1. Purpose, Scope and UsersAndroVideo Inc, hereinafter referred to as the "Company", strives to comply with applicable laws and regulations related to Personal Data protection in countries where the Company operates. This Policy sets forth the basic principles by which the Company processes the personal data of consumers, customers, suppliers, business partners, employees and other individuals, and indicates the responsibilities of its business departments and employees while processing personal data.
2. Reference Documents
3. DefinitionsThe following definitions of terms used in this document are drawn from Article 4 of the European Union’s General Data Protection Regulation:
4. Basic Principles Regarding Personal Data Processing
The data protection principles outline the basic responsibilities for organisations handling personal data. Article 5(2) of the GDPR stipulates that "the controller shall be responsible for, and be able to demonstrate, compliance with the principles."
4.1. Lawfulness, Fairness and Transparency
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
4.2. Purpose Limitation
Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
4.3. Data Minimization
Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. The Company must apply anonymization or pseudonymization to personal data if possible to reduce the risks to the data subjects concerned.
Personal data must be accurate and, where necessary, kept up to date; reasonable steps must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified in a timely manner.
4.5. Storage Period Limitation
Personal data must be kept for no longer than is necessary for the purposes for which the personal data are processed.
4.6. Integrity and confidentiality
Taking into account the state of technology and other available security measures, the implementation cost, and likelihood and severity of personal data risks, the Company must use appropriate technical or organizational measures to process Personal Data in a manner that ensures appropriate security of personal data, including protection against accidental or unlawful destruction, loss, alternation, unauthorized access to, or disclosure.
Data controllers must be responsible for and be able to demonstrate compliance with the principles outlined above.
5. Building Data Protection in Business Activities
In order to demonstrate compliance with the principles of data protection, an organisation should build data protection into its business activities.
5.1. Notification to Data Subjects
(See the Fair Processing Guidelines section.)
5.2. Data Subject's Choice and Consent
(See the Fair Processing Guidelines section.)
The Company must strive tocollect the least amount of personal data possible. If personal data is collected from a third party, DPO(Data Protection Officer) must ensure that the personal data is collected lawfully.
5.4. Use, Retention, and Disposal
The purposes, methods, storage limitation and retention period of personal data must be consistent with the information contained in the Privacy Notice. The Company must maintain the accuracy, integrity, confidentiality and relevance of personal data based on the processing purpose. Adequate security mechanisms designed to protect personal data must be used to prevent personal data from being stolen, misused, or abused, and prevent personal data breaches. DPO is responsible for compliance with the requirements listed in this section.
5.5. Disclosure to Third Parties
Whenever the Company uses a third-party supplier or business partner to process personal data on its behalf, DPO must ensure that this processor will provide security measures to safeguard personal data that are appropriate to the associated risks. For this purpose, the Processor GDPR Compliance Questionnaire must be used.
The Company must contractually require the supplier or business partner to provide the same level of data protection. The supplier or business partner must only process personal data to carry out its contractual obligations towards the Company or upon the instructions of the Company and not for any other purposes. When the Company processes personal data jointly with an independent third party, the Company must explicitly specify its respective responsibilities of and the third party in the relevant contract or any other legal binding document, such as the Supplier Data Processing Agreement.
5.6. Cross-border Transfer of Personal Data
Before transferring personal data out of the European Economic Area (EEA) adequate safeguards must be used including the signing of a Data Transfer Agreement, as required by the European Union and, if required, authorization from the relevant Data Protection Authority must be obtained. The entity receiving the personal data must comply with the principles of personal data processing set forth in Cross Border Data Transfer Procedure.
5.7. Rights of Access by Data Subjects
When acting as a data controller, DPO is responsible to provide data subjects with a reasonable access mechanism to enable them to access their personal data, and must allow them to update, rectify, erase, or transmit their Personal Data, if appropriate or required by law. The access mechanism will be further detailed in the Data Subject Access Request Procedure.
5.8. Data Portability
Data Subjects have the right to receive, upon request, a copy of the data they provided to us in a structured format and to transmit those data to another controller, for free. DPO is responsible to ensure that such requests are processed within one month, are not excessive and do not affect the rights to personal data of other individuals.
5.9. Right to be Forgotten
Upon request, Data Subjects have the right to obtain from the Company the erasure of its personal data. When the Company is acting as a Controller, DPO must take necessary actions (including technical measures) to inform the third-parties who use or process that data to comply with the request.
6. Fair Processing GuidelinesPersonal data must only be processed when explicitly authorised by DPO
The Company must decide whether to perform the Data Protection Impact Assessment for each data processing activity according to the Data Protection Impact Assessment Guidelines.
