Privacy Protection | ACER ESG
Protecting Privacy
The protection of personal information and privacy has gradually become a basic human right protected by national legislation and has developed into a universal value, as well as an important part of consumer rights awareness. For Acer, as a global brand company, customer data protection measures, complaint handling mechanisms, and information security incident prevention are essential to the company's management responsibilities and brand protection, and a core principle of Acer's management is to always emphasize and strengthen the security and protection of data transmission across borders and regions. This includes ensuring that customers' personal data is safe and informing customers of the relevant regulations and precautions before accepting equipment for repair. Acer did not experience any significant customer privacy infringement incidents in 2023.
| | Staff | Customers |
|---|---|---|
| Before Using Personal Information | Conduct staff training on personal information protection. | Information security, confidentiality commitments or personal data protection clauses are set out in contracts. |
| During the Use of Personal Information | When employees need to use personal information, they shall apply for approval in accordance with the regulations. | When using or storing your personal information, Acer Group's rules and regulations regarding the use of Personal Data shall be followed. |
| After Using Personal Information | Perform internal audits of personal data management occasionally. | |
Privacy Protection Measures
All Acer employees are required to carefully protect confidential or proprietary information provided by stakeholders, and our products make use of data security technology
Facing the risk of network system cracking or intrusion and the rapid changes in technology, Acer not only reviews the need for customer information requests and strengthens information security measures in parallel with Acer's privacy protection practices, but also continues to apply for information security insurance in order to further protect the privacy of stakeholders.
Personal information protection and privacy-related issues are incorporated into the orientation training for new employees
The importance of personal information protection is promoted on a regular basis through physical or electronic reminder posters in office areas. The Legal Department and each business unit set up and discuss privacy statements or policies on the websites they operate in order to raise awareness among company members of the importance and protection of customers' privacy rights, and conduct education and training courses in response to the implementation and revision of personal data protection regulations around the world.
The collection, processing and use of personal information shall be in accordance with the purposes set forth in the internal personal information registration form and to the extent necessary for the performance of business.
After a stakeholder has indicated that he or she no longer wishes to receive marketing messages from Acer, Acer shall not engage that stakeholder in any marketing activities in any way and shall dispose of the personal information appropriately (e.g., by deleting the personal information from the server or moving it to a system other than the one used to send the marketing communications). In other words, Acer prohibits the secondary use of personal information and monitors and manages the use of personal information.
Establish a Group Information Security Governance Committee that is responsible for formulating group information security and protection policies and conducting risk audits
To enhance the group's information security risk management, Acer established the Group Information Security Governance Committee in 2023. The committee is coordinated by the Acer Information and Network Security Center and reports directly to the Chairman of the Board. Its members include the head of Acer's IT product line and the general managers of subsidiary companies within the group. At the same time, the committee also forms working groups responsible for developing group information security and protection policies, as well as conducting risk assessments. Quarterly reports are submitted to the Chairman and General Manager, and an annual report is presented to the Board of Directors on the effectiveness of group information security governance, as well as security-related issues and directions.
2023 Implementation Status
Regulatory compliance
The collection, use and management of personal information are required to comply with local personal information protection laws and regulations, and the basic principle is that the subject of personal information should have the right to know, access, correct and delete their personal information.
Implementation of internal controls and human rights education & training
- Training on personal data protection and privacy-related issues is provided to new recruits at the time of their employment.
- The collection, processing, and use of personal information must be undertaken in accordance with the company’s Principles for the Management of Personal Data, approved by the unit supervisor, and then sent to the Legal Department and the Information Technology Unit for review.
- Continuously conduct information security scenario drills to improve employees' capacity to respond to security incidents and the company's resilience to attacks.
- In 2023, the Legal Department developed a dedicated course on personal data privacy protection to enhance participants' understanding. This course was accompanied by global employee education and training on personal data. A total of 3,649 individuals successfully completed the training.
Sound mechanism for handling stakeholder issues
A proper protection mechanism is in place for personal information involving stakeholders. If there is a suspected security problem or incident involving stakeholder information, the notification mechanism will be activated immediately in accordance with the relevant regulations to ensure that the risk to stakeholders is minimized when it occurs.
Continuously review the information security regulations and undergo re-validation by third-party organizations
Acer headquarters has added and revised the key points, specifications, and 5 information security frameworks (Cybersecurity Framework) of 51 information security management systems in 2023 to maintain and enhance Acer's information security defense level. Additionally, Acer's ISO 27001:2013 information security management system has also successfully undergone annual re-verification by a third-party verification company in 2023, ensuring the ongoing effectiveness of the security management system.
Other concrete actions for protection of privacy
- With respect to business cooperation between third parties and our customers, the company's customers must also comply with laws on the handling and protection of personal information, and this requirement is to be clearly laid out in the contract.
- We hold personal information protection courses for our employees on an irregular basis to raise their awareness of personal information protection and to reduce the incidence of any related problems.
- Complaints Regarding Infringement of Customer Privacy or Loss of Customer Information: None
Explanation of the 2023 Cybersecurity Incident
In March 2023, unauthorized individuals accessed our company's server due to the improper safeguarding of account passwords by our cooperating partners. However, there was no intrusion or damage to our server, and no personal or customer data was compromised. Consequently, our company's operations remained largely unaffected. To prevent similar incidents in the future, we have implemented various measures, including conducting a comprehensive inventory of cooperating partners' account lists, enhancing the authentication mechanism for their accounts, bolstering the security of our data exchange platform, and providing education and regular training to our cooperating partners.