Global Data Privacy Guide

Taiwan

(Asia Pacific) Firm Tsar & Tsai Law Firm Updated 18 Aug 2025
1. What is the key legislation?

The key legislation is the Taiwan Personal Data Protection Act (PDPA) and its Enforcement Rules. 

2. What are the key decisions applying that legislation?

Since the PDPA came into effect, the supervisory authority has supplemented its application through interpretative guidance, mainly on whether certain information constitutes “personal data,” the lawfulness of its use, and retention periods. A key decision driving further amendments was the Constitutional Court’s 2022 judgment No. 111-Shien-Pan-13, which held that even encrypted or anonymized National Health Insurance (NHI) data remains “personal data” if indirect identification is possible, and found the existing safeguards inadequate. This ruling prompted the government to propose the “National Health Insurance Data Management Act” and PDPA amendments, both of which were submitted for legislative review in early 2025.

1. How are “personal data” and “sensitive data” defined?

“Personal data” is defined as name, date of birth, national identification number, passport number, physical characteristics, fingerprints, marital status, family information, education, occupation, contact details, financial status, social activities, or other data that can directly or indirectly identify the individual.
“Sensitive data” is not a term used by PDPA. In practice, it generally refers to the personal information set forth under Article 6 of PDPA, which includes medical records, healthcare information, genetic data, sexual life, health examination results, and criminal record.

2. How is the defined data protected?

The PDPA protects both personal and sensitive data through preventive measures before collection, processing, and use (“data handling”), data subject rights, and remedial actions in case of misuse or breach. Before collecting personal data, the public authority or private entity shall notify the data subject of the purpose of collection, the period of use, the regions of use, the recipients, how the personal data will be used, the fact that the data subject is free to decide whether to grant consent, and the potential consequences of not providing consent.
During processing and use, data security and accuracy must be maintained, and any breach involving theft, leakage, alteration, or other infringement must be investigated and notified to affected data subjects.
Sensitive personal data is generally prohibited by Article 6 of PDPA from collection, processing, or use unless:
a.    Another law or regulation provides a legal basis;
b.    It is necessary for statutory duties or legal obligations and handled with appropriate security measures;
c.    The data has been made public by the subject or lawfully by others;
d.    It is required for medical, public health, or crime prevention research by public authorities or academic institutions, with the data anonymized; or
e.    The data subject has given specific, voluntary, and informed consent.

3. Who is subject to privacy obligations?

Public authorities and private entities, including natural persons, corporate entities, and other legal persons that collect or handle personal data, are subject to privacy obligations. These obligations also extend to individuals or entities handling personal data on behalf of such organizations. The above entities and individuals are collectively referred to as the obligors below.

4. How is “data processing” defined?

Data processing is defined as the act of recording, inputting, storing, compiling/editing, correcting, duplicating, retrieving, deleting, outputting, connecting or internally transferring data for the purpose of establishing or using a personal data file.

5. What are the principles applicable to personal data processing?

Data collection must be limited to what is necessary and reasonably related to the legitimate and specified purpose. The obligors must respect the rights of data subjects and handle personal data in good faith. They are also responsible for ensuring the accuracy of the data and must proactively implement appropriate security measures against data being stolen, altered, damaged, lost, or leaked. The security measures include technical and organizational measures.

6. How is the processing of personal data regulated?

During data processing, the obligors must ensure the accuracy of the data and implement appropriate measures to prevent data from being stolen, altered, damaged, lost, or leaked. They shall also establish a security maintenance plan upon request by the competent authority.
In the event of a data incident and/or data breach, the obligors shall investigate and notify the affected data subject.

7. How are storage, security and retention of personal data regulated?

All records of data handling, tracking, and relevant evidence shall be kept, and this record-keeping shall also form part of the security maintenance plan. The PDPA itself does not limit the period for which data may be used. When the specific purpose for which the data was collected has been fulfilled and there is no further need to process or use the data, or if the retention period has expired, the obligors shall, either proactively or upon the request of the data subject, delete the data or cease processing or using it.

8. What are the data subjects' rights under the data legislation?

Data subjects are entitled to the rights of access, correction, deletion and objection. These rights allow data subjects to inquire about the status of their data held by the obligors and to request access to the original data or copy. They may also require the obligors to correct or supplement the data. Once the specified purpose of collection has been fulfilled or the retention period has expired, data subjects may request the deletion of their data. In cases where data subjects discover that their personal data may have been misused, they are entitled to object to the continued processing of such data.

9. What are the consent requirements for data subjects?

The consent requirements include informing the data subjects of the purpose of data collection, the period of use, the regions of use, the recipients, how the data will be used, the rights of the data subject, the fact that the data subject is free to decide whether to grant consent, and the potential consequences of not providing consent.

10. How is authorization for use of data handled?

Authorization for use of personal data is generally based on the informed, specific, and voluntary consent of the data subject. Consent may be dispensed with only where the use is permitted by law, necessary to perform a contract, related to data the subject has made public, for anonymized academic research, or in the public interest without overriding the rights of the data subject.

11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers?

The PDPA generally permits cross-border data transfers; however, the supervisory authority may impose restrictions in certain circumstances, such as when the transfer involves significant national interests, is subject to international treaties or agreements, the recipient country lacks adequate data protection that could jeopardize data subjects’ rights, or the transfer is intended to circumvent the PDPA’s requirements.

