• Font Size:
  • S
  • M
  • L

Chapter Content

Title:

Personal Data Protection Act  CH

Amended Date: 2023.05.31 
   Chapter I General Provisions
Article 1    Personal Information Protection Act(hereinafter “this Law”)is enacted to govern the collection, processing and use of personal information so as to prevent harm on personality rights, and to facilitate the proper use of personal information.
Article 1-1The competent authority of the PDPA is the Personal Data Protection Commission (the "PDPC").
The responsibilities of the central government authorities in charge of the industries concerned, the special municipality, county (city) government concerned, and the authorities specified in Articles 53 and 55 of the PDPA, shall be under the jurisdiction of the PDPC from the date of its establishment.
Info
Article 2    The terms used herein denote the following meanings:
  1. Personal information: the name, date of birth, I.D. Card number, passport number, characteristics, fingerprints, marital status, family, education, occupation, medical record, medical treatment, genetic information, sexual life, health examination, criminal record, contact information, financial conditions, social activities and other information which may be used to identify a natural person, both directly and indirectly;
  2. Personal information file: A collection of personal information built to allow information retrieval and management by automatic or non-automatic measures;
  3. Collection: To collect personal information in any form and way;
  4. Processing: To record, input, store, compile, correct, duplicate, retrieve, delete, output, connect or internally transmit information for the purpose of establishing or using a personal information file;
  5. Use: All methods of personal information use other than processing;
  6. International transmission: The cross-border processing or use of personal information;
  7. Government agency refers to a government agency or administrative juridical person at the central or local government level which is empowered to exercise sovereign power;
  8. Non-government agency refers to the natural persons, juridical persons or groups other than those stated in the proceeding item;
  9. The Party means an individual of whom the personal information has been collected, processed or used in accordance with this Law.
Article 3    The following rights should be exercised by the Party with regard to his personal information and should not be waived in advance or limited by a specific agreement:
  1. any inquiry and request for a review of the personal information;
  2. any request to make duplications of the personal information;
  3. any request to supplement or correct the personal information;
  4. any request to discontinue collection, processing or use of personal information; and
  5. any request to delete the personal information.
Info
Article 4    Whoever commissioned by a government agency or non-government agency to collect, process or use personal information should be considered the commissioning agency within the scope of this Law.
Info
Article 5    The rights and interests of the Party should be respected in collecting, processing or using personal information and the information should be handled in accordance with the principle of bona fide. It should not go beyond the purpose of collection and should be reasonable and fair.
Info
Article 6    Personal information of medical records, medical treatment, genetic information, sexual life, health examination and criminal records should not be collected, processed or used. However, the following situations are not subject to the limits set in the preceding sentence:
  1. when in accordance with law;
  2. when it is necessary for a government agency to perform its legal duties or for a non- government agency to fulfill its legal obligation, and proper security measures are adopted prior or subsequent to such collection, processing or use;
  3. when the Party has made public such information by himself, or when the information concerned has been publicized legally;
  4. where it is necessary to perform statistical or other academic research, a government agency or an academic research institution collects, processes, or uses personal information for the purpose of medical treatment, public health, or crime prevention. The information may not lead to the identification of a specific person after its processing by the provider, or from the disclosure by the collector;
  5. where it is necessary to assist a government agency in performing its legal duties or a non-government agency in fulfilling its legal obligations, and proper security measures are adopted prior or subsequent to such collection, processing, or use;
  6. where the Party has consented in writing; unless such consent exceeds the necessary scope of the specific purpose; the collection, processing or use merely with the consent of the Party is prohibited by other statutes; or such consent is against the Party’s will.
    Article 8 and Article 9 shall apply mutatis mutandis to the collection, processing, or use of personal information in accordance with the preceding Paragraph; Paragraphs 1, 2 and 4 of Article 7 shall apply mutatis mutandis to the written consent specified in Item 6 of the preceding Paragraph. The notification should be in written form.
Info
Article 7"Consent", as referred to in subparagraph 2, paragraph 1 of Article 15 and subparagraph 5, paragraph 1 of Article 19, means a declaration of agreement given by a data subject after he/she has been informed by the data collector of the information required under the PDPA.
"Consent", as referred to in subparagraph 7, paragraph 1 of Article 16 and subparagraph 6, paragraph 1 of Article 20, means a separate declaration of agreement given by a data subject after he/she has been informed by the data collector of any of the purposes other than that originally specified, the scope of other use, and the impact of giving or not giving consent on the rights and interests of the data subject.
