個人資料及隱私權說明

凱基金融控股股份有限公司（原為中華開發金融控股股份有限公司）、凱基商業銀行股份有限公司、凱基證券股份有限公司、凱基人壽保險股份有限公司、凱基期貨股份有限公司、凱基證券投資顧問股份有限公司、凱基證券投資信託股份有限公司、凱基保險經紀人股份有限公司、中華開發資本股份有限公司及未來因組織異動於本網站揭露之新增國內子公司（以下簡合稱「本集團」）為提供客戶多元化及更完善的金融產品或其他服務，而需要蒐集、處理、利用或共享您所提供之資料。本集團重視您的隱私權並尊重您所提供的一切資料，並採行適當之安全措施保護您的資料。特依據個人資料保護法、金融機構間資料共享指引等相關法令，訂定隱私權保護須知如下，除法律另有規定或您與本集團另有其他約定外，將依循本隱私權保護須知內容辦理：

網站資料蒐集、處理、利用目的
本網站會記錄您上網之IP位址、上網時間以及在網站內所瀏覽的網頁等資料，這些資料係供本網站管理作業所需，如：內部網站流量和網路行為調查的總量分析，以利於提昇本網站的服務品質。

本須知適用之範圍
1.以本集團名義申請之網域名稱(Domain Name)所架設之網站及行動應用程式（以下統稱本集團網站及應用程式）適用之，但不包含本集團網站及應用程式以外之其他網站連結，倘您點選該連結，您必須參考該連結網站中的隱私權保護須知。
2.本須知所稱之客戶資料包括客戶基本資料、身分核驗資料、帳戶資料、金融商品或服務之交易紀錄、負面資訊、認識客戶(KYC)資料及金融機構加值之資料、電子通訊歷程記錄（如IP位址、上網時間以及在網站內所瀏覽的網頁等資料）或其他經客戶同意共享之資料等。

客戶資料保護措施
為落實對客戶資料保護之權責與責任，本集團採行適當之安全措施保護您的資料，包括但不限於以下之安全措施：
◆ 本集團採行資料使用權限控管，只有經過授權之人員，才能在必要之範圍內，使用您的資料，以避免洩露您的資料，您所提供的資訊若無保存必要時，將確實銷毀。相關人員皆負有保密義務，如有違反者，將受到相關處分。
◆ 本集團採用Secure Socket Layer(SSL)資料保密協定，提升資料傳輸之安全性，除此之外亦使用256位元以上或其他等級之加密技術來保護您的資料。
◆ 本集團設置防火牆、入侵偵測防護系統及防毒機制輔助，以保護儲存資料之伺服器及其他儲存裝置，防止未經授權地侵入行為。
◆ 本集團建置實體上之安全措施，如門禁管制、保全系統並異地儲存您的資料，以因應緊急事件或災害發生時仍能保存您的資料。
◆ 本集團如因業務需要委託相關單位（含供應商）提供服務時，亦會嚴格要求其遵守保密義務，並採取必要之檢查程序以確定其確實遵守。若需提供您的個人資料予第三人時，應符合下列情形或其他法令規定：
　　＊依法令要求經過您的同意。
　　＊司法單位或其他主管機關經合法正式的程序要求時。
　　＊符合法令所允許的國際傳輸。
　　＊為了提供您其他服務或優惠權益，需要與提供該服務或優惠之第三人（含供應商）共用您的資訊時，本網站會在活動時提供充分說明並告知，您可以自由選擇是否接受這項服務或優惠。
◆ 本集團落實資料蒐集、處理及利用管理程序，確保相關業務符合法令之要求及例外適用情形，依據本集團個人資料管理政策暨個人資料告知聲明所列蒐集、處理、利用個人資料之目的，及個人資料利用之對象，於適當、相關及不過度之前提，以最小化原則辦理，並維持資料之正確性及及時更新。
◆ 本集團透過內部規範建立稽核機制，並透過外部個人資料保護相關認證，確保個人資料保護之全面。

