Answer ... In Taiwan, personal data protection is governed by:

• the Personal Data Protection Act (PDPA);
• the Enforcement Rules of the PDPA; and
• other relevant regulations and rulings issued by the competent authority and the sectoral regulators.

Answer ... Under the PDPA, each sectoral regulator is empowered to interpret PDPA-related matters governing the industry that it regulates, and to stipulate sectoral rules and regulations. The financial and healthcare industries are subject to special rules promulgated by their regulators. Biometric data is regulated as personal data and some types of biometric data (eg, data pertaining to a natural person’s genetics) are deemed ‘sensitive personal data’ and are subject to special protection.

Fingerprints – a type of biometric data – are treated differently from other data. Although fingerprints are not classified as ‘sensitive personal data’, given that they are a unique and undeniable feature through which individuals may be identified, the government has issued a ruling which provides that any use of fingerprints is subject to the data subject’s consent.

Answer ... In December 2018 Taiwan signed up to the Cross-Border Privacy Rules (CBPR) of the Asia-Pacific Economic Cooperation (APEC) and became the seventh member of the CBPR. This means that the personal data protection statutes, systems and mechanisms adopted in Taiwan are recognised by APEC. Pursuant to the CBPR, Taiwan is in the process of establishing accountability agents in order to certify private businesses in Taiwan. Meanwhile, Taiwan is in dialogue with the European Union in relation to an adequacy decision under the General Data Protection Regulation.

Answer ... The National Development Council is in charge of interpreting the PDPA and facilitating internal coordination between different government agencies on relevant matters. The PDPA is enforced by the central, local, municipal, county and government authorities that regulate and supervise the business operations of non-government agencies in each industry. For example, the regulator of the financial industry, the Financial Supervisory Commission, is in charge of regulating personal data protection matters involving financial institutions, and enforces the PDPA alongside the other sectoral regulations applicable to local financial institutions.

Answer ... Although the government has been promoting industry standards and best practices in relation to the PDPA, it seems that these have not yet been widely adopted and private businesses do not yet appear to be compliant with such standards and practices. That said, ISO27001 has been recognised by the government as a standard for the telecommunications/IT industry and the telecommunications regulator, the National Communications Commission, has requested certain telecommunications operators to adopt ISO27001 standards.

Answer ... Under the Personal Data Protection Act (PDPA), both the government and the private sector are subject to the PDPA, including all individuals located in Taiwan. All private businesses must comply with the PDPA when dealing with personal data.

Answer ... All activities involving the collection, use and processing of personal data are subject to the PDPA, except in the following situations:

• The personal data is collected, processed or used by an individual in the course of personal or family activity; or
• Audiovisual information is collected, processed or used in a public place or through a public activity which is not associated with any other personal data.

Answer ... The current text of the PDPA does not explicitly provide for the extra-territorial application of the PDPA to offshore entities, although some of its provisions would seem to suggest such an application. The current position of the National Development Council (NDC) is that the PDPA does not have extra-territorial application.

Meanwhile, the NDC is contemplating amending the PDPA to further align it with the General Data Protection Regulation; whether the amendments will include an extra-territorial application clause remains a topic to be considered and discussed in Taiwan.

Answer ... (a) Data processing

The term ‘processing’ under the Personal Data Protection Act (PDPA) covers two activities: ‘processing’ and ‘use’. Under the PDPA, ‘processing’ refers to the act of recording, inputting, storing, compiling/editing, correcting, duplicating, retrieving, deleting, outputting, connecting or internally transferring data for the purpose of establishing or using a personal data file. ‘Use’ refers to the act of using personal data through any method other than processing.

(b) Data processor

The PDPA does not specifically adopt any of the terms used in European countries – such as ‘data controller’, ‘data processor’ or ‘data owner’ – to refer to the relevant parties involved in personal data-related activity, although these concepts are embedded in the PDPA. Under the PDPA, a ‘data processor’ is a person or entity that is retained by another to perform data processing activities.

