Personal Data Protection

Veolia Taiwan - Guidelines for Personal Data Protection Policy

September 2020

Veolia strongly believes that respect for privacy and the protection of personal data are a cause of great concern and a means to create trust.

In that perspective, Veolia has specially formulated this guideline in the Republic of China to comply with the requirements of the laws of the Republic of China (such as the "Personal Data Protection Law", etc.) and related Veolia Group policies (such as the "Personal Data Privacy Policy"), and to provide practical advice.

This guideline applies to all companies established in the Republic of China and controlled [1] by Veolia (hereinafter collectively referred to as "Veolia Taiwan") to provide some common standards for the protection of personal data. Each entity company controlled by Veolia Group in the Republic of China shall formulate the "Personal Data Protection Management Policy" in accordance with these guidelines:

 The general manager of each entity company is the contact person of Veolia Group in Taiwan for personal data issues, and he should assign a personal data protection manager (DPM) to assist him in monitoring the entity’s internal compliance with this guideline;

 Each entity company collects, processes, and uses personal data. It should assign a personal data protection administrator to be responsible for the protection, management and maintenance of personal data, and to assist the DPM and the Veolia contact with regard to personal data issues and in monitoring internal compliance with the guidelines and other policies;

 Employees who process personal data for or on behalf of Veolia Taiwan are responsible for complying with these guidelines in their daily work. 

[1] "Control" means the possession, directly or indirectly, of the power to direct or cause the direction of the management of such entities, whether through the ownership of voting securities, by contract or otherwise.



Veolia Taiwan Personal Data Protection Policy Guidelines 
Promulgated on 2020/09/03

 

1. Definition of main terms [2]

"Personal data" refers to a natural person's name, date of birth, ID Card number, passport number, features, fingerprints, marital status, family information, education background, occupation, medical records, healthcare data, genetic data, data concerning a person's sex life, records of physical examination, criminal records, contact information, financial conditions, data concerning a person's social activities and any other information that may be used to directly or indirectly identify a natural person.

"Special personal data" refers to personal data related to medical records, medical treatment, genetics, sex life, health checks and criminal history.

"Personal Data File": refers to a collection of personal data structured to facilitate data retrieval and management by automated or non-automated means.

"Collection": refers to the act of collecting personal data in any way;

"Processing": refers to the act of recording, inputting, storing, compiling/editing, correcting, duplicating, retrieving, deleting, outputting, connecting or internally transferring data for the purpose of establishing or using a personal data file;

"Use": refers to the act of using personal data via any methods other than processing;

"Cross-border transfer": refers to the cross-border processing or use of personal data;

"Data subject": refers to an individual whose personal data is collected, processed or used.

"Personal Data Law": refers to the Personal Data Protection Law of the Republic of China.

2. Collection 

 Personal data will be collected in a transparent manner 

The parties must be informed of how and why Veolia Taiwan collects, processes,  and uses their personal data so that they can understand and decide whether to provide personal data. 

[2] The definitions of related terms are in accordance with the relevant provisions of the Personal Data Protection Law of the Republic of China. For related illustrations, please refer to Annex 1. If the definition and scope of personal data are revised in response to changes in the competent authority or regulations, the revised definition and scope of the relevant regulations shall prevail.

 


Unless otherwise permitted by the laws of the Republic of China, Veolia Taiwan shall only collect personal data after obtaining the consent of the parties. 

If any personal data is collected from a third party instead of directly from the  Data subject, the Data subject should be informed of the source of the data before processing or use and Veolia Taiwan should be allowed to collect them. 

 The collection, processing or use of personal data shall respect the rights and interests of the Data subject, and shall be conducted in accordance with honesty and credibility, shall not exceed the scope necessary for the specific purpose,  and shall be reasonably related to the purpose of collection. 

It should be sufficient, relevant and not excessive for the purpose of processing of the personal data, and the personal data should only be collected within a  reasonable range of the specific purpose that the parties understand. 

3. Processing and Use 

 Personal data should be properly and legally processed and used

Veolia Taiwan shall ensure that personal data is processed and used appropriately without adversely affecting the rights of the Data subject.

