Privacy and Information Security Notice
The Overseas Community Affairs Council, Republic of China (Taiwan) (the “OCAC”) accepts, examines and approves online application for the i-Compatriot Card (iCC) via the iCC website (www.ocacocc.net, this “Website”), and provide iCC-related services (collectively, the “Service”). Thank you for using the Service.
Protecting your privacy is important to the OCAC. This Privacy Notice informs you of the OCAC’s policies regarding the collection, processing, use, protection and sharing (collectively, “processing”) of your personal data (i.e., information that directly or indirectly identifies, relates to, describes or is reasonably capable of being associated with you, also referred to as “data”) when you use the Service, and the rights and choices you have about your personal data. The OCAC suggests that you read this Privacy Notice carefully.
When you use the Service, the collection, processing, use, protection and disclosure of your personal data by the OCAC are bound by this Privacy Notice. Where the OCAC relies on your consent for processing of your personal data, it will ask for your consent separately, in an appropriate manner. IF YOU DO NOT ACCEPT THIS PRIVACY NOTICE, PLEASE DO NOT USE THE SERVICE OR PROVIDE YOUR PERSONAL DATA TO THE OCAC.
- DATA THE OCAC COLLECTS
The categories of personal data the OCAC collects depend on the Service you use, and the requirements of applicable law.
- 1-1 Data You Provide Directly
- 1-2 Data the OCAC Collects Automatically
- 1-3 Data the OCAC Collects from Third Parties
●Application information: When you apply for an iCC via the Website, you provide information such as your Chinese name, English name, gender, date of birth, the continent and country you live in, your ROC national status, your email address, and a copy of your identification document (local passport, local residence permit or proof, ROC passport, ROC identity card, etc.).
●Account and profile information: If your iCC application is approved, you will be able to create an account with the Website, with which you provide your password and other profile information.
●Other information you choose to give the OCAC, such as when you provide your detailed locale in the iCC application, or submit your inquiry, comment or request, or otherwise communicate with the OCAC via the Service.
In the Service, the personal data the OCAC asks you to provide with data fields marked with an asterisk (*) or otherwise indicated as mandatory, are required in order to issue the iCC and to enable the Service. For example, if you do not provide your identification document, the OCAC will not be able to approve your iCC application. You may also have the option to provide the OCAC with additional personal data so that it can know more about you and personalize the Service for you.
●Information about your iCC, such as an automatically generated iCC number and a default password when your iCC application is approved.
●Information about your use of the Service, such as searches within and downloads of resources from the Service, and visits and clicks on a certain page.
●Information about your use of iCC Open ID for login and/or account creation on a different OCAC-operated website/service.
●Information about your device and network connection, such as your device name and operating system, browser type and language, and mobile device identifiers, IP address, mobile carrier, and internet service provider.
●Log information, such as log files, timestamps, website performance logs and error messages or reports.
●Approximate location information (e.g., country), as derived from IP address.
●Information that the OCAC collects with cookies or similar technologies (see Section 6 “Cookies and Similar Technologies” below).
The OCAC may also cooperate with third parties to provide the Service, such as its local offices, Authorized Stores, business chambers, industry associations, social networking sites, and data analytics providers, which may involve collecting supplementary information about you, such as:
●Information about your use of iCC Open ID for login and/or account creation on a website/service operated by a third-party partner (such as the EUCARE APP).
●Information that the OCAC receives if you link a third-party tool (such as Facebook, Twitter or Line) with the Service.
●Demographic data, such as those used to determine the continent or country you are in.
●Information for analytics purposes, such as cookie ID or mobile device ID, so that the OCAC could improve its Service’s functionality and provide you a better Service.
Please be advised that the third-party tool, platform or other service you use may operate under their own terms of service and privacy policies, which may be different from those of the Service (see Section 10 “Links to Other Sites” below).
- WHY AND HOW THE OCAC PROCESSES YOUR DATA, LEGAL BASES
- 2-1 To Enable and Improve the Service
- 2-2 To Help Improve Public Service
- 2-3 To Customize Your Service Experience and Promote the Service
- 2-4 To Comply with Applicable Law
- 2-5 Additional Purposes with Your Consent
- RETENTION OF YOUR DATA
- SHARING OF YOUR DATA
The OCAC will not rent, loan, exchange or sell your data to any third party. Your data may only be accessed by a third party in the following situations.
