Preface
Taiwan has significantly overhauled the long-standing “Computer Processing Personal Data Protection Act,” renaming it the “Personal Data Protection Act” (hereinafter referred to as the “PDPA”). The new Act aims to enhance personal data protection by expanding its scope of application to all personal data, regardless of industry, and by introducing provisions such as criminal liability. To respond to these key government policies and to manage the data of domestic and international securities firms at that time, the Taiwan Stock Exchange Corporation (hereinafter referred to as the “Taiwan Stock Exchange”) conducted personal data inventories using electronic questionnaires to improve efficiency, formulated a “Personal Data Management Policy Statement” to safeguard the rights of all stakeholders, established a comprehensive personal data management system, and strengthened its information security controls. It also implemented and obtained certification to the international standard BS 10012 Personal Information Management System (PIMS), becoming the first stock exchange in the world to receive this certification.
Other securities, futures, and related businesses have also actively obtained various personal data management certifications, both domestically and internationally, and have formulated general guidelines for stakeholders’ personal data protection and information security. Many securities firms have based their internal control regulations on the aforementioned guidelines. Although such general guidelines may broadly prohibit improper access and use of data, they fall short of fully and specifically defining the patterns of all possible violations. Therefore, there are still some gray areas that remain unaddressed. Under these circumstances, the Taiwan Stock Exchange has subsequently stipulated more regulations, including the “Operation Directions for Inquiries of Customer Data by Employees of Securities Firms,” and “Establishing Information Security Inspection Mechanisms for Securities Firms.” These regulations help clarify the obligations of securities firms that have signed the “Criteria Governing Handling of Stock Affairs by Public Companies” to properly handle customer personal data in accordance with the PDPA and to conduct regular or occasional audits of personal data management. Any data update, correction, or cancellation must be reported for the records, and the personnel and time involved must be recorded in detail. Securities firms should also establish clear operating procedures for the division of responsibilities between themselves and software and hardware vendors regarding confidentiality protection and damages compensation, when necessary. They should maintain audit trails or identification mechanisms for personal data usage to facilitate the tracking of such data in use.
Common errors of customers in data collection, processing, and utilization
Even if the securities market’s infrastructure for personal data collection, processing, and utilization were free of vulnerabilities and well protected, oversights would still be inevitable. As public awareness of personal data protection rises, complaints arising from unfamiliarity with the law and misunderstanding of operating procedures are increasing. Consequently, the Taiwan Stock Exchange and other securities-related organizations receive numerous complaints through suggestion boxes and other channels on a daily basis. In addition, the Financial Supervisory Commission (hereinafter referred to as the “FSC”), the regulatory authority for the securities market, has issued letters to the Taiwan Stock Exchange and other organizations urging them to promptly investigate alleged violations of the PDPA involving specific securities firms and to submit the related supporting documents thereafter.
Among the commonly seen infringements of personal data rights, most instances involve “excessive data collection,” which is easily noticed by the data subjects and is a common occurrence in practice. In other words, the core of a personal data protection policy is the principle of data minimization. Retaining large amounts of unnecessary data increases management costs and significantly raises the risk of liability for loss and of harm to business goodwill. Therefore, the outdated practice of indiscriminately collecting all personal data without first weighing its necessity should be avoided at the very beginning of the collection process; instead, the excessive burden that such data places on security maintenance at the endpoint should be considered proactively.
The second most commonly seen error is the loss or theft of data, which most data subjects learn about only passively and after the fact, through the media or through notifications issued by the collecting agency by phone, written notice, or public announcement. Such personal data protection failures are usually linked to the organization’s computer data security policies at the practical management level, and the two interact closely. The security controls that non-government agencies apply to personal data in their custody do not necessarily have to be as stringent as those for internal corporate secrets. However, to mitigate the risk of personal data incidents, securities firms are advised to invest reasonable maintenance costs and to promptly delete data once the specific purpose ceases to exist or the retention period expires.
