{"id":140796,"date":"2026-04-24T14:42:52","date_gmt":"2026-04-24T14:42:52","guid":{"rendered":"https:\/\/my.legal500.com\/guides\/?post_type=comparative_guide&#038;p=140796"},"modified":"2026-04-24T14:42:52","modified_gmt":"2026-04-24T14:42:52","slug":"taiwan-data-protection-cybersecurity","status":"publish","type":"comparative_guide","link":"https:\/\/my.legal500.com\/guides\/chapter\/taiwan-data-protection-cybersecurity\/","title":{"rendered":"Taiwan: Data Protection &amp; Cybersecurity"},"content":{"rendered":"","protected":false},"template":"","class_list":["post-140796","comparative_guide","type-comparative_guide","status-publish","hentry","guides-data-protection-cybersecurity","jurisdictions-taiwan"],"acf":[],"appp":{"post_list":{"below_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Lee and Li, Attorneys-at-Law<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2019\/12\/Firm-Logo-1.jpg\"\/><\/span><\/div>"},"post_detail":{"above_title":"<div class=\"guide-author-details\"><span class=\"guide-author\">Lee and Li, Attorneys-at-Law<\/span><span class=\"guide-author-logo\"><img src=\"https:\/\/my.legal500.com\/guides\/wp-content\/uploads\/sites\/1\/2019\/12\/Firm-Logo-1.jpg\"\/><\/span><\/div>","below_title":"<span class=\"guide-intro\">This country specific Q&amp;A provides an overview of Data Protection &amp; Cybersecurity laws and regulations applicable in Taiwan<\/span><div class=\"guide-content\"><div class=\"filter\">\r\n\r\n\t\t\t\t<input type=\"text\" placeholder=\"Search questions and answers...\" class=\"filter-container__search-field\">\r\n\t\t\t<\/div>\r\n\r\n\t\t\t\r\n\r\n\r\n\t\t\t<ol class=\"custom-counter\">\r\n\r\n\t\t\t\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please provide an overview of the legal and regulatory framework governing data protection, 
privacy and cybersecurity in your jurisdiction (e.g., a summary of the key laws; who is covered; what sectors, activities or data do they regulate; and who enforces the relevant laws).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Data protection and privacy<\/p>\n<p>The Personal Data Protection Act (&#8220;PDPA&#8221;) is the principal legislation governing data protection in Taiwan. The PDPA regulates the collection, processing, and use of personal data by both government agencies and non-government agencies, including legal persons, organizations, and natural persons in the private sector. The Enforcement Rules of the Personal Data Protection Act (&#8220;Enforcement Rules of the PDPA&#8221;) provide further guidance on the interpretation and implementation of the PDPA.<\/p>\n<p>Originally enacted in 1995, the PDPA underwent significant amendments and was renamed in 2010, with the amendments taking effect in 2012. The PDPA\u2019s framework is largely modeled after the European Union\u2019s Directive 95\/46\/EC, which served as a key reference for the 2010 amendments.<\/p>\n<p>In response to numerous data breaches and leaks and to address the rulings set forth by the Constitutional Court\u2019s judgment dated August 12, 2022 (Ref. No. 111-Shien-Pan-13), which mandated the establishment of an independent supervisory mechanism for personal data protection, the PDPA was further amended on May 16, 2023. This amendment represents the current effective version of the PDPA.<\/p>\n<p>In addition to the PDPA and its Enforcement Rules of the PDPA, certain central competent authorities have promulgated industry-specific regulations concerning data security within their respective sectors. 
Other statutes also address personal data protection, such as the Banking Act (with respect to customer information held by banks) and the Financial Holding Company Act, which governs the sharing of customer information between a financial holding company and its subsidiaries for joint marketing purposes.<\/p>\n<p>Enforcement of the PDPA is currently administered by various ministries, commissions, and local governments. To address enforcement challenges arising from this decentralized approach and to comply with the Constitutional Court\u2019s requirement to establish an independent supervisory authority by August 2025, Article 1-1 of the 2023 amended PDPA designates the Personal Data Protection Commission (&#8220;PDPC&#8221;) as the competent authority for the PDPA, consolidating enforcement powers previously dispersed among different agencies. The Preparatory Office of the PDPC was established on December 5, 2023, and assumed responsibility for interpreting the PDPA from the National Development Council (&#8220;NDC&#8221;) as of January 1, 2024.<\/p>\n<p>The PDPA was partially amended on November 11, 2025, with the effective date of these amendments (the &#8220;2025 Amendments&#8221;) to be determined by the Executive Yuan upon the establishment of the PDPC. In the meantime, the Preparatory Office of the PDPC is drafting subordinate regulations to facilitate the implementation of the 2025 Amendments as part of its preparation efforts. The future regulatory framework, including the interaction between the PDPC and sectoral regulators following the formal establishment of the PDPC, is worth monitoring.<\/p>\n<p>Cybersecurity<\/p>\n<p>The Cybersecurity Management Act (&#8220;CSMA&#8221;), the Enforcement Rules of the Cybersecurity Management Act (&#8220;Enforcement Rules of the CSMA&#8221;), as well as other regulations promulgated under the CSMA, are the primary laws and regulations governing cybersecurity law matters in Taiwan. 
The CSMA governs the management of information and communications security by government agencies and certain non-government agencies, including critical infrastructure providers, public utilities, and government-sponsored foundations. The Enforcement Rules of the CSMA further elaborate on the definitions, requirements, and key terms of the CSMA.<\/p>\n<p>Pursuant to the CSMA and the relevant regulations, such as the Regulations for Classification of Cybersecurity Responsibility, cybersecurity responsibilities are categorized into five levels (Levels A through E). Each regulated entity must meet the cybersecurity responsibilities corresponding to its level, with regard to management, technical measures, and awareness and training.<\/p>\n<p>Under the CSMA, the Executive Yuan (the executive branch of the Taiwan government) is designated as the competent authority. In August 2022, the Executive Yuan set up the Ministry of Digital Affairs (&#8220;MODA&#8221;), which now serves as the central authority for cybersecurity matters. Under the MODA, the Administration for Cyber Security (&#8220;ACS&#8221;) and the Administration for Digital Industries were established. The ACS, in collaboration with the National Institute of Cyber Security (&#8220;NICS&#8221;, a non-departmental public body under MODA\u2019s supervision), is responsible for formulating national cybersecurity policies, promoting cybersecurity programs, designating critical infrastructure providers, coordinating among competent authorities of nine major sectors, enhancing the national cybersecurity defense system, improving incident reporting and response mechanisms, assisting agencies with compliance, and fostering cybersecurity talent and awareness nationwide.<\/p>\n<p>For government agencies, the regulator is the competent authority at the next higher level, which supervises the formulation, revision, and implementation of the agency\u2019s cybersecurity maintenance plan. 
For specified non-governmental agencies, the regulator is the central competent authority for the relevant industry. For example, the Financial Supervisory Commission (&#8220;FSC&#8221;) is the regulator for insurance companies, securities firms, and futures commission merchants. The central competent authority is authorized by the CSMA to promulgate rules requiring companies within the industry to establish, revise, and implement their cybersecurity maintenance plans.<\/p>\n<p>The CSMA was amended on September 24, 2025, and took effect on December 1, 2025. In accordance with the relevant amendments to the CSMA, the MODA has also completed revisions to several related subordinate regulations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any expected changes in the data protection, privacy or cybersecurity landscape in 2025 - 2026 (e.g., new laws or regulations coming into effect, enforcement of such laws and regulations, expected regulations or amendments)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>It is anticipated that between 2025 and 2026, Taiwan will undergo a series of significant regulatory changes and enhanced enforcement measures in these areas, aiming to build a more secure digital environment and align with international trends.<\/p>\n<h4>Formal Establishment of an Independent Supervisory Authority and Reform of the PDPA<\/h4>\n<p>As mentioned above, in May 2023, Taiwan\u2019s legislature passed amendments to the PDPA, formally establishing the Personal Data Protection Commission (&#8220;PDPC&#8221;) as a dedicated regulator. The Preparatory Office of the PDPC was established in December 2023, and the PDPC is expected to officially begin operations in the near future. 
