Regulations for handling personal information related to insurance solicitation business
Regulations for handling personal information related to insurance solicitation business
Affinity Digital Insurance Services LLC
Chapter 1 General Provisions
Article 1 (Purpose)
The purpose of these regulations is to protect the rights and interests of individuals by stipulating basic matters regarding ensuring the lawful and appropriate handling of personal information related to the insurance agency business at the agency.
Article 2 (Definitions)
The definitions of each term in these regulations are the "Act on the Protection of Personal Information" (hereinafter referred to as the "Personal Information Protection Law"). and the guidelines on the protection of personal information of relevant ministries and agencies.
Article 3 (Application)
These rules apply to employees of the agency (regardless of whether they are engaged in insurance solicitation or not). Apply to.
Article 4 (Basic Policy on the Safe Management of Personal Information)
1. In order to ensure the lawful and appropriate handling of personal information at our agency, we have established a basic policy on the safety management of personal information, including the following matters.
(1) Name of our agency
(2) Contact point for questions and complaints regarding safety management measures
(3) Declaration on the Security Management of Personal Data
(4) Declaration of Continuous Improvement of Basic Policy
(5) Declaration of Compliance with Relevant Laws and Regulations
(6) Purpose of use of personal information
2. The basic policy regarding the safe management of personal information shall be disseminated to the employees of the Agency and announced by posting on the Agency's website and posting at the office.
Chapter 2 Management System
Article 5 (Personal Data Manager)
1. The agency shall make the Country Manager the general person responsible for the execution of business related to the safe management of personal information (personal data management manager).
2. The person responsible for the management of personal data shall have jurisdiction over the following operations.
(1) Approval and dissemination of regulations on the safe management of personal data and criteria for selecting contractors
(2) Appointment of a personal data controller and a controller of "information on identity verification"
(3) Collection of reports from the personal data controller and advice and guidance
(4) Planning of education and training on the safe management of personal data
(5) Other matters related to the safety management of personal data at our agency
Article 6 (Personal Data Controller)
The Personal Data Controller shall have jurisdiction over the following operations:
(1) Management of Designation and Change of Personal Data Handlers
(2) Approval of requests for use of personal data and management of records, etc.
(3) Designation and change of installation location of storage media that handle personal data
(4) Management of setting and changing personal data management categories and permissions
(5) Understanding the status of handling of personal data
(6) Supervision of the status of handling of personal data by contractors
(7) Implementation of education and training on the security management of personal data
(8) Reporting to the person responsible for personal data management
(9) Other matters related to the safe management of personal data in the department in charge
Article 7 (Implementation of Inspections and Audits)
1. The Personal Data Manager shall formulate an inspection or audit implementation plan for the status of compliance with laws and regulations and various regulations concerning the handling of personal data in accordance with the separately stipulated regulations concerning the inspection and audit of the handling status of personal data, and have each department handling personal data conduct inspections or audits on a regular basis.
2. The person responsible for the implementation of the inspection shall be the personal data manager of the department concerned, and the results of the inspection shall be reported to the person in charge of personal data management.
3. The person responsible for conducting the audit shall be a personal information manager other than the department handling the audit, and report the inspection results to the personal data manager.
Article 8 (Review of the System)
Based on the results of the inspection or audit described in the preceding Article, the Personal Data Manager shall review the organizational structure regarding the handling of personal data as necessary.
Article 9 (Confidentiality)
Personal information or personal data obtained through the consignment of insurance services of insurance companies shall not be disclosed to third parties during the continuation of the consignment contract or after the consignment agreement, except as required by laws and regulations or administrative authorities. In addition, if you are required to disclose personal data by law or administrative authorities, you must follow the instructions of the insurance company.
Article 10 (Return of Personal Information at the End of Consignment Agreement, etc.)
1. In the event that the consignment contract with an insurance company is terminated due to the expiration or cancellation of the contract period, the consignment contract must comply with the instructions of the insurance company regarding the handling of personal information or personal data obtained through the entrustment of the insurance company's insurance business.
2. When the insurance company confirms the fulfillment of the obligations set forth in the preceding paragraph, and when the personal information obtained by the insurance company is entrusted with the insurance business of the insurance company, it must cooperate with the insurance company in having another agent newly designated handle the personal data.
Chapter 3 Application
Article 11 (Management Principles)
Personal information and personal data shall be managed appropriately in accordance with these Regulations, and shall be acquired, used, transferred, stored, and disposed of according to their importance.
Article 12 (Purpose of Use)
1. The agency will specify the purpose of use of personal information as much as possible.
2. Personal information shall not be handled beyond the scope necessary to achieve the specified purpose of use without the prior consent of the individual.
3. When changing the purpose of use, it must not be done beyond the scope that is recognized to have considerable relevance to the purpose of use before the change, and the changed purpose of use shall be notified or announced to the person without delay.
Article 13 (Prohibition of Use for Other Purposes)
Personal information or personal data related to the consignment work shall be handled within the scope of the purpose of use notified, announced, or specified by the insurance company to the individual, and personal information or personal data may not be used, processed, or duplicated for any purpose other than the performance of the consignment business. However, apart from the purpose of use notified, announced, or specified by the insurance company, personal information or personal data may be handled within the scope that the Agent has notified, announced, or clearly indicated the purpose of use to the individual.
Article 14 (Proper Acquisition)
Personal information must not be acquired, directly or indirectly, by deception or other wrongful means.
