ARTICLE
27 November 2025

Data Privacy Comparative Guide


1 Legal and enforcement framework

1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?

Privacy is recognised as an indispensable fundamental right under Taiwan's legal system, safeguarded by Article 22 of the Constitution. This constitutional guarantee forms the cornerstone of Taiwan's data protection and privacy regulatory framework.

Taiwan's personal data protection framework originated with the promulgation of the Computer-Processed Personal Data Protection Act in 1995, which laid the foundation for regulating the automated processing of personal information. In 2011, the statute was comprehensively revised and renamed the Personal Data Protection Act (PDPA), thereby extending its scope beyond computerised systems to encompass all forms of personal data processing.

Since its enactment, the PDPA has undergone multiple amendments to reflect evolving technological, regulatory and international developments. The most recent version took effect in 2023. On 17 October 2025, the Legislative Yuan passed at third reading a significant amendment bill to the PDPA, representing a major step towards modernising Taiwan's privacy governance framework and aligning it with international standards.

The effective date of the 2025 amended PDPA will be officially announced upon the formal establishment of the Personal Data Protection Commission (PDPC), which is designated to serve as the central supervisory authority for the enforcement of the PDPA.

Complementing the PDPA, the Cybersecurity Management Act 2025 was enacted to promote national cybersecurity resilience and accelerate the development of secure digital infrastructure. This statute underscores the government's commitment to safeguarding information systems across both the public and private sectors.

The implementation of the PDPA is further supported by several subordinate regulations, including:

  • the Enforcement Rules of the Personal Data Protection Act; and
  • the Regulations on the Specific Purposes and Categories of Personal Data under the Personal Data Protection Act.

These instruments set out detailed classifications and compliance requirements which are essential for practical enforcement of the PDPA's principles.

1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?

The PDPA establishes general rules, which are further refined by sector-specific and data-specific regulations. Under the PDPA, competent authorities may require non-public agencies to maintain data security plans. Accordingly, ministries have issued detailed measures such as:

  • the Regulations Governing the Security Maintenance and Management of Personal Data Files of the Retail Industry;
  • the Regulations Governing the Implementation of Personal Data File Security Maintenance Plans for Hospitals; and
  • similar rules for financial institutions under the Financial Supervisory Commission.

For sensitive data, Taiwan has adopted additional administrative instruments, including:

  • the Regulations Governing the Collection, Management, and Use of Individual Biometric Data (2013);
  • the Regulations for Collection and Management of Information on Sexual Offenders (2024); and
  • the Regulations for Identifying Unsuitable Personnel in Child and Youth Welfare Institutions (2020).

Together, these rules form a multi-layered system ensuring that data-intensive industries and sensitive information are handled with heightened safeguards.

1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?

Although its participation in international organisations is limited, Taiwan has aligned its data protection framework with global standards. It participates in the Asia-Pacific Economic Cooperation (APEC) forum and joined the APEC Cross-Border Privacy Rules (CBPR) System in 2018, demonstrating its commitment to regional cooperation in data governance.

The PDPA was modelled on major international instruments – notably the Organisation for Economic Co-operation and Development Privacy Guidelines and the EU General Data Protection Regulation (GDPR) – reflecting efforts towards normative convergence in:

  • lawful processing;
  • transparency;
  • accountability; and
  • cross-border safeguards.

Although Taiwan is unable to formally accede to most international treaties, its data protection framework allows authorities to restrict cross-border data transfers where international arrangements so provide. This reflects Taiwan's:

  • de facto recognition of global privacy standards; and
  • commitment to maintaining a regime that is consistent with international norms despite diplomatic limitations.

1.4 Which bodies are responsible for enforcing the data privacy legislation in your jurisdiction? What powers do they have?

Taiwan is establishing a PDPC as the unified authority for enforcing the PDPA. Currently, however, data protection remains decentralised, with each industry overseen by its respective competent authority or local government. In the information and communications sector, the Ministry of Digital Affairs serves as the competent authority, while enforcement is handled by the Administration for Cybersecurity.

Under the PDPA, competent authorities may:

  • set security standards;
  • conduct inspections;
  • impose fines;
  • issue corrective orders;
  • prohibit or delete unlawfully collected data; and
  • disclose violators' names and details of infringements.

These powers collectively ensure the effective supervision and prompt enforcement of data protection obligations.

