• Font Size:
  • S
  • M
  • L
友善列印
WORD

Article Content

Title:

Personal Data Protection Act  CH

Amended Date: 2023.05.31 
   Chapter I General Provisions
Article 1    Personal Information Protection Act(hereinafter “this Law”)is enacted to govern the collection, processing and use of personal information so as to prevent harm on personality rights, and to facilitate the proper use of personal information.
Article 1-1The competent authority of the PDPA is the Personal Data Protection Commission (the "PDPC").
The responsibilities of the central government authorities in charge of the industries concerned, the special municipality, county (city) government concerned, and the authorities specified in Articles 53 and 55 of the PDPA, shall be under the jurisdiction of the PDPC from the date of its establishment.
Info
Article 2    The terms used herein denote the following meanings:
  1. Personal information: the name, date of birth, I.D. Card number, passport number, characteristics, fingerprints, marital status, family, education, occupation, medical record, medical treatment, genetic information, sexual life, health examination, criminal record, contact information, financial conditions, social activities and other information which may be used to identify a natural person, both directly and indirectly;
  2. Personal information file: A collection of personal information built to allow information retrieval and management by automatic or non-automatic measures;
  3. Collection: To collect personal information in any form and way;
  4. Processing: To record, input, store, compile, correct, duplicate, retrieve, delete, output, connect or internally transmit information for the purpose of establishing or using a personal information file;
  5. Use: All methods of personal information use other than processing;
  6. International transmission: The cross-border processing or use of personal information;
  7. Government agency refers to a government agency or administrative juridical person at the central or local government level which is empowered to exercise sovereign power;
  8. Non-government agency refers to the natural persons, juridical persons or groups other than those stated in the proceeding item;
  9. The Party means an individual of whom the personal information has been collected, processed or used in accordance with this Law.
Article 3    The following rights should be exercised by the Party with regard to his personal information and should not be waived in advance or limited by a specific agreement:
  1. any inquiry and request for a review of the personal information;
  2. any request to make duplications of the personal information;
  3. any request to supplement or correct the personal information;
  4. any request to discontinue collection, processing or use of personal information; and
  5. any request to delete the personal information.
Info
Article 4    Whoever commissioned by a government agency or non-government agency to collect, process or use personal information should be considered the commissioning agency within the scope of this Law.
Info
Article 5    The rights and interests of the Party should be respected in collecting, processing or using personal information and the information should be handled in accordance with the principle of bona fide. It should not go beyond the purpose of collection and should be reasonable and fair.
Info
Article 6    Personal information of medical records, medical treatment, genetic information, sexual life, health examination and criminal records should not be collected, processed or used. However, the following situations are not subject to the limits set in the preceding sentence:
  1. when in accordance with law;
  2. when it is necessary for a government agency to perform its legal duties or for a non- government agency to fulfill its legal obligation, and proper security measures are adopted prior or subsequent to such collection, processing or use;
  3. when the Party has made public such information by himself, or when the information concerned has been publicized legally;
  4. where it is necessary to perform statistical or other academic research, a government agency or an academic research institution collects, processes, or uses personal information for the purpose of medical treatment, public health, or crime prevention. The information may not lead to the identification of a specific person after its processing by the provider, or from the disclosure by the collector;
  5. where it is necessary to assist a government agency in performing its legal duties or a non-government agency in fulfilling its legal obligations, and proper security measures are adopted prior or subsequent to such collection, processing, or use;
  6. where the Party has consented in writing; unless such consent exceeds the necessary scope of the specific purpose; the collection, processing or use merely with the consent of the Party is prohibited by other statutes; or such consent is against the Party’s will.
    Article 8 and Article 9 shall apply mutatis mutandis to the collection, processing, or use of personal information in accordance with the preceding Paragraph; Paragraphs 1, 2 and 4 of Article 7 shall apply mutatis mutandis to the written consent specified in Item 6 of the preceding Paragraph. The notification should be in written form.
Info
Article 7"Consent", as referred to in subparagraph 2, paragraph 1 of Article 15 and subparagraph 5, paragraph 1 of Article 19, means a declaration of agreement given by a data subject after he/she has been informed by the data collector of the information required under the PDPA.
"Consent", as referred to in subparagraph 7, paragraph 1 of Article 16 and subparagraph 6, paragraph 1 of Article 20, means a separate declaration of agreement given by a data subject after he/she has been informed by the data collector of any of the purposes other than that originally specified, the scope of other use, and the impact of giving or not giving consent on the rights and interests of the data subject.
