Taiwan - Data Protection Overview
1. Governing Texts
Data protection in Taiwan is primarily governed by the Personal Data Protection Act 2015 ('PDPA') and the Enforcement Rules of the Personal Data Protection Act ('the Enforcement Rules').
The Government of Taiwan ('the Government') has submitted its application to the EU for an adequacy decision pursuant to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and continues its dialogue with the EU in this regard. Meanwhile, the Government is evaluating whether the PDPA needs to be amended in order to further align it with the GDPR.
The collection, processing, and use of personal data in Taiwan are subject to the PDPA and the Enforcement Rules, as well as other applicable rulings or regulations issued by the relevant competent authorities, in particular the sectoral rules on security maintenance plans stipulated by the regulators of different industries.
The latest amendments to the PDPA were promulgated at the end of 2015 and took effect on 15 March 2016. Moreover, given that the GDPR has taken effect, the Government is planning to further amend the PDPA to meet GDPR standards and obtain an adequacy status decision from the EU. The Government held several public hearings to solicit public comments on amendments to the PDPA in 2019. Among the various topics discussed during the public hearings, the Government is contemplating the adoption of data breach notification obligations and cross-border data transfer restrictions similar to those under the GDPR. The Government is also planning to establish an independent data protection authority.
There are no guidelines promulgated by the Government or any private organisation concerning personal data protection. The Government urged government agencies, companies, and organisations to adopt their own internal personal data protection policies or operating procedure guidelines when the PDPA was significantly revised in 2012; as a result, many government agencies and companies have established such internal guidelines.
A few government agencies, such as the Ministry of Economic Affairs and the National Communications Commission ('NCC'), have issued certain personal data protection handbooks for the reference of private businesses. The purpose of such handbooks is to help private companies in the relevant industrial sectors become familiar with the relevant requirements under the PDPA so that they can establish their own mechanisms and systems to protect the personal data that they hold.
1.3. Case law
There have been a few noteworthy court decisions:
In January 2017, the Supreme Administrative Court ('the Supreme Court') rejected the request of eight Taiwanese citizens to remove their medical data from the database of the National Health Insurance Administration ('NHIA') under the Ministry of Health and Welfare ('MOHW'). The NHIA had been releasing the medical data of individuals enrolled in the National Health Insurance system of Taiwan to third parties for research purposes. The NHIA claimed that the data released to such third parties had been encrypted six times so that individuals could not be identified, and therefore, the PDPA did not apply to the release of the data. The NHIA also claimed that assisting academic research to improve the health of Taiwanese nationals was one of its official duties, and as such, it should have the power and authorisation to release anonymous data. The eight citizens disagreed with such arguments and claimed that pursuant to the PDPA, they have the right to demand that the NHIA stop using their personal data. The Supreme Court supported the position of the NHIA and ruled that even though the data released was not entirely anonymous data, it was the NHIA's official duty to take actions to improve the health of Taiwanese nationals. Furthermore, the Supreme Court emphasised that, in this case, public interests, such as improving the health of citizens, outweighed private interests such as an individual's right to control their data. The plaintiffs of the case applied for a judicial review by the Grand Justices of Judicial Yuan (i.e. constitutional interpretation), and the Grand Justices were scheduled to hear the case on 26 April 2022.
In July 2017, the Taipei District Court ('the District Court') rendered its first judgment commenting on the merit of the 'right to be forgotten'. A former owner of a professional baseball team sued Google LLC, requesting Google to remove all of the negative news reports about them in connection with the cheating scandals of the baseball team that they had owned years ago. The District Court ruled that there is no such concept of a right to be forgotten under the Taiwan Civil Code and that pursuant to the PDPA, a data subject can only request the removal of their personal data when the data is incorrect, the specific purpose for the data processing no longer exists, or the data was unlawfully collected or processed. The plaintiff appealed the District Court's decision, but the appeal was dismissed by the Taiwan High Court on 20 June 2018 with reasoning similar to that of the District Court's decision. On 4 February 2021, the Supreme Court overruled the decision of the Taiwan High Court and ordered that the case be heard by the Taiwan High Court again. The Supreme Court disagreed with the Taiwan High Court and the Taipei District Court and deemed it necessary to review carefully again whether Google's display of the relevant links to the cheating scandals of the plaintiff is within the necessary scope of the use of the plaintiff's personal data and whether the privacy of the plaintiff outweighs the search results given the lapse of time.
