Taishin Holdings-Sustainability

Privacy Protection

Privacy Protection Policy and Management Mechanism

To maintain the security of personal information, Taishin has formulated regulations on the protection and management of personal information. Taishin has reviewed the appropriateness of these regulations in accordance with the law to ensure the legal collection and use of personal information of customers and employees. In addition to regularly checking the current status of personal data security maintenance and evaluating possible risks to personal data, Taishin also establishes appropriate management mechanisms based on the results of the risk assessment, and formulate contingency, notification, and prevention mechanisms to implement personal data protection and management measures for security incidents such as theft, alterations, damage, loss, or leakage of personal data.

Privacy Protection Measures

To enhance the ability to respond to personal data infringement incidents and raise the risk awareness of all employees, Taishin has formulated the "Personal Data Infringement Incident Management Standards" to effectively implement emergency response and handling. When a personal data infringement incident occurs, the supervisor shall immediately be notified supervisor and the risk assessment and classification of the incident must be completed within the time limit. Depending on the extent of the impact of the incident, an emergency response team shall be set up for the response, coordination, liaison, and investigation of the incident. Taishin adopts the principle of zero tolerance for personal privacy infringement

Also, in order to respect the customers’ rights to their personal data, Taishin’s subsidiaries have formulated “Operating Rules for Exercising the Rights of the Parties” based on their own business requirements, specify customers’ personal data’s inquiry, viewing, copying, supplement, correction, deletion and the right to stop collection, processing and use.

Personal Information Infringement reporting procedure (Taishin Bank example)

The handling of each level of incident and the reporting level

Incident Classification The level at which the incident is handled The time requirement for handling the incident The level at which the incident is reported

Level 1 (Note1)

Personal Information Protection Implementation Department

Must be handled within 2 days.

Supervisor of said department/Legal compliance unit

Level 2 (Note2)

Emergency Response Team

- Shall complete the reporting within the deadline set by the Company's internal department.
- The emergency response team shall draw up a response plan within 2 working days.
- In accordance with the “Financial Supervisory Commission Designated Non-Government Agencies’ Personal Data File Safety Maintenance Measures”, report to the Financial Supervisory Commission within 72 hours for any major personal data incidents.

- Presidant
- Other parties to report to in accordance with internal regulations, include but not limited to Personal Data Protection Committee members, etc

Note 1: Level 1 incident: Less than 100 cases of security incidents such as theft, tampering, damage, loss, leakage, etc. of personal data or incidents that meet the definition of other internal regulations.
Note 2: Level 2 incident: More than 100 cases (inclusive) of major incidents such as theft, tampering, damage, loss, leakage of personal data which endanger the Company’s normal operations

To strengthen the awareness on personal protection and establish a corporate culture of respect for personal information, Taishin continues to promote education and training on personal information protection so that employees understand the requirements of relevant laws and regulations. Furthermore, allow employees fully understand the scope of responsibilities, mechanisms, procedures, and measures for personal information protection.

Training for Protection of Personal Information in 2023

Target Courses Coverage Rate (%) Completion Rate (%)

New recruits (to complete training within six months after coming onboard)

- Online course on personal information protection
- Compliance and behavior guidelines

General employees

- Personal data protection special issue
- Online course on personal information protection
- Classroom course on personal information protection

Contact person for personal data (or delegate representative) for each division

- Personal data violations response drills
- Personal data inventory training

Contact person or emergency response team of personal data management for each division

- Publicity of personal data protection cases/symposium for legal compliance supervisors
- Publicity of laws and regulations and penalties
- Personal information infringement response drills

Internal/External audit defects

Taishin FHC attaches great importance to the security of personal information protection. In 2023, Taishin Bank commissioned an accountant to conduct an audit of the implementation of personal data protection in accordance with the agreed procedures, and no major irregularities were found after the implementation of the agreed procedures.

To establish a comprehensive personal information management system, Taishin Life appointed SGS Taiwan on April 29, 2022 to perform the certification and was recommended by SGS Taiwan as an organization that meets the requirements of BS10012:2017 Personal Information Management System (PIMS). In 2023, we continued to pass the PIMS certification.

Grievance Mechanism of Personal Information

Taishin attaches great importance to the protection of personal information, and customers can raise questions or file complaints through different channels. If the results of an investigation confirm a violation of personal information, we will take disciplinary actions (e.g., downgrading of performance evaluation, withholding of bonuses, and internal penalties). We shall also propose specific system and process improvements to address the root cause of the complaint and avoid the recurrence of similar situations. The cases are compiled and submitted to the Fair Customer Treatment and Consumption Review Committee and the Board of Directors each quarter. The management department unit shall continue to monitor improvements to ensure implementation.

Brand story

Business Philosophy

Management Team

Organization Chart

Milestones

Performance Review

Monthly Results

Financial Statement

Legal Disclosure

Dividend Policy & Distribution

Shareholders' Meeting

Annual Report

Shareholder Structure

Analyst Coverage

Transfer Agency

Board Members

Director Election Process

Major Resolutions

Audit Committee

Remuneration Committee

Risk Management Committee

Nomination Committee

Corporate Sustainability Committee

Organization and Operation of Internal Audit

Statement of Internal Control System

Message from the Chairman and the President

Sustainability Performance and SDGs

Sustainability Committee Operations

Corporate Governance and Business Integrity

Risk Management and Internal Control

Information and Transaction Security

Operatonal Continuity and Technology Risk Management

Sustainable Supplier Management

AML/CFT

Sustainable Policies and Actions

Responsible Investment and Lending

FinTech/Digital Innovation

Customer Relationship Management and Consumer Protection

Protection of Privacy

Financial Inclusion

Net zero emission goal

Climate-related financial disclosures

Environmental Management Framework

Energy Conservation and Carbon Reduction

Waste Management and Water Resource Management

Talent Development

Remuneration, Benefit & Employee Care

Occupational Health Safety

Labor-Management Relations

Human Rights and Gender Equality

Social Involvement Strategy

Local Caring

Arts and Culture Development

Sports Sponsorship

Academic Exchange

Stakeholder Identification and Engagement

Material Topics Identification

Feedback

Privacy Protection