The PDPA was further amended in 2025 with a focus on defining the PDPC&#8217;s regulatory role and powers as well as its inter-relationship with other sectoral regulators.<\/p>\n<p>Key amendments to the PDPA include:<\/p>\n<ul>\n<li>Establishment of the PDPC: The creation of this independent body aims to strengthen the supervision and enforcement of personal data protection. In the future, the PDPC will serve as the centralized regulatory body for the PDPA. Under the 2025 Amendments, the PDPC may request the Executive Yuan to designate certain private entities that, within six years following the establishment of the PDPC, shall continue to be regulated by their respective central sectoral regulators or municipal and county\/city governments with respect to certain matters under the PDPA.<\/li>\n<li>Direct Administrative Litigation against the PDPC\u2019s Decisions: As an independent agency, the PDPC is not subject to the direction or supervision of any other authority, except as otherwise provided by law. Accordingly, any challenge to an administrative act taken by the PDPC under the PDPA must be brought directly through administrative litigation procedures.<\/li>\n<li>Strengthening Data Breach Notification Obligations: The PDPA as it stood prior to the 2025 Amendments does not explicitly require notification of data breaches to government authorities. 
The 2025 Amendments expressly mandate that data breach incidents meeting specified reporting criteria must be reported to the government.<\/li>\n<li>Amendments to Administrative Inspection Regulations: The 2025 Amendments introduce detailed procedures for administrative inspections, clarifying that such inspections will be initiated at the discretion of the PDPC, which will coordinate with central competent authorities and local agencies to conduct these inspections.<\/li>\n<li>Promotion of the Data Protection Officer System in the Public Sector: The new legislation requires government agencies to appoint a so-called Personal Data Protection Officer (&#8220;PDPO&#8221;) and designate personnel responsible for overseeing the implementation of internal data protection measures.<\/li>\n<\/ul>\n<h4>Revision of the Cybersecurity Management Act and Strengthening of National Overall Protection<\/h4>\n<p>To address the increasingly severe cyber threats, the CSMA was amended on September 24, 2025, and took effect on December 1, 2025. 
In accordance with the relevant amendments to the CSMA, the MODA has also completed revisions to several related subordinate regulations.<\/p>\n<p>Major amendments include:<\/p>\n<ul>\n<li>Clarification of Competent Authorities and Responsibilities: The MODA and its subordinate ACS are clearly designated as the competent authorities for the CSMA, responsible for the overall planning and promotion of national cybersecurity.<\/li>\n<li>Expansion of Audit Scope and Enhancement of Supervision: The MODA has the authority to conduct regular or irregular audits of the implementation of cybersecurity maintenance plans by government agencies and specific non-government agencies (such as critical infrastructure providers).<\/li>\n<li>Introduction of Restrictions on Products Endangering National Cybersecurity: Regulations have been introduced to restrict the download, installation, or use of products that may endanger national cybersecurity.<\/li>\n<li>Requiring the Appointment of Chief Information Security Officers (CISOs) and Dedicated Personnel: Specific non-government agencies are required to appoint a CISO and dedicated cybersecurity personnel to strengthen their cybersecurity governance.<\/li>\n<li>Clarification of the Relationship with the PDPA: The amendments introduce a new provision addressing the interaction with the PDPA. 
In the event that an information security incident involves the leakage of personal data, government agencies and specific non-government agencies shall also handle the matter in accordance with the PDPA and relevant laws and regulations.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any identifiable trends or regulatory priorities in privacy, data protection and\/or cybersecurity-related enforcement activity in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes. To facilitate the implementation of the 2025 Amendments, the Preparatory Office of the PDPC announced several draft sub-regulations in early 2026 for public consultation, indicating the future focus of regulatory enforcement:<\/p>\n<ul>\n<li><strong>Enhancement of Security Maintenance Obligations<\/strong>: Under the &#8220;Draft Regulations Governing Security Maintenance and Management of Personal Data Files,&#8221; all non-government agencies must comply with &#8220;common&#8221; security maintenance standards and establish a mechanism for lifecycle management of personal data. 
These measures include periodic inventory of personal data and delineation of management scope; notification, reporting, and contingency mechanisms; personnel security management; education and training; security management of equipment and information systems; and deletion or destruction of personal data upon business termination.<\/li>\n<li><strong>Standardized Incident Reporting Mechanism:<\/strong> According to the &#8220;Draft Regulations Governing the Notification, Reporting, and Contingency Measures for Personal Data Incidents,&#8221; enterprises must notify affected data subjects within 72 hours of becoming aware of a personal data breach or incident. Furthermore, if the incident involves special category personal data, involves systems that maintain over 10,000 entries, or affects 100 or more data subjects, the enterprise must also report the incident to the PDPC within 72 hours.<\/li>\n<li><strong>Personal Data Protection Officer System<\/strong>: Under the &#8220;Draft Regulations Governing the Functions, Qualifications, and Training of Personal Data Protection Officers and Related Personnel,&#8221; government agencies will be required to appoint a qualified Personal Data Protection Officer (DPO) to oversee and promote internal personal data protection affairs.<\/li>\n<li><strong>Administrative Inspection Framework:<\/strong> The &#8220;Draft Non-Government Agencies Inspection Regulations&#8221; stipulate that authorities must provide at least one month\u2019s written notice prior to an administrative inspection. 
Selection for inspection is based on factors such as the scale of the non-government agency and the volume of personal data it maintains.<\/li>\n<li><strong>Competent Authorities During the Transition Period:<\/strong> The &#8220;Draft List of Non-Government Agencies Under the Jurisdiction of the Central Government Authorities in Charge of the Industries Concerned, Special Municipal Governments and County (City) Governments Specified in Paragraph 1 of Article 51-1 of the Personal Data Protection Act&#8221; designates the non-government agencies to be governed by sector-specific competent authorities or local governments during the six-year transition period. Any non-government agency not included in this prescribed list shall fall under the direct supervision of the PDPC.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any registration or licensing requirements for entities covered by these data protection and cybersecurity laws, and if so what are the requirements? Are there any exemptions? What are the implications of failing to register \/ obtain a licence?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the PDPA, there is generally no mandatory licensing or registration requirement for the collection, processing or use of personal data. However, entities are required to implement data security measures, including internal management systems and appropriate technical safeguards. Organizations operating in highly regulated sectors may be subject to sector-specific registrations or compliance obligations imposed by their respective regulators. 
For example, the FSC has established detailed guidelines and regulations regarding information systems, data security, and customer data protection for financial institutions. The launch of certain businesses may require FSC&#8217;s approval, which can include an assessment of their data processing and cybersecurity capabilities.<\/p>\n<p>Under the CSMA, critical infrastructure providers, such as entities operating in sectors like finance, telecommunications, and energy, are subject to additional regulatory requirements. These entities must report cybersecurity incidents to the relevant authorities, establish internal cybersecurity maintenance plans, and participate in regular audits. While explicit licensing or registration as a critical infrastructure provider may not always be mandatory, such entities must formally acknowledge their designation as a critical infrastructure provider and adhere to regulatory standards and reporting requirements set forth by competent authorities.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What does \u201cpersonal data,\u201d \u201cpersonal information\u201d or other equivalent terms (hereafter \u201cpersonal data\u201d) mean under data protection laws in your jurisdiction? Does the definition broadly include information about all individuals? For example, would this include individuals acting in a personal or household capacity, as well as those acting in a business or commercial capacity (such as on behalf of a business or corporate entity or employer) or otherwise?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the PDPA, personal data is broadly defined as any information relating to a natural person that enables the direct or indirect identification of that individual. 
The PDPA provides a non-exhaustive list of examples, including a person\u2019s name, date of birth, national identification number, passport number, physical characteristics, fingerprints, marital status, family background, educational history, occupation, contact details, financial information and social activities, as well as any other information that is capable of identifying the individual, whether on a standalone basis or in combination with other data.<\/p>\n<p>Accordingly, the scope of personal data under the PDPA is not confined to information arising in a private or consumer context. Rather, it extends to information relating to all natural persons, irrespective of the capacity in which they are acting, provided that such information pertains to them as identifiable individuals. In this regard, personal data may encompass information relating to individuals acting in a business, professional or commercial capacity, including directors, employees and representatives, to the extent that such information enables, or is capable of enabling, their identification. Note that the PDPA provides certain exemptions from its applicability. For example, the PDPA does not apply when an individual collects, processes, or uses personal data solely for personal or household activities.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are certain types of personal data considered more sensitive or highly regulated under data protection laws in your jurisdiction?  
