Title: Operation Directions Governing the Interconnection of MyData Ch
Date: 2023.01.30
Legislative: 1. Promulgated by EXECUTIVE YUAN Order No.1101500560B on 15th, April 2021.
2. Amended and promulgated by EXECUTIVE YUAN Order No. 11230000781 on 30th, January 2023.
Content:
  1. These Implementation Directions are established for facilitating operation of the Autonomous Use of Personally Related Data (MyData) platform, creating personalized services for users, allowing the immediate and single-time download and use of personally related data upon the data subject’s consent, and protecting information security and personal privacy.
  2. The Autonomous Use of Personally Related Data (MyData) platform is developed, operated and managed by the Ministry of Digital Affairs (moda).
  3. Terms used in these Implementation Directions are defined as follows:
    1. The “Autonomous Use of Personally Related Data (MyData) platform” (hereinafter, the “platform”) means the platform developed by the moda that, upon identity verification of and consent by a natural or legal person (hereinafter, a “data subject”), provides the immediate and single-time download, interconnection, and use of the data subject’s personally related data.
    2. A “data provider” means an organization specified under Article 4 that stores or retains a data subject’s personally related data, interconnects to the platform, and makes the immediate and single-time transfer of personally related data, upon the data subject’s identity verification and consent processed either on the platform or via a recognized third-party identity verification agency.
    3. A “service provider” means an organization specified under Article 4 that provides value-added services to a data subject, interconnects to the platform, and gains the immediate and single-time access to personally related data for use in a service to the data subject, upon the data subject’s identity verification and consent processed either on the platform or via a recognized third-party identity verification agency.
  4. The following organizations may apply to the moda for approval as a data provider or a service provider.
    1. The Executive Yuan, and its level 2 and level 3 subordinate authorities (agencies).
    2. Yuans other than the Executive Yuan, and their subordinate authorities (agencies).
    3. Municipality and county (city) governments, and their level 1 subordinate authorities (agencies).
    4. Colleges and universities that have obtained approval from the Ministry of Education.
    5. State-owned enterprises that have obtained approval from their respective competent authorities.
    6. Financial institutions and peripheral entities under the jurisdiction of the Financial Supervisory Commission (FSC) that have obtained approval from the FSC.
  5. Organization applicants for interconnection to the platform in accordance with the preceding article shall, as a general rule, apply on a service-specific basis for approval for the testing & trial, official operation, change, or termination of the interconnection, which application shall be processed in the following manner:
    1. Testing & trial, official operation of the interconnection:
      1. Authorities (agencies) specified in Subparagraphs 1 to 3 of the preceding article shall fill out and submit the application form to the moda.
      2. Colleges and universities specified under Subparagraph 4 of the preceding article shall fill out and submit the application form to the Ministry of Education for approval. Upon approval by the Ministry of Education, the application shall be forwarded to the moda. If the Ministry of Education does not approve, it shall notify the applicant accordingly.
      3. State-owned enterprises specified under Subparagraph 5 of the preceding article shall fill out and submit the application form to their respective competent authority. Upon approval by the competent authority in question, the application shall be forwarded to the moda. If the competent authority does not approve, it shall notify the applicant accordingly.
      4. Financial institutions and peripheral entities specified under Subparagraph 6 of the preceding article shall fill out and submit the application form to the FSC. Upon approval by the FSC, the application shall be forwarded to the moda. If the FSC does not approve, it shall notify the applicant accordingly.
      5. Where a service provider applies for interconnection in accordance with Subparagraphs 1 to 3 of the preceding article, the moda shall review the applicant’s service objectives and contents, terms of service provided to data subjects, and the data transferred via interconnection. For interconnection approved upon review, matters of information security and personal data protection shall be processed in accordance with the Cyber Security Management Act, the Personal Data Protection Act, and other applicable laws and regulations.