1.5 What role do industry standards or best practices play in terms of compliance and regulatory enforcement?

While laws such as the PDPA or the EU GDPR define the baseline for data protection, frameworks such as ISO/IEC 27001, ISO/IEC 27701 and the APEC CBPR provide concrete methods to meet those obligations. Regulators often reference these standards when judging whether an organisation has taken 'appropriate security measures'. Adherence can:

  • serve as evidence of due diligence;
  • reduce penalties; and
  • demonstrate compliance maturity.

Conversely, ignoring recognised best practices may be deemed to constitute negligence, especially after data breaches.

2 Scope of application

2.1 Which entities are captured by the data privacy regime in your jurisdiction?

The Personal Data Protection Act (PDPA) applies broadly to all natural persons, legal persons and other unincorporated organisations that collect, process or use personal data within Taiwan. The PDPA imposes corresponding obligations on both public and private sector entities to ensure the lawful, fair and transparent handling of personal data.

In addition to the PDPA, certain non-public agencies are simultaneously subject to the Cybersecurity Management Act due to their critical role in national infrastructure or public service provision. These include, among others:

  • financial institutions;
  • telecommunications service providers;
  • energy suppliers;
  • transportation and logistics operators;
  • medical institutions;
  • government contractors engaged in critical infrastructure operations;
  • state-owned enterprises;
  • specific foundations; and
  • other organisations or entities under substantial governmental control.

For these sectors, compliance obligations extend beyond data protection to encompass broader cybersecurity governance, requiring the establishment of:

  • risk management mechanisms;
  • information security protocols; and
  • reporting systems for major incidents.

This dual regulatory structure reflects Taiwan's integrated approach to safeguarding both personal data and information system integrity across high-risk and essential industries.

2.2 What exemptions from the data privacy regime, if any, are available in your jurisdiction?

The PDPA allows limited exemptions to balance privacy protection with practical needs. The law does not apply to:

  • personal or household use of data; or
  • audiovisual materials captured in public places, unless such materials are combined with information that can identify individuals.

Data collectors are also exempt from the requirement to provide notice to data subjects in certain circumstances, such as where:

  • the collection is required by law;
  • the collection is necessary to perform official or legal duties;
  • notification would impede public functions or the public interest;
  • the data subject is already aware of the collection; or
  • the activity is non-commercial and causes no harm.

Other exemptions apply to:

  • situations involving publicly available data;
  • cases where notification is impracticable;
  • research conducted for the public interest; and
  • journalistic activities.

2.3 Does the data privacy regime have extra-territorial application?

The PDPA has extraterritorial reach. The law applies not only to public and non-public agencies operating within Taiwan but also to entities outside its territory that collect, process or use the personal data of Taiwanese nationals.

This approach reflects Taiwan's intention to extend data protection beyond its borders and align with global standards. In practice, it ensures that Taiwanese data subjects receive consistent safeguards against unlawful or inappropriate handling of their personal data, even where such activities occur abroad.

The extraterritorial scope of the PDPA underscores the government's commitment to maintaining a high level of personal data protection consistent with international norms and the realities of cross-border data flows in a globalised digital economy.

3 Definitions

3.1 How are the following terms (or equivalents) defined in your jurisdiction? (a) Data processing; (b) Data processor; (c) Data controller; (d) Data subject; (e) Personal data; (f) Sensitive personal data; and (g) Consent.

(a) Data processing

This term refers to any act performed for the establishment or use of a personal data file, including the recording, input, storage, editing, correction, duplication, retrieval, deletion, output, linking or internal transmission of data.

(b) Data processor

The Personal Data Protection Act (PDPA) does not define the concept of a 'data processor'.

(c) Data controller

The PDPA does not define the concept of a 'data controller'.

(d) Data subject

A 'data subject' is any natural person whose personal data is collected, processed or used.

(e) Personal data

The term 'personal data' refers to information relating to an identified or identifiable natural person, including, but not limited to:

  • the individual's:
    • name;
    • date of birth;
    • national identification number;
    • passport number;
    • physical characteristics;
    • fingerprints;
    • marital or family status;
    • education;
    • occupation;
    • medical history;
    • medical treatment;
    • genetic information;
    • sexual life;
    • health examination records;
    • criminal history;
    • contact details;
    • financial status; or
    • social activities; and
  • any other information that may, directly or indirectly, identify such individual.

