provider commissions another party to collect, process, or use personal data in whole or in part, it shall supervise the commissioned party in accordance with Article 8 of the Enforcement Rules of the Personal Data Protection Act and clearly stipulate the relevant supervisory measures. These requirements shall be explicitly stated in the contract or related documents.
Article 12
When using personal data for marketing purposes for the first time, postal service providers shall offer the data subject a free and convenient method to opt out of marketing. If the data subject opts out, the provider shall immediately cease using their personal data for marketing purposes and shall inform all relevant personnel accordingly.
Article 13
Before any cross-border transfer of personal data, postal service providers shall, in accordance with Article 21 of the Act, verify whether any restrictions, orders, or dispositions apply to such cross-border transfers and ensure compliance therewith.
Article 14
Postal service providers shall enable data subjects to exercise their rights as prescribed in Article 3 of the Act by:
I. Verifying the identity of the personal data subject or the validity of their authorization.
II. Providing appropriate channels for the data subject to exercise their rights and complying with the processing deadlines stipulated in Article 13 of the Act.
III. Informing the data subject whether any necessary administrative costs will be charged.
IV. If any reason for denying the request exists under Articles 10 or 11 of the Act, such denial shall be communicated to the data subject with justification.
Article 15
To maintain the accuracy of retained personal data, postal service providers shall take the following measures:
I. Verifying the accuracy of personal data during the collection, processing, or use stages.
II. When inaccuracies are discovered, promptly correcting or supplementing the personal data and notifying any parties to whom the data was previously disclosed.
III. In the event of a dispute regarding the accuracy of personal data, it shall be processed in accordance with Paragraphs 1, 2, and 5 of Article 11 of the Act.
Article 16
Postal service providers shall adopt the following data security management measures:
I. Establishing usage guidelines for various types of equipment or storage media, and taking appropriate measures to prevent data from being disclosed when such equipment or media is decommissioned or repurposed.
II. Where necessary, adopting appropriate encryption mechanisms during the collection, processing, or use of personal data to ensure its protection.
III. When it is necessary to back up personal data during operations, the backup shall be protected in the same manner as the original in accordance with the provisions of the Act.
IV. When personal data is stored on physical media such as paper, magnetic disks, tapes, optical discs, microfilm, or integrated circuit chips, appropriate protective measures shall be taken upon decommissioning or repurposing to prevent data from being disclosed from such media.
Article 17
For the physical media containing personal data as described in Subparagraph 4 of the preceding article, postal service providers shall implement the following environmental management measures:
I. Implementing appropriate access control measures based on the nature of operational activities.
II. Proper safeguarding of storage media containing personal data by the personnel concerned.
III. Considering the installation of suitable protective equipment or technologies, based on the environmental conditions in which the different media are stored.
Article 18
Postal service providers shall adopt the following personnel management measures:
I. Setting appropriate levels of access and controlling the extent to which personnel may access personal data, based on the needs of their respective job responsibilities.
II. Reviewing the personnel responsible for the collection, processing, and use of personal data within each relevant business process.
III. Establishing confidentiality obligations with the personnel concerned through formal agreements.
Article 19
When postal service providers use information and communication systems to collect, process, or use personal data, they shall implement the following data security management measures to protect the security of the retained personal data:
I. User identity authentication and protection mechanisms.
II. Masking mechanisms for the display of personal data.
III. Secure encryption mechanisms for internet data transmission.
IV. Access control and protective monitoring mechanisms for personal data files and databases.
V. Measures to prevent external network intrusions.
VI. Monitoring and response mechanisms for unauthorized or abnormal system access.
Article 20
Upon business termination, postal service providers shall process personal data using the following methods and retain relevant records:
I. Destruction: The method, time, location of destruction, and the method used to verify destruction.
II. Transfer: The reason for transfer, recipient, method, time, location, and the legal basis for the recipient to retain the personal data.
III. Other erasure or cessation of processing or use of personal data: The method, time, or location of erasure or cessation of processing or use.
The trace data, supporting evidence, and relevant records for the preceding actions shall be retained for at least five years. This requirement does not apply where otherwise stipulated by law.
Article 21
Postal service providers shall establish a personal data security audit mechanism to regularly and irregularly inspect whether the Plan is being properly implemented.
If the audit results indicate any potential legal non-compliance, the postal service provider shall promptly plan and implement corrective and preventive measures.
Article 22
Postal service providers shall take appropriate measures to retain usage logs of personal data, trace data from automated equipment, or other relevant evidence to demonstrate implementation of the Plan when necessary.
Article 23
To continuously improve the security and maintenance of personal data, postal service providers shall review the Plan in response to relevant factors, including but not limited to operational practices, public opinion, technological developments, and legal changes, and revise it as necessary.
Article 24
These Regulations shall take effect on the date of promulgation.