Amended Article

Title:

Personal Data Protection Act

Amended Date: 2025.11.11 
Article 1-1 The competent authority of the PDPA is the Personal Data Protection Commission (the "PDPC").
Article 1-2 The central government and local governments at all levels shall endeavor to coordinate and implement specific measures to achieve the legislative objectives of the PDPA, ensuring that government agencies under their jurisdiction and non-government agencies under their supervision comply with the PDPA when performing their duties and conducting their businesses, jointly establishing a secure and trustworthy environment for personal data protection.
To implement matters related to personal data protection, the competent authority may coordinate a personal data protection policy promotion meeting; the regulations on the operational procedures and other relevant matters shall be prescribed by the competent authority.
Article 12 When a government or non-government agency becomes aware that the personal data it holds has been stolen, altered, damaged, lost, or leaked, it shall notify the data subject.
Where the circumstances described under the preceding paragraph fall within a specified scope of report, the government or non-government agency shall submit reports to the following authorities:
1.Government agencies shall submit reports to the competent authority and the authorities designated under Paragraph 1, Article 21-1 to receive reports on their implementation status.
2.Non-government agencies shall submit reports to the competent authority. Upon receiving the reports, the competent authority shall also inform the authorities in charge of the industries concerned.
Under the circumstances described under Paragraph 1, the government or non-government agency shall take immediate and effective countermeasures to prevent the incident from escalating, document the relevant facts, impacts, and response measures taken, and preserve the relevant records for inspection by the competent authority.
The regulations on the content, method, time limit, and scope of notification or reporting, countermeasures, record retention, and other relevant matters under the preceding three paragraphs shall be prescribed by the competent authority.
Article 18 Government agencies shall appoint a Personal Data Protection Officer, designated by the head of the agency from among suitable personnel to serve concurrently with their original position. Adequate personnel and resources shall be allocated to this officer, who shall be responsible for coordinating, promoting, supervising, and evaluating matters related to personal data protection within the agency, its subordinate agencies, and agencies under its supervision.
Government agencies shall designate personnel to handle the security and maintenance of personal data files, preventing the theft, alteration, damage, loss, or leakage of personal data. The regulations on the security and maintenance, management mechanisms, measures to be taken, and other related matters concerning personal data files shall be prescribed by the competent authority.
Government agencies shall not impose unfavorable disciplinary actions or take management measures against personnel for lawfully performing personal data protection duties.
The competent authority shall properly plan and implement competency training for the personnel referred to under Paragraphs 1 and 2 to enhance their professional knowledge and skills in personal data protection.
The regulations on the duties, competency requirements, training, and other relevant matters for the personnel referred to under Paragraphs 1 and 2 shall be prescribed by the competent authority.
Article 20-1 Non-government agencies possessing personal data files shall implement security and maintenance measures to prevent the theft, alteration, damage, loss, or leakage of personal data.
The regulations on the security and maintenance, management mechanisms, measures to be taken, and other related matters concerning personal data files as referred to under the preceding paragraph shall be prescribed by the competent authority.
Article 21 If a cross-border transfer of personal data is carried out by a non-government agency under any of the following circumstances, the competent authority may impose restrictions on such transfer:
1.where major national interests are involved;
2.where an international treaty or agreement so stipulates;
3.where the country receiving the personal data lacks proper regulations on protection of personal data and the data subjects’ rights and interests may consequently be harmed; or
4.where the cross-border transfer of the personal data to a third country (territory) is carried out to circumvent the PDPA.
Article 21-1 Government agencies shall submit reports annually regarding the implementation status on their management and protection of personal data to their superior agencies or supervisory agencies. Where no superior agency or supervisory agency exists, the following provisions shall apply:
1.The Office of the President, the National Security Council, and the Five Yuans of government shall submit reports to the competent authority.
2.Special municipal governments, special municipal councils, county (city) governments, and county (city) councils shall submit reports to the competent authority.
3.The offices of mountain indigenous districts in special municipalities and their representative councils shall submit reports to the special municipal government; township (town, city) offices and their representative councils shall submit reports to the county government.
Government agencies shall supervise and audit the implementation of protection and management of personal data by their subordinate or supervised government agencies, township (town, city) offices under their jurisdiction, offices of mountain indigenous districts in special municipalities, and representative councils of townships (towns, cities) and mountain indigenous districts in special municipalities.