Please include the relevant defined terms for such data (e.g., \u201cspecial categories of personal data,\u201d \u201csensitive data\u201d or \u201csensitive personal information\u201d)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under Taiwan\u2019s PDPA, certain categories of personal data are subject to a heightened level of protection and are commonly referred to as \u201cspecial category personal data\u201d. While the PDPA does not expressly define \u201cspecial category personal data\u201d, Article 6 of the Act designates specific types of information as falling within this category, including medical records, medical treatment, genetic data, sex life, health examination results and criminal records. As a general rule, and unless a statutory exception applies, the collection, processing and use of such data is prohibited.<\/p>\n<p>The Enforcement Rules of the PDPA provide further clarification as to the scope of these categories. By way of illustration, \u201csex life\u201d is interpreted to include information relating to an individual\u2019s sexual orientation or sexual practices, while \u201ccriminal records\u201d encompass, among others, records of deferred prosecutions, ex officio non-indictments, as well as final and binding criminal judgments and their enforcement.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What principles apply to the processing of personal data in your jurisdiction? For example: is it necessary to establish a \u201clegal basis\u201d for processing personal data?; are there specific transparency requirements?; must personal data only be kept for a certain period? 
Please provide details of such principles.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><ul>\n<li><strong>Transparency<\/strong>: Pursuant to the PDPA, a government or non-government agency is required to notify the data subject of the matters specified under Articles 8 or 9 of the PDPA. Such notification generally includes: (i) the identity of the government or non-government agency; (ii) the purposes for which the personal data is collected; (iii) the categories of personal data collected; (iv) the duration, location, and method of use, as well as the persons who may use the data; (v) the rights of the data subject and the procedures for exercising such rights; (vi) the consequences of failing to provide the required personal data; and (vii) the source from which the government or non-government agency obtained the personal data, in cases of indirect collection.<\/li>\n<li><strong>Lawful Basis for Processing:<\/strong> For government agencies, the lawful bases for processing personal data include: (i) processing as provided by law; (ii) obtaining the consent of the data subject; and (iii) processing that does not infringe upon the rights or interests of the data subject. 
For non-government agencies, the lawful bases for processing include: (i) processing as provided by law; (ii) the existence or negotiation of a contract with the data subject, provided that appropriate security measures have been adopted; (iii) processing of data that has entered the public domain due to disclosure by the data subject or legitimate publication; (iv) processing necessary for statistical or academic research by an academic research institution in the public interest, provided that any information sufficient to identify the data subject has been removed; (v) obtaining the consent of the data subject; (vi) processing necessary for the advancement of public interest; (vii) processing of data collected from publicly available sources, unless the interests of the data subject take precedence over those of the non-government agency; and (viii) processing that does not infringe upon the rights or interests of the data subject.<\/li>\n<\/ul>\n<p>Article 6 of the PDPA prohibits the processing of special category personal data except in the following circumstances: (i) where processing is provided by law; (ii) where processing is necessary for a government agency to perform its statutory duties or for a non-government agency to fulfill legal obligations, and appropriate security measures have been or will be adopted; (iii) where the data has entered the public domain due to disclosure by the data subject or legitimate publication; (iv) where processing is necessary for statistical or academic research by a government agency or academic research institution for medical, health, or crime-prevention purposes, provided that any information sufficient to identify the data subject has been removed; (v) where processing is necessary to assist a government agency in performing its statutory duties or a non-government agency in fulfilling legal obligations, and appropriate security measures have been or will be adopted; or (vi) where the written consent of the data 
subject has been obtained, provided that processing remains prohibited if it exceeds the necessary scope of the specified purpose(s), is otherwise prohibited by law, or if the consent was obtained against the data subject\u2019s will.<\/p>\n<ul>\n<li><strong>Purpose Limitation:<\/strong> The collection of personal data must be for one or more specific purposes, and the use of such data must be confined to the necessary extent of those purposes. Any use beyond this scope requires an additional legal basis in accordance with the PDPA.<\/li>\n<li><strong>Data Minimization:<\/strong> While the PDPA does not prescribe explicit data minimization requirements, Article 5 stipulates that the collection, processing, and use of personal data must not exceed the necessary extent of the purpose(s) for which the data was collected, and must be reasonably and justifiably related to such purpose(s).<\/li>\n<li><strong>Proportionality<\/strong>: The principle of proportionality under the PDPA aligns with data minimization. Furthermore, the PDPA mandates that government and non-government agencies implement appropriate security measures to prevent personal data from being stolen, altered, damaged, destroyed, lost, or leaked. The Enforcement Rules of the PDPA specify certain technical and organizational measures that may be adopted, based on the principle of proportionality, considering the nature and volume of the personal data involved.<\/li>\n<li><strong>Retention<\/strong>: Neither the PDPA nor the Enforcement Rules of the PDPA specify a particular retention period for personal data. 
The PDPA requires government and non-government agencies to delete or cease processing or using personal data voluntarily, or upon the request of the data subject, when the purpose(s) for which the data was collected no longer exist(s) or the retention period has expired, unless: (i) processing is necessary for the performance of statutory duties or business operations; or (ii) the data subject has provided written consent. The Enforcement Rules of the PDPA further provide that retention of personal data will be deemed necessary for the performance of a government agency\u2019s statutory duties or a non-government agency\u2019s business operations if: (i) the statutory or agreed retention period has not yet expired; (ii) deletion would be detrimental to the data subject\u2019s interests; or (iii) there exists any other legitimate reason for retention.<\/li>\n<li><strong>Accuracy<\/strong>: Government and non-government agencies are obligated to ensure the accuracy of personal data and to correct or supplement such data voluntarily or upon the request of the data subject. If the failure to provide accurate personal data is attributable to a government or non-government agency, the agency must notify the recipients of the data as soon as the data is corrected or supplemented.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any circumstances for which consent is required or typically obtained in connection with the processing of personal data? What are the rules relating to the form, content and administration of such consent? 
For instance, can consent be implied, incorporated into a broader document (such as a terms of service) or bundled with other matters (such as consents for multiple processing operations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As previously addressed, obtaining the data subject\u2019s consent constitutes one of the principal legal bases for the collection, processing, and use of personal data. Explicit consent is generally required where none of the other legal bases (such as a contractual relationship) are applicable. This requirement is particularly significant in relation to the collection, processing, or use of special category personal data, which is generally prohibited under the PDPA. In such cases, written consent from the data subject serves as one of the primary exceptions permitting non-government agencies to collect special category data from data subjects.<\/p>\n<h4>Form and Content of Consent<\/h4>\n<p>The PDPA mandates that consent must be informed, meaning the data subject must be provided with all information required under the PDPA for a privacy notice, either prior to or at the time of data collection.<\/p>\n<p>Except in the case of special category data, the PDPA does not prescribe a specific form for consent (e.g., written, oral, or electronic); however, the consent must be explicit and based on sufficient information. Written consent is generally advisable, particularly as it is a statutory requirement for special category data or in circumstances where the burden of proof regarding the existence of consent may arise in relation to general personal data.<\/p>\n<h4>Administration of Consent<\/h4>\n<p>The data collector bears the burden of proof to demonstrate that valid consent from the data subject has been obtained. 
Accordingly, it is recommended that records be maintained to evidence that such consent was duly acquired.<\/p>\n<p>&nbsp;<\/p>\n<h4>Bundling and Incorporation<\/h4>\n<p>Implied consent is typically insufficient under the PDPA. However, if the data subject, after being duly informed via the required privacy notice, does not object and actively provides their personal data, such conduct may be deemed to constitute presumed consent. In all cases, consent should be explicit and based on clear, adequate information provided to the data subject.<\/p>\n<p>&nbsp;<\/p>\n<p>Consent may be incorporated into broader documents (such as terms of service), provided that the consent provisions are clearly distinguishable and the data subject is adequately informed. Nevertheless, consent should not be bundled in a manner that makes it a prerequisite for unrelated services, as such practice may not satisfy the requirement that consent be \u201cfreely given.\u201d<\/p>\n<p>The content and scope of personal data consent must be clearly and explicitly specified. In particular, where there is any intended use beyond the original purpose of collection, such as for marketing purposes, separate consent from the data subject must be obtained, and such consent may not be bundled with the consent for the original collection purpose.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What special requirements, if any, are required for processing particular categories of personal data (e.g., health data, children\u2019s data, special category or sensitive personal data, etc.)? 