Notification of data use outside the specific purposes and indirect data collection
In addition, other processing and utilization methods are frequently overlooked. Like other financial industries, the securities industry often faces disputes over whether data collection has gone beyond the intended purpose and whether the data subject’s consent has been obtained when data is used beyond that purpose. Numerous violations of personal data protection laws occur in which personal data is packaged and sold for profit both domestically and internationally. While such data theft and illegal sale may be committed by employees or result from intrusions by external hackers, these acts are not intentional on the part of the Company. By contrast, the sharing of collected personal data within an organization or among related companies is often taken for granted, and violations of this kind are commonly observed. Although such sharing is not completely prohibited by personal data protection laws, the data subject must be informed of the scope of use, and explicit consent must be obtained.
While the aforementioned “Personal Information Management System” was being certified, the Taiwan Stock Exchange sent letters to the Ministry of Justice (Note: the newly established “Personal Data Protection Commission,” hereinafter referred to as the “PDPC,” is now in charge) and to the FSC, the competent authority for the securities market, to confirm whether the investor account opening, credit, and transaction data provided to the Taiwan Stock Exchange by securities firms, i.e. personal information obtained through indirect collection, is exempt from the legal obligation to notify the data subjects. The Taiwan Stock Exchange ultimately received a positive response.
The FSC further announced amendments to the “Regulations Governing Securities Firms,” adding Article 35-2 to confirm that, in addition to directly collecting various credit information on investors, the Taiwan Stock Exchange may collect information indirectly by requesting relevant information from securities firms and institutions approved by the competent authority, and may process or utilize such information. In addition, the FSC determined that the collection, processing, or utilization of such information by the Taiwan Stock Exchange fell within the scope of “non-government agencies to fulfill their statutory obligation” under Paragraph 2-2, Article 8 of the PDPA and was therefore exempt from the obligation of notice under Paragraph 1, Article 9 of the same Act.
In other words, the Taiwan Stock Exchange is not required to notify the data subjects of the source of their personal information before processing or using it, and is exempt from providing the “name of the agency,” “purpose of data collection,” “type of personal data,” “period, region, objects, and method of personal data use,” and “rights and methods exercised by the parties.” However, to prevent data abuse, the FSC also requires the Taiwan Stock Exchange to formulate appropriate operating procedures, including those governing the scope of data collection, the objects of access, and the content of such information, and to submit these procedures for prior approval.
Customer data may only be used within legal scope
At the beginning of this year (2025), to assist the Finance Committee of the Legislative Yuan in clarifying whether securities firms may exceed the necessary scope in their use of personal data, the FSC specifically instructed the Taiwan Stock Exchange to explain within a designated time frame whether securities firms can use brokerage client information when handling proxy solicitations for shareholder meetings as part of routine supervision of corporate compliance. Additionally, the Commission instructed the Taiwan Stock Exchange to include this detail in management reports when necessary, in order to prevent external disputes. In addition, the Taiwan Stock Exchange should contact the Taiwan Depository and Clearing Corporation (hereinafter referred to as “TDCC”) and other relevant entities to jointly study and regulate securities firms when they intend to use the personal information of brokerage clients to solicit proxies, thereby enhancing the protection of customers’ information. Additionally, they should obtain the client’s consent in advance through a single-sheet written agreement signed at the time of opening an account to fulfill the legal obligation of protecting personal information.
Since the FSC is becoming increasingly stringent on personal information management and inclined to mandate that securities firms provide clients with appropriate reminders and explanations at the time of opening accounts, it is important to ensure that clients are fully informed about the scope of use of their collected personal information. Securities firms may use personal information for intended purposes only after clients have been clearly informed and their consent has been obtained. If clients fail to provide written consent regarding the informed matters, the securities firm should not use the client’s personal information for other business purposes, such as soliciting proxies.
For the sake of protecting the rights and interests of the clients of securities firms and the shareholders of issuing companies, and respecting the personal data autonomy of the parties involved, the FSC has also instructed the Taiwan Stock Exchange to consult with the securities firms that handle proxy solicitations on their behalf. Additionally, it should consider relevant supporting measures and amend the standard specifications for the internal control systems of the securities firms, which should be submitted for review and approval promptly within the specified time limit.
