In brief
On 17 October 2025, the Legislative Yuan passed the amendment (“Amendment”) to the Personal Data Protection Act (PDPA). After promulgation by the President, the effective date of the Amendment shall be decided by the Executive Yuan and is expected to be in force in 2026.
The main driver for the Amendment is to comply with the Constitutional Court’s ruling issued on 12 August 2022 (111年度憲判字第13號健保資料庫案判決), which mandates the establishment of an independent supervisory mechanism for personal data protection within three years.
The PDPA was amended in May 2023 to add Article 1-1 (not effective yet), which provides that the competent authority of the PDPA will be the Personal Data Protection Commission (PDPC), the first dedicated authority for personal data protection. The Preparatory Office of the PDPC was established on 5 December 2023. The PDPC shall be formally established after the Organizational Act of the PDPC (which was proposed together with the Amendment) is passed by the Legislative Yuan.
The Amendment also includes the following key changes.
Government agencies are now required to appoint a DPO (Article 18)
Although the first draft of the Amendment proposed that the PDPC may designate certain non-government agencies to appoint a DPO and personal data protection audit personnel, the Amendment does not include this requirement, so only government agencies are required to do so.
Data breach notification/report (Article 12)
- Under the current PDPA, if there is a data breach, the non-government agency only needs to notify the data subject. Under the Amendment, the non-government agency may also need to report to the PDPC. The threshold, timeline and other requirements on the report shall be further determined by the PDPC in regulations.
- The Amendment requires the non-government agency to keep the documentation of the data incident for inspection by the PDPC. The record retention period shall be determined by the PDPC in regulations.
- Violation of the new requirements above shall be subject to an administrative fine ranging from NTD 20,000 (USD 625) to NTD 200,000 (USD 6,250), which may be imposed consecutively if the non-government agency fails to rectify within the specified time period (new Paragraph 2, Article 48).
- The PDPC may delegate the acceptance and onward notification of the report to other agencies, administrative organizations, or public interest groups to handle the matter (Para 1, Article 52).
Administrative inspection
- The first draft of the Amendment proposed that the PDPC may select the industries and non-government agencies with higher risk of personal data infringement to prioritize administrative inspection against them (Article 27). The Amendment does not include this idea.
- That said, even if there is no indication of violation, under the Amendment the PDPC may still conduct proactive administrative inspection to review the non-government agencies’ compliance with the PDPA. The PDPC will promulgate regulations for matters regarding proactive inspection (new para 2, Article 22).
- The non-government agencies cannot refuse the inspection unless there are “justifiable causes” (Para 4, Article 22).
6-year transition period (Article 51-1)
- The PDPC will request the Executive Yuan to announce which of the non-government agencies (likely those that already have specific competent authorities) will remain regulated by the current central competent authorities or local governments for up to six years after the PDPC is established.
- Every two years, the PDPC will discuss with the competent authorities in charge of the industry concerned and report to and request the Executive Yuan to reduce the scope of the non-government industries that remain supervised by the competent authorities.
- However, once the Amendment is in effect, the power under Article 21 of the PDPA to restrict cross-border data transfer shall be transferred from the competent authorities in charge of the industry concerned to the PDPC.
The PDPC will promulgate Regulations for Security and Maintenance of Personal Information Files (Article 20-1 and 51-1)
Under the Amendment, the PDPC will promulgate baseline Regulations for Security and Maintenance of Personal Information Files for non-government agencies (Article 20-1). During the transition period, the relevant Regulations for Security and Maintenance of Personal Information Files promulgated by the competent authorities shall be based on the PDPC’s baseline version but may be stricter (Paragraphs 3 to 4, Article 51-1).
Administrative appeal (Article 53-1)
As the PDPC is an independent authority, the appeal against the rulings of the PDPC shall be filed with the Administrative Court directly.
However, during the transition period, the appeal against the rulings of the central competent authorities or local governments shall be filed with the PDPC.
The Amendment follows the decision of the Constitutional Court’s ruling to establish an independent supervisory mechanism for personal data protection. Given the new regulatory requirements, companies are advised to assess whether they have any gap between the Amendment and their current data protection practice, especially the data breach response plan. If yes, companies shall immediately adjust the existing policies and operations for compliance with these requirements. If you have any questions, please feel free to contact us.