


Law: The Personal Data Protection Act 2010 (as amended in 2015) ('PDPA')

Regulator: The National Development Council ('NDC')

Summary: Data protection in Taiwan is governed by the PDPA and the Enforcement Rules of the Personal Data Protection Act. Although the NDC is the lead regulator when it comes to interpreting the PDPA, the PDPA is enforced by the competent regulators that supervise each industry. Of these regulators, the Financial Supervisory Commission is the most active. On June 2, 2023, amendments to the PDPA entered into effect. The amendments update Article 48 of the PDPA in regard to violations of security obligations and establish an independent supervision mechanism. The NDC confirmed that the Executive Yuan will promptly establish a preparatory office for the Personal Data Protection Commission. 


In this Insight article, Robert C. Lee and Wayne Huang, from YangMing Partners, discuss the recent amendments made to Taiwan's Personal Data Protection Act (PDPA) and their implications for personal data protection.

Following several recent severe personal data leakage incidents in Taiwan, which garnered significant public attention and highlighted the importance of personal data protection, the Executive Yuan of Taiwan (Cabinet) approved draft amendments to the PDPA on April 13, 2023. Subsequently, the draft amendments (Amendments) were approved by Taiwan's Legislative Yuan (Congress) on May 16 and were officially signed off on and published by Taiwan's President on May 31.

In this report, OneTrust DataGuidance provides a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the Personal Data Protection Act 2010 (as amended in 2015) (PDPA) and the Enforcement Rules of the Personal Data Protection Act (the Enforcement Rules).

The report examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of the PDPA and the Enforcement Rules with the GDPR.


Taiwan commenced the process to obtain an adequacy decision shortly after the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') took effect in May 2018. The Taiwan Government established a Personal Data Protection Office under the National Development Council ('NDC') in July 2018 for the purposes of, among others, obtaining a GDPR adequacy decision as soon as possible so as to facilitate cross-border personal data transfers between EU Member States and Taiwan. Ken-Ying Tseng, Partner at Lee and Li, Attorneys-at-Law, discusses the timeline so far of Taiwan's process of obtaining an adequacy decision and what is expected to happen next.