(f) Sensitive personal data

The term 'sensitive personal data' under the PDPA refers specifically to personal information concerning an individual's:

  • medical records;
  • medical treatment;
  • genetic information;
  • sexual life;
  • health examination; or
  • criminal history.

(g) Consent

Where personal data is collected, used and processed for a specific purpose, 'consent' refers to an expression of intent by the data subject permitting such processing after being informed by the data collector of all matters required to be disclosed under the law.

If the data collector has clearly informed the data subject of the required matters and the data subject does not express refusal but provides their personal data, such conduct will be presumed to constitute consent.

When personal data is collected, used or processed for purposes beyond the originally specified purpose, 'consent' means that the data subject:

  • has been explicitly informed by the collector of:
    • the additional purpose and scope of use; and
    • the potential impact of granting or withholding consent on their rights and interests; and
  • has then made a separate and explicit declaration of intent to consent.

The data collector bears the burden of proving that the data subject has given valid consent.

3.2 What other key terms are relevant in the data privacy context in your jurisdiction?

  • 'Processing': Under the PDPA, 'processing' encompasses any operation performed for the establishment or use of a personal data file. It includes, among other things, the recording, input, storage, editing, correction, duplication, retrieval, deletion, output, linking or internal transmission of data. The definition expressly includes storage, reflecting the legislature's intent to cover the entire data lifecycle from creation to deletion within the concept of 'processing'.
  • 'International transmission': The term 'international transmission' denotes the cross-border processing or use of personal data. In light of Taiwan's unique political context, the phrase 'cross-border' expressly includes data transfers involving mainland China, ensuring that the PDPA's provisions on international transmission apply equally to data flows between Taiwan and the mainland. This interpretation highlights the government's cautious stance towards data sovereignty and the protection of national and personal interests in transboundary data movements.
  • 'Personal data file': A 'personal data file' is a structured collection of personal data established according to a defined system, which may be accessed, retrieved or organised either through automated means or by other non-automated methods.

4 Registration

4.1 Is registration of data controllers and processors mandatory in your jurisdiction? What are the consequences of failure to register?

No. Under the 1994 version of the Computer-Processed Personal Data Protection Act – the predecessor to the current Personal Data Protection Act – non-public agencies were required to obtain registration and approval from the competent authority before collecting, processing, transmitting internationally or using personal data.

This ex ante approval system was abolished by the 2011 amendment, which renamed the statute and shifted to a principle-based, accountability-oriented regime. Non-public agencies are no longer subject to prior licensing but must maintain internal compliance systems and bear responsibility for any breach of statutory obligations.

4.2 What is the process for registration?

There are currently no corresponding provisions in force.

4.3 Is registered information publicly accessible?

There are currently no corresponding provisions in force.

5 Data processing

5.1 What lawful bases for processing personal data are recognised in your jurisdiction? Do these vary depending on the type of data being processed?

Under the Personal Data Protection Act (PDPA), both public and non-public agencies must identify a lawful purpose and basis before processing data.

General personal data: Public agencies may process data where necessary for statutory duties, with consent or without infringing individual rights. Non-public agencies may do so:

  • where permitted by law;
  • under contractual necessity;
  • for academic research (where data cannot identify individuals);
  • with consent;
  • to promote public interest;
  • where the data is from public sources; or
  • where no rights are infringed.

Sensitive personal data: The processing of medical, genetic, sexual, health or criminal data is allowed only where:

  • authorised by law;
  • required for statutory or legal duties;
  • publicly disclosed by the subject;
  • used for public interest research (without identification); or
  • the data subject has given written consent. Consent is invalid if it is:
    • contrary to the law;
    • excessive in purpose; or
    • against the subject's true intent.

5.2 What key principles apply (eg, notice) when processing personal data in your jurisdiction? Do these vary depending on the type of data being processed? Or on whether it is outsourced?

The legislative philosophy of the PDPA is rooted in the 1980 Organisation for Economic Co-operation and Development's (OECD) Privacy Guidelines. The PDPA's structure and intent closely mirror the OECD's eight foundational privacy principles, which continue to underpin most modern international data-protection frameworks. These principles are:

  • collection limitation;
  • data quality;
  • purpose specification;
  • use limitation;
  • security safeguards;
  • openness;
  • individual participation; and
  • accountability.

