Personal Information Protection

Policy and Commitments

  1. In order to implement the security maintenance and management of personal data files, in addition to the website announcements "Collection, Processing and Utilization of Personal Data Notifications" and "Customer's Personal Data Protection Declaration", the Bank has established the "Personal Information File Security Management Program", "Personal Data Management Regulations" and "EU and UK Personal Data Management Regulations" for the whole bank to comply with.
    1. Collection, Processing and Utilization of Personal Data Notifications
      In addition to announcements on the Bank's official website, the Bank also provides "Collection, Processing and Utilization of Personal Data Notifications" when collecting personal data, clearly notifying the purpose of collection, type of personal data, period, region, subjects and methods of utilization, and protecting the exercise of the data subjects' rights (including reading, copying, supplementing or correcting, stopping collection, deleting, processing and using personal data, etc.).
    2. Customer's Personal Data Protection Declaration
      The Bank is responsible for properly explaining the nature of the collection, the use of the collection, the exercise of the customer's rights (reviewing, copying, correcting, Opt-in, Opt-out, deleting), the retention period, third-party disclosure (non-official or official authorities) and how to protect personal data.
    3. Chang Hwa Commercial Bank Personal Information File Security Management Program
      The personal data collected, processed and utilized by the Bank in accordance with the provisions of Article 3 of the Measures for the Security Maintenance of Personal Data Files of Non-Governmental Institutions designated by the Financial Supervisory Commission shall apply to the personal data collected, processed and utilized by the Bank in various business processes. Among them, it is also stipulated that when entrusting others (including but not limited to suppliers) to collect, process or use personal data, the trustee shall be appropriately supervised in accordance with Article 8 of the "Enforcement Rules of the Personal Data Protection Act", and the content of it shall be clearly agreed in the entrustment contract or related documents.
    4. Chang Hwa Bank Personal Data Management Regulations
      In order to ensure that the execution of the Bank's various business activities complies with the requirements of the Personal Data Protection Act and relevant laws and regulations, the Bank authorizes the formulation of the Bank's personal data management standards in accordance with Article 15 of the Personal Information File Security Management Program, specifying the Bank's personal data management objectives, personal data security management measures, personal data file inventory and risk assessment operations, personal data security audits and self-assessments, etc.
    5. Chang Hwa Bank EU and UK Personal Data Management Regulations
      In order to comply with the EU's "General Data Protection Regulation" (GDPR) and the UK's "Data Protection Act 2018" (DPA 2018), the Bank authorized the establishment of "EU and UK Personal Data Management Regulations" in accordance with Article 15 of the Personal Information File Security Management Program, specifying the protection object and scope of application, setting up a Data Protection Officer, EU and UK personal data processing regulations, impact assessment and personal data inventory, etc. 
  2. For the management of personal information disclosed by the supplier, the Bank's "Guidelines on Internal Operations Entrusted to Others" stipulates that third-party suppliers should keep customer data confidential and take security measures to ensure that personal information is not leaked.
  3. No personal data security incidents occurred in 2024.
  4. Without prejudice to relevant regulations and agreements with customers, in 2024, the Bank reused customer data from approximately 6,852 customers (0.10%) for purposes such as marketing or improving the quality of product services.