客戶自我保護措施
本集團雖採行適當之安全措施以保護您的資料，但您的資料安全也需要您的注意及配合：
◆ 若您使用相關憑證、輸入密碼或任何資料時，應避免將任何資料提供予第三人或與第三人共用，您並應妥善保存您的憑證、密碼及任何資料，確保第三人不會取得您的資料。
◆ 若您登入帳戶使用本網站所提供之各項服務功能，請在使用完畢後，確實登出帳戶；使用他人之電腦或公用電腦時，請在您使用的瀏覽器功能選項中設定隱私權等級為高，以關閉cookies及其他瀏覽器紀錄功能，避免他人取得您的資料。
◆ 您應安裝防毒或其他網路防護軟體，並定期更新病毒碼及軟體程式版本，降低感染病毒或遭植入木馬程式、機器人程式等可能因此洩露您資料之情形。
您在提供個人資料予本集團時，請注意以下事項：
◆ 除依法令規定、契約另有訂定或取得您的書面同意外，請勿提供任何如醫療、基因、性生活、健康檢查及犯罪前科等特種（敏感性）個人資料。
◆ 請勿提供任何脅迫性、隱晦性、猥褻性或違害公共秩序之資訊。
◆ 請勿在沒有取得他人同意之前，擅自提供他人之個人資料。
◆ 除依法令之規定及（或）本集團明確之要求外，請勿主動於本集團網站上提供，如身分證、財務資料、護照號碼等個人資料，以避免洩露您的個人資料或招致任何詐騙。

Cookies使用須知
本集團為提供更符合您需求之服務，採用cookies技術，當您瀏覽本集團網站時，網站將「自動」透過瀏覽器記錄您使用網站之習慣及喜好或留存您輸入之相關資訊，您往後瀏覽本集團網站時，無須再重新輸入相同之資訊，而可省去重複及繁瑣之步驟。大部分cookies的有效性只持續一定期間或只限單次造訪，cookies並不包含足以辨識個人身分的資料(如：姓名、電話、地址或電子郵遞地址等)，而是記錄您在網站所做個人首頁的設定資料，一旦您將網頁關閉，該cookies將失去效用。
本集團網頁伺服器僅能讀取cookies中在本網站的活動紀錄，無法讀取您在其他網站的活動紀錄，您可以將瀏覽器功能選項中設定隱私權等級為高，以拒絕使用cookies技術，但您可能將因此無法使用本集團網站之部分相關功能。

客戶權益維護之救濟方式
您得透過電子郵件或致電本集團或共享客戶資料公司，行使下列權利(電子郵件： ir@kgi.com；電話：(02)2763-8800)。惟依法本集團因執行業務所必需者或其他法令之要求，得不依您的請求辦理：
◆ 查詢、請求閱覽或請求製給複製本，而本集團依法得酌收必要成本費用。
◆ 請求補充或更正，惟依法您應為適當之釋明。
◆ 請求停止蒐集、處理、使用及請求刪除。
◆ 請求處理限制。
◆ 請求資料可攜性。
◆ 拒絕自動化剖析。
◆ 拒絕直接行銷目的之個人資料處理。
您不提供個人資料所致權益之影響：您得自由選擇是否提供相關個人資料，惟您若拒絕提供相關個人資料，本集團將無法進行必要之審核、處理及回覆等作業，致無法提供您相關服務。

兒童隱私權保護須知
◆ 對於兒童使用本網站之各項服務時，本集團除保護兒童隱私權外，如有對兒童進行個人或其家庭成員資料之蒐集、利用及向第三者揭露，將依法取得兒童父母或監護人之同意。
◆ 兒童父母或監護人得向本集團申請檢視、更正或刪除兒童之資料。
◆ 本集團確保所蒐集兒童個人資料之隱密性、安全性及完整性。

隱私權保護須知之修改
本集團將會視需要隨時修改本網站群所提供的隱私權保護須知，當本隱私權保護須知修改時，將以醒目標示提醒使用者，恕不個別通知。請您隨時參閱本集團企業網站之隱私權保護須知，以保障權益。