The Data subject must be aware of the purpose, method and scope of Veolia  Taiwan’s proposed processing and use of the data, as well as the identity of any person to whom the data may be disclosed or transmitted. 

 Personal data can only be obtained for specific legal purposes, and may not be processed and used in ways that are inconsistent with the specific purpose.

Personal data can only be processed and used for the specific purpose notified to the Data subject when the relevant information was first collected or for any other purpose specifically permitted by law. 

If it is necessary to change the purpose of data processing and use, the Data subject must be informed of the new purpose in advance.

 The processing and use of personal data shall comply with the rights expressly  granted to the Data subject by the laws of the Republic of China 

The Data subject can exercise the following rights with respect to their personal data, and these rights cannot be waived in advance or restricted by special agreement:

 Inquiry or request for reading;
 Request to make a copy; 

 Request to supplement or correct personal information; 

 Request to stop collection, processing and use; 

 Request deletion. 

 Processing and use of special personal data

In principle, special personal data shall not be collected, processed or used. However, this does not apply in the following situations:

1. Where the law expressly so stipulates.
2. Where it is within the scope necessary for the company to perform statutory obligations and appropriate security measures are in place.
3. Where the personal information has been disclosed by the parties themselves or has otherwise been legally disclosed.
4. Where it is used with the written consent of the parties and within the scope of a specific purpose.

Veolia Taiwan should strengthen the protection of special personal information and ensure that it is not leaked or abused. If it is not required by the relevant business process, the use should be reduced as much as possible. 

 

In view of the above requirements, the following suggestions are recommended:

 Notification of the collection, processing and use of personal data of employees. Employees can be informed by means of the "Declaration on Collection, Processing and Use of Employees' Personal Data" (see Annex 2), and written signatures should be obtained from them:

1. For incumbent employees who have not yet been notified, it is recommended to send the notification by email and obtain the employee's consent by email confirmation; and

2. For new employees, the above statement should be included in the documents required for employment, and new employees should be asked to sign it so that it can be kept on record.

 Processing and use records. When Veolia Taiwan collects, processes, or uses personal data, it shall establish and keep records of the processing and use of personal data, recording the following contents: collection unit, collection purpose, collection type, preservation period, recipient or cross-border transfer (if any), etc.

 

4. Sharing and Cross-border transfer 

 Data Sharing
Data sharing and transmission to the third parties:

 Without the consent of the Data subject, the personal data shall not be transmitted to any third parties. 

 Accessing, sharing and disclosing records or personal data files containing personal data is limited to those who reasonably need to know such data for the purpose of realizing Veolia Taiwan’s legitimate business and management purposes or enabling Veolia Taiwan to comply with legal requirements. 

 Sharing and transmission of data to Veolia Group or Veolia Taiwan 

When a third party shares or transfers personal data to Veolia Group or Veolia Taiwan, the person in charge shall ensure that the mentioned third party has given a written undertaking that it has obtained the personal data in accordance with the law and that Veolia Group or Veolia Taiwan is allowed to process and use such personal data for the specific purposes.

 If you use the personal data for other purposes, you must obtain the additional consent of the Data subject and comply with the provisions of the Personal Data law. 

 Cross-border transfer

 When any personal data collected, processed and used within the territory of the Republic of China is provided to or otherwise shared with any institution, organization or individual outside the Republic of China, a Cross-border transfer occurs.

 If Veolia Taiwan needs to transfer personal data internationally, Veolia Taiwan should evaluate its risk, feasibility and necessity before the transfer, and take appropriate protective measures. The transfer is not allowed if one of the following situations occurs:

1. Significant national interests are involved;
2. There are special provisions in international treaties or agreements;
3. The receiving country has imperfect laws and regulations on the protection of personal data, which may damage the rights and interests of the Data subject;
4. Avoidance by transferring personal data to a third country (region) through a circuitous method.

 The evaluation of Cross-border transfer requires the confirmation and consent of DPM. 

 Each department must consult the legal and IT departments during evaluation. 

