Taiwan Data Privacy Laws: Personal Data Protection Act and the PDPC (2026 Guide)
Taiwan's Personal Data Protection Act (個人資料保護法, PDPA), originally enacted in 2010 and significantly amended in November 2025, governs the collection, processing, and use of personal data across all public and private sectors in the Republic of China (Taiwan). The November 11, 2025 amendments formally established the Personal Data Protection Commission (個人資料保護委員會, PDPC) as an independent, centralized supervisory authority and introduced mandatory breach notification, stronger administrative fines, and new data protection officer requirements.
Information last verified on 2026-05-19. This article has not yet been reviewed by a licensed lawyer admitted in the Republic of China (Taiwan).
Jurisdictional scope: This article covers data protection law in the Republic of China (Taiwan) under the Personal Data Protection Act (個人資料保護法) and the orders and interpretations of the Personal Data Protection Commission. It does not address the data protection regimes of the People's Republic of China, Hong Kong, or Macau. For recording and surveillance law in Taiwan, see Taiwan Recording Laws.
Quick Answer: How Does Taiwan's Data Privacy Law Work?
Taiwan protects personal data through the PDPA, which applies to government agencies and non-government agencies (businesses, organizations, and individuals) alike. The law requires a legal basis before personal data can be collected, processed, or used; grants data subjects rights of access, correction, and deletion; and imposes criminal, civil, and administrative penalties for violations. The November 11, 2025 amendments mark a generational shift in Taiwanese data protection: for the first time, a single independent authority, the PDPC, holds centralized supervisory and enforcement power over the entire economy rather than leaving enforcement to individual sector ministries.
The Personal Data Protection Act: Structure and Scope
Legislative History
Taiwan's data protection framework began with the Computer-Processed Personal Data Protection Law (電腦處理個人資料保護法) of 1995, which covered only certain sectors. The Legislature replaced that statute with the current PDPA in 2010, extending coverage to all sectors and all forms of personal data processing, not just computer-processed data.
The PDPA has since been amended several times. A 2015 round of amendments brought the enforcement provisions into force. A May 2023 amendment added Article 1-1, designating the yet-to-be-established PDPC as the competent authority for the entire act. The November 11, 2025 amendments then delivered the full institutional architecture: the independent PDPC, mandatory breach notification, increased fines, and DPO requirements for public agencies.
The current PDPA applies to government agencies and to natural persons, juridical persons, and other organizations outside government (collectively "non-government agencies") that collect, process, or use personal data within Taiwan or whose activities have effect in Taiwan.
Definition of Personal Data
The PDPA defines personal data broadly. Under the act, personal data is any information that can directly or indirectly identify a natural person, including:
- Names, dates of birth, and national identification card numbers
- Passport numbers and contact details
- Fingerprints, physical characteristics, and marital status
- Family information, educational records, and occupations
- Medical records, genetic data, sexual history, and health examination results
- Criminal records, financial status, and social activities
The PDPA separately recognizes a restricted category of sensitive personal data, which the act calls "special categories." These are: medical records, healthcare data, genetic data, sex life, physical examination results, and criminal records. The collection, processing, and use of special categories is generally prohibited except under specific statutory exemptions.
Territorial and Material Scope
The PDPA covers all personal data held and processed by covered entities, regardless of whether the processing is automated or manual. The act does not contain an explicit extraterritoriality clause comparable to GDPR Article 3(2), but the PDPC is expected to address scope questions in guidance as it develops its operational framework.
Legal Bases for Collection and Processing
Government Agencies
Government agencies in Taiwan may collect, process, and use personal data when it is necessary for the performance of their statutory functions and when appropriate security measures are in place. Use must remain within the scope of the original collection purpose, unless a statutory exception permits secondary use.
Non-Government Agencies
Non-government agencies must satisfy one of the following legal bases before collecting or processing personal data:
- Consent: The data subject has given express, informed, and specific consent.
- Contractual necessity: Collection is necessary for the performance of a contract to which the data subject is a party, or for pre-contractual steps at the data subject's request.
- Legal obligation: Collection is required by law.
- Vital interests: Collection is necessary to protect the life, body, or property of the data subject or a third party and consent cannot be obtained in time.
- Publicly available data: The data has been lawfully made public by the data subject or by other lawful means.
- Legitimate interests: Collection is necessary for research, statistics, or surveys, provided the data is adequately de-identified or the data subject's rights are not disproportionately affected.