Are there any prohibitions on specific categories of personal data that may be collected, disclosed, or otherwise processed?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Article 6 of the PDPA imposes strict regulations on the collection, processing, and use of \u201cspecial category personal data\u201d (sensitive personal data), which includes information such as medical history, medical treatment, genetic data, sex life, health examination results, and criminal records.<\/p>\n<p>As a general rule, the collection, processing, and use of such data are prohibited. However, exceptions exist where such activities are explicitly authorized by law, such as in the case of health examinations for employees, or when public agencies are performing their statutory duties. Non-government agencies may also process such data within the necessary scope to fulfill legal obligations, provided that appropriate security measures are implemented before or after processing. Additionally, processing may be permitted for purposes such as promoting the public interest, when the data subject has made the information public or voluntarily revealed it, or with the data subject\u2019s written consent. These exceptions are subject to strict compliance with the relevant legal requirements to ensure the protection of sensitive personal data.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction have special or particular requirements, restriction, or rules regarding the collection, use, disclosure or processing of personal information from or about children or minors?  
If so, what is the age threshold and key requirements\/restrictions that go beyond those applicable, generally?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA does not prescribe specific requirements, restrictions or separate regulatory rules in relation to the processing of personal data of children or minors. Accordingly, the provisions of the PDPA apply equally to minors.<\/p>\n<p>However, where the consent of the data subject is required, the manner in which such consent is obtained may differ depending on the age of the individual concerned. In the case of minors under the age of seven, consent must be provided by their parent(s) or legal guardian. For individuals aged seven or above but under the age of eighteen, consent must, in principle, either be given by, or obtained with the approval of, their parent(s) or legal guardian.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction include any derogations, exemptions, exclusions or limitations other than those already described? If so, please describe the relevant provisions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Natural persons who collect, process, or use personal data solely for personal or family activities are, in principle, not subject to the provisions of the PDPA. 
Furthermore, audio-visual data collected, processed, or used in public places or during public activities, which is not combined with other personal data, may, under certain circumstances, be exempt from the application of the PDPA.<\/p>\n<p>For specific purposes such as academic research or statistical analysis, where personal data has been processed so that no specific individual can be identified, certain provisions of the PDPA may not apply.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Does your jurisdiction require or recommend privacy risk or impact assessments in connection with personal data processing activities and, if so, under what circumstances? How are these assessments typically carried out?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Currently, Taiwan does not legally require a data protection impact assessment similar to that mandated by the EU GDPR. 
However, Article 12 of the Enforcement Rules of the PDPA obliges personal data holders to implement &#8220;proper security and maintenance measures,&#8221; which include establishing mechanisms for risk assessment and management of personal data.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any specific codes of practice, or self-regulatory codes applicable in your jurisdiction regarding the processing of personal data (e.g., codes of practice for processing children\u2019s data or health data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Article 12 of the Enforcement Rules of the PDPA requires personal data holders to implement &#8220;proper security and maintenance measures,&#8221; which include establishing mechanisms for the prevention, notification, and response to data breaches.<\/p>\n<p>Although there is no separate code specifically governing children\u2019s data, the provisions of the Personal Data Protection Act apply equally to minors. For children below a certain age, consent must be obtained from their parents or legal guardians. Organizations are encouraged to adopt additional safeguards when processing children\u2019s data, although such measures are not mandated by a specific code of practice.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are organisations required to maintain any records of their data processing activities or establish internal processes or written documentation? 
If so, please describe how businesses typically meet such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Pursuant to Article 27 of the currently effective PDPA, non-government agencies that possess personal data files are required to implement appropriate security measures to prevent the theft, alteration, damage, destruction, or disclosure of personal data. Accordingly, central government authorities have issued sector-specific data protection regulations and have mandated that certain non-government agencies establish security and maintenance plans for the protection of personal data files, as well as procedures for the disposal of personal data upon business termination. These data protection regulations generally require businesses to include, among others, measures or processes related to the preservation of usage records, log files, and relevant evidence in their security and maintenance plans.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically impose data retention limitations? If so, please describe such requirement(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>According to Paragraph 3, Article 11 of the PDPA, when the specific purpose of collecting personal data no longer exists or the statutory retention period expires, a non-government agency must, voluntarily or upon the request of the data subject, delete or cease processing or using the personal data. 
However, exceptions may apply if the processing is necessary for the performance of business operations or if the data subject has provided written consent.<\/p>\n<p>In practice, sector-specific laws prescribe varying data retention periods across different industries. For example, under Article 70 of the Medical Care Act, medical institutions must retain medical records for at least seven years; under Article 7 of the Labor Standards Act, employers must retain the worker record card for at least five years following an employee&#8217;s resignation. When formulating a data lifecycle management policy, non-government agencies should prioritize compliance with the provisions of these sector-specific laws.<\/p>\n<p>The &#8220;Draft Regulations Governing Security Maintenance and Management of Personal Data Files&#8221; require non-government agencies to establish standard operating procedures for deleting personal data upon business termination. These procedures include implementing proper deletion measures to make the data unreadable and keeping records of these deletions.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Under what circumstances is it required or recommended to consult with the applicable data protection regulator(s)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Although the PDPA currently does not explicitly mandate consultation, the 2025 Amendments expressly mandate that data breach incidents meeting specified reporting criteria must be reported to the government.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require the 
appointment of a data protection officer, chief information security officer, or other person responsible for data protection? If so, what are their legal responsibilities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under Article 18 of the PDPA, government agencies are required to designate dedicated personnel to be responsible for matters concerning security maintenance. In contrast, the PDPA does not impose a corresponding obligation on a non-government agency to appoint a data protection officer or an equivalent role. Nevertheless, specific sector-specific personal data protection regulations, such as the Regulations Governing Security Maintenance for Personal Data Files of Non-Government Agencies Designated by the Financial Supervisory Commission (&#8220;Financial Industry Security Maintenance Regulations&#8221;) and the Regulations Governing Security Maintenance and Management of Personal Data Files for Digital Economy Business (&#8220;Digital Business Security Maintenance Regulations&#8221;), may impose an obligation on operators to designate personnel responsible for implementing security maintenance plans.<\/p>\n<p>As mentioned above, under Article 18 of the 2025 Amendments, the provision will be revised to introduce a mandatory requirement for government agencies to appoint a PDPO. The PDPO will promote and oversee personal data protection measures within the respective agency.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require or recommend employee training related to data protection? 
If so, please describe such training requirement(s) or recommendation(s).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA does not currently impose an express obligation on either government agencies or non-government agencies to provide personnel with personal data protection education and training. Sector-specific personal data protection regulations, however, require operators to conduct regular awareness campaigns and training programs. Such programs must address statutory obligations, define the scope of personnel responsibilities, and outline the requirements of applicable security maintenance plans, among other relevant topics.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction require controllers to provide notice to data subjects of their processing activities? 
If so, please describe such notice requirement(s) (e.g., posting an online privacy notice).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As mentioned above, pursuant to Article 8 of the PDPA, where personal data is collected directly from the data subject, the collecting entity must, at the time of collection or prior thereto, clearly inform the data subject of the following: (1) the name of the agency; (2) the purpose of the data collection; (3) the categories of data to be collected; (4) the duration, geographic scope, recipients, and methods of data use; (5) the rights available to the data subject under Article 3 of the PDPA and the procedures for exercising those rights; and (6) where the provision of personal data is voluntary, the potential impact on the data subject\u2019s rights and interests should the data not be provided.<\/p>\n<p>Additionally, pursuant to Article 9 of the PDPA, if personal data is collected indirectly, such as through a third party, the collecting entity must, before processing or use, inform the data subject of the information above and, in addition, disclose the source from which the personal data was obtained.<\/p>\n<p>In practice, these notification obligations are commonly discharged through the issuance of a privacy policy.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction distinguish between the responsibilities of \u201ccontrollers\u201d and those of \u201cprocessors\u201d (or equivalent terms) of personal data? 
If so, how are such terms defined and what are the key distinctions between the obligations of controllers and processors (or equivalent terms)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA does not expressly adopt the term &#8220;controller&#8221;; however, it incorporates functionally equivalent concepts. In particular, the PDPA distinguishes between government agencies and non-government agencies in identifying the entities responsible for the collection, processing and use of personal data. The term &#8220;non-government agency&#8221; is defined broadly and encompasses any natural person, legal entity or unincorporated association that does not qualify as a government agency.<\/p>\n<p>Similarly, the PDPA does not utilize the term &#8220;processor&#8221;, although it recognizes comparable roles in practice. Where a person or entity collects, processes or uses personal data on behalf of another party, such person or entity is subject to regulatory obligations analogous to those typically associated with &#8220;processors&#8221; under the GDPR, albeit subject to a comparatively less stringent regulatory framework.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Please describe any restrictions on monitoring, automated decision-making or profiling in your jurisdiction, including through the use of tracking technologies such as cookies. How are these or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><ul>\n<li><strong>Monitoring<\/strong>: The PDPA does not contain specific provisions or definitions governing &#8220;monitoring&#8221; activities. 
