Chapter I General Provisions
|
| Article 1 | Personal Information Protection Act (hereinafter “this Law”) is enacted to govern the collection, processing and use of personal information so as to prevent harm to personality rights, and to facilitate the proper use of personal information.
|
|
| Article 1-1 | The competent authority of the PDPA is the Personal Data Protection Commission (the "PDPC"). |
| Article 1-2 | The central government and local governments at all levels shall endeavor to coordinate and implement specific measures to achieve the legislative objectives of the PDPA, ensuring that government agencies under their jurisdiction and non-government agencies under their supervision comply with the PDPA when performing their duties and conducting their businesses, jointly establishing a secure and trustworthy environment for personal data protection. To implement matters related to personal data protection, the competent authority may coordinate a personal data protection policy promotion meeting; the regulations on the operational procedures and other relevant matters shall be prescribed by the competent authority. |
|
| Article 2 | The terms used herein denote the following meanings:
- Personal information: the name, date of birth, I.D. Card number, passport number, characteristics, fingerprints, marital status, family, education, occupation, medical record, medical treatment, genetic information, sexual life, health examination, criminal record, contact information, financial conditions, social activities and other information which may be used to identify a natural person, both directly and indirectly;
- Personal information file: A collection of personal information built to allow information retrieval and management by automatic or non-automatic measures;
- Collection: To collect personal information in any form and way;
- Processing: To record, input, store, compile, correct, duplicate, retrieve, delete, output, connect or internally transmit information for the purpose of establishing or using a personal information file;
- Use: All methods of personal information use other than processing;
- International transmission: The cross-border processing or use of personal information;
- Government agency refers to a government agency or administrative juridical person at the central or local government level which is empowered to exercise sovereign power;
- Non-government agency refers to the natural persons, juridical persons or groups other than those stated in the preceding item;
- The Party means an individual of whom the personal information has been collected, processed or used in accordance with this Law.
|
|
| Article 3 | The following rights should be exercised by the Party with regard to his personal information and should not be waived in advance or limited by a specific agreement:
- any inquiry and request for a review of the personal information;
- any request to make duplications of the personal information;
- any request to supplement or correct the personal information;
- any request to discontinue collection, processing or use of personal information; and
- any request to delete the personal information.
|
| Article 4 | Whoever is commissioned by a government agency or non-government agency to collect, process or use personal information should be considered the commissioning agency within the scope of this Law.
|
| Article 5 | The rights and interests of the Party should be respected in collecting, processing or using personal information and the information should be handled in accordance with the principle of bona fide. It should not go beyond the purpose of collection and should be reasonable and fair.
|
| Article 6 | Personal information of medical records, medical treatment, genetic information, sexual life, health examination and criminal records should not be collected, processed or used. However, the following situations are not subject to the limits set in the preceding sentence:
- when in accordance with law;
- when it is necessary for a government agency to perform its legal duties or for a non-government agency to fulfill its legal obligation, and proper security measures are adopted prior or subsequent to such collection, processing or use;
- when the Party has made public such information by himself, or when the information concerned has been publicized legally;
- where it is necessary to perform statistical or other academic research, a government agency or an academic research institution collects, processes, or uses personal information for the purpose of medical treatment, public health, or crime prevention. The information may not lead to the identification of a specific person after its processing by the provider, or from the disclosure by the collector;
- where it is necessary to assist a government agency in performing its legal duties or a non-government agency in fulfilling its legal obligations, and proper security measures are adopted prior or subsequent to such collection, processing, or use;
- where the Party has consented in writing; unless such consent exceeds the necessary scope of the specific purpose; the collection, processing or use merely with the consent of the Party is prohibited by other statutes; or such consent is against the Party’s will.
Article 8 and Article 9 shall apply mutatis mutandis to the collection, processing, or use of personal information in accordance with the preceding Paragraph; Paragraphs 1, 2 and 4 of Article 7 shall apply mutatis mutandis to the written consent specified in Item 6 of the preceding Paragraph. The notification should be in written form.
