Customer Privacy Protection

Customer Privacy Protection

When customers access services of Chunghwa Telecom, we collect their personal/private data out of the regulatory requirement for identity verification or the needs for service provision.

Nature of Information Captured: Types and Content of Data Collected

Use of The Collected Information

Regarding the use of the personal data of customers, the data are used within the necessary scope specified at the time of collection and pursuant to the laws and regulations. The personal data of customers will not be disclosed to a third party, processed or used in places other than areas Chunghwa Telecom operates, or otherwise beyond the purposes of collection, unless consented by the customers or specified otherwise by the laws or regulations. If it is necessary to entrust an affiliate or a third party (such as logistics or information service providers) to provide services, we shall enforce supervision as appropriate to assure the security of the personal data of customers.

Possibility For Customers To Decide How Private Data Is Collected, Used, Retained And Processed

To protect the rights of customers, a variety of channels (including websites, apps, stores, and customer hotline) are available at Chunghwa Telecom for customers to access and learn about the types of personal information collected and the methods for collection, processing, use, or disclosure of such to a third party as well as the rights customers may exercise.
The rights available for customers to exercise are as follows:

• Opt-out
  with the right to opt-out at any time, unless restricted by the laws or regulations, or that the opt-out by customers will render impact to the contract that is in their favor.
• Opt-in
  Unless otherwise provided by the laws or regulations, purposes of our collection or processing of the personal data of customers shall be specified and be subject to the consent of the customers.
• Access to data held by the Company
  Customers are entitled to inquire or to request to view the personal data thereof we hold, or to request a copy of such from us.
• Requests to edit data
  Customers are entitled to supplement or correct their personal data.
• Requests for deletion
  Unless otherwise provided by the laws or regulations, upon termination of the contractual relationship with us, customers are entitled to request erasure, or cessation of processing or use, of personal data from us.
• Request data be transferred to other service providers
  In compliance with the requirements by the competent authority of the telecommunications industry, the operator ought to verify the data of customers with new application for telecommunications business in line with the pertaining laws and regulations. Also, in compliance with fraud prevention, we do not provide transfer of personal data of customers to other telecom operators, except for the service of number portability available upon customer application.

Data Retention Period

Upon termination of contractual relationship between customers and us, we will maintain and use customer’s personal information within the scope and deleting data after a defined amount of time or permitted by the laws and regulations and retain (non-personal) data generated thereby in a form that does not identify the customer. We will not collect personal data from third parties (except when required by law).

Data Use and Protection

To provide services and information of better quality that meet the needs of customers, elevate customer experiences, and maintain customer relationship, we use customers’ data for analyses, whereas customers may request stop to such use at any given time.

We have formulated personal data protection policy and relevant regulations regarding personal data of customers, which apply to all employees and contractors (contractors, personnel of subsidiaries stationed at the Company for service, suppliers, and partners included). Also, monitoring is in place 100% with rigorous protection measures to prevent any unauthorized access, disclosure, use, or tampering of personal data in order to protect customers’ rights.
Our data protection measures are as follows:

1. All the systems and IDCs involving sensitive materials, personal data, or critical infrastructure services (facilities) have been included in the protection scope of anomaly detection of CHT SOC; aside from defense mechanisms like multi-layered network isolation and filtering, regular white hat security tests, host/website/open-source software vulnerability management, and email APT blocking, through management of information security equipment and operating system logs, multi-dimensional correlation analysis is performed to determine cybersecurity/privacy incidents for early warnings to ensure data security; third-party certification to ISO 27001 has been obtained.
2. In data analysis and processing, through access control in line with ISO 27001 standard and technical measures such as transmission encryption and de-identified data presentation, the personal data and privacy of customers are ensured without compromising the rights of individuals involved.
3. Permissions are granted in accordance with the principles of need-to-know basis and the minimum permission required for work execution.
4. Records of inquiries of customer’s personal data by employees are kept, which are verified and reviewed systematically to prevent any improper use.
5. Prior to use of customer data, the system checks and removes any customer who do not accept such use.

Policy for Disclosure to Third Parties

Personal data and privacy will not be disclosed to a third party by means of exchange, lease, or otherwise at will, unless consented by the customers or specified otherwise by laws and regulations, We may share personal data and privacy with a third party:

• Prosecutors / Investigation Bureau / Police Department / Other Governmental Agencies ：We are liable to protect customer’s secrecy of correspondence and privacy from illegal infringement in accordance with the laws. Only when government agency or law enforcement agency presents Chunghwa Telecom a letter in line with the laws to request access or inquire information of customers to protect public security, fight crimes, or maintain social order can we provide customer information thereto.

Requests for Customer Information Received from Government or Law Enforcement Agencies

We are liable to protect customer’s secrecy of correspondence and privacy from illegal infringement in accordance with the laws. Only when government agency or law enforcement agency presents Chunghwa Telecom a letter in line with the laws to request access or inquire information of customers to protect public security, fight crimes, or maintain social order can we provide customer information thereto.

In compliance with the requirements, dedicated departments and rigorous review procedures for access are in place. Relevant information can only be provided in accordance with the laws upon criteria met, which will not be available otherwise.

In 2022, 1,374,084 requests were made by the government or law enforcement agencies for inquiries of our user information. The ratio of provision was 55.60%(763,991 requests) and that of rejection 44.4%(610,093 requests), most of which were primary due to inconformity to the relevant laws and regulations or source data error.

Personal Data and Privacy Protection Consultation and Grievance Channels

A variety of means are available for customers to exercise their rights with Chunghwa Telecom. In addition, customers with questions or concerns regarding personal data or privacy may send feedbacks or appeals by means of following channels, which will be explained by dedicated staff in a professional manner.

Personal Data and Privacy Protection Grievance Escalation Channels