Personal Data Management Policy

I、Purpose

To implement the protection and management of personal data and meet the requirements of the Personal Data Protection Law (hereinafter referred to as the Personal Information Law), HamaStar Technology Co., Ltd. (hereinafter referred to as the company) has formulated a personal data management policy (hereinafter referred to as this policy).

 

II、Scope of Application

This policy applies to all employees and outsourced personnel of the company.

III、Definition of Terms

(I)、Personal Information:

Refers to a person's name, date of birth, unified national ID card number, passport number, characteristics, fingerprints, marriage, family, education, occupation, medical history, medical treatment, genetics, health check, criminal history, contact information, financial status, social activities, and other data that can directly identify the individual.

(II)、The parties:

Refers to the person to whom the personal data relates.

(III)、Stakeholders:

Refers to personal data subjects, customers, outsourced or cooperative vendors, or other related persons or units related to the company's business.

 

IV、Goal

(I)、In accordance with the requirements of the Personal Information Protection Act, the Rules for the Protection of Personal Data Act and BS 10012, protect the process of collecting, processing, using, storing, transmitting, and destroying personal data.

(II)、To protect the security of personal data related to the company's business, avoid risks such as theft, alteration, damage, loss, or leakage due to external threats or improper management and use by internal personnel.

(III)、Improve the ability to protect and manage personal data, reduce operational risks, and create a trustworthy personal data protection and privacy environment.

(IV)、To enhance the safety awareness of personal data protection of all personnel, conduct regular personal data protection publicity education and training every year.

(V)、Periodically conduct risk assessments on the personal data process and identify the tolerable risk levels. 

 

V、Principles

(I)、Collection and processing of personal data

The company's operations require obtaining or collecting personal data, including but not limited to an individual's name, date of birth, national identity card uniform number, passport number, characteristics, fingerprints, marriage, family, education, occupation, medical history, medical treatment, genetics, health check, criminal history, contact information, financial situation, social activities, and other data that can directly or indirectly identify the individual. Such collection and processing shall follow the Personal Information Law and other laws and regulations, and shall be carried out legally and fairly, without being excessive, and in a manner that is relevant and appropriate to the purpose. In addition, in accordance with Article 5 of the Personal Information Law, the collection, processing or use of personal data shall respect the rights and interests of the parties concerned, shall be carried out in an honest and credible manner, shall not exceed the necessary scope of the specific purpose, and shall have a legitimate and reasonable connection with the purpose of the collection.

(II)、Use of personal data and international transmission

A. When the company uses personal data, it does so within the scope necessary for the specific purpose under the Personal Information Law; if the data needs to be used for anything other than the specific purpose, this will be handled in accordance with the provisions of Article 20 of the Personal Information Law. If the written consent of the parties is required, the company shall obtain it according to the law.

B. The personal data collected and processed by the company shall comply with the Personal Information Law and the company's personal data management system, and personal data may be used by the company's contractors only when that use is required by the company's operations or business.

C. If international transmission of the personal data obtained by the company is necessary, it will be handled in accordance with the principles of not violating major national interests, not transmitting to third countries in a roundabout way, and not using personal data to circumvent the provisions of personal information laws. If there are special provisions in international treaties or agreements, or the data receiving country does not have complete laws and regulations for the protection of personal data, which may damage the rights and interests of the parties, the company will not conduct international transmission, in order to maintain the security of personal data.

(III)、Access and change of personal information

When the company receives a request for access to or change of personal data, it shall, in accordance with Article 3 of the Personal Information Law and the procedures established by the company, handle within the legal scope requests to inquire about or read personal data, to make a copy, to add or correct, to stop collection, processing or use, or to delete.

(IV)、Exceptional application of personal data

A. The company is obliged to keep confidential the personal data it holds. The company shall not disclose it to third parties except at the request of the parties or in the following circumstances, where the inquiry complies with Article 20 of the Personal Information Law and relevant laws and regulations and is made by official document or other provable document:

(A). Judicial agencies, supervisory agencies, or police agencies need it for criminal investigation or investigation of evidence.

(B). The competent authority for the company's business needs it to conduct business inspections.

(C). Other government agencies need it to exercise public authority and have legitimate reasons.

(D). Agencies (institutions) related to public life safety need it for emergency relief.

B. According to Article 20 of the Personal Information Law, the company's use of personal data shall be within the scope necessary for the specific purpose of the collection, except for the data specified in the first paragraph of Article 6 of the Personal Information Law. However, in any of the following situations, it may be used for purposes other than the specific purpose:

(A). The law expressly stipulates.

(B). Necessary for the promotion of public interest.

(C). To avoid the danger to the person's life, body, freedom, or property.

(D). To prevent major harm to the rights and interests of others.

(E). Public agencies or academic research institutions need it for statistical or academic research based on the public interest, and the data, as processed by the provider or as disclosed by the collector, cannot identify the specific party.

(F). With the consent of the parties.

(G). Conducive to the rights and interests of the parties.

(V)、Protection of personal data

A. The company has established an asset management committee to clearly define the responsibilities and obligations of relevant personnel, has set up an executive team, and handles personal asset file update and safety maintenance management matters in accordance with relevant laws and regulations.

B. The company has established and implemented a personal information management system (hereinafter referred to as PIMS) to confirm the implementation of this policy; all personnel and outsourced vendors should comply with the specifications and requirements of PIMS, and the operation of PIMS should be reviewed regularly.

C. A management system should be established for personal data files, with hierarchical and classified management, and safety management standards should be established for contacts.

D. The scope of use and the access permissions shall be determined for personal data input, output, access, update, destruction, sharing and other processing activities.

E. To ensure the security of personal data, the access security of personal data files in the information system should be strengthened, and a security protection mechanism should be established to prevent unauthorized access and maintain the privacy of personal data; this mechanism should be checked regularly.

F. If personal data files are stored on a personal computer, an identifiable login passcode should be set on the computer, and other auxiliary security measures should be considered based on the business and importance.

G. All departments of the company should take emergency response measures in the event that a personal data file is maliciously damaged or inadvertently mishandled, or in the event of other security incidents.

H. The company adopts strict measures and policies to protect the personal data of the parties concerned, and all personnel have received complete personal information protection related education and training. If there is any leakage of personal information, the civil, criminal, and administrative responsibilities will be investigated in accordance with the law.

I. When the company's outsourced or cooperating vendors are involved in business dealings with the company, they should sign a confidentiality contract to make them fully aware of the importance of personal data protection and the legal responsibility for leaking personal data. If there is a breach of confidentiality obligations, the civil and criminal liabilities will be investigated according to the law.

(VI)、Participation and expectations of stakeholders

The company's personal data protection and management resolutions should be included in the report of the asset management committee meeting, and meetings involving major resolutions should be reported to the interested parties. If there is any feedback, it will be discussed in the next asset management committee meeting.

VI、Review

At least one review meeting of the asset management committee is held every year to ensure the effective operation of the company's personal information management policies, corrective and preventive measures, and related individual asset issues.

VII、Implementation

The company's personal data management policy is revised regularly every year, or when required by changes in the times or amendments to laws and regulations. Once announced by the personal information protection chief and convener, it is implemented; the same applies to revisions.