For sensitive personal data, the legal bases are narrower. Collection is generally prohibited unless a specific statutory exception applies, such as a legal obligation, a public interest requirement, or the written consent of the data subject.
Notice Requirements
Before or at the time of collecting personal data, the collecting entity must inform the data subject of: (1) the identity of the collecting entity; (2) the purpose of collection; (3) the categories of personal data to be collected; (4) the period, geographic area, and methods of use; (5) the data subject's rights under the PDPA; and (6) the consequences of declining to provide the data.
Data Subject Rights
The PDPA grants data subjects five core rights against both government agencies and non-government agencies:
| Right | Description |
|---|---|
| Right of inquiry and review | Data subjects may request confirmation of whether an entity holds their personal data and may review that data. |
| Right to a copy | Data subjects may request a copy of their personal data. |
| Right to supplement or correct | Data subjects may request that inaccurate personal data be corrected or supplemented. |
| Right to restrict or cease processing | Data subjects may request that collection, processing, or use of their data cease. |
| Right to deletion | Data subjects may request erasure of their personal data. |
Government agencies may not refuse a data subject's request without legitimate statutory grounds. Non-government agencies must respond within a reasonable period, with specific timeframes to be clarified in PDPC regulations.
These rights are not absolute. Entities may refuse requests where compliance would harm national security, public interests, or the rights of third parties, or where the data is required to fulfill a legal obligation.

The PDPC: Taiwan's New Independent Data Protection Authority
The Constitutional Court Mandate (August 2022)
Taiwan's data protection story changed on August 12, 2022, when the Constitutional Court issued Judgment 111-Hsien-Pan-13 (Case on the National Health Insurance Research Database). The court found that existing mechanisms for personal data protection were insufficient to satisfy the constitutional right to informational self-determination under Article 22 of the Constitution of the Republic of China. Specifically, the court held that the absence of an independent supervisory authority meant that data controllers in the public sector faced no credibly independent oversight.
The court gave the Legislature a three-year grace period, requiring the establishment of an independent data protection supervisory mechanism by August 2025.
The Constitutional Court held in Judgment 111-Hsien-Pan-13 that "to ensure the protection of personal information and the constitutional right to privacy under Article 22, the establishment of an independent data protection mechanism is required."
The 2023 Legislative Response: Article 1-1
The Legislative Yuan responded on May 16, 2023, passing amendments to the PDPA that added Article 1-1. That provision designated the Personal Data Protection Commission as the competent authority for the entire PDPA, replacing the previous system under which individual sector ministries administered the act within their own domains. The National Development Council (國家發展委員會) had historically served as a coordinating body and default interpreter of the PDPA, but it held no enforcement primacy.
The Preparatory Office (December 5, 2023)
The Executive Yuan established the Preparatory Office of the Personal Data Protection Commission (個人資料保護委員會籌備處) on December 5, 2023. The Preparatory Office assumed responsibility for interpreting the PDPA from the National Development Council as of January 1, 2024. Its mandate during the preparatory phase included:
- Drafting organizational regulations for the full PDPC
- Formulating, interpreting, and coordinating amendments to the PDPA
- Developing subordinate regulations, including security management rules
- Conducting public consultations on data protection standards
The Preparatory Office was not the full PDPC. It lacked the independent enforcement authority that the Constitutional Court mandated. It served as the institutional foundation from which the full commission would emerge.
The November 11, 2025 Amendments: The Full PDPC
On November 11, 2025, the President of the Republic of China promulgated major amendments to the PDPA. These amendments formally established the Personal Data Protection Commission as a full independent supervisory authority, completing the three-year process set in motion by the 2022 Constitutional Court judgment.
The PDPC has the following principal powers under the amended PDPA:
- Issuing interpretations and binding guidance on the PDPA
- Conducting administrative inspections of non-government agencies, and coordinating inspections with sector-specific regulators and local authorities
- Retaining or copying personal data as evidence during inspections
- Imposing administrative penalties and corrective orders
- Coordinating with international data protection authorities
- Prescribing subordinate regulations, including security maintenance rules under Article 20-1
The effective date of the November 2025 amendments is to be set by the Executive Yuan. Implementation is expected during 2026. The Preparatory Office announced multiple draft sub-regulations for public consultation in early 2026, including draft security maintenance and management regulations.
The Pre-PDPC Enforcement Landscape
Before the PDPC, enforcement of the PDPA was fragmented across more than two dozen sector-specific regulators and local governments. The Financial Supervisory Commission enforced the PDPA in financial services; the Ministry of Health and Welfare in healthcare; the National Communications Commission in telecommunications; and so on for every regulated industry. Local governments enforced the PDPA against businesses outside any national-level sectoral regulator's jurisdiction.