 

5. Save and Archive 

 Personal data must be correct and kept up to date

If an employee learns that Veolia Taiwan holds any incorrect, irrelevant or outdated personal data, he/she should notify the personal data protection administrator and provide necessary corrections and/or updates. Incorrect or outdated information will be destroyed.

The retention time of personal data shall not exceed the time required for the  purpose of collection and processing

Once the specific purpose agreed by the Data subject is achieved, the personal data shall be destroyed or deleted from the IT system of Veolia Taiwan, unless there is a proper reason to extend the retention period or be protected by law.

When unattended, paper files containing personal data should be stored in a locked or otherwise protected desk, filing cabinet, office or controlled area.  Personal data stored electronically on laptops or other portable devices will be protected through access control and stored in accordance with relevant internal policies. 

6. Security and Alert 

 Security measures 

Veolia Taiwan will do its best to prevent illegal or unauthorized processing and use of personal data to prevent its distortion or damage and unauthorized access by third parties. 

 Veolia Taiwan shall take appropriate measures to maintain the confidentiality, integrity, traceability and availability of the personal data collected:

● Confidentiality, for example, only authorized personnel can access personal data. 

● Integrity means that the personal data is completely filled out based on the disclosure of the Data subject. 

● Traceability refers to the ability to identify and track the operation records of any user's access, modification or destruction of personal data. 

● Availability means that authorized users can access personal data when needed for authorized purposes. 

 Safety rules mainly include: 

● Access control: when a stranger who does not have the appropriate authority or identity certificate is found accessing or spying without authorization, it should be reported immediately.

● Lockable desks and cabinets: desks and cabinets for storing personal data should be locked.

● Shredder or any system capable of destroying confidential files. 


Comply with IT system security policy: 

● In the case of electronic personal data, its access should be protected by appropriate security measures. 

● Personal data processors should ensure that their computers are locked when unattended. 

 Security incident response 

Veolia Taiwan must notify the DPM and IT department of any personal data security incident, record it and propose improvement measures.

Other suggestions

 Notice on websites and platforms in the Republic of China 

Please add the "Privacy Statement" and "Cookies Policy" to the website where  Veolia Taiwan collects information from third parties (customers, etc.) or the  login page on any platform. 

 Contracts involving personal data 

Please specify the proposed "Personal Data Protection Clause" in the contract  (see Annex 3).



 


Annex 1 

Veolia Taiwan 

Reference description of personal data judgment example 

The definitions of related terms in these Guidelines are in accordance with the relevant provisions of the Personal Data Law of the Republic of China. The types of personal data and their examples can be referred to the following table. If the relevant content or scope is revised in the future due to changes in the competent authority or regulations, the revised content shall prevail. 

• According to the Personal Data Law, "Personal Data" refers to a natural person's name, date of birth, ID Card number, passport number, features, fingerprints,  marital status, family information, education background, occupation, medical records, healthcare data, genetic data, data concerning a person's sex life, records of physical examination, criminal records, contact information, financial conditions,  data concerning a person's social activities and any other information that may be used to directly or indirectly identify a natural person. 

When judging whether the data is personal data, there are two key criteria: i) whether the data can "identify" the person or select the person from a group of people; or ii) whether a piece of data or a group of data can allow people to "contact" the Data subject, for example, website browsing history or location information. If a piece of data meets either of the above two criteria, it is considered personal data.

Note: Completely anonymous information is not personal data, as long as the data cannot identify or contact any party. However, if such anonymous information is likely to be restored to re-identify individuals, and such restoration does not require a lot of manpower, advanced technology or resources, then such information is still "Personal data".

