{"id":109430,"date":"2025-07-08T08:46:43","date_gmt":"2025-07-08T08:46:43","guid":{"rendered":"https:\/\/my.legal500.com\/guides\/?post_type=comparative_guide&#038;p=109430"},"modified":"2025-08-19T10:07:08","modified_gmt":"2025-08-19T10:07:08","slug":"taiwan-data-protection-cybersecurity","status":"publish","type":"comparative_guide","link":"https:\/\/my.legal500.com\/guides\/chapter\/taiwan-data-protection-cybersecurity\/","title":{"rendered":"Taiwan: Data Protection &amp; Cybersecurity"},"content":{"rendered":"","protected":false},"template":"","class_list":["post-109430","comparative_guide","type-comparative_guide","status-publish","hentry","guides-data-protection-cybersecurity","jurisdictions-taiwan"],"acf":[],"appp":{"post_list":{"below_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Lee and Li, Attorneys-at-Law<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2019\/03\/Firm-Logo_Lee-and-Li.jpg\"\/><\/span><\/div>"},"post_detail":{"above_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Lee and Li, Attorneys-at-Law<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2019\/03\/Firm-Logo_Lee-and-Li.jpg\"\/><\/span><\/div>","below_title":"<span class=\"guide-intro\">This country specific Q&amp;A provides an overview of Data Protection &amp; Cybersecurity laws and regulations applicable in Taiwan<\/span><div class=\"guide-content\"><div class=\"filter\">\r\n\r\n\t\t\t\t<input type=\"text\" placeholder=\"Search questions and answers...\" class=\"filter-container__search-field\">\r\n\t\t\t<\/div>\r\n\r\n\t\t\t\r\n\r\n\r\n\t\t\t<ol class=\"custom-counter\">\r\n\r\n\t\t\t\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please provide an overview of the legal and regulatory framework governing data 
protection, privacy and cybersecurity in your jurisdiction (e.g., a summary of the key laws; who is covered; what sectors, activities or data do they regulate; and who enforces the relevant laws).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p><strong><u>Data protection and privacy<\/u><\/strong><\/p>\n<p>The Personal Data Protection Act (&#8220;<strong>PDPA<\/strong>&#8220;) is the principal legislation governing data protection in Taiwan. \u00a0The PDPA regulates the collection, processing, and use of personal data by both government agencies and non-government agencies, including legal persons, organizations, and natural persons in the private sector. \u00a0The Enforcement Rules of the Personal Data Protection Act (&#8220;<strong>Enforcement Rules of the PDPA<\/strong>&#8220;) provide further guidance on the interpretation and implementation of the PDPA.<\/p>\n<p>Originally enacted in 1995, the PDPA underwent significant amendments and was renamed in 2010, with the amendments taking effect in 2012. \u00a0The PDPA\u2019s framework is largely modeled after the European Union\u2019s Directive 95\/46\/EC, which served as a key reference for the 2010 amendments.<\/p>\n<p>In response to numerous data breaches and leaks and to address the rulings set forth by the Constitutional Court\u2019s judgment dated August 12, 2022 (Ref. No. 111-Shien-Pan-13), which mandated the establishment of an independent supervisory mechanism for personal data protection, the PDPA was further amended on May 16, 2023.\u00a0 This amendment represents the current effective version of the PDPA.<\/p>\n<p>In addition to the PDPA and the Enforcement Rules of the PDPA, certain central competent authorities have promulgated industry-specific regulations concerning data security within their respective sectors. 
\u00a0Other statutes also address personal data protection, such as the Banking Act (with respect to customer information held by banks) and the Financial Holding Company Act, which governs the sharing of customer information between a financial holding company and its subsidiaries for joint marketing purposes.<\/p>\n<p>Enforcement of the PDPA is currently administered by various ministries, commissions, and local governments. \u00a0To address enforcement challenges arising from this decentralized approach and to comply with the Constitutional Court\u2019s requirement to establish an independent supervisory authority by August 2025, Article 1-1 of the 2023 amended PDPA designates the Personal Data Protection Commission (&#8220;<strong>PDPC<\/strong>&#8220;) as the competent authority for the PDPA, consolidating enforcement powers previously dispersed among different agencies. \u00a0The Preparatory Office of the PDPC was established on December 5, 2023, and assumed responsibility for interpreting the PDPA from the National Development Council (&#8220;<strong>NDC<\/strong>&#8220;) as of January 1, 2024. \u00a0The future regulatory framework, including the interaction between the PDPC and sectoral regulators following the formal establishment of the PDPC, is worth monitoring.<\/p>\n<p><strong><u>Cybersecurity <\/u><\/strong><\/p>\n<p>The Cybersecurity Management Act (&#8220;<strong>CSMA<\/strong>&#8220;), the Enforcement Rules of the Cybersecurity Management Act (&#8220;<strong>Enforcement Rules of the CSMA<\/strong>&#8220;), as well as other regulations promulgated under the CSMA, are the primary laws and regulations governing cybersecurity law matters in Taiwan, effective since 1 January 2019.\u00a0 The CSMA governs the management of information and communications security by government agencies and certain non-government agencies, including critical infrastructure providers, public utilities, and government-sponsored foundations. 
\u00a0The Enforcement Rules of the CSMA further elaborate on the definitions, requirements, and key terms of the CSMA.<\/p>\n<p>Pursuant to the CSMA and the relevant regulations, such as the Regulations for Classification of Cybersecurity Responsibility, cybersecurity responsibilities are categorized into five levels (Levels A through E). \u00a0Each regulated entity must meet the cybersecurity responsibilities corresponding to its assigned level, with regard to management, technical measures, and awareness and training.<\/p>\n<p>Under the CSMA, the Executive Yuan (the executive branch of the Taiwan government) is designated as the competent authority. \u00a0In August 2022, the Executive Yuan set up the Ministry of Digital Affairs (&#8220;<strong>MODA<\/strong>&#8220;), which now serves as the central authority for cybersecurity matters. \u00a0Under the MODA, the Administration for Cyber Security (&#8220;<strong>ACS<\/strong>&#8220;) and the Administration for Digital Industries were established. \u00a0The ACS, in collaboration with the National Institute of Cyber Security (a non-departmental public body under MODA\u2019s supervision, &#8220;<strong>NICS<\/strong>&#8220;), is responsible for formulating national cybersecurity policies, promoting cybersecurity programs, designating critical infrastructure providers, coordinating among competent authorities of nine major sectors, enhancing the national cybersecurity defense system, improving incident reporting and response mechanisms, assisting agencies with compliance, and fostering cybersecurity talent and awareness nationwide.<\/p>\n<p>For government agencies, the regulator is the competent authority at the next higher level, which supervises the formulation, revision, and implementation of the agency\u2019s cybersecurity maintenance plan. \u00a0For specified non-governmental agencies, the regulator is the central competent authority for the relevant industry. 
\u00a0For example, the Financial Supervisory Commission (&#8220;<strong>FSC<\/strong>&#8220;) is the regulator for insurance companies, securities firms, and futures commission merchants. \u00a0The central competent authority is authorized by the CSMA to promulgate rules requiring companies within the industry to establish, revise, and implement their cybersecurity maintenance plans.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any expected changes in the data protection, privacy or cybersecurity landscape in 2025 - 2026 (e.g., new laws or regulations coming into effect, enforcement of such laws and regulations, expected regulations or amendments)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>It is anticipated that between 2025 and 2026, Taiwan will undergo a series of significant regulatory changes and enhanced enforcement measures in these areas, aiming to build a more secure digital environment and align with international trends.<\/p>\n<p><strong><u>Formal Establishment of an Independent Supervisory Authority and Reform of the PDPA<\/u><\/strong><\/p>\n<p>As mentioned above, in May 2023, Taiwan\u2019s legislature passed amendments to the PDPA, formally establishing the Personal Data Protection Commission (&#8220;<strong>PDPC<\/strong>&#8220;) as a dedicated regulator. \u00a0The Preparatory Office of the PDPC was established in December 2023, and the PDPC is expected to officially begin operations by August 2025.<\/p>\n<p>In recent years, a series of major personal data breaches has prompted a reassessment of the effectiveness of the current PDPA. 