This decentralized structure produced inconsistent interpretations, uneven enforcement, and regulatory arbitrage across sectors. The PDPC's consolidation of authority is intended to produce a uniform national standard for the first time.
Mandatory Data Breach Notification
The New Obligation Under Article 12
The November 2025 amendments codify mandatory breach notification through a revised Article 12. When a personal data breach occurs within a non-government agency, the agency must:
- Notify affected data subjects; and
- Report to the PDPC when the breach falls within a "specified notification scope" to be designated by the PDPC in sub-regulations.
The amended article makes data subject notification the highest-priority obligation and explicitly states it is not conditioned on the agency first "ascertaining all facts" of the breach. The specific threshold, timeline, content, and method of reporting to the PDPC will be set in PDPC regulations, which were in draft form as of early 2026. Sector-specific rules already required reporting to sector regulators within 72 hours in certain circumstances; the PDPC's forthcoming rules will set a unified national standard.
Penalties for Breach Notification Failures
Non-compliance with the obligation to report to the PDPC carries administrative fines of NT$20,000 to NT$200,000 per violation. Each subsequent failure to rectify is subject to a separate fine in the same range.
Security Obligations Under Article 20-1
The November 2025 amendments add Article 20-1, which requires non-government agencies to adopt appropriate technical and organizational security measures for personal data files. The PDPC will prescribe the specific requirements in sub-regulations. Organizations that fail to satisfy those requirements face administrative fines of NT$20,000 to NT$2,000,000. Each failure to rectify after a corrective order triggers escalating penalties of NT$150,000 to NT$15,000,000 per instance.
Data Protection Officers
Article 18 of the amended PDPA now requires every government agency to appoint a Data Protection Officer (DPO). The DPO is responsible for promoting and supervising data protection operations within the agency and serves as the point of contact for data subjects and the PDPC.
The DPO requirement applies only to public-sector agencies. Non-government agencies are not currently required to designate a DPO under the amended PDPA, though sector-specific regulations or PDPC guidance may address this in future.
Cross-Border Data Transfers
General Permissibility

Cross-border transfers of personal data are generally permitted under the PDPA. Taiwan does not require organizations to obtain an adequacy decision, implement standard contractual clauses, or use binding corporate rules as default conditions for international transfers, unlike the approach taken by the GDPR.
Government Restriction Authority (Article 21)
Article 21 of the PDPA empowers the competent authority to restrict international transfers of personal data in three circumstances:
- The transfer may harm major national interests.
- The receiving country lacks adequate data protection standards that could harm the rights and interests of Taiwanese data subjects.
- The transfer is made indirectly to circumvent restrictions already imposed under the PDPA.
Under the November 2025 amendments, the power to restrict cross-border transfers under Article 21 moves from the individual sector-specific regulators to the PDPC. This centralization means organizations will deal with a single authority when seeking guidance on permissible transfers, rather than consulting multiple ministries.
Sector-Specific Restrictions
Certain industries already have sector-specific transfer restrictions in place. The Financial Supervisory Commission has rules governing transfers of financial personal data outside Taiwan. Healthcare providers must comply with Ministry of Health and Welfare rules on transfers of medical records. Organizations in regulated sectors should continue to comply with their sector-specific requirements pending PDPC consolidation guidance.
Penalties and Enforcement
Administrative Penalties
The table below summarizes the principal administrative penalty ranges under the amended PDPA:
| Violation Type | Fine Range | Rectification Penalty |
|---|---|---|
| Breach notification failure (PDPC report) | NT$20,000 to NT$200,000 | NT$20,000 to NT$200,000 per failure |
| Security measure violations (Article 20-1) | NT$20,000 to NT$2,000,000 | NT$150,000 to NT$15,000,000 per failure |
All administrative penalties are imposed by the PDPC under the amended act. Before the November 2025 amendments, penalties were imposed by sector-specific regulators, leading to inconsistency in enforcement.
Criminal Penalties
The PDPA carries criminal sanctions for intentional violations. Article 41 provides that a person who intentionally violates the act's provisions on collection, processing, or use of personal data for the purpose of profit or with intent to harm another is subject to up to five years imprisonment and a criminal fine of up to NT$1,000,000.
Where an offender acts to profit unlawfully, both imprisonment and a fine may be imposed concurrently. The criminal provisions operate independently of administrative penalties; an organization can face both criminal prosecution of responsible individuals and administrative fines imposed on the entity.