Examples profile for personal data

Examples for "General personal data"

| Category | Example |
| --- | --- |
| Personal data identification | Name, date of birth, gender, nationality, ethnic group, address, telephone number, email, etc. |
| National IDs and identifier | ID card, passport, driver license, work permit, access card, health insurance card, residential card, etc. |
| Network identification data | System account number, IP address, email address and log in details, token, token protection answer, user digital certificate, etc. |
| Education and professional data | Employment details, job title, employer, education, qualification, degree, career, training record, transcript, etc. |
| Economic and financial information | Bank account number, authentication information (token), account balance (including amount of funds, record of payment and receipt, etc.), property information, credit history, credit information, transaction and consumption record, water bill, as well as virtual property information, e.g. virtual currency, in-app purchase, game CD key, etc. |
| Communication and correspondence | Correspondence and content, SMS, MMS, email, and data describing personal communication (usually called metadata), etc. |
| Contact information | Contact, friend list, group list, email list, etc. |
| Browsing history | Tracking usage data of user stored by logging, including website browsing history, history of use of software, clicking history, etc. |
| Device identifier | Data describing the basic information of personal device, e.g. serial number of a hardware, device MAC address, software list, Unique Device Identifier (IMEI/android ID/IDFA/OPENUDID/GUID, IMSI information in SIM card), etc. |
| Location data | Location data, history of hotels check-in, latitude and longitude, and data that is able to precisely pinpoint a Data Subject, etc. |

Examples for "Special personal data"

| Category | Example |
| --- | --- |
| Personal health, medical care data | Medical record in relation to illness and diagnostics and treatment, e.g., illness, hospitalization, prescription, test report, surgery and anesthesia record, nursing record, drug and food allergy information, diagnosis and treatment plan, family disease history, present illness, history of previous infectious disease, as well as information in relation to personal wellbeing and weight, height, lung, etc. |
| Personal biometric ID data | Genetic data, fingerprint, voice fingerprint, palm print, auricle shape, iris scan, facial features, etc. |
| Other data | Sexual orientation, sex life, criminal record, etc. PS: In areas outside of Taiwan, the following may be considered special personal data (or "sensitive personal data"): sexual orientation, sexual life, marriage history, religion, undisclosed criminal records. |

 

● “Special personal data” refers to personal data related to medical records,  medical treatment, genetics, sex life, health checks and criminal history.

 

Reminder: If the Data subject is a resident of the European Union, sensitive personal data may also include personal data related to the most private part of the person's life, or personal data that may cause discrimination against the person or pose a serious risk if abused or damaged. In particular, personal data is considered "Sensitive personal data" if it reveals personal aspects such as racial or ethnic origin, present and future health status, genetic information, biometric data, religious, philosophical and moral beliefs, political views, sexual preference or sex life, location or financial status. Personal data of minors who are below the age of 14 is generally considered Sensitive Personal Information under the EU General Data Protection Regulation (GDPR).

● "Cross-border Transfer" can be a one-off activity, such as copying Personal Information onto a thumb drive and sending it by courier to an international organization, or a continuing activity, such as granting remote access to an information system that is used and hosted in the Republic of China to a legal entity outside the Republic of China.

 


Annex 2 

Veolia Taiwan 

Declaration on Collection, Processing and Use of Employees' Personal Data 

This declaration informs the employees of Veolia Taiwan ("employees") how [Veolia Taiwan entity company name] (hereinafter referred to as "the Company") collects, discloses, stores, transmits, processes and uses employees' personal data.

1. Specific purpose: employees understand and agree that the Company, its parent company, subsidiaries and other affiliated companies within Veolia Group (whether located within or outside the Republic of China) (collectively referred to as "Veolia Group") have the right to collect, disclose, process, use or transmit personal data of employees within and outside the Republic of China for one or more of the following purposes:

(1). Hold and keep my personal data and employment records to fulfill any laws,  regulations and requirements related to document preservation or auditing requirements; 

(2). Implement and/or manage my employment benefits; 

(3). Facilitate contacting me or my designated emergency contact person in an emergency;

(4). Monitor places and property in the workplace (such as reception or public areas) through surveillance cameras;

(5). Supervise, monitor and/or manage my use of equipment, Internet, network, infrastructure (access control and security systems) or facilities that Veolia Taiwan may provide from time to time, including but not limited to IT (information technology) equipment and services and the company's email account;

(6). Manage entry-related matters and/or work permits or work permit matters; 