|
| Article 7 | "Consent", as referred to in subparagraph 2, paragraph 1 of Article 15 and subparagraph 5, paragraph 1 of Article 19, means a declaration of agreement given by a data subject after he/she has been informed by the data collector of the information required under the PDPA. "Consent", as referred to in subparagraph 7, paragraph 1 of Article 16 and subparagraph 6, paragraph 1 of Article 20, means a separate declaration of agreement given by a data subject after he/she has been informed by the data collector of any of the purposes other than that originally specified, the scope of other use, and the impact of giving or not giving consent on the rights and interests of the data subject. The data subject's consent may be presumed given pursuant to subparagraph 2, paragraph 1 of Article 15 and subparagraph 5, paragraph 1 of Article 19 if the data subject does not indicate his/her objection and affirmatively provides his/her personal data after the government or non-government agency has informed the data subject of the relevant information specified in paragraph 1 of Article 8 of the PDPA. The data collector shall bear the burden of proof regarding the fact that the data subject has given the consent prescribed under the PDPA. |
| Article 8 | The following items should be told precisely to the Party by a government agency or non-government agency, in accordance with Article 15 or Article 19:
- the name of the government agency or the non-government agency;
- purpose of collection;
- classification of the personal information;
- time period, area, target and way of the use of personal information;
- rights of the Party and ways to exercise them as prescribed in Article 3;
- the influence on his rights and interests while the Party chooses not to provide his personal information;
The following situations may be exempted from the notice prescribed in the preceding Paragraph:
- when in accordance with law;
- when the collection of personal information is necessary for the government agency to perform its official duties or the non-government agency to fulfill the legal obligation;
- when the notice will impair the government agency in performing its official duties;
- when the notice will impair public interests;
- when the Party should have known the content of the notification already;
- when the collection of personal information is for non-profit purposes and clearly does not cause any detriment to the Party.
|
| Article 9 | Government or non-government agencies shall, before processing or using the personal data collected in accordance with Article 15 or 19 which was not provided by the data subject, inform the data subject of their source of data and other information specified in subparagraphs 1 through 5, paragraph 1 of the preceding article. The obligation to inform as prescribed in the preceding paragraph may be exempt under any of the following circumstances: 1.under any of the circumstances provided in paragraph 2 of the preceding article; 2.where the personal data has been manifestly made public by the data subject or publicized legally; 3.where it is unable to inform the data subject or his/her legal representative; 4.where it is necessary for statistics gathering or academic research in pursuit of public interests, provided that such data, as processed by the data provider or as disclosed by the data collector, may not lead to the identification of a specific data subject; or 5.where the personal data is collected by mass communication enterprises for the purpose of news reporting for the benefit of public interests. The obligation to inform as prescribed in paragraph 1 may be performed at the time of the first use of the personal data towards the data subject. |
| Article 10 | Upon the request of the Party, the government agency or non-government agency should reply to the inquiry, offer a review or provide duplications of the personal information collected, except in the following situations:
- when the national security, diplomatic and military secrets, the macro-economic interests or other major national interests may be harmed;
- when the performance of official duties may be interfered with; and
- when the major interests of the collecting agency or a third person may be affected.
|
| Article 11 | The government agency or the non-government agency should ensure the accuracy of personal information, and correct or supplement it, ex officio or upon the request of the Party.
In the event of a dispute regarding the accuracy of personal information, its processing or use shall be ceased voluntarily or upon the request of the Party, unless the processing or use is either necessary for the performance of an official duty or fulfillment of a legal obligation, or agreed to by the Party in writing, and the dispute has been recorded.
The information collected should be deleted, discontinued to process or use, ex officio or upon the request of the Party when the specific purpose no longer exists or time period expires. However, the preceding sentence may not be applicable when it is necessary for the performance of an official duty or fulfillment of a legal obligation and has been recorded, or when it is agreed by the Party in writing.
The information collected should be deleted, discontinued to process or use, ex officio or upon the request of the Party in the cases where a violation of this Law occurred during collecting, processing or using that information.
Where the failure to correct or supplement personal information is attributable to the government agency or the non-government agency, the persons to whom the personal information was provided should be notified after the correction or supplement.
|
| Article 12 | When a government or non-government agency becomes aware that the personal data it holds has been stolen, altered, damaged, lost, or leaked, it shall notify the data subject. Where the circumstances described under the preceding paragraph fall within a specified scope of report, the government or non-government agency shall submit reports to the following authorities: 1.Government agencies shall submit reports to the competent authority and the authorities designated under Paragraph 1, Article 21-1 to receive reports on their implementation status. 2.Non-government agencies shall submit reports to the competent authority. Upon receiving the reports, the competent authority shall also inform the authorities in charge of the industries concerned. Under the circumstances described under Paragraph 1, the government or non-government agency shall take immediate and effective countermeasures to prevent the incident from escalating, document the relevant facts, impacts, and response measures taken, and preserve the relevant records for inspection by the competent authority. The regulations on the content, method, time limit, and scope of notification or reporting, countermeasures, record retention, and other relevant matters under the preceding three paragraphs shall be prescribed by the competent authority. |
| Article 13 | Where a request is made by the Party to the government agency or the non-government agency pursuant to Article 10, it should be determined within fifteen days. It may be extended to a time period of no longer than fifteen days when necessary and the Party should be notified of that in writing.