\u00a0In March 2025, the Executive Yuan approved a draft amendment to the Personal Data Protection Act (\u201c<strong>Draft Amendments to the PDPA<\/strong>\u201d) and a draft Organization Act for the PDPC, both of which have been submitted to the Legislative Yuan for review. These legislative proposals are anticipated to be enacted and implemented in stages between 2025 and 2026.<\/p>\n<p>Key anticipated changes include:<\/p>\n<ul style=\"padding-left: 0\">\n<li><strong>Establishment of the PDPC:<\/strong> The creation of this independent body aims to strengthen the supervision and enforcement of personal data protection. In the future, the PDPC will serve as the centralized regulatory body for the PDPA.\u00a0 Under the Draft Amendments to the PDPA, the PDPC may request the Executive Yuan to designate certain private entities that, within six years following the establishment of the PDPC, shall continue to be regulated by their respective central sectoral regulators or municipal and county\/city governments with respect to certain matters under the PDPA.<\/li>\n<li><strong>Direct Administrative Litigation against the PDPC\u2019s Decisions:<\/strong> As an independent agency, the PDPC is not subject to the direction or supervision of any other authority, except as otherwise provided by law. Accordingly, any challenge to an administrative act taken by the PDPC under the PDPA must be brought directly through administrative litigation procedures.<\/li>\n<li><strong>Strengthening Data Breach Notification Obligations:<\/strong> The current PDPA does not explicitly require notification of data breaches to government authorities. 
The Draft Amendments to the PDPA expressly mandate that data breach incidents meeting specified reporting criteria must be reported to the government.<\/li>\n<li><strong>Amendments to Administrative Inspection Regulations: <\/strong>The Draft Amendments to the PDPA introduce detailed procedures for administrative inspections, clarifying that such inspections will be initiated at the discretion of the PDPC, which will coordinate with central competent authorities and local agencies to conduct these inspections.<\/li>\n<li><strong>Promotion of the Data Protection Officer System in the Public Sector:<\/strong> The new legislation may require government agencies to appoint a so-called Personal Data Protection Officer (&#8220;<strong>PDPO<\/strong>&#8220;) or designate personnel responsible for overseeing the implementation of internal data protection measures.<\/li>\n<\/ul>\n<p><strong><u>Revision of the Cybersecurity Management Act and Strengthening of National Overall Protection<\/u><\/strong><\/p>\n<p>To address the increasingly severe cyber threats, the Executive Yuan passed a draft amendment to the CSMA in July 2024 (&#8220;<strong>Draft Amendments to the CSMA<\/strong>&#8220;). 
\u00a0The Draft Amendments to the CSMA are intended to strengthen the nation&#8217;s overall cybersecurity protection capabilities, particularly for critical infrastructure providers.<\/p>\n<p>Major directions of the amendments include:<\/p>\n<ul style=\"padding-left: 0\">\n<li><strong>Clarification of Competent Authorities and Responsibilities: <\/strong>The MODA and its subordinate ACS will be clearly designated as the competent authorities for the CSMA, responsible for the overall planning and promotion of national cybersecurity.<\/li>\n<li><strong>Expansion of Audit Scope and Enhancement of Supervision: <\/strong>The ACS will have the authority to conduct regular or irregular audits of the implementation of cybersecurity maintenance plans by government agencies and specific non-government agencies (such as critical infrastructure providers).<\/li>\n<li><strong>Introduction of Restrictions on Products Endangering National Cybersecurity: <\/strong>Regulations will be introduced to restrict the download, installation, or use of products that may endanger national cybersecurity.<\/li>\n<li><strong>Requiring the Appointment of Chief Information Security Officers (CISOs) and Dedicated Personnel:<\/strong> Specific non-government agencies will be required to appoint a CISO and dedicated cybersecurity personnel to strengthen their cybersecurity governance.<\/li>\n<li><strong>Clarification of the Relationship with the PDPA:<\/strong> The amendments introduce a new provision addressing the interaction with the PDPA. 
In the event that an information security incident involves the leakage of personal data, government agencies and specific non-government agencies shall also handle the matter in accordance with the PDPA and relevant laws and regulations.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any registration or licensing requirements for entities covered by these data protection and cybersecurity laws, and if so what are the requirements? Are there any exemptions? What are the implications of failing to register \/ obtain a licence?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the PDPA, there is generally no mandatory licensing or registration requirement for the collection, processing or use of personal data.\u00a0 However, entities are required to implement data security measures, including internal management systems and appropriate technical safeguards. \u00a0Organizations operating in highly regulated sectors may be subject to sector-specific registrations or compliance obligations imposed by their respective regulators. \u00a0For example, the FSC has established detailed guidelines and regulations regarding information systems, data security, and customer data protection for financial institutions. \u00a0The launch of certain businesses may require FSC&#8217;s approval, which can include an assessment of their data processing and cybersecurity capabilities.<\/p>\n<p>Under the CSMA, critical infrastructure providers, such as entities operating in sectors like finance, telecommunications, and energy, are subject to additional regulatory requirements. 
\u00a0These entities must report cybersecurity incidents to the relevant authorities, establish internal cybersecurity maintenance plans, and participate in regular audits. \u00a0While explicit licensing or registration as a critical infrastructure provider may not always be mandatory, such entities must formally acknowledge their designation as a critical infrastructure provider and adhere to regulatory standards and reporting requirements set forth by competent authorities.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How do the data protection laws in your jurisdiction define \u201cpersonal data,\u201d \u201cpersonal information,\u201d \u201cpersonally identifiable information\u201d or any equivalent term in such legislation (collectively, \u201cpersonal data\u201d)? Do such laws include a specific definition for special category or sensitive personal data? 
What other key definitions are set forth in the data protection laws in your jurisdiction (e.g., \u201ccontroller\u201d, \u201cprocessor\u201d, \u201cdata subject\u201d, etc.)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under Taiwan\u2019s data protection laws, particularly the PDPA, the following definitions and key terms are provided:<\/p>\n<ul style=\"padding-left: 0\">\n<li><strong>Personal Data:<\/strong> The PDPA defines &#8220;personal data&#8221; as information relating to a natural person, such as their name, date of birth, national identification number, passport number, physical appearance, fingerprints, marital status, family background, educational history, occupation, contact details, financial information, social activities, special category personal data (as described below), and any other data that can directly or indirectly identify an individual.<\/li>\n<li><strong>Special Categories of Personal Data<\/strong>: While the PDPA does not explicitly define &#8220;sensitive personal data,&#8221; Article 6 prohibits the processing of certain types of information, including medical history, medical treatment, genetic data, sex life, health examination results, and criminal records, except in specific circumstances. These types of data are generally referred to as &#8220;sensitive personal data&#8221; or &#8220;special category personal data&#8221; in Taiwan.<\/li>\n<li><strong>Processing<\/strong>: Under the PDPA, &#8220;processing&#8221; encompasses activities such as recording, inputting, storing, editing, correcting, duplicating, indexing, deleting, outputting, linking, or internally transmitting personal data for the purpose of establishing or utilizing personal data files.<\/li>\n<li><strong>Controller: <\/strong>Although the PDPA does not use the term &#8220;controller,&#8221; it incorporates similar concepts. 