客戶資料共享揭露
◆ 凱基金融控股股份有限公司、凱基商業銀行股份有限公司、凱基證券股份有限公司、凱基人壽保險股份有限公司、凱基期貨股份有限公司、凱基證券投資顧問股份有限公司、凱基證券投資信託股份有限公司(以下簡合稱「共享客戶資料公司」)，為辨識風險、強化風險控管、提升客戶便利性、促進金融機構間跨業合作並確保客戶權益之目的，需共享您所提供的資料，特依據個人資料保護法及金融機構間資料共享指引(以下稱「共享指引」)等相關法令，揭露客戶資料共享內容。
◆ 共享客戶資料公司之客戶資料保護措施及客戶權益維護之救濟方式請詳閱前述「客戶資料保護措施」及「客戶權益維護之救濟方式」。

資料共享之目的及範圍
◆ 共享客戶資料公司為辨識風險、進行風險管控、便利客戶作業(如：減少客戶重複輸入資料)或為合作辦理業務等目的，而共享您所提供的資料。
◆ 共享資料包括客戶基本資料、身分核驗資料、帳戶資料、金融商品或服務之交易紀錄、負面資訊、認識客戶(KYC)資料及金融機構加值之資料、電子通訊歷程記錄(如 IP 位址)、經客戶同意共享之資料、其他依法令規定或因金控爲管理子公司而共享之資料等。

共享客戶資料公司名稱及合作對象
依共享指引第四點之規定，揭露辦理資料共享之公司名稱及合作項目如下表，如未來有新增合作對象及項目，將另行公告。

本集團之國內子公司與其他金融機構辦理資料共享之相關揭露，請洽本集團各子公司網站。

 

To our valued customers:

In order to protect your rights, KGI Financial Holdings Co., Ltd. (formerly known as China Development Financial Holding Corporation, hereinafter referred to as the “Company”) and its domestic subsidiaries and the new domestic subsidiaries publicly announced on this website due to organizational changes in the future (hereinafter collectively referred to as the “Group”) will provide you with diversified services through customer service centers, commodity consulting services, website activities, online applications (services), contact mailboxes on the Group's website, and/or through the use of cookies or other similar technologies, or other lawful channels or methods, collect, process, use and cross-border transfer your personal data in accordance with the law.

In order to protect your rights and interests, the Group hereby, in accordance with Article 8, Paragraph 1 and Article 9, Paragraph 1 of the Personal Data Protection Act (hereinafter referred to as the "PDPA"), notifies you of the following matters: (1) the name of the Company and/or Group, (2) the purpose of the collection, (3) the types of the personal data to be collected, (4) the period, areas, parties, and methods of which the personal data is used, (5) the source of personal data collected, (6) the data subject's rights under Article 3 of the PDPA and the methods for exercising such rights, (7) the data subject's rights and interests that will be affected if he/she elects not to provide his/her personal data.

I. The personal data management practices of the Group are as follows:

• Based on specific lawful purposes, the Group shall collect, process and use personal data within the necessary scope, and shall have legitimate and reasonable connections with the purposes of collection.
• Personal data is collected to the minimum and necessary extent based on specific lawful purposes. The data subject will be clearly informed of the period, parties, areas, and methods regarding use of their personal data.
• Unless otherwise stated by law, the collection, processing or use of children's personal data by the Group shall be subject to special protection.
• Based on the principles of fairness and lawfulness, only relevant and appropriate personal data will be processed.
• Properly manage the personal data held.
• Ensure the accuracy of personal data and correct or supplement such data on its own initiative or upon the request of data subjects.
• The personal data collected will be retained in accordance with the law or for specific lawful purposes, and will be kept for the period required by relevant laws and regulations or within the necessary retention period for the Group’s business needs.
• Respect the rights that the data subject can exercise over their personal data, and such rights shall not be waived or limited contractually in advance, including making an inquiry of, reviewing, requesting a copy of, supplementing, correcting, demanding the cessation of collection, processing or use of, and erasing his/her personal data, etc.
• Appropriate control measures should be adopted to ensure the security of personal data.
• The cross-border transfer of personal data shall comply with relevant laws and regulations, and may only be conducted under appropriate protective measures.
• Appropriateness and legality should be ensured when personal data is used under exceptions permitted by the PDPA.
• Establish and continuously maintain a personal data management system to implement the requirements of personal data protection.
• Identify internal and external stakeholders and the extent of their involvement in the governance and operation of the personal data management system.
• The Group shall properly keep records of the collection, processing or use of personal data.
• The disclosure of personal data to third parties shall comply with the requirements of relevant laws and regulations. If the Group outsources collection, processing or use of personal data to other government agencies/ non-government agencies, it shall supervise the outsourced parties appropriately to meet the requirements of the Group's personal data management.