The District Court rendered its decision on the first PDPA class action on 31 October 2019. The class action was brought by the Consumers' Foundation for and on behalf of a group of individuals against a listed travel agency. In June 2017, the travel agency discovered that its computer system was accessed by an unknown source, and it immediately took actions to notify its customers, report to the police, make a public announcement, and check its IT system. Some customers were defrauded during that period, despite the travel agency's efforts to alert them. The Consumers' Foundation brought a class action against the travel agency for the victims demanding civil compensation. The District Court ruled that the travel agency was not liable because it took the necessary steps to keep its IT system safe as well as to alert the consumers. The Consumers' Foundation appealed the decision, and the case was heard by the Taiwan High Court. This case was eventually settled by the parties before the Taiwan High Court on 7 July 2020. The travel agency paid the agreed amount of compensation in August 2020, and the Consumers' Foundation completed the distribution to the plaintiffs by the end of September 2020.
2. Scope of Application
The PDPA applies to personal data-related activities conducted by a government agency, which refers to a government agency or administrative juridical person at the central or local government level, which is empowered to exercise sovereign power. The PDPA also applies to non-government agencies, which includes the private sector, all individuals, and all non-state-owned entities. Government agencies and non-government agencies are subject to two different sets of rules, with government agencies being granted more discretion with regard to how personal data can be collected and used. Nonetheless, a government agency is subject to stricter civil liability than a non-government agency, and so it would be much more difficult for a government agency to disclaim its civil liability.
The PDPA applies in principle to all data collection and processing activities taking place in Taiwan without regard to whether the data subjects are Taiwanese nationals or not. The current text of the PDPA does not explicitly provide for the extraterritorial application of the PDPA to offshore entities, although some of its provisions would seem to suggest such an application. However, the position of the authority has been that the PDPA does not have the type of extraterritorial effect spelled out under the GDPR.
All types of processing are subject to the PDPA, whether conducted by automatic means or in a traditional manual way, except for the following two situations:
- the collection, processing, or use of personal data by an individual in the course of personal or family activity; or
- the collection, processing, or use of audio-visual information in a public place or of a public activity, which is not associated with any other personal data.
3.1. Main regulator for data protection
Since July 2018, the National Development Council has taken over the power and function of the Ministry of Justice and has become the authority that is in charge of interpreting the PDPA and the internal coordination among different government authorities with regard to the relevant matters. The enforcement of the PDPA is administered by the central, local, municipal, county, and government authorities that regulate and supervise the business operations of non-government agencies for each industry ('the Competent Regulators'). The Government has been contemplating designating or forming one government agency to be the primary regulator of the PDPA in Taiwan, but it is still uncertain as to when such an agency will be established.
3.2. Main powers, duties and responsibilities
The Competent Regulators may impose restrictions on a non-government agency's international transfers of personal data and designate certain non-government agencies to establish plans to maintain the security of personal data files and/or how to dispose of those files after they cease their business operations. The Competent Regulators also have the power to conduct on-site inspections of certain non-government agencies, if they deem it necessary or if such a non-government agency is alleged to have breached the PDPA. If the Competent Regulators discover any major non-compliance, they have the power to publicly announce the relevant non-compliance and the identities of those responsible.
4. Key Definitions
Data controller | Data processor: The PDPA does not specifically adopt any terms used by European countries, such as 'data controller', 'data processor', or 'data owner', to refer to the relevant parties in personal data-related activities. The PDPA simply subjects 'government agencies' and 'non-government agencies' to two different sets of rules in regard to personal data-related activities.