The PDPA distinguishes between government and non-government agencies when referring to entities responsible for personal data.\u00a0 A &#8220;non-government agency&#8221; is broadly defined to include any individual, legal entity, or unincorporated association that is not a government agency.<\/li>\n<li><strong>Processor:<\/strong> The PDPA also does not specifically use the term &#8220;processor,&#8221; but it recognizes comparable roles. When an individual or entity collects, processes, or uses personal data on behalf of another party, they are subject to regulations similar to those applied to &#8220;processors&#8221; under the General Data Protection Regulation (&#8220;<strong>GDPR<\/strong>&#8220;), though the requirements are less stringent.<\/li>\n<li><strong>Data Subject<\/strong>: A &#8220;data subject&#8221; refers to any natural person whose personal data is collected, processed, or used.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What principles apply to the processing of personal data in your jurisdiction? For example: is it necessary to establish a \u201clegal basis\u201d for processing personal data?; are there specific transparency requirements?; must personal data only be kept for a certain period? Please provide details of such principles.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><ul style=\"padding-left: 0\">\n<li><strong>Transparency<\/strong>: Pursuant to the PDPA, a government or non-government agency is required to notify the data subject of the matters specified under Articles 8 or 9 of the PDPA. 
Such notification generally includes: (i) the identity of the government or non-government agency; (ii) the purposes for which the personal data is collected; (iii) the categories of personal data collected; (iv) the duration, location, and method of use, as well as the persons who may use the data; (v) the rights of the data subject and the procedures for exercising such rights; (vi) the consequences of failing to provide the required personal data; and (vii) the source from which the government or non-government agency obtained the personal data, in cases of indirect collection.<\/li>\n<li><strong>Lawful Basis for Processing:<\/strong> For government agencies, the lawful bases for processing personal data include: (i) processing as provided by law; (ii) obtaining the consent of the data subject; and (iii) processing that does not infringe upon the rights or interests of the data subject. For non-government agencies, the lawful bases for processing include: (i) processing as provided by law; (ii) the existence or negotiation of a contract with the data subject, provided that appropriate security measures have been adopted; (iii) processing of data that has entered the public domain due to disclosure by the data subject or legitimate publication; (iv) processing necessary for statistical or academic research by an academic research institution in the public interest, provided that any information sufficient to identify the data subject has been removed; (v) obtaining the consent of the data subject; (vi) processing necessary for the advancement of public interest; (vii) processing of data collected from publicly available sources, unless the interests of the data subject take precedence over those of the non-government agency; and (viii) processing that does not infringe upon the rights or interests of the data subject.<\/li>\n<\/ul>\n<p>Article 6 of the PDPA prohibits the processing of special category personal data except in the following circumstances: (i) where 
processing is provided by law; (ii) where processing is necessary for a government agency to perform its statutory duties or for a non-government agency to fulfill legal obligations, and appropriate security measures have been or will be adopted; (iii) where the data has entered the public domain due to disclosure by the data subject or legitimate publication; (iv) where processing is necessary for statistical or academic research by a government agency or academic research institution for medical, health, or crime-prevention purposes, provided that any information sufficient to identify the data subject has been removed; (v) where processing is necessary to assist a government agency in performing its statutory duties or a non-government agency in fulfilling legal obligations, and appropriate security measures have been or will be adopted; or (vi) where the written consent of the data subject has been obtained, provided that processing remains prohibited if it exceeds the necessary scope of the specified purpose(s), is otherwise prohibited by law, or if the consent was obtained against the data subject\u2019s will.<\/p>\n<ul style=\"padding-left: 0\">\n<li><strong>Purpose Limitation:<\/strong> The collection of personal data must be for one or more specific purposes, and the use of such data must be confined to the necessary extent of those purposes. Any use beyond this scope requires an additional legal basis in accordance with the PDPA.<\/li>\n<li><strong>Data Minimization:<\/strong> While the PDPA does not prescribe explicit data minimization requirements, Article 5 stipulates that the collection, processing, and use of personal data must not exceed the necessary extent of the purpose(s) for which the data was collected, and must be reasonably and justifiably related to such purpose(s).<\/li>\n<li><strong>Proportionality: <\/strong>The principle of proportionality under the PDPA aligns with data minimization. 
Furthermore, the PDPA mandates that government and non-government agencies implement appropriate security measures to prevent personal data from being stolen, altered, damaged, destroyed, lost, or leaked.\u00a0 The Enforcement Rules of the PDPA specify certain technical and organizational measures that may be adopted, based on the principle of proportionality, considering the nature and volume of the personal data involved.<\/li>\n<li><strong>Retention: <\/strong>Neither the PDPA nor the Enforcement Rules of the PDPA specify a particular retention period for personal data. The PDPA requires government and non-government agencies to delete or cease processing or using personal data voluntarily, or upon the request of the data subject, when the purpose(s) for which the data was collected no longer exist(s) or the retention period has expired, unless: (i) processing is necessary for the performance of statutory duties or business operations; or (ii) the data subject has provided written consent. The Enforcement Rules of the PDPA further provide that retention of personal data will be deemed necessary for the performance of a government agency\u2019s statutory duties or a non-government agency\u2019s business operations if: (i) the statutory or agreed retention period has not yet expired; (ii) deletion would be detrimental to the data subject\u2019s interests; or (iii) there exists any other legitimate reason for retention.<\/li>\n<li><strong>Accuracy: <\/strong>Government and non-government agencies are obligated to ensure the accuracy of personal data and to correct or supplement such data voluntarily or upon the request of the data subject. 
If the failure to provide accurate personal data is attributable to a government or non-government agency, the agency must notify the recipients of the data as soon as the data is corrected or supplemented.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any circumstances for which consent is required or typically obtained in connection with the processing of personal data? What are the rules relating to the form, content and administration of such consent? For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As previously addressed, obtaining the data subject\u2019s consent constitutes one of the principal legal bases for the collection, processing, and use of personal data. 
\u00a0Explicit consent is generally required where none of the other legal bases (such as a contractual relationship) are applicable.\u00a0 This requirement is particularly significant in relation to the collection, processing, or use of special category personal data, which is generally prohibited under the PDPA.\u00a0 In such cases, written consent from the data subject serves as one of the primary exceptions permitting non-governmental agencies to collect special category data from data subjects.<\/p>\n<p><strong><u>Form and Content of Consent<\/u><\/strong><\/p>\n<p>The PDPA mandates that consent must be informed, meaning the data subject must be provided with all information required under the PDPA for a privacy notice, either prior to or at the time of data collection.<\/p>\n<p>Except in the case of special category data, the PDPA does not prescribe a specific form for consent (e.g., written, oral, or electronic); however, the consent must be explicit and based on sufficient information.\u00a0 Written consent is generally advisable, particularly as it is a statutory requirement for special category data or in circumstances where the burden of proof regarding the existence of consent may arise in relation to general personal data.<\/p>\n<p><strong><u>Administration of Consent<\/u><\/strong><\/p>\n<p>The data collector bears the burden of proof to demonstrate that valid consent from the data subject has been obtained.\u00a0 Accordingly, it is recommended that records be maintained to evidence that such consent was duly acquired.<\/p>\n<p><strong><u>Bundling and Incorporation<\/u><\/strong><\/p>\n<p>Implied consent is typically insufficient under the PDPA.\u00a0 However, if the data subject, after being duly informed via the required privacy notice, does not object and actively provides their personal data, such conduct may be deemed to constitute presumed consent. 