(7). Manage or terminate my employment relationship or working relationship  with Veolia Taiwan, including recruitment and training, employment benefits  and salary management, performance review, personal and professional  development, or disciplinary actions; 

(8). Investigate any suspected or actual fraud, misrepresentation, misconduct or negligence during the performance of my job duties, illegal acts or any unacceptable or prohibited acts stipulated in the employee manual or other internal policies of the company, any investigation conducted by any local or foreign government, or any illegal act;

(9). Conduct due diligence or other monitoring and screening activities (including  background checks) in accordance with legal or regulatory obligations or risk management that may be required by law or the company may have  implemented; 

(10). Respond to information requests made by public and government or regulatory agencies and judicial organs for auditing, legality, investigation and  inspection purposes; 

(11). Respond to legal procedures, seek legal rights and remedies, defend the  litigation and deal with any complaints or claims; 

(12). Screening and handling conflicts of interest; 

(13). Respond to requests for recommendation letters and background investigations submitted by any organization or institution (including my former  or prospective employers or their agents); 

(14). Keep personal data for the purpose of complying with applicable laws and  regulations; or 

(15). Other purposes related to any of the above, or other purposes necessary for the promotion of employment supervision or management. (Collectively  “Purpose”) 

2. During the employment relationship between the Company and its employees, the Company may from time to time collect, process and use the personal data of the author based on the employment relationship, including but not limited to the personal information fields in the Company's registration form for new recruits and applicants, such as employee name, household registration and mailing address, home and mobile phone, e-mail, photo, and any other personally identifiable information such as ID number, license number, gender, birth date, blood type, family status and member information, physical status, education, professional license, work experience and resignation history, financial institution information (including account number, bank name, bank address) and other financial information, specific personal data of my relatives and/or children, specific personal data of my emergency contact person, former supervisor information and other information, as well as physical examination or health examination records. To the extent permitted by law, the Company may also collect special personal data related to me, including personal health check information, or other medical records, treatment records, non-public criminal records, etc. submitted only for sick leave applications, and/or my updates to the personal data provided to the Company (collectively referred to as "personal data").

3. The Company will protect employees' personal data from any unauthorized access, modification, dissemination, disclosure or deletion. The employee further acknowledges and agrees that the employee's personal data may be transmitted or disclosed to the following parties (located within or outside the Republic of China) for any of the foregoing purposes: the affiliated companies or member companies of Veolia Group, government agencies, judicial agencies, and/or industry associations, or third-party vendors appointed as consultants or service providers, including but not limited to third-party providers that manage payroll and IT services, insurance brokers, insurance companies, bankers, and medical practitioners who provide medical services to employees, any actual or potential purchasers of all or part of the company's business, or purchasers or subscribers of the company's shares and their advisors during any merger, acquisition or public offering.

4. From time to time, the Company may provide employees with specific company computers, company email accounts, mobile devices, telephones, printers, faxes, or any equipment that can be viewed or connected to the Company's systems ("Company property") for employees to perform their duties while working for the Company. Employees agree to abide by the relevant IT and system usage policies announced by the Company, and employees recognize that the Company's property should be used for work-related purposes. The employee further acknowledges that any material or information appearing or generated on the Company's property is presumed to be for work-related purposes or the work product of the Company or its customers. Employees agree that the Company has the right to monitor employees' use of Company property, and to access, copy, and use employees' company email accounts and all file data, online accounts provided by the Company, and communication logs stored in Company property (including chat records of employees in third-party communication software on the Company's computers and mobile devices). The purpose is to provide IT support to employees, keep specific files, conduct investigations required by relevant laws, regulations, and government orders, conduct necessary internal investigations or audits of the Company, and evaluate the work performance of employees based on the Company's property files and data. Employees recognize the Company's monitoring of Company property and any materials or data in the Company's IT system. The employees agree that such monitoring will continue from the time the employees enter the Company.