Personal data: The PDPA defines the term 'personal data' as 'names, dates of birth, ID Card numbers, passport numbers, characteristics, fingerprints, marital status, family, education, occupation, medical records, medical treatment, genetic information, sexual life, health examinations, criminal records, contact information, financial situation, social activities, and other information or data which may be used to identify a natural person, both directly and/or indirectly'.
Sensitive data: No definition is provided under the PDPA and its Enforcement Rules. However, according to Article 6 of the PDPA, 'any personal data with regard to medical records, medical treatment, genetic information, sexual life, health examinations, and criminal records' shall be subject to special protection and in local practice, such personal data are often referred to as 'sensitive personal data'.
Health data: No definition is provided under the PDPA and its Enforcement Rules. However, Article 6 of the PDPA offers special protection for 'the personal data with regard to medical records and medical treatment'.
Data subject: A natural person whose personal data is collected, processed, or used.
5. Legal Bases
Pursuant to Article 19 of the PDPA, when a non-government agency collects non-sensitive personal data, it must have a 'specific purpose' and shall meet any one of the following statutory grounds:
- it is specifically permitted by law to do so;
- the non-government agency and the data subject have entered into or are negotiating a contract;
- the data is already in the public domain due to disclosure by the data subject or in a legitimate manner;
- it is necessary for the gathering of statistics or academic research by an academic research institution for the public interest, provided that any information sufficient to identify the data subject has been removed;
- the consent of the data subject has been obtained;
- it is necessary for the sake of public interest;
- the data has been collected from a source accessible to the collector unless the interest of the data subject takes priority over that of the collector; or
- it would not harm the data subject's rights or benefits.
Before the latest amendments to the PDPA, all consent under the PDPA had to be obtained in a written format, either manually or electronically. Since 15 March 2016, consent may be given in other formats, except for consent regarding the collection and use of sensitive personal data and consent for a data subject to waive their right to request the stoppage or suspension of the usage of the relevant personal data when in dispute or when the specific purpose no longer exists. As for whether consent may be express or implied, it is only possible to obtain implied consent from a data subject when the data is directly collected from them with all of the required information being provided to the data subject. In most cases, direct marketing will need to rely on consent as the legal base.
A non-government agency may rely on its contract with the data subject to collect, process, and use the personal data of a data subject but not the sensitive personal data of the data subject. Any personal data collected relying on this legal base shall be used within the scope of performing the contract and can only be used for marketing purposes in a very limited scope. Based on this principle, an employer may rely on the employment agreements with its employees to collect, process, and use the employees' personal data.
For sensitive personal data, a business may collect sensitive personal data if it is necessary for the business to perform its legal obligation, and the business shall adopt proper security measures to protect the personal data. With regard to non-sensitive personal data, pursuant to Article 19 of the PDPA, if the collection and use of personal data is specifically stipulated under a law or a regulation, such a law or regulation can be the legal base for a non-government agency to collect, process, and use the relevant personal data.
Pursuant to Article 19 of the PDPA, a non-government agency may assert that the collection and processing of personal data will not harm the rights or benefits of the data subjects as its legal base. However, please note that there is no explicit example for this legal base, and the Taiwan authority does not suggest that non-government agencies resort to this legal base for their data collection and processing activities except in an exceptional situation.
Pursuant to Article 19 of the PDPA, a non-government agency may collect, process, and use personal data if it is necessary for the sake of public interest.
Under Article 19 of the PDPA, if the personal data is public information, whether it was made public by the data subject or through other legal means, a non-government agency may collect, process, and use such personal data based on the specific purpose of collection.
A government or non-government agency is required to notify the data subject of the matters specified under Articles 8 or 9 of the PDPA, which in general include:
- the identity of the government/non-government agency;
- the purposes of the collection;
- the type of data collected;
- the term, place, and method of use, and the persons who may use the data;
- the data subject's rights and the manner in which such rights may be exercised;
- the consequences of their failure to provide the required personal data; and
- the source from which the government/non-government agency obtained the personal data (indirect collection).