Rather, monitoring is regulated across various areas of law. For instance, the Constitution guarantees the right to privacy, and monitoring electronic communications, such as telephone conversations, generally requires the issuance of a surveillance warrant in accordance with the Communication Security and Surveillance Act.<\/li>\n<li><strong>Automated Decision-Making and Profiling:<\/strong> The PDPA does not currently provide any regulatory framework or definitions concerning automated decision-making or profiling.<\/li>\n<li><strong>Cookies and Other Tracking Technologies:<\/strong> While there is no specific legislation dealing with or defining cookies under Taiwan law, where data collected through cookies (alone or when combined with other information) can identify a specific individual, such data constitutes personal data within the meaning of the PDPA. In such cases, the collection and use of this data must comply with the requirements of the PDPA, including the establishment of a legal basis (Article 19), compliance with notification obligations (Article 8), and the limitations on use (Article 20). The same principles apply to other tracking technologies in determining whether the data collected falls within the scope of personal data under the PDPA.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the laws in your jurisdiction include specific rules, requirement or regulator guidance regarding the use of cookies, pixels, online tracking and\/or targeted advertising? Please describe any restrictions on targeted advertising and\/or cross context behavioral advertising. 
How are these terms or any similar terms defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Taiwan currently has no specific legislation regulating cookies, pixel tracking, online behavioral tracking, or targeted advertising. Furthermore, no competent authority has issued legally binding, specific guidelines regarding these technologies.<\/p>\n<p>However, once the operation of the aforementioned technologies involves the collection, processing, or use of personal data, it falls under the regulatory framework of the PDPA and must comply with the regulatory requirements, including establishing a specific purpose supported by a legal basis, fulfilling notification obligations, and adhering to use limitations, which, according to Article 20 of the PDPA, means the use shall not exceed the scope of the &#8220;specific purpose&#8221; specified at the time of collection.<\/p>\n<p>In targeted or behavioral advertising, if ad delivery uses a data subject&#8217;s personal data, it is generally considered a use of personal data. Enterprises must ensure the advertising purpose aligns with the original data collection&#8217;s specific purpose. If the advertising purpose exceeds the original specific purpose, the enterprise must obtain the data subject&#8217;s explicit and separate consent or meet other statutory exemptions under Article 20 of the PDPA.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically restrict or regulate  the \u201csale\u201d of personal data and\/or \u201cdata brokers\u201d? 
How is \u201csale\u201d and\/or \u201cdata broker\u201d or (similar\/related terms) defined?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA does not specifically define &#8220;sale of personal data&#8221; or provide independent regulatory chapters for &#8220;data brokers&#8221;. Legally, transferring or selling personal data to a third party is classified as a form of &#8220;use&#8221; under Article 2 of the PDPA. Because commercial monetization of data usually exceeds the specific purpose specified by the enterprise at the time of collection, according to Paragraph 1, Article 20 of the PDPA, such out-of-purpose use generally requires the data subject&#8217;s separate and explicit consent to be lawful. If separate and explicit consent cannot be obtained, the use must meet other statutory exceptions.<\/p>\n<p>Such actions may also entail criminal liability. If a perpetrator illegally sells personal data with the intent to unlawfully profit themselves or a third party, or to harm the interests of another, they may be subject to a maximum of five years&#8217; imprisonment and may concurrently be fined up to NT$1,000,000 under Article 41 of the PDPA. However, it should be noted that the establishment of criminal liability under Article 41 strictly requires the presence of the aforementioned unlawful intent.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction specifically regulate or restrict marketing and electronic communications, including telemarketing\/telephone solicitations and \u2018robocalls\u2019, email marketing, SMS\/text messaging or other direct marketing? 
Please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA explicitly regulates direct marketing activities. Broadcasting commercial messages to data subjects by telemarketing, email, text messaging, or other electronic communication media is considered a &#8220;use&#8221; of personal data and must comply with the PDPA&#8217;s lawfulness requirements.<\/p>\n<p>Enterprises engaging in direct marketing must satisfy one of the following lawful bases. First, the marketing purpose must align with the &#8220;specific purpose&#8221; specified when the personal data was collected, and the data subject must have been adequately notified at that time. Alternatively, if the marketing purpose exceeds the original specific purpose, the enterprise must meet one of the statutory exceptions for such use for marketing, such as obtaining the data subject&#8217;s separate informed consent.<\/p>\n<p>Paragraph 2, Article 20 of the PDPA states that when a non-government agency uses a data subject&#8217;s personal data for marketing for the first time, it must proactively notify the data subject and provide a free and accessible way to opt out. 
Once the data subject informs the agency of their decision to refuse further marketing communications, the agency must immediately stop using their personal data for any marketing activities, as required by Paragraph 3 of the same Article.<\/p>\n<p>The National Development Council, in its Guidelines for Refusal of Commercial Marketing, clarifies that after engaging in marketing activities directed at data subjects, the data controller should continuously disclose, in a clear, comprehensible, prominently displayed, and easily accessible way, information on how data subjects may refuse to receive commercial marketing communications, for example by publishing such information on its website.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction regulate, restrict or impose specific obligations on the processing of biometric data, such as facial recognition. If so, how are the relevant terms defined?  Are these obligations focused on the collection, use and processing of unique biometric \u2018identifiers\u2019 (rather than any sort of biometric measurements) ?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA does not explicitly define &#8220;biometric data&#8221;. In practice, based on guidelines from authorities such as the Ministry of Education, it is generally understood as &#8220;physiological characteristic data unique to an individual and sufficient to identify a specific person&#8221;. These characteristics include fingerprints, facial features, iris patterns, voice prints, and vein patterns.<\/p>\n<p>Under the current PDPA framework, biometric data such as facial features are not classified as &#8220;special category personal data&#8221; under Article 6 of the PDPA. 
As a result, the collection, processing, and use of such data are not directly subject to the stricter requirements of Article 6.<\/p>\n<p>Having said that, biometric data remains highly privacy-sensitive and warrants careful consideration. Judicial Yuan (Taiwan\u2019s Grand Justices) Interpretation No. 603 (concerning compulsory fingerprinting for the issuance of Taiwan ID) established that, because of the significant personal identification capacity of biometrics, any compulsory collection by the State must be justified by a specific and substantial public interest. Such actions must also follow the principle of proportionality and be expressly authorized by law; otherwise, they infringe on the constitutional right to privacy.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any data protection laws in your jurisdiction that specifically address or apply to artificial intelligence or machine learning (\u201cAI\u201d).  If so, do these laws specifically apply to the processing of personal information related to AI, or more broadly?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Currently there are no data protection laws that specifically address or apply to AI. Given that protection of privacy and data governance are among the fundamental principles under the AI Basic Act enacted in January 2026 by the Taiwan government, it is anticipated that the PDPC will further review the relevant issues or even consider further amendments.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there any data localization requirements in your jurisdiction?  
In other words, are there any circumstances where some or all personal data is required to be stored locally, or prohibited from being transferred to or stored in certain jurisdictions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA in Taiwan currently does not impose comprehensive &#8220;data localization&#8221; obligations, and cross-border transfers of personal data are generally permitted. However, at the sector-specific level, competent authorities for relevant industries have established more stringent localization requirements or transfer restrictions. Enterprises should evaluate their compliance obligations based on their respective industries. For example:<\/p>\n<ul>\n<li><strong>Financial Sector:<\/strong> When financial institutions, securities firms, futures commission merchants, insurance companies, and electronic payment institutions outsource their information systems or customer data to cloud service providers, they must store sensitive data, such as core consumer financial business systems, customer and beneficiary data, investment portfolios, and transaction records, within Taiwan as required by their competent authorities. If offshore storage is necessary, the enterprise must obtain project-specific approval from the competent authority and ensure that complete data backups are maintained within Taiwan to guarantee the supervisory authority&#8217;s right of access to the data.<\/li>\n<li><strong>Healthcare Sector:<\/strong> If medical institutions use or outsource the processing of electronic medical record information systems to cloud service providers, the data storage location must be within Taiwan, as required by the Ministry of Health and Welfare. 
