search
Search
繁中

Privacy Policy

Customer Privacy Protection

Category

Privacy Policy

“Customer Privacy Protection” is emphasized at Chunghwa Telecom in compliance with “Personal Data Protection Act” and “Regulations Governing Non-governmental Personal Data Security Protection Designated by the National Communications Commission.” Privacy Policy has been stipulated, along with rigorous privacy security management and protection measures. Also, a data governance system has been constructed. Data standards and classification are set. Data access management and data owner review mechanisms are exercised to ensure access and sharing of data as well as the availability, integrity, and confidentiality thereof are properly managed and protected. The scope of application encompasses all groups, branch offices, subsidiaries, and suppliers of the Company.


Internally, we have formulated “Data Governance Policy” and relevant regulations regarding data governance to demonstrate the Company’s determination in achieving “zero tolerance” for privacy incidents. The Policy is applied to all CHT business groups, branch offices, subsidiaries, and suppliers.


Prior to any business promotion, risk assessment will be conducted to examine and ensure data access in compliance with the regulatory requirements and to check if data protection mechanisms are in place to avoid risks in data processing. To take it further in terms of “customer privacy protection,” we proactively introduced ISO 27701 system to assure the effectiveness and legal compliance in the lifecycle of data.


Regarding the collection, processing, use, and protection of personal information and privacy involved in the operation, aside from compliance with government’s relevant laws and regulations, personal information is used within the defined scope of regulatory requirements and will not be disclosed to a third-party via exchange, lease or otherwise at will. Also, relevant actions are implemented in accordance with the “Privacy Protection Policy” stipulated by the Company so as to uphold the security of customer information and privacy.


➤ Check out our 《Privacy Policy》《Data Governance Policy》and 《Personal Data Collection Notice》

Customer Privacy Protection Management Mechanisms

Data Governance Operational Structure and Responsibilities

 

The data governance organs, structure, and responsibilities at Chunghwa Telecom:

Data Governance Committee (Level-1 Organization): President as the Convener and the final decision-making body for issues of data governance, responsible for the data governance development at Chunghwa Telecom
  • Data Development Department (Level-2 Organization): Stipulation and promotion of corporate data governance regulations and systems; tracking of implementation results
  • Data Governance Team (Level-3 Organization): Data governance implementer to ensure implementation of the data governance system in terms of data protection, data compliance, data quality, data access, data tools, and data maintenance throughout Chunghwa Telecom

    • Privacy Protection Risk Management

    Item Description
    Group-wide risk management
    • The risk management system in line with international personal data and privacy management standards and relevant laws and regulations has been established.
    • Prior to business promotion, CHT conducts privacy impact analysis and identifies internal/external threats and their impact levels and likelihood.
    • CHT formulates risk handling targets and measures, and fulfils the responsibility of supervising the outsourced suppliers.
    • CHT regularly convenes senior-level review meetings as vital references for privacy policy stipulation.
    Performance Evaluation & Disciplinary Actions
    • “Privacy Policy” upholds “zero tolerance” as the highest principle.
    • Incorporates cybersecurity and privacy protection performance in the employees’ appraisals, which come into force upon approval by the President. The results are reviewed regularly, while failures in target achievement demand improvement.
    • In the event of any conduct that leads to loss from negligence or improper inquiry, access, use or intentional leak of customers’ personal data will render disciplinary actions from demerit to termination of labor contract.
    Internal audit of privacy protection
    • Pursuant to the “Privacy Policy,” “Personal Data Protection Act,” and other pertaining laws and regulations, we conduct internal audits on a regular basis, ceaselessly improving the privacy protection operating procedures.
      • - Branches: self-audit conducted regularly each year
      - Headquarters: annual personal data audit organized once a year
      - Audit Department at Headquarters (directly under the Board of Directors): internal control audits organized each year
    External audit of privacy protection
    • “Privacy Policy” regularly obtained the third-party (SGS-Taiwan)conformity verification.
    • The ISO 27701 management system is introduced to establish a consistent system framework for cybersecurity and privacy protection management.
    • Our Information Security Management System (ISMS) and Personal Information Management System (PIMS) have obtained certifications for ISO 27001, ISO 27701, ISO 27017, ISO 27018, CSA STAR, BS 10012 etc. The scope covers our company's owned operations and 100% of IT infrastructures, including mobile communication networks, fixed-line networks, international long-distance networks, data networks, big data, ICT services, cloud services, customer service, enterprise business, research and development, education and training, and other major business.
    • We conduct external audits and certifications each year, so as to assure the validity and compliance of data lifecycle and offer consumers a better cybersecurity and privacy data protection.
    Enhance Supplier Security
    • Form standardized "cybersecurity complement provisions" and "Personal Data Protection complement provisions" to be included in contracts for procurement or supplier cooperation.
    • Cybersecurity and privacy protection management requirements and penalties are in place for suppliers to ensure that suppliers handle customer personal data in the manner authorized by us. They are not permitted to use our customers' personal information for their own purposes. We also conduct regular supervision and management to ensure compliance with our privacy policy, management requirements and legal regulations.
    • Supervision and Management Approach: Depending on the nature of the commissioned business and the degree of risk, we employs corresponding supervision methods. These methods include daily inspections, supplier self-assessments, regular/irregular meetings, information system security measures, automating third-party risk management tool, on-site audits, requiring suppliers to obtain third-party certification, etc., as necessary.
    • Inspect Items: In accordance with the “Privacy Policy” and management requirements of Chunghwa Telecom, as well as laws and regulations, items as follows are inspected:
      – establishing a mechanism of risk assessment and management of personal data
      – establishing a mechanism of preventing, giving notice of, and responding to a data breach
      – establishing an internal control procedure for the collection, processing, and use of personal data
      – managing data security and personnel
      – promoting awareness, education and training
      – managing facility security
      – establishing an audit mechanism of data security
      – keeping records, log files and relevant evidence
      – implementing integrated and persistent improvements on the security and maintenance of personal data
    • Supervision Results: Suppliers who fail to meet the requirements must make improvements within a given deadline, and the overall supervision results will be included in the management review.
    ➤ Check out our 《Statement of Privacy Policy Conformity》 