- 4-1 Service Providers
- 4-2 Public Authorities, Other Organizations
The OCAC may employ third-party services to facilitate its Service, to provide the Service on its behalf, or to help it improve the Service. These third-party service providers may process your data, only at and according to the OCAC’s instructions, for purposes of Service-related tasks, such as hosting, user support, service promotion, analytics and fraud prevention. The OCAC also ensures that these service providers are contractually obligated to take appropriate organizational and technical measures to ensure safety of your data. Such third-party services include:
●The OCAC works with its local offices that may assist with the operation of the Service.
●The OCAC uses services of external suppliers to assist with the operation and maintenance of the Website.
●The OCAC uses third-party analytics services to understand how the Service is used, to optimize user experience, to facilitate the continuous development of the Service, and to help with its promotional activities.
In accordance with the applicable law and/or per a legally made request, the OCAC may provide your data to other public authorities. The OCAC may also disclose your data based on your consent, or to protect the rights, property or safety of the OCAC, the Service users or others. For example, where the OCAC reasonably suspects that you have engaged in activities in violation of rules and regulations on iCC uses, the OCAC may provide your data to an external body for investigation purposes.
- DATA SECURITY
- COOKIES AND SIMILAR TECHNOLOGIES
- INTERNATIONAL TRANSFERS
- CHILDREN’S PRIVACY
- YOUR RIGHTS AND OPTIONS
- 9-1 Your Rights
- 9-2 Promotional Communications
- 9-3 Unnecessary Cookies and Similar Technologies
You have rights under privacy/data protection law. The rights available to you depend on the OCAC’s reason for processing your data, and the applicable law, which may include:
●Right of access: the right to access and ask the OCAC for a copy of your personal data that the OCAC processes, and information on how the OCAC processes your data (such as purposes of processing, sources of the data, your rights, etc.).
●Right to rectification: the right to ask the OCAC to rectify or update your personal data that you think is inaccurate or incomplete.
●Right to erasure: the right to ask the OCAC to erase/delete your personal data, under conditions prescribed by the law.
●Right to restriction of processing: the right to ask the OCAC to restrict temporarily or permanently the processing of your personal data, under conditions prescribed by the law.
●Right to object to processing: the right to object to the OCAC’s processing of your personal data, under conditions prescribed by the law.
●Right to data portability: the right to request the OCAC to transfer the personal data you have provided it in a structured, commonly used and machine-readable format directly to you, or to another party to the extent technically feasible, under conditions prescribed by the law.
●Right not to be subject to automated decision-making: the right to not be subject to a decision based solely on automated decision making (including profiling) with your personal data, where the decision would have a legal effect on you or produce a similarly significant effect.
Where the OCAC processes your personal data on basis of your consent, you will always have the right to withdraw your consent at any time. Please note your withdrawal of consent does not impact the lawfulness of processing prior to such withdrawal, and that the OCAC may rely on other legal bases to process that personal data after your withdrawal.
If you wish to exercise any of your data subject rights described above, you can make a request via the Contact Us feature on the Website, or by contacting the OCAC with the details listed in Section 12 below. The OCAC will respond to all requests in accordance with applicable laws and within a reasonable timeframe. To protect your privacy, the OCAC may also take additional steps to verify your identity before fulfilling your request.
If you have an unresolved privacy or data use concern that the OCAC has not addressed satisfactorily, the OCAC hopes that you will continue to work with the OCAC to resolve them. However, you also have the right to lodge a complaint with your local data protection authority (if applicable).
With your consent, the OCAC may use your personal data to contact you with newsletters, promotional materials and other information that may be of interest to you. You may object to data processing for such purposes at any time. You may opt out of receiving any, or all, of these communications from the OCAC by following the instructions provided in such communications. The updated settings may not be effective immediately, but the OCAC will follow your instructions as soon as reasonably feasible. Please note that you may still continue to receive non-promotional emails from the OCAC, such as important changes regarding the Service or updates to this Privacy Notice.
You may opt out of unnecessary cookies and similar technologies by disabling them in your browser, or by refusing them in your device’s privacy settings. You may consult official support information pages (usually entitled “Privacy”) to learn how to disable cookies on a particular browser/device. The following links may also contain useful information.
- LINKS TO OTHER SITES
- CHANGES TO THIS PRIVACY NOTICE
- CONTACT THE OCAC
Upon your application for the iCC, the OCAC processes your data for a variety of public service and policy purposes, as further detailed below.
