Section 1 Supervision on Government Agencies |
| Article 21-1 | Government agencies shall submit reports annually regarding the implementation status on their management and protection of personal data to their superior agencies or supervisory agencies. Where no superior agency or supervisory agency exists, the following provisions shall apply:
1.The Office of the President, the National Security Council, and the Five Yuans of government shall submit reports to the competent authority.
2.Special municipal governments, special municipal councils, county (city) governments, and county (city) councils shall submit reports to the competent authority.
3.The offices of mountain indigenous districts in special municipalities and their representative councils shall submit reports to the special municipal government; township (town, city) offices and their representative councils shall submit reports to the county government.
Government agencies shall supervise and audit the implementation of protection and management of personal data by their subordinate or supervised government agencies, township (town, city) offices under their jurisdiction, offices of mountain indigenous districts in special municipalities, and representative councils of townships (towns, cities) and mountain indigenous districts in special municipalities.
If deficiencies or areas requiring rectification are identified during the audits conducted pursuant to the preceding paragraph, the audited agency shall submit a rectification report to the auditing agency. After review, the auditing agency shall forward the report along with the audit findings to the competent authority.
When deemed necessary, the auditing agency or competent authority may require the audited agency to provide explanations or make adjustments.
Regarding the requirements under the preceding four paragraphs, the regulations on the required information of the implementation reports, the frequency, items, and methods of the audits, the delivery of the audit results, the procedures for submitting the rectification reports, and other related matters shall be prescribed by the competent authority. |
|
| Article 21-2 | The competent authority shall conduct periodic or ad hoc audits on the implementation of the protection and management of personal data by government agencies; when necessary, it may request assistance from the auditing authority specified under Paragraph 2 of the preceding article.
If deficiencies or areas requiring rectification are identified in the audited agency’s implementation during an audit under the preceding paragraph, the audited agency shall submit a rectification report. This report shall be submitted to the authority designated to receive the implementation report under Paragraph 1 of the preceding article for review, and subsequently forwarded to the competent authority by such reviewing authority.
The reviewing authority or competent authority under the preceding paragraph may, when deemed necessary, request the audited agency to provide explanations or make adjustments.
Regarding the requirements under the preceding three paragraphs, the regulations on the frequency, items, and methods of the audits, the procedures for submitting the rectification reports, and other related matters shall be prescribed by the competent authority.
Personnel