\u00a0In all cases, consent should be explicit and based on clear, adequate information provided to the data subject.<\/p>\n<p>Consent may be incorporated into broader documents (such as terms of service), provided that the consent provisions are clearly distinguishable and the data subject is adequately informed. \u00a0Nevertheless, consent should not be bundled in a manner that makes it a prerequisite for unrelated services, as such practice may not satisfy the requirement that consent be \u201cfreely given.\u201d<\/p>\n<p>The content and scope of personal data consent must be clearly and explicitly specified.\u00a0 In particular, where there is any intended use beyond the original purpose of collection, such as for marketing purposes, separate consent from the data subject must be obtained, and such consent may not be bundled with the consent for the original collection purpose.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What special requirements, if any, are required for processing particular categories of personal data (e.g., health data, children\u2019s data, special category or sensitive personal data, etc.)? Are there any prohibitions on specific categories of personal data that may be collected, disclosed, or otherwise processed?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Article 6 of the PDPA imposes strict regulations on the collection, processing, and use of \u201cspecial category personal data\u201d (sensitive personal data), which includes information such as medical history, medical treatment, genetic data, sex life, health examination results, and criminal records.<\/p>\n<p>As a general rule, the collection, processing, and use of such data are prohibited. 
\u00a0However, exceptions exist where such activities are explicitly authorized by law, such as in the case of health examinations for employees, or when public agencies are performing their statutory duties. \u00a0Non-government agencies may also process such data within the necessary scope to fulfill legal obligations, provided that appropriate security measures are implemented before or after processing. \u00a0Additionally, processing may be permitted for purposes such as promoting the public interest, when the data subject has made the information public or voluntarily revealed it, or with the data subject\u2019s written consent. \u00a0These exceptions are subject to strict compliance with the relevant legal requirements to ensure the protection of sensitive personal data.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction include any derogations, exemptions, exclusions or limitations other than those already described? If so, please describe the relevant provisions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Natural persons who collect, process, or use personal data solely for personal or family activities are, in principle, not subject to the provisions of the PDPA. 
\u00a0Furthermore, audio-visual data collected, processed, or used in public places or during public activities, which is not combined with other personal data, may, under certain circumstances, be exempt from the application of the PDPA.<\/p>\n<p>For specific purposes such as academic research or statistical analysis, where personal data has been processed so that no specific individual can be identified, certain provisions of the PDPA may not apply.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Does your jurisdiction require or recommend risk or impact assessments in connection with personal data processing activities and, if so, under what circumstances? How are these assessments typically carried out?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Currently, Taiwan does not legally require a data protection impact assessment similar to that mandated by the EU GDPR.\u00a0 However, Article 12 of the Enforcement Rules of the PDPA obliges personal data holders to implement &#8220;proper security and maintenance measures,&#8221; which include establishing mechanisms for risk assessment and management of personal data.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any specific codes of practice applicable in your jurisdiction regarding the processing of personal data (e.g., codes of practice for processing children\u2019s data or health data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Article 12 of the Enforcement Rules of the PDPA requires personal data holders to 
implement &#8220;proper security and maintenance measures,&#8221; which include establishing mechanisms for the prevention, notification, and response to data breaches.<\/p>\n<p>Although there is no separate code specifically governing children\u2019s data, the provisions of the Personal Data Protection Act apply equally to minors. \u00a0For children below a certain age, consent must be obtained from their parents or legal guardians. \u00a0Organizations are encouraged to adopt additional safeguards when processing children\u2019s data, although such measures are not mandated by a specific code of practice.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are organisations required to maintain any records of their data processing activities or establish internal processes or written documentation? If so, please describe how businesses typically meet such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Pursuant to Article 27 of the PDPA, non-government agencies that possess personal data files are required to implement appropriate security measures to prevent the theft, alteration, damage, destruction, or disclosure of personal data.\u00a0 Accordingly, central government authorities have issued sector-specific data protection regulations and have mandated that certain non-government agencies establish security and maintenance plans for the protection of personal data files, as well as procedures for the disposal of personal data upon business termination.\u00a0 These data protection regulations generally require businesses to include, among others, measures or processes related to the preservation of usage records, log files, and relevant evidence in their security and maintenance 
plans.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require or recommend data retention and\/or data disposal policies and procedures? If so, please describe such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>According to Article 11 of the PDPA, personal data must be deleted, cease to be processed, or be anonymized once the purpose for processing has ended or the retention period has expired.\u00a0 Certain industries, such as finance and healthcare, may be subject to more specific statutory retention periods.\u00a0 In practice, as noted above, non-government agencies in certain sectors have established security and maintenance plans that include corporate data retention and deletion policies.\u00a0 These policies specify retention periods, designate responsible personnel, outline destruction methods (e.g., physical destruction, electronic data deletion, and overwriting), and require periodic review and enforcement to ensure compliance with legal requirements and to safeguard personal data security.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Under what circumstances is it required or recommended to consult with the applicable data protection regulator(s)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Although the PDPA currently does not explicitly mandate consultation, non-government agencies in certain sectors must comply with sector-specific data protection regulations that require immediate reporting of 
personal data breaches to the relevant authorities within a specified timeframe.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require the appointment of a data protection officer, chief information security officer, or other person responsible for data protection? If so, what are their legal responsibilities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under Article 18 of the PDPA, government agencies are required to designate dedicated personnel to be responsible for matters concerning security maintenance. \u00a0In contrast, the PDPA does not impose a corresponding obligation on a non-government agency to appoint a data protection officer or an equivalent role. \u00a0Nevertheless, sector-specific personal data protection regulations, such as the Regulations Governing Security Maintenance for Personal Data Files of Non-Government Agencies Designated by the Financial Supervisory Commission (&#8220;<strong>Financial Industry Security Maintenance Regulations<\/strong>&#8221;) and the Regulations Governing Security Maintenance and Management of Personal Data Files for Digital Economy Business (&#8220;<strong>Digital Business Security Maintenance Regulations<\/strong>&#8221;), may impose an obligation on operators to designate personnel responsible for implementing security maintenance plans.<\/p>\n<p>As mentioned above, under Article 18 of the Draft Amendments to the PDPA, the provision will be revised to introduce a mandatory requirement for government agencies to appoint a PDPO. 
\u00a0The PDPO will promote and oversee personal data protection measures within the respective agency.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require or recommend employee training related to data protection? If so, please describe such training requirement(s) or recommendation(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA does not currently impose an express obligation on either government agencies or non-government agencies to provide personnel with personal data protection education and training. \u00a0Certain sector-specific personal data protection regulations, however, require operators to conduct regular awareness campaigns and training programs. \u00a0Such programs must address statutory obligations, define the scope of personnel responsibilities, and outline the requirements of applicable security maintenance plans, among other relevant topics.<\/p>\n<p>In addition, Article 18 of the Draft Amendments to the PDPA provides that the PDPC shall promulgate subordinate legislation governing the training methodologies for competency development of PDPOs within government agencies.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require controllers to provide notice to data subjects of their processing activities? 
If so, please describe such notice requirement(s) (e.g., posting an online privacy notice).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As mentioned above, pursuant to Article 8 of the PDPA, where personal data is collected directly from the data subject, the collecting entity must, at the time of collection or prior thereto, clearly inform the data subject of the following: (1) the name of the agency; (2) the purpose of the data collection; (3) the categories of data to be collected; (4) the duration, geographic scope, recipients, and methods of data use; (5) the rights available to the data subject under Article 3 of the PDPA and the procedures for exercising those rights; and (6) where the provision of personal data is voluntary, the potential impact on the data subject\u2019s rights and interests should the data not be provided.<\/p>\n<p>Additionally, pursuant to Article 9 of the PDPA, if personal data is collected indirectly, such as through a third party, the collecting entity must, before processing or use, inform the data subject of the information above and, in addition, disclose the source from which the personal data was obtained.<\/p>\n<p>In practice, these notification obligations are commonly discharged through the issuance of a privacy policy.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction draw any distinction between the responsibility of controllers and the processors of personal data? 