Where a request is made by the Party to the government agency or the non-government agency pursuant to Article 11, it should be determined within thirty days. It may be extended to a time period of no longer than thirty days when necessary and the Party should be notified of that in writing.
|
| Article 14 | The government agency or the non-government agency may charge a fee to those who make an inquiry or request to review, or make duplications of the personal information.
|
|
Chapter II Data Collection, Processing and Use by a Government Agency
|
| Article 15 | Except for the personal data specified under paragraph 1 of Article 6, the collection or processing of personal data by government agencies shall be for specific purposes and on one of the following bases: 1.where it is within the necessary scope to perform its statutory duties; 2.where consent has been given by the data subject; or 3.where the rights and interests of the data subject will not be infringed upon. |
| Article 16 | Except for the personal data specified under paragraph 1 of Article 6, government agencies shall use personal data only within the necessary scope of their statutory duties and for the specific purpose of collection; the use of personal data for another purpose shall be only on any of the following bases: 1.where it is expressly required by law; 2.where it is necessary for ensuring national security or furthering public interests; 3.where it is to prevent harm to the life, body, freedom, or property of the data subject; 4.where it is to prevent material harm to the rights and interests of others; 5.where it is necessary for statistics gathering or academic research by a government agency or an academic institution for public interests; provided that such data, as processed by the data provider or as disclosed by the data collector, may not lead to the identification of a specific data subject; 6.where it is for the data subject's rights and interests; or 7.where consent has been given by the data subject. |
| Article 17 | The government agency may publicize the following items on the Internet or by other proper means for inquiries; the above provisions are applicable to amendment thereof:
- name of personal information file;
- name of the government agency keeping the personal information file and its contact information;
- basis and purpose of keeping the file;
- classification of personal information.
|
|
| Article 18 | Government agencies shall appoint a Personal Data Protection Officer, designated by the head of the agency from among suitable personnel to serve concurrently with their original position. Adequate personnel and resources shall be allocated to this officer, who shall be responsible for coordinating, promoting, supervising, and evaluating matters related to personal data protection within the agency, its subordinate agencies, and agencies under its supervision. Government agencies shall designate personnel to handle the security and maintenance of personal data files, preventing the theft, alteration, damage, loss, or leakage of personal data. The regulations on the security and maintenance, management mechanisms, measures to be taken, and other related matters concerning personal data files shall be prescribed by the competent authority. Government agencies shall not impose unfavorable disciplinary actions or take management measures against personnel for lawfully performing personal data protection duties. The competent authority shall properly plan and implement competency training for the personnel referred to under Paragraphs 1 and 2 to enhance their professional knowledge and skills in personal data protection. The regulations on the duties, competency requirements, training, and other relevant matters for the personnel referred to under Paragraphs 1 and 2 shall be prescribed by the competent authority. |
Chapter III Data Collection, Processing and Use by a Non-government Agency
|
| Article 19 | Except for the personal data specified under paragraph 1 of Article 6, the collection or processing of personal data by non-government agencies shall be for specific purposes and on one of the following bases: 1.where it is expressly required by law; 2.where there is a contractual or quasi-contractual relationship between the non-government agency and the data subject, and proper security measures have been adopted to ensure the security of the personal data; 3.where the personal data has been manifestly made public by the data subject or publicized legally; 4.where it is necessary for statistics gathering or academic research by an academic institution in pursuit of public interests, provided that such data, as processed by the data provider or as disclosed by the data collector, may not lead to the identification of a specific data subject; 5. where consent has been given by the data subject; 6.where it is necessary for furthering public interests; 7.where the personal data is obtained from publicly available sources unless the data subject has an overriding interest in prohibiting the processing or use of such personal data; or 8.where the rights and interests of the data subject will not be infringed upon. A data collector or processor shall, on its own initiative or upon the request of the data subject, erase or cease processing or using the personal data when it becomes aware of, or upon being notified by the data subject, that the processing or use of the personal data should be prohibited pursuant to the proviso to subparagraph 7 of the preceding paragraph. |
| Article 20 | Except for the personal data specified in paragraph 1 of Article 6, non-government agencies shall use personal data only within the necessary scope of the specific purpose of collection; the use of personal data for another purpose shall be only on any of the following bases: 1.where it is expressly required by law; 2.where it is necessary for furthering public interests; 3.where it is to prevent harm to the life, body, freedom, or property of the data subject; 4.where it is to prevent material harm to the rights and interests of others; 5.where it is necessary for statistics gathering or academic research by a government agency or an academic institution for public interests; provided that such data, as provided by the data provider or disclosed by the data collector, may not lead to the identification of a specific data subject; 6.where consent has been given by the data subject; or 7.where it is for the data subject's rights and interests. When a non-government agency uses personal data for marketing purpose pursuant to the preceding paragraph, upon the data subject's objection to such use, the agency shall cease using the data subject's personal data for marketing. Non-government agencies, when using the data subject’s personal data for marketing purpose for the first time, shall provide the data subject the ways that he/she can object to such use, and the agency shall pay for the fees therefrom. |
| Article 20-1 | Non-government agencies possessing personal data files shall implement security and maintenance measures to prevent the theft, alteration, damage, loss, or leakage of personal data. The regulations on the security and maintenance, management mechanisms, measures to be taken, and other related matters concerning personal data files as referred to under the preceding paragraph shall be prescribed by the competent authority. |
|