The PDPA applies stricter standards to the collection and use of sensitive personal data. Such data may generally be collected or processed only:

  • under explicit statutory authorisation; or
  • when appropriate de-identification and security measures are implemented.

The PDPA provides that any entity entrusted by a public or non-public agency to collect, process or use personal data is, within the scope of the PDPA, deemed to be the same as the entrusting agency. Consequently, outsourcing or delegation does not exempt the principal agency from its statutory responsibilities.

5.3 What other requirements, restrictions and best practices should be considered when processing personal data in your jurisdiction?

Beyond the general principles and obligations of the PDPA, Taiwan's data protection regime imposes additional restrictions on cross-border data transfers. Pursuant to the PDPA, the competent authority may, where necessary for national security or for the protection of data subjects' rights and interests, restrict or prohibit the transfer of personal data to designated countries or regions.

Certain regulated industries are subject to heightened data security and governance obligations. For instance, financial institutions must formulate comprehensive data security and maintenance operating standards as part of their internal compliance framework. These standards must be:

  • approved by:
    • the institution's board of directors; or
    • in the case of a foreign bank branch in Taiwan, a duly authorised representative of the head office; and
  • subsequently filed with the competent authority for record.

6 Data transfers

6.1 What requirements and restrictions apply to the transfer of data to third parties?

Under the Personal Data Protection Act (PDPA), any third party that receives personal data through transfer or disclosure must adhere strictly to the scope, purposes of use and categories of recipients as originally notified to and consented by the data subject at the time of collection. Should the recipient intend to process or use the data beyond these authorised parameters, it must provide a renewed notice to the data subject in accordance with the PDPA.

Where a public or non-public agency collects personal data that has not been directly provided by the individual, it must, before processing or using that data, inform the individual of the data source and key information including:

  • the identity of the collector;
  • the purposes of collection;
  • the categories of data involved;
  • the scope and methods of use; and
  • the individual's rights in relation to the data.

6.2 What requirements and restrictions apply to the transfer of data abroad? Do these vary depending on the destination?

The PDPA authorises the central competent authority to restrict or prohibit international transfers of personal data by non-public agencies under specific circumstances. Such restrictions may be imposed where:

  • the transfer concerns matters of significant national interest;
  • an international treaty or agreement provides otherwise;
  • the recipient country or territory lacks adequate personal data protection laws, thereby posing a risk of infringement of the rights and interests of data subjects; or
  • the transfer is conducted indirectly through a third country or region for the purpose of evading the PDPA.

6.3 What other requirements, restrictions and best practices should be considered when transferring personal data, both within your jurisdiction and abroad?

In addition to the statutory requirements set out under the PDPA, it is necessary to consider whether the recipient of the data transfer:

  • has implemented appropriate personal data protection measures; or
  • possesses sufficient capability to maintain or comply with Taiwan's relevant personal data protection requirements (eg, fulfilling renewed notification obligations).

Moreover, Taiwan's regulatory framework concerning the competent authority for personal data protection and the internal management personnel responsible for data protection within organisations remains at the draft stage. Accordingly, it is essential to monitor the progress of relevant legislative developments to ensure clarity regarding:

  • the competent authority;
  • the procedures for responding to personal data breaches; and
  • the designation of responsible personnel within companies.

7 Rights of data subjects

7.1 What rights do data subjects enjoy with regard to the processing of their personal data? Do any exemptions apply?

The Personal Data Protection Act (PDPA) establishes a comprehensive framework for the protection of individual rights, granting every data subject the ability to control the collection, processing and use of their personal data. The rights conferred include:

  • the right to inquire about or request access to personal data;
  • the right to request copies of such data;
  • the right to request the supplementation or correction of inaccurate or incomplete information;
  • the right to request the cessation of the collection, processing or use of personal data; and
  • the right to request the deletion of personal data.

These rights collectively reflect the principle of informational self-determination, ensuring that individuals retain meaningful control over their personal information throughout its lifecycle.

Non-public agencies engaging in direct marketing must, at the time of the first marketing communication, provide data subjects with a clear and accessible means of refusing further marketing activities. The cost associated with such refusal mechanisms must be borne entirely by the marketer.

7.2 How can data subjects seek to exercise their rights in your jurisdiction?

Under the PDPA, both public and non-public agencies that collect personal data have a statutory obligation to inform data subjects of the procedures available for exercising their rights.