Meeting held to discuss enhancing securities firms’ customer data protection measures
For the purpose of clarifying the legality of utilizing certain brokerage clients’ information when soliciting proxies for shareholder meetings, the Taiwan Stock Exchange was instructed by the FSC to invite the TDCC, the Taiwan Securities Association (hereinafter referred to as “TSA”), and major securities firms that handle proxy solicitations to discuss relevant operating procedures and to collaboratively revise relevant regulations and supporting measures. The aforementioned meetings were held to exchange opinions on the following issues in order to protect the rights and interests of brokerage clients and issuing company shareholders:
1. If a salesperson uses an investor’s account opening information to contact a specific client for soliciting proxies, does he/she engage in the unauthorized and improper use of the client’s personal information? If the investor’s written consent has been obtained at the time of signing various documents during account opening, is the original scope of authorization specific, clear, and reasonable, and does it clearly cover this type of proxy solicitation? If a securities firm’s stock affairs department handles proxy solicitation, and a salesperson in the brokerage department directly consults with the firm’s clients regarding their preferences, does the sharing of relevant personal information across departments exceed the scope of reasonable use? In addition, how can firewalls be established between different departments? How can we prevent the management of accounts and permissions for data inquiries from being abused?
Note: Referring to the legislative intent of Taiwan’s Personal Data Protection Act, which aims to prevent the infringement of personality rights and promote the reasonable use of personal data, regardless of whether the data originates directly from the parties or is obtained indirectly from a third party, prior consent must be obtained at the time of use. If a shareholder who meets the qualifying requirements entrusts a securities firm to handle stock affairs as a solicitor, the provision of Article 3 of the “Regulations Governing the Use of Proxies for Attendance at Shareholder Meetings of Public Companies” allows for the solicitation of proxies through public announcements, advertisements, signs, broadcasts, videotex, letters, telephones, press conferences, seminars, visits, and inquiries. Therefore, the use of the aforementioned methods in practice, such as passively collecting information at fixed locations or proactively contacting customers with specific stock balances, does not appear to exceed the scope of current regulations regarding the solicitation of proxies for attending shareholder meetings. If the personal information is obtained from other departments within the organization, and the original collector is the securities firm, not a specific individual, then, under these circumstances, even if personal information is collected and used across departments in the name of the organization, it does not constitute an issue of indirect collection. Instead, the issue should be examined at the time the entrusted trading contract was initially signed to determine whether prior consent from the parties was obtained for the purpose of soliciting proxies. Otherwise, it constitutes a use outside the intended purpose, and the investors should be informed and their consent obtained.
2. The Jin-Guan-Zheng-Jiao-Zi No. 1140380406 Letter dated January 23, 2025 issued by the competent authority states the following: If securities firms use brokerage clients’ personal information for soliciting proxies, they must obtain written consent from the clients at the time of account opening. The account opening personnel should also provide appropriate reminders and explanations so that clients fully understand the situation. Clients’ personal information may not be used to solicit proxies without their prior written consent. Given this, the respective responsible units should consider whether specific provisions implementing the competent authority’s directive should be added to the following documents, including but not limited to:
(1) Standard Specifications for Internal Control Systems of Securities Firms (e.g. CA-11110 Account Opening Procedures and Auditing) – Taiwan Stock Exchange
(2) “Brokerage Order for Securities” Template – TSA
(3) Standard Specifications for the Internal Control System of Stock Affairs Agency (e.g. CA-30340: Proxy Solicitation Operation) – TDCC
Note: Many securities-related units have obtained domestic and international personal data management certifications, and general regulations on stakeholder personal data protection and information security have been established. Securities firms often rely on these general regulations when drafting their internal control enforcement rules. Although such general regulations may address improper access and use comprehensively, they lack specific definitions of potential violations and therefore risk becoming a mere formality. For this reason, the “Establishing Information Security Inspection Mechanisms for Securities Firms” clearly stipulates that all securities firms that have signed the “Contract for supply and usage of the centralized securities exchange market” must properly handle customer personal data in accordance with the PDPA and regularly or occasionally audit their personal data management. Any data update, correction, or cancellation must be reported for future reference, with detailed records of the personnel and timeframes involved. Securities firms should, when necessary, formulate a “Division of responsibilities between software and hardware manufacturers regarding confidentiality maintenance and damages” and should maintain audit trails or identification mechanisms for personal data to facilitate tracking of its usage.