| Article 21 | If a cross-border transfer of personal data is carried out by a non-government agency under any of the following circumstances, the competent authority may impose restrictions on such transfer: 1.where major national interests are involved; 2.where an international treaty or agreement so stipulates; 3.where the country receiving the personal data lacks proper regulations on protection of personal data and the data subjects’ rights and interests may consequently be harmed; or 4.where the cross-border transfer of the personal data to a third country (territory) is carried out to circumvent the PDPA. |
Chapter III-1 Administrative Supervision
|
Section 1 Supervision on Government Agencies
|
| Article 21-1 | Government agencies shall submit reports annually regarding the implementation status on their management and protection of personal data to their superior agencies or supervisory agencies. Where no superior agency or supervisory agency exists, the following provisions shall apply: 1.The Office of the President, the National Security Council, and the Five Yuans of government shall submit reports to the competent authority. 2.Special municipal governments, special municipal councils, county (city) governments, and county (city) councils shall submit reports to the competent authority. 3.The offices of mountain indigenous districts in special municipalities and their representative councils shall submit reports to the special municipal government; township (town, city) offices and their representative councils shall submit reports to the county government. Government agencies shall supervise and audit the implementation of protection and management of personal data by their subordinate or supervised government agencies, township (town, city) offices under their jurisdiction, offices of mountain indigenous districts in special municipalities, and representative councils of townships (towns, cities) and mountain indigenous districts in special municipalities. If deficiencies or areas requiring rectification are identified during the audits conducted pursuant to the preceding paragraph, the audited agency shall submit a rectification report to the auditing agency. After review, the auditing agency shall forward the report along with the audit findings to the competent authority. When deemed necessary, the auditing agency or competent authority may require the audited agency to provide explanations or make adjustments. 
Regarding the requirements under the preceding four paragraphs, the regulations on the required information of the implementation reports, the frequency, items, and methods of the audits, the delivery of the audit results, the procedures for submitting the rectification reports, and other related matters shall be prescribed by the competent authority. |
|
| Article 21-2 | The competent authority shall conduct periodic or ad hoc audits on the implementation of the protection and management of personal data by government agencies; when necessary, it may request assistance from the auditing authority specified under Paragraph 2 of the preceding article. If deficiencies or areas requiring rectification are identified in the audited agency’s implementation during an audit under the preceding paragraph, the audited agency shall submit a rectification report. This report shall be submitted to the authority designated to receive the implementation report under Paragraph 1 of the preceding article for review, and subsequently forwarded to the competent authority by such reviewing authority. The reviewing authority or competent authority under the preceding paragraph may, when deemed necessary, request the audited agency to provide explanations or make adjustments. Regarding the requirements under the preceding three paragraphs, the regulations on the frequency, items, and methods of the audits, the procedures for submitting the rectification reports, and other related matters shall be prescribed by the competent authority. Personnel participating in audits pursuant to the preceding article and this article shall bear a duty of confidentiality regarding any information learned or received in the course of performing such audits. |
|
| Article 21-3 | Where it is likely that a government agency may violate the PDPA, the competent authority may request the government agency to submit information and explanations, or dispatch personnel with official identification documents to conduct on-site inspections. Except where confidentiality is required by law, the government agency and its relevant personnel shall cooperate with the inspections. Where necessary, the competent authority may request assistance from the auditing authority specified under Paragraph 2, Article 21-1 for the on-site inspection referred to under the preceding paragraph. Personnel participating in the inspection shall bear a duty of confidentiality regarding any information learned or received in the course of performing such inspection. |
|
| Article 21-4 | Where a government agency violates the PDPA, the competent authority shall order it to rectify the violation within a specified time limit. The government agency shall make appropriate rectification within the time limit and shall respond in writing to the competent authority regarding the status of the rectification. Where a government agency fails to rectify the violation as required under the preceding paragraph, the competent authority may publicize its name and the facts of its violation. Where personnel of a government agency fail to act in accordance with the PDPA, they shall be subject to disciplinary sanction, action, or punishment in accordance with relevant laws and regulations, depending on the severity of the violation. |
|
| Article 21-5 | The provisions under this section do not apply to intelligence agencies. |
|
Section 2 Supervision on Non-Government Agencies
|
| Article 22 | Where the competent authority deems that a non-government agency is likely to violate the PDPA, or deems it necessary to verify its compliance with the PDPA, it may conduct inspections in the following ways: 1.notify the non-government agency or its relevant personnel to state their opinions; 2.notify the non-government agency or its relevant personnel to provide necessary documents, data, or items, or take other cooperative measures; and 3.conduct inspections independently or jointly with the central government authorities in charge of the industries concerned, special municipal governments, county (city) governments, or other relevant authorities by dispatching personnel with official identification documents, and may require relevant personnel to provide necessary explanations, take cooperative measures, or furnish relevant supporting documents. Regarding the inspection on reviewing the compliance with the PDPA as stated under the preceding paragraph, the regulations on the planning, evaluation method, the factors to be considered, the matters requiring cooperation among the central government authorities in charge of the industries concerned, special municipal governments, county (city) governments, or relevant authorities, and other related matters shall be prescribed by the competent authority. When conducting the inspections specified under Paragraph 1, the competent authority may seize or copy personal data or personal data files that may be confiscated or used as evidence. For items that are subject to seizure or required to be copied, the competent authority may require the owner, holder, or custodian thereof to present or deliver them. Where there are no legitimate grounds for refusing to present or deliver such items, or for resisting the seizure or copying, the competent authority may enforce compliance by means causing the least harm to the rights and interests of the non-government agency.
