Shielding personal data in Taiwan

    By Brian Hsieh, Formosa Transnational


Taiwan has a single statute, the Personal Data Protection Act (PDPA), that generally governs personal data protection. The PDPA applies to government agencies as well as to private enterprises and individuals. Other laws and regulations protect personal data in specific sectors, including finance, health and insurance.

The PDPA provides a baseline level of data protection and applies to both Taiwanese nationals and foreigners. Foreign entities that collect, process or use the personal data of Taiwanese people are also subject to the obligations set out in the PDPA.

    Supervising authorities

    Brian Hsieh
    Partner
    Formosa Transnational
    Taipei
    Tel: +886-2-2755 7366
    Email: brian.hsieh@taiwanlaw.com

The Preparation Office of Taiwan’s Personal Data Protection Commission (PDPC) was established in December 2023. The PDPC is scheduled to begin operations in August 2025 as the sole data protection authority, enforcing and interpreting the PDPA and supervising matters relating to data protection.

    At the same time, other government agencies with authority over specific industries continue to regulate data protection matters in those specific fields.

For instance, the Ministry of Digital Affairs (MODA), which has authority over digital industries, promulgated the Regulation on Personal Data Safety Maintenance in Digital Economy Industries (MODA regulations), which sets out more detailed data protection requirements built on the PDPA framework.

    The MODA regulations apply to businesses such as e-commerce, software, computer programming, data management and information services.

    Informed consent

Under the PDPA, a data subject can give valid informed consent only if he or she has first been notified of:

      1. The name of the entity collecting, processing or using the data;
      2. The purposes of the collection, processing or use;
      3. The types of personal data collected;
      4. The time period, territory, recipients and manner of use of the collected personal data;
      5. The data subject’s rights; and
      6. The effect on the data subject’s rights and interests if he or she elects not to provide the personal data.

While consent may be given by data subjects in digital form, the entity that collects personal data bears the burden of proving that the data subject properly consented to the collection.

    A private entity may use a data subject’s personal data for a different purpose than the purposes of the collection only if this data subject gives explicit consent to that secondary use. In other words, implied consent does not work for a secondary use.

    If explicit consent by a data subject is not available, the entity must find another legal basis for its secondary uses.

    Data protection officer

Under the current PDPA, a private entity that holds files containing personal data shall take proper security measures, which may include designating management personnel. Under the MODA regulations, an entity in the digital economy must appoint management personnel specifically responsible for:

      1. Formulating and revising the entity’s privacy protection policy; and
      2. Formulating, revising and enforcing the entity’s safety maintenance plan.

    In December 2024, the PDPC proposed amendments to the PDPA, imposing obligations on government agencies and private entities designated by the PDPC to appoint a data protection officer, as well as management personnel, in charge of data protection. It would be prudent for businesses to pay close attention to the future development of the PDPA amendments.

    Security measures

Both the PDPA and the MODA regulations lay out detailed rules on a private entity’s obligations to ensure the security of the personal data it collects or stores. Under the PDPA, a private entity shall maintain a set of data security measures, including:

      1. Designating management personnel;
      2. Specifying the scope of personal data held;
      3. Adopting a mechanism to evaluate and manage risks;
      4. Adopting internal rules to prevent data breaches, report breach events and take immediate action;
      5. Adopting internal SOPs for collection, processing and use;
      6. Appointing or retaining information security personnel;
      7. Offering training sessions to employees;
      8. Adopting a mechanism that ensures the security of information service equipment;
      9. Auditing information security;
      10. Preserving records of use, tracking information and evidence; and
      11. Adopting plans that improve data protection practices.

Under the MODA regulations, an entity in the digital economy industries shall carry out the following personnel management measures:

      1. Enter into an NDA with each employee;
      2. Identify the employees who will handle the collection, processing or use of personal data;
      3. Determine each employee’s authority to access personal data according to necessity, and review that authority regularly; and
      4. Require departing employees to return devices storing personal data and to delete any personal data they held in the course of performing their duties.

    Furthermore, under the MODA regulations, the following records shall be kept for at least five years:

      1. Records of collection, processing or use;
      2. Tracking information of automatic equipment; and
      3. Evidence supporting compliance of the entity’s data security plan.

    Data breach notification

Under the current PDPA, when a data breach occurs, a private entity shall notify the affected data subjects after obtaining a clear understanding of the event.

The notification may be made to the data subject orally, in writing, by phone, text message, email, fax or other proper means. The PDPA does not set a particular deadline for the notification.

The MODA regulations, on the other hand, require an entity in the digital economy industries to report a data breach to the competent authorities within 72 hours of the event occurring.

Under the proposed PDPA amendments, a private entity shall report to the authorities and notify the data subjects when it becomes aware of a data breach that would seriously harm the data subjects’ rights and interests. It will be prudent for businesses to pay close attention to the future development of the PDPA amendments.

    Marketing uses

Under the PDPA, a private entity shall immediately stop using a data subject’s personal data for marketing purposes if the data subject declines to receive marketing communications.

From the first time a private entity contacts a data subject for marketing purposes, it must provide a channel for opting out. “Marketing” is construed broadly to include virtually all activities that promote products or services, including eDMs, personalised services and recommendations.

    Cross-border transmission

Under the PDPA, a government authority may restrict a private entity from transmitting personal data to anyone outside the territory of Taiwan if any of the following applies:

      1. Substantial national interests are involved;
      2. An international agreement or treaty so provides;
      3. The receiving country does not offer proper protection for personal data; or
      4. The transmission is made to circumvent requirements set out in the PDPA.

Foreign entities are subject to the same obligations. Under the MODA regulations, before transmitting personal data overseas, an entity in the digital economy industries shall confirm whether the transmission is subject to any restriction imposed by the MODA. In addition, the entity shall notify data subjects of the regions to which their personal data will be transferred, and supervise the receiving entity’s subsequent use of that personal data.

FORMOSA TRANSNATIONAL
    13th Fl, 136, Sec 3, Jen-Ai Road
    Taipei 106, Taiwan