Data Protection in Taiwan
Data protection laws in Taiwan
The governing legislation is the Taiwan Personal Data Protection Act (“PDPA”), as most recently amended on November 11, 2025 (which amendments have not yet come into effect), and the Enforcement Rules of the Personal Data Protection Act (“Enforcement Rules”), as most recently amended on March 2, 2016.
Definitions in Taiwan
Definition of personal data
The PDPA defines “personal data” as the name, date of birth, identification card number, passport number, special traits, fingerprints, marital status, family, education, profession, medical history, medical treatment, genetic information, sexual life (including sexual orientation), health examination, criminal record, contact information, financial condition, and social activities of a natural person, as well as other data by which such person may be directly or indirectly identified.
Definition of sensitive personal data
The PDPA defines “sensitive personal data” as medical records, medical treatment, genetic information, sexual life (including sexual orientation) and health examination and criminal records.
National data protection authority in Taiwan
The PDPA was amended on November 11, 2025 to, inter alia, appoint the Personal Data Protection Commission (“PDPC”) as the sole data protection authority; however, the amendments have not yet come into effect and the PDPC (currently the Preparatory Office of the Personal Data Protection Commission) is not yet officially established as of March 19, 2026. In the meantime, the authority with jurisdiction over the relevant data collector has primary enforcement responsibility (e.g. the Financial Supervisory Commission has primary enforcement responsibility vis-à-vis financial institutions).
Data protection officers in Taiwan
The PDPA does not impose a general requirement to have a data protection officer. However, industry-specific regulations in certain industries (such as financial institutions or airlines) require dedicated personnel to handle personal data protection matters.
Collection and processing in Taiwan
Under the PDPA, in order to collect, process and use personal data, the data collector is required to give a data subject a privacy notice at the time the data subject’s personal data is first collected. Such privacy notice is required, inter alia, to contain:
- the name of the data collector;
- the purpose of collection;
- classification of personal data to be collected;
- time period for the use, geographical area of the use, recipients of the data and the manner of using personal data;
- the rights of the data subject to request to review his / her personal data, to make copies of such personal data, to supplement or correct such personal data, to discontinue collection, processing or use of personal data or to delete such personal data, together with the manner in which the data subject makes such requests; and
- the impact on the data subject’s rights and interests if the data subject chooses not to provide his / her personal data.
As long as the privacy notice is given when the personal data is first collected and meets the content requirements set out in the PDPA, the privacy notice is by itself considered sufficient (i.e. consent is not required). The exception is where sensitive personal data is collected, in which case the data subject’s consent is required.
Transfer of personal data in Taiwan
The privacy notice to data subjects must set out the extent to which personal data will be transferred to others.
Cross-border transmissions of personal data are regulated by the PDPA. The Taiwan authorities may restrict the cross-border transmission and use of personal data in the following circumstances:
- when a substantial interest of Taiwan is at stake;
- as provided under an international treaty or agreement (as at March 19, 2026, there are no such treaties or agreements in place);
- when the receiving country lacks laws or regulations adequate to protect personal data, or where infringement of the rights and interests of the data subject is threatened; or
- when the purpose of the transfer is to evade the application of the PDPA.
The Taiwan National Communications Commission (NCC) issued an order in 2012 prohibiting communications enterprises from transferring subscribers’ personal data to mainland China.
The Ministry of Health and Welfare issued an order in 2022 prohibiting social worker offices from transferring data subjects’ personal data to mainland China.
The Ministry of Labor issued an order in 2023 prohibiting private employment services institutions and employment service agencies for people with disabilities from transferring data subjects’ personal data to mainland China. All three orders were issued on the grounds that the personal data protection laws in mainland China were still inadequate. As at March 19, 2026, there are no other restrictions or prohibitions on cross-border transfers to any country / area.
Security in Taiwan
A data collector is required to adopt proper security measures to prevent personal data from being stolen, altered, damaged, destroyed or disclosed.
In addition, the relevant competent authority at the central government level may require designated data collectors to establish security measure plans for personal data files and disposal measures for personal data after termination of business. As at March 19, 2026, industry-specific guidelines governing such security measure plans have been promulgated for many industries, including financial institutions, human resources recruitment businesses, hospitals, manufacturers, and others.
Breach notification in Taiwan
Enforcement in Taiwan
In addition to civil damages, violations of the PDPA, depending on the specific violation, are also subject to administrative sanctions and criminal sanctions and, in some cases, imprisonment.
Civil damages
If a data collector intentionally or negligently violates any provision of the PDPA and such violation causes illegal collection, processing or use of personal data or other infringement to a data subject, the data collector is liable to compensate the data subject for the damages suffered. Compensation may be both monetary and in the form of corrective measures (e.g. to rectify damage to the data subject’s reputation).
Where the victims cannot prove or provide evidence of the amount of actual damage, the minimum amount is NT$ 500 (approx. US$ 16 as at March 19, 2026) and the maximum is NT$ 20,000 (approx. US$ 630 as at March 19, 2026) per violation / per injured party, depending on the severity of the infringement.
In the case of class actions, the aggregate total compensation to the class as a whole is limited to NT$ 200,000,000 (approx. US$ 6,300,000 as at March 19, 2026). However, one should not necessarily rely on these limits because the maxima do not apply if it can be proven that a higher amount is appropriate. Furthermore, the limits may be circumvented by resorting to general causes of action in tort over and above the specific statutory cause of action created by the PDPA.
Administrative sanctions
A regulatory body may impose administrative fines on a data collector in violation of the PDPA ranging from NT$ 20,000 (approx. US$ 630 as at March 19, 2026) to NT$ 15,000,000 (approx. US$ 470,000 as at March 19, 2026) per violation. These administrative fines may be imposed repeatedly until the violation is cured.
Also, the representative, managers or other persons having authority of a data collector that violates the PDPA are subject to the same administrative fines as the data collector itself, unless it is proven that the relevant representative, manager or other person having authority properly performed his / her duties. There is no definition of representative, manager or other person having authority, but such terms are generally understood to refer to the chairman and the general manager of the company.
Criminal sanctions
A person who, with the intention to gain a “benefit” for themselves or a third party or to “harm” the interests of others, violates certain requirements set out in the PDPA or conducts a prohibited cross-border transfer of personal data may be punished by up to five years’ imprisonment and / or fines of up to NT$ 1,000,000 (approx. US$ 32,000 as at March 19, 2026). In addition, the acquisition, dissemination, alteration, compromise of the accuracy of, or deletion of personal data with the intent to gain a “benefit” for themselves or a third party or to “harm” the interests of others, in circumstances sufficient to cause damage to others, may also be punished by imprisonment for up to five years and / or fines of up to NT$ 1,000,000 (approx. US$ 32,000 as at March 19, 2026).
Electronic marketing in Taiwan
If a data collector wishes to use a data subject’s personal data for the purpose of direct marketing whether electronic or otherwise, such data collector is required to give the data subject a privacy notice (see Collection and processing).
If a data subject requests the data collector to cease direct marketing, the data collector must stop using the data subject’s personal data for marketing.
In this regard, when a data collector uses personal data of a data subject to conduct marketing for the first time, the data collector must advise the data subject that they have the right to require cessation of the marketing and provide the data subject with information as to how to exercise such right. Also, the data collector must bear the cost of the first cessation request (e.g. by providing a toll-free line to call or a stamped pre-addressed envelope for return mail).
Online privacy in Taiwan
Although the PDPA does not specifically regulate online privacy, cookies and location data could be considered social activities of a natural person by which such person may be directly or indirectly identified, and as such the PDPA may apply to online privacy.