DLA Piper Intelligence

Data Protection
Laws of the World

Law

Taiwan

The Taiwan Personal Data Protection Act (“PDPA”) as most recently amended on December 30, 2015 and the Enforcement Rules of the Personal Data Protection Act (“Enforcement Rules”) as later amended on March 2, 2016.

Last modified 31 Dec 2020
Definitions

Definition of personal data

The PDPA defines “personal data” as the name, date of birth, identification card number, passport number, special traits, fingerprints, marital status, family, education, profession, medical history, medical treatment, genetic information, sexual life (including sexual orientation), health examination, criminal record, contact information, financial condition, and social activities of a natural person, as well as other data by which such person may be directly or indirectly identified.

Definition of sensitive personal data

The PDPA defines “sensitive personal data” as medical records, medical treatment, genetic information, sexual life (including sexual orientation) and health examination and criminal records.

Last modified 31 Dec 2020
Authority

The regulatory body with overall responsibility for data protection is the National Development Council. However, the authority with jurisdiction over the relevant data collector has primary enforcement responsibility (e.g. the Financial Supervisory Commission has the primary enforcement responsibility vis-à-vis financial institutions).

Last modified 31 Dec 2020
Registration

Taiwan does not have a registration system for personal data protection.

Last modified 31 Dec 2020
Data Protection Officers

The PDPA does not impose a general requirement to have a data protection officer. However, there are industry-specific regulations in certain industries (such as financial institutions or airlines) requiring personnel to handle personal data protection matters.

Last modified 31 Dec 2020
Collection & Processing

Under the PDPA, in order to collect, process and use personal data, the data collector is required to give a data subject a privacy notice at the time the data subject’s personal data is first collected. Such privacy notice is required, inter alia, to contain:

  • the name of the data collector
  • the purpose of collection
  • classification of personal data to be collected
  • time period for the use, geographical area of the use, recipients of the data and the manner of using personal data
  • the rights of the data subject to request to review his/her personal data, to make copies of such personal data, to supplement or correct such personal data, to discontinue collection, processing or use of personal data or to delete such personal data, together with the manner in which the data subject makes such requests, and
  • the impact on the data subject’s rights and interests if the data subject chooses not to provide his/her personal data. 

As long as the privacy notice is given when first collecting the personal data, and the privacy notice meets the content requirements set out in the PDPA, the privacy notice is by itself considered sufficient (i.e. consent is not required). This is unless sensitive personal data is collected, in which case data subject consent is required.

Last modified 31 Dec 2020
Transfer

The privacy notice to data subjects must set out the extent to which personal data will be transferred to others. 

Cross-border transmissions of personal data are regulated by the PDPA. The Taiwan authorities may restrict the cross-border transmission and use of personal data in the following circumstances:

  • when a substantial interest of Taiwan is at stake;
  • as provided under an international treaty or agreement (as at December 31, 2020, there are no such treaties or agreements in place);
  • when the receiving country lacks proper laws or regulations to adequately protect personal data, or where infringement of the rights and interests of the data subject is threatened; or
  • the purpose of the transfer is to evade the application of the PDPA.

The Taiwan National Communications Commission (NCC) issued an order in 2012 prohibiting communications enterprises from transferring subscribers’ personal data to mainland China on the grounds that the personal data protection laws in mainland China were still inadequate. As at December 31, 2020, there are no other restrictions or prohibitions on the cross-border transfers to any country/area.

Last modified 31 Dec 2020
Security

A data collector is required to adopt proper security measures to prevent personal data from being stolen, altered, damaged, destroyed or disclosed. 

In addition, the relevant competent authority at the central government level may designate certain data collectors for setting up plans of security measures for personal data files or the disposal measures for personal data after termination of business. As at December 31, 2020, industry specific guidelines governing the plan of security measures for personal data files have been promulgated for many industries, including for financial institutions, human resources recruitment business, hospitals, manufacturers, and others.

Last modified 31 Dec 2020
Breach Notification

Upon a data breach, the data collector is required to promptly notify the data subject of:

  • the fact of the infringement
  • the measures the data collector has taken to respond to such infringement, and
  • the contact information of the data collector.

The notice may be made orally, by written document, telephone, text message, email, facsimile, electronic record, or in another manner by which the data subject can receive such notice. If the cost of notifying each data subject is “too high”, such notice may be made via the Internet or news media.

