-
(A) Purpose
-
Innolux Corporation (“Innolux” or “Company”) has formulated the following Personal Data Protection and Privacy Policy (“Policy”) in accordance with the Republic of China’s Personal Data Protection Act and its Enforcement Rules, the European Union’s General Data Protection Regulation, and the personal data protection and privacy regulations applicable in the United States, Japan, and other jurisdictions where the Company has a presence for the purpose of protecting the personal data of the Company and its suppliers, external visitors, website visitors, investors, shareholders, and current and prospective employees. As a safeguard for the rights and interests of data owners, this Policy shall serve as a guiding principle for the Company’s management of data collection, processing, and use and shall apply to the Company’s suppliers, contractors, consultants, and other external partners.
-
(B) Definitions
-
General personal data
“General personal data” shall refer to any personal data that does not fall under the category of confidential personal data as described below but that may be used to directly or indirectly identify a person, including names, dates of birth, national identification numbers, passport numbers, marital/family status, educational background, employment/financial status, contact information, and participation in social activities.
-
Confidential personal data
“Confidential personal data” shall refer to any personal data that is sensitive or highly sensitive, including medical histories, healthcare records, genetic information, sexual orientation, health examination results, and criminal records.
-
Innolux may become privy to personal data when data owners browse or sign up on the Company’s website, respond to job vacancies posted by the Company, or otherwise interact with the Company. In principle, Innolux will not collect or process such personal data unless it is consistent with the purpose of this Policy, in which event the Company shall protect the personal data in accordance with the provisions stipulated herein.
-
(C) Scopes and sources of personal data
The scopes and sources of personal data shall be as follows:
-
Employees of clients and suppliers
Innolux may collect, process, and use the following personal data belonging to the employees of an Innolux client or supplier when they contact, communicate/collaborate with, or do business with the Company at a conference, business event, or through other communication channels:
- Personal information, including name, gender, affiliation, job title, national identification number, passport number, other identification numbers, and photos
- Contact information, including mailing address, telephone numbers, and email addresses
- Other information that may be used to directly or indirectly identify the employee
-
On-site visitors from external organizations
Innolux may collect, process, and use the following personal data belonging to visitors from external organizations who need to enter the Company’s premises for business or official purposes:
- Personal information, including name, gender, affiliation, job title, national identification number, passport number, other identification numbers, and photos
- Contact information, including mailing address, telephone numbers, and email addresses
- Other information which may be used to directly or indirectly identify the visitor or which is necessary to promote public interest
-
Website visitors
Innolux may collect, process, and use the following personal data belonging to website visitors who interact with the Company through its websites by subscribing to its e-newsletter, submitting an inquiry, consulting a customer service agent, or using the online whistleblower system:
- Personal information, including name, gender, affiliation, job title, national identification number, passport number, other identification numbers, and photos
- Contact information, including mailing address, telephone numbers, and email addresses
- Other information that may be used to directly or indirectly identify the visitor
- Information stored as cookies in the visitor’s browser
-
Investors and shareholders
Innolux may collect, process, and use the following personal data belonging to potential investors and shareholders when they contact Innolux via telephone, email, or other communication channels should they become actual Innolux shareholders:
- Personal information, including name, gender, affiliation, job title, national identification number, passport number, other identification numbers, and photos
- Contact information, including mailing address, telephone numbers, and email addresses
- Other information that may be used to directly or indirectly identify the investor or shareholder
-
Prospective employees
Innolux may collect, process, and use the following personal data belonging to prospective employees when they respond to vacancies posted by the Company:
- Personal information, including name, gender, date of birth, national identification number, passport number, other identification numbers, and photos
- Skills and experience, including educational background, employment history, language proficiency, and certification of other professional skills and qualifications
- Contact information, including mailing address, telephone numbers, and email addresses
- Other information which may be used to directly or indirectly identify the prospective employee or which is necessary to promote the public interest
-
Additional sources
- Innolux may receive additional personal data from service providers (such as employment agencies and credit bureaus) and law enforcement agencies.