(c) Data controller

Again, the PDPA does not explicitly adopt this term in its text; it simply subjects ‘government agencies’ and ‘non-government agencies’ to two different sets of rules in regard to personal data related activities.

(d) Data subject

Under the PDPA, the term ‘data subject’ refers to an individual whose personal data is collected, processed or used.

(e) Personal data

The PDPA defines ‘personal data’ as a natural person’s name, date of birth, identity card number, passport number, features, fingerprints, marital status, family information, education background, occupation, medical records, healthcare data, genetic data, details of his or her sex life, records of physical examination, criminal records, contact information, financial conditions, data concerning his or her social activities and any other information that may be used to directly or indirectly identify that person.

(f) Sensitive personal data

Personal data pertaining to an individual’s medical records, healthcare, genetics, sex life, physical examination and criminal records is categorised as ‘sensitive personal data’ and is subject to special protection.

(g) Consent

Pursuant to the PDPA, consent must be informed and express, with only one exception. This applies where, at the time the data is collected, the data subject is advised of the notification matters required under the PDPA and surrenders his or her data to the data controller without objection after being duly informed.

Answer ... The PDPA does not include the term ‘data controller’, referring only to ‘government agencies’ and ‘non-government agencies’. In this Q&A, unless otherwise specified, the term ‘data controller’ refers to ‘non-government agencies’ only.

Answer ... There is no registration system under the Personal Data Protection Act.

Answer ... N/A.

Answer ... N/A.

Answer ... While under EU law, the term ‘data processing’ covers all types of activities that a data controller conducts using the data that it collects, under Taiwan law, ‘data processing’ refers to only some of those activities. For most activities, the term ‘use of personal data’ is used instead. The legal requirements under the Personal Data Protection Act (PDPA) are as follows.

Collection of personal data: Pursuant to the PDPA, a non-government agency must have a specific purpose for collecting personal data and one of the following legal grounds must apply:

• The processing is specifically permitted by law;
• The non-government agency and the data subject have entered into or are negotiating a contract;
• The data is already in the public domain due to disclosure by the data subject or in a legitimate manner;
• The processing is necessary for an academic research institution to gather statistics or conduct academic research in the public interest, provided that any information sufficient to identify the data subject has been removed;
• The consent of the data subject has been obtained;
• The processing is necessary in the public interest;
• The data has been collected from a source that is accessible to the collector, unless the interests of the data subject take precedence over those of the collector; or
• The processing will not harm the data subject's rights or benefits.

Use of personal data: A non-government agency must use personal data within the scope of the specific purpose for which it was collected. If the data is used for some other purpose, one of the following conditions must be met:

• The additional use is pursuant to a specific provision set forth under the law;
• The additional use is necessary to promote a public interest;
• The additional use is necessary to prevent a risk to the life, body, freedom or property of the data subject;
• The additional use is necessary to prevent material harm to the rights or benefits of third parties;
• The additional use is necessary for an academic research institution to gather statistics or conduct academic research in the public interest, provided that any information sufficient to identify the data subject has been removed;
• The consent of the data subject has been obtained; or
• The additional use will benefit the data subject.

Collection and use of sensitive personal data: Pursuant to Article 6 of the PDPA, sensitive personal data – that is, any personal data concerning medical records, medical treatment, genetic information, sexual activity, health examinations or criminal records – may be collected, processed or used only in the following situations:

• The collection and use is specifically stipulated by law;
• The information is necessary for a government agency to perform its legal duties or for a non-government agency to fulfil its legal obligations, and proper security measures are adopted prior or subsequent to such collection, processing or use;
• The data subject has made such information public or the information has been publicised legally;
• The information is necessary to collate statistics or conduct other academic research, or is collected, processed or used by a government agency or an academic research institution for the purpose of medical treatment, public health or crime prevention, as long as the information does not lead to the identification of a specific person after its processing by the provider or its disclosure by the collector;
• The information is necessary to assist a government agency in performing its legal duties or a non-government agency in fulfilling its legal obligations, and proper security measures are adopted prior or subsequent to such collection, processing or use; or
• The data subject has freely consented in writing and the use of such information does not exceed the necessary scope of the specific purpose, and no other restrictions under any other statute apply.