6.1. Notices to Data Subjects
At the time of collection or before collecting personal data for any kind of processing activities including but not limited to selling products, services, or marketing activities, DPO is responsible to properly inform data subjects of the following: the types of personal data collected, the purposes of the processing, processing methods, the data subjects' rights with respect to their personal data, the retention period, potential international data transfers, if data will be shared with third parties and the Company’s security measures to protect personal data. This information is provided through Privacy Notice.
If your company has multiple data processing activities, you will need to develop different notices which will differ depending on the processing activity and the categories of personal data collected – for example, one Notice might be written for mailing purposes, and a different one for shipping purposes.
Where personal data is being shared with a third party, DPOmust ensure that data subjects have been notified of this through a Privacy Notice.
Where personal data is being transferred to a third country according to Cross Border Data Transfer Policy, the Privacy Notice should reflect this and clearly state to where, and to which entity personal data is being transferred.
Where sensitive personal data is being collected, the Data Protection Officer must make sure that the Privacy Notice explicitly states the purpose for which this sensitive personal data is being collected.
6.2. Obtaining Consents
Whenever personal data processing is based on the data subject's consent, or other lawful grounds, DPO is responsible for retaining a record of such consent. DPO is responsible for providing data subjects with options to provide the consent and must inform and ensure that their consent (whenever consent is used as the lawful ground for processing) can be withdrawn at any time.
Where collection of personal data relates to a child under the age of 16, DPO must ensure that parental consent is given prior to the collection using the Parental Consent Form.
When requests to correct, amend or destroy personal data records, must ensure that these requests are handled within a reasonable time frame. DPO must also record the requests and keep a log of these.
Personal data must only be processed for the purpose for which they were originally collected. In the event that the Company wants to process collected personal data for another purpose, the Company must seek the consent of its data subjects in clear and concise writing. Any such request should include the original purpose for which data was collected, and also the new, or additional, purpose(s). The request must also include the reason for the change in purpose(s). The Data Protection Officer is responsible for complying with the rules in this paragraph.
Now and in the future, DPO must ensure that collection methods are compliant with relevant law, good practices and industry standards.
DPO is responsible for creating and maintaining a Register of the Privacy Notices.
7. Organization and ResponsibilitiesThe responsibility for ensuring appropriate personal data processing lies with everyone who works for or with the Company and has access to personal data processed by the Company.
8. Guidelines for Establishing the Lead Supervisory Authority
8.1. Necessity to Establish the Lead Supervisory AuthorityIdentifying a Lead supervisory authority is only relevant if the Company carries out the cross-border processing of personal data.
8.2. Main Establishment and the Lead Supervisory Authority
8.2.1. Main Establishment for the Data ControllerThe Company's Headquarter needs to identify the main establishment so that the lead supervisory authority can be determined.
8.2.2. Main Establishment for the Data ProcessorWhen the Company is acting as a data processor, then the main establishment will be the place of central administration. In case the place of central administration is not located in the EU, the main establishment will be the establishment in the EU where the main processing activities take place.
8.2.3. Main Establishment for Non-EU Companies for Data Controllers and ProcessorsIf the Company does not have a main establishment in the EU, and it has subsidiaries in the EU, then the competent supervisory authority is the local supervisory authority.
9. Response to Personal Data Breach IncidentsWhen the Company learns of a suspected or actual personal data breach, DPO must perform an internal investigation and take appropriate remedial measures in a timely manner, according to the Data Breach Policy. Where there is any risk to the rights and freedoms of data subjects, the Company must notify the relevant data protection authorities without undue delay and, when possible, within 72 hours.
The Audit Department or Legal department is responsible for auditing how well business departments implement this Policy.
10. Audit and Accountability
11. Conflicts of Law
12. Managing records kept on the basis of this document
|Record name||Storage location||Person responsible for storage||Controls for record protection||Retention time|
|Data Subject Consent Forms||Taiwan HQ Office||Data Protection Officer||Only authorized persons may access the forms||5 years|
|Data Subject Consent Withdrawal Form||Taiwan HQ Office||Data Protection Officer||Only authorized persons may access the forms||5 years|
|Parental Consent Form||Taiwan HQ Office||Data Protection Officer||Only authorized persons may access the forms||5 years|
|Parental Consent Withdrawal Form||Taiwan HQ Office||Data Protection Officer||Only authorized persons may access the forms||5 years|
|Supplier Data Processing Agreements||Taiwan HQ Office||Data Protection Officer||Only authorized persons may access the folder||5 years after the agreement has expired|
|Register of Privacy Notices||Taiwan HQ Office||Data Protection Officer||Only authorized persons may access the folder||Permanently|