Civil Liability
Data subjects who suffer harm from a PDPA violation may seek compensation in civil court. The PDPA provides statutory damages of NT$500 to NT$20,000 per incident per data subject, allowing recovery even where actual damages are difficult to quantify. The maximum aggregate recovery for a single event is NT$200,000,000.
Class action litigation is available under the PDPA. Designated consumer protection groups may bring group actions on behalf of multiple affected data subjects, creating a private enforcement mechanism alongside the PDPC's administrative powers.
Industry-Specific Requirements
Financial Services
The Financial Supervisory Commission (FSC) has issued extensive sector-specific data protection rules for banks, insurance companies, securities firms, and payment institutions. These rules often impose obligations beyond the baseline PDPA, including restrictions on data sharing, customer consent requirements at account opening, and cross-border transfer approvals. After the PDPC becomes fully operational, coordination between the FSC and the PDPC on enforcement will be a key area to monitor.
Healthcare
Medical providers, hospitals, and health insurance entities are subject to the Medical Care Act and related Ministry of Health and Welfare regulations, which impose specific safeguards for medical records and patient data. The PDPA's treatment of health examination results, medical records, and genetic data as sensitive personal data means that healthcare entities must satisfy heightened legal bases for processing.
Telecommunications
The National Communications Commission regulates telecommunications providers' handling of subscriber data, communications metadata, and location information. These requirements overlap with but are distinct from the baseline PDPA obligations.
Practical Compliance Considerations
Organizations doing business in Taiwan should prioritize the following in preparing for the PDPC's full operational launch:
- Review legal bases for processing. Audit existing consent language, contractual provisions, and legitimate-interest assessments against the PDPA's requirements to confirm each processing activity has a compliant basis.
- Establish breach detection and notification procedures. The amended PDPA requires prompt notification to data subjects without waiting to confirm all facts. Internal incident-response processes should reflect this standard. Once the PDPC publishes its notification-scope regulations, timelines must be embedded in incident protocols.
- Assess Article 20-1 security measures compliance. The PDPC's draft security maintenance rules set minimum technical and organizational standards. Organizations should compare current information security programs against the forthcoming requirements.
- Public agencies: appoint a DPO. Government agencies face a statutory DPO requirement under Article 18. Private organizations should monitor whether PDPC guidance extends DPO obligations to non-government sectors.
- Audit cross-border transfer arrangements. Once the PDPC centralizes Article 21 transfer restriction authority, organizations should establish a single-authority contact for transfer guidance. Sector-specific transfer approvals may need to be revalidated under the PDPC framework.
- Update privacy notices. Privacy notices should identify the PDPC as the competent supervisory authority and provide the required disclosures on data subject rights under the PDPA.
Recent Developments (2022-2026)
This article is for general informational purposes only and does not constitute legal advice. Taiwan's Personal Data Protection Act is subject to continuing legislative and regulatory development; the effective date of the November 2025 amendments and their implementing regulations had not been finalized as of the date of this article. Organizations should consult a lawyer licensed to practice in the Republic of China (Taiwan) for advice specific to their circumstances. Information last verified on 2026-05-19.
Frequently Asked Questions
What is Taiwan's main data protection law?
The Personal Data Protection Act (PDPA, 個人資料保護法), first enacted in 2010 and most recently amended on November 11, 2025, is Taiwan's primary data protection statute. It governs the collection, processing, and use of personal data by both government agencies and private organizations across all sectors of the Taiwanese economy.
What is the Personal Data Protection Commission (PDPC) in Taiwan?
The Personal Data Protection Commission (個人資料保護委員會, PDPC) is Taiwan's new independent data protection authority, established under the November 11, 2025 PDPA amendments. It holds centralized supervisory, interpretive, and enforcement powers over the entire PDPA, replacing the previous system in which individual sector ministries each enforced the act within their own domains.
When was the PDPC established and what was the timeline?
The PDPC's establishment followed a three-year process. The Constitutional Court issued Judgment 111-Hsien-Pan-13 on August 12, 2022, requiring an independent data protection authority. The Legislative Yuan added Article 1-1 to the PDPA in May 2023, designating the PDPC as the competent authority. The Preparatory Office of the PDPC launched on December 5, 2023, and assumed PDPA interpretation duties on January 1, 2024. The full PDPC was formally established under the November 11, 2025 amendments, with its effective operational date to be set by the Executive Yuan in 2026.
Does Taiwan require mandatory data breach notification?