If so, what are the implications?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As mentioned above, the PDPA does not incorporate the concepts of &#8220;Controller&#8221; and &#8220;Processor&#8221; as defined under the GDPR. \u00a0Instead, regulated entities under the PDPA are categorized as either government agencies or non-government agencies. These entities, insofar as they determine the purposes and means of collecting, processing, and using personal data, function in a manner analogous to the controller under the GDPR.<\/p>\n<p>Additionally, Article 4 of the PDPA refers to &#8220;persons commissioned by government agencies or non-government agencies to collect, process, or use personal data&#8221; (&#8220;<strong>commissioned persons<\/strong>&#8221;), whose role is comparable to that of a processor under the GDPR.<\/p>\n<p>Pursuant to Article 4 of the PDPA, a commissioned person is deemed to be acting on behalf of the commissioning agency within the scope of the commission. \u00a0Accordingly, the commissioning agency assumes legal liability for any actions taken by the commissioned person while performing the commissioned activities. \u00a0Furthermore, Article 8 of the Enforcement Rules of the PDPA expressly provides that the commissioning agency shall properly supervise the commissioned person and keep the relevant records of such supervision.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction, including through the use of tracking technologies such as cookies. 
How are these or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><ul style=\"padding-left: 0\">\n<li><strong>Monitoring: <\/strong>The PDPA does not contain specific provisions or definitions governing &#8220;monitoring&#8221; activities. Rather, monitoring is regulated across various areas of law. \u00a0For instance, the Constitution guarantees the right to privacy, and monitoring electronic communications, such as telephone conversations, generally requires the issuance of a surveillance warrant in accordance with the Communication Security and Surveillance Act.<\/li>\n<li><strong>Automated Decision-Making and Profiling: <\/strong>The PDPA does not currently provide any regulatory framework or definitions concerning automated decision-making or profiling.<\/li>\n<li><strong>Cookies and Other Tracking Technologies: <\/strong>While there is no specific legislation dealing with or defining cookies under Taiwan law, where data collected through cookies (alone or when combined with other information) can identify a specific individual, such data constitutes personal data within the meaning of the PDPA. In such cases, the collection and use of this data must comply with the requirements of the PDPA, including the establishment of a legal basis (Article 19), compliance with notification obligations (Article 8), and the limitations on use (Article 20). \u00a0The same principles apply to other tracking technologies in determining whether the data collected falls within the scope of personal data under the PDPA.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any restrictions on targeted advertising and\/or behavioral advertising. 
How are these terms or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>At present, no specific legislation in Taiwan expressly defines or regulates &#8220;targeted advertising&#8221; or &#8220;behavioral advertising&#8221;. \u00a0However, where such advertising involves the use of personal data, it falls under the scope of Article 20 of the PDPA, which governs the use of personal data. \u00a0Under the PDPA, the use of personal data for advertising must either align with the original purpose for which the data was collected or be supported by the data subject\u2019s separate and explicit consent for the specific purpose of advertising.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction restricting the sale of personal data. How is the term \u201csale\u201d or such related terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA or other data protection laws do not define &#8220;sale&#8221;. The sale of personal data is classified as a form of &#8220;use&#8221; under Article 2 of the PDPA. \u00a0As the sale of personal data typically falls outside the scope of the original purpose for which the data was collected, it is generally understood that under Subparagraph 6, Paragraph 1, Article 20 of the PDPA, specific and informed consent of the data subject is required. 
\u00a0Furthermore, the sale of personal data with the intent to profit oneself or a third party unlawfully, or to harm the interests of another, gives rise to criminal liability under Article 41 of the PDPA.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction restricting telephone calls, text messaging, email communication, or direct marketing. How are these terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Using personal data for direct marketing purposes via telephone, text message, email, or similar means constitutes an act of &#8220;use&#8221; as defined under Article 20 of the PDPA. \u00a0The lawfulness of such activities requires one of the following conditions to be met: (a) the marketing purpose aligns with the original purpose for which the data was collected, such as marketing related products to existing customers where such use was disclosed at the time of data collection, or (b) the data subject has given explicit consent (opt-in) for such marketing purposes, as outlined in Subparagraph 6, Paragraph 1 of Article 20 of the PDPA.<\/p>\n<p>It is essential to note that the data subject has the right to opt out. Once the data subject informs the data controller of their decision to refuse further marketing communications, the controller must cease using the data subject&#8217;s personal data for marketing purposes. 
\u00a0Additionally, when using the data subject&#8217;s personal data for marketing purposes for the first time, the data controller must provide the data subject with a free and accessible method to exercise their right to opt-out.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction addressing biometrics, such as facial recognition. How are such terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA does not define the term &#8220;biometrics.&#8221; However, the &#8220;Guidelines on the Protection of Personal Data in the Use of Biometric Identification Technology on Campus,&#8221; issued by the Ministry of Education, define biometric as &#8220;physiological characteristic data that are unique to an individual and sufficient to identify a specific person.&#8221; Such characteristics include fingerprints, facial features, iris patterns, voice, palm prints, and veins.<\/p>\n<p>Currently, biometric data, such as facial features, is <strong>not<\/strong> classified as special data under Article 6 of the PDPA. \u00a0As a result, such data collection, processing, and use are not automatically subject to the more stringent requirements outlined in Article 6. \u00a0Nevertheless, due to the highly sensitive nature of biometric data, its use requires careful consideration.<\/p>\n<p>Judicial Yuan (Taiwan&#8217;s Grand Justices) Interpretation No. 
603 (concerning compulsory fingerprinting for the issuance of Taiwan ID) established the principle that, due to the significant personal identification capacity of biometrics (such as fingerprints), which enables the monitoring of individuals, any large-scale and compulsory collection by the State must be justified by a specific and substantial public interest. \u00a0Such actions must also adhere to the principle of proportionality and be expressly authorized by law.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any data protection laws in your jurisdiction addressing artificial intelligence or machine learning (\u201cAI\u201d).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>There are currently no relevant regulations in Taiwan.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Is the transfer of personal data outside your jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism or notification to or authorization from a regulator?)<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the PDPA, cross-border transfers of personal data are generally permitted unless the competent authorities issue an order prohibiting or restricting such transfers. 
\u00a0Under the PDPA, the competent authorities may impose limitations on cross-border data transfers under the following circumstances: (i) if the transfer may adversely affect significant national interests; (ii) if the transfer is prohibited or restricted by a relevant international treaty or agreement; (iii) if the jurisdiction receiving the data does not provide adequate legal protections for personal data, potentially infringing upon the rights or interests of data subjects; or (iv) if the transfer is intended to circumvent the provisions of the PDPA.<\/p>\n<p>The National Communications Commission issued a blanket prohibition against communications enterprises, including telecommunications carriers and broadcasting operators, from transferring subscribers\u2019 personal data to the People\u2019s Republic of China (\u201c<strong>PRC<\/strong>\u201d). Subsequently, the Ministry of Health and Welfare and the Ministry of Labor issued rulings prohibiting social worker offices and human resources agencies from transferring the personal data of their service recipients to the PRC.<\/p>\n<p>In principle, businesses not subject to the restrictions above may transfer personal data across borders without the need to implement any specific mechanism, notify regulators, or obtain prior authorization from a competent authority.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What personal data security obligations are imposed by the data protection laws  in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Pursuant to Articles 18 and 27 of the PDPA, an obligation exists to implement security and maintenance measures to safeguard personal data from theft, alteration, damage, loss, or unauthorized disclosure. 