Answer ... Pursuant to the PDPA, where a non-government agency collects personal data (whether sensitive or not) from data subjects directly, it must inform the data subjects of the following information at the time of collection:

• who is collecting the personal data;
• the purpose(s) for which the data is being collected;
• the types of personal data to be collected;
• for how long, where, by whom and in what manner the data will be used;
• the rights that the data subject may exercise in relation to his or her personal data and how he or she can exercise them; and
• how the data subject’s rights or interests will be affected if he or she chooses not to provide the data.

A data processor is not subject to these notification obligations.

Answer ... In addition to the requirements outlined in questions 5.1 and 5.2, businesses must also comply with the following statutory requirements:

• adopting proper security measures to protect the personal data that they hold (see question 9.1);
• complying with the additional marketing restrictions under the PDPA (see question 11.3); and
• respecting the data subject’s rights (see question 7.1).

The most important best practices are to have a statutory ground for collection and to use the data only within the scope of the specific purpose at the time of collection. Otherwise, additional consent will be required.

Answer ... Data may be transferred to a third party as long as a non-government agency has obtained consent from the data subject for the transfer or the transfer is otherwise permitted under Article 20 of the Personal Data Protection Act (PDPA). The recipient of the data must also have its own legal ground as set forth under Article 19 of the PDPA in order to legally collect the personal data.

Answer ... Currently, personal data may be freely transferred outside of Taiwan, unless the government otherwise issues an order or ruling that prohibits or restricts such a transfer. Thus far, the only government ruling restricting the transfer of personal data has been issued by the National Communications Commission, which prohibits telecommunications operators and broadcasting companies from storing subscriber data in China.

The National Development Council (NDC) is contemplating amending the PDPA in the near future. One of the issues that the NDC is considering is whether to change the current rules on the international transfer of personal data and adopt rules similar to those of the General Data Protection Regulation. If this happens, companies would be prohibited from freely transferring personal data outside Taiwan unless the destination jurisdiction provided adequate protection of personal data or certain conditions were met.

Answer ... Although the PDPA allows for international data transfers to almost all countries in the world, the data controller in Taiwan must still conduct the transfer based on one of the legal grounds as set forth under the PDPA. Before conducting the international transfer, a review of the relevant legal grounds should be conducted to ensure that the transfer is legal under the PDPA.

Answer ... Article 3 of the Personal Data Protection Act (PDPA) provides that a data subject can exercise the following rights with regard to his or her personal data, which may not be waived or limited contractually in advance:

• the right to make an inquiry in relation to and to review his or her personal data;
• the right to request a copy of his or her personal data;
• the right to supplement or correct his or her personal data;
• the right to demand the cessation of the collection, processing or use of his or her personal data; and
• the right to erase his or her personal data.

One the other hand, Article 11 of the PDPA also allows a data controller to refuse to comply with a data subject’s request if the use of the personal data is necessary for the data controller to perform its duties or conduct its business operations, or if the data subject’s written consent has been obtained.

Answer ... Data subjects may contact the data controller to exercise their rights in any manner (eg, by phone, email or letter). The PDPA requires a data controller to inform data subjects, upon collecting their personal data, of how they can exercise their rights under Article 3 of the PDPA.

Answer ... No. The Personal Data Protection Act (PDPA) does not require a private business to appoint a data protection officer. However, the Enforcement Rules suggest that a private business should allocate sufficient resources to handle personal data related matters within its organisation.

Answer ... N/A.

Answer ... N/A.

Answer ... N/A.

Answer ... There are no specific record-keeping or documentation requirements under the PDPA. In relation to appropriate security measures, the Enforcement Rules suggest that a company should keep records, logs and relevant evidence with regard to its collection and use of personal data.