Submit preliminary solutions reached in the meeting and obstacles to the competent authorities
The participating entities, including the TDCC, the TSA, Yuanta Securities, KGI Securities, and Fubon Securities, gradually reached a consensus after thorough communication and discussion. The Taiwan Stock Exchange has compiled and submitted the following key points to the FSC:
1. Since investors have already ticked the boxes for consent listed in the standardized contract at the time of opening an account, securities firms, in principle, are not engaging in the intentional misuse of client personal information. In other words, inquiring about the client’s willingness to submit a power of attorney in order to serve the client does not exceed the legally binding scope of reasonable use. However, in terms of the scope of personal information use granted by clients, securities firms currently tend to adopt a “maximum coverage” approach, commonly using broad terms such as “business items to be operated with the approval of the competent authority,” “securities trading-related business,” etc. In addition, the terms and formats for consent to use personal data provided by various businesses are not currently standardized by the competent authorities, resulting in discrepancies in wording and meaning. It may lead to customers’ misunderstandings in some practical cases regarding the specificity and rationality of the scope of authorized use and the clarity of column labeling, resulting in the risk of disputes and complaints about personal data infringement. Therefore, it is advisable to make adjustments to the current columns related to consent for personal data use in order to alleviate public concerns. Regarding similar cross-departmental sharing of personal data, internal information security controls should also be considered, along with the implementation of business firewalls for different departments, to ensure that account and permission management for data access is not abused.
2. Regarding the mandatory and comprehensive requirement for all securities firms to have their clients sign a one-page consent form for using their personal information to solicit proxies, there remain some obstacles to be overcome:
(1) The aforementioned requirements, based on the total number of accounts opened at existing business locations, will not only consume manpower and material resources for notification operations but also significantly increase operating costs. Additionally, the cost of subsequent paper printing is inconsistent with the government’s commitment to sustainable environmental protection. If an additional one-sheet consent form is subsequently issued based on other case-by-case considerations, it could create a cycle of negative impact on business development.
(2) According to the PDPA, the information owner may be informed, and their consent obtained, at the time their information is used. However, investors who possess specific proxy forms for attending shareholders’ meetings and have established discretionary trading accounts with multiple securities firms may have received repeated notifications for proxy solicitation, causing significant disruption in their lives and potentially hindering their willingness to sign these forms. In addition, for investors who have signed the consent forms in advance, granting general consent for the use of their information in all cases involving proxy solicitation for publicly listed companies, if they are not notified in certain instances, they could suddenly accuse the securities firm of violating the principle of fair treatment of consumers, leading to customer complaints.
(3) Currently, those who can engage in proxy solicitation legally include certain securities firms, banks approved by the competent authority, and other businesses. In view of the current planning framework, if the aforementioned stringent regulatory requirements are solely enforced against securities firms’ stock agency services, it would inevitably undermine the importance of fair competition in the industry and create a more favorable business environment for other institutions that may also engage in proxy solicitation but are not subject to regulatory discipline.
3. The Taiwan Stock Exchange will first amend the “Standard Specifications for Internal Control Systems of Securities Firms” and provide a draft version to the TSA for reference in researching and studying the relevant authorization files for the use of personal data in the account opening (master) contract. In addition, regarding the TDCC’s “Standard Specifications for the Internal Control System of Stock Affairs Units,” there is no plan in place to adjust the content accordingly. However, securities firms will be reminded in future promotional and educational training to strictly adhere to relevant personal information protection regulations when soliciting proxies.
