Privacy Protection

Privacy Protection Policies and Management 

As the financial businesses operated by each subsidiary handle a large amount of personal information, the Group has strengthened privacy protection in 3 aspects: “Customer Information Confidentiality Measures”, “Customer Data Sharing Privacy Declaration”, and “Protection of Personal Information”. It has incorporated the related management measures into the dedicated unit’s “Checklist of self-evaluation on Legal Compliance”, conducted every 6 months, to self-assess regularly and ensure compliance.

Customer Information Confidentiality 

The Company has formulated the “Customer Information Confidentiality Measures for TCFHC and its Subsidiaries” and has announced it on the official websites of each subsidiary. The content specifies the methods of collecting customer data, storage and safekeeping methods, information security and protection methods, data classification, scope and items of use, purposes of use, disclosure parties, customer data modification methods, handling of a customer’s refusal to receive cross-marketing messages or to allow the Group to cross-utilize the customer’s information, and disclosure of the subsidiaries that cross-utilize customer data.

Customer Data Sharing Privacy Declaration

To improve convenience for customers, strengthen the Company’s risk management, and promote cooperation among financial institutions to ensure consumer rights, the Company has formulated the “Regulations for TCFHC Sharing Data between Financial Institutions” under the principle of information security, allowing appropriate use of customer data. The Company has established a control mechanism for sharing data among financial institutions for the Group. It has also disclosed the “Customer Data Sharing Privacy Declaration” on the Company’s website, which includes customer protection measures when sharing data and methods for protecting customer rights and interests, to improve the Group’s transparency in sharing data and to build customer trust.


Protection of Personal Information 

The Company has formulated the Personal Data Protection Management Policy, which is applicable to the Company, its subsidiaries, and suppliers entrusted by the Company and its subsidiaries to collect, process or use personal data, so as to implement the Group’s protection of personal data and privacy rights. Meanwhile, there are Personal Data File Security Maintenance Measures and a Personal Data File Security Audit Mechanism. In addition, all subsidiaries are equipped with personal data protection management policies or utilization guidelines. TCB governs the nature of customer data, method of use, retention period, access, transfer, amendment, deletion, disclosure to third parties, freedom of choice whether to provide relevant personal data and which types of data, and other customer rights and interests, and fully discloses them on the official website to inform customers. Full disclosures or notifications are provided in the products or services. In addition, guidelines are put in place for changing related information, cancelling utilization, and filing grievances.

The Company and its subsidiaries have also set up an operational organization for personal data protection management to promote and handle the security audit of personal data files, develop acceptable risk values for personal data files, and conduct risk assessment and self-assessment operations for personal data files. In addition, according to the Personal Data Protection Management Policy, the Company should conduct internal audits on a regular basis to check the effectiveness and implementation of the personal data protection management system. If required by competent authorities, an external organization should be entrusted by subsidiaries to conduct the audit. For example, TCB entrusts an accountant to conduct a special audit of personal data protection every year, BNP TCB Life entrusts an accountant to inspect the degree of implementation every year, and TCBF entrusts an accountant to review the internal control system, with personal data protection included in the review, so as to understand the state of personal data protection management and make improvements. In 2022, TCB and BNP TCB Life obtained the BS 10012:2017 Personal Information Management System certification, passed regular reviews, and maintained the validity of the certificate. TCS also completed the external verification by the Taiwan Personal Information Protection & Administration System (TPIPAS), passed the updated verification successfully, and continued to maintain the validity of its TPIPAS verification.

Procedures for Handling Privacy Protection 

In response to security breaches, including personal data being stolen, altered, damaged, destroyed, or disclosed, the Company has established the “Response Notifications and Preventions of Personal Information Breach” for timely response to, reporting of, and prevention of security breaches. Each subsidiary has also implemented personal data incident response and reporting procedures. For example, TCB follows the Guidelines for Handling and Reporting Personal Information Security Incidents in handling personal information incidents involving information leaks. For general personal information incidents, the units in charge should be notified first, and the response procedure includes investigating the cause, notifying the parties involved, and discussing corrective and preventive measures. Where an incident involves customer information and is classified as a material event, the Crisis Management Taskforce will be assembled to perform post-incident response measures while staying in close communication with the customer, and will issue a standard news release if necessary. In addition, the Group has regulations such as the Personal Data Protection Management Policy and the Employee Reward and Punishment Points. Any employee found leaking business secrets or violating internal regulations will receive reprimands, demerits, or even termination of the labor contract as punishment. In 2022, TCFHC Group encountered no personal data leakages; the percentage of information breaches related to personal data and the number of customers affected were both zero, and there were no violations of personal information protection. In addition to having no personal data leakage and no legal proceedings related to customer privacy, TCB fully monitors the use of customers’ personal data, and about 21.53% of customer data is put to secondary use without violating relevant laws or agreements with customers.


Training and Education on Privacy Protection

The Group regularly organizes personal information protection training. For instance, TCB provided the “Personal Information Incident Prevention and Emergency Response Courses”, and BNP TCB Life rolled out “Personal Information Protection Courses” on its digital learning platform to raise security and legal awareness of the use of personal information in daily operations.