Privacy Protection Procedure for UMC Websites
UMC

1. Purpose


The purpose of this “Privacy Protection Procedure (hereinafter referred to as “Procedure”)” is to protect the personal data collected, processed, used and internationally transferred by United Microelectronics Corporation (hereinafter referred to as “UMC”), and to prevent such personal data from being stolen, altered, damaged, destroyed, or disclosed, which could cause damage to the privacy rights and interests of individuals.


2. Scope


This Procedure applies to individuals who provide personal data to UMC; both within and/or outside of UMC, such individuals are referred to as “Data Subjects”, “Data Subjects” include but not limit to: UMC’s employees, suppliers, and contractors; employees of UMC's customers, suppliers, contractors, and other business partners; as well as UMC's job applicants, website visitors, and visitors to UMC.


3. Personal Data Security Management Procedures


UMC is establishing different retention periods for personal data depending on the purpose of collection and use. In addition, UMC will implement appropriate technical and organizational security measures in compliance with legal requirements or industry standards. These measures are designed to prevent security breaches, which may result in the accidental or unlawful damage, destruction, alteration, disclosure, access, transfer, storage, or processing of personal data (hereinafter referred to as “Personal Data Security Incidents”).


3.1 UMC has allocated personnel and resources to regularly implement supervision measures for the protection of personal data, thereby ensuring the effective implementation of internal protection measures.


3.2 UMC will conduct regular and timely monitoring of personal data files held by each of its unit (function/division), as well as their procedures for collecting, processing, or using personal data. Based on these monitoring, lists of personal data files and working flow documents explaining the procedures for handling personal data will be created as required by UMC. The personal data files will be classified and managed according to different scopes, such as general personal data and sensitive personal data.


3.3 UMC will periodically assess the legal and other risks that associated with the collection, processing, or use of personal data, and establish appropriate control and response measures.


3.4 UMC has implemented control mechanisms for data, system, and network access, as well as protection mechanisms for devices and peripheral environments related to personal data handling. These measures aim to ensure file security and prevent data leakage or theft. Regarding personal data files processing, UMC has established monitoring measures to ensure the use of secure and well-controlled software and hardware devices, and has adopted protective and monitoring software for personal data protection and recording.


3.5 Regarding the necessity of encrypting personal data, UMC will adopt appropriate encryption measures during its collection, processing, and use. In the case of personal data that requires backup/archiving, UMC will take appropriate protective measures for the data backup/archiving.


3.6 When transmitting personal data, UMC will take appropriate security measures based on the different methods of transmission. If personal data is to be transferred internationally, UMC will review whether there are any restrictions imposed by the competent authorities and inform the Data Subjects of the region to which their personal data will be transferred. At the same time, UMC will take appropriate supervision over the data recipients.


3.7 To safeguard the security of personal data, UMC has established strict confidentiality obligations for employees and implemented appropriate controls and configurations for the management of personal data.


3.8 UMC will provide regular education and training to our employees on personal data protection, management systems, and relevant laws and regulations. This will improve their understanding of the importance of personal data protection, increase their awareness of the legality and security of collecting, processing, and using personal data and help them properly safeguard personal data.


4. Procedures for Collecting, Processing, and Using Personal Data.


4.1 UMC shall collect, process, and use personal data in good faith, only for specific purposes, and in a manner reasonably connected to the intended purposes of collection.


4.2 When collecting or processing personal data, specific purposes and corresponding situations shall be identified. When using personal data, it should be limited to the necessary scope of the collection purpose and remain consistent with it. Personal data must not be used illegally.


4.3 Each unit of UMC shall regularly review the effectiveness and availability of personal data, and delete or destroy unnecessary personal data. If the specific purpose of data collection no longer exists, or upon expiration of the relevant time period, or if the collection is illegal, each unit shall, on its own initiative or upon the request of the Data Subjects, delete or destroy the personal data, unless the processing or use is necessary for the performance of a business duty or has been agreed to by the Data Subjects in writing. Each unit shall record and confirm the results of its deletion or destruction of personal data in an appropriate manner.


4.4 If any illegal collection, processing, or use of personal data occurs, the relevant unit shall cease collecting, processing, or using the personal data on its own initiative or upon the request of the Data Subjects.


4.5 Each unit of UMC shall, on its own initiative or upon the request of the Data Subjects, stop processing or using personal data in the event of a dispute regarding its accuracy, if the specific purpose of data collection no longer exists, or when the relevant time period has expired. Processing or use may continue if it is necessary for the performance of a business duty or if agreed to by the Data Subjects in writing, provided that the dispute has been recorded.