Amendments to internal control system standards and specifications
Pursuant to the Jin-Guan-Zheng-Jiao-Zi No. 1140380406 Letter dated January 23, 2025 and Jin-Guan-Zheng-Jiao-Zi No. 11401352021 Letter dated May 5, 2025 from the FSC, the Taiwan Stock Exchange hereby approves the addition of Standard Specifications for Internal Control Systems of Securities Firms (including “Internal Control System CA-11160 – Customer Information Protection Operations,” “Internal Audit Enforcement Rules AA-11160 – Audit of Customer Information Protection Operations,” and “Audit Detailed Form FA-11160-S”) in accordance with the resolutions in the aforementioned meeting minutes. The operating procedures and control focuses are as follows:
1. Operating procedures for new customers:
(1) When a “Brokerage Order for Securities” is signed, the Company must inform the client of the specific purpose of data collection and the clear scope of data processing or use, as set out in the “Notice on Collection, Processing, and Use of Personal Information” lawfully provided to the client.
(2) The Company shall simultaneously disclose the comprehensive contents of the aforementioned Notice on its official website, mobile application (APP), or through other means sufficient to make this information available and accessible to customers.
(3) If any changes are made to business operations or customer services, the Company shall promptly disclose the latest version of the notice through the aforementioned methods, so that customers are informed of how the changes remain legitimately and reasonably connected to the original purpose of data collection. Except for the circumstances listed in the proviso to Paragraph 1, Article 20 of the PDPA, the use of personal data shall not exceed the scope necessary for the originally intended purpose of collection.
2. Operating procedures for existing customers:
(1) If there is any change in business operations or customer service that subsequently affects the content of the notice, the Company should immediately announce the latest version of the notice in a manner that sufficiently informs customers.
(2) The Company should confirm that the customer understands the content of the updated notice and that it remains legitimately and reasonably related to the purpose of the original data collection.
3. Preventing data leakage or improper access:
(1) Companies must strictly adhere to the planning, management procedures, security auditing, and other requirements of the “Regulations Governing Security Measures of the Personal Information File for Non-government Agencies Designated by Financial Supervisory Commission” for the personal data files on hand.
(2) Companies should establish access control, protection, and monitoring mechanisms to prevent crimes such as fraud.
4. To protect the data subjects’ autonomy over their personal data, the Company shall provide convenient channels, such as a service hotline, through which customers may exercise at any time their right to request information as provided in Article 3 of the PDPA. Unless otherwise provided by law, the Company may not refuse such a request.
Template for “Personal Data Collection, Processing, and Use Consent Form”
The outdated template of the “Data Collection, Processing, and Use of Personal Data Consent Form,” announced and implemented in 2012, is to be revised in step with the Executive Yuan’s establishment of the PDPC, so as to safeguard information privacy rights and promote the rational use of personal data. After consulting with the securities-related units involved in this case, the TSA shall refine its personal information protection operations based on the current version.
First of all, the purpose of collecting customers’ personal information should be limited to the categories of “securities, futures, securities investment trusts and consulting-related businesses” (such as entrusted trade in domestic and foreign securities, and wealth management), “consumer and client management and services” (such as proxy solicitation), “collection, processing, and use of information by the financial services industry in accordance with the governing laws and regulations and for financial supervision needs” (such as inquiries from judicial or competent authorities), other operations that fall within the scope of business registration or organizational charters (such as joint marketing and cooperative promotion), and “other contracts, similar contracts, or legal relationship matters.” Enumerating specific categories and closing with a general clause ensures comprehensiveness.
Secondly, since the special personal information listed in Article 6 of the PDPA is clearly unrelated to the daily operations of securities firms, it is explicitly stipulated that it may not be collected for any reason. In addition, the operational principles of the aforementioned securities firm’s internal control system, as well as the regulations regarding the protection of client data, are fully disclosed in the notes of the file to remind investors before signing the agreement and to help securities firms understand their relevant legal compliance obligations.
In addition, consider omitting the column designated for client signatures in the template. However, securities firms will provide a separate “signature form” as needed to evidence that clients have been clearly informed, mitigate potential legal risks, and improve the efficiency of the account opening process. The names of various account-opening-related files will be summarized in the separate “signature form” to eliminate the need for clients to sign multiple files individually. In response to the adjustment of the signature column to “signature form” for a collective process, the name of this file has been changed to “Notice on Collection, Processing, and Use of Personal Information.”