Yes. The November 2025 amendments to the PDPA introduced explicit mandatory breach notification under revised Article 12. Non-government agencies must notify affected data subjects promptly upon becoming aware of a breach, without waiting to confirm all facts. They must also report to the PDPC when the breach falls within a notification scope to be defined in forthcoming PDPC sub-regulations. Penalties for failing to report to the PDPC range from NT$20,000 to NT$200,000 per violation.
What are the penalties for violating Taiwan's PDPA?
Penalties fall into three categories. Administrative fines for security-measure violations range from NT$20,000 to NT$2,000,000, with rectification penalties of NT$150,000 to NT$15,000,000 per subsequent failure. Criminal sanctions under Article 41 reach up to five years imprisonment and NT$1,000,000 in fines for intentional violations committed for profit or to harm others. Civil liability provides statutory damages of NT$500 to NT$20,000 per incident per data subject, up to NT$200,000,000 maximum for a single event.
Are cross-border data transfers allowed from Taiwan?
Cross-border transfers are generally permitted under the PDPA. Taiwan does not require adequacy decisions or standard contractual clauses as prerequisites for transfers. However, Article 21 of the PDPA allows the competent authority to restrict transfers where the destination country lacks adequate protection or where the transfer could harm national interests. Under the November 2025 amendments, this restriction power moves from sector-specific regulators to the PDPC, which will develop unified transfer guidance.
Who needs to appoint a Data Protection Officer in Taiwan?
Under Article 18 of the November 2025 amended PDPA, all government agencies in Taiwan must appoint a Data Protection Officer (DPO). The DPO is responsible for promoting and supervising data protection operations within the agency. No equivalent DPO requirement currently applies to non-government (private sector) agencies, though PDPC guidance may address this in future regulations.
How does Taiwan's PDPA compare to the GDPR?
Both the PDPA and GDPR require a legal basis for processing, recognize sensitive data categories requiring heightened protection, grant data subjects rights of access, correction, and deletion, and require security measures. Key differences: the PDPA does not require adequacy decisions or standard contractual clauses for cross-border transfers; only public agencies must currently appoint a DPO; specific breach notification timelines have not yet been finalized in Taiwan; and the civil damages framework uses statutory per-incident amounts rather than percentage-of-turnover fines.
What sectors have additional data protection requirements beyond the baseline PDPA?
Financial services (regulated by the Financial Supervisory Commission), healthcare (regulated by the Ministry of Health and Welfare under the Medical Care Act), and telecommunications (regulated by the National Communications Commission) all have sector-specific data protection rules that exceed the baseline PDPA obligations. Organizations in these sectors must comply with both the PDPA and their sector-specific requirements.
When do the November 2025 PDPA amendments take effect?
The November 11, 2025 amendments have been promulgated but not yet brought into force as of mid-2026. The effective date is to be set by the Executive Yuan by order. Organizations should monitor PDPC announcements for the implementation date and accompanying subordinate regulations, including the security maintenance rules under Article 20-1 and breach notification scope regulations under Article 12.
Sources and References
- Personal Data Protection Act (PDPA) full text (law.moj.gov.tw)
- Preparatory Office of the Personal Data Protection Commission, official site (pdpc.gov.tw)
- Constitutional Court Judgment 111-Hsien-Pan-13 (2022), Judicial Yuan (cons.judicial.gov.tw)
- Jones Day, Taiwan Passes Major Amendments to the PDPA, December 2025 (jonesday.com)
- K&L Gates, New Developments in the Taiwan PDPA, January 2026 (klgates.com)
- Baker McKenzie / Global Compliance News, Taiwan PDPA Amendment, November 2025 (globalcompliancenews.com)
- Stellex Law Firm, President Promulgates PDPA Amendments, 2025 (stellexlaw.com)
- STLI, Amendment of the Taiwanese PDPA (stli.iii.org.tw)
- Chen & Lin, Legislative Yuan Passes PDPA Amendments (chenandlin.com)
- ICLG, Data Protection Laws and Regulations 2025-2026, Taiwan (iclg.com)
- Chambers & Partners, Data Protection & Privacy 2026, Taiwan (practiceguides.chambers.com)
- DLA Piper, Taiwan: Data Protection Laws of the World (dlapiperdataprotection.com)
- Taiwan News, PDPC Preparatory Office Launch, December 2023 (taiwannews.com.tw)
- Enforcement Rules of the PDPA (law.moj.gov.tw)
- Preparatory Office of the PDPC, Duties and Mandate (pdpc.gov.tw)