Preamble To protect and manage personal data and to comply with Personal Data Protection Act (hereinafter, the "PDPA"), “CSBC-DEME Wind Engineering Co. Ltd.” (CDWE) (hereinafter referred to as “CDWE”, “we”, “us” or “our”) adopted CDWE Personal Data Protection Policy (hereinafter referred to this “Policy”) to govern the use of personal data of individuals or legal entities who have established business relationships with us, including our clients, contractors, subcontractors, consultants, suppliers, service providers and all personnel in their groups.

Objectives 2.1 The Policy ensures that we comply with the requirements set forth in the PDPA and applicable personal data protection laws and regulations while conducting our various business operations.
2.2 For the purpose of protecting both our own rights as well as our clients’ rights, the Policy sets out personal data protection objectives for CDWE and everyone who has established business relationships with us and all personnel in their groups. The Policy clarifies that we may collect, process and use personal data when reasonably necessary and provides guidelines for persons responsible for the operation and management of CDWE when dealing with personal data of individuals or legal entities who have business relationships with us, including our clients, contractors, subcontractors, consultants, suppliers, service providers and all personnel in their groups.

Scope of the Policy 3.1 Applicable persons
The Policy covers individuals or legal entities who have established business relationships with us, including our clients, contractors, subcontractors, consultants, suppliers, service providers and all personnel in their groups, including temporarily hired companies or individuals.
3.2 Applicable data
The Policy applies to all personal data protected under the PDPA. It regulates the collection, processing, use, and global

The Collection of Personal Data 4.1 CDWE will not collect, process, use or transmit globally applicable personal data unless it complies with the requirements of PDPA and other applicable laws and regulations.
4.2 By establishing business relationships with us, our clients, contractors, subcontractors, consultants, suppliers, service providers and all personnel in their groups consent to our collection, use, processing, and transmission of their personal data. If the data involves third parties (including but not restricted to suppliers or agents), they should also disclose and provide the Policy to the third parties and, where such may be necessary, acquire their consent to our collection, processing, use, and global transmission of their personal data.
4.3 “Personal data” referred to in the Policy includes, but is not limited to: the individual’s or the legal entity’s name, date of birth, ID card number, passport number, gender, features, fingerprints, marital status, family information, education background, occupation, medical records, healthcare data, genetic data, data concerning a person's sex life, records of physical examination, criminal records, contact information, financial conditions (including, but not limited to, bank account, credit card and debit card number), data concerning a person's social activities, video and audio records (including, but not limited to, photos and surveillance videos), employee information, and other information which can be used to identify the individual’s or the entity’s identity directly or indirectly. The definition and scope as provided here may change if the Policy is amended from time to time for any reason including according to any order made by the competent authority or amendment of applicable laws and regulations.

Data Accuracy 5.1 Individuals or legal entities who have established business relationships with us, including our clients, contractors subcontractors, consultants, suppliers, service providers and all personnel in their groups should guarantee the accuracy of the personal data they provide under clause 4.2 of this Policy and that there is no such fraud or dishonesty as forgery, alteration, fabrication, addition or deletion is involved.
5.2 We will take reasonable measures to ensure the accuracy of personal data we have collected.

The Purposes of the Use, Processing, and Transmission of Personal Data We may use, process, and transmit collected personal data for the purposes of: (1) providing products and services;
(2) operating business;
(3) communicating with clients and customers;
(4) managing relevant information systems;
(5) managing suppliers;
(6) conducting surveys;
(7) ensuring the safety of our plants and systems;
(8) complying with applicable laws and regulations;
(9) meeting the requirements laid down by the concerned or competent authorities;
(10) improving our products and services;
(11) preventing fraud;
(12) taking any necessary step to exercise or protect any right under applicable laws and regulations;
(13) recruiting and managing employees; or
(14) achieving other business purposes.

Data Security We have taken proper technical and organizational security measures to protect the security of personal data we collect. Individuals or legal entities who have established business relationships with us, including our clients, contractors subcontractors, consultants, suppliers, service providers and all personnel in their groups must confirm that the process of providing or transmitting their personal data to us is secure.

Data Retention Period CDWE may retain personal data even though any business relationship for which the personal data may have initially been received has ended or been terminated, as long as it is within the period necessary for serving our business or legal purposes.

Withdrawing Consent 9.1 Individuals or legal entities who have established business relationships with us, including our clients, contractors (and subcontractors), consultants, and all personnel in their groups, or third parties, have the right to withdraw their consent under clause 4.2 of this Policy, given that they apply to our Data Protection Department in writing (contact information as below). CDWE may request them to provide personal verification documents for verifying their identities.

Contact email address: info@cdwe.com.tw
Contact address: 6F., No. 20, Sec. 3, Bade Rd., Songshan Dist., Taipei City, Taiwan (R.O.C.)
Telephone number: +886-2-6604-0888.

9.2 We will make every effort to process the application under clause 9.1 of this Policy within ten (10) business days starting from the day after we receive the withdrawal application in writing.
9.3 We reserve our rights under applicable laws and regulations even if consent under clause 4.2 of this Policy has been withdrawn.

Access to Personal Data 10.1 Persons who provide their personal data may apply to our Data Protection Officer (department)under clause 9.1 of this Policy in writing for access to their personal data, but only for those unrelated to others’ information. When processing their applications, we may request them to provide personal verification documents for verifying their identities.
10.2 We may charge reasonable fees for the access to or the provision of personal data.
10.3 We will make every effort to process the application under clause 10.1 of this Policy within thirty (30) calendar days starting from the day after we receive the withdrawal application in writing.

Responsible Department 11.1 All of our departments and employees understand and will comply with the Policy, and should implement every required measure to protect the personal data we collect.
11.2 CDWE has taken proper technical and organizational security measures to secure the personal data collected, used, or processed by us to the extent it is reasonable and necessary.

Implementation and Amendment 12.1 Issues not covered by the Policy will be governed by our relevant management regulations and applicable laws and regulations made by the competent authority.
12.2 This Policy may be updated from time to time to reflect new or different privacy practices according to applicable laws and regulations. A copy of any updated Policy and latest information on our privacy practices may be found at: https://www.cdwe.com.tw/
12.3 The Policy becomes effective only after being approved and announced by the Chief Executive Officer. The same procedure applies when the Policy is amended.