Chapter III-1 Administrative Supervision
|
Section 1 Supervision on Government Agencies
|
| Article 21-1 | Government agencies shall submit reports annually regarding the implementation status on their management and protection of personal data to their superior agencies or supervisory agencies. Where no superior agency or supervisory agency exists, the following provisions shall apply: 1. The Office of the President, the National Security Council, and the Five Yuans of government shall submit reports to the competent authority. 2. Special municipal governments, special municipal councils, county (city) governments, and county (city) councils shall submit reports to the competent authority. 3. The offices of mountain indigenous districts in special municipalities and their representative councils shall submit reports to the special municipal government; township (town, city) offices and their representative councils shall submit reports to the county government. Government agencies shall supervise and audit the implementation of protection and management of personal data by their subordinate or supervised government agencies, township (town, city) offices under their jurisdiction, offices of mountain indigenous districts in special municipalities, and representative councils of townships (towns, cities) and mountain indigenous districts in special municipalities. If deficiencies or areas requiring rectification are identified during the audits conducted pursuant to the preceding paragraph, the audited agency shall submit a rectification report to the auditing agency. After review, the auditing agency shall forward the report along with the audit findings to the competent authority. When deemed necessary, the auditing agency or competent authority may require the audited agency to provide explanations or make adjustments. 
Regarding the requirements under the preceding four paragraphs, the regulations on the required information of the implementation reports, the frequency, items, and methods of the audits, the delivery of the audit results, the procedures for submitting the rectification reports, and other related matters shall be prescribed by the competent authority. |
|
| Article 21-2 | The competent authority shall conduct periodic or ad hoc audits on the implementation of the protection and management of personal data by government agencies; when necessary, it may request assistance from the auditing authority specified under Paragraph 2 of the preceding article. If deficiencies or areas requiring rectification are identified in the audited agency’s implementation during an audit under the preceding paragraph, the audited agency shall submit a rectification report. This report shall be submitted to the authority designated to receive the implementation report under Paragraph 1 of the preceding article for review, and subsequently forwarded to the competent authority by such reviewing authority. The reviewing authority or competent authority under the preceding paragraph may, when deemed necessary, request the audited agency to provide explanations or make adjustments. Regarding the requirements under the preceding three paragraphs, the regulations on the frequency, items, and methods of the audits, the procedures for submitting the rectification reports, and other related matters shall be prescribed by the competent authority. Personnel participating in audits pursuant to the preceding article and this article shall bear a duty of confidentiality regarding any information learned or received in the course of performing such audits. |
|
| Article 21-3 | Where it is likely that a government agency may violate the PDPA, the competent authority may request the government agency to submit information and explanations, or dispatch personnel with official identification documents to conduct on-site inspections. Except where confidentiality is required by law, the government agency and its relevant personnel shall cooperate with the inspections. Where necessary, the competent authority may request assistance from the auditing authority specified under Paragraph 2, Article 21-1 for the on-site inspection referred to under the preceding paragraph. Personnel participating in the inspection shall bear a duty of confidentiality regarding any information learned or received in the course of performing such inspection. |
|
| Article 21-4 | Where a government agency violates the PDPA, the competent authority shall order it to rectify the violation within a specified time limit. The government agency shall make appropriate rectification within the time limit and shall respond in writing to the competent authority regarding the status of the rectification. Where a government agency fails to rectify the violation as required under the preceding paragraph, the competent authority may publicize its name and the facts of its violation. Where personnel of a government agency fail to act in accordance with the PDPA, they shall be subject to disciplinary sanction, action, or punishment in accordance with relevant laws and regulations, depending on the severity of the violation. |
|
| Article 21-5 | The provisions under this section do not apply to intelligence agencies. |
|
Section 2 Supervision on Non-Government Agencies
|
