The latest version is released on the website
In view of the fact that information security is the basis for maintaining the safe operation of various services, in order to ensure that Dentall Co., Ltd. (hereinafter referred to as the company) has a consensus to implement the mission of information security, an information security policy (hereinafter referred to as this document) has been formulated to ensure that it is the highest guiding principle for the company's information security management system.
The company's information security goal is to ensure the confidentiality, integrity and availability of the core system management business (meaning information systems and related management activities within the scope of ISO27001 certification). And define and measure quantitative indicators of information security performance according to each level and function to confirm the implementation status of the information security management system and whether the information security objectives have been achieved.
Confidentiality:
Any sensitive information of the company should be prevented from being leaked on the Internet.
Integrity:
The accuracy of the company's sensitive information should be ensured.
Availability:
The important data held by the company should be ensured to be backed up.
Our company
In order to ensure the effective operation of the information security management system, the information security organization and rights and responsibilities should be clearly defined to promote and maintain the progress of various management, execution and review tasks.
An information security organization should be established to coordinate the promotion of information security matters.
Management should actively participate in and support the information security management system, provide relevant resources, and allocate appropriate rights and responsibilities.
All organizations and personnel within the applicable scope shall abide by this policy, intellectual property rights and personal data protection laws.
Organizations and personnel within the applicable scope are responsible for reporting information security incidents or weaknesses through appropriate mechanisms.
The effectiveness and sustainability of information security should be ensured in a repetitive and step-by-step spirit based on the cyclical model of Plan, Execution (Do), Check and Continuous Improvement (Action).
This document should be evaluated and reviewed at least once a year, taking into account the latest status of laws and regulations, technological changes, expectations of interested parties, business activities, internal management and resources, etc., to ensure the effectiveness of information security practices.
This document shall be revised based on the review results and will not take effect until issued by the Chief Technology Officer.
After this document is formulated or revised, stakeholders, such as employees, suppliers, customers, external auditors, etc., should be informed through appropriate means (e.g., E-mail or website announcement).
The latest version is released on the website
In order to implement the protection and management of personal data and comply with the requirements of the "Personal Data Protection Act" of the Republic of China and its implementation rules, Dentall Co., Ltd. (hereinafter referred to as the company) refers to the "Information Security Management System (ISO/IEC 27001)" " and "Privacy Information Management System (ISO/IEC 27701)" to ensure the security of sensitive information, personal data and related systems, equipment and network communications, and effectively reduce the theft of information assets due to human negligence, intentional or natural disasters, etc.
To avoid risks such as improper use, leakage, tampering or damage, a personal data protection and management policy (hereinafter referred to as this policy) has been formulated.
Implement personal information protection and reduce operational risks
All employees implement the Personal Information Management System (PIMS) to strengthen and standardize the protection of personal information and avoid risks such as leakage, destruction or loss due to external threats or improper management by internal personnel, and choose appropriate protection measures to reduce risks to an acceptable level and continue to monitor, review and audit the personal data protection system.
The goals of our company's personal data protection management are as follows:
Comply with the "Personal Data Protection Law", "Personal Data Protection Law Enforcement Rules" and relevant standards and regulatory requirements, the process of collecting, processing, utilizing, storing, transmitting and destroying personal data is protected.
Protect the security of personal data related to the company's business and avoid risks of theft, tampering, damage, loss, or leakage due to external threats or improper management and use by internal personnel.
Improve the protection and management capabilities of personal data, reduce operational risks, and create a trustworthy personal data protection and privacy environment.
Enhance colleagues' personal data protection security awareness, personal data protection publicity and education training is held from time to time every year.
Conduct personal data file risk assessments every year based on the personal data operation process to identify acceptable risk levels and implement risk management.