Non-government agencies and their relevant personnel shall not evade, obstruct, or refuse any notification, entry, inspection, or measures carried out pursuant to Paragraph 1 or the preceding paragraph without legitimate grounds. When conducting the inspections under Subparagraph 3, Paragraph 1, the competent authority may be accompanied by information technology, telecommunications, legal, and/or other professional personnel. Personnel participating in the inspection shall bear a duty of confidentiality regarding any information learned or received during the inspection and shall take care to preserve the reputation of the inspected party. When conducting the inspections under Paragraph 1, the competent authority may, when necessary, request the central government authorities in charge of the industries concerned, the special municipal governments, the county (city) governments, or other relevant authorities (institutions) to cooperate in taking effective measures or providing assistance. |
| Article 23 | Seized or copied items under Paragraph 3 of the preceding article shall be sealed or otherwise marked and appropriately processed. Items that are difficult to transport or store may be placed under guard or entrusted to the owner or other suitable person for safekeeping. Seized or copied items that no longer need to be retained, or where a decision has been made not to impose penalties or not to confiscate, shall be returned. However, this shall not apply to items that should be confiscated or retained for investigation into other cases. |
| Article 24 | The non-government agency and the owners, holders, custodians, or interested parties of such items may file an objection with the competent authority against the requests, enforcement, seizure, or copying under the preceding two articles. If the competent authority finds the objection under the preceding paragraph justified, it shall immediately cease or modify the action; if it finds the objection unjustified, it may continue with the action. Upon request by the objecting party, a record of the grounds regarding objection shall be prepared and provided. Where a party objects to the competent authority’s decision under the preceding paragraph, such objection may only be raised concurrently with an appeal against the substantive decision in the case. However, where the party under Paragraph 1 is legally barred from appealing the substantive decision, they may directly initiate an administrative lawsuit against the action under Paragraph 1. |
| Article 25 | Where a non-government agency violates the PDPA, the competent authority may, in addition to imposing fines as prescribed under the PDPA, impose the following penalties: 1.prohibit the collection, processing, or use of personal data; 2.order the deletion of processed personal data files; 3.confiscate or order the destruction of illegally collected personal data; and 4.publicize the violations, along with the names of the violator and the statutory representative thereof. When imposing the penalties under the preceding paragraph, the competent authority shall adopt the method that causes the least harm to the rights and interests of the non-government agency, within the scope necessary to prevent violations of the PDPA. |
|
| Article 26 | Where the competent authority finds no violation of the PDPA after an inspection pursuant to Article 22, it may publish the inspection findings with the consent of the non-government agency. |
| Article 27 | (Deleted) |
|
Chapter IV Damages and Class Action
|
| Article 28 | Government agencies shall be liable for the damages arising from injury caused by any unlawful collection, processing or use of personal data, or other infringement on the rights of data subjects due to such government agency's violation of the PDPA, unless such injury was caused by any natural disaster, emergency or other force majeure event. If an injury suffered by the victim is a non-pecuniary damage, he/she may request an appropriate amount of monetary compensation; if the injury suffered by the victim is damage to his/her reputation, the victim may request appropriate corrective measures to restore his/her reputation. Under the circumstances identified in the preceding two paragraphs, if it is difficult or impossible for the victim to prove the monetary value of the actual damage, he/she may ask the court to award the compensation in the amount of not less than NT$500 but not more than NT$20,000 per incident, per person based on the severity of the damage. Where the rights of multiple data subjects have been infringed upon due to the same incident, the total amount of compensation awarded to such data subjects shall not exceed NT$200 million. However, if the interests involved in the incident exceed NT$200 million, the compensation shall be up to the value of such interests. If the total amount of damages for the injuries attributable to the same incident exceeds the amount referred to in the preceding paragraph, the compensation payable to each victim shall not be limited to the lower end of damages, i.e. NT$500, per incident as set forth in paragraph 3 of this Article. The right of claim referred to in paragraph 2 above may not be transferred or inherited. However, this does not apply to the circumstances where monetary compensation has been agreed upon in a contract or a claim therefor has been filed with the court. |
|
| Article 29 | Non-government agencies shall be liable for the damages arising from any injury caused by any unlawful collection, processing or use of personal data, or other infringement on the rights of data subjects due to such non-government agency's violation of the PDPA, unless the non-government agency can prove that such injury is not caused by its willful act or negligence. Paragraphs 2 through 6 of the preceding article apply to the damage claims raised in accordance with the preceding paragraph. |
|
| Article 30 | The right to claim damage compensation shall terminate two years after the claimant becomes aware of the damage and of the person(s) liable for the compensation, or five years after the date the damage actually occurred.