To collect personal data, one must have one or more specific purposes and the personal data shall be used within the necessary extent of such purposes. Otherwise, an additional legal basis shall be established pursuant to the PDPA.
There are no specific data minimisation requirements under the PDPA. However, Article 5 of the PDPA stipulates that the collection, processing, and use of personal data shall not go beyond the necessary extent of the purpose(s) for which the data was collected, and must be reasonably and justifiably related to such purpose(s). It can be inferred from this that a company shall not collect personal data that is not necessary to its operation.
The PDPA adopts the principle of proportionality in a couple of ways. In addition to Article 5 of the PDPA, with regard to the obligations to keep personal data safe, a company is free to adopt the relevant security measures based on the principle of proportionality. The Enforcement Rules illustrate certain technical and organisational measures that a government or non-government agency may consider adopting, and a company may choose to adopt all or some of them based on the quality and quantity of the personal data involved.
Neither the PDPA nor the Enforcement Rules prescribe any specific requirements regarding data retention. Nonetheless, the PDPA requires government and non-government agencies to delete or stop collecting, processing, or using personal data voluntarily or upon the request of the data subject when the purpose(s) for which the personal data were collected cease(s) to exist or the retention period expires. The retention will be deemed to be necessary for the performance of a government agency's statutory duties or a non-government agency's business operation if:
- the retention period provided by law or contract has not expired;
- the deletion will be detrimental to the rights or interests of the data subject; or
- there is any other legal basis for the retention.
Accuracy of personal data
A government or non-government agency must ensure the accuracy of personal data and correct or supplement personal data voluntarily or upon the request of the data subject. If the failure to provide accurate personal data was attributable to a government or non-government agency, it shall notify the persons to whom the data were provided as soon as the government or non-government agency corrects or supplements the data.
7. Controller and Processor Obligations
Under the PDPA, the term 'data processor' does not exist. A similar concept would be the commissioned agency that has been appointed by a government agency or a non-government agency to collect, process, or use personal data for and on behalf of such a government agency or non-government agency.
According to Article 8 of the Enforcement Rules, a government agency or non-government agency must adopt proper supervision measures when engaging the services of a commissioned agency to collect, process, or use the relevant personal data. The aforementioned supervision measures shall include, but are not limited to, the following:
- the scope, types, specific purposes, and duration of such collection, processing, or use;
- the data security measures to be adopted by the commissioned agency;
- the third party, if any, commissioned by the commissioned agency;
- when the commissioned agency or its employee violates the PDPA or other personal data protection laws and regulations;
- the matters reserved for instructions from the government agency or non-government agency, if any; and
- the commissioned agency must return any devices containing personal data and delete the personal data files stored and kept by it due to the performance of the services when the service has ended, been terminated or rescinded.
In addition, government agencies and non-government agencies must periodically confirm that the commissioned agency has taken the above-mentioned measures and keep a record of the result of such confirmation.
In 2010, the PDPA abolished the previous registration system, hence collecting and using personal data in Taiwan does not require any notification to, or registration with, any government authority. However, the PDPA introduced a notice requirement under which anyone collecting personal data would need to notify the data subject of certain matters.
With regard to the international transfer of personal data, please note that under the PDPA, a competent authority has the discretion to issue an order to restrict or prohibit the international transfer of personal data, in the following situations:
- the transfer would prejudice any material national interest;
- the transfer is prohibited or restricted under an international treaty or agreement;
- the country to which the personal data is to be transferred does not provide sound legal protection of personal data, thereby affecting/jeopardising the interests of the data subjects; or
- the purpose of the transfer is to evade restrictions under the PDPA.
On 25 September 2012, the NCC issued a blanket order prohibiting communications and broadcasting companies from transferring subscribers' personal data to mainland China on the grounds that the personal data protection laws in mainland China are still inadequate.