The data subject's consent may be presumed given pursuant to subparagraph 2, paragraph 1 of Article 15 and subparagraph 5, paragraph 1 of Article 19 if the data subject does not indicate his/her objection and affirmatively provides his/her personal data after the government or non-government agency has informed the data subject of the relevant information specified in paragraph 1 of Article 8 of the PDPA.
The data collector shall bear the burden of proof regarding the fact that the data subject has given the consent prescribed under the PDPA.
Info
Article 8    The following items should be told precisely to the Party by a government agency or non-government agency, in accordance with Article 15 or Article 19:
  1. the name of the government agency or the non-government agency;
  2. purpose of collection;
  3. classification of the personal information;
  4. time period, area, target and way of the use of personal information;
  5. rights of the Party and ways to exercise them as prescribed in Article 3;
  6. the influence on his rights and interests while the Party chooses not to provide his personal information;
    The following situations may be exempted from the notice prescribed in the preceding Paragraph:
  1. when in accordance with law;
  2. when the collection of personal information is necessary for the government agency to perform its official duties or the non government agency to fulfill the legal obligation;
  3. when the notice will impair the government agency in performing its official duties;
  4. when the notice will impair public interests.
  5. when the Party should have known the content of the notification already;
  6. when the collection of personal information is for non-profit purposes and clearly does not cause any detriment to the Party.
Info
Article 9Government or non-government agencies shall, before processing or using the personal data collected in accordance with Article 15 or 19 which was not provided by the data subject, inform the data subject of their source of data and other information specified in subparagraphs 1 through 5, paragraph 1 of the preceding article.
The obligation to inform as prescribed in the preceding paragraph may be exempt under any of the following circumstances:
1. under any of the circumstances provided in paragraph 2 of the preceding article;
2. where the personal data has been manifestly made public by the data subject or publicized legally;
3. where it is unable to inform the data subject or his/her legal representative;
4. where it is necessary for statistics gathering or academic research in pursuit of public interests, provided that such data, as processed by the data provider or as disclosed by the data collector, may not lead to the identification of a specific data subject; or
5. where the personal data is collected by mass communication enterprises for the purpose of news reporting for the benefit of public interests.
The obligation to inform as prescribed in paragraph 1 may be performed at the time of the first use of the personal data towards the data subject.
Info
Article 10    Upon the request of the Party, the government agency or non-government agency should reply to the inquiry, offer for a review or provide duplications on the personal information collected, except the followings:
  1. when the national security, diplomatic and military secrets, the macro-economic interests or other major national interests may be harmed;
  2. when the performance of official duties may be interfered with; and
  3. when the major interests of the collecting agency or a third person may be affected.
Info
Article 11    The government agency or the non-government agency should ensure the accuracy of personal information, and correct or supplement it, ex officio or upon the request of the Party.
    In the event of a dispute regarding the accuracy of personal information, its processing or use shall be ceased voluntarily or upon the request of the Party, unless the processing or use is either necessary for the performance of an official duty or fulfillment of a legal obligation, or agreed to by the Party in writing, and the dispute has been recorded.
    The information collected should be deleted, discontinued to process or use, ex officio or upon the request of the Party when the specific purpose no longer exists or time period expires. However, the preceding sentence may not be applicable when it is necessary for the performance of an official duty or fulfillment of a legal obligation and has been recorded, or when it is agreed by the Party in writing.
    The information collected should be deleted, discontinued to process or use, ex officio or upon the request of the Party in the cases where a violation of this Law occurred during collecting, processing or using that information.
    In the cases where the government agency or the non-government agency should be attributed to of not correcting or supplementing personal information, persons to whom the personal information was provided should be notified after correction or supplement.
Info
Article 12    When the personal information is stolen, disclosed, altered or infringed in other ways due to the violation of this Law, the government agency or non-government agency should notify the Party after an inspection.
Info
Article 13    Where a request is made by the Party to the government agency or the non-government agency pursuant to Article 10, it should be determined within fifteen days. It may be extended to a time period of no longer than fifteen days when necessary and the Party should be notified of that in writing.
    Where a request is made by the Party to the government agency or the non-government agency pursuant to Article 11, it should be determined within thirty days. It may be extended to a time period of no longer than thirty days when necessary and the Party should be notified of that in writing.