In practice, this obligation is typically fulfilled by providing accessible contact channels – such as a customer service email address, telephone hotline or designated contact person – through which individuals may submit inquiries, correction requests or objections relating to the collection, processing or use of their personal data.

7.3 What remedies are available to data subjects in case of breach of their rights?

Where an individual's personal data rights are infringed, the PDPA grants the injured party the right to seek compensation through civil proceedings. Liability arises where the unlawful collection, processing or use of personal data causes harm to the data subject, and damages may be claimed in accordance with the Civil Code. This mechanism provides a private right of action to ensure redress and deterrence.

Beyond civil compensation, criminal sanctions may also apply where the violator acts with intent to obtain an unlawful benefit or to cause harm to another.

In parallel with judicial remedies, individuals may also file reports or complaints with the central competent authority or the relevant municipal or county (city) government. Such administrative channels allow regulators to investigate, impose administrative fines and order corrective measures, thereby complementing private and criminal enforcement mechanisms.

8 Compliance

8.1 Is the appointment of a data protection officer mandatory in your jurisdiction? If so, what are the consequences of failure to do so?

On 17 October 2025, Taiwan's Legislative Yuan passed at third reading a major amendment to the Personal Data Protection Act (PDPA). The amendment introduces a new requirement for public agencies to establish the position of personal data protection officer (PDPO), responsible for:

  • overseeing compliance;
  • coordinating internal data protection policies; and
  • liaising with the supervisory authority.

The amended PDPA is expected to take effect upon the formal establishment of the Personal Data Protection Commission, which will announce the implementation date.

For non-public agencies in the private sector, the amended PDPA does not currently mandate the appointment of a PDPO. However, private organisations are encouraged to designate internal personnel or departments to manage data protection compliance in anticipation of future regulatory developments.

8.2 What qualifications or other criteria must the data protection officer meet?

Under the amended PDPA, the PDPO will be designated by the head of each public agency. The officer will be responsible for:

  • overseeing compliance with the PDPA;
  • managing internal data protection policies; and
  • coordinating responses to personal data breaches.

Notably, the amendment does not extend this requirement to non-public agencies (private sector organisations). While private entities remain subject to the general compliance obligations of the PDPA, the appointment of a PDPO within such organisations is currently encouraged but not mandatory.

8.3 What are the key responsibilities of the data protection officer?

The PDPO's responsibilities encompass the formulation, implementation and oversight of data protection policies, including the establishment of personal data file security maintenance measures to prevent the theft, alteration, damage, loss or unauthorised disclosure of personal data.

8.4 Can the role of the data protection officer be outsourced in your jurisdiction? If so, what requirements, restrictions and best practices should be considered in this regard?

Under the PDPA, the position of PDPO within public agencies may not be outsourced or delegated to external service providers. The PDPO must be an internal officer formally designated by the head of the respective public agency, ensuring direct accountability and institutional integrity in the performance of data protection duties.

8.5 What record-keeping and documentation requirements apply in the data privacy context?

Under the PDPA, personal data must be deleted or destroyed once:

  • the period covered by the data subject's consent has expired; or
  • the original purpose of use has been fulfilled.

Continued retention or processing of such data beyond the authorised scope is strictly prohibited unless otherwise provided by law.

In addition, business entities must implement personal data file security maintenance plans in accordance with the standards and guidelines promulgated by their respective competent authorities. These plans must include internal control measures, access management and technical safeguards to ensure the integrity and confidentiality of personal data throughout its lifecycle.

8.6 What other requirements, restrictions and best practices should be considered from a compliance perspective in the data privacy context?

When planning, implementing, reviewing and improving a personal data security maintenance plan, organisations may refer to:

  • international standards for personal information management systems and information security management systems; and
  • the guidance issued by relevant industry regulators.

9 Data security and data breaches

9.1 What obligations apply to data controllers and processors to preserve the security of personal data?

Any entity that holds personal data files must implement appropriate technical and organisational security measures to prevent personal data from being:

  • stolen;
  • altered;
  • damaged;
  • lost; or
  • unlawfully disclosed.

This fundamental duty applies throughout the entire data lifecycle and reflects the Personal Data Protection Act's (PDPA) emphasis on preventive risk management and accountability.