      6. Where a service provider applies for interconnection in accordance with Subparagraphs 4 to 6, the Ministry of Education, the competent authority of the state-owned enterprise in question, or the FSC shall review the applicant’s service objectives and contents, terms of service provided to the parties, and the data transferred via interconnection. For interconnection approved upon review, the approving authority or a third-party agency recognized thereby shall audit the interconnection’s compliance with the laws and regulations on information security and personal data protection, and follow up on improvements required by such audits.
    2. To change or terminate the interconnection, the applicant shall fill out the application form and file for approval in accordance with the provisions of the preceding subparagraph, seven working days in advance before the prospective change or termination.
    3. Where an applicant has terminated the interconnection, it may file for restoration of the interconnection in accordance with procedures described in Subparagraph 1.
    4. The forms to be used for application specified under the preceding three subparagraphs shall be otherwise announced by the moda on the platform.

     The moda shall notify the applicant of the results of the application filed under the preceding paragraph by telephone or email, unless the Ministry of Education, the competent authority of the state-owned enterprise in question, or the FSC rejects the application.
  6. Organizations interconnected to the platform shall comply with the following provisions:
    1. The data provider shall:
      1. Adopt a level of data subject identity certification that is appropriate to the needs of secure use of the data subject’s personally related data.
      2. Provide accurate personally related data of the data subject.
    2. The service provider shall:
      1. Follow the principle of minimization in collecting the data subject’s personally related data, and use the data in accordance with the purpose of collection.
      2. Prior to seeking consent from the data subject to download the personally related data, provide the data subject with the terms of service, so as to ensure that the data subject is informed.
      3. Ownership of the data subject’s personally related data obtained via interconnection to the platform shall remain with the data subject.
    3. In the event of a temporary suspension of the interconnection to the platform, a seven working days’ advance notice thereon shall be announced on the service platform of the organization, and provided to the platform by email or by post, except in case of an emergency.
  7. Information security controls and audits:
    1. The data provider and the service provider shall document transfers of data subjects’ data, retain such records for at least two years, and cooperate with audits conducted by the moda, the Ministry of Education, the competent authority of the state-owned enterprise in question, or the FSC. The records shall cover at least the title of the data transferred, time of transfer, recipient, identity of the data subject, and whether the data transfer was successful. Where the data provider or service provider has rules establishing a longer retention period, such rules shall prevail.
    2. The service provider shall conduct annual internal audits on its procedures for the collection, processing, and use of the data subject’s data, and produce audit records. The service provider shall retain such records for at least two years, and cooperate with audits conducted by the moda, the Ministry of Education, the competent authority of the state-owned enterprise in question, or the FSC. Where the data provider has rules establishing a longer retention period, such rules shall prevail.
    3. Where the data provider experiences an incident of personally related data inaccuracy, or an information security breach, it shall be solely responsible for handling the incident in accordance with the applicable laws and regulations. The moda may terminate the interconnection under such circumstances.
    4. Where the service provider experiences a violation involving the illegal use of personally related data or an information security breach, it shall be solely responsible for handling the violation or incident in accordance with the applicable laws and regulations. The moda may terminate the interconnection under such circumstances.
  8. Matters of information security and personal data protection associated with the interconnection to the platform by the data provider or the service provider shall be processed in accordance with the Cyber Security Management Act, the Personal Data Protection Act, and other applicable laws and regulations. Colleges and universities shall also comply with the applicable regulations and directions of the Ministry of Education. State-owned enterprises shall also comply with the applicable regulations and directions of their respective competent authorities. Financial institutions and peripheral entities under the jurisdiction of the FSC shall also comply with the applicable regulations and directions of the FSC.
  9. If an entity violates the provisions of these Implementation Directions, the moda may terminate the interconnection in question. The violator shall also be liable in accordance with applicable laws and regulations.
  10. The platform may adjust, temporarily suspend, or terminate its services based on considerations of the law, technology, market development, or government policy. Prior to any prospective adjustment, temporary suspension, or termination of service, an announcement thereon shall be made on the platform seven working days in advance, except in case of an emergency.