5. The Company may ask employees to provide specific personal data of other people (such as employees' close relatives or family members) from time to time for purposes including but not limited to managing the employment relationship between employees and the Company, contacting these people in an emergency, declaring conflicts of interest, submitting tax returns and forms, and handling any company group insurance plans, etc. Employees have the responsibility to obtain the necessary consent of the persons whose personal data is provided to the Company and confirm that, when disclosing the personal data of these persons to the Company, the employees have informed them of the fact that the Company collects, processes and uses their personal data and have obtained their individual consent.

6. Employees understand the importance of keeping their personal information  up-to-date in the company's records, and they should promptly notify the human resources department after their relevant personal information is updated. 

7. If any employee intends to exercise any of the following personal rights, he or she  should submit a written application to the human resources department of the Company by providing proof of identity: 

a. Inquiry or request to read, request to make a copy; request to supplement or correct, request to stop collection, processing, use, request to delete.

b. The right to request to update or correct his personal data; or

c. Any other legal rights granted by the laws of the Republic of China. 

The employee acknowledges that, within the scope permitted by the laws of the Republic of China, if the Company cannot accept the employee's above request or it is not practical to comply with the above request, the Company has the right to refuse, or partly refuse, the employee's request and to provide the employee with a reason for rejection within a reasonable time.

8. All employment records are kept by the [Human Resources] Department of the company. You can contact the [Human Resources] Department of the Company  through any of the following methods: 

phone: 

address: 

Recipient: 

e-mail: 

9. The employee acknowledges that the Company has the right to modify this statement and to communicate the modification orally, in writing, or by telephone, message, e-mail, fax, file or other means (any one of the above methods is sufficient) adequate to make the employee aware of it, and to provide or forward the revised summary to the employee in the above manner.

10. The employees understand that if the employee refuses or fails to provide personal data and/or special personal data in accordance with the Company's reasonable requirements, the Company may not be able to collect, use or process personal data and/or special personal data as described above, and may be unable to carry out related personnel management work for the employee, including but not limited to employee management, payment of salaries and bonuses, provision of insurance and other benefits.

11. The employee understands that if the personal information provided is insufficient, incorrect, or not updated in time, or not provided, or requested to  delete or stop processing after it is provided, the Company will not be able to carry  out related personnel management work for employees, including but not limited  to staff management, payment of salaries and bonuses, provision of insurance and  other rights or benefits. 

(Continued signature page)

 

(Signature page) 

I hereby acknowledge that I have read and understood the above notice and related  declaration in detail, and agree that the Company can collect, disclose, process and use my personal data in accordance with this Declaration. 

Author's signature 

Date:


Annex 3 

Veolia Taiwan 

Personal data protection clause 


1.1. Both parties undertake to collect, use and process all personal data (if any)  obtained from the performance of the contract/agreement ("Personal Data") in compliance with the "Personal Data Protection Law" and other relevant regulations of the Republic of China. 

1.2. Either party can only use "Personal Data" for the purpose of performing the contract/agreement, and shall not exceed the necessary scope stipulated in the contract/agreement or use, transmit, share or otherwise use and process for purposes other than the performance of the contract/agreement. If a party intends to process or use personal data beyond the scope of the purpose of performing the contract/agreement or use the personal data for other purposes,  it shall obtain the written consent of the party concerned and shall be responsible for its use or processing of personal data. 

1.3. After the contract/agreement is canceled or terminated, unless otherwise obtained by the parties’ written consent or legal permission, one of the parties that obtains personal data as a result of the performance of the contract/agreement shall immediately stop using or processing or delete or anonymize the personal data at the request of the other party. 

1.4. When the parties transmit or share personal data or other information in accordance with the contract/agreement, they shall ensure the legality of such data to one party, including but not limited to obtaining the consent of the Data subject and the authorization of an authorized third party, etc.

1.5. For the personal data collected, used or processed for the purpose of fulfilling this contract/agreement, when the Data subject requests personal rights from any party in accordance with the law, or when it is necessary to resolve a dispute between the parties, or when any party faces investigations or orders from the competent authority, law enforcement agencies or courts, the other party shall provide reasonable cooperation.

1.6. Both parties shall ensure that their employees, subcontractors or other third parties entrusted for the purpose of performing the contract/agreement process and use personal data in accordance with the requirements of this Clause.