|
|
| Article 31 | Aside from the provisions of this Law, the provisions of the State Compensation Law may be applied to a government agency, while the Civil Code may be applied to a non-government agency.
|
|
| Article 32 | A business juridical person or a charitable juridical person that brings a case to the court in accordance with this Chapter should fulfill the following conditions:
- The total registered assets of a business juridical person should reach NT$10 million or more, or the total number of members of a charitable juridical person should be 100 or more;
- The protection of personal information is set in its charter;
- It has been established for more than 3 years after its approval.
|
|
| Article 33 | The litigation brought to the court against a government agency in accordance with this Law should be subject to the exclusive jurisdiction of the district court where the agency is located. The litigation against a non-government agency is subject to the exclusive jurisdiction of the district court where its headquarters, main office of operation or domicile is located.
If the non-government agency in the preceding Paragraph is a natural person and has no place of domicile in the Republic of China, or where it is unknown, his place of residence in the Republic of China shall be deemed to be the place of domicile. Where he has no place of residence in the Republic of China or where it is unknown, his last place of domicile in the Republic of China shall be deemed to be the place of domicile. Where he has no last place of domicile, the district court where the central government is located shall have exclusive jurisdiction.
If the non-government agency mentioned in the first Paragraph is a juridical person or a group and has no headquarters or main office of operation, or the location of both is unknown, the district court where the central government is located shall have exclusive jurisdiction.
|
|
| Article 34 | For cases arising from the same cause and fact in which multiple Parties have been infringed, the business juridical person or charitable juridical person may bring a lawsuit to the court in its own name, after obtaining written authorization of litigation rights from 20 or more Parties. The Parties may withdraw their authorization in writing before the closure of the oral debate, and the court should be notified of it.
For the litigation in accordance with the preceding Paragraph, the court may, upon request or ex officio, publicize it to other Parties that may have been infringed, so that those Parties may authorize their litigation rights to the business juridical person or charitable juridical person in the preceding Paragraph within a specified period. The business juridical person or charitable juridical person may expand its claim before the closure of the oral debate.
Other Parties that have been infringed by the same cause and fact and choose not to follow the rule in the preceding Paragraph may bring the case to the court within the specified period for the court to combine the cases.
Other Parties that have been infringed by the same cause and fact may apply to the court for the announcement of the preceding Paragraph.
The announcement under the two preceding Paragraphs may be publicized on the bulletin of the court, on the Internet or at another proper location. Should the court consider it necessary, it may be posted in communiques or newspapers, and the fees should be paid by the National Treasury.
For the business juridical person or charitable juridical association that brings a case to the court in accordance with Paragraph 1 and the target amount exceeds NT$600,000, court fees for the exceeding portion should be waived.
|
|
| Article 35 | The court proceedings should be partially discontinued if the Party withdraws his authorization of litigation right according to the first Paragraph of the preceding Article. The Party should resume the proceeding or the court may request the Party to do so, ex officio.
For the case where more than one Party withdraws his litigation right after the business juridical person or charitable juridical person has brought the case to the court in accordance with the preceding Article, the remaining part of court proceedings may be continued, even when there are fewer than 20 Parties remaining.
|
|
| Article 36 | The extinctive prescription for the right to claim damage compensation for each Party in accordance with Paragraphs 1 and 2 of Article 34 should be calculated separately.
|
|
| Article 37 | The business juridical person or charitable juridical person should act as the representative of litigation right authorized by the Party. However, the Party may set a limit on abandonment, withdrawal or reconciliation.
The limit set by one of the Parties in the preceding Paragraph should not be applicable to other Parties.
The limit mentioned in Paragraph 1 of this Article should be illustrated in the documents mentioned in the first Paragraph of Article 34 or should be brought to the court in writing.
|
|
| Article 38 | In the event the Party objects to the decision pursuant to Article 34, he may withdraw the authorization given to the business juridical person or charitable juridical person before the expiration of the period of an appeal and then file an appeal himself.
