Taishin Holdings-Sustainability

Privacy Protection

Protection Policy of Personal Information

Taishin has a personal information protection policy in place to ensure legitimate collection and use of customers' and employees' personal data. This policy is constantly reviewed and revised in line with changes in regulation. In addition to conducting regular inspections on the security of personal information, Taishin also assesses possible personal information risks and uses the findings to establish proper management practices, responses, reporting channels and preventions for incidents such as theft, alteration, destruction, loss or leakage of personal information, and thereby enforce the personal information protection system of the organization.

Taishin continues to execute training programs that are aimed at raising employees' awareness and respect towards personal information and promoting thorough understanding of relevant legal requirements, responsibilities, systems, procedures and measures the organization has in place for the protection of personal information.

Training for Protection of Personal Information in 2022

Target Courses Coverage Rate (%) Completion Rate (%)

New recruits (to complete training within six months after coming onboard)

- Online course on personal information protection
- Compliance and behavior guidelines

General employees

- Personal information protection reminder publications
- Online course on information security and personal information protection
- Classroom course on personal information protection

Contact person for personal data (or delegate representative) for each division

- Personal data violations response drills
- Personal data inventory training

Contact person or emergency response team of personal data management for each division

- Publicity of personal data protection cases/symposium for legal compliance
  supervisors
- Publicity of laws and regulations and penalties
- Personal information infringement response drills

Personal Information Protection Measures

In terms of improving the response capacity of personal data infringement incidents and the crisis awareness of all personnel, Taishin has specially formulated the "Personal Data Infringement Incident Management Standards" to effectively implement emergency response and handling. When a personal information infringement incident occurs, the supervisor must be notified immediately and Complete the risk assessment and event classification within the time limit, and set up an emergency response team according to the impact of the event to carry out the response, coordination, communication and investigation of related events.

Also, in order to respect the rights customers’ rights to exercise their personal data, Taishin’s subsidiaries have formulated “Operating Rules for Exercising the Rights of the Parties” based on their own business requirements, specify customers’ personal data’s inquiry, viewing, copying, supplement, correction, deletion and the right to stop collection, processing and use.

Taishin FHC takes Personal Information Protection very seriously. In order to increase the level of security management, Taishin Bank engages certified public accountants to review the personal data protection project. The certified public accountants have since 2022, been adopting the agreement procedure method to review the effectiveness of the design and execution of the internal control system of the Bank’s personal data protection, and has included it into the Bank’s Statement on Internal Control. No significant abnormalities were found in 2022. Also, Taishin Life has delegated SGS Taiwan Ltd. in performing verification on April 29, 2022, and was recommended as an organization which complies with the requirements of BS10012:2017 Personal Information Management System certification.

The Handling of Each Level of Incident and the Reporting Level

Incident Classification The level at which the incident is handled The time requirement for handling the incident The Level at which the Incident is Reported

Level 1 Incident

Personal Information Protection Implementation Department

Must be handled within 2 days.Supervisor of said department/Legal compliance unit

Supervisor of said department/Legal compliance unit

Level 2 Incident

- Shall complete the reporting within the deadline set by the Company's internal department
- The emergency response team shall draw up a response plan within 2 working days.
- In accordance with the “Financial Supervisory Commission Designated Non-government Agencies’ Personal Data File Safety Maintenance Measures”, report to the Financial Supervisory Commission within 72 hours for any major personal data incidents.

- Presidant
- Other parties to report to in accordance with internal regulations, include but not limited to Personal Data Protection Committee members, etc

• Level 1 incident: Less than 100 cases of security incidents such as theft, tampering, damage, loss, leakage, etc. of personal data or incidents that meet the definition of other internal regulations.
• Level 2 incident: More than 100 cases (inclusive) of major incidents such as theft, tampering, damage, loss, leakage of personal data which endanger the Company’s normal operations.

Grievance Mechanism of Personal Information

Taishin attaches great importance to the protection of personal information, and customers can raise questions or file complaints through different channels. If the results of an investigation confirm a violation of personal information, we will take disciplinary actions (e.g., downgrading of performance evaluation, withholding of bonuses, and internal penalties). We shall also propose specific system and process improvements to address the root cause of the complaint and avoid the recurrence of similar situations. The cases are compiled and submitted to the Fair Customer Treatment and Consumption Review Committee and the Board of Directors each quarter. The management department unit shall continue to monitor improvements to ensure implementation.

Brand story

Business Philosophy

Management Team

Organization Chart

Milestones

Performance Review

Monthly Results

Financial Statement

Legal Disclosure

Dividend Policy & Payout

Shareholders' Meeting

Annual Report

Shareholder Structure

Analyst Coverage

Transfer Agency

Board Members

Director Election Process

Major Resolutions

Audit Committee

Remuneration Committee

Risk Management Committee

Nomination Committee

Corporate Sustainability Committee

Organization and Operation of Internal Audit

Statement of Internal Control System

Message from the Chairman and the President

Sustainability Performance and SDGs

Sustainability Committee Operations

Corporate Governance and Business Integrity

Risk Management and Internal Control

Information and Transaction Security

Operatonal Continuity and Technology Risk Management

Sustainable Supplier Management

AML/CFT

Sustainable Policies and Actions

Responsible Investment and Lending

FinTech/Digital Innovation

Customer Relationship Management and Consumer Protection

Protection of Privacy

Financial Inclusion

Net zero emission goal

Climate-related financial disclosures

Environmental Management Framework

Energy Conservation and Carbon Reduction

Waste Management and Water Resource Management

Talent Development

Remuneration, Benefit & Employee Care

Occupational Health Safety

Labor-Management Relations

Human Rights and Gender Equality

Social Involvement Strategy

Local Caring

Arts and Culture Development

Sports Sponsorship

Academic Exchange

Stakeholder Identification and Engagement

Material Topics Identification

Feedback

Privacy Protection