Article 15 (Notification, Announcement and Indication of the Purpose of Use)
1. When acquiring personal information, the Agency shall notify the person of the purpose of use unless the purpose of use of the Agency has been announced in advance.
2. When acquiring personal information of the person directly from the person in writing, the agency will clearly indicate the purpose of use to the person in advance. However, this does not apply when it is urgently necessary for the protection of human life, body or property.
Article 16 (Sensitive Information)
Sensitive information refers to special care-required personal information stipulated in Article 2, Paragraph 3 of the Personal Information Protection Act, as well as information on permanent domicile, health and medical care (Article 53-10 of the Enforcement Regulations of the Insurance Business Act and Article 5 of the Guidelines for the Protection of Personal Information in the Financial Field), and shall not be acquired, used, or provided to third parties except to the extent necessary for the performance of insurance agency business.
Article 17 (Specific Personal Information)
In the performance of insurance agency business, the agency will not collect, store, use, or provide to third parties specific personal information as stipulated in the "Act on the Use of Numbers to Identify a Specific Individual in Administrative Procedures."
Article 18 (Ensuring the Accuracy of Personal Information)
The agency shall keep personal data accurate and up-to-date to the extent necessary to achieve the purpose of use.
Article 19 (Personal Data Management Ledger)
In order to develop a means to confirm the status of handling of personal data, the Personal Data Manager shall prepare a ledger, etc. containing the following matters and review it as appropriate.
(1) Acquisition of projects
(2) Purpose of use
(3) Storage location, storage method, storage period
(4) Manage deployment
(5) Access Control Status
Article 20 (Security Control Measures)
1. The agency shall take organizational, human, and technically necessary and appropriate measures (hereinafter referred to as "security management measures") to prevent leakage, loss, or damage of personal data handled and to otherwise safely manage personal data. Shall be taken.
2. As an organizational security control measure, we will establish handling regulations related to the safe management of personal data. Handling regulations shall be stipulated for each management stage of personal data: "acquisition and input," "use and processing," "storage and preservation," "transfer and transmission," "deletion and disposal," and "response to leakage cases, etc."
Article 21 (Response to Leakage)
1. In the event that an employee discovers an accident or a case that may leak personal information or personal data, the employee must immediately report to the personal data manager to that effect and receive instructions from the personal data manager.
2. The Personal Data Controller shall immediately report to the Personal Data Manager that an incident has occurred that has occurred or may cause a leakage of personal information or personal data.
3. The person responsible for the management of personal data must immediately report to the insurance company that an incident or a likely leakage of personal information or personal data has occurred.
Article 22 (Supervision of Employees)
1. The agency will conduct necessary and appropriate supervision of its employees to ensure the safe management of personal data.
2. The agency requests employees to submit written pledges, etc. regarding the protection and proper handling of personal information.
Article 23 (Education and Guidance of Employees)
1. Education and guidance policies for employees regarding the protection and proper handling of personal information shall be planned and determined by the person in charge of personal data management.
2. Employees must receive training on the proper management of personal information designated by the person in charge of personal data management.
Article 24 (Supervision of Contractors)
1. The Personal Data Manager must obtain the approval of the insurance company in advance when outsourcing all or part of the handling of personal data.
2. The Personal Data Manager shall conduct necessary and appropriate supervision of the contractor in accordance with the separately stipulated regulations concerning the outsourcing of personal data so that the safe management of the entrusted personal data can be ensured.
3. The Personal Data Manager shall implement the following items to the contractor.
(1) Select a contractor after confirming that the contractor's personal information protection system is sufficient.
(2) Conclude a consignment agreement, etc. with a consignee that includes the following matters.
(1) Authority for supervision, auditing, and collection of reports of the consignor
(2) Prohibition of leakage, theft, falsification, and unintended use of personal data by contractors
(3) Conditions for re-consignment
(4) Responsibility of the contractor in the event of a leak, etc.
Article 25 (Restrictions on Provision to Third Parties)
The agency will not provide personal data to third parties without the prior consent of the individual, except as required by law.
Article 26 (Disclosure, Correction and Suspension of Use of Personal Data)
1. If the Agent receives a request for disclosure, correction, suspension of use, etc. of personal data related to insurance agency business based on the Personal Information Protection Law, the Agent shall notify the insurance company to that effect.
2. If we receive inquiries, etc. regarding personal data related to insurance agency business that are not based on the Personal Information Protection Law, we may respond after appropriately verifying your identity.
Article 27 (Response to Complaints)
1. The contact point for complaints regarding the handling of personal information at the agency shall be the personal data controller.
2. If an employee receives a complaint regarding the handling of personal information, the employee must immediately report it to the personal data manager and receive instructions from the personal data manager.
3. The Personal Data Controller shall promptly report to the Personal Data Manager that the complaint has been received.
4. The person responsible for the management of personal data must promptly report to the insurance company that the complaint has been received.
Article 28 (Penalties / Disciplinary Action in Case of Violation)
The agency will take disciplinary action against employees who violate these regulations in accordance with the employment regulations, etc.
Article 29 (Revision and Abolition)
The revision or abolition of these Rules shall be made by decision of the agent owner or by resolution of the Board of Directors.
<附则>
Article 1 These regulations shall be implemented from September 1, 2021.
above
Personal data controllers, etc. at the agency
|
Personal Data Controller |
|
Qiu Dan |
|
Administrator of identity verification information (*) |
|
Qiu Dan |