Non-public agencies must implement the security maintenance plans established by the competent authorities, which include:

  • organising personal data protection teams;
  • identifying and inventorying the scope of personal data held;
  • ensuring the security of storage equipment;
  • assessing the risks of potential incidents;
  • conducting internal employee training; and
  • establishing internal procedures for handling incidents when they occur.

9.2 Must data breaches be notified to the regulator? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

In the event of a personal data incident, the organisation must:

  • report the matter to the competent authority;
  • take immediate and effective response measures to prevent further escalation; and
  • document the relevant facts, impacts and remedial actions taken for future inspection or audits by the competent authority.

If the incident constitutes a major case that significantly affects the public, the competent authority:

  • may require the organisation to provide an official explanation of the data breach; and
  • will initiate an administrative investigation.

9.3 Must data breaches be notified to the affected data subjects? If so, what information must be provided and what is the process for doing so? If not, under what circumstances is voluntary notification of a data breach expected?

Pursuant to the PDPA, an organisation that becomes aware of any unlawful infringement involving personal data must notify the affected data subjects within 24 hours. The purpose of this obligation is to ensure that individuals:

  • are promptly informed of the breach; and
  • may take appropriate remedial actions or pursue legal remedies.

The notification must clearly state:

  • the facts and circumstances of the data breach;
  • the remedial or containment measures that have been taken; and
  • the contact information, such as a dedicated hotline or enquiry channel, through which the data subject may obtain further details.

While the PDPA does not prescribe a fixed format, its Enforcement Rules require that notification be made in a timely and appropriate manner, which may include:

  • oral communication;
  • written notice;
  • telephone call;
  • text message;
  • email;
  • fax;
  • electronic document; or
  • any other method that is reasonably capable of ensuring that the data subject is informed.

Where individual notification would involve disproportionate costs, organisations may resort to public disclosure – such as via the Internet, mass media or other appropriate channels – provided that such announcements protect the privacy of affected individuals by avoiding the disclosure of directly or indirectly identifiable information.

9.4 What other requirements, restrictions and best practices should be considered in the event of a data breach?

In the event of a personal data breach, organisations should:

  • promptly evaluate the sensitivity, quantity and potential impact of the compromised data; and
  • immediately establish a dedicated contact point for affected data subjects.

This contact mechanism – such as a hotline, dedicated email address or online portal – serves as the primary interface for individuals to exercise their statutory rights under the PDPA.

10 Employment issues

10.1 What requirements and restrictions apply to the personal data of employees in your jurisdiction?

According to the Employment Service Act, employers, when recruiting or employing workers, must not:

  • against the will of the job applicant or employee, retain their:
    • national identification card;
    • work permit; or
    • other personal documents; or
  • request the provision of personal data that are not necessary for employment purposes.

Such data includes:

  • biometric or physiological information – for example:
    • genetic testing;
    • medical testing;
    • HIV testing;
    • intelligence testing; or
    • fingerprints; and
  • personal life information, such as:
    • credit records;
    • criminal records;
    • pregnancy plans; or
    • background checks.

When requesting personal data from job applicants or employees, employers:

  • must respect the individual's rights and interests; and
  • may not request data beyond the scope necessary for the specific purpose, whether justified by economic need or by the protection of the public interest.

The data requested must have a legitimate and reasonable connection with the purpose.

10.2 Is the surveillance of employees allowed in your jurisdiction? What requirements and restrictions apply in this regard?

Employers are permitted, within reasonable limits, to supervise employees' performance of their work duties in order to maintain business order and protect corporate property. However, such monitoring:

  • must comply with the principles of proportionality, necessity and transparency; and
  • may not infringe upon employees' privacy rights protected under the Personal Data Protection Act (PDPA).

To lawfully implement workplace monitoring, employers should adhere to the following key requirements:

  • Duty of notification: Employers must clearly and proactively inform employees of the organisation's monitoring policy, specifying the scope, purpose, method and types of personal data that will be collected. Transparent notification not only fulfils the statutory notice requirement but also reduces employees' reasonable expectation of privacy regarding the use of company systems and devices.
  • Specific purpose and necessity: Under the PDPA, the collection, processing or use of employee personal data must be carried out:
    • for a specific and legitimate business purpose; and
    • within the scope necessary to achieve that purpose.
  • Legal basis or consent: The processing of employee personal data must be grounded in one of the lawful bases enumerated under the PDPA – for example:
    • through the employee's written consent; or
    • where the processing is necessary for the performance of the employment contract.
  • Balancing of interests and minimisation principle: In implementing monitoring activities, employers must adopt the least intrusive means capable of achieving legitimate business goals.