The cloud service provider must also pass information security certifications recognized by the central competent authority, such as ISO 27001 or other international cybersecurity certifications, before undertaking such operations.<\/li>\n<li><strong>Government Procurement and Critical Infrastructure:<\/strong> When government agencies procure information or cloud services, the use of products and services from vendors in the People&#8217;s Republic of China (&#8220;PRC&#8221;) is generally prohibited. Relevant data involved in government procurement must be stored within Taiwan. Vendors providing software or cloud services must also hold information security certifications, such as ISO 27001.<\/li>\n<li><strong>Sector-Specific Prohibitions on Cross-border Transfer to the PRC:<\/strong> For certain industries, competent authorities have issued blanket prohibitions on transferring personal data to the PRC, including those governing telecommunications and broadcasting businesses, social worker offices and human resources agencies. Enterprises in these industries, or those collaborating with such operators, must ensure their personal data flow mechanisms do not involve any transmission to the PRC.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Is the transfer of personal data outside your jurisdiction restricted, under certain circumstances? 
If so, please describe these restrictions and how businesses typically comply with them (e.g., does a cross-border transfer of personal data require a specified mechanism or notification to or authorization from a regulator?)<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the PDPA, cross-border transfers of personal data are generally permitted unless the competent authorities issue an order prohibiting or restricting such transfers. Under the PDPA, the competent authorities may impose limitations on cross-border data transfers under the following circumstances: (i) if the transfer may adversely affect significant national interests; (ii) if the transfer is prohibited or restricted by a relevant international treaty or agreement; (iii) if the jurisdiction receiving the data does not provide adequate legal protections for personal data, potentially infringing upon the rights or interests of data subjects; or (iv) if the transfer is intended to circumvent the provisions of the PDPA.<\/p>\n<p>Accordingly, several competent authorities have imposed restrictions and prohibitions on the transfer of personal data from certain business sectors under their supervision to the PRC. 
For example, the National Communications Commission issued a blanket prohibition against communications enterprises, including telecommunications carriers and broadcasting operators, from transferring subscribers\u2019 personal data to the PRC.<\/p>\n<p>In principle, businesses not subject to the restrictions above may transfer personal data across borders without the need to implement any specific mechanism, notify regulators, or obtain prior authorization from a competent authority.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What personal data security obligations are imposed by the data protection laws  in your jurisdiction?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Pursuant to Articles 18 and 27 of the currently effective PDPA, an obligation exists to implement security and maintenance measures to safeguard personal data from theft, alteration, damage, loss, or unauthorized disclosure. 
Article 12 of the Enforcement Rules of the PDPA outlines eleven security measures that may serve as guidelines (though not mandatory), which include (1) allocating management personnel and reasonable resources, (2) defining the scope of personal data, (3) establishing a mechanism of risk assessment and management of personal data; (4) establishing a mechanism of preventing, giving notice of, and responding to a data breach; (5) establishing an internal control procedure for the collection, processing, and use of personal data; (6) managing data security and personnel; (7) promoting awareness, education and training; (8) managing facility security; (9) establishing an audit mechanism of data security; (10) keeping records, log files and relevant evidence; and (11) implementing integrated and persistent improvements on the security and maintenance of personal data.<\/p>\n<p>Sector-specific personal data protection regulations, such as the Financial Industry Security Maintenance Regulations, require operators to fulfill obligations, including conducting risk assessments, establishing contingency plans for incidents, implementing education and training programs, formulating specific management procedures, and adopting data security measures.<\/p>\n<p>Under the 2025 Amendments, the obligation for non-government agencies has been relocated to Article 20-1, which grants the PDPC the authority to prescribe relevant security maintenance standards. 
Government agencies are subject to similar obligations under Article 18 of the proposed amendment.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are there more specific security obligations for certain types of personal data (e.g., sensitive data or special categories of personal data)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under the PDPA, both governmental and non-governmental agencies are subject to an obligation to implement appropriate security and maintenance measures to safeguard personal data against theft, alteration, damage, loss or unauthorized disclosure.<\/p>\n<p>Pursuant to the &#8220;Draft Regulations Governing Security Maintenance and Management of Personal Data Files&#8221;, as announced by the Preparatory Office of the PDPC, both government and non-government agencies would be required to implement additional and more specific measures in respect of paper-based or electronic files containing special categories of personal data. 
Such measures include, inter alia, the establishment of appropriate access control mechanisms for relevant files, the adoption of safeguards in relation to the destruction, disposal or repurposing of such files, the implementation of file security and encryption protocols, and the maintenance of secure transmission mechanisms.<\/p>\n<p>In the event that the draft regulations are formally promulgated, government and non-government agencies would be subject to enhanced compliance obligations in relation to the retention, management and handling of special categories of personal data.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction impose obligations in the context of security breaches which impact personal data? If so, how do such laws define a security breach (or similar term) and under what circumstances and within what timeframe must such a breach be reported to regulators, impacted individuals, law enforcement, or other persons or entities?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The PDPA does not provide a direct definition of &#8220;security breaches.&#8221; However, Article 12 stipulates that a personal data incident refers to theft, leakage, alteration, or other forms of infringement upon personal data. Once confirmed, the affected data subjects must be notified appropriately in such an incident, including oral, written, telephone, text message, email, facsimile, or electronic document notifications. A public announcement may be used instead if notification costs are excessively high.<\/p>\n<p>The 2025 Amendments introduce a general mandatory notification requirement. 
Where a personal data incident falls within the &#8220;specified notification scope&#8221; to be designated by the PDPC, notification must be made to the PDPC. In the case of non-governmental agencies, such notification is also required to be submitted to the competent authority overseeing the relevant industry sector.<\/p>\n<p>The &#8220;Draft Regulations Governing the Notification, Reporting, and Contingency Measures for Personal Data Incidents,&#8221; as announced by the Preparatory Office of the PDPC, provide further clarification of the &#8220;specified notification scope&#8221; and establish that notification and reporting must be made to affected individuals and the competent authority within 72 hours of becoming aware of theft, leakage, alteration or other forms of infringement of personal data. The draft regulations further set out detailed requirements regarding the content, method and record-keeping obligations for such notifications and reports. Moreover, sector-specific personal data protection regulations may impose additional reporting obligations on certain industries in respect of material personal data incidents.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction establish specific rights for individuals, such as the right to access and the right to deletion? 
If so, please provide a general description of such rights, how they are exercised, and any exceptions.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Article 3 of the PDPA confers the following rights upon data subjects, which may neither be waived in advance nor restricted by special agreement:<\/p>\n<ul>\n<li><strong>Right of Access to (Copies of) Data about Processing:<\/strong> Individuals have the right to access and review their data held by both government or non-government agencies, as well as the right to obtain copies of such data.<\/li>\n<li><strong>Right to Rectification of Errors:<\/strong> Data subjects can request the correction or supplementation of inaccurate or incomplete personal data. In the event of a dispute concerning the accuracy of the personal data, the processing or use of the data must be suspended unless (i) such processing or use is necessary for the agency\u2019s statutory duties or business operations or (ii) the data subject provides written consent, and the existence of the dispute is duly recorded.<\/li>\n<li><strong>Right to Cease Processing:<\/strong> Article 3 of the PDPA grants data subjects the right to request the cessation of the processing or use of their personal data.<\/li>\n<li><strong>Right to Deletion<\/strong>: Article 3 of the PDPA expressly provides that a data subject may request the deletion of their personal data by either a government or non-government agency.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the data protection laws in your jurisdiction allow or provide for a private right of action for violations?  If so, does your jurisdiction also allow \u201cclass action\u201d litigation (i.e., on behalf of a class or (\u2018many\u2019) claimants)? 
Please explain under what circumstances in which a private right of action applies and\/or a class action may be brought, and whether types of claims\/violations present a higher risk of a private right of action or class action (e.g., are there statutory damages or presumed harm for certain violations)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Chapter 4 of the PDPA expressly confers private rights of action upon data subjects. Where a government agency or non-governmental agency is in breach of the provisions of the PDPA, and such breach results in an infringement of the rights of a data subject, the data subject may, in accordance with Articles 28 and 29 of the PDPA, bring a claim for damages against the relevant agency.<\/p>\n<p>In addition, pursuant to Article 34 of the PDPA, where the rights of multiple individuals (being 20 or more persons) are infringed as a result of the same set of underlying facts, a qualified foundation or association meeting the prescribed statutory requirements may, upon obtaining written authorization from the affected individuals, initiate a class action on behalf of the aggrieved data subjects.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are individuals entitled to monetary damages or compensation if they are affected by breaches of data protection law? 