If deficiencies or areas requiring rectification are identified during the audits conducted pursuant to the preceding paragraph, the audited agency shall submit a rectification report to the auditing agency. After review, the auditing agency shall forward the report along with the audit findings to the competent authority.
When deemed necessary, the auditing agency or competent authority may require the audited agency to provide explanations or make adjustments.
Regarding the requirements under the preceding four paragraphs, the regulations on the required information of the implementation reports, the frequency, items, and methods of the audits, the delivery of the audit results, the procedures for submitting the rectification reports, and other related matters shall be prescribed by the competent authority.
Article 21-2 The competent authority shall conduct periodic or ad hoc audits on the implementation of the protection and management of personal data by government agencies; when necessary, it may request assistance from the auditing authority specified under Paragraph 2 of the preceding article.
If deficiencies or areas requiring rectification are identified in the audited agency’s implementation during an audit under the preceding paragraph, the audited agency shall submit a rectification report. This report shall be submitted to the authority designated to receive the implementation report under Paragraph 1 of the preceding article for review, and subsequently forwarded to the competent authority by such reviewing authority.
The reviewing authority or competent authority under the preceding paragraph may, when deemed necessary, request the audited agency to provide explanations or make adjustments.
Regarding the requirements under the preceding three paragraphs, the regulations on the frequency, items, and methods of the audits, the procedures for submitting the rectification reports, and other related matters shall be prescribed by the competent authority.
Personnel participating in audits pursuant to the preceding article and this article shall bear a duty of confidentiality regarding any information learned or received in the course of performing such audits.
Article 21-3 Where it is likely that a government agency may violate the PDPA, the competent authority may request the government agency to submit information and explanations, or dispatch personnel with official identification documents to conduct on-site inspections. Except where confidentiality is required by law, the government agency and its relevant personnel shall cooperate with the inspections.
Where necessary, the competent authority may request assistance from the auditing authority specified under Paragraph 2, Article 21-1 for the on-site inspection referred to under the preceding paragraph.
Personnel participating in the inspection shall bear a duty of confidentiality regarding any information learned or received in the course of performing such inspection.
Article 21-4 Where a government agency violates the PDPA, the competent authority shall order it to rectify the violation within a specified time limit. The government agency shall make appropriate rectification within the time limit and shall respond in writing to the competent authority regarding the status of the rectification.
Where a government agency fails to rectify the violation as required under the preceding paragraph, the competent authority may publicize its name and the facts of its violation.
Where personnel of a government agency fail to act in accordance with the PDPA, they shall be subject to disciplinary sanction, action, or punishment in accordance with relevant laws and regulations, depending on the severity of the violation.
Article 21-5 The provisions under this section do not apply to intelligence agencies.
Article 22 Where the competent authority deems that a non-government agency is likely to violate the PDPA, or deems it necessary to verify its compliance with the PDPA, it may conduct inspections in the following ways:
1.notify the non-government agency or its relevant personnel to state their opinions;
2.notify the non-government agency or its relevant personnel to provide necessary documents, data, or items, or take other cooperative measures; and
3.conduct inspections independently or jointly with the central government authorities in charge of the industries concerned, special municipal governments, county (city) governments, or other relevant authorities by dispatching personnel with official identification documents, and may require relevant personnel to provide necessary explanations, take cooperative measures, or furnish relevant supporting documents.
Regarding the inspection on reviewing the compliance with the PDPA as stated under the preceding paragraph, the regulations on the planning, evaluation method, the factors to be considered, the matters requiring cooperation among the central government authorities in charge of the industries concerned, special municipal governments, county (city) governments, or relevant authorities, and other related matters shall be prescribed by the competent authority.
When conducting the inspections specified under Paragraph 1, the competent authority may seize or copy personal data or personal data files that may be confiscated or used as evidence. For items that are subject to seizure or required to be copied, the competent authority may require the owner, holder, or custodian thereof to present or deliver them. Where there are no legitimate grounds for refusing to present or deliver such items, or for resisting the seizure or copying, the competent authority may enforce compliance by means causing the least harm to the rights and interests of the non-government agency.
Non-government agencies and their relevant personnel shall not evade, obstruct, or refuse any notification, entry, inspection, or measures carried out pursuant to Paragraph 1 or the preceding paragraph without legitimate grounds.
