DLA Piper Intelligence

Data Protection Laws of the World

Taiwan

The former Computer Processed Personal Data Protection Law (‘CPPL’) was renamed the Personal Data Protection Law (‘PDPL’) and amended on 26 May 2010. The PDPL became effective on 1 October 2012, except that the provisions relating to sensitive personal data and to the notification obligation for personal data indirectly collected before the PDPL took effect remained ineffective. The government later proposed further amendments to these and other provisions, which passed the legislative procedure and became effective on 15 March 2016.

Last modified 27 Jan 2017
Definitions

Definition of personal data

According to PDPL, personal data means the name, date of birth, I.D. Card number, passport number, characteristics, fingerprints, marital status, family, education, occupation, medical record, medical treatment, genetic information, sexual life, health checks, criminal records, contact information, financial conditions, social activities and other information which may directly or indirectly be used to identify a living natural person.

Definition of sensitive personal data

According to PDPL, sensitive personal data means the personal data relating to medical records, medical treatments, genetic information, sex life, health checks and criminal records.

Authority

In Taiwan, there is no single national data protection authority. The various ministries and city/county governments serve as the competent authorities.

Registration

Unlike the CPPL, there is no need to register with any authorities for the collection, processing, usage and international transfer of personal data under the PDPL.

Data Protection Officers

There is no requirement in Taiwan for the data controller to appoint a data protection officer. However, if the data controller is a government agency, a specific person should be appointed to be in charge of the security maintenance measures.

Collection & Processing

Under the PDPL, the data controller should not collect or process personal data unless there is a specific purpose and one of the following conditions is met:

  • where collection/processing is explicitly stipulated by law
  • where there is a contract or quasi-contract between the data controller and the data subject and there are proper security measures in place
  • where the data subject has him/herself disclosed such data to the public, or where the data has been publicised legally
  • where it is necessary for the public interest in statistics or for the purpose of academic research conducted by a research institution, and the data cannot lead to the identification of a specific person after treatment by the provider or disclosure by the collector
  • where consent has been given by the data subject (if the data controller has explicitly informed the data subject of the information required by the PDPL and the data subject has not expressed his/her rejection and has further provided his/her personal data, consent will be presumed to have been given; however, the data controller should prove the existence of the relevant facts)
  • where it is necessary to enhance the public interest
  • where the personal data is obtained from publicly available sources, except where the vital interests of the data subject require more protection and the prohibition of the processing or usage of such personal data, or
  • where there is no infringement on the rights or interests of the data subject.

Furthermore, except for the exemptions stipulated in the PDPL (eg if it is explicitly stipulated by law that the provision of such information is not required, if the data subject is already fully aware of the contents of the notice, or if the collection is not for a profit-seeking purpose and is obviously not detrimental to the data subject), the data controller is permitted to collect and process personal data only if it unambiguously informs the data subject of the following information prior to or upon collection:

  • data controller’s name
  • purpose(s) for collecting personal data
  • categories of personal data
  • period, area, recipients and means of using the data
  • the data subject’s rights and the methods by which the data subject may exercise those rights in accordance with the PDPL, and
  • where the data subject has the right to choose whether or not to provide the data, the consequences of not providing the data.

The information collected should in principle only be used for the purpose notified and not for any other purpose unless falling within any of the exceptional circumstances as set forth in the PDPL (eg, where consent has been given by the data subject, or where it is beneficial to the rights or interests of the data subject).

In addition, the Employment Service Act and its Enforcement Rules require that an employer shall not request a job seeker or an employee to provide private information which is unrelated to his/her employment. Such private information includes physiological information, psychological information and personal life information. When an employer asks a job seeker or an employee to provide such private information, the personal interests of the data subject should be respected; the request should not exceed the necessary scope of the specific purposes based on economic demand or public interest, and should have a just and reasonable connection with those specific purposes.

As to sensitive personal data, its collection, processing or usage (including international transfer) is prohibited unless one of the statutory conditions is met. These include the circumstances where written consent of the data subject has been obtained (except where the consent exceeds the necessary scope of the specific purposes, other laws provide otherwise, or the consent is contrary to his/her free will), or where the data subject has him/herself disclosed such data to the public or the data has been publicised legally.

Transfer

The central competent authority may restrict the international transfer of personal data by the data controller which is not a government agency if:

  • it involves major national interests
  • an international treaty or agreement specifies otherwise
  • the country receiving the personal data lacks proper regulations to protect personal data, such that the rights and interests of the data subject might be harmed, or
  • the international transfer of personal data is made to a third country through an indirect method in order to evade the provisions of the PDPL.

Security

Data controllers should adopt proper security measures (both technical and organisational) to prevent personal data from being stolen, altered, damaged, destroyed or disclosed.

The central competent authority may request the data controller which is a non-government agency to set up a plan for the security measures of the personal data file or the disposal measures for the personal data after termination of business.

Breach Notification

Where the personal data is stolen, disclosed, altered or infringed in other ways due to the violation of the PDPL, the data controller should notify the data subject after due inquiry.

Enforcement

Under the PDPL, the competent authority may perform an inspection, if it is necessary for the examination of the security measures of data files, of the disposal measures after termination of business, the limitation of international transfer, or other routine business, or if the PDPL may be violated. Those who perform the inspection may ask the data controller to provide a necessary explanation, take cooperative measures, or provide relevant evidence.

When the competent authority conducts such an inspection, it may seize or duplicate the personal data and files that may be confiscated or may be used as evidence. The owner, holder or keeper of the data or files should surrender them upon request.

In addition, a breach of the PDPL may be subject to criminal sanctions (if for profit-seeking purpose), administrative fines, and civil compensation (collective action is permitted).

Electronic Marketing

The PDPL applies to electronic marketing in the same way as to other marketing. Within the necessary scope of the specific purposes of data collection, the data controller may use personal data for marketing. However, when the data subject refuses the marketing (a right to ‘opt-out’), the data controller should cease using such personal data for marketing. In addition, when conducting marketing for the first time, the data controller should bear the costs of providing the data subject with the means to refuse further marketing.

Online Privacy

There is no special law or regulation applicable to online privacy. The PDPL applies to the online and physical worlds in the same manner. As a result, issues unique to the online context are not specifically addressed.

Contacts
Chun-yih Cheng
Senior Partner
T +886 2 27557366 Ext 158