4.6 Each unit shall accurately record any personal data that has been ceased from processing or use.


5. Procedures for Handling Personal Data Security Incidents.


5.1 Investigation and Emergency Response Procedures for Personal Data Security Incidents


5.1.1 When any unit of UMC becomes aware of and preliminarily confirms that there has been a Personal Data Security Incident, it shall immediately report it to UMC’s Personal Data Protection Implementation Task Force (hereinafter referred to as “PDP Task Force”). Subsequently, the PDP Task Force will notify and inform the relevant Supervisory Authority and parties in accordance with the laws.


5.1.2 After receiving a report of any Personal Data Security Incident, the PDP Task Force shall establish an emergency response team based on the nature and situation of the incident, and address the following matters: (1) Conduct an incident analysis within 24 hours of receiving the report. The incident analysis shall confirm the type and severity of the incident, the scope of impact, media exposure risk control, and the cause of the incident. (2) Immediately after the incident analysis, UMC shall develop incident response procedures and contingency measures to prevent the incident from expanding and take evidence preservation measures to avoid changes or alterations to the original electromagnetic recording and evidence. (3) Once the incident is identified, UMC shall promptly communicate with the Data Subjects about the facts of the infringement and the measures taken in an appropriate manner. (4) UMC shall report the incident in a timely manner according to the laws.


5.1.3 After a Personal Data Security Incident occurs, the relevant unit of UMC shall pay attention to media reports. If there is public concern, it is necessary to explain and clarify to the public. The emergency response team shall work closely with the Corporate Communications Division to respond effectively.


5.1.4 UMC will assess the need to report and notify affected parties of Personal Data Security Incidents to parties concerned based on the circumstances of each incident, and will report and notify in accordance with applicable personal data protection laws and regulations.


A. Notification to the Supervisory Authority


(1) UMC shall notify the competent supervisory authority of any Personal Data Security Incident that may jeopardize the normal operation of UMC or the rights and interests of a large number of Data Subjects, in accordance with the relevant personal data protection laws and regulations. Such notification shall be provided no later than 72 hours after UMC becomes aware of the incident, unless the Personal Data Security Incident is unlikely to result in a risk to the rights and freedoms of Data Subjects. If the notification is not made within 72 hours or does not provide all information at once, UMC shall provide reasons for the delay or provide the information in stages.


(2) The notification shall include the date and time of the Personal Data Security Incident and its discovery, the type and nature of the incident, the scope and description of the personal data affected (related Data Subjects, categories, and quantities), the cause and summary of the incident, the damage caused, the potential consequences of the Personal Data Security Incident, the measures to be taken in response, the time and method of notifying the Data Subjects involved, and the name and contact information of UMC's contact person.


B. Inform the Data Subjects in such incident.


(1) UMC shall communicate any Personal Data Security Incident that is likely to result in a high risk to the rights and freedoms of Data Subjects to the affected Data Subjects without undue delay, depending on the specific circumstances of the incident. This communication shall be expressed in clear and plain language and may be delivered through email, text message, prominently displayed on UMC’s website, postal mail or advertised in prominent newspapers.


(2) The communication shall include the date and time of the Personal Data Security Incident and its discovery, the type and nature of the incident, the scope and description of the personal data involved (related Data Subjects, categories, and quantities), the cause and summary of the incident, the extent of the damage, the potential consequences of the Personal Data Security Incident, the proposed response measures, and the name and contact information of UMC's contact person.


5.2 After completing the process mentioned in Article 5.1, each unit shall review the causes of the incident and develop improvement plans to prevent future incidents. If necessary, risk assessment may need to be re-evaluated and personal data management mechanisms may need to be redesigned. Each unit shall prepare a Personal Data Security Incident handling report based on the accident review and improvement plan. This report shall be approved by the first-level supervisor of that unit and submitted to UMC's PDP Task Force for record keeping. When necessary, the PDP Task Force may convene a policy review meeting.


5.3 Measures Taken Following Occurrence of Personal Data Security Incidents
UMC will impose disciplinary actions on employees who violate this Procedure in accordance with “The Award and Penalty Measure”. In addition to verbal and written warnings, any employee who misuses others' personal data without their responsible manager’s consent, and not for business purpose, will be deemed to have committed a serious violation of Article 12, Paragraph 4 of the Labor Standards Act. This violation constitutes a breach of the employee's labor contract or work rules, and UMC may terminate their employment without prior notice. Furthermore, UMC may file civil or criminal lawsuits against violators and seek provisional remedies, such as provisional attachment, provisional injunction, or application for a confidentiality preservation order.


6. Procedure for the Acceptance of Data Subjects Rights Exercise


6.1 When Data Subjects exercise their rights under the relevant personal data protection laws, they shall complete UMC's Data Privacy Request Form and attach the relevant supporting documents.


6.2 When Data Subjects submit their request, UMC shall confirm their identity or that of their agent and may request relevant information for identity verification. UMC shall respond within the period prescribed by the relevant personal data protection laws and regulations. If there are grounds for refusing the request under the laws, UMC shall notify the Data Subjects of the reasons for such refusal.