On basis of necessity for the performance of a task carried out in the public interest or in the exercise of official authority vested in the OCAC (or, to the extent the General Data Protection Regulation (GDPR) applies, on basis of your consent, the necessity to perform the OCAC’s contract with you on iCC usage and the OCAC’s legitimate interest to provide its services), the OCAC collects, processes and uses necessary data to:
●Accept, examine and approve your iCC application, including by verifying your eligibility as an iCC holder.
●Assist you to activate and use the iCC, including by verifying your email and account credentials.
●Provide and deliver portions of the Service you request, including by processing your search requests for Authorized Store information, and allowing you to modify your profile information.
●Respond to your requests and provide customer support, including by forwarding your request to an appropriate team within the OCAC, and keeping an internal record of the processing of your request.
●Ensure the safety, security, and integrity of the Service, including by investigating and addressing any fraudulent iCC applications/card holders.
●Collect and aggregate metrics (such as the continent and country distribution of iCC users) to understand service performance and efficiency, so the OCAC can ensure and optimize service quality.
●Send you Service-related communications (such as security alerts and updates to the iCC rules of use), including by identifying relevant Service-related notifications for you, and keeping an internal record on the OCAC’s communication with you.
●Develop and test out new features of the Service, and undertake experimentation to evaluate new service components.
●Transfer, store or process your data in a third country where an OCAC facility, or a local office, supplier or partner is located. For more information, see Section 7 “International Transfers” below.
On basis of necessity for the performance of a task carried out in the public interest or in the exercise of official authority vested in it, the OCAC collects, processes and uses necessary data to:
●Aggregate iCC applicant and holder data into the OCAC’s internal overseas compatriot affairs information system, for more efficient management of the Service.
●Cross-reference and analyze iCC-related data with other data in the overseas compatriot affairs information system, for deepened understanding of the overseas community, provision of better public service, and contribution to the research and formulation of relevant public policy.
On basis of your consent, the OCAC collects, processes and uses necessary data to:
●Provide customized Service experience per your request made by enabling certain feature or device-based settings, such as accepting cookies for recording your language preference.
●Manage the relationship with you and seek your feedback on the Service.
●Provide related information, such as featured events, new Authorized Stores, promotional offers and other messages of interest via the Service as well as through other means (including by email).
●Track the content you access in connection with the Service and your online behavior, so that the OCAC can better understand your preferences, habits and needs.
●Deliver, target and improve the OCAC’s promotional practice.
The OCAC may use external services to promote and share with you information on its activities and services on third party platforms, on basis of data collected upon your access to the Service. This may include using cookies to inform, optimize and serve relevant promotional communications. The OCAC and its third-party vendors will always comply with the privacy settings on your device, and the applicable platform rules. For information on how to opt-out from such promotional communications, see Section 9 “Your Rights and Options” below.
In accordance with the applicable law, and/or the necessity to protect the vital interests of you or of another natural person, the OCAC collects, processes and uses necessary data to:
●Comply with a request by a competent court or other law enforcement authority.
●Establish, exercise or defend a legal claim, including by seeking the necessary legal advice.
With your consent, the OCAC may collect, process or use your data for additional purposes, such as to conduct stakeholder consultation for a proposed overseas community policy, or to use other smart services or value-added services. When the OCAC does so, it will always seek your prior consent.
The OCAC will retain your data as needed for the purpose for which your data are collected, as required for the applicable law, or for other legitimate purposes, such as for public policy research. The OCAC will not retain your personal data for longer than is necessary for its public service purposes or for legal requirements. The retention periods of your data are determined on a case-by-case basis that depends on the following factors:
●The length of time the OCAC will retain your data will generally be determined by how long it needs that data to provide you with the Service. For example, once the OCAC has finalized examination of your iCC application, it will remove copies of your identification document from its server. By contrast, the OCAC keeps basic iCC holder information (such as name, gender, date of birth, iCC number, etc.) as long as you remain an iCC holder.
●Legal reasons. In certain cases, the OCAC keeps your data for legal reasons, including when you request deletion of such data. For example, there may be instances where the OCAC is legally required to retain your data for a certain period of time.
When the OCAC no longer needs to retain your data, it may need a reasonable period of time to remove or anonymize that data from its server. Unless otherwise provided for under this Privacy Notice or permitted by and applicable law, the OCAC will not use any data in a way that might identify you after the purpose of collection of your data no longer exists.
