Lee and Li, Attorneys at Law
What law(s) specifically govern personal data / information?
Personal Data Protection Act ("PDPA")
The enforcement rules of the Personal Data Protection Act
What are the key data protection principles in this jurisdiction?
Unlike many other privacy laws, the PDPA does not contain an enumeration of privacy principles. Certain privacy principles, however, can be inferred from the text of the PDPA, including the following:
- Notice: The data collector must notify the data subject of certain enumerated information when collecting personal data. This includes, for instance, the particular purpose for the collection of the data. There are exemptions from the notification requirements, but these are available only under relatively unusual circumstances.
- Consent: One of the legal grounds for the data collector to collect, process, or use the personal data is the data subject’s consent. The consent generally need not be in writing, but when consent is relied upon as the basis for the collection, processing, or use of special category personal data, the consent must be in writing.
Additional consent must be obtained when using the personal data beyond the original scope of the purposes expressed at the time of the initial collection. That separate consent would be considered effective only after the data collector has informed the data subject of (1) the new purposes, (2) the scope of use, and (3) the impact on the data subject’s rights or interests if he/she declines to provide consent.
- Security & Safeguards: Personal data should be securely retained in a way that prevents its theft, falsification, destruction, loss, or disclosure.
- Accuracy and Duration of Retention: The accuracy of personal data must be safeguarded. Personal data should be deleted, or should no longer be processed or used, when the particular purpose for its collection no longer exists, or when the data subject so requests.
- Lawfulness: The collection, processing, and use of personal data must be conducted in a bona fide manner that is honest and respects the data subject’s rights and interests.
- Minimization: The collection, processing, and use of personal data should not exceed that which is necessary to achieve the specified purpose.
What is the supervisory authority / regulator in charge of data protection?
Preparatory Office of the Personal Data Protection Office (Note: The Personal Data Protection Office is expected to be formally established by the end of 2025)
Is there a requirement to register with a supervisory authority / regulator?
No, the PDPA does not impose any registration obligation.
Is there a requirement to notify the supervisory authority / regulator?
While the PDPA itself does not require reporting a data breach to the competent authorities, under the authorization of the PDPA, several competent authorities implement their respective personal data file security maintenance rules ("Maintenance Rules") applying to certain businesses. Under the Maintenance Rules, a business that is subject thereto has to report the breach to the competent authorities within 72 hours of the incident if certain conditions are met (e.g., its normal operation is affected by the data breach, or the breach involves a substantial number of data subjects).
Is it possible to register with / notify the supervisory authority / regulator online?
Not applicable.
What are the key data subject rights under the data protection laws of this jurisdiction?
Right to information
Subparagraphs 1 and 2, Article 3 of the PDPA
Right of access/ request a copy
Subparagraphs 1 and 2, Article 3 of the PDPA
Right to rectification of errors
Paragraphs 1 and 5, Article 11 of the PDPA
Right to deletion
Right to deletion: Paragraphs 3 and 4, Article 11 of the PDPA; Paragraph 2, Article 19 of the PDPA.
Right to be forgotten: The PDPA does not address the right to be forgotten at the moment.
Right to restriction of processing
Paragraphs 2, 3 and 4, Article 11 of the PDPA
Right to data portability
The PDPA does not address the right to data portability at the moment.
Right to object to processing
Paragraphs 2 and 3, Article 20 of the PDPA provide the right to object to processing for marketing purposes.
Although the PDPA does not clearly stipulate the right to withdraw consent, Article 20 provides that when a data controller uses personal data for marketing purposes, upon the data subject's objection to such use, the data controller shall cease using the data subject's personal data for marketing. Therefore, it can be interpreted that the data subject has the right to withdraw his/her consent.
Right to complain to the relevant data protection authority(ies)
Although the PDPA does not clearly stipulate the right to withdraw consent, it is acknowledged that data subjects have such a right.
Right not to be subject to automated individual decision-making
The PDPA does not address the automated individual decision-making matter.
Is there a requirement to appoint a data protection officer (or equivalent)?
No, the PDPA does not impose such an obligation on data controllers.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
The PDPA itself does not impose such an obligation. However, Maintenance Rules applying to certain businesses may stipulate otherwise.
For instance, the Digital Economy Industry-Related Agencies Maintenance Rules, promulgated by the Ministry of Digital Affairs under the authorization of the PDPA, require businesses subject to those rules to carry out impact assessments regularly.
Does this jurisdiction have any specific data breach notification requirements?
The PDPA contains a breach notification requirement. In the event of a theft, leak, falsification, or infringement of the data subject’s personal data, after the facts have been verified, the data subject must be notified of the details of the data breach and the measures the organization has taken to handle the data breach.
What restrictions apply to the international transfer of personal data / information?
