Privacy Policy

“Customer Privacy Protection” is emphasized at Chunghwa Telecom in compliance with the “Personal Data Protection Act” and the “Regulations Governing Non-governmental Personal Data Security Protection Designated by the National Communications Commission.” A Privacy Policy has been stipulated, along with rigorous privacy security management and protection measures. The scope of application encompasses all groups, branch offices, subsidiaries, and suppliers of the Company.


Internally, we have formulated “Data Governance Policy” and data governance management regulations across six dimensions. Data definition consistency, data quality, and employee data literacy are enhanced by streamlining operational standards and processes. Hence, we ensure that data protection, data compliance, data quality, data operations and maintenance, data tools, and data access and sharing all meet the corporate and regulatory requirements.


Prior to any business promotion, a risk assessment is conducted to ensure that data access complies with the regulatory requirements and to check that data protection mechanisms are in place to avoid risks in data processing. To take “customer privacy protection” further, we proactively introduced the ISO 27701 system to assure effectiveness and legal compliance in the lifecycle of data.


Regarding the collection, processing, use, and protection of personal information and privacy involved in the operation, aside from compliance with the government’s relevant laws and regulations, personal information is used within the defined scope of regulatory requirements and will not be disclosed to a third party via exchange, lease or otherwise at will. Also, relevant actions are implemented in accordance with the “Privacy Protection Policy” stipulated by the Company so as to uphold the security of customer information and privacy.


Customer Privacy Protection Management Mechanisms

Data Governance Operational Structure and Responsibilities

Item Description
Data Governance Committee
  • With the President as the Convener, and the SEVPs of departments of the Headquarters and the Presidents of Business Groups (Laboratories) as the Members, the Committee is the final decision-making body for issues pertaining to data governance and is responsible for the data governance development at Chunghwa Telecom.
  • Main responsibilities include serving as the final decision-making body for data governance issues, establishing data governance policies aligned with business strategies, overseeing the data governance development at the Company, and approving annual objectives.
  • CHT formulates risk handling targets and measures, and fulfils the responsibility of supervising the outsourced suppliers.
  • The Data Governance Committee convenes quarterly.
Data Governance Executive Committee
  • With managers at or above the Assistant Vice President level at the Headquarters, and managers at or above the Vice President level at the Business Groups, acting as the Convener, the Executive Committee is entrusted with tasks from the Data Governance Committee and is responsible for the upkeep, ongoing promotion, and implementation of the data governance framework within their purview.
  • Main responsibilities include managing and executing data governance frameworks within the designated scope, and undertaking tasks assigned by the Data Governance Committee.
  • Review, oversee, and track all data governance activities.
  • The Data Governance Executive Committee convenes monthly.
 

The data governance organs, structure, and responsibilities at Chunghwa Telecom:

Data Governance Committee (Level-1 Organization): President as the Convener and the final decision-making body for issues of data governance, responsible for the data governance development at Chunghwa Telecom
  • Data Development Department (Level-2 Organization): Stipulation and promotion of corporate data governance regulations and systems; tracking of implementation results
  • Data Governance Team (Level-3 Organization): Data governance implementer to ensure implementation of the data governance system in terms of data protection, data compliance, data quality, data access, data tools, and data maintenance throughout Chunghwa Telecom