12. How are data "incidents" and "breaches" defined?

The PDPA provides no definition for “incidents” and “breaches.” However, under the PDPA, these terms may refer to data stolen, altered, damaged, lost, leaked or other forms of infringement.

13. Are there any notification requirements for incidents and/or data breaches?

In the event of data theft, leakage, alteration, or other forms of infringement, the obligors are required to conduct an investigation and notify the affected data subjects accordingly. The notification must be made in a timely manner and may be delivered through various methods, including oral or written communication, phone calls, text messages, emails, faxes, electronic documents, or any other means that effectively informs the data subjects. The obligors must disclose the nature and scope of the breach and the remedial measures that have been taken in response.

14. Who is/are the privacy regulator(s)?

The supervisory authority under the PDPA is the competent authority responsible for the respective obligor. For example, if the obligor is a school, the supervisory authority would be the Ministry of Education.
In 2023, the PDPA was amended to establish the Personal Data Protection Commission as the sole and centralized supervisory authority. However, the effective date of this amendment has not yet been determined.

15. What are the consequences of a data breach?

In the event of a data breach caused by the obligor, administrative fines ranging from NT$20,000 to NT$15,000,000 may be imposed, depending on the nature and severity of the breach. Repeated fines may also be imposed if the obligor fails to correct the violation. In addition, the obligor’s representative, manager, or any other person with legal representative authority may be subject to fines of the same amount, unless they can prove that they fulfilled their duty to prevent the breach.
The obligors may also be held liable for damages unless they prove that the breach occurred without intent or negligence.

16. How is electronic marketing regulated?

There are no standalone provisions regulating “electronic marketing.” The obligors may collect, process, and use data for marketing purposes if the requirements for data handling are fulfilled, or if additional consent is obtained. If a data subject refuses to receive marketing, the obligors must immediately cease using their data for that purpose.

17. Are there sector-specific or industry-specific privacy requirements?

The PDPA does not impose sector-specific privacy requirements. However, under Article 27, supervisory authorities may require the competent authorities overseeing certain sectors to enact Regulations for the Security and Maintenance of Personal Data Files in Non-Public Agencies, which in turn require the obligors to establish their own security maintenance plans accordingly. Currently, 18 competent authorities have issued sector-specific versions of these regulations, which generally share a common framework covering personal data protection plans, protection measures, security audits, record-keeping, and continuous improvement mechanisms.

18. What are the requirements for appointing Data Protection Officers or similar roles?

The PDPA currently does not require the appointment of a Data Protection Officer (DPO). However, amendments submitted for legislative review in March 2025 propose requiring public authorities and certain designated private entities to appoint both a DPO and a data protection auditor. These amendments are still under legislative review.

19. What are the record-keeping and documentation obligations?

The PDPA imposes no general record-keeping or documentation obligation. However, if the competent authority requires a security maintenance plan, the obligors must retain all records related to data handling, tracking, and relevant evidence. Upon deletion or cessation of data processing, the method used, along with the date and time, must be documented and retained for a specified period.

20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)?

The PDPA contains no provisions requiring the performance of Data Protection Impact Assessments (DPIAs). The closest requirement is the obligation, upon request by the supervisory authority, to establish a security maintenance plan, which may include mechanisms for risk assessment and management of personal data. However, there are no detailed provisions on how such risk assessments should be conducted.

21. What are the requirements for third-party vendor management and data sharing?

The PDPA imposes certain obligations on individuals or entities handling personal data on behalf of an obligor (“third-party vendors”), in addition to those imposed on the obligor itself. Third-party vendors must:
a.    Report to the obligor the intended scope, categories, purposes, duration, and security measures for data collection, processing, or use;
b.    Disclose any sub-vendor arrangements agreed upon in advance;
c.    Implement and report remedial measures in the event of a breach; and
d.    Process personal data only within the obligor’s instructions, notifying the obligor immediately if any instruction would violate the PDPA or related laws.

22. What are the penalties and enforcement mechanisms for non-compliance?

For breaches by public authorities or private entities, administrative fines range from NT$20,000 to NT$15,000,000, depending on the nature and severity of the violation, with repeated fines possible if non-compliance is not corrected. Representatives, managers, or other persons with legal authority may also be fined the same amount unless they can prove they fulfilled their duty to prevent the breach.

23. What are the ongoing compliance and audit requirements?

The PDPA contains no explicit audit requirement, though a competent authority may require a security maintenance plan that includes data security audit mechanisms. Ongoing compliance obligations include implementing technical and organizational measures to safeguard data, ensuring its accuracy, and responding to data subjects’ requests to access, correct, supplement, or delete their personal data. In the event of a data breach involving theft, leakage, alteration, or other infringement, the obligors must investigate and notify affected data subjects without delay.

24. Are there any recent developments or expected reforms?

Amendments to the PDPA were proposed in March 2025 and are currently under legislative review. Key changes include a requirement to report to the supervisory authority any data incident or breach, take immediate and effective contingency measures to prevent its escalation, document the facts, impacts, and remedial actions taken, and preserve all relevant records. The amendments also introduce mandatory Data Protection Officers (DPOs) for public authorities and empower the supervisory authority to conduct administrative inspections of sectors or industries that pose a high risk of data incidents and/or breaches.