\u00a0Article 12 of the Enforcement Rules of the PDPA outlines eleven security measures that may serve as guidelines (though not mandatory), which include (1) allocating management personnel and reasonable resources; (2) defining the scope of personal data; (3) establishing a mechanism for risk assessment and management of personal data; (4) establishing a mechanism for preventing, giving notice of, and responding to a data breach; (5) establishing an internal control procedure for the collection, processing, and use of personal data; (6) managing data security and personnel; (7) promoting awareness, education and training; (8) managing facility security; (9) establishing an audit mechanism for data security; (10) keeping records, log files and relevant evidence; and (11) implementing integrated and persistent improvements to the security and maintenance of personal data.<\/p>\n<p>Sector-specific personal data protection regulations, such as the Financial Industry Security Maintenance Regulations, require operators to fulfill obligations, including conducting risk assessments, establishing contingency plans for incidents, implementing education and training programs, formulating specific management procedures, and adopting data security measures.<\/p>\n<p>Under the Draft Amendments to the PDPA, the obligation for non-government agencies has been relocated to Article 20-1, which grants the PDPC the authority to prescribe relevant security maintenance standards. \u00a0Government agencies are subject to similar obligations under Article 18 of the proposed amendment.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction impose obligations in the context of security breaches which impact personal data? 
If so, how do such laws define a security breach (or similar term) and under what circumstances must such a breach be reported to regulators, impacted individuals, law enforcement, or other persons or entities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA does not provide a direct definition of &#8220;security breaches.&#8221; \u00a0However, Article 12 stipulates that a personal data incident refers to theft, leakage, alteration, or other forms of infringement upon personal data. \u00a0Once such an incident is confirmed, the affected data subjects must be notified by an appropriate means, which may include oral, written, telephone, text message, email, facsimile, or electronic document notification. \u00a0A public announcement may be used instead if notification costs are excessively high.<\/p>\n<p>Sector-specific personal data protection regulations impose additional obligations on specific industries to report significant personal data incidents to the relevant competent authority.\u00a0 The Draft Amendments to the PDPA introduce a new, general mandatory notification requirement. \u00a0If a personal data incident falls within the &#8220;specified notification scope&#8221; established by the PDPC, notification must be made to the PDPC. \u00a0For non-government agencies, notification must also be made to the competent authority overseeing the relevant business sector.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction establish specific rights for individuals, such as the right to access and the right to deletion? 
If so, please provide a general description of such rights, how they are exercised, and any exceptions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Article 3 of the PDPA confers the following rights upon data subjects, which may neither be waived in advance nor restricted by special agreement:<\/p>\n<ul style=\"padding-left: 0\">\n<li><strong>Right of Access to (Copies of) Data about Processing:<\/strong> Individuals have the right to access and review their data held by both government or non-government agencies, as well as the right to obtain copies of such data.<\/li>\n<li><strong>Right to Rectification of Errors:<\/strong> Data subjects can request the correction or supplementation of inaccurate or incomplete personal data. In the event of a dispute concerning the accuracy of the personal data, the processing or use of the data must be suspended unless (i) such processing or use is necessary for the agency\u2019s statutory duties or business operations or (ii) the data subject provides written consent, and the existence of the dispute is duly recorded.<\/li>\n<li><strong>Right to Cease Processing:<\/strong> Article 3 of the PDPA grants data subjects the right to request the cessation of the processing or use of their personal data.<\/li>\n<li><strong>Right to Deletion:<\/strong> Article 3 of the PDPA expressly provides that a data subject may request the deletion of their personal data by either a government or non-government agency.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction provide for a private right of action and, if so, under what circumstances?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer 
filter-container__match-html\" style=\"display:none;\"><p>Chapter 4 of the PDPA expressly confers private law rights of action upon data subjects. \u00a0In the event that a government agency or non-government agency violates the provisions of the PDPA, thereby infringing upon a data subject&#8217;s rights, the data subject may, in accordance with the law, initiate a claim for damages against the relevant agency (Articles 28 and 29 of the PDPA).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are individuals entitled to monetary damages or compensation if they are affected by breaches of data protection law? Does the law require actual and material damage to have been sustained, or is non-material injury to feelings, emotional distress or similar sufficient for such purposes?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under Article 28 of the PDPA, a data subject who suffers damage due to an infringement of their data protection rights is entitled to claim compensation for both pecuniary and non-pecuniary damages. \u00a0Additionally, if the violation of personal data harms the data subject&#8217;s reputation, the data subject may request appropriate measures to restore their reputation.<\/p>\n<p>It is important to note that, in cases where the same infringing act damages the rights of multiple data subjects, the law establishes an upper limit on the total amount of compensation. \u00a0In principle, the aggregate maximum compensation shall not exceed NT$200 million. 
However, if the total actual interests in the incident exceed this amount, the aggregate value of such actual interests shall serve as the upper limit for compensation (Article 28 of the PDPA).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are data protection laws in your jurisdiction typically enforced?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As mentioned above, the NDC previously served as the competent authority responsible for interpreting the PDPA and acted as a coordinator among various government agencies regarding the interpretation and implementation of personal data protection matters.\u00a0 However, following the establishment of the Preparatory Office of the PDPC on December 5, 2023, the responsibility for interpreting the PDPA was transferred from the NDC to the PDPC as of January 1, 2024.<\/p>\n<p>Meanwhile, the central competent authority for each industry, as well as local government authorities, is vested with the power to enforce certain provisions of the PDPA.\u00a0 Their investigative powers include entering premises, requesting information, and retaining or copying personal data or files for evidentiary purposes.\u00a0 Upon identifying a violation, the authorities may impose administrative fines and take measures such as prohibiting further collection or processing of personal data, ordering the deletion or destruction of unlawfully collected data, confiscating data, and publicizing the violation along with the names of the agency and its statutory representative.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines 
and penalties) for violation of data protection laws in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Pursuant to the PDPA, conducting any of the following breaches with an intent to make unlawful profit for oneself or a third party or with an intent to damage the interest of another, thereby causing or potentially causing injury to another, may lead to criminal penalties:<\/p>\n<p>(i)\u00a0\u00a0 illegal collection, processing, or use of personal data;<\/p>\n<p>(ii)\u00a0 failure to obey a central government authority&#8217;s order imposing restrictions on the international transfer of personal data; or<\/p>\n<p>(iii) illegal amendment or deletion of personal data files or employment of any other illegal means thereby affecting the accuracy of personal data files.<\/p>\n<p>In addition, an administrative fine may be imposed for failure to comply with the requirements under the PDPA, such as collecting or processing personal data without a statutory ground, using the personal data outside of the scope of the specific purpose under which the personal data was collected, or failure to comply with the restrictions on the international transfer of personal data. 
\u00a0For any failure to comply with the notification requirements, marketing restrictions, information security requirement or obligations to respond to data subjects&#8217; requests, the authority may order that correction be made by a certain deadline and impose an administrative fine if correction is not made within such deadline.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any guidelines or rules published regarding the calculation of such fines or thresholds for the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The competent authorities may impose an administrative fine of between NT$50,000 to NT$500,000 if a non-government agency violates the relevant data protection requirements.<\/p>\n<p>For minor violations, such as failure to comply with notification requirements, the competent authority must first designate a time limit for the non-government agency to rectify the failure. \u00a0Only if the non-government agency fails to rectify the failure within the time limit will the competent authorities impose an administrative fine between NT$20,000 and NT$200,000.<\/p>\n<p>If there is a data breach, the central competent authorities in charge of the relevant industries and the local government authorities may impose an administrative fine ranging from NT$20,000 to NT$2,000,000 immediately, without having to designate a time limit for the non-government agency to rectify the breach first. \u00a0If the non-government agency fails to rectify the breach within such time limit, the aforesaid administrative fine can be increased to between NT$150,000 and NT$15,000,000. 