- Innolux may receive other personal data through social media websites and publicly accessible online forums (including but not limited to Facebook, X, YouTube, Pinterest, Weibo, and LinkedIn), regardless of whether such information is provided by the data owner directly or indirectly.
-
(D) Personal data collection, processing, and use
-
Collection, processing, and use of general personal data
Innolux may collect, process, and use personal data for the purposes set out below:
1. Business and operations
Includes emails or similar communications sent for the implementation, communication, negotiation, or fulfillment of, or collaboration on, business-related matters
2. Marketing and promotion
Includes the provision of marketing and collaboration information through emails, websites, or other communication channels
3. Security management
a. Includes measures implemented to ensure the security of the Company’s data, sites, and employees
b. Includes measures implemented to ensure the security of the Company’s networks and information
4. Website maintenance
a. Includes improvements to the functionality and service of, business updates and investor disclosures on, and responses to user inquiries through the Company’s websites
b. Includes the receipt and acceptance of complaints submitted by data owners
5. Recruitment and hiring
Includes human resource records collected for recruitment and hiring purposes
6. Legal obligations
7. Assisting government agencies
Includes the investigation of unlawful acts and prevention of crimes
8. To safeguard, exercise, or assert the Company’s lawful rights and interests
9. Other measures necessary to the Company’s operations
-
Collection, processing, and use of confidential personal data
In principle, Innolux will not actively collect, process, or use any confidential personal data except in the following circumstances:
1. Where it is expressly permitted by law
2. Where it is necessary for the fulfillment of legal obligations, provided that the appropriate security measures are in place
3. Where such data is already public knowledge or has been released by the data owners themselves
4. Where a law enforcement agency requests such data for the investigation of unlawful acts or the prevention of a crime, provided that the appropriate security measures are in place
5. Where the written consent of the data owner is obtained
-
Informed consent
Unless otherwise exempted by law, Innolux shall be required to inform data owners of:
1. The scope and types of data collected, processed, and used
2. The purpose of the data collection, processing, and use
3. Data owners’ right to decline or opt out of data collection, processing, and use requested or recommended by Innolux, whether in part or in whole
4. The possible consequences (such as the inability to receive certain services or communications) if data owners opt out of data collection, ask to have certain data redacted, or provide erroneous data
-
Minimization of data collection and processing
Innolux’s collection, processing, and use of personal data may not exceed the scopes defined herein. The Company shall attempt to minimize the scope of its data collection, processing, and use and shall ensure that such collection, processing, and use is truly necessary and is consistent with the purposes set forth herein.
-
(E) Disclosure to third parties
Innolux may disclose personal data to third parties, including:
-
Government agencies
1. To fulfill legal obligations
2. To assist government agencies (such as courts, law enforcement agencies, and central/local government agencies) in investigating unlawful acts or preventing crimes
3. To exercise, safeguard, or assert the Company’s legal rights and interests
4. In response to data owners’ requests
-
Private legal persons (including Innolux subsidiaries), private institutions/organizations, and other external legal persons
1. To fulfill legal obligations
2. To exercise, safeguard, or assert the Company’s legal rights and interests
3. To use personal data as necessary within the scopes defined herein
4. In response to data owners’ requests
-
Disclosure to third parties shall be made in accordance with the following principles:
1. The Company must verify the identity of any such third parties.
2. Unless otherwise exempted by law, the Company shall duly inform the data owner and obtain their consent before making any such disclosure.
3. The Company shall minimize the scope of the disclosure as much as possible and shall impose the same personal data protection terms stipulated herein on any such third parties.
-
(F) Personal data accuracy
-
Innolux shall take all reasonable measures necessary to ensure the accuracy of personal data and shall supplement or make corrections to incomplete or incorrect data whether proactively or upon request by the data owner. If necessary, the Company may contact data owners to verify the accuracy of their personal data.
-
(G) Personal data retention, protection, and security
-
Personal data retention and deletion
- The personal data retention period shall not exceed the reasonable period for the scopes of data collection, processing, and use defined herein (no longer than 3 years in principle) unless expressly required by law or for the fulfillment of official duties, in which case the Company may continue to retain personal data with the consent of the data owner.