When conducting the inspections under Subparagraph 3, Paragraph 1, the competent authority may be accompanied by information technology, telecommunications, legal, and/or other professional personnel.
Personnel participating in the inspection shall bear a duty of confidentiality regarding any information learned or received during the inspection and shall take care to preserve the reputation of the inspected party.
When conducting the inspections under Paragraph 1, the competent authority may, when necessary, request the central government authorities in charge of the industries concerned, the special municipal governments, the county (city) governments, or other relevant authorities (institutions) to cooperate in taking effective measures or providing assistance.
Article 23 Seized or copied items under Paragraph 3 of the preceding article shall be sealed or otherwise marked and appropriately processed. Items that are difficult to transport or store may be placed under guard or entrusted to the owner or other suitable person for safekeeping.
Seized or copied items that no longer need to be retained, or where a decision has been made not to impose penalties or not to confiscate, shall be returned. However, this shall not apply to items that should be confiscated or retained for investigation into other cases.
Article 24 The non-government agency and the owners, holders, custodians, or interested parties of such items may file an objection with the competent authority against the requests, enforcement, seizure, or copying under the preceding two articles.
If the competent authority finds the objection under the preceding paragraph justified, it shall immediately cease or modify the action; if it finds the objection unjustified, it may continue with the action. Upon request by the objecting party, a record of the grounds regarding objection shall be prepared and provided.
Where a party objects to the competent authority’s decision under the preceding paragraph, such objection may only be raised concurrently with an appeal against the substantive decision in the case. However, where the party under Paragraph 1 is legally barred from appealing the substantive decision, they may directly initiate an administrative lawsuit against the action under Paragraph 1.
Article 25 Where a non-government agency violates the PDPA, the competent authority may, in addition to imposing fines as prescribed under the PDPA, impose the following penalties:
1.prohibit the collection, processing, or use of personal data;
2.order the deletion of processed personal data files;
3.confiscate or order the destruction of illegally collected personal data; and
4.publicize the violations, along with the names of the violator and the statutory representative thereof.
When imposing the penalties under the preceding paragraph, the competent authority shall adopt the method that causes the least harm to the rights and interests of the non-government agency, within the scope necessary to prevent violations of the PDPA.
Article 26 Where the competent authority finds no violation of the PDPA after an inspection pursuant to Article 22, it may publish the inspection findings with the consent of the non-government agency.
Article 27 (Deleted)
Article 41 Any person who, with intent to obtain unlawful benefit for themselves or a third party or to cause harm to another’s interests, violates Paragraph 1 of Article 6, Article 15, Article 16, Article 19, Paragraph 1 of Article 20, or an order or decision restricting cross-border transfer under Article 21, thereby causing harm to another, shall be sentenced to imprisonment for up to five (5) years and may also be fined up to NT$1,000,000.
Article 47 Where a non-government agency commits any of the violations listed below, the competent authority shall impose a fine of not less than NT$50,000 and not more than NT$500,000, order it to rectify the violation within a specified period of time, and impose fines successively until the violation is rectified:
1.violation of Paragraph 1, Article 6;
2.violation of Article 19;
3.violation of Paragraph 1, Article 20; and
4.violation of an order or decision restricting cross-border transfer under Article 21.
Article 48 Where a non-government agency commits any of the violations listed below, the competent authority shall order it to rectify the violation within a specified period of time, and, if the violation is not rectified within such period, impose a fine of not less than NT$20,000 and not more than NT$200,000 successively until the violation is rectified:
1.violation of Article 8 or Article 9;
2.violation of Article 10, Article 11, or Article 13;
3.violation of Paragraph 1 of Article 12, or the provisions concerning the content, method, or time limit of notifications as stipulated in the regulations prescribed under Paragraph 4; and
4.violation of Paragraph 2 or 3, Article 20.
Where a non-government agency is in violation of Paragraph 2 or 3 of Article 12, or the provisions concerning the content, method and time limit of reporting, response measures, and record retention as stipulated in the regulations prescribed under Paragraph 4, the competent authority shall impose a fine of not less than NT$20,000 and not more than NT$200,000, order it to rectify the violation within a specified period of time, and impose fines successively until the violation is rectified.