| Article 22 | Where the competent authority deems that a non-government agency is likely to violate the PDPA, or deems it necessary to verify its compliance with the PDPA, it may conduct inspections in the following ways: 1. notify the non-government agency or its relevant personnel to state their opinions; 2. notify the non-government agency or its relevant personnel to provide necessary documents, data, or items, or take other cooperative measures; and 3. conduct inspections independently or jointly with the central government authorities in charge of the industries concerned, special municipal governments, county (city) governments, or other relevant authorities by dispatching personnel with official identification documents, and may require relevant personnel to provide necessary explanations, take cooperative measures, or furnish relevant supporting documents. Regarding the inspection on reviewing the compliance with the PDPA as stated under the preceding paragraph, the regulations on the planning, evaluation method, the factors to be considered, the matters requiring cooperation among the central government authorities in charge of the industries concerned, special municipal governments, county (city) governments, or relevant authorities, and other related matters shall be prescribed by the competent authority. When conducting the inspections specified under Paragraph 1, the competent authority may seize or copy personal data or personal data files that may be confiscated or used as evidence. For items that are subject to seizure or required to be copied, the competent authority may require the owner, holder, or custodian thereof to present or deliver them. Where there are no legitimate grounds for refusing to present or deliver such items, or for resisting the seizure or copying, the competent authority may enforce compliance by means causing the least harm to the rights and interests of the non-government agency. 
Non-government agencies and their relevant personnel shall not evade, obstruct, or refuse any notification, entry, inspection, or measures carried out pursuant to Paragraph 1 or the preceding paragraph without legitimate grounds. When conducting the inspections under Subparagraph 3, Paragraph 1, the competent authority may be accompanied by information technology, telecommunications, legal, and/or other professional personnel. Personnel participating in the inspection shall bear a duty of confidentiality regarding any information learned or received during the inspection and shall take care to preserve the reputation of the inspected party. When conducting the inspections under Paragraph 1, the competent authority may, when necessary, request the central government authorities in charge of the industries concerned, the special municipal governments, the county (city) governments, or other relevant authorities (institutions) to cooperate in taking effective measures or providing assistance. |
|
| Article 23 | Seized or copied items under Paragraph 3 of the preceding article shall be sealed or otherwise marked and appropriately processed. Items that are difficult to transport or store may be placed under guard or entrusted to the owner or other suitable person for safekeeping. Seized or copied items that no longer need to be retained, or where a decision has been made not to impose penalties or not to confiscate, shall be returned. However, this shall not apply to items that should be confiscated or retained for investigation into other cases. |
|
| Article 24 | The non-government agency and the owners, holders, custodians, or interested parties of such items may file an objection with the competent authority against the requests, enforcement, seizure, or copying under the preceding two articles. If the competent authority finds the objection under the preceding paragraph justified, it shall immediately cease or modify the action; if it finds the objection unjustified, it may continue with the action. Upon request by the objecting party, a record of the grounds regarding objection shall be prepared and provided. Where a party objects to the competent authority’s decision under the preceding paragraph, such objection may only be raised concurrently with an appeal against the substantive decision in the case. However, where the party under Paragraph 1 is legally barred from appealing the substantive decision, they may directly initiate an administrative lawsuit against the action under Paragraph 1. |
|
| Article 25 | Where a non-government agency violates the PDPA, the competent authority may, in addition to imposing fines as prescribed under the PDPA, impose the following penalties: 1. prohibit the collection, processing, or use of personal data; 2. order the deletion of processed personal data files; 3. confiscate or order the destruction of illegally collected personal data; and 4. publicize the violations, along with the names of the violator and the statutory representative thereof. When imposing the penalties under the preceding paragraph, the competent authority shall adopt the method that causes the least harm to the rights and interests of the non-government agency, within the scope necessary to prevent violations of the PDPA. |
|
| Article 26 | Where the competent authority finds no violation of the PDPA after an inspection pursuant to Article 22, it may publish the inspection findings with the consent of the non-government agency. |
|
| Article 27 | (Deleted) |
|