The security of your personal data is important to the OCAC. Though no method of transmission or storage is 100% secure, the OCAC is continuously developing and implementing organizational and technical security measures, including pseudonymization and/or encryption of your data, and access control to OCAC-controlled servers, to safeguard the confidentiality, integrity and availability of your data, and to protect your data from unauthorized access or disclosure, destruction, loss, misuse or alteration.
Despite the OCAC’s endeavor to protect your personal data, there is an inherent risk of encountering an unexpected security breach. The OCAC has put in place procedures to deal with any suspected breach and will notify you and any applicable regulator of a breach where it is legally required to do so.
You may use your web browser settings to accept, refuse and delete cookies. You can instruct your browser to refuse all or a specific type of cookies. However, certain cookies are essential for the proper functioning of the Service. If you do not accept these essential cookies, you may not be able to use some portions of the Service. For information on how to manage unnecessary cookies and other similar technologies, see Section 9 “Your Rights and Options” below.
The OCAC operates the Service across the globe. Your data will generally be stored on servers controlled by the OCAC or its hosting service provider located in Taiwan. In exceptional cases, the OCAC may need to transfer your data to a different jurisdiction (a “third country”), which may be of a different level of privacy protection than that are applicable in yours. Where the OCAC does so, it relies separately, alternatively, and independently on the applicable legal bases. The OCAC takes steps to ensure that adequate safeguards and mechanisms are in place for the protection of your data.
If the OCAC transfers your personal data from the European Economic Area (EEA) to Taiwan or a third country, it ensures that an adequate degree of protection for your personal data as within the EEA, by implementing appropriate safeguards, which may include:
●The third country that your personal data are transferred to is one that recognized by the European Commission with an adequacy decision as offering an adequate level of protection.
●The OCAC uses standard contract clauses (SCC) adopted by the European Commission, to ensure that the recipient of your personal data in the third country is contractually obligated to provide an adequate level of protection.
●For transfers between the OCAC and another public authority, a legally binding and enforceable instrument with the public authority in question.
In the event that the above measures are not applicable for a particular transfer, the OCAC will rely on an appropriate derogation under the GDPR, such as:
●You have explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers due to the absence of an adequate degree of protection.
●The transfer is necessary for the performance of a contract or the implementation of precontractual measures taken at your request.
●The transfer is necessary for important reasons of public interest.
●The transfer is necessary for the establishment, exercise or defense.
If you would like to find out more about these safeguards, please contact the OCAC via the Contact Us feature on the Website, or by using the details listed in Section 12 below.
If you are a child younger than the age limit under the applicable law for independently giving valid consent to data collection (the “Restricted Age”, which under the current Taiwanese law is 20, and will be 18 from January 1, 2023), your application for an iCC and provision of personal data to the OCAC shall be subject to authorization by your parent/guardian.
If you are a parent or guardian and you are aware that your children have filed an iCC application or provided the OCAC with personal data without your authorization, please contact the OCAC. If the OCAC becomes aware that it has collected personal data from a child under the Restricted Age without parental authorization, the OCAC takes steps to remove that data from its servers, unless it has a legal obligation to keep such data.
The Service may contain links to other sites or services that are not operated by the OCAC, such as websites of the Authorized Stores. If you click on a third-party link, please understand that you are leaving the Service and any personal data you provide will not be covered by this Privacy Notice. The OCAC cannot control or be held responsible for third parties’ privacy practices and content that such links direct to. The OCAC strongly advises that you review their privacy policies.
The OCAC may update this Privacy Notice from time to time. The OCAC will notify you of any changes by posting the new Privacy Notice on this page, and by other means as appropriate under the circumstances. If the OCAC makes any material changes, it will notify you as required under applicable law, including by posting a notice in the Service prior to the change becoming effective. Your continued use of the Service after the effective date will be subject to the new Privacy Notice.
If you have any questions about this Privacy Notice, please contact the OCAC at:
Overseas Community Affairs Council, Republic of China (Taiwan)
3F., No.5, Xuzhou Rd., Zhongzheng Dist., Taipei City 10055, Taiwan (R.O.C.)
For contact details of the OCAC’s global offices in Europe, North, Central & South America, Africa, Australasia and Asia, please surf OCAC websitehttps://www.ocac.gov.tw/.
The OCAC has appointed a Data Protection Officer (DPO). You can reach the DPO at email@example.com or via the postal address indicated above. Please mark the envelope ‘Data Protection Officer’.