The data subject's consent may be presumed given pursuant to subparagraph 2, paragraph 1 of Article 15 and subparagraph 5, paragraph 1 of Article 19 if the data subject does not indicate his/her objection and affirmatively provides his/her personal data after the government or non-government agency has informed the data subject of the relevant information specified in paragraph 1 of Article 8 of the PDPA.
The data collector shall bear the burden of proof regarding the fact that the data subject has given the consent prescribed under the PDPA.
Info
Article 8    The following items should be told precisely to the Party by a government agency or non-government agency, in accordance with Article 15 or Article 19:
  1. the name of the government agency or the non-government agency;
  2. purpose of collection;
  3. classification of the personal information;
  4. time period, area, target and way of the use of personal information;
  5. rights of the Party and ways to exercise them as prescribed in Article 3;
  6. the influence on his rights and interests while the Party chooses not to provide his personal information;
    The following situations may be exempted from the notice prescribed in the preceding Paragraph:
  1. when in accordance with law;
  2. when the collection of personal information is necessary for the government agency to perform its official duties or the non government agency to fulfill the legal obligation;
  3. when the notice will impair the government agency in performing its official duties;
  4. when the notice will impair public interests.
  5. when the Party should have known the content of the notification already;
  6. when the collection of personal information is for non-profit purposes and clearly does not cause any detriment to the Party.
Info
Article 9Government or non-government agencies shall, before processing or using the personal data collected in accordance with Article 15 or 19 which was not provided by the data subject, inform the data subject of their source of data and other information specified in subparagraphs 1 through 5, paragraph 1 of the preceding article.
The obligation to inform as prescribed in the preceding paragraph may be exempt under any of the following circumstances:
1. under any of the circumstances provided in paragraph 2 of the preceding article;
2. where the personal data has been manifestly made public by the data subject or publicized legally;
3. where it is unable to inform the data subject or his/her legal representative;
4. where it is necessary for statistics gathering or academic research in pursuit of public interests, provided that such data, as processed by the data provider or as disclosed by the data collector, may not lead to the identification of a specific data subject; or
5. where the personal data is collected by mass communication enterprises for the purpose of news reporting for the benefit of public interests.
The obligation to inform as prescribed in paragraph 1 may be performed at the time of the first use of the personal data towards the data subject.
Info
Article 10    Upon the request of the Party, the government agency or non-government agency should reply to the inquiry, offer for a review or provide duplications on the personal information collected, except the followings:
  1. when the national security, diplomatic and military secrets, the macro-economic interests or other major national interests may be harmed;
  2. when the performance of official duties may be interfered with; and
  3. when the major interests of the collecting agency or a third person may be affected.
Info
Article 11    The government agency or the non-government agency should ensure the accuracy of personal information, and correct or supplement it, ex officio or upon the request of the Party.
    In the event of a dispute regarding the accuracy of personal information, its processing or use shall be ceased voluntarily or upon the request of the Party, unless the processing or use is either necessary for the performance of an official duty or fulfillment of a legal obligation, or agreed to by the Party in writing, and the dispute has been recorded.
    The information collected should be deleted, discontinued to process or use, ex officio or upon the request of the Party when the specific purpose no longer exists or time period expires. However, the preceding sentence may not be applicable when it is necessary for the performance of an official duty or fulfillment of a legal obligation and has been recorded, or when it is agreed by the Party in writing.
    The information collected should be deleted, discontinued to process or use, ex officio or upon the request of the Party in the cases where a violation of this Law occurred during collecting, processing or using that information.
    In the cases where the government agency or the non-government agency should be attributed to of not correcting or supplementing personal information, persons to whom the personal information was provided should be notified after correction or supplement.
Info
Article 12    When the personal information is stolen, disclosed, altered or infringed in other ways due to the violation of this Law, the government agency or non-government agency should notify the Party after an inspection.
Info
Article 13    Where a request is made by the Party to the government agency or the non-government agency pursuant to Article 10, it should be determined within fifteen days. It may be extended to a time period of no longer than fifteen days when necessary and the Party should be notified of that in writing.
    Where a request is made by the Party to the government agency or the non-government agency pursuant to Article 11, it should be determined within thirty days. It may be extended to a time period of no longer than thirty days when necessary and the Party should be notified of that in writing.
Info
Article 14    The government agency or the non government agency may charge a fee to those who make an inquiry or request to review, or make duplications of the personal information.