After receiving the decision document, the business juridical person or charitable juridical person should notify the Party of the outcome and also notify the Party in writing within 7 days as to whether or not an appeal should be filed.
|
|
| Article 39 | The business juridical person or charitable juridical person should deduct necessary litigation fees from the compensation received in accordance with the result of the case in Article 34 and deliver the remaining amount to the authorizing Parties.
The business juridical person or charitable juridical person should not ask for remuneration for the lawsuit brought in accordance with Paragraph 1 of Article 34.
|
|
| Article 40 | The business juridical person or charitable juridical person should authorize its litigation right to an attorney when bringing a lawsuit to the court in accordance with the provisions of this Chapter.
|
|
Chapter V Penalties
|
| Article 41 | Any person who, with intent to obtain unlawful benefit for themselves or a third party or to cause harm to another’s interests, violates Paragraph 1 of Article 6, Article 15, Article 16, Article 19, Paragraph 1 of Article 20, or an order or decision restricting cross-border transfer under Article 21, thereby causing harm to another, shall be sentenced to imprisonment for up to five (5) years and may also be fined up to NT$1,000,000. |
|
| Article 42 | A person who intends to make unlawful profits for himself or for a third party, or intends to infringe upon the interests of others, by illegally changing or deleting personal information files or by other illegal means, and has impeded the accuracy of other people’s personal information files and caused damage to others, should be subject to imprisonment or custody of no more than 5 years, or a fine of no more than NT$1,000,000, or both.
|
|
| Article 43 | The above two Articles may be applicable to a citizen of the Republic of China who commits those crimes against citizens of the Republic of China outside the territory of the Country.
|
|
| Article 44 | A government official who takes advantage of his position, or opportunity or means available to him to commit the offenses prescribed in this Chapter should be subject to punishments half as severe as those enumerated above.
|
|
| Article 45 | The offenses referred to in this Chapter should be instituted only upon a complaint, except offenses specified in Article 41 and those against a government agency in Article 42.
|
|
| Article 46 | In the event where a more severe punishment is provided for in other laws with respect to the offenses outlined in this Chapter, the more severe one should be applied.
|
|
| Article 47 | Where a non-government agency commits any of the violations listed below, the competent authority shall impose a fine of not less than NT$50,000 and not more than NT$500,000, order it to rectify the violation within a specified period of time, and impose fines successively until the violation is rectified: 1. violation of Paragraph 1, Article 6; 2. violation of Article 19; 3. violation of Paragraph 1, Article 20; and 4. violation of an order or decision restricting cross-border transfer under Article 21. |
|
| Article 48 | Where a non-government agency commits any of the violations listed below, the competent authority shall order it to rectify the violation within a specified period of time, and, if the violation is not rectified within such period, impose a fine of not less than NT$20,000 and not more than NT$200,000 successively until the violation is rectified: 1. violation of Article 8 or Article 9; 2. violation of Article 10, Article 11, or Article 13; 3. violation of Paragraph 1 of Article 12, or the provisions concerning the content, method, or time limit of notifications as stipulated in the regulations prescribed under Paragraph 4; and 4. violation of Paragraph 2 or 3, Article 20. Where a non-government agency is in violation of Paragraph 2 or 3 of Article 12, or the provisions concerning the content, method and time limit of reporting, response measures, and record retention as stipulated in the regulations prescribed under Paragraph 4, the competent authority shall impose a fine of not less than NT$20,000 and not more than NT$200,000, order it to rectify the violation within a specified period of time, and impose fines successively until the violation is rectified.
Where a non-government agency commits any of the violations listed below, the competent authority shall impose a fine of not less than NT$20,000 and not more than NT$2,000,000, order it to rectify the violation within a specified period of time, and, if the violation is not rectified within such period, impose a fine of not less than NT$150,000 and not more than NT$15,000,000 successively until the violation is rectified: 1. violation of Paragraph 1, Article 20-1; 2. violation of the provisions concerning the security and maintenance matters, management mechanisms, or measures to be taken related to personal data files as stipulated under the regulations established under Paragraph 2, Article 20-1; 3. failure to establish a security and maintenance plan for personal data files or methods for processing personal data after business termination as required under Paragraph 3, Article 51-1; and 4. violation of the provisions concerning the content, implementation methods or standards that the plans or processing methods must possess as stipulated in the regulations established under Paragraph 4, Article 51-1. Where a non-government agency commits any of the acts listed under the preceding paragraph and the violation is material, the competent authority shall impose a fine of not less than NT$150,000 and not more than NT$15,000,000, order it to rectify the violation within a specified period of time, and impose fines successively until the violation is rectified. |
|
| Article 49 | Non-government agencies in violation of Paragraph 4, Article 22 shall be subject to a fine of not less than NT$20,000 and not more than NT$200,000 to be imposed by the competent authority. |
|
| Article 50 | Where a non-government agency is subject to an administrative fine for violating the preceding three Articles, its main representative, manager or other representative should be subject to the same amount of fine, unless the obligation of the representative has been proved to be fulfilled.
|
|
Chapter VI Supplementary Provisions
|
| Article 51 | The provisions of this Law are not applicable to the following situations:
- When an individual collects, processes or uses personal information in the course of personal activity of a domestic nature; and
- When audio-visual information is collected, processed or used in public places or public activities and is not associated with other personal information.