10.3 What other requirements, restrictions and best practices should be considered from an employment perspective in the data privacy context?

To ensure compliance with the PDPA and to uphold employees' right to privacy, companies should establish a clear and transparent workplace monitoring policy. This policy should be:

  • formalised in writing;
  • preferably incorporated into the organisation's work rules or internal regulations; and
  • communicated to employees in advance through accessible and verifiable means.

Doing so:

  • fosters transparency;
  • mitigates disputes; and
  • satisfies the PDPA's notification requirements.

Furthermore, companies should encourage employees to avoid using company equipment for personal affairs, thereby maintaining a clear boundary between professional and private use. The scope of monitoring:

  • must be limited strictly to work-related activities conducted on company-provided systems or devices; and
  • must not extend to private communications or the use of personal devices.

For example, if network traffic monitoring is implemented to ensure operational efficiency or cybersecurity, the employer's oversight should focus solely on system performance metrics and not on the content of employees' communications.

11 Online issues

11.1 What requirements and restrictions apply to the use of cookies in your jurisdiction?

Under the Personal Data Protection Act (PDPA), 'personal data' is defined as information that can identify an individual directly or indirectly. Accordingly, cookies and similar online identifiers are regarded as personal data under Taiwanese law.

11.2 What requirements and restrictions apply to cloud computing services in your jurisdiction from a data privacy perspective?

When government agencies procure or deploy cloud computing services, stringent information security and national security measures apply. In accordance with current administrative directives, government bodies must observe the following requirements:

  • Prohibition on Chinese cloud providers: The use of cloud computing service providers originating from mainland China is strictly prohibited.
  • Restriction on Chinese information and communication technology (ICT) products: All ICT products, including hardware, software and related services, employed in government cloud systems must not be of mainland-Chinese brands. For offshore cloud service providers, personnel engaged in service execution must:
    • implement internationally recognised security clearance and personnel control mechanisms; and
    • obtain appropriate certification.
  • Cloud providers using self-developed white-label equipment are temporarily exempted.

Data centres and backups must not be located in mainland China, Hong Kong or Macao, and data transmission to these regions is banned. These restrictions reflect Taiwan's national cybersecurity policy to reduce geopolitical and supply chain risks.

For private entities, overseas storage of personal data is allowed only if the destination ensures protection equivalent to Taiwan's PDPA. Transfers to inadequate jurisdictions may be restricted and entities must notify data subjects when their data is transmitted or processed abroad.

11.3 What other requirements, restrictions and best practices should be considered from a marketing perspective in the online and networked context?

If customer personal data is to be stored in the cloud, it is advisable to enter into a written agreement with the cloud service provider that clearly stipulates information security and personal data protection obligations. Such provisions should specify, among other things:

  • the location of data storage;
  • access control and authorisation management; and
  • data breach notification mechanisms.

It is also recommended to prioritise cooperation with cloud service providers that have obtained internationally recognised information security and privacy certifications, such as ISO/IEC 27001 and ISO/IEC 27701.

12 Disputes

12.1 In which forums are data privacy disputes typically heard in your jurisdiction?

The forum and procedure for resolving disputes arising from the Personal Data Protection Act (PDPA) depend on the legal nature of the alleged violation, as personal data infringements may give rise to administrative, civil or criminal proceedings.

If a non-public agency is sanctioned by the competent authority for violating the PDPA, the affected party may file an administrative appeal in accordance with administrative procedures, which will be reviewed by the designated appeal authority. If the party is dissatisfied with the appeal decision, it may further pursue an administrative lawsuit before the Administrative Court.

Where the dispute involves civil liability, such as a claim for damages resulting from a data breach, the matter will be heard by the civil courts under ordinary civil litigation procedures.

For disputes involving criminal liability, the prosecutorial authority will first conduct an investigation to determine whether the case meets the requirements for indictment. Upon indictment, the case will be tried by the criminal court. If the victim instead chooses to file a private prosecution, the case proceeds directly to criminal trial.

12.2 What issues do such disputes typically involve? How are they typically resolved?

Such disputes often involve situations where an individual intentionally discloses another person's personal data, which may constitute a criminal offence under the PDPA.