II. The Group's purposes regarding collection, processing, use and cross-border transfer of your personal data, the types of the personal data and the period, areas, parties and methods of which the personal data is used are as follows:

1. Purposes regarding collection, processing, use and cross-border transfer of your personal data: consumer protection; marketing (including cross-selling); facilitating cross-industry collaboration; enhancement of customer convenience; collection, processing and use of personal data by the financial service industry in accordance with laws and regulations and the needs of financial supervision; financial dispute resolution; financial supervision, administration and inspection; collection, processing and use of personal data by non-governmental agencies as defined by law; contract, quasi-contract or other legal relationship matters; consumer, customer management and services; business and technical information; information (communication) services; information (communication) and database management; information and communication security and management; advertisement or commercial conduct administration; investigation, statistics and research analysis; risk identification; strengthen risk control; supervision and management of the Group; other financial management business; other business operation in accordance with the business registration or the articles of association; other advisory and consultant services; lucky draw event and gift dispatch.
2. Types of personal data: including but not limited to your basic information (e.g., name, ID number, passport number, residence permit, date of birth, domicile/residence/work/email address, contact information, marriage, family, education, occupation, financial situation, transaction information and other related information (including accounting, credit, investment, insurance, etc.), audio, video files, mobile and network media device location information (such as mobile device ID, mobile device location , social network information, Internet Protocol (IP) address, internet browsing trajectories inside and outside the site, cookies) and other information that can directly or indirectly identify an individual as contained in various business application forms or contracts, and all information is subject to the information concerning the relevant business and services between you and the Group and the information provided by you or third parties, or actually collected.
3. Period of use: as a general rule, the retention period for personal data is five years, unless other retention period is necessary for the execution of the business (as the duration of the specific purpose), required by relevant laws and regulations (such as the Money Laundering Control Act, the Business Entity Accounting Act), or stipulated in individual contracts, whichever comes later shall prevail.
4. Parties of use:

4.1. The Group and the overseas branches of the Group.

4.2. The Institutions in relation to the Group's business (e.g., correspondent bank, Joint Credit Information Center, National Credit Card Center of R.O.C., The Taiwan Clearing House, TWSE, Taiwan Futures Exchange, Taipei Exchange, TDCC, Taiwan Integrated Shareholder Service Company, Financial Information Service Co., LTD., credit guarantee institutions, trade associations, stock issue companies, delivery banks, credit card international organizations, other relevant institutions authorized by law to handle stock business affairs, card acquirers and contracted merchant, electronic payment institutions, Taiwan Insurance Institute, Taiwan Insurance Guaranty Fund, Financial Ombudsman Institution, institutions or consultants that have contractual relationships or business transactions with the Group due to business needs (such as lawyers, firms, accountants, vendors), and other institutions designated by the competent authority for the relevant business, including those involved in business operations, as well as supervision, management, inspection, issuance, trading, credit investigation, transactions, delivery, stock affairs, etc., and recipients of internationally transferred personal data not restricted by the central competent authority, companies that are permitted by law to engage in cross-selling or to share and utilize customer data with the Group, entities collaborating with the Group for promotional purposes, outsourced business agencies, and third parties suppliers, companies that have reinsurance business with the Group).

4.3. Financial supervisory authorities, judicial authorities, tax authorities, or agencies with investigative powers according to law, as well as dispute resolution and credit investigation institutions.