Answer ... Given that the PDPA does not require the appointment of a data protection officer, data protection matters are often handled by different departments, including legal, HR, IT and compliance. As a result, it is often difficult to handle a particular data protection matter within an organisation; and sometimes personal data protection matters are not in fact handled by any of the relevant departments. It is very important that a company designate and empower a particular department with responsibility for data protection matters, or establish a joint taskforce among different departments to this end.

Answer ... The Personal Data Protection Act (PDPA) requires that a data controller adopt ‘appropriate’ security measures to safeguard the personal data that it holds. A data processor should also take ‘appropriate’ security measures on the instruction of the data controller. If a data processor fails to do so, the data controller will be held liable for such non-compliance. The Enforcement Rules suggest that the following measures should be implemented in order to safeguard personal data:

• allocating management personnel and reasonable resources;
• defining the scope of personal data;
• establishing a mechanism for risk assessment and management of personal data;
• establishing a mechanism for preventing, giving notice of and responding to data breaches;
• establishing an internal control procedure for the collection, processing and use of personal data;
• managing data security and personnel;
• promoting awareness, education and training;
• managing facility security;
• establishing an audit mechanism for data security;
• keeping records, logs and relevant evidence; and
• implementing integrated and persistent improvements to the security and maintenance of personal data.

Answer ... The PDPA does not require that data breaches be reported to the authorities.

However, under the PDPA, the central competent authorities have the power to stipulate further rules concerning a ‘security and maintenance plan for personal information files’ in the industry sectors under their charge. For example, the central competent authority in charge of the online retail industry has stipulated such rules for this sector and requires relevant business operators to report any incident which is material and may impact on the normal operations of the business or the interests of numerous data subjects. Quite a few other central competent authorities have issued similar rules for the industries they regulate, including the information services industry.

Answer ... Yes. Under the PDPA, where personal data is stolen, disclosed, altered or otherwise infringed as a result of a violation of the PDPA, the data controller must notify the affected data subjects in a proper manner after investigating the incident. The notification must include details of the infringement of personal data and the measures which have been taken in response.

Further, according to the Enforcement Rules, the notification must be made in a timely manner, whether orally, in a written document, by telephone, text message, email, fax electronic record or in such other manner as is sufficient to communicate such notification to the data subjects. However, if this would be too costly, notification may be made online, through the news media or through another appropriate disclosure manner, after taking technical feasibility and privacy protection into account.

Answer ... In the event of a data breach, a company should act as fast as possible to investigate what has happened and retain the relevant records, and should notify the affected data subjects as soon as possible. Under the PDPA, when a data subject seeks compensation from a data controller for damages caused by the data controller’s failure to comply with the PDPA, the data subject need not prove that the data controller was negligent for the non-compliance; rather, the data controller must prove that it was not negligent with regard to the breach. By notifying the data subjects as soon as possible, the data controller can strengthen its argument that it was not negligent in complying with the PDPA and took swift action to limit the damage from the breach.

Answer ... The Personal Data Protection Act (PDPA) includes no requirements or restrictions with regard to the personal data of employees. Employers should thus follow the same rules and principles under the PDPA with regard to the collection, processing and use of the personal data of their employees. Additional requirements can be found in the labour-related statutes. For example, Article 5 of the Employment Services Act provides that an employer may not force a job candidate or an employee to provide personal data that is unrelated to the employment against his or her will.

Answer ... Whether the surveillance of employees is allowed depends on whether the employees have an expectation of privacy in the workplace. An employer may legally monitor employees’ activities only if the employees have no such expectation. Hence, before an employer conducts any surveillance activities, it must inform its employees or even obtain their consent so that they will have no expectation of privacy.

Answer ... When collecting sensitive personal data of employees or job candidates (eg, criminal records), an employer must comply with the requirements on the collection and use of sensitive personal data as set out in question 5.1. A necessity test will also apply: that is, the sensitive personal data of the employee or job candidate must be necessary and relevant to the performance of the relevant job.

Answer ... Currently, there are no requirements or restrictions applying to the use of cookies

There are no specific legal requirements on the use of cookies in Taiwan. If cookies contain any personal data, they will be regulated as personal data and their use must comply with the Personal Data Protection Act (PDPA).

