Information Security and Personal Information Protection Policy

Objective

This policy is formulated in order to ensure the confidentiality, integrity and availability of the information assets belonging to the TaiwanPlus International Audio-Visual Platform (hereinafter referred to as the "Platform") so as to comply with the requirements of relevant laws and regulations such as the "Information and Communication Security Management Act.” This policy also protect them from internal and external, no matter intentional or unintentional, threats, implement the protection and management of personal data and comply with the requirements of the "Personal Data Protection Law".

Scope of Practice

This policy applies to all colleagues of TaiwanPlus, contractors, data users (including custodians) and visitors.

The scope of information and communication safety management covers14 areas to avoid improper use, information leakage, tampering, destruction and other circumstances due to human negligence or act of God, which will cause various potential risks to the platform.

Target

In order to maintain the confidentiality, integrity, availability, legal compliance of the information assets of the Platform, and to ensure the personal privacy of all the users, the following objectives are expected to be achieved through the implementation of this Policy:

This policy is not only to establish a safe and reliable information operational environment to ensure the security of the computer database, systems, equipment and networks of the Platform but also to ensure the sustainable operation of the business of the Platform as well.

To ensure confidentiality, protect the security of business services provided by the Platform, ensure that the accessibility of the information system and related information are authorized abide by the regulations.

To ensure their integrity, protect the security of services provided by the platform and avoid unauthorized modifications.

Establish an everlasting business plan for the Platform to ensure a continuous operation of the Platform's information and communication business services.

To ensure that the implementation of the various business services of the Platform must comply with the requirements of relevant laws and regulations.

The process of collecting, processing, utilizing, storing, transmitting, and destroying personal information is protected by the requirements of the “Personal Information Protection Act” and the “Regulation of the Personal Information Protection Act.”

The personal information security is protected from the risks of theft, tampering, damage, loss, or leakage due to external threats or improper management and use by internal personnel.

Enhance the protection and management of personal information, reduce operational risks, and create a trustworthy umbrella for the safety of personal information and privacy .

Conduct regular risk assessments of personal information management process to verify the range of acceptable liability.

Responsibility

The platform shall establish an information and communication security organization to coordinate the promotion of security matters.

Management level shall participate various of activities actively and support the Information and Communications Security Management System abide by the regulation stipulated in the policy.

This policy shall be followed by all colleagues the Platform, contractors, users (including handlers) and visitors.

All colleagues of the Platform,contractors and users (including handlers) are responsible for notifying security incidents or weaknesses through appropriate notification mechanisms.

Any act endangering the safety of information security will be investigated respectively by civil, criminal and administrative laws according to facts and evidences.

Management Index

In order to achieve objectives stipulated in the Information Security Policy are same to the performance of information security management,it is necessary to formulate the “Information and Communication Completion Plan.”

The Protection of Personal Information

The platform has established a personal information protection organization to define the responsibilities and obligations of relevant personnel.

The Platform has established and implemented a Personal Information Management System (aka PIMS) to confirm the implementation of this Policy, and all employees and contractors shall follow the specifications and requirements of the Personal Information Management System (PIMS).

Personal information of the parties are protected by strict measures and policies of this Platform. The employees but not limited to the platform shall be well trained and educated about how to protect personal information and privacy. It is mandatory for contractors and partners of this Platform to sign terms of confidentiality to fully understand the importance of personal information protection and personal information related legal liabilities. If there is a breach of confidentiality obligations, not only will be subject to strict internal punishment but also will face civil and criminal claims for breaching the confidentiality terms.

The personal data obtained or collected by the Platform for the purpose of operation, including but not limited to the individual's name, date of birth, national identity card, unified number (passport number), characteristics, fingerprints, marriage, family, education, occupation and other personal information, shall comply with the Personal Information Protection Law of Republic of China (hereinafter referred to as the Individual Information Law) and other laws and regulations, and appropriately, fairly and lawfully engage in the collection and processing of personal information. Moreover, according to Article five of the Individual Information Law, the collection, processing or use of personal information shall respect the rights and interests of the parties, act in good faith. It is prohibited to use the personal information out of the scope.

The personal information collected and processed by the platform shall comply with the regulations of the Personal Information Law and the platform's management system. The use of personal information shall be required for the operation or business of the platform before it can be used by colleagues for the platform.

When it is necessary for international transfer of personal information obtained by the Platform, it shall be handled in accordance with Article 21 and relevant provisions of the Personal Information Law and shall not violate our national interests. It is prohibited to transfer personal information either through the third country or evade the provisions of the Personal Information Law. Furthermore, if there are special provisions in international treaties or agreements, or if the Personal Information Protection law of the target country is not completed reached our requirements, the Platform will not carry out international transfers to protect the security of personal information.

When the Platform receives a request for access to or change the personal information, the request shall be accomplished legally by following the procedure of the Personal Information Protection Law.

Reviewing

This policy should be reviewed at least once a year to comply with the latest government laws, technologies and businesses so as to keep this Platform updated. If there are any feedback matters related to the security of information and communications, such as security organizations, competent authorities (or required by laws and regulations),or experts and scholars, they should be included in the discussion topics of the management review meeting.

Implement

This Policy shall be implemented after approval by the “Information and Communications Security and Personal Information Protection Committee” and shall be the same as in its revision.