4.4. Parties agreed by the customer (e.g., companies engage in cross-selling or collaborative use of customer data with the Group, companies collaborating with the Group to promote business).

5. Areas of use: the utilization areas of your registered personal data that may be used include both domestic and foreign locations of the aforementioned parties, including Taiwan (including Taiwan, Kinmen, Penghu, and Matsu regions), the locations of the Group’s overseas offices, the locations of correspondent banks, the locations of outsourced business agencies, the locations of business partners’ operation offices, etc.

6. Methods of use: processing and use by automatic machines or other non-automatic methods in compliance with relevant laws and regulations of personal data protection, including but not limited to written, electronic or cross-border transfer.

III. Source of personal data collected：

1. Direct collection from customers by the Group.
2. Information voluntarily disclosed by customers in public domain or lawfully disclosed by others.
3. Lawfully collected by the Group from third parties (e.g., persons acting as agents, representatives, or assistants of the data subject, third parties with whom the Group has relationships for data sharing, joint promotions, or other collaborations, or third parties engaged by the Group in connection with various business operations).

IV. In accordance with Article 3 of the PDPA and GDPR requirements, you may request to exercise the following rights concerning your personal data held by the Group using the contact information (e-mail: ir@kgi.com; telephone: (02)2763-8800) that the Group provided:

1. Excluding the circumstances described in Article 10 of the PDPA, you may inquire, request to review, and request to obtain copies of your personal data from the Group. However, the Group may charge a fee to cover its necessary costs in accordance with Article 14 of the PDPA.
2. You may request to supplement or correct your personal data from the Group. However, in accordance with Article 19 of the Enforcement Rules of the PDPA, you shall appropriately explain the reasons and facts.
3. In the event the Group violates the provisions of the PDPA in collecting, processing, or using your personal data, you may request the Group to erase the personal data collected or cease collecting, processing or using the personal data according to Article 11, Paragraph 4 of the PDPA.
4. According to Article 11, Paragraph 2 of the PDPA, in the event of a dispute regarding the accuracy of the personal data, you may request the Group to cease processing or using your personal data. However, according to the provision in the same paragraph, this provision does not apply as the processing or use is either necessary for the Group to fulfill its official or business duty, or has been agreed to by you in writing, and the dispute has been recorded.
5. According to Article 11, Paragraph 3 of the PDPA, when the specific purpose of personal data collection no longer exists, or upon expiration of the relevant period, you may request the Group to erase or cease processing or using your personal data. However, according to the provision in the same paragraph, this provision does not apply as the processing or use is either necessary for the Group to fulfill its official or business duty or has been agreed to by you in writing.
6. You may request for restriction of processing and data portability from the Group.
7. You may request not to be subject to automated profiling your personal data and not to process your personal data for direct marketing purposes from the Group.

V. If the Company collects your personal data as lawfully provided by its subsidiaries, the Company hereby informs you of the above in accordance with Article 9, Paragraph 1 of the PDPA. You may also refer to the respective subsidiaries’ official websites for relevant personal data notification information.

For the exercise of the above rights, if such exercise of rights fails to comply with the application procedure, or where the Group bears the obligation to preserve the personal data according to the laws, or where the laws specified otherwise, it may not be handled according to your request. You may choose, on your own decision, whether to provide relevant personal data and the type of data. However, if the personal data and type of data that you refuse to provide is necessary for the business review or operation, the Group may not be able to perform necessary operations such that relevant services cannot be provided to you, or optimal services cannot be provided.

In addition, please carefully read the above statements before providing, registering, or using your personal data on this website. If you continue to use this website, or complete and submit your personal data, it will be deemed that you have fully understood and agreed to the above statements.

The Group will collect, process, use and internationally transfer your personal data in accordance with the content of this notification statement. Within the scope of this notification statement, the Group will not provide separate or repeated notifications regarding the collection, processing, use, and international transfer of your personal data.

To protect your rights and interests, please carefully read the above notification. However, in response to changes in the social environment, laws, and technological advancements, and to protect customers' personal data rights, the Group reserves the right to revise this notification statement at any time and will promptly update it on the website.

 

(202604 version)