    Internal System and Results

    Procedures for Personal Data Incident Prevention, Report, and Response

    A sound mechanism of reporting, emergency response, and follow-up correction for breaches of customer privacy as well as the “Procedures for Personal Data Incident Prevention, Report, and Response” has been established at Chunghwa Telecom. With rigorous protection measures in force, we prevent any unauthorized access, disclosure, use, or tampering of personal data. Exercises are conducted on a regular basis to raise awareness and knowledge of our employees in reporting and response processes.


    Upon detection of potential privacy incident, it is required to complete reporting based on the reporting list of contact in the specified periods. Should a privacy incident be verified, emergency response procedures will be set in motion immediately in line with the existing incident handling procedures to complete the emergency handling in the specified timeframes as follows:

    1. Assess and respond in line with the scope and severity of impacts, where a major privacy incident is to be report to the Cyber Security Department and the CISO.
    2. The privacy data response team is established with emergency response mechanism in place for incident investigation and analysis to determine the root cause, define scope of damage, and preserve relevant evidence of an incent.
    3. Changes of public opinions and client grievance are monitored to learn about the personal data illegally collected, processed, used in the incident and prevent further damage.
    4. Individuals affected and the competent authorities are notified in line with the laws. Where the incident has led to damage to clients’ rights, we provide compensation or legal support to the individuals involved to assist and protect our clients’ rights to the best of our ability.
    5. Review and improvement are conducted in terms of the impacts, damages, and influences of an incident to prevent reoccurrence.
     

    Privacy Incidents

    There were 990 “alleged information breach cases” filed via the customer hotline of Chunghwa Telecom in 2023, of which 11 were notified by the National Communications Commission (NCC) and 979 submitted via the customer service hotline (accounting for 0.0028% of the customer hotline service provided of the year). All the cases were investigated and verified that there had not been any fact of privacy breach.



    Specific Data Management Mechanisms

    In alignment with the major areas of Data Management Knowledge (DMBOK) of Data Management Association (DAMA), Chunghwa Telecom constructed its data governance structure of three-level organization and respective responsibilities. Also, the data use system throughout the Company has been constructed in terms of data quality, data protection, data access/sharing, data tools, data compliance, and data maintenance, so that data can be regulated, authorized, tracked, and protected. As such, it warrants an effective data governance at the Company and the subordinate entities to achieve consistency, availability, security, and compliance in data asset management that meets international standards.

     
    1. Data Quality: Assurance of definition and monitoring of data with Chunghwa Telecom as well as maintenance of data integrity to elevate data quality
    2. Data Protection: Construction of data protection process with the Company to protect data in transmission and in storage; stipulation of data asset access authorization in line with data classes, and assurance in purposes of privacy protection, confidentiality, and proper access
    3. Data Access/Sharing: Assurance of proper access permission granted by Chunghwa Telecom at the right time to access of right data so as to ensure the availability, integrity, and confidentiality of data
    4. Data Tools: Assurance that data governance tools used are monitored and updated, reviewed, and approved following the stipulated procedures
    5. Data Maintenance: Assurance of proper maintenance of databases and data assets of various businesses and logs for data maintenance operation kept
    6. Data Compliance: Assurance in compliance with laws and regulations at the Company and of governments to protect the data security and privacy of itself and customers
    Sustainable Governance
    Sustainable Development Vision UN SDGs Sustainable Development Organization Stakeholder Engagement Materiality Survey
    Materiality Material ESG Performances
    Corporate Governance
    Board of Directors Executive Performance & Remuneration Ethical Management Tax Strategy Risk & Crisis Management
    Human Rights Management Internal Audit NYSE section 303A
    Excellence & Innovation
    Innovation Management
    Sustainable Supply Chain
    Telecom Industry Value Chain CHT Sustainable Supply Chain Initiatives Supplier Anti Corruption Supplier ESG Program Supplier Selection Mechanism
    Supplier Development Program
    Customer Care
    Customer Relationship Management Cybersecurity Privacy Protection Stable Network Services
    Happy Workplace
    Workforce Structure Diversity & Equality Anti-discrimination & Anti-harassment Performance Appraisal and Remuneration Benefits
    Training & Development Occupational Health & Safety
    Environmental Sustainability
    Environmental Sustainability Strategies and Goal Climate Strategy TCFD Energy Management Program GHG Emissions
    Resource Management Environmental Sustainability Actions Biodiversity
    Social Inclusion
    Corporate Citizenship / Philanthropy Strategies 5I SDGs Initiative 5G Plastic Free Day Digital Inclusion
    Interaction
    Latest News Surveys Contact Us Newsletter Subscription Chunghwa Telecom CSR Fan Page
    Sustainability (ESG) Report SASB Report TCFD Report TNFD Report

    BACK TO TOP