The PDPA allows central-level authorities to restrict international transfers of personal data under the following circumstances:
- important state interests are involved;
- international treaties or agreements impose special rules under the circumstances;
- the receiving country has not enacted a complete set of rules for the protection of personal data, presenting prospects of harm to the interests of the data subject; or
- the transfer of personal data to another country is intended as a means of evading the PDPA's requirements.
As of today, only a few authorities prohibit businesses/institutions from transferring their users' personal data to China, on the grounds that the personal data protection laws in China are still inadequate.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
According to Paragraph 2, Article 51 of the PDPA, the PDPA would also be applicable to a company incorporated under Taiwan law (i.e. data controller/collector), even if it collects, processes, or uses the personal data of Taiwan citizens outside of the territory of Taiwan. As for the foreign entity's offshore collection, processing or use of Taiwan citizens' personal data, the competent authority has clearly indicated that if such activities are conducted outside of the territory of Taiwan, due to lack of jurisdiction, they would not be subject to the PDPA. However, please note that if a foreign entity collects, processes or uses Taiwan citizens' personal data offshore "through the Internet", since in this scenario such activities are not completely conducted outside of the territory of Taiwan, it is unclear whether the PDPA would apply.
In light of the foregoing, even though the relevant Taiwanese authorities seem to take the position that they will not enforce the PDPA against a foreign entity without a presence in Taiwan, we cannot rule out the possibility that the PDPA may still govern a foreign entity located outside of Taiwan for its offshore collection, processing, or use of Taiwan citizens' personal data through the Internet. In this regard, foreign entities are advised to comply with the PDPA.
What rules specifically deal with marketing?
Even if a data controller may legitimately use personal data for marketing activities, (1) the data controller must provide a mechanism for data subjects to object to marketing (i.e., an opt-out mechanism), which must be free of charge the first time the data subjects are approached for the marketing purpose; and (2) the data subjects may object to the marketing activities at any time; once they object, the data controller must immediately stop using their personal data for the marketing purpose (Paragraphs 2 and 3, Article 20 of the PDPA).
Do different rules apply to business-to-business and business-to-consumer marketing?
The PDPA itself does not apply differently between business-to-business and business-to-consumer marketing.
However, it is worth noting that, for the financial industry, its competent authority, the Financial Supervisory Commission ("FSC"), has issued the "Guidelines on Data Sharing between Financial Institutions" ("Guidelines"), which serve as a set of instructions for financial institutions sharing their data with other financial institutions and even fintech companies.
What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
With regard to privacy/personal data protection, Taiwan laws do not specifically impose rules targeting electronic marketing only.
However, Taiwan's Congress passed the Fraud Offence Prevention Act ("FOPA") in July 2024. Under the FOPA, digital advertising platforms are required to perform KYC on advertisers and carry out other compliance checks before running advertisements, in order to prevent Internet fraud.
What rules specifically deal with cookies?
The PDPA does not establish rules that specifically deal with cookies.
What are the consequences of non-compliance with data protection laws (including marketing laws)?
Competent authorities may impose administrative fines for violations of the PDPA, as well as: (1) prohibit further collection, processing, or use of personal data; (2) order the deletion of personal data that has been processed; (3) order the destruction of personal data that has been collected illegally; and (4) publicize violations, including names of violators and their statutory representatives.
Violations of the PDPA may result in an administrative fine of up to NT$15,000,000 and/or a criminal fine up to NT$1,000,000. Violators also may face terms of imprisonment of up to five years.
Injured parties can bring actions for damages for a defendant's violations of the PDPA. Where a plaintiff is unable to prove actual damages, he or she may claim statutory damages ranging from NT$500 to NT$20,000. The PDPA also permits class actions for damages resulting from the misuse of personal data.
In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?
Regarding a foreign entity’s offshore collection, processing, or use of Taiwan citizens’ personal data, the competent authority has indicated that, if the foreign entity collects, processes, or uses Taiwan citizens’ personal data outside of Taiwan, the entity would not be subject to the PDPA. It is unclear, however, whether a foreign entity that collects, processes, or uses Taiwan citizens’ personal data outside of Taiwan via the Internet would be subject to the PDPA because these activities are not fully conducted outside of Taiwan.
Foreign entities that have a subsidiary or branch in Taiwan typically comply with the PDPA as a precautionary measure. Since the PDPA's requirements are basically the same as those stipulated in the GDPR, localizing a global compliance program should not involve substantial cost.
What upcoming data protection developments should multinational organisations be aware of?
The Personal Data Protection Office ("PDPO") is expected to be formally established by the end of 2025. After its establishment, we believe that the PDPO would promulgate more detailed regulations applicable to businesses, and businesses would accordingly need comprehensive internal processes and rules to comply with those regulations.