Answer ... Like all other business, online businesses may use personal data for marketing purposes only if such use is compatible with the specific purpose(s) for which the data was collected. In most cases, this will mean that the data subjects must have given separate and ‘informed’ consent for the marketing. Online companies and electronic platforms must be transparent with their customers and subscribers, and advise them of what will be done with their personal data when obtaining consent from them.

Meanwhile, under the PDPA, additional requirements apply to marketing activities. Where a non-government agency uses personal data for marketing purposes and the data subject objects to this, the non-government agency must immediately stop using the data subject’s personal data for marketing purposes. In addition, where a non-government agency approaches a data subject for marketing purposes for the first time, it must provide a mechanism for the data subject to indicate his or her objection to the marketing activity at any time and must accept the relevant costs for this. For example, where a non-government agency conducts a marketing campaign, it should provide a mechanism – such as a toll-free phone number, an email address or a web link – for the data subject to unsubscribe from the marketing information.

Answer ... In Taiwan, data privacy disputes are typically resolved in the courts. Data subjects normally bring civil lawsuits against data controllers that failed to comply with the Personal Data Protection Act (PDPA), claiming civil damages.

Answer ... In some cases, the issue is whether the data controller had any legal grounds under Articles 19 and 20 of the PDPA to collect and use the personal data of the data subject. In other cases, the issue is whether the data controller must compensate the data subjects from damage suffered due to a data breach.

Answer ... The first class action against a non-government agency for a data breach was brought to court in March 2018. The Consumers’ Foundation initiated a class action against a leading travel agent for civil compensation on behalf of 25 consumers. According to local news reports, the personal data of around 360,000 customers was compromised by an unidentified source and many of them received calls from phone scammers and suffered losses due to deception. The Consumers’ Foundation claimed that the travel agent had not taken appropriate security measures to protect its customers’ personal data. The travel agent insisted that it had taken all necessary security measures to protect its personal information files, including setting up firewalls and being certified by certification organisations; hence, it did not consider that it had committed negligence with regard to the data breach and refused to settle with the consumers.

A district court judgment was rendered in October 2019, dismissing the Consumers’ Foundation’s claim due to its failure to prove that the travel agent had committed negligence with regard to the adoption of appropriate security measures. The district court held that, despite advances in computer technology, hacking attacks are still common occurrences; therefore, it could not be concluded that the travel agent had failed to adopt the appropriate security measures simply because hackers had successfully attacked its computer systems and stolen consumers’ personal data. The Consumers’ Foundation has appealed the judgment and the appeal is now being heard by the Taiwan High Court.

Answer ... The National Development Council (NDC) is considering amending the Personal Data Protection Act (PDPA) in order to fully comply with the principles of the General Data Protection Regulation (GDPR). It solicited public comments and opinions in 2019 with regard to proposed amendments in relation to the following:

• establishing a single government agency with responsibility for personal data protection matters (currently, each sectoral regulator is the primary regulator of the PDPA);
• adopting the same restrictions on international transfers of personal data as apply under the GDPR;
• facilitating the industrial use of anonymised personal data;
• requiring data controllers to notify the government authority of a data breach;
• combining the three legal concepts of ‘collection’, ‘processing’ and ‘use’ of data under the PDPA into one – ‘processing’; and
• providing a unified set of rules to regulate both government agencies and non-government agencies, like the GDPR.

In the near future, the NDC will propose these draft amendments and it is anticipated that the current PDPA will be significantly revised.

Answer ... Although awareness of personal data protection has increased in Taiwanese society since 2012, compliance measures still seem insufficient. In addition to drafting legal documents such as privacy policies, companies should incorporate data protection principles and mechanisms into their business operations. For example, employee education is important: employees should be sensitive to the relevant issues whenever they encounter or access personal data. Meanwhile, companies should seek professional advice and implement measures based on such advice in order to reduce or eliminate the risk of non-compliance.