Privacy Policy

Privacy Policy

“Customer Privacy Protection” is emphasized at Chunghwa Telecom in compliance with “Personal Data Protection Act” and “Regulations Governing Non-governmental Personal Data Security Protection Designated by the National Communications Commission.” Privacy Policy has been stipulated, along with rigorous privacy security management and protection measures. Also, a data governance system has been constructed. Data standards and classification are set. Data access management and data owner review mechanisms are exercised to ensure access and sharing of data as well as the availability, integrity, and confidentiality thereof are properly managed and protected. The scope of application encompasses all groups, branch offices, subsidiaries, and suppliers of the Company.

Internally, we have formulated “Data Governance Policy” and relevant regulations regarding data governance to demonstrate the Company’s determination in achieving “zero tolerance” for privacy incidents. The Policy is applied to all CHT business groups, branch offices, subsidiaries, and suppliers.

Prior to any business promotion, risk assessment will be conducted to examine and ensure data access in compliance with the regulatory requirements and to check if data protection mechanisms are in place to avoid risks in data processing. To take it further in terms of “customer privacy protection,” we proactively introduced ISO 27701 system to assure the effectiveness and legal compliance in the lifecycle of data, which has been certified in 2023.

Regarding the collection, processing, use, and protection of personal information and privacy involved in the operation, aside from compliance with government’s relevant laws and regulations, personal information is used within the defined scope of regulatory requirements and will not be disclosed to a third-party via exchange, lease or otherwise at will. Also, relevant actions are implemented in accordance with the “Privacy Protection Policy” stipulated by the Company so as to uphold the security of customer information and privacy.

As a response to the potential innovation, advantage, and impacts arising from the development of AI technology, the 8 Guidelines in the “AI Technology R&D Guidelines” promulgated by the Ministry of Technology are also adopted as a reference for the Company in research, innovation, and development to ensure proper management measures in place in the use of AI technology, reducing the potential concerns from the public on AI technology as well as the risks thereof in order to develop under the premise of customer privacy protection. As such, we shall live up to the core values of “human-oriented,” “sustainable development,” and “diversity inclusion.”

Customer Privacy Protection Management Mechanisms

Data Governance Organs and Responsibilities

The data governance organs, structure, and responsibilities at Chunghwa Telecom:

1. Data Governance Committee (Level-1 Organization)： President as the Convener and the final decision-making body for issues of data governance, responsible for the data governance development at Chunghwa Telecom
2. Data Development Department (Level-2 Organization): Stipulation and promotion of corporate data governance regulations and systems; tracking of implementation results
3. Data Governance Team (Level-3 Organization): Data governance implementer to ensure implementation of the data governance system in terms of data protection, data compliance, data quality, data access, data tools, and data maintenance throughout Chunghwa Telecom

Privacy Protection Risk Management

1. Personal Data and Privacy Risk Management (Group-wide risk management)
   The risk management system in line with international personal data and privacy management standards and relevant laws and regulations has been established, including formulation of data classification management standards and promotion of data governance learning map certification trainings, to improve employees’ personal data privacy and data governance literacy. Also, prior to business promotion, CHT conducts privacy impact analysis, identifies internal/external threats and their impact levels and likelihood, formulates risk handling targets and measures, and fulfils the responsibility of supervising the outsourced suppliers, and regularly convenes senior-level review meetings as vital references for privacy policy stipulation.
   Our performance of cybersecurity and privacy risk management has been incorporated into the monthly tracking by the Risk Management Committee for management. Any material risk issue will be submitted to the Audit Committee or directly reported to the Board of Directors.
2. Performance Evaluation & Disciplinary Actions
   With “zero tolerance” as the highest guiding principle, our Privacy Policy incorporates cybersecurity and privacy protection performance in the employees’ appraisals, which come into force upon approval by the President. The results are reviewed regularly, while failures in target achievement demand improvement. In the event of any conduct that leads to loss from negligence or improper inquiry, access, use or intentional leak of customers’ personal data will render disciplinary actions from demerit to termination of labor contract.
   In order to ensure the cybersecurity implementation by all employees, the performance of cybersecurity and personal data protection is incorporated as part of the performance evaluation of all employees, which has come into force upon approval by the President. The performance is reviewed regularly, and correction is required for any failure to meet the targets.
3. Internal Audit of Privacy Protection
   Pursuant to the “Privacy Policy,” “Personal Data Protection Act,” and other pertaining laws and regulations, we conduct internal audits on a regular basis, ceaselessly strengthening the privacy protection operating procedures to ensure the implementation of personal data and privacy protection and security measures across all operations as well as examine and evaluate the effectiveness of personal data protection measures.
   ‐ Branches: self-audit conducted regularly each year
   ‐ Headquarters: annual personal data audit organized once a year
   ‐ Audit Department at Headquarters (directly under the Board of Directors): internal control audits organized each year
4. External Audit of Privacy Protection
   Our Privacy Policy has obtained the third-party conformity verification. Also, the ISO 27701 management system was introduced to establish a consistent system framework for cybersecurity and privacy protection management, which has been certified in 2023. We conduct external audits and certifications each year (e.g. ISO 27001 / ISO 27011 / ISO 27017 / ISO 27018 / ISO27701 / BS 10012 / CSA STAR Certification with ongoing validity) so as to assure the validity and compliance of data lifecycle. and offer consumers a better cybersecurity and privacy data protection.
5. Enhance Supplier Security
   To effectively assess and manage supply chain security risks, during the procurement process, we selects credible suppliers or collaborators, excludes products with security concerns and manufacturers that may affect national security. Form standardized "cybersecurity complement provisions" and "Personal Data Protection complement provisions" to be included in contracts for procurement or supplier cooperation. Specify cybersecurity and privacy protection management requirements and penalties for suppliers, and further supervise and manage, as needed. We also conduct contract-based monitoring to ensure compliance with our privacy policy and legal regulations.

