
MOHW announced the Enforcement Regulations Governing the Personal Information Files Security Maintenance Plan for Drug Wholesalers and Retailers



 
To strengthen the protection of personal data, on November 12, 2020, the Ministry of Health and Welfare (MOHW) announced the Enforcement Regulations Governing the Personal Information Files Security Maintenance Plan for Drug Wholesalers and Retailers (“Regulations”) under the authorization of Paragraph 3, Article 27 of the Personal Data Protection Act (“PDPA”). The Regulations require drug wholesalers/retailers (i) with capital of NT$30 million or more and (ii) recruiting members or collecting the personal data of their trading parties (“Applicable Businesses”) to establish a personal information files security maintenance plan (“Security Maintenance Plan”) within six months after the Regulations took effect. Moreover, the central and local competent authorities may conduct regular inspections of their Security Maintenance Plans. The key points of the Regulations are as follows:
 
Like the regulations promulgated by other central competent authorities for personal information files security maintenance, the Regulations require Applicable Businesses to include the following matters in their Security Maintenance Plans:
 
1. Internal management procedures for collection, processing, and use of personal data.
2. The scope and items of personal data.
3. Data security management and personnel management.
4. Mechanism for prevention, notification and handling of incidents.
5. Facility security management.
6. Data security auditing mechanism.
7. Maintenance of access records, track log files, and relevant evidence.
8. Disposal measures for personal data after the termination of business operations.
9. Continuous improvement of security and maintenance measures.
 
In addition, the Regulations require that Applicable Businesses assign dedicated staff to establish and implement their Security Maintenance Plans and require internal auditors to audit the implementation and effectiveness of Security Maintenance Plans. These two roles may not be held by the same person, so as to ensure an independent and effective auditing mechanism (Article 3 of the Regulations). When using personal data for promotion or marketing purposes, Applicable Businesses shall inform data subjects of the business's registered name and the source(s) from which the personal data was collected (Article 11 of the Regulations). Where Applicable Businesses commission data processors to collect, process or use personal data, they must stipulate in the commission agreement or other relevant documents the supervision measures prescribed under Article 8 of the Enforcement Rules of the PDPA (Article 12 of the Regulations). In the event of a data breach, Applicable Businesses must properly notify the data subjects and report to the competent authority after identifying the cause of the incident and the loss and damage arising therefrom. The reporting procedures and forms shall be further stipulated by the local competent authorities (Article 14 of the Regulations).
 
If you have any questions about the Regulations or require any assistance, please feel free to contact our Personal Data Protection Practice Group.