Since the aforementioned template “Notice on Collection, Processing, and Use of Personal Information” is a crucial document at the forefront of interactions between securities firms and clients, the FSC has internally reviewed each of its business items, including trading, management, and legal affairs. After reviewing the opinions of all parties involved, the FSC responded in writing to Operation Division III of the TSA. It recommends that individuals whose personal data has been collected be informed individually, as referenced in the Far-Lu-Zi No. 10203511430 letter issued by the Ministry of Justice, rather than through a simple display (posting), online announcement, or general notification, which may not be sufficient to ensure that the parties are fully aware of, or can easily understand, the content of the notice. In addition, if information is used outside its intended purpose, the purpose and scope of such use, as well as the impact of consent on the rights and interests of the individuals, must be clearly disclosed in accordance with the PDPA, and the consent of each customer obtained accordingly. Furthermore, as to the customer signature column in the original template and the collection, processing, and use of personal data for an intended purpose, an “agree or not” checkbox should be retained and used.
In summary, the amendments to the notice template were discussed and approved by the Legal Affairs and Law Compliance Committee of the TSA, with the approval of the FSC, drawing on the practical operating model of securities firms. A separate signature column is not included; instead, an “agree or not” checkbox is added to the signature form, along with clear text indicating its purpose. A goodwill reminder that unchecked boxes will be deemed “agreed” is also provided. The FSC’s approval was finally obtained after this important piece of the puzzle in enhancing personal information protection within the securities industry was coordinated and explained.
Postscript
Taiwan has established a diverse “Advisory Committee for the Development of a National Human Rights Action Plan” in response to initiatives from academia, the private sector, and the United Nations’ long-standing appeal for each country to develop relevant plans. The Executive Yuan is to lead the formation of the “National Human Rights Action Plan” as a commitment to fundamental human rights protections, including “digital human rights,” which are closely linked to people’s daily lives. Under the circumstances, the government has established an independent supervisory body responsible for personal data protection, namely the “Personal Data Protection Commission” (hereinafter referred to as the “PDPC”) as stipulated in Article 1-1 of the PDPA by referring to the personal data protection regulatory models of other countries, such as the European Union, Japan, and South Korea; which is listed as a priority policy focus in the near future.
Amendments to certain provisions of the PDPA were submitted by the Executive Yuan to the Legislative Yuan for review on March 27, 2025, and were approved by the Legislative Yuan on third reading at the 5th meeting of the 4th term of the 11th Legislative Yuan on October 17, 2025. The Taiwanese government has thereby resolved to comprehensively enhance, from the top down, the legality and credibility of the collection, processing, and use of personal data. The latest amendments to the PDPA are provided here for reference:
1. Coordinate the supervisory functions of competent authorities (Articles 12, 18, and 20-1): Add reporting obligations for personal data incidents, accept reports related to personal data leaks collectively, and monitor the evolution of incidents that occur. Units experiencing incidents must promptly adopt responsive measures and maintain relevant records. In addition, the PDPC will establish general security maintenance and management regulations to serve as a benchmark for future law enforcement, enhancing compliance with the PDPA and security controls by both government and non-government agencies.
2. Enhance the supervision and management of personal data within government agencies (Articles 18 and 21-1 to 21-4): Request government agencies to establish a “Director of Personal Data Protection” to oversee the management and protection of personal data. The head of each agency shall have an appropriate individual appointed to serve concurrently in this capacity in order to plan and cultivate a culture of personal data protection within government agencies. In addition, a dual internal and external oversight mechanism shall be established for government agencies. Internally, superior agencies will oversee their subordinates, while externally, the competent authority under the PDPA shall conduct external audits and administrative inspections. The dual approaches are adopted to enhance efforts in personal data protection.
3. A separate transition period will be established for non-government agencies (Article 51-1): Since a sudden change in the current supervisory authority may cause unnecessary impacts without ensuring supervisory effectiveness, a special transition mechanism will be established for non-government agencies to gradually achieve the goal of unified supervisory rights over personal information protection matters. In other words, the PDPC will temporarily oversee businesses that are without a clearly defined supervisory authority. The businesses that have a clearly defined supervisory authority will be temporarily supervised by that authority within six years in accordance with the scope announced by the Executive Yuan. This is subject to a regular listing review every two years to gradually achieve the goal of unified supervisory rights.