Info
Article 14    The government agency or the non government agency may charge a fee to those who make an inquiry or request to review, or make duplications of the personal information.
   Chapter II Data Collection, Processing and Use by a Government Agency
Article 15Except for the personal data specified under paragraph 1 of Article 6, the collection or processing of personal data by government agencies shall be for specific purposes and on one of the following bases:
1. where it is within the necessary scope to perform its statutory duties;
2. where consent has been given by the data subject; or
3. where the rights and interests of the data subject will not be infringed upon.
Info
Article 16Except for the personal data specified under paragraph 1 of Article 6, government agencies shall use personal data only within the necessary scope of their statutory duties and for the specific purpose of collection; the use of personal data for another purpose shall be only on any of the following bases:
1.where it is expressly required by law;
2.where it is necessary for ensuring national security or furthering public interests;
3.where it is to prevent harm to the life, body, freedom, or property of the data subject;
4.where it is to prevent material harm to the rights and interests of others;
5.where it is necessary for statistics gathering or academic research by a government agency or an academic institution for public interests; provided that such data, as processed by the data provider or as disclosed by the data collector, may not lead to the identification of a specific data subject;
6.where it is for the data subject's rights and interests; or
7.where consent has been given by the data subject.
Info
Article 17    The government agency may publicize the following items on the Internet or by other proper means for inquiries; the above provisions are applicable to amendment thereof:
  1. name of personal information file;
  2. name of the government agency keeping the personal information file and its contact information;
  3. basis and purpose of keeping the file;
  4. classification of personal information.
Article 18    The government agency which keeps personal information files should assign personnel(s) on security and maintenance of those files to prevent them from being stolen, altered, damaged, destroyed or disclosed.
Info
   Chapter III Data Collection, Processing and Use by a Non-government Agency
Article 19Except for the personal data specified under paragraph 1 of Article 6, the collection or processing of personal data by non-government agencies shall be for specific purposes and on one of the following bases:
1. where it is expressly required by law;
2. where there is a contractual or quasi-contractual relationship between the non-government agency and the data subject, and proper security measures have been adopted to ensure the security of the personal data;
3. where the personal data has been manifestly made public by the data subject or publicized legally;
4. where it is necessary for statistics gathering or academic research by an academic institution in pursuit of public interests, provided that such data, as processed by the data provider or as disclosed by the data collector, may not lead to the identification of a specific data subject;
5. where consent has been given by the data subject;
6. where it is necessary for furthering public interests;
7. where the personal data is obtained from publicly available sources unless the data subject has an overriding interest in prohibiting the processing or use of such personal data; or
8. where the rights and interests of the data subject will not be infringed upon.
A data collector or processor shall, on its own initiative or upon the request of the data subject, erase or cease processing or using the personal data when it becomes aware of, or upon being notified by the data subject, that the processing or use of the personal data should be prohibited pursuant to the proviso to subparagraph 7 of the preceding paragraph.
Info
Article 20Except for the personal data specified in paragraph 1 of Article 6, non-government agencies shall use personal data only within the necessary scope of the specific purpose of collection; the use of personal data for another purpose shall be only on any of the following bases:
1. where it is expressly required by law;
2. where it is necessary for furthering public interests;
3. where it is to prevent harm to the life, body, freedom, or property of the data subject;
4. where it is to prevent material harm to the rights and interests of others;
5. where it is necessary for statistics gathering or academic research by a government agency or an academic institution for public interests; provided that such data, as provided by the data provider or disclosed by the data collector, may not lead to the identification of a specific data subject;
6. where consent has been given by the data subject; or
7. where it is for the data subject's rights and interests.
When a non-government agency uses personal data for marketing purpose pursuant to the preceding paragraph, upon the data subject's objection to such use, the agency shall cease using the data subject's personal data for marketing.
Non-government agencies, when using the data subject’s personal data for marketing purpose for the first time, shall provide the data subject the ways that he/she can object to such use, and the agency shall pay for the fees therefrom.
Info
Article 21    If one of the followings has occurred when the non-government agency transmits personal information internationally, the government authority in charge of subject industry may limit its action:
  1. Where it involves major national interests;
  2. Where national treaty or agreement specifies otherwise;
  3. Where the country receiving personal information lacks of proper regulations towards the protection of personal information and it might harm the rights and interests of the Party:
  4. Where international transmission of personal information is made through an indirect method in which the provisions of this Law may not be applicable.
