Privacy Protection

Privacy Protection Policies and Management

As the financial businesses operated by each subsidiary involve a large amount of personal information, the Group has improved its privacy protection in 3 aspects: Customer Information Confidentiality Measures, the Customer Data Sharing Privacy Declaration, and protection of personal information. It has incorporated the related management measures into the dedicated unit’s "Checklist of self-evaluation on Legal Compliance", conducted every 6 months, to self-assess regularly and ensure compliance.

Customer Information Confidentiality

To provide customers with more complete and diverse financial products or services, the Company has the "TCFHC Customer Information Confidentiality Measures" in place and has announced them on the official websites of the respective subsidiaries. The measures include specific information on how customer data are collected, stored and retained; data security and protection; data classification; the scope and items of utilization; the purpose of data utilization; to whom the data are disclosed; how to change and modify customer data; what to do if customers are unwilling to receive information on shared marketing events of the Group or unwilling to allow inter-utilization of their data throughout the Group; and disclosure of the subsidiaries among which customer data are disclosed and utilized interchangeably.

Customer Data Sharing Privacy Declaration

To improve the convenience of customers, strengthen the Company’s risk management, and promote cooperation among financial institutions to ensure consumer rights, the Company has formulated the "Regulations for TCFHC Sharing Data between Financial Institutions" under the principle of information security, allowing appropriate use of customer data. The Company has established a control mechanism for sharing data among financial institutions for the Group. It also disclosed the "Customer Data Sharing Privacy Protection Declaration" on the Company’s website, which includes customer protection measures when sharing data and methods for protecting customer rights and interests to improve the Group’s transparency in sharing data and customer trust.

Protection of Personal Information

The Company has formulated the "Personal Data Protection Management Policy", which is applicable to the Company, its subsidiaries, and suppliers entrusted by the Company and its subsidiaries to collect, process or use personal data, so as to implement the Group’s protection of personal data and privacy rights. There are also "Personal Data File Security Maintenance Measures" and a "Personal Data File Security Audit Mechanism". In addition, all subsidiaries have personal data protection management policies or utilization guidelines. For example, TCB governs the "nature of customer data", "method of use", "retention period", "access, transfer, amendment, deletion", "disclosure to third parties", and "freedom of choice whether to provide relevant personal data and types of data", along with other customer rights and interests, and fully discloses them on the official website to inform customers. Full disclosures or notifications are provided in the products or services. In addition, guidelines are put in place for changing related information, cancelling utilization, and filing grievances.

The Company and its subsidiaries have also set up an operational organization for personal data protection management to promote and handle the security audit of personal data files, develop acceptable risk values for personal data files, and conduct risk assessment and self-assessment operations for personal data files. In addition, according to the "Personal Data Protection Management Policy", the Company should conduct internal audits on a regular basis to check the effectiveness of the personal data protection management system and its implementation. If required by competent authorities, an external organization should be entrusted by subsidiaries to conduct the audit. For example, TCB entrusts an accountant to conduct a special audit of personal data protection every year, BNP TCB Life entrusts an accountant to inspect the degree of implementation every year, and TCBF entrusts an accountant to handle the internal control system, including personal data protection, so as to understand the state of personal data protection management and make improvements. In 2023, TCB and BNP TCB Life obtained the "BS 10012:2017 Personal Information Management System" certification, passed regular reviews, and maintained the validity of the certificate. TCS also completed the external verification by Taiwan Personal Information Protection & Administration System (TPIPAS), passed the verification update successfully, and continued to maintain the validity of TPIPAS verification.


Procedures for Handling Privacy Protection

In response to security breaches, including personal data being stolen, altered, damaged, destroyed, or disclosed, the Company has established the "Response Notifications and Preventions of Personal Information Breach". Each subsidiary has also implemented personal data incident response and reporting procedures. For example, TCB follows the "Guidelines for Handling and Reporting Personal Information Security Incidents" in handling personal information incidents involving information leaks. For general personal information incidents, the units in charge should be notified first, and the response procedure will include investigating the cause, notifying the parties involved, and discussing corrective and preventive measures. Where an incident involves customer information and is classified as a material event, the Crisis Management Task Force will be assembled to perform post-incident response measures while staying in close communication with the customer, and will issue a standard news release if necessary. In addition, the Group also has regulations such as the "Personal Data Protection Management Policy" and "Employee Reward and Punishment Points". Any employee found leaking business secrets or violating internal regulations will receive reprimands, demerits, or even termination of labor contracts as punishment. In addition, if suppliers and their staff violate applicable regulations governing personal data protection or agreements on the protection of personal data, resulting in damages borne by the Company or its subsidiaries, they are also responsible for indemnification. In 2023, TCFHC Group encountered no data leakages; the percentage of information breaches related to personal data was zero, the number of customers affected was zero, and there were no violations of personal information protection.
In addition to having no personal data leakage or legal proceedings related to customer privacy, TCB fully monitors the use of customers’ personal data, and about 54.45% of customer data is used for the 2nd time without violating relevant laws and agreements with customers.


Training and Education on Privacy Protection

The Group regularly organizes personal information protection training. For example, TCB provided the "Personal Information Incident Prevention and Emergency Response Courses", and BNP TCB Life rolled out "Personal Information Protection Courses" on its digital learning platform for raising security and legal awareness on the use of personal information in daily operations.