Taiwan Data Privacy Laws: Personal Data Protection Act (PDPA) Guide (2026)

Overview of Taiwan's Data Protection Framework
Taiwan has developed one of Asia's most comprehensive data protection frameworks. The Personal Data Protection Act (PDPA), originally enacted in 2010 as an update to the earlier Computer-Processed Personal Data Protection Law of 1995, governs the collection, processing, and use of personal data across all sectors of the economy.

The PDPA has undergone several rounds of amendments, with the most significant occurring in 2025. On 11 November 2025, the president promulgated major amendments that establish an independent supervisory authority, introduce mandatory breach notification, and strengthen enforcement mechanisms. These changes position Taiwan's data protection framework more closely alongside international standards such as the GDPR.
The PDPA applies to government agencies, natural persons, juridical persons, and other organizations that collect, process, or use personal data. Its scope is broad, covering both automated and non-automated processing and applying across all industry sectors.
The Personal Data Protection Act: Core Provisions
Definition of Personal Data
The PDPA defines personal data as any information that can directly or indirectly identify a natural person. This includes names, dates of birth, identification card numbers, passport numbers, characteristics, fingerprints, marital status, family information, education records, occupations, medical records, genetic data, sexual history, health examination results, criminal records, contact information, financial status, and social activities.
The act also recognizes a category of sensitive personal data, referred to as "special categories" of personal data. These include medical records, genetic data, sexual history, health examination results, and criminal records. The collection, processing, and use of special categories requires heightened legal justification and additional safeguards.
Legal Bases for Collection and Processing
The PDPA establishes different legal bases for personal data processing depending on whether the entity is a government agency or a non-government agency.
Government agencies may collect personal data when it is necessary for the performance of their statutory functions and when appropriate security measures are in place. They may use personal data within the scope of their statutory functions and in accordance with the purpose for which the data was collected.
Non-government agencies (businesses, organizations, and individuals) may collect personal data when it is necessary for specific purposes, when the data subject's rights are not disproportionately affected, and when one of the specified legal bases is met. These bases include consent, contractual necessity, legal obligation, vital interests, publicly available data, and research or statistical purposes (with adequate de-identification).
Consent Requirements
Consent under the PDPA must be informed and specific. The data subject must be informed of the identity of the collecting entity, the purpose of collection, the categories of personal data to be collected, the period, area, and methods of use, the data subject's rights, and the consequences of not providing the data.
For special categories of personal data, the PDPA imposes additional restrictions. Collection of sensitive data is generally prohibited unless specific exemptions apply, such as compliance with a legal obligation, protection of public interest, or the data subject's express written consent.
Data Subject Rights
The PDPA grants data subjects several important rights. These include the right to request access to and review of their personal data, the right to request copies of their data, the right to request supplementation or correction of inaccurate data, the right to request cessation of collection, processing, or use, and the right to request deletion of personal data.
Government agencies may not refuse a data subject's request without legitimate grounds, and non-government agencies must respond within a reasonable timeframe.
The 2025 Amendments: Establishing the PDPC
Creation of an Independent Supervisory Authority
The most significant change introduced by the 2025 amendments is the establishment of the Personal Data Protection Commission (PDPC) as Taiwan's centralized, independent supervisory authority for data protection. Previously, enforcement of the PDPA was divided among sector-specific regulators, with each government ministry overseeing data protection compliance within its industry sector.
This fragmented approach led to inconsistencies in interpretation and enforcement across sectors. The creation of the PDPC addresses this by consolidating supervisory authority under a single independent body, similar to the data protection authorities found in GDPR jurisdictions.
The PDPC is responsible for interpreting the PDPA, issuing guidance, conducting investigations, imposing penalties, and coordinating with international data protection authorities.
Mandatory Data Breach Notification
The 2025 amendments introduce explicit data breach notification requirements through revised Article 12. Organizations that experience a personal data breach are now required to inform affected data subjects and notify the PDPC. This codifies what was previously a less clearly defined obligation and brings Taiwan in line with the breach notification requirements found in the GDPR and other modern data protection laws.
Data Protection Officers
The amendments add a new requirement under Article 18 for government agencies to designate a Data Protection Officer (DPO). The DPO is responsible for overseeing compliance with the PDPA within the agency, ensuring proper data protection practices, and serving as a point of contact for data subjects and the PDPC.
Administrative Inspection Powers
The amendments introduce detailed procedures for administrative inspections by the PDPC. The commission has the authority to initiate inspections at its discretion and coordinate with sector-specific regulators and local agencies. These inspection powers enhance the PDPC's ability to proactively identify and address compliance issues, rather than relying solely on complaints and reactive enforcement.