Info
Article 22The central government authorities in charge of the industries concerned, the special municipality, county (city) government concerned may, when they deem necessary or suspect any possible violation of the PDPA, inspect compliance with the security control measures, the rules on disposing personal data upon business termination, and the restrictions on cross-border transfers, or conduct any other routine inspections by having their staff enter non-government agencies' premises upon presentation of their official identification documents and order relevant personnel at the non-government agencies to provide necessary explanations, cooperate on adopting relevant measures, or provide supporting documents.
When the central government authorities in charge of the industries concerned or the special municipality, county (city) governments concerned conduct the inspections described in the preceding paragraph, they may retain or make duplications of the personal data or the files thereof that can be confiscated or be admitted as evidence. The owner, holder or keeper of such data or files that shall be confiscated or copied shall submit them to the authorities upon request. If the non-government agency refuses to submit or deliver the requested data or files or rejects the confiscation or duplication thereof without any legitimate reason, a compulsory enforcement that will do the least harm to the rights and interests of the non-government agency may be applied.
When the central government authorities in charge of the industries concerned or the special municipality, county (city) governments concerned conduct the inspections described in paragraph 1, professionals in the field of information technology, telecommunications or law may accompany the inspectors during the inspections.
Non-government agencies and their personnel may not evade such inspections, obstruct the investigators from accessing the premises or data, or refuse to comply with the inspections or decisions referred to in paragraphs 1 and 2.
All personnel who take part in the inspections shall keep in confidence all the personal data that they become aware of due to the inspections.
Info
Article 23    The objects detained or duplicated in accordance with Paragraph 2 of the preceding Article should be sealed or tagged, and properly located. Those may not be carried or kept may be guarded by a designated personnel, or be kept by the owner or suitable persons. If it is no more necessary to keep the detained or duplicated objects, or when a punishment is not applied or a confiscation is not applied, those objects should be returned. However, it does not apply to objects that should be confiscated or kept for other cases.
Info
Article 24The non-government agency, owner, holder, keeper or interested persons of those confiscated files or duplicates may raise an objection with the central government authority in charge of the industry concerned or the special municipality, county (city) government concerned against the acts of demand, compulsory enforcement, detention, or duplication mentioned in the preceding two Articles.
Upon receiving the objection mentioned in the preceding paragraph, the central government authority in charge of the industry concerned or the special municipality, county (city) government concerned shall immediately cease or rectify such acts if the objection is considered reasonable; otherwise, it may continue such acts. Upon the request of the person who raises the objection, a record of the reasons for objection shall be prepared and delivered to such person.
An appeal against the decision made by the central government authority in charge of the industry concerned or the special municipality, county (city) government concerned under the preceding paragraph may only be filed jointly with the appeal against the substantive decision of the case. However, if the persons identified in paragraph 1 do not have the rights to appeal against the substantive decision of the case under the law, such persons may file an administrative lawsuit solely against the acts identified in the same paragraph 1.
Info
Article 25In the event that a non-government agency has violated the PDPA, the central government authority in charge of the industry concerned or the special municipality, county (city) government concerned may impose fines on the non-government agency in accordance with the PDPA and may also enforce the following corrective measures:
1. prohibit the collection, processing or use of the personal data;
2. order the erasure of the processed personal data and personal data files;
3. confiscate or order the destruction of the unlawfully collected personal data; and/or
4. disclose to the public the violation of the non-government agency, the name of the non-government agency and its responsible person/representative.
Where the central government authority in charge of the industry concerned or the special municipality, county (city) government concerned enforce the corrective measures referred to in the preceding paragraph, such measures shall be within the scope that is necessary to prevent and remedy the violation of the PDPA and shall do the least harm to the rights and interests of the non-government agency concerned.
Article 26The findings of the inspections conducted by the central government authorities in charge of the industries concerned or the special municipality, county (city) governments concerned in accordance with Article 22 may be disclosed to the public if the non-government agencies concerned are not in violation of the PDPA and agree to the public disclosure of such findings. Info
Article 27Non-government agencies in possession of personal data files shall implement proper security measures to prevent the personal data from being stolen, altered, damaged, destroyed or disclosed.
The central government authorities in charge of the industries concerned may designate and order certain non-government agencies to establish a security and maintenance plan for the protection of personal data files and rules on disposing personal data following a business termination.