\u00a0On the other hand, if the data breach is material (the threshold for determining whether a data breach is material will be assessed on a case-by-case basis), the aforesaid authorities may impose an administrative fine ranging from NT$150,000 to NT$15,000,000 immediately, without having to designate a time limit for the non-government agency to rectify the breach first.<\/p>\n<p>The administrative fines under the PDPA may be imposed consecutively until the violation is rectified.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to  appeal in your jurisdiction? If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, non-government agencies subject to enforcement decisions may file an appeal if they object to such decisions. \u00a0Non-government agencies may file an administrative appeal against enforcement decisions with their superior authorities in accordance with the Administrative Appeal Act. 
If the non-government agencies are not satisfied with the appeal decisions, they may seek judicial remedies from administrative courts in accordance with the Administrative Litigation Act.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any identifiable trends or regulatory priorities in enforcement activity in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As mentioned above, the PDPA was amended on May 16, 2023, to include Article 1-1, designating the PDPC as the competent authority of the PDPA. \u00a0This amendment aims to integrate enforcement powers and responsibilities that were previously dispersed among local government authorities, central competent authorities in charge of the relevant industries, and the NDC. \u00a0The Preparatory Office of the PDPC was established on December 5, 2023, and the PDPC is expected to gradually integrate enforcement powers regarding the PDPA following its formal establishment, which is expected to take place by August 2025. \u00a0At the moment, the role of the NDC has been fulfilled by the Preparatory Office of the PDPC, and the enforcement tendencies of the PDPC (e.g., its sectoral focus or regulatory priorities) are to be observed after its establishment.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the implementation of specific cybersecurity risk management measures and\/or require that organisations take specific actions relating to cybersecurity? 
If so, please provide details.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>For government agencies and the specific non-government agencies (such as critical infrastructure providers), the CSMA requires adoption of cybersecurity maintenance plans and reporting of cybersecurity incidents to the related government authorities. \u00a0In particular, implementing anti-virus measures and adopting periodic checks on security procedures are encouraged. \u00a0In addition, some statutes for the telecommunications industry prescribe critical infrastructure and the related security level.<\/p>\n<p>Other than the specific non-government agencies under the CSMA, a company is not legally required to have written information security plans or incident response plans, appoint a chief information security officer (&#8220;<strong>CISO<\/strong>&#8220;), conduct risk assessment or internal training, or implement other security measures. A company is also not required to disclose software vulnerabilities unless they are material to the operation of a listed company.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific requirements regarding supply chain management? 
If so, please provide details of these requirements.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Although the CSMA articles do not contain a dedicated chapter on &#8220;supply chain,&#8221; many of the management requirements and standards derived from the CSMA implicitly address the need to manage third-party vendors and product supply chains.<\/p>\n<p>For instance, Exhibit 10 of the Regulations on Classification of Cyber Security Responsibility Levels outlines specific requirements for entities subject to the CSMA to ensure the integrity and availability of their information systems. \u00a0Entities classified at a high defense standard are required to implement at least the following control measures:<\/p>\n<ul style=\"padding-left: 0\">\n<li>The cyber system must use automated tools to monitor communication flows and analyze any detected unusual or unauthorized activities.<\/li>\n<li>Regular inspections must be conducted to verify the integrity of software and information.<\/li>\n<li>Integrity verification tools should be employed to detect any unauthorized changes to specific software and information.<\/li>\n<li>The legitimacy of user input data must be verified at the server terminal of the application system.<\/li>\n<li>If any integrity violations are identified, the cyber system must implement the security protection measures prescribed by the relevant authorities.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose information sharing requirements on organisations?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Pursuant to Article 8 of the CSMA, 
the Executive Yuan is mandated to establish a cybersecurity information sharing mechanism.\u00a0 Under the Cyber Security Information Sharing Regulations, the competent authorities of relevant industries are required to timely share cybersecurity information with the \u201cspecific non-government agencies\u201d under their supervision.\u00a0 These \u201cspecific non-government agencies\u201d may also voluntarily provide cybersecurity information to the competent authorities.<\/p>\n<p>For individuals, entities or organisations that are not subject to the CSMA, the competent authorities may also share cybersecurity information with them, provided that they have agreed in writing to comply with the requirements under the Cyber Security Information Sharing Regulations.<\/p>\n<p>Additionally, the ACS under MODA has developed a national information security joint defense system.\u00a0 This system enables information sharing among governmental agencies and critical infrastructure providers.\u00a0 Furthermore, certain industry authorities, such as the National Communications Commission (&#8220;<strong>NCC<\/strong>&#8220;), regularly organize training sessions and seminars to encourage enterprises to enhance their information security capabilities.\u00a0 Alliances such as the Taiwan Computer Emergency Response Team (TWCERT) also offer platforms for private companies to access and exchange intelligence and resources on recent cybersecurity threats.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the appointment of a chief information security officer, regulatory point of contact, or other person responsible for cybersecurity? 
If so, what are their legal responsibilities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Pursuant to Paragraph 1, Article 11 of the CSMA, government agencies are required to appoint a CISO.\u00a0 While non-government agencies are not mandated to appoint a CISO under the CSMA, it is nevertheless recommended.\u00a0 Additionally, entities classified as levels A, B, and C under the CSMA are required to assign dedicated cybersecurity personnel.<\/p>\n<p>Although the CSMA does not obligate non-government agencies to appoint a CISO, the FSC requires eligible listed companies to designate a CISO responsible for implementing information security policies and to establish a department with officers and staff dedicated to information security, in accordance with the Regulations Governing Establishment of Internal Control Systems by Public Companies.\u00a0 Furthermore, pursuant to Paragraph 6, Article 16 and Paragraph 4, Article 17 of the CSMA, the central competent authority for the relevant business may, based on overall cybersecurity considerations, require specific non-government agencies under its supervision to designate personnel at an appropriate level to serve as a CISO or information security management representative, and may stipulate such requirements in relevant administrative regulations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there specific cybersecurity laws \/ regulations for different industries (e.g., finance, healthcare, government)? 
If so, please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Critical infrastructure providers are the primary entities regulated under the CSMA.\u00a0 According to the Executive Yuan, as of February 2025, there are nine designated critical infrastructure sectors: energy, water resources, telecommunications, transportation, banking and finance, hospitals, central and local government, high-technology parks, and food supply.<\/p>\n<p>Each of these critical infrastructure sectors may be governed by specific laws and regulations. \u00a0For example, in the banking and finance sector, the Regulations of Cyber Security Management for Specific Non-Government Agencies under FSC, promulgated by the FSC, govern cybersecurity requirements for the industry. \u00a0Additionally, the Telecommunications Management Act stipulates that telecommunications enterprises which have established a public switched telephone network (PSTN) using telecommunications resources, or other telecommunications enterprises as announced by the competent authority, must formulate and implement an information and communications security maintenance plan. 
\u00a0The specific requirements are further detailed in the Administration Regulations of Cyber Security on Telecommunications Business.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What impact do international cybersecurity standards have on local laws and regulations?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>International cybersecurity standards, such as ISO 27001, NIST SP 800-82, IEC 62443-3-3, and other internationally recognized security standards, are expressly referenced in relevant cybersecurity regulations and government guidelines.<\/p>\n<p>For example, entities subject to the CSMA are classified into different levels (Levels A, B, C, D, and E) under the Regulations on Classification of Cyber Security Responsibility Levels, which are required to fulfil specific cybersecurity responsibilities corresponding to their classification. 