• Supervision and Management Approach：Depending on the nature of the commissioned business and the degree of risk, We employs corresponding supervision methods. These methods include daily inspections, supplier self-assessments, regular/irregular meetings, information system security measures, automating third-party risk management tool, on-site audits, requiring suppliers to obtain third-party certification, etc., as necessary.
• Inspect Items：Following the template of the "Personal Data Security Audit Checklist" published by the competent authority under the Personal Data Protection Act, the audit includes the following:

establishing a mechanism of risk assessment and management of personal data establishing a mechanism of preventing, giving notice of, and responding to a data breach establishing an internal control procedure for the collection, processing, and use of personal data

managing data security and personnel promoting awareness, education and training managing facility security

establishing an audit mechanism of data security keeping records, log files and relevant evidence implementing integrated and persistent improvements on the security and maintenance of personal data

• Supervision Results：Suppliers who fail to meet the requirements must make improvements within a given deadline, and the overall supervision results will be included in the management review.

Internal System and Results

Procedures for Personal Data Incident Prevention, Report, and Response

A sound mechanism of reporting, emergency response, and follow-up correction for breaches of customer privacy as well as the “Procedures for Personal Data Incident Prevention, Report, and Response” has been established at Chunghwa Telecom. With rigorous protection measures in force, we prevent any unauthorized access, disclosure, use, or tampering of personal data. Exercises are conducted on a regular basis to raise awareness and knowledge of our employees in reporting and response processes.

Upon detection of potential privacy incident, it is required to complete reporting based on the reporting list of contact in the specified periods. Should a privacy incident be verified, emergency response procedures will be set in motion immediately in line with the existing incident handling procedures to complete the emergency handling in the specified timeframes as follows:

1. Assess and respond in line with the scope and severity of impacts, where a major privacy incident is to be report to the Cyber Security Department and the CISO.
2. The privacy data response team is established with emergency response mechanism in place for incident investigation and analysis to determine the root cause, define scope of damage, and preserve relevant evidence of an incent.
3. Changes of public opinions and client grievance are monitored to learn about the personal data illegally collected, processed, used in the incident and prevent further damage.
4. Individuals affected and the competent authorities are notified in line with the laws. Where the incident has led to damage to clients’ rights, we provide compensation or legal support to the individuals involved to assist and protect our clients’ rights to the best of our ability.
5. Review and improvement are conducted in terms of the impacts, damages, and influences of an incident to prevent reoccurrence.。

Privacy Incidents

There were 10 “alleged information breach cases” filed via the customer hotline of Chunghwa Telecom in 2022, of which 7 were notified by the National Communications Commission (NCC) and 3 submitted via the customer service hotline (accounting for 0.00001% of the customer hotline service provided of the year). All the cases were investigated and verified that there had not been any fact of privacy breach.

Specific Data Management Mechanisms

In alignment with the major areas of Data Management Knowledge (DMBOK) of Data Management Association (DAMA), Chunghwa Telecom constructed its data governance structure of three-level organization and respective responsibilities. Also, the data use system throughout the Company has been constructed in terms of data quality, data protection, data access/sharing, data tools, data compliance, and data maintenance, so that data can be regulated, authorized, tracked, and protected. As such, it warrants an effective data governance at the Company and the subordinate entities to achieve consistency, availability, security, and compliance in data asset management that meets international standards.

1. Data Quality: Assurance of definition and monitoring of data with Chunghwa Telecom as well as maintenance of data integrity to elevate data quality
2. Data Protection: Construction of data protection process with the Company to protect data in transmission and in storage; stipulation of data asset access authorization in line with data classes, and assurance in purposes of privacy protection, confidentiality, and proper access
3. Data Access/Sharing: Assurance of proper access permission granted by Chunghwa Telecom at the right time to access of right data so as to ensure the availability, integrity, and confidentiality of data
4. Data Tools: Assurance that data governance tools used are monitored and updated, reviewed, and approved following the stipulated procedures
5. Data Maintenance: Assurance of proper maintenance of databases and data assets of various businesses and logs for data maintenance operation kept
6. Data Compliance: Assurance in compliance with laws and regulations at the Company and of governments to protect the data security and privacy of itself and customers