- Innolux shall immediately stop the collection, processing, and use of personal data and shall delete or destroy any data in its possession when such collection, processing, and use is no longer necessary, reasonable, or relevant, or when the laws authorizing the Company to retain such data expire.
- Data owners may request that Innolux cease the collection, processing, and use of their personal data or delete or destroy any existing data, either in part or in whole, to which request the Company must accede.
-
Personal data protection and security
To ensure the security of personal data during the retention period, Innolux shall take the following data security measures as necessary to monitor data access, processing, transmission, retention, and permissions, and the security of data storage and transmission devices to prevent personal data corruption, loss, theft, or leaks, or unauthorized access to, reproduction or use of, or tampering with personal data:
- Using firewalls, data encryption (such as SSL/HTTPS secure connections), and other security measures on personal data transmission and storage devices
- Classifying certain personal data as confidential based on the applicable standard operating procedures to ensure that no personal data is subject to unauthorized access and that the Company’s data collection, processing, and use is within the scopes defined herein
- Managing personal data classification based on risk analysis results in order to formulate appropriate management procedures for personal data collection, processing, use, and disclosure
-
(H) Transmission of personal data across borders
-
The fact that Innolux subsidiaries are located in multiple countries might necessitate the transmission of personal data across borders. Innolux may, within the scopes of the purposes defined herein, transmit data to a Company subsidiary in a different country from that in which the data owner is located, including Taiwan, the United States, China, and Japan, among other countries. The foregoing notwithstanding, Innolux shall abide by the provisions herein and the privacy and personal data protection laws applicable to the respective countries.
-
(I) Website cookie policy
-
Innolux uses cookies on its website to collect, process, and use visitors’ personal data (including IP addresses and locations). Information on the Company’s cookie policy shall be made available on the Innolux official website.
-
(J) Data owners’ rights
Owners of personal data collected, processed, and used by Innolux shall have the right to:
- Request access to their personal data
- Request copies of their personal data
- Make corrections to erroneous data or make supplements to incomplete data
- Request the suspension of data collection, processing, and use
- Request the deletion or destruction of personal data displayed on Innolux’s intranet or websites or stored in the Company’s file systems or data storage equipment
- Where technology allows, request the transfer of data to a third-party information service provider in a machine-readable format
- File complaints with the local competent authority (in the jurisdiction in which they reside or in which their data is being used) regarding personal data protection violations
-
(K) Protection of minors
-
The Company will not intentionally collect personal data belonging to minors (defined as people under the age of 16) and shall, pursuant to the applicable regulations, delete any such data collected inadvertently upon becoming aware of the fact that a data owner is a minor.
-
(L) Internal audits, third-party audits, and supplier audits
-
This Policy constitutes an important aspect of Innolux’s overall management plans. To ensure the implementation of this Policy, the Company shall commission an annual internal risk analysis and internal regulatory compliance audit, a biennial external privacy and personal data protection audit by an independent third party, and periodic supplier compliance audits (to ensure that suppliers comply with the requirements set forth in this Policy as well as other applicable privacy and personal data protection regulations).
-
(M) Updates
-
Innolux may update this Policy without prior notice. Data owners are advised to check the Company’s websites for the latest version of this Policy.
-
(N) Complaint channels
-
Innolux has a zero-tolerance policy for privacy and personal data protection violations. Upon confirmation of a violation of this Policy or other applicable privacy and personal data protection regulations following an investigation, the Company shall immediately call a meeting to review and improve existing management measures, punish the violator(s) in accordance with internal regulations, and if necessary, seek indemnity or file a legal claim in accordance with the applicable regulations.
-
Upon becoming aware of a potential or alleged violation of privacy rights or personal data protection, Innolux employees, external entities, and legal persons whose rights have been infringed may file a report via the Company’s Personal Data Protection Team or other reporting or complaint channels indicated in the Company’s latest communications.
-
For more information on this Policy and other privacy and personal data protection-related matters, Innolux employees, external entities, and legal persons may contact the competent department (Innolux Personal Data Protection Team) of the Company.