6.3 The exercise of the rights of the Data Subjects shall be done by themselves. If the Data Subjects are unable to do so personally, they may appoint an agent to act on their behalf. When applying through an agent, a power of attorney and proof documents from both parties shall be provided.


6.4 When Data Subjects request correction or supplementation of their personal data, UMC shall request that the Data Subjects state the incorrect or incomplete items, provide reasons for correction or supplementation, and supply relevant supporting documents.


7. Outsourcing Supervision Procedures


7.1 Any third party that UMC outsources to collect, process, or use personal data shall be subject to appropriate supervision by UMC.


7.2 When selecting an outsourcing contractor, UMC shall include the status of maintenance for personal data security measures as an evaluation item.


7.3 After selecting an outsourcing contractor, the outsourcing agreement shall include the following supervision matters and methods: (1) the scope, categories, specific purposes, and duration of the collection, processing, or use of personal data; (2) the security measures implemented by the contractor; (3) if there is subcontracting, the name of the sub-contractor; (4) matters to be notified to UMC and remedial measures to be taken in the event that the contractor or its employees violate applicable personal data protection laws and regulations; (5) any matter reserved for instructions of UMC; and (6) the return of personal data carriers and the deletion of personal data held by the contractor in storage when the entrusted relationship is terminated or revoked.


7.4 UMC shall periodically assess the contractor's performance and document the results. If needed, UMC itself or its designated professional personnel may conduct on-site inspections and provide written feedback, requesting that the contractor make improvements within a specified timeframe. Alternatively, the contractor may conduct self-checks based on the current situation and provide operational instructions and supporting materials.
7.5 When the outsourcing relationship is terminated or rescinded, UMC shall request the contractor to, delete, destroy or return any personal data obtained during the execution of the outsourcing matter. The contractor shall also provide records of the time, method, location of the deletion, destruction or return of the personal data. If necessary, on-site visits may be conducted.

 

8. The Responsible Unit


8.1 The Global Compliance Division is responsible for providing consultation on matters related to privacy and personal data protection, as well as the interpretation and maintenance of this Procedure.


8.2 UMC shall establish a Personal Data Protection Implementation Task Force. The PDP Task Force will be a permanent task force composed of two conveners, who are managers from both the Global Compliance Division and the Corporate Security Division. They shall be responsible for promoting, coordinating, and supervising UMC's personal data protection management matters. The personal data protection contact person of each unit will be an ex officio member of UMC PDP Task Force. The duties of the UMC PDP Task Force are as follows: (1) drafting UMC's personal data protection management system and supporting measures; (2) assisting the Global Compliance Division in conducting professional training and advocacy on personal data protection-related laws and regulations; (3) addressing the personal data breaches and reporting the Personal Data Security Incidents; and (4) handling other personal data protection implementation matters.


8.3 Each unit that collect, process, use, and transfer personal data internationally shall be accountable for its collection and use of the personal data, as well as the relevant protection measures. Each unit shall establish a personal data protection contact person to handle the following matters: (1) coordination and contact of personal data protection business; (2) notification and reporting of Personal Data Security Incidents; and (3) aggregation of personal data records.


8.4 The audit tasks related to UMC's management of personal data protection include: (1) reviewing the operations of personal data protection in each internal unit; (2) recording and reporting audit results; (3) properly preserving audit documents and complying with confidentiality regulations; and (4) tracking improvement measures.


9. Reference


001-103-030 Personal Information Protection Management Measure
001-103-028 The Award and Penalty Measure
00E-600-014 UMC’s Personal Data File Security Maintenance Plan and Methods of Disposing Personal Data After Business Termination

 

We value your privacy
Our website uses cookies to enhance user experience and functionality, and to analyze how this site is used in order to make future improvements. Select “Allow All Cookies” to continue, or go to “Manage Cookies” to set your preferences.
Allow All Cookies
Manage Cookies
We value your privacy
For the best user experience, select "Allow All" to consent to the use of all cookies. You can also choose to disable performance & functional cookies below. For more detail about the type of cookies used by UMC and third parties on this website, please refer to our Cookie Policy .
Allow All
Manage Consent Preferences
  • Essential Cookies
    Always Active
    These cookies are essential in order to enable you to move around the website and use its features, such as setting your privacy preferences, logging in or filling in forms. Without these cookies, services requested through usage of our website cannot be properly provided. Essential cookies do not require consent from the user under applicable law. You may configure your web browser to block strictly necessary cookies, but you might then not be able to use the website’s functionalities as intended.
  • Functionality & Performance Cookies
    These cookies collect information about how visitors use a website, for instance which pages visitors go to most often, and how visitors move around the site. They help us to improve the user friendliness of a website and therefore enhance the user's experience.
Confirm