Personal Information Management System

  1. Management Framework
    1. Implementation Procedure of the Bank's Personal Information Protection
      In order to establish the personal data management system of the Bank, according to the scale and characteristics of the business, the Head of each Division of the Head Office shall serve as the personal data protection management personnel and form a personal data protection management group (hereinafter referred to as the personal data management group). The EVP and Chief Compliance Officer shall act as the convener, be responsible for supervising the operation of the personal data management group and the overall management of the required resources, and review the operation of the Bank's personal data management system and the relevant handling conditions to ensure that the execution of each business complies with relevant laws and regulations such as those on personal data protection.
    2. Each unit of the Bank has set up four personal data execution windows to handle personal data-related matters (including accepting requests for the exercise of the rights of the parties, reporting personal data security incidents, etc.), and through continuous education and regular training ensures that the purpose of effective management of personal data is achieved.
  2. Management Methods
    Through the three-line defense mechanism of risk management, the Bank implements the security maintenance management of personal data and integrates it into the Bank's compliance with laws and regulations and risk management system.
    1. Use secure hardware and software equipment, data processing systems and mechanisms to store and safeguard customer personal data, implement strict protective measures to prevent unauthorized personnel access, and in accordance with relevant government laws and information management principles, establish firewalls to prevent illegal intrusion and malicious program damage, so as to prevent illegal acquisition or alteration of personal data.
    2. Each unit regularly inventories and reviews personal data collected, processed and utilized by all businesses across the Bank, and updates the file inventory to ensure a firm grasp of the personal data involved and its management processes. Each unit implements relevant internal control procedures for operational activities involving personal data, conducts self-inspection of personal data protection items, reviews control conditions and promptly takes corrective and improvement measures.
    3. The Bank's Risk Management Division coordinates risk assessment operations and compiles risk assessment results and risk improvement plans in accordance with the "Operational Risk Control and Self-Assessment System Implementation Rules." For the personal data scope and businesses defined by the Bank, which involve the process of collecting, processing and using personal data, the Bank evaluates the personal data protection risks that may arise and formulates appropriate and effective control plans based on the results of the risk assessment.
  3. Incident Reporting and Addressing
    1. In the event of personal data theft, leakage, tampering, damage, loss, or other security incidents that infringe upon the rights and interests of the parties concerned, the personal data execution window of the unit where the incident occurred shall immediately determine the incident level, cause, and scope of impact, notify the relevant management unit with the "Personal Data Security Incident Notification Form", discuss emergency contingency measures, continuously track the subsequent development and handling of the incident, and conduct post-event reviews, improvement plans, and deliberations on corrective and preventive measures. Finally, the matter shall be submitted to the Personal Data Protection Management Group.
    2. In the event of a major personal data security incident that endangers normal operations or the rights and interests of a large number of parties, the Bank's Compliance Division shall notify the Financial Supervisory Commission within 72 hours according to the regulations. Additionally, impartial and independently certified experts were engaged to conduct comprehensive assessments and reviews.
    3. Parties will be notified of the incident details and remedial actions, and a consultation hotline will be provided.
    4. The Bank adopts a zero-tolerance attitude towards personal data leakage, and personnel at all levels shall abide by the relevant personal data protection policies and internal control procedures. Those who violate them are referred to the Bank's Personnel Review Committee. If relevant civil compensation, criminal liability, or administrative sanctions are involved, the Bank may terminate their employment or appointment relationship and, depending on the circumstances, pursue their legal liabilities.
  4. Assessment Mechanism
    1. Each management unit of the head office conducts a self-assessment and submits a self-assessment report regularly, to ensure that the execution of the Bank's various businesses complies with relevant laws and regulations such as those on personal data protection, and to prevent the occurrence of security incidents such as theft, alteration, destruction, loss or leakage of personal data. It also plans and implements improvements in relation to possible violations of the Personal Data Protection Act, detailing the improvement programs and the preventive measures taken in the above-mentioned reports.
      ►The self-assessment report on the implementation of personal data protection by each management unit of the Bank in 2024 has been submitted to the Personal Information Management Group for deliberation and was reviewed by the 75th session of the 27th Board of Managing Directors.
    2. The Bank regularly commissions a professional accounting firm to conduct ad-hoc audits of the personal information protection mechanism.
      ►In 2024, the Bank appointed an accountant to conduct an ad-hoc audit of the personal information protection mechanism. The verification result was "No major abnormalities have been found." It has been reported to the Board of Directors for approval and submitted to the competent authority for review.
    3. The Bank adopts BS 10012 Personal Information Management System.
      ►The effectiveness of the BS 10012 personal information management system is continuously verified. In 2024, an external review confirmed that the system meets international standards and evaluated the effectiveness of the management system.
  5. Education and Training
    The Bank held a digital course on the promotion of and guidelines for the personal information management system in 2024, with a total of 6,771 participants. Through case studies of personal information infringements and the promotion of key points of personal information protection, employees were fully informed of the relevant legal requirements so as to comply with the personal information management regulations.