Privacy Protection Risk Management

    Item Description
    Group-wide risk management
    • The risk management system in line with international personal data and privacy management standards and relevant laws and regulations has been established.
    • Prior to business promotion, CHT conducts privacy impact analysis and identifies internal/external threats and their impact levels and likelihood.
    • CHT formulates risk handling targets and measures, and fulfils the responsibility of supervising the outsourced suppliers.
    • CHT regularly convenes senior-level review meetings as vital references for privacy policy stipulation.
    Information security and privacy protection awareness training
    • Training courses tailored to the respective roles and work areas of new employees, staff, outsourced personnel (contractors), IT personnel, cybersecurity experts, and dedicated personnel for personal data privacy protection are designed to enhance awareness and skills in cybersecurity and personal data privacy protection.
    • 188 sessions of cybersecurity and privacy protection education or training, with 229,312 hours in total, were organized and accessed by 47,925 participants in 2024.
    Performance Evaluation & Disciplinary Actions
    • “Privacy Policy” upholds “zero tolerance” as the highest principle.
    • Cybersecurity and privacy protection performance is incorporated in the employees’ appraisals, which come into force upon approval by the President. The results are reviewed regularly, while failures in target achievement demand improvement.
    • Any conduct that leads to loss from negligence, or improper inquiry, access, use or intentional leak of customers’ personal data, will result in disciplinary actions ranging from demerit to termination of the labor contract.
    Internal audit of privacy protection
    • Pursuant to the “Privacy Policy,” “Personal Data Protection Act,” and other pertaining laws and regulations, we conduct internal audits on a regular basis, ceaselessly improving the privacy protection operating procedures.
      - Branches: self-audit conducted regularly each year
      - Headquarters: annual personal data audit organized once a year
      - Audit Department at Headquarters (directly under the Board of Directors): internal control audits organized each year
    External audit of privacy protection
    • The “Privacy Policy” has regularly obtained third-party (SGS-Taiwan) conformity verification.
    • The ISO 27701 management system is introduced to establish a consistent system framework for cybersecurity and privacy protection management.
    • Our Information Security Management System (ISMS) and Personal Information Management System (PIMS) have obtained certifications for ISO 27001, ISO 27701, ISO 27017, ISO 27018, CSA STAR, BS 10012, etc. The scope covers our company's owned operations and 100% of IT infrastructures, including mobile communication networks, fixed-line networks, international long-distance networks, data networks, big data, ICT services, cloud services, customer service, enterprise business, research and development, education and training, and other major business.
    • We conduct external audits and certifications each year, so as to assure the validity and compliance of the data lifecycle and offer consumers better cybersecurity and privacy data protection.
    Enhance Supplier Security
    • Form standardized "cybersecurity complement provisions" and "Personal Data Protection complement provisions" to be included in contracts for procurement or supplier cooperation.
    • Cybersecurity and privacy protection management requirements and penalties are in place for suppliers to ensure that suppliers handle customer personal data in the manner authorized by us. They are not permitted to use our customers' personal information for their own purposes. We also conduct regular supervision and management to ensure compliance with our privacy policy, management requirements and legal regulations.
    • Supervision and Management Approach: Depending on the nature of the commissioned business and the degree of risk, we employ corresponding supervision methods. These methods include daily inspections, supplier self-assessments, regular/irregular meetings, information system security measures, automated third-party risk management tools, on-site audits, requiring suppliers to obtain third-party certification, etc., as necessary.
    • Inspection Items: In accordance with the “Privacy Policy” and management requirements of Chunghwa Telecom, as well as laws and regulations, the following items are inspected:
      – establishing a mechanism of risk assessment and management of personal data
      – establishing a mechanism of preventing, giving notice of, and responding to a data breach
      – establishing an internal control procedure for the collection, processing, and use of personal data
      – managing data security and personnel
      – promoting awareness, education and training
      – managing facility security
      – establishing an audit mechanism of data security
      – keeping records, log files and relevant evidence
      – implementing integrated and persistent improvements on the security and maintenance of personal data
    • Supervision Results: Suppliers who fail to meet the requirements must make improvements within a given deadline, and the overall supervision results will be included in the management review.

    Internal System and Results

    Procedures for Personal Data Incident Prevention, Report, and Response

    A sound mechanism of reporting, emergency response, and follow-up correction for breaches of customer privacy as well as the “Procedures for Personal Data Incident Prevention, Report, and Response” has been established at Chunghwa Telecom. With rigorous protection measures in force, we prevent any unauthorized access, disclosure, use, or tampering of personal data. Exercises are conducted on a regular basis to raise awareness and knowledge of our employees in reporting and response processes.


    Upon detection of a potential privacy incident, reporting must be completed according to the reporting contact list within the specified periods. Should a privacy incident be verified, emergency response procedures will be set in motion immediately in line with the existing incident handling procedures to complete the emergency handling in the specified timeframes as follows:

    1. Assess and respond in line with the scope and severity of impacts, where a major privacy incident is to be reported to the Cyber Security Department and the CISO.
    2. The privacy data response team is established with an emergency response mechanism in place for incident investigation and analysis to determine the root cause, define the scope of damage, and preserve relevant evidence of an incident.
    3. Changes in public opinion and client grievances are monitored to learn about the personal data illegally collected, processed, or used in the incident and to prevent further damage.
    4. Individuals affected and the competent authorities are notified in line with the laws. Where the incident has led to damage to clients’ rights, we provide compensation or legal support to the individuals involved to assist and protect our clients’ rights to the best of our ability.
    5. Review and improvement are conducted in terms of the impacts, damages, and influences of an incident to prevent reoccurrence.
     

    Privacy Incidents

    There were 0 “alleged information breach cases” filed via the customer hotline of Chunghwa Telecom in 2024.



    Specific Data Management Mechanisms

    In alignment with the major areas of the Data Management Body of Knowledge (DMBOK) of the Data Management Association (DAMA), Chunghwa Telecom constructed its data governance structure of data strategy and hybrid organization and respective responsibilities. Also, the data use system throughout the Company has been established in terms of data quality, data protection, data access/sharing, data tools, data compliance, and data maintenance, so that data can be regulated, authorized, tracked, and protected. As such, it warrants effective data governance at the Company and the subordinate institutions to achieve consistency, availability, security, and compliance in data asset management that meets international standards.

     
    1. Data Quality: Assurance of definition and monitoring of data within Chunghwa Telecom as well as maintenance of data integrity to elevate data quality
    2. Data Protection: Construction of a data protection process within the Company to protect data in transmission and in storage; stipulation of data asset access authorization in line with data classes, and assurance of the purposes of privacy protection, confidentiality, and proper access
    3. Data Access/Sharing: Ensuring the availability, integrity, transparency, and compliance of data, enabling effective sharing and reuse of data while reducing the risks of unauthorized access, addition, modification, and deletion of data
    4. Data Tools: Assurance that data governance tools used are monitored and updated, reviewed, and approved following the stipulated procedures
    5. Data Maintenance: Assurance of proper maintenance of databases and data assets of various businesses, with logs of data maintenance operations kept
    6. Data Compliance: Assurance of compliance with the regulations of the Company and the laws and regulations of governments to protect the data security and privacy of the Company and its customers