Other than those discussed in this section on controller and processor obligations, there are no additional requirements for outsourcing activities under the PDPA. However, financial institutions are subject to strict requirements on their outsourcing activities which include obtaining prior approval from the competent authority of the financial institutions or even consent from the data subjects.
There is no mandatory requirement to appoint a data protection officer ('DPO'). Under the PDPA, appointment of a DPO would be at the discretion of the company. However, the Enforcement Rules suggest that a company shall allocate sufficient manpower to handle the relevant matters.
Pursuant to Article 12 of the PDPA, in the event that a data breach incident occurs due to a failure to comply with the PDPA by a government agency or non-government agency, the government agency or non-government agency shall notify the affected data subject in a proper manner after it has investigated the incident.
The PDPA does not require any report to be filed with the relevant government authority concerning any incident involving the security of personal data. However, a central competent authority, pursuant to the PDPA, may require the industry that it regulates to set up a plan for maintaining the security of personal data files by stipulating the relevant Regulation Governing Personal Information File Security Maintenance Plan and Processing Method (collectively referred to as 'Security Plan Regulations'), such as:
- Regulations Governing the Clearinghouse's Plan of Security Measures for Personal Information Files;
- Regulations Governing Personal Information File Security Maintenance Plan and Processing Method for the Human Resources Recruitment Industry;
- Regulations Governing the Security Assurance Plan and Processing Method for Personal Data of the Engineering Consulting Industry; and
- Regulations Governing Security Protection Plans for and Processing of Personal Information Files by Travel Agencies.
In 2021, the Executive Yuan urged the central competent authorities to amend or promulgate Security Plan Regulations governing the relevant industries that they regulate and required such authorities to include a reporting requirement in the same. Such a reporting requirement is similar to the one under GDPR, that is, when there is a security breach incident of personal data, a business shall report to its competent authority within 72 hours. While some of the competent authorities only require the businesses to report 'material' data breach incidents to them, others require the businesses to report each and every data breach incident. As a result, many businesses in Taiwan are now subject to the 72-hour reporting requirements with regard to data breach incidents.
Article 11 of the PDPA requires personal data to be deleted when the retention period ends. However, the PDPA is neutral as to how long the retention period shall be. It would in principle be determined by the purposes of processing and the potential need to continue to retain the data after the purposes no longer exist.
Not applicable. There is no such requirement under the PDPA or its Enforcement Rules.
Pursuant to Article 6 of the PDPA, sensitive personal data may not be collected, processed, or used unless any of the following situations apply:
- where it is specifically stipulated by law;
- when it is necessary for a government agency to perform its legal duties or for a non-government agency to fulfil its legal obligation, and proper security measures are adopted prior or subsequent to such collection, processing, or use;
- when the data subject has made public such information by themselves, or when the information concerned has been publicised legally;
- where it is necessary to perform statistics or other academic research, a government agency or an academic research institution may collect, process, or use personal data for the purpose of medical treatment, public health, or crime prevention, as long as the information does not lead to the identification of a specific person after its processing by the provider, or from the disclosure by the collector;
- where it is necessary to assist a government agency in performing its legal duties, or a non-government agency in fulfilling its legal obligations, and proper security measures are adopted prior or subsequent to such collection, processing, or use; or
- where the data subject has consented in writing, however, not if the use of such data exceeds the necessary scope of the specific purpose or there is any other restriction under any other statute; moreover, such consent, if obtained, may not be against the data subject's free will.
The PDPA does not specifically regulate any agreement or agreement rights between a government agency or non-government agency and a commissioned agency. Given that a government agency and a non-government agency must adopt proper supervision measures when engaging the services of a commissioned agency in accordance with Article 8 of the Enforcement Rules, it is advisable for a government agency or a non-government agency to enter into agreements with their commissioned agencies setting forth the relevant matters. Meanwhile, note that sectoral regulations may impose different requirements. For example, a company conducting the business of retail and wholesale of Western medicine is required to sign an agreement with its data processor stipulating certain required matters pursuant to the recent regulations stipulated by the MOHW.