In addition, the data collector in certain industries (e.g. travel agents) is required to report to their respective industry regulator and, where it is required to do so, the report to the industry regulator needs to include: 

  • the fact that personal data may have been compromised
  • the measures the data collector has taken to respond to such compromise (including evidence that the data collector has notified the affected individuals)
  • the investigation by the data collector (or any outside forensic firm) as to how the data breach occurred
  • the preventive measure(s) the data collector will take to prevent recurrence of data breach in the future, and
  • any other information that the industry regulator may require on a case-by-case basis.

Last modified 31 Dec 2020
Enforcement

In addition to civil damages, violations of the PDPA, depending on the specific violation, are also subject to administrative sanctions and criminal sanctions and, in some cases, imprisonment. 

Civil damages 

If a data collector intentionally or negligently violates any provision of the PDPA and such violation causes illegal collection, processing or use of personal data or other infringement to a data subject, the data collector is liable to compensate the data subject for the damages suffered. Compensation may be both monetary and in the form of corrective measures (e.g. to rectify damage to the data subject’s reputation).

Where the victims may not have access to or cannot provide evidence for the amount of actual damage, the minimum amount is NT$500 (approx. US$18 as at December 31, 2020) and the maximum is NT$20,000 (approx. US$690 as at December 31, 2020) per violation/per injured party depending on the severity of the infringement. In the case of class actions, the aggregate total compensation to the class as a whole is limited to NT$200,000,000 (approx. US$6,900,000 as at December 31, 2020). However, one should not necessarily rely on these limits because the maxima do not apply if it can be proven that a higher amount is appropriate. Furthermore, the limits may be circumvented by resorting to general causes of action in tort over and above the specific statutory cause of action created by the PDPA. 

Administrative sanctions 

A regulatory body may impose administrative fines on a data collector in violation of the PDPA ranging from NT$20,000 (approx. US$690 as at December 31, 2020) to NT$500,000 (approx. US$17,300 as at December 31, 2020) per violation. These administrative fines may be imposed repeatedly until the violation is cured.

Also, the representative, managers or other persons having authority of the data collector which violates the PDPA are subject to the same administrative fines as the data collector itself, unless it is proven that the relevant representative, manager or other person having authority had properly performed his/her duties. There is no definition of representative, manager or other person having authority but generally such terms are understood to refer to the chairman and the general manager of the company. 

Criminal sanctions

A person who, with the intention to gain “benefit” for themselves or a third party or to “harm” the interests of others, violates certain requirements as set out in the PDPA or conducts a prohibited cross-border transfer of personal data may be punished by up to five years’ imprisonment and/or fines of up to NT$1,000,000 (approx. US$35,000 as at December 31, 2020). In addition, the acquisition, dissemination, alteration, compromise of the accuracy of, or deletion of personal data with the intent to gain “benefit” for themselves or a third party or to “harm” the interests of others, in circumstances which are sufficient to cause damage to others, may also be punished by imprisonment for up to five years and/or fines of up to NT$1,000,000 (approx. US$35,000 as at December 31, 2020).

Last modified 31 Dec 2020
Electronic Marketing

If a data collector wishes to use a data subject’s personal data for the purpose of direct marketing whether electronic or otherwise, such data collector is required to give the data subject a privacy notice (see Collection and Processing).

If a data subject requests the data collector to cease direct marketing, the data collector must stop using the data subject’s personal data for marketing.

In this regard, when a data collector uses personal data of a data subject to conduct marketing for the first time, the data collector must advise the data subject that they have the right to require cessation of the marketing and provide the data subject with information as to how to exercise such right. Also, the data collector must bear the cost of the first cessation request (e.g. by providing a toll-free line to call or a stamped pre-addressed envelope for return mail).

Last modified 31 Dec 2020
Online Privacy

Although the PDPA does not specifically regulate online privacy, cookies and location data could be considered social activities of a natural person by which such person may be directly or indirectly identified; as such, the PDPA may apply to online privacy.

Last modified 31 Dec 2020
Contacts
Phoebe Yu
Partner
Russin & Vecchi
T +886-2-2713-6110
Helen Wang
Associate
Russin & Vecchi
T +886-2-2713-6110
Last modified 31 Dec 2020