Does the law require actual and material damage to have been sustained, or is non-material injury to feelings, emotional distress or similar sufficient for such purposes?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Under Article 28 of the PDPA, a data subject who suffers damage due to an infringement of their data protection rights is entitled to claim compensation for both pecuniary and non-pecuniary damages. Additionally, if the violation of personal data harms the data subject&#8217;s reputation, the data subject may request appropriate measures to restore their reputation.<\/p>\n<p>It is important to note that, in cases where the same infringing act damages the rights of multiple data subjects, the law establishes an upper limit on the total amount of compensation. In principle, the aggregate maximum compensation shall not exceed NT$200 million. However, if the total actual interests in the incident exceed this amount, the aggregate value of such actual interests shall serve as the upper limit for compensation.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are data protection laws in your jurisdiction typically enforced? What regulatory body(ies) have enforcement authority?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>As mentioned above, previously, the NDC served as the competent authority responsible for interpreting the PDPA and acted as a coordinator among various government agencies regarding the interpretation and implementation of personal data protection matters. 
However, following the establishment of the Preparatory Office of the PDPC on December 5, 2023, the responsibility for interpreting the PDPA was transferred from the NDC to the Preparatory Office of PDPC as of January 1, 2024.<\/p>\n<p>Taiwan is currently under a decentralized regulatory approach to the supervision of compliance with the PDPA. Under this framework, central competent authorities across various industry sectors, as well as local governments, are vested with supervisory powers to enforce the relevant provisions of the PDPA. Such powers include, inter alia, the issuance of sector-specific rules in relation to data security requirements, as well as the authority to require data controllers to report personal data security incidents.<\/p>\n<p>Following the decision of the Constitutional Court and the subsequent amendments to the PDPA, a centralized regulatory model is to be implemented through the establishment of the PDPC. Upon its establishment, the PDPC will assume the supervisory powers currently exercised by other competent authorities and will become the sole competent authority under the PDPA. The amended PDPA provides for a six-year transitional period during which such supervisory powers will be progressively transferred to the PDPC.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction?  
Are there any guidelines or rules for the calculation of such fines or the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Pursuant to the PDPA, conducting any of the following breaches with an intent to make unlawful profit for oneself or a third party or with an intent to damage the interest of another, thereby causing or potentially causing injury to another\u2019s may lead to criminal penalties:<\/p>\n<p>(i) illegal collection, processing, or use of personal data;<\/p>\n<p>(ii) failure to obey a central government authority&#8217;s order imposing restrictions on the international transfer of personal data; or<\/p>\n<p>(iii) illegal amendment or deletion of personal data files or employment of any other illegal means thereby affecting the accuracy of personal data files.<\/p>\n<p>In addition, an administrative fine may be imposed for failure to comply with the requirements under the PDPA, such as collecting or processing personal data without a statutory ground, using the personal data outside of the scope of the specific purpose under which the personal data was collected, or failure to comply with the restrictions on the international transfer of personal data. 
For any failure to comply with the notification requirements, marketing restrictions, information security requirements or obligations to respond to data subjects&#8217; requests, the authority may order that correction be made by a certain deadline and impose an administrative fine if correction is not made within such deadline.<\/p>\n<p>The competent authorities may impose an administrative fine of between NT$50,000 and NT$500,000 if a non-government agency violates the relevant data protection requirements.<\/p>\n<p>For minor violations, such as failure to comply with notification requirements, the competent authority must first designate a time limit for the non-government agency to rectify the failure. Only if the non-government agency fails to rectify the failure within the time limit will the competent authorities impose an administrative fine between NT$20,000 and NT$200,000.<\/p>\n<p>If there is a data breach, the central competent authorities in charge of the relevant industries and the local government authorities may impose an administrative fine ranging from NT$20,000 to NT$2,000,000 immediately, without having to designate a time limit for the non-government agency to rectify the breach first. If the non-government agency fails to rectify the breach within such time limit, the aforesaid administrative fine can be increased to between NT$150,000 and NT$15,000,000. 
On the other hand, if the data breach is material (the threshold for determining whether a data breach is material will be assessed on a case-by-case basis), the aforesaid authorities may impose an administrative fine ranging from NT$150,000 to NT$15,000,000 immediately, without having to designate a time limit for the non-government agency to rectify the breach first.<\/p>\n<p>The administrative fines under the PDPA may be imposed consecutively until the violation is rectified.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to  appeal in your jurisdiction? If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Yes, non-government agencies subject to enforcement decisions may file an appeal if they object to such decisions. Non-government agencies may file an administrative appeal against enforcement decisions with their superior authorities in accordance with the Administrative Appeal Act. If the non-government agencies are not satisfied with the appeal decisions, they may seek judicial remedies from administrative courts in accordance with the Administrative Litigation Act.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the implementation of specific cybersecurity risk management measures and\/or require that organisations take specific actions relating to cybersecurity? If so, please provide an overview of these obligations and explain their scope\/applicability.  
For example, are all organizations subject to the requirement or only to certain organizations (e.g., based on size, sector, critical infrastructure designation, public company)?  Are there specific and\/or additional regulations for different industries (e.g., finance, healthcare, government)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>For government agencies and the specific non-government agencies (such as critical infrastructure providers), the CSMA requires adoption of cybersecurity maintenance plans and reporting of cybersecurity incidents to the related government authorities. In particular, implementing anti-virus measures and adopting periodic checks on security procedures are encouraged. In addition, some statutes for the telecommunications industry prescribe critical infrastructure and the related security level.<\/p>\n<p>Other than the specific non-government agencies under the CSMA, a company is not legally required to have written information security plans or incident response plans, appoint a chief information security officer (&#8220;CISO&#8221;), conduct risk assessment or internal training, or implement other security measures. A company is also not required to disclose software vulnerabilities unless they are material to the operation of a listed company.<\/p>\n<p>Critical infrastructure providers are the primary entities regulated under the CSMA. According to the Executive Yuan, as of November 2025, there are nine designated critical infrastructure sectors: energy, water resources, telecommunications, transportation, banking and finance, hospitals, central and local government, high-technology parks, and food supply.<\/p>\n<p>Each of these critical infrastructure sectors may be governed by specific laws and regulations. 
For example, in the banking and finance sector, the Regulations of Cyber Security Management for Specific Non-Government Agencies under FSC, promulgated by the FSC, govern cybersecurity requirements for the industry. Additionally, the Telecommunications Management Act stipulates that telecommunications enterprises which have established a public switched telephone network (PSTN) using telecommunications resources, or other telecommunications enterprises as announced by the competent authority, must formulate and implement an information and communications security maintenance plan. The specific requirements are further detailed in the Administration Regulations of Cyber Security on Telecommunications Business.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose formal cybersecurity audit or certification requirements? If so, please provide an overview.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>According to the Regulations on Classification of Cyber Security Responsibility Levels, governmental agencies and specific non-governmental agencies classified as Level A or Level B under the CSMA are required to implement information security management system standards, such as CNS 27001 or ISO 27001, or other systems or standards with equivalent or superior effectiveness, or standards independently developed by other governmental agencies and recognized by the competent authority, for all core information and communication systems. 
These agencies must also complete impartial third-party certification and continuously maintain the validity of such certification.<\/p>\n<p>For governmental agencies and specific non-governmental agencies classified as Level C, it is required to implement CNS 27001, ISO 27001, or other systems or standards with equivalent or superior effectiveness, or standards independently developed by other governmental agencies and recognized by the competent authority, for all core information and communication systems, and to continuously maintain such implementation.<\/p>\n<p>In addition, Level A governmental agencies or specific non-governmental agencies are required to conduct internal information security audits twice per year; Level B agencies must conduct such audits once per year; and Level C agencies are required to conduct internal information security audits once every two years.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific requirements regarding vendor and supply chain management? If so, please provide details of these requirements.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Although the CSMA articles do not contain a dedicated chapter on &#8220;supply chain,&#8221; many of the management requirements and standards derived from the CSMA implicitly address the need to manage third-party vendors and product supply chains.<\/p>\n<p>For instance, Exhibit 10 of the Regulations on Classification of Cyber Security Responsibility Levels outlines specific requirements for entities subject to the CSMA to ensure the integrity and availability of their information systems. 