8. Data Subject Rights
The PDPA prioritises the protection of the data subject and allows a data subject to exercise the following rights, which may not be waived or released:
- accessing their personal data to check and review it;
- having a copy of the personal data;
- supplementing or revising the personal data;
- demanding that the collector cease collection, processing, or use of the personal data; and
- demanding that the collector delete the personal data.
When collecting personal data, a non-government agency shall notify the data subjects of the following matters:
- the identity of the non-government agency that is collecting the data;
- the purpose(s) for which the personal data is collected;
- the type of personal data to be collected;
- the term, place, and method of use and the person(s) who may use the personal data;
- the data subject's rights under the PDPA and the manner to exercise such rights; and
- the consequences of the data subject's failure to provide the required personal data.
A data subject has the right to access their personal data to check and review them and have a copy of the data.
A data subject has the right to correct or supplement their personal data. A government or non-government agency must cease the processing or use of personal data if there is any dispute over the accuracy of the personal data, unless:
- the processing or use is necessary for the performance of a government agency's statutory duties or a non-government agency's business operation; or
- the data subject has given written consent and the dispute has been recorded.
Article 3 of the PDPA explicitly states that a data subject's right to request a government or non-government agency to delete their personal data shall not be waived in advance. However, whether the right to erasure (or the right to be forgotten) indeed exists under the PDPA is still subject to debate in Taiwan. The Supreme Court decision on the Google case seems to suggest that under the PDPA, the right to erasure shall exist to a certain extent. However, the Google case is not finalised. Please see the section on case law above.
Under the PDPA, there is no 'right to object to processing' as defined under the GDPR. However, Article 3 of the PDPA explicitly states that a data subject may request a government or non-government agency to stop processing their personal data.
In addition, the PDPA stipulates certain special provisions on data subjects' rights with regard to marketing. Under the PDPA, a data subject may object to marketing at any time, and a non-government agency shall stop any and all marketing activities towards such a data subject at once. Meanwhile, when a non-government agency contacts a data subject for marketing purposes for the first time, the non-government agency shall provide a mechanism for the data subject to object to the marketing free of charge.
Pursuant to the PDPA, committing any of the following breaches with an intent to make an unlawful profit for oneself or a third party or with an intent to damage the interest of another, thereby causing or potentially causing injury to another, may lead to criminal penalties:
- illegal collection, processing, or use of personal data;
- failure to obey a central government authority's order imposing restrictions on the international transfer of personal data; or
- illegal amendment or deletion of personal data files or employment of any other illegal means thereby affecting the accuracy of personal data files.
In addition, an administrative fine may be imposed for failure to comply with the requirements under the PDPA, such as the collecting or processing of personal data without a statutory ground, using personal data outside of the scope of the specified purpose under which the personal data was collected, or failure to comply with restrictions on the international transfer of personal data. For any failure to comply with the notification requirements, marketing restrictions, information security requirements, or obligations to respond to data subjects' requests, the authority may order that correction be made by a certain deadline and impose an administrative fine if correction is not made within such deadline.
Since Taiwan does not have a data protection authority, the enforcement of the PDPA is carried out by the central competent authority as well as the municipal governments. According to the public database, the relevant bureaus under the Financial Supervisory Commission ('FSC') and the NCC took certain enforcement actions against the businesses that they regulate. For example, the Insurance Bureau, Banking Bureau, and Securities and Futures Bureau of the FSC imposed fines on several insurance companies, banks, and securities-related companies in 2020 for their failure to comply with the PDPA, including their failure to have proper security measures or data deletion/retention mechanisms in place. The NCC also issued orders to several telecommunications operators and TV channels ordering them to improve their personal data protection practices in 2020. One of the NCC orders was to request a large mobile operator to improve its internal training because its employee at the customer support department posted on the Internet the mobile phone number of a consumer who filed a complaint and the consumer thereafter received many harassing calls.