Matters such as standards on setting forth the aforementioned plans and disposal regulations shall be expressly established by the central government authority in charge of the industry concerned.
Info
   Chapter IV Damages and Class Action
Article 28Government agencies shall be liable for the damages arising from injury caused by any unlawful collection, processing or use of personal data, or other infringement on the rights of data subjects due to such government agency's violation of the PDPA, unless such injury was caused by any natural disaster, emergency or other force majeure event.
If an injury suffered by the victim is a non-pecuniary damage, he/she may request an appropriate amount of monetary compensation; if the injury suffered by the victim is damage to his/her reputation, the victim may request appropriate corrective measures to restore his/her reputation.
Under the circumstances identified in the preceding two paragraphs, if it is difficult or impossible for the victim to prove the monetary value of the actual damage, he/she may ask the court to award the compensation in the amount of not less than NT$500 but not more than NT$20,000 per incident, per person based on the severity of the damage.
Where the rights of multiple data subjects have been infringed upon due to the same incident, the total amount of compensation awarded to such data subjects shall not exceed NT$200 million. However, if the interests involved in the incident exceed NT$200 million, the compensation shall be up to the value of such interests.
If the total amount of damages for the injuries attributable to the same incident exceeds the amount referred to in the preceding paragraph, the compensation payable to each victim shall not be limited to the lower end of damages, i.e. NT$500, per incident as set forth in paragraph 3 of this Article.
The right of claim referred to in paragraph 2 above may not be transferred or inherited. However, this does not apply to the circumstances where monetary compensation has been agreed upon in a contract or a claim therefor has been filed with the court.
Article 29Non-government agencies shall be liable for the damages arising from any injury caused by any unlawful collection, processing or use of personal data, or other infringement on the rights of data subjects due to such non-government agency's violation of the PDPA, unless the non-government agency can prove that such injury is not caused by its willful act or negligence.
Paragraphs 2 through 6 of the preceding article apply to the damage claims raised in accordance with the preceding paragraph.
Info
Article 30    The right to claim for damage compensation will be terminated two years since the claimant has been aware of the damages and the person(s) who is liable for the compensation, or five years since the date the damage actually occurred.
Article 31    Aside from the provisions of this Law, the provisions of the State Compensation Law may be applied to a government agency, while the Civil Code may be applied to a non-government agency.
Article 32    A business juridical person or a charitable juridical person that brings a case to the court in accordance with this Chapter should fulfill the following conditions:
  1. The total registered assets of a business juridical person should reach NT$10 million or more, or the total number of members of a charitable juridical person should be 100 or more;
  2. The protection of personal information is set in its charter;
  3. It has been established for more than 3 years after its approval.
Article 33    The litigation brought to the court against a government agency in accordance with this Law should be subject to the exclusive jurisdiction of the district court where the agency is located. The litigation against a non-government agency is subject to the exclusive jurisdiction of the district court where its headquarters, main office of operation or domicile is located.
    If the non-government agency in the preceding Paragraph is natural person and has no place of domicile in the Republic of China, or where it is unknown, his place of residence in the Republic of China shall be deemed to be the place of domicile. Where he has no place of residence in the Republic of China or where it is unknown, his last place of domicile in the Republic of China shall be deemed to be the place of domicile. Where he has no last place of domicile, the district court where the central government is located shall have exclusive jurisdiction.
    If the non-government agency mentioned in the first Paragraph is a juridical person or a group and has no headquarters, main office of operation, or unknown for both, the district court where the central government is located shall have exclusive jurisdiction.
Article 34    For cases caused by the same cause and fact and there are multi Parties infringed, the business juridical person or charitable juridical person may bring a lawsuit to the court by its own name, after obtaining a written authorization of litigation rights of 20 or more Parties. The Parties may withdraw their authorization by writing before the closure of the oral debate and the court should be notified of it.
    For the litigation in accordance with the preceding Paragraph, the court may publicize it to other parties that may have been infringed, upon request of ex officio that those Parties may authorize their litigation rights to the business juridical person or charitable juridical person in the preceding Paragraph within a specified period. The business juridical person or charitable juridical person may expand its claim before the closure of the oral debate.
    Other parties that haven been infringed by the same cause and fact that choose not to follow the rule in the preceding Paragraph may bring the case to the court with the specified period for the court to combine the cases.