Entities classified at a high defense standard are required to implement at least the following control measures:<\/p>\n<ul>\n<li>The cyber system must use automated tools to monitor communication flows and analyze any detected unusual or unauthorized activities.<\/li>\n<li>Regular inspections must be conducted to verify the integrity of software and information.<\/li>\n<li>Integrity verification tools should be employed to detect any unauthorized changes to specific software and information.<\/li>\n<li>The legitimacy of user input data must be verified at the server terminal of the application system.<\/li>\n<li>If any integrity violations are identified, the cyber system must implement the security protection measures prescribed by the relevant authorities.<\/li>\n<\/ul>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction require the appointment of a chief information security officer, regulatory point of contact, or other person responsible for cybersecurity? If so, please provide an overview of the requirement, including whether there are any formalities that must be observed regarding such appointment (e.g., board-approval, reporting line structure, notification to regulatory body).<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Pursuant to the CSMA as amended on September 24, 2025, both government agencies and specific non-governmental agencies are required to appoint a CISO. For government agencies, the CISO shall be appointed by the head of the agency from among the deputy heads or other appropriate personnel, and is responsible for promoting and overseeing information and communications security matters within the agency. 
For specific non-governmental organizations, the CISO shall be the representative, manager, other authorized person, or other appropriate personnel appointed by such individuals, and is responsible for promoting and overseeing information and communications security matters within the organization.<\/p>\n<p>Additionally, entities classified as levels A, B, and C under the CSMA are required to assign dedicated cybersecurity personnel.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Do the cybersecurity laws in your jurisdiction impose specific reporting or notice obligations in the context of cybersecurity incidents?  If so, how do such laws define a cybersecurity incident and what are the reporting and notification requirements (please also note whether these laws require reporting of certain cyber security incidents, regardless of whether there has been a \u2018breach of personal data\u2019)?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Pursuant to the CSMA, agencies and entities subject to the CSMA shall report to their supervisory agency or to the competent authority of the industry as applicable when they become aware of a cybersecurity incident. A &#8220;cybersecurity incident&#8221; refers to any event where the status of a system, service, or network is identified as having a potential violation of the cyber security policy or a failure of protective measures, which affects the functionality of the information and communication system.<\/p>\n<p>The Regulations on the Notification and Response of Cyber Security Incident further detail the reporting of a cybersecurity incident as required under the CSMA. 
A \u201cspecified non-government agency\u201d shall report to the central regulator within one hour of becoming aware of the cybersecurity incident and shall complete damage control or recovery of the system within 36 to 72 hours depending on the type of the cybersecurity incident.<\/p>\n<p>When making such a report to the authority, the report must include information such as the time of occurrence and the time the agency became aware of the incident, a description of the incident, an assessment of the risk level, the response measures taken, an evaluation of any external assistance received, and other relevant matters. There are no specific provisions with regard to exemption from the reporting requirements, and it is not necessary for the authority to make such reports publicly available.<\/p>\n<p>Under the CSMA, if a cybersecurity incident involves a personal data breach, government agencies and specific non-government agencies must not only report in accordance with the CSMA, but also comply with the PDPA and other relevant laws and regulations.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Can individuals bring a private right of action for cybersecurity incidents or other violations of cybersecurity laws?  If so, does your jurisdiction also allow \u201cclass action\u201d litigation (i.e., on behalf of a class or (\u2018many\u2019) claimants)? Please explain under what circumstances in which a private right of action and\/or a class action may be brought?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The CSMA does not specifically provide a private right of action for cybersecurity incidents or for other violations of cybersecurity laws. 
However, parties affected by such incidents may still pursue potential liability claims (such as those in tort) or seek other civil remedies, depending on the specific circumstances and applicable legal provisions.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">How are cybersecurity laws in your jurisdiction typically enforced? What regulatory body(ies) have enforcement authority?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The cybersecurity laws in Taiwan are generally enforced by government agencies themselves (as regulated entities under the CSMA) and by specific non-government agencies (such as critical infrastructure providers) under the supervision of their competent authority.<\/p>\n<p>In particular, the central competent authority responsible for the relevant industry has the power to conduct audits or administrative inspections of specific non-government agencies under its supervision, request information, and issue orders to implement or enhance cybersecurity measures. 
In the event of non-compliance, the central competent authority may issue corrective orders requiring the specific non-government agency to rectify the deficiencies within a designated period, as well as impose administrative fines.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What powers of oversight \/ inspection \/ audit do regulators have in your jurisdiction under cybersecurity laws.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Pursuant to the CSMA and relevant regulations, the competent authority and the central competent authority responsible for the relevant industry have broad powers of oversight, including the authority to require reports, conduct audits, mandate improvement actions, and oversee incident reporting and response by regulated entities under their supervision.<\/p>\n<p>Specifically, critical infrastructure providers are required to submit reports on the implementation of their cybersecurity maintenance plans to the central competent authority for the relevant business purpose. The central competent authority responsible for the relevant industry is empowered to audit the implementation of such plans by the critical infrastructure providers under its supervision. If deficiencies or areas for improvement are identified in the implementation of cybersecurity maintenance plans, the provider must submit an improvement report to the central competent authority.<\/p>\n<p>For specific non-government agencies other than critical infrastructure providers, the central competent authority in charge of the relevant industry may require such agencies to submit reports on the implementation of their cybersecurity maintenance plans and may also conduct audits of such implementation. 
Where deficiencies are found, the central competent authority for the relevant business purpose may require the audited agency to submit an improvement report within a specified period.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">What is the range of sanctions (including fines and penalties) for violations of cybersecurity laws in your jurisdiction? What is the range of sanctions (including fines and penalties) for violation of data protection laws in your jurisdiction?  Are there any guidelines or rules for the calculation of such fines or the imposition of sanctions?<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>Government officials who fail to comply with the CSMA are subject to discipline or penalty in accordance with the applicable regulations (i.e., the Regulations for Rewards and Penalties Regarding Cybersecurity Matters for Personnel of Government Agencies).<\/p>\n<p>Specific non-government agencies may be ordered to take corrective measures by a certain deadline or be subject to an administrative fine ranging from NT$100,000 to NT$5,000,000 for failure to comply with the obligations to:<\/p>\n<ol>\n<li>stipulate, revise or implement the cybersecurity maintenance plan;<\/li>\n<li>submit a report on implementation of the cybersecurity maintenance plan;<\/li>\n<li>submit the improvement reports;<\/li>\n<li>stipulate the reporting and response mechanisms for cybersecurity incidents;<\/li>\n<li>submit the cybersecurity investigation, handling and improvement reports regarding cybersecurity incidents; and<\/li>\n<li>comply with the reporting and drill execution requirements under the Regulations on the Notification and Response of Cyber Security Incident. 
<\/li>\n<\/ol>\n<p>Fines may be imposed consecutively until corrective measures are taken.<\/p>\n<p>Specific non-government agencies are subject to an administrative fine ranging from NT$300,000 to NT$10,000,000 for failure to comply with the obligation to report a cybersecurity incident.<\/p>\n<p>So far, no rules or clear guidelines have been published under the CSMA regarding the calculation of the fines mentioned above. The central competent authority generally has discretionary power with respect to the amount of fines imposed.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\t\t\t\t\t<li class=\"question-block filter-container__element\">\r\n\t\t\t\t\t\t<h3 class=\"filter-container__match-html\">Are enforcement decisions open to appeal in your jurisdiction? If so, please provide an overview of the appeal options.<\/h3>\r\n\t\t\t\t\t\t<button id=\"show-me\">+<\/button>\r\n\t\t\t\t\t\t<div class=\"question_answer filter-container__match-html\" style=\"display:none;\"><p>The enforcement decisions imposed by the central competent authority as mentioned above may be appealed in accordance with the general procedures for administrative remedies under Taiwan law, such as the Administrative Appeal Act and the Administrative Litigation Act.<\/p>\n<p>Generally, administrative dispositions imposed by an administrative agency can be appealed to its supervisory agency. If the supervisory agency does not rule in favour of the appellant, the appellant may further initiate administrative litigation before the Administrative High Court seeking revocation of the decision. 
The judgment rendered by the Administrative High Court may in turn be appealed to the Supreme Administrative Court, whose judgment is final and binding unless it revokes the Administrative High Court\u2019s judgment.<\/p>\n<\/div>\r\n\r\n\r\n\t\t\t\t\t<\/li>\r\n\r\n\t\t\t\t\r\n\r\n\t\t\t<\/ol>\r\n\r\n<\/div>"}},"_links":{"self":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide\/140796","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/comparative_guide"}],"about":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/types\/comparative_guide"}],"wp:attachment":[{"href":"https:\/\/my.legal500.com\/guides\/wp-json\/wp\/v2\/media?parent=140796"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}