The victim may also, pursuant to the Civil Code, claim damages from the wrongdoer under the provisions governing tort liability.

In practice, such cases are usually handled first through criminal proceedings, and the victim may subsequently pursue civil damages through an incidental civil action within the criminal process.

Furthermore, if the case involves a massive data breach committed by a company, the competent authority will conduct an investigation. If the company is found to have acted negligently or in violation of the PDPA, it may be subject to administrative penalties and will be required to rectify the deficiencies without delay.

12.3 Have there been any recent cases of note?

Recent enforcement cases demonstrate Taiwan's increasingly stringent application of the PDPA and the authorities' emphasis on corporate accountability for safeguarding personal information.

iRent data breach (2023): In 2023, a major data breach occurred at iRent, a car-sharing service operated by Hotai Motor Co. The competent authority's investigation revealed that the incident involved the unauthorised disclosure of approximately 400,000 personal data records. Given the magnitude of the breach and its potential impact on data subjects, the authority imposed an administrative fine and ordered iRent to implement corrective measures to ensure full compliance with the PDPA and relevant data security obligations.

Taishin Bank Misdelivery Incident (2025): On 8 May 2025, Taishin Bank was fined after a system configuration error led to the misdelivery of postal correspondence, resulting in the inadvertent disclosure of personal data belonging to 1,447 customers. While the bank maintained a relatively mature internal control and data protection framework, the incident highlighted:

  • the risks associated with systemic process errors; and
  • the importance of continuous monitoring and review of automated operations.

13 Trends and predictions

13.1 How would you describe the current data privacy landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

Taiwan is in the process of establishing an independent Personal Data Protection Commission (PDPC) as the central regulatory authority responsible for the unified supervision and enforcement of the Personal Data Protection Act (PDPA). A preparatory office for the PDPC is currently operational, reflecting the government's commitment to building a specialised and autonomous data protection institution comparable to the supervisory authorities found in advanced jurisdictions.

The reform of Taiwan's data protection framework remains progressive and phased, with ongoing legislative updates aimed at strengthening enforcement capabilities and institutional coherence. Under the existing regime, non-public agencies continue to be monitored by their respective central or local competent authorities, depending on their sectoral activities. Upon the PDPC's formal establishment, the PDPC will initially assume jurisdiction over non-public agencies that lack a defined competent authority.

For sectors already regulated by specific supervisory bodies, transitional provisions will apply. During this transitional phase, the existing regulatory structure will remain in place while oversight powers are gradually transferred to the PDPC.

Looking forward, the regulatory landscape is expected to evolve towards:

  • heightened scrutiny of data breach reporting; and
  • enhanced expectations for corporate information security governance.

Within the next 12 months, the subordinate legislation governing the appointment, qualifications and responsibilities of personal data protection officers in public agencies is also expected to be promulgated, completing a critical component of Taiwan's modernised data protection infrastructure.

14 Tips and traps

14.1 What are your top tips for effective data protection in your jurisdiction and what potential sticking points would you highlight?

Enterprises should align their internal data protection frameworks with the Personal Data File Security Maintenance Plan templates and accompanying regulations promulgated by their respective competent authorities. These sector-specific templates provide practical guidance for designing, implementing and auditing internal data governance systems that comply with the Personal Data Protection Act (PDPA).

Entities in highly regulated sectors – such as finance, healthcare and telecommunications – must adopt strict technical and organisational safeguards in accordance with regulations issued by the Financial Supervisory Commission, the Ministry of Health and Welfare and the National Communications Commission, which govern the security maintenance of personal data files for non-public agencies and hospitals.

These regulations articulate the minimum standards for access control, encryption, employee training and incident response, forming the backbone of industry-specific compliance obligations.

Following the recent passage of the PDPA amendment, the new law will enter into force after the public notice period and upon the formal establishment of the Personal Data Protection Commission (PDPC). The legislative trajectory clearly signals a move towards stricter regulatory enforcement and enhanced corporate accountability in personal data governance.

Upon its formal establishment, the PDPC will assume primary responsibility for the approval, supervision and enforcement of personal data security maintenance plans. This institutional development will mark a pivotal step towards the unification of data protection governance in Taiwan.

Accordingly, regulated entities should take early preparatory action – such as revising internal policies, upgrading technical controls and strengthening accountability structures – to ensure readiness for the forthcoming regulatory environment.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
