
Personal Information Protection

Policy Commitments

In order to implement the security maintenance and management of personal data files, in addition to the website announcement “Customer’s Personal Data Protection Declaration”, the Bank has established the “Personal Information File Security Management Program”, the “Personal Data Management Regulations” and the “EU and UK Personal Data Management Regulations” for the whole bank to comply with. The Bank regularly conducts self-assessment operations to review the current status of personal data protection implementation, to ensure that the execution of the Bank’s various businesses complies with relevant laws and regulations such as personal data protection, and to prevent security incidents such as theft, alteration, destruction, loss or leakage of personal data, so as to protect the rights of the parties concerned. For the management of personal information disclosed to suppliers, the Bank’s “Guidelines on Internal Operations Entrusted to Others” also stipulate that third-party suppliers shall keep customer data confidential and take security measures to ensure that personal information is not leaked.

  1. Customer’s Personal Data Protection Declaration
    In addition to providing the "Collection, Processing and Utilization of Personal Data Notifications" at the time of collection, and in order to make customers understand that the Bank protects the security of personal data in accordance with the Personal Data Protection Act and related laws and regulations, the Bank is responsible for properly explaining the nature and purpose of the collection, the exercise of the customer’s rights (reviewing, copying, correcting, opt-in, opt-out, deleting), the retention period, third-party disclosure (to non-official or official authorities) and how personal data is protected.
  2. Chang Hwa Commercial Bank Personal Information File Security Management Program
    Pursuant to Article 3 of the Measures for the Security Maintenance of Personal Data Files of Non-Governmental Institutions designated by the Financial Supervisory Commission, the Program applies to the personal data collected, processed and utilized by the Bank in its various business processes. It also stipulates that when entrusting others (including but not limited to suppliers) to collect, process or use personal data, the trustee shall be appropriately supervised in accordance with Article 8 of the “Enforcement Rules of the Personal Data Protection Act”, and the content of that supervision shall be clearly agreed in the entrustment contract or related documents.
  3. Chang Hwa Bank Personal Data Management Regulations
    In order to ensure that the execution of the Bank’s various business activities complies with the requirements of the Personal Data Protection Act and relevant laws and regulations, the Bank authorized the formulation of the Bank’s personal data management standards in accordance with Article 15 of the Personal Information File Security Maintenance Program, specifying the Bank’s personal data management objectives, personal data security management measures, personal data file inventory and risk assessment operations, personal data security audits and self-assessments, etc.
  4. Chang Hwa Bank EU and UK Personal Data Management Regulations
    In order to comply with the EU’s “General Data Protection Regulation” (GDPR) and the UK’s “Data Protection Act 2018” (DPA 2018), the Bank authorized the establishment of "EU and UK Personal Data Management Regulations", specifying the protection object and scope of application, setting up a Data Protection Officer, EU and UK personal data processing regulations, impact assessment and personal data inventory, etc.

Personal Information Management System

Implementation Procedure of the Bank's Personal Information Protection:

  1. Management Framework
    1. The Bank effectively manages its personal information through its personal information file security maintenance and management system. In order to establish the Bank’s personal data management system, and according to the scale and characteristics of the business, the Head of each Division of the Head Office serves as personal data protection management personnel and together they form a personal data protection management group (hereinafter referred to as the personal data management group). The EVP and Chief Compliance Officer acts as the convener, is responsible for supervising the operation of the personal data management group and the overall management of the required resources, and reviews the operation of the Bank’s personal data management system and the relevant handling conditions to ensure that the execution of each business complies with relevant laws and regulations such as personal data protection.
    2. Each unit of the Bank has set up four personal data execution windows to handle personal data-related matters (including accepting requests for the exercise of the rights of the parties, reporting personal data security incidents, etc.), and ensures through continuous and regular education and training that the purpose of effective management of personal data is achieved.
  2. Management Methods
    Through the three-line defense mechanism of risk management, the Bank implements the security maintenance management of personal data and integrates it into the Bank’s compliance with laws and regulations and risk management system.
    1. For operational activities involving personal data, each unit shall effectively implement the relevant internal control procedures in accordance with the “Personal Data Management Regulations”, carry out self-inspection of personal data protection items, and immediately take corrective and improvement measures for deficiencies found in the audit.
    2. Each unit shall regularly check the personal data collected, processed and used by all businesses in the Bank, and add to or regularly update the personal data file inventory and the information-system personal data file inventory. For the scope and businesses of personal data defined by the Bank, each unit reviews the process of collecting, processing and using personal data, evaluates the personal data protection risks that may arise, and formulates appropriate and effective control plans based on the results of the risk assessment.
    3. The Bank uses secure hardware and software equipment and mechanisms to store customer data. Customers’ personal data is maintained entirely within the Bank’s data processing system, and strict protective measures are taken to prevent unauthorized personnel from accessing it. In accordance with relevant government laws and regulations and information management principles, a firewall is set up to prevent unauthorized intrusion and malware damage, so as to prevent the illegal acquisition or alteration of personal data.
    4. The Bank’s Risk Management Division coordinates the risk assessment operations and compiles risk assessment results and risk improvement plans in accordance with the “Operational Risk Control and Self-Assessment System Implementation Rules”. Each division of the head office reviews the current status of personal data security maintenance operations, assesses personal data management risks, and plans and implements improvements for possible violations. The Compliance Division compiles the aforementioned self-assessment results and submits a report to the personal information management group and the Board of Managing Directors of the Bank.
    5. The Internal Auditing Division of the Bank shall handle the audit of the personal data protection self-inspection work carried out by each self-inspection unit and the personal data security maintenance audit work. In accordance with the Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries, the Compliance Division shall periodically entrust an accountant to handle the project audit of the personal data protection mechanism.
    6. The Bank announced on its official website “Chang Hwa Bank’s Collection, Processing and Utilization of Personal Data Notifications”, clearly informing customers of the purpose for which the Bank collects their personal data, the types of personal data collected, and the period, region, objects and methods of personal data utilization, and protecting the rights the parties may exercise (including reading, copying, supplementing or correcting, stopping the collection, processing and use of personal data, deleting personal data, etc.).
  3. Incident Reporting and Addressing
    1. In the event of personal data theft, leakage, tampering, damage, loss, or other security incidents that infringe upon the rights and interests of the parties concerned, the personal data execution window of the unit where the incident occurred shall notify the relevant business supervisory unit with the “Personal Data Security Incident Notification Form” and discuss emergency contingency measures, continuously track the subsequent development and handling of the incident, and conduct post-event reviews, improvement plans, and deliberations on corrective and preventive measures.
    2. In the event of a major personal data security incident that endangers normal operations or the rights and interests of a large number of parties, the Bank’s Compliance Division shall notify the Financial Supervisory Commission within 72 hours in accordance with the regulations.
    3. The Bank adopts a zero-tolerance attitude towards personal data leakage, and personnel at all levels shall abide by the relevant personal data protection policies and internal control procedures. Violators are referred to the Bank’s Personnel Review Committee. If civil compensation, criminal liability, or administrative sanctions are involved, the Bank may terminate the employment or appointment relationship and, depending on the circumstances, pursue their legal liabilities.
  4. Assessment Mechanism
    1. Each Division of the head office conducts a self-assessment and submits a self-assessment report regularly, plans and implements improvements in relation to possible violations of the Personal Data Protection Act, and details the improvement programs and the preventive measures taken in the above-mentioned reports.
      ► The self-assessment report on the implementation of personal data protection by each unit of the Bank in 2022 has been submitted to the Personal Information Management Group for deliberation and was reviewed by the 126th session of the Board of Managing Directors.
    2. The Bank commissions a professional accounting firm to handle ad-hoc audit of the personal information protection mechanism.
      ► In 2022, the Bank appointed an accountant to handle ad-hoc audit of the personal information protection mechanism. The verification result is that no major abnormalities have been found. It has been reported to the 38th meeting of the 26th Board of Directors for approval and submitted to the competent authority for review.
    3. The Bank adopts BS 10012 Personal Information Management System.
      ► The effectiveness of the BS 10012 personal information management system is continuously verified. In 2022, an external review confirmed that the system meets international standards and evaluated the effectiveness of the management system.
  5. Education and Training
    The Bank held a digital course on the promotion of and guidelines for the personal information management system in 2022, with a total of 6,431 participants. Through the presentation of personal information infringement cases and the promotion of key points of personal information protection, employees were fully informed of the relevant legal requirements and of the need to comply with the personal information management regulations.

Implementation Status

    1. 1 confirmed personal data security incident from a regulatory complaint in 2022 (impacting 1 person)
      1. Improvement measures
        The Bank shall not disclose customer information to any third party without the consent of the customer, and strengthen education and training to implement the protection of customer personal information.
    2. Without prejudice to relevant regulations and agreements with customers, in 2022 the Bank re-used the personal data of about 101,000 customers (1.47%) for purposes such as marketing or improving the quality of products and services (statistics from the fourth quarter).

Personal Information File Security Management Program