Cross-Border Data Transfers
General Permission with Sector-Specific Restrictions
International data transfers are generally permitted under the PDPA. Unlike the GDPR, which requires specific transfer mechanisms such as adequacy decisions or standard contractual clauses, the PDPA takes a more permissive default approach.
However, the PDPA grants competent authorities the flexibility to impose restrictions on cross-border transfers at their discretion based on the regulatory needs of specific industries. This means that sector-specific regulators may promulgate rules governing data localization or restricting cross-border transfers for their respective sectors.
Government Restriction Powers
Article 21 of the PDPA empowers the government to restrict international transfers of personal data where such transfers may harm major national interests, where the receiving country lacks adequate data protection, or where transfers are made indirectly to circumvent restrictions.
When the government imposes restrictions on international transfers, organizations must comply or face penalties. The PDPC, as the new centralized authority, is expected to develop more comprehensive guidance on cross-border data transfers as part of its operational framework.
Sector-Specific Requirements
Certain sectors have already implemented transfer restrictions. The financial sector, regulated by the Financial Supervisory Commission, has specific requirements for the transfer of financial personal data outside Taiwan. The healthcare sector similarly has rules governing the international transfer of medical records and health data.
Penalties and Enforcement
Administrative Penalties
The PDPA provides for administrative fines for non-compliance. Organizations that fail to comply with the PDPA's requirements regarding collection, processing, use, or international transfer of personal data may face administrative penalties imposed by the PDPC (or previously, by sector-specific regulators).
The 2025 amendments strengthen the administrative penalty framework, giving the PDPC broader authority to impose fines and corrective orders.
Criminal Penalties
The PDPA includes criminal sanctions for serious violations. Under Article 41, anyone who intentionally violates the PDPA's provisions on collection, processing, or use of personal data for profit or with intent to harm another may face imprisonment of up to five years and fines of up to NTD 1 million.
Where violations are committed with the intent to cause harm or for unlawful profit, the criminal penalties serve as a significant deterrent, particularly for cases involving large-scale data theft or unauthorized commercial exploitation of personal data.
Civil Liability
Data subjects who suffer harm as a result of PDPA violations may seek civil damages. The PDPA provides for statutory damages ranging from NTD 500 to NTD 20,000 per incident per data subject, with a maximum aggregate amount of NTD 200 million for a single event. This statutory damages framework allows data subjects to obtain compensation even where actual damages are difficult to prove.
Class action lawsuits are also permitted under the PDPA. Designated consumer protection groups may file group litigation on behalf of affected data subjects, creating a meaningful enforcement mechanism through private litigation.
Industry-Specific Requirements
Financial Services
The Financial Supervisory Commission (FSC) has issued extensive regulations on data protection in the financial sector. Banks, insurance companies, and securities firms must comply with sector-specific rules on data security, customer data handling, and cross-border data transfers. These requirements often exceed the baseline PDPA obligations.
Healthcare
The medical sector is subject to additional data protection requirements under the Medical Care Act and related regulations. Healthcare providers must implement specific safeguards for medical records and patient data, and restrictions apply to the sharing and transfer of medical information.
Telecommunications
The National Communications Commission (NCC) regulates data protection in the telecommunications sector, with specific requirements for the handling of subscriber data, communications metadata, and location information.
Practical Compliance Considerations
Organizations operating in Taiwan should prepare for the transition to the PDPC-centered enforcement model introduced by the 2025 amendments. This includes reviewing and updating privacy policies, consent mechanisms, and internal data protection procedures.
The establishment of the PDPC is expected to lead to more uniform interpretation and enforcement of the PDPA across sectors. Organizations that previously navigated different regulatory expectations depending on their industry should anticipate a more standardized compliance landscape.
Organizations should also review their cross-border data transfer practices, particularly in light of the PDPC's expected development of comprehensive transfer guidelines. While transfers remain generally permissible, organizations in regulated sectors should ensure compliance with any sector-specific restrictions.
The introduction of mandatory breach notification requires organizations to establish or upgrade their incident response procedures. Detecting breaches promptly, assessing their impact, and notifying both the PDPC and affected data subjects within the required timeframes should be a compliance priority.
This article is for informational purposes only and does not constitute legal advice. Data protection laws are subject to change, and organizations should consult with a qualified attorney for advice specific to their situation.
Sources and References
- ICLG, Taiwan Data Protection 2025-2026 (iclg.com)
- Jones Day, Taiwan PDPA Amendments 2025 (jonesday.com)
- Chambers, Taiwan Data Protection 2025 (chambers.com)
- DataGuidance, Taiwan Overview (dataguidance.com)
- STLI, Taiwan PDPA Amendments (stli.iii.org.tw)