\u00a0The Regulations expressly require that entities classified as Levels A, B, and C obtain certification for their information security management systems in accordance with specified standards, such as CNS 27001 or ISO 27001, or other equivalent systems or standards, or alternatively, systems developed by the government agency itself or approved by the competent authority.<\/p>\n<p>Furthermore, specific cybersecurity obligations differ across industries.\u00a0 For instance, operators in the telecommunications industry are required to obtain ISO\/IEC 27001 and ISO\/IEC 27011 certifications pursuant to the Administration Regulations of Cyber Security on Telecommunications Business.\u00a0 Additionally, the Guidance for Critical Information Infrastructure Security Protection, published by the Executive Yuan, references and recommends international security standards such as NIST SP 800-82, IEC 62443-3-3, and others.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose obligations in the context of cybersecurity incidents? If so, how do such laws define a cybersecurity incident and under what circumstances must a cybersecurity incident be reported to regulators, impacted individuals, law enforcement, or other persons or entities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Pursuant to the CSMA, agencies and entities subject to the CSMA shall report to their supervisory agency or to the competent authority of the industry as applicable when they become aware of a cybersecurity incident (Articles 14 and 18 of the CSMA). 
\u00a0A &#8220;cybersecurity incident&#8221; refers to any incident in which the system or information may have been accessed without authorisation and used, controlled, disclosed, damaged, altered, deleted, or otherwise infringed, affecting the functioning of the information communication system and thereby threatening the cybersecurity policy.<\/p>\n<p>The Regulations on the Notification and Response of Cyber Security Incident further detail the reporting of a cybersecurity incident as required under the CSMA. A \u201cspecified non-government agency\u201d shall report to the central regulator within one hour of becoming aware of the cybersecurity incident and shall complete damage control or recovery of the system within 36 to 72 hours depending on the type of the cybersecurity incident.<\/p>\n<p>When making such a report to the authority, the report must include information such as the time of occurrence and the time the agency became aware of the incident, a description of the incident, an assessment of the risk level, the response measures taken, an evaluation of any external assistance received, and other relevant matters. 
\u00a0There are no specific provisions with regard to exemption from the reporting requirements, and it is not necessary for the authority to make such reports publicly available.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are cybersecurity laws in your jurisdiction typically enforced?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The cybersecurity laws in Taiwan are generally enforced by government agencies themselves (as regulated entities under the CSMA) and by specific non-government agencies (such as critical infrastructure providers) under the supervision of their competent authority.<\/p>\n<p>In particular, the central competent authority responsible for the relevant industry has the power to conduct audits or administrative inspections of specific non-government agencies under its supervision, request information, and issue orders to implement or enhance cybersecurity measures.\u00a0 In the event of non-compliance, the central competent authority may issue corrective orders requiring the specific non-government agency to rectify the deficiencies within a designated period, as well as impose administrative fines.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What powers of oversight \/ inspection \/ audit do regulators have in your jurisdiction under cybersecurity laws.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Pursuant to the CSMA and relevant regulations, the competent authority and the central competent authority responsible for the relevant industry have 
broad powers of oversight, including the authority to require reports, conduct audits, mandate improvement actions, and oversee incident reporting and response by regulated entities under their supervision.<\/p>\n<p>Specifically, critical infrastructure providers are required to submit reports on the implementation of their cybersecurity maintenance plans to the central competent authority for the relevant business purpose. \u00a0The central competent authority responsible for the relevant industry is empowered to audit the implementation of such plans by the critical infrastructure providers under its supervision. \u00a0If deficiencies or areas for improvement are identified in the implementation of cybersecurity maintenance plans, the provider must submit an improvement report to the central competent authority (Article 16 of the CSMA).<\/p>\n<p>For specific non-government agencies other than critical infrastructure providers, the central competent authority in charge of the relevant industry may require such agencies to submit reports on the implementation of their cybersecurity maintenance plans and may also conduct audits of such implementation. 
\u00a0Where deficiencies are found, the central competent authority for the relevant business purpose may require the audited agency to submit an improvement report within a specified period (Article 17 of the CSMA).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violations of cybersecurity laws in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Government officials who fail to comply with the CSMA are subject to discipline or penalty in accordance with the applicable regulations (i.e., the Regulations for Rewards and Penalties Regarding Cybersecurity Matters for Personnel of Government Agencies).<\/p>\n<p>Specific non-government agencies may be ordered to take corrective measures by a certain deadline or be subject to an administrative fine ranging from NT$100,000 to NT$1,000,000 for failure to comply with the obligations to:<\/p>\n<ol style=\"padding-left: 0\">\n<li>stipulate, revise or implement the cybersecurity management plan;<\/li>\n<li>submit a report on implementation of the cybersecurity maintenance plan;<\/li>\n<li>submit the improvement reports;<\/li>\n<li>stipulate the reporting and response mechanisms for cybersecurity incidents;<\/li>\n<li>submit the cybersecurity investigation, handling and improvement reports regarding cybersecurity incidents; and<\/li>\n<li>comply with the report requirements under the Regulations on the Notification and Response of Cyber Security Incident.<\/li>\n<\/ol>\n<p>Fines may be imposed consecutively until corrective measures are taken (Article 20 of the CSMA).<\/p>\n<p>Specific non-government agencies are subject to an administrative fine ranging from NT$300,000 to NT$5,000,000 for failure to comply with the obligations to report a cybersecurity incident (Article 21 of the CSMA).<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any guidelines or rules published regarding the calculation of such fines or thresholds for the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>So far, no rules or clear guidelines have been published regarding fines as mentioned above under the CSMA. The central competent authority generally has discretionary power with respect to the amount of fines imposed.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? 
If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The enforcement decisions imposed by the central competent authority as mentioned above may be appealed in accordance with the general procedures for administrative remedies under Taiwan law, such as the Administrative Appeal Act and the Administrative Litigation Act.<\/p>\n<p>Generally, administrative dispositions imposed by the administrative agency can be appealed to its supervisory agency. \u00a0If the supervisory agency does not rule in favour of the appellant, the appellant may further initiate administrative litigation before the Administrative High Court seeking revocation of such a decision. \u00a0The judgment rendered by the Administrative High Court may be appealed to the Supreme Administrative Court, whose judgment would be final and binding if it does not revoke the Administrative High Court\u2019s judgment.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any identifiable trends or regulatory priorities in enforcement activity in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The requirements for corporate cybersecurity management in Taiwan are expected to become more stringent. 
As mentioned above, the CSMA has not been amended since its initial enactment in 2018.\u00a0 In response to increasingly severe cyber threats, Taiwanese society has urged the government to advance the revisions to the current CSMA, as well as to strengthen the overall cybersecurity regulatory regime.\u00a0 At present, the Draft Amendments to the CSMA are under review and deliberation by the legislature.\u00a0 The potential implications of these amendments are worth monitoring.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\r\n<div class=\"word-count-hidden\" style=\"display:none;\">Estimated word count: <span class=\"word-count\">10652<\/span><\/div>\r\n\r\n\t\t\t<\/ol>\r\n\r\n<script type=\"text\/javascript\" src=\"\/wp-content\/themes\/twentyseventeen\/src\/jquery\/components\/filter-guides.js\" async><\/script><\/div>"}},"_links":{"self":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide\/109430","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide"}],"about":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/types\/comparative_guide"}],"wp:attachment":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/media?parent=109430"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}