The provisions of this Law are applicable to the government agency and the non-government agency, when they collect, process or use the personal information of the citizens of the Republic of China outside the territory of the Republic of China.
|
|
| Article 51-1 | Regarding the supervision and management matters concerning non-governmental agencies stipulated under Paragraphs 1 and 3 to 7 of Article 22, Articles 23 to 26, and Articles 47 to 50, within six (6) years from the date of establishment of the competent authority, the competent authority will propose to the Executive Yuan for announcement of a specified scope of non-governmental agencies that shall remain under the jurisdiction of the central government authorities in charge of the industries concerned, special municipal governments, and county (city) governments. The competent authority shall, after consultation with relevant authorities every two (2) years, propose to the Executive Yuan the adjustment or reduction of the scope of non-government agencies specified in the announcement referred to under the preceding paragraph. The central government authorities in charge of the industries concerned may require non-government agencies within the scope announced in the preceding two paragraphs to formulate personal data file security and maintenance plans or methods for processing personal data after business termination. The central government authorities in charge of the industries concerned will prescribe, pursuant to the regulations prescribed by the competent authority under Paragraph 2, Article 20-1, the regulations on the content, implementation methods or standards, and other relevant requirements for the plans and processing methods referred to under the preceding paragraph, and may prescribe stricter requirements. |
|
| Article 52 | The competent authority may commission other authorities (institutions), non-departmental public bodies, or public interest organizations to exercise its authority under Paragraph 2 of Article 12, Paragraphs 1, 3, 5, and 7 of Article 22, Article 23, and Article 24. Within the scope announced under Paragraphs 1 and 2 of the preceding article, the central government authorities in charge of the industries concerned, special municipal governments, or county (city) governments may delegate to their subordinate authorities, or commission other authorities (institutions), non-departmental public bodies, or public interest organizations, to exercise their authority under Paragraphs 1, 3, 5, and 7 of Article 22, Article 23, and Article 24. Members of the entities commissioned or delegated under the preceding two paragraphs shall bear a duty of confidentiality regarding any information learned or received in the course of performing such duties. A public interest organization referred to under Paragraphs 1 and 2 shall not be granted the legal standing to sue by the data subjects under Paragraph 1, Article 34 to file damage compensation lawsuits in its own name. |
|
| Article 53 | The competent authority shall prescribe specific purposes and categories of personal data, and provide the same to government and non-government agencies for reference and use. |
|
| Article 53-1 | Those dissatisfied with an administrative disposition rendered by the competent authority under the PDPA may resort to administrative litigation directly. Non-government agencies within the scope announced under Paragraphs 1 and 2 of Article 51-1 may file administrative appeals with the competent authority against the administrative dispositions rendered by central government authorities in charge of the industries concerned, special municipal governments, or county (city) governments under the PDPA. However, where an administrative disposition is made by an independent agency established under the Basic Code Governing Central Administrative Agencies and Organizations, administrative litigation may be initiated directly. For administrative dispositions rendered under the PDPA prior to the effective date of the amendments enacted on October 17, 2025, administrative appeals shall be filed with the competent authority. Administrative appeals accepted but not yet concluded before October 17, 2025, the effective date of the amendments to the PDPA, shall continue to be processed by the original accepting authority in accordance with the Administrative Appeal Act after the effective date of the amendments. |
|
| Article 54 | After the enforcement of the amendments to this Act on December 15, 2015, any processing or use of personal information that was furnished before the amendments to this Act on May 26, 2010 not by the Party, shall be notified to the Party pursuant to Article 9 before such processing or use.
The notification prescribed in the preceding Paragraph may be given at the time where such personal information is first used after the enforcement of the amendments to this Act on 15 December, 2015.
Any use of personal information without notification given in accordance with the preceding two Paragraphs is deemed and punished as a violation of Article 9.
|
|
| Article 55 | The Enforcement Rules of the PDPA shall be prescribed by the competent authority. |
|
| Article 56 | The enforcement date of the PDPA shall be set by the Executive Yuan. The deletion of Articles 19 through 22 and Article 43 on May 26, 2010, and the revision of Article 48 under the amendment to the PDPA made on May 16, 2023, shall become effective on the date of promulgation. |
|