Where a non-government agency commits any of the violations listed below, the competent authority shall impose a fine of not less than NT$20,000 and not more than NT$2,000,000, order it to rectify the violation within a specified period of time, and, if the violation is not rectified within such period, impose a fine of not less than NT$150,000 and not more than NT$15,000,000 successively until the violation is rectified:
1.violation of Paragraph 1, Article 20-1;
2.violation of the provisions concerning the security and maintenance matters, management mechanisms, or measures to be taken related to personal data files as stipulated under the regulations established under Paragraph 2, Article 20-1;
3.failure to establish a security and maintenance plan for personal data files or methods for processing personal data after business termination as required under Paragraph 3, Article 51-1; and
4.violation of the provisions concerning the content, implementation methods or standards that the plans or processing methods must possess as stipulated in the regulations established under Paragraph 4, Article 51-1.
Where a non-government agency commits any of the acts listed under the preceding paragraph and the violation is material, the competent authority shall impose a fine of not less than NT$150,000 and not more than NT$15,000,000, order it to rectify the violation within a specified period of time, and impose fines successively until the violation is rectified.
Article 49 Non-government agencies in violation of Paragraph 4, Article 22 shall be subject to a fine of not less than NT$20,000 and not more than NT$200,000 to be imposed by the competent authority.
Article 51-1 Regarding the supervision and management matters concerning non-governmental agencies stipulated under Paragraphs 1 and 3 to 7 of Article 22, Articles 23 to 26, and Articles 47 to 50, within six (6) years from the date of establishment of the competent authority, the competent authority will propose to the Executive Yuan for announcement of a specified scope of non-governmental agencies that shall remain under the jurisdiction of the central government authorities in charge of the industries concerned, special municipal governments, and county (city) governments.
The competent authority shall, after consultation with relevant authorities every two (2) years, propose to the Executive Yuan the adjustment or reduction of the scope of non-government agencies specified in the announcement referred to under the preceding paragraph.
The central government authorities in charge of the industries concerned may require non-government agencies within the scope announced in the preceding two paragraphs to formulate personal data file security and maintenance plans or methods for processing personal data after business termination.
The central government authorities in charge of the industries concerned will prescribe, pursuant to the regulations prescribed by the competent authority under Paragraph 2, Article 20-1, the regulations on the content, implementation methods or standards, and other relevant requirements for the plans and processing methods referred to under the preceding paragraph, and may prescribe stricter requirements.
Article 52 The competent authority may commission other authorities (institutions), non-departmental public bodies, or public interest organizations to exercise its authority under Paragraph 2 of Article 12, Paragraphs 1, 3, 5, and 7 of Article 22, Article 23, and Article 24.
Within the scope announced under Paragraphs 1 and 2 of the preceding article, the central government authorities in charge of the industries concerned, special municipal governments, or county (city) governments may delegate their subordinate authorities, or commission other authorities (institutions), non-departmental public bodies, or public interest organizations, to exercise their authority under Paragraphs 1, 3, 5, and 7 of Article 22, Article 23, and Article 24.
Members of the entities commissioned or delegated under the preceding two paragraphs shall bear a duty of confidentiality regarding any information learned or received in the course of performing such duties.
A public interest organization referred to under Paragraphs 1 and 2 shall not be granted the legal standing to sue by the data subjects under Paragraph 1, Article 34 to file damage compensation lawsuits in its own name.
Article 53 The competent authority shall prescribe specific purposes and categories of personal data, and provide the same to government and non-government agencies for reference and use.
Article 53-1 Those dissatisfied with an administrative disposition rendered by the competent authority under the PDPA may resort to administrative litigation directly.
Non-government agencies within the scope announced under Paragraphs 1 and 2 of Article 51-1 may file administrative appeals with the competent authority against the administrative dispositions rendered by central government authorities in charge of the industries concerned, special municipal governments, or county (city) governments under the PDPA. However, where an administrative disposition is made by an independent agency established under the Basic Code Governing Central Administrative Agencies and Organizations, administrative litigation may be initiated directly.
For administrative dispositions rendered under the PDPA prior to the effective date of the amendments enacted on October 17, 2025, administrative appeals shall be filed with the competent authority.
Administrative appeals accepted but not yet concluded before October 17, 2025, the effective date of the amendments to the PDPA, shall continue to be processed by the original accepting authority in accordance with the Administrative Appeal Act after the effective date of the amendments.
Article 55 The Enforcement Rules of the PDPA shall be prescribed by the competent authority.