The company obtains or collects the natural person's name, date of birth, national identity card number, passport number, characteristics, fingerprints, marriage, family, education, occupation, medical records, medical treatment, genes, and sexual life, health examination, criminal record, contact information, financial situation, social activities and other information that can directly or indirectly identify the individual should comply with the Republic of China's "Personal Data Protection Law" (hereinafter referred to as the Personal Information Law) and other laws and regulations, and shall not the collection and processing of personal data is excessive and fit for purpose, relevant and appropriate, and fair and lawful. In addition, in accordance with Article 5 of the Personal Information Law, the collection, processing or use of personal information shall respect the rights and interests of the parties concerned, be done in good faith and in good faith, shall not exceed the necessary scope for the specific purpose, and shall be legitimate and consistent with the purpose of collection.
When the Company uses personal data, it shall be within the scope necessary for the specific purpose of the Personal Information Act. If it needs to be used for purposes other than the specific purpose, it will be handled in accordance with the provisions of Article 20 of the Personal Information Law; if necessary If it is necessary to obtain the consent of the parties, the Company shall obtain the consent of the parties in accordance with the law.
The personal information collected and processed by the Company shall comply with the provisions of the Personal Information Law and the Company's personal information management system, and only when the use of personal information is necessary for the Company's operations or business can it be used by the Company's employees.
If there is a need for international transfer of the personal data obtained by the Company, it will be handled in compliance with the principles of not violating the vital interests of the country, not transferring to third countries (regions) in roundabout ways, or using personal data to circumvent the provisions of personal information laws.
In addition, if there are special provisions in international treaties or agreements, or if the data receiving country's laws and regulations on the protection of personal data are not perfect, which may damage the rights and interests of the parties, the Company will not conduct international transmission to maintain the security of personal data.
When the Company receives a request for access or change of personal data, it shall allow the individual to conduct an inquiry or request to read, copy, correct, request to stop collection, processing, use, deletion, or supplement the personal data of the individual concerned within the legal scope in accordance with the Personal Information Law and the procedures established by the Company.
The company has an obligation to keep confidential the personal information it possesses for business purposes and shall not disclose it to a third party. Except in the following circumstances, it shall comply with Article 20 of the Personal Information Law and relevant laws and regulations, and inquiries shall be made through official documents:
It is necessary for judicial authorities, supervisory authorities or police authorities to investigate crimes or investigate evidence.
Other government agencies need it for the execution of public powers and for legitimate reasons.
Agencies (institutions) related to public safety are required for emergency rescue.
The Company's use of personal information, except for the information stipulated in Paragraph 1 of Article 6 of the Personal Information Law, shall be within the scope necessary for the specific purpose of collection. However, under any of the circumstances listed in Article 19 or 20 of the Personal Information Law, it may be used for other than specific purposes.
The company has established a personal data protection organization to clearly define the responsibilities and obligations of relevant personnel.
The company has established and implemented a Personal Information Management System (PIMS) to confirm the implementation of this policy; all employees and outsourced vendors should comply with the specifications and requirements of the Personal Information Management System (PIMS) and regularly review the Personal Information Management System (PIMS) operation.
The company adopts strict measures and policies to protect the personal information of the parties. All faculty, staff and interns of the company shall receive complete education and training on personal information law and privacy protection.
If there is any leakage of personal information, civil, criminal and administrative responsibilities will be pursued in accordance with the law.
Our company's outsourced vendors or partners should sign confidentiality contracts when cooperating with our company, so that they can fully understand the importance of personal data protection and the legal liability for leaking personal information. If there is any violation of confidentiality obligations, civil and criminal liability will be pursued in accordance with the law.
The company's personal data protection and management resolution matters should be included in the report of the "Information Security Management Committee", and meeting minutes involving major resolutions should be submitted to the competent authorities and interested parties (such as the company's employees and other related parties to the company, etc.), such as any feedback matters will be included in the discussion agenda at the next Management Committee meeting.
The company's personal data protection policy will be revised appropriately every year or due to changes in circumstances or amendments to laws, etc., and will be implemented after approval by the company's "Information Security Management Committee". The same applies to revisions.
After this policy is approved, it should be communicated to all personnel in an appropriate manner for implementation.