    Other Parties that have been infringed by the same cause and fact may apply to the court the announcement of the preceding Paragraph.
    The announcement of the two preceding Paragraph may be publicized on the bulletin of the court, on the Internet or other proper location. Should the court considers it necessary, it may be posted on the communiques or newspaper and the fees should be paid by the National Treasury.
    For the business juridical person or charitable juridical association that brings a case to the court in accordance with Paragraph 1 and the target amount exceeds NT$600,000, the exceeding portion should be waived of court fees.
Article 35    The court proceedings should be discontinued partly if the Party withdraws his authorization of litigation right according to the first Paragraph of the preceding Article. The Party should resume the proceeding or the court may request the Party to do so, ex officio.
    For the case where more than one Party withdraws his litigation right after the business juridical person or charitable juridical person has brought the case to the court in accordance with the preceding Article, the remaining part of court proceedings may be continued, even when there are fewer than 20 Parties remained.
Info
Article 36    The extinctive prescription for the right to claim for damage compensation for each Party in accordance with Paragraph 1 and 2 of Article 34 should be calculated separately.
Info
Article 37    The business juridical person or charitable juridical person should act as the representative of litigation right authorized by the Party. However, the Party may set a limit on abandonment, withdrawal or reconciliation.
    The limit set by one of the Parties in the preceding Paragraph should not be applicable to other Parties.
    The limit mentioned in Paragraph 1 of this Article should be illustrated in the documents mentioned in the first Paragraph of Article 34 or should be brought to the court in writing.
Info
Article 38    In the event the Party is object to the decision pursuant to Article 34, he may withdraw the authorization given to the business juridical person or charitable juridical person before the expiration of the period of an appeal and then file an appeal himself.
    After receiving the decision document, the business juridical person or charitable juridical person should notify the Party of the outcome and also notify the Party in writing within 7 days as to whether or not an appeal should be file.
Info
Article 39    The business juridical person or charitable juridical person should deduct necessary litigation fees from the compensation received in accordance with the result of the case in Article 34 and deliver the remaining amount to the authorizing Parties.
    The business juridical person or charitable juridical person should not ask for remuneration for the lawsuit which brought out in accordance with Paragraph 1 of Article 34.
Info
Article 40    The business juridical person or charitable juridical person should authorize its litigation right to an attorney while bringing out a lawsuit to the court in accordance with the provisions of this Chapter.
   Chapter V Penalties
Article 41If a person, with the intention of obtaining unlawful gains for himself/herself or a third party, or with the intention of impairing another person's interests, is in violation of paragraph 1 of Article 6, Articles 15, 16, 19, and paragraph 1 of Article 20, or an order or decision relating to the restrictions on cross-border transfers made by the central government authority in charge of the industry concerned in accordance with Article 21 of the PDPA, thereby causing damage to others, the person shall be sentenced to imprisonment for no more than five years; in addition thereto, a fine of no more than NT$1,000,000 may be imposed. Info
Article 42    A person who intends to make unlawful profits for himself or for a third party, or intends to infringe upon the interests of others by illegally changing or deleting personal information files, or by other illegal means and has impeded the accuracy of other people’s personal information files and caused damages to others should be imposed of an imprisonment or custody of no more than 5 years, or a fine of no more than NT$1,000,000, or both.
Article 43    The above two Articles may be applicable to a citizen of the Republic of China who commits those crimes to citizens of the Republic of China outside the territory of the Country.
Info
Article 44    A government official who takes advantage of his position, or opportunity or means available to him to commit the offenses prescribed in this Chapter should be subject to punishments half as severe as those enumerated above.
Article 45    The offenses referred to in this Chapter should be instituted only upon a complaint, except offenses specified in Article 41 and those against a government agency in Article 42.
Info
Article 46    In the event where a more severe punishment is provided for in other laws with respect to the offenses outlined in this Chapter, the more severe one should be applied.
Article 47If a non-government agency violates any of the following provisions, the central government authority in charge of the industry concerned or the special municipality, county (city) government concerned shall impose a fine of not less than NT$50,000 but not more than NT$500,000 on the non-government agency, and shall order the non-government agency to rectify the violation within a specified period of time. If the non-government agency fails to rectify the violation in time, a fine shall be imposed for each occurrence of the violation:
1. paragraph 1 of Article 6;
2. Article 19;
3. paragraph 1 of Article 20; and/or
4. an order or decision relating to the restrictions on cross-border transfers made by the central government authority in charge of the industry concerned under Article 21.
Info
Article 48If a non-government agency violates any of the following provisions, the central government authority in charge of the industry concerned or the special municipality, county (city) government concerned shall order the non-government agency to rectify the violation within a specified period of time; if the non-government agency fails to rectify the violation in time, a fine of not less than NT$20,000 but not more than NT$200,000 shall be imposed on the non-government agency for each occurrence of the violation:
1. Article 8 or Article 9;
2. Article 10, Article 11, Article 12, or Article 13;
3. paragraph 2 or paragraph 3 of Article 20.
If a non-government agency violates paragraph 1 of Article 27 or fails to establish a security and maintenance plan for the protection of personal data files or rules on disposing of personal data following a business termination under paragraph 2 of Article 27, the central government authority in charge of the industry concerned or the special municipality, county (city) government concerned shall impose a fine of not less than NT$20,000 but not more than NT$2,000,000 on the non-government agency, and shall order the non-government agency to rectify the violation within a specified period of time. If the non-government agency fails to rectify the violation in time, a fine of not less than NT$150,000 but not more than NT$15,000,000 shall be imposed for each occurrence of the violation.
If a non-government agency violates paragraph 1 of Article 27, or fails to establish a security and maintenance plan for the protection of personal data files or rules on disposing of personal data following a business termination under paragraph 2 of Article 27, which is of a serious violation, the central government authority in charge of the industry concerned or the special municipality, county (city) government concerned shall impose a fine not less than NT$150,000 but not more than NT$15,000,000 on the non-government agency to rectify the violation within a specified period of time; if the non-government agency fails to rectify the violation in time, a fine shall be imposed for each occurrence of the violation.
Info
Article 49If a non-government agency is in violation of paragraph 4 of Article 22 without any legitimate reason, the central government authority in charge of the industry concerned or the special municipality, county (city) government concerned shall impose a fine of not less than NT$20,000 but not more than NT$200,000 on the non-government agency. Info
Article 50    The main representative, manager or other representative of a non-government agency who should be imposed of an administrative fine due to the violation of the preceding three Articles of the agency should be subject to the same amount of the fine, unless the obligation of the representative has been proved to be fulfilled.
Info
   Chapter VI Supplementary Provisions
Article 51    The provisions of this Law are not applicable to the following situations:
  1. When an individual who collects, processes or uses personal information in the course of personal activity of a domestic nature; and
  2. if the audio-visual information is collected, processed or used in public places or public activities and not associated with the other personal information.
    The provisions of this Law are applicable to the government agency and the non-government agency, when they collect, process or use the personal information of the citizens of the Republic of China outside the territory of the Republic of China.
Article 52The duties of the central government authorities in charge of the industries concerned or the special municipality, county (city) governments concerned under Articles 22 through 26 may be delegated to their subordinate agencies, other agencies or public interest groups. The personnel of such agencies or public interest groups shall be obligated to keep confidential all the data they become aware of during the performance of the duties so delegated or commissioned.
The public interest groups referred to in the preceding paragraph shall not receive any data subject's delegation of litigation rights to file a lawsuit for damages in their names in accordance with paragraph 1 of Article 34.
Info
Article 53    The Ministry of Justice shall, in conjunction with the competent authority in charge of the subject industry at the central government level, prescribe, and provide government and non-government agencies for reference and use with, the specific purpose and the classification of personal information.
Article 54    After the enforcement of the amendments to this Act on December 15, 2015, any processing or use of personal information that was furnished before the amendments to this Act on May 26, 2010 not by the Party, shall be notified to the Party pursuant to Article 9 before such processing or use.
    The notification prescribed in the preceding Paragraph may be given at the time where such personal information is first used after the enforcement of the amendments to this Act on 15 December, 2015.
    Any use of personal information without notification given in accordance with the preceding two Paragraphs is deemed and punished as a violation of Article 9.
Info
Article 55    The Enforcement Rule of this Act shall be prescribed by the Ministry of Justice.
Article 56The enforcement date of the PDPA shall be set by the Executive Yuan.
The deletion of Articles 19 through 22 and Article 43 on May 26, 2010, and the revision of Article 48 under the amendment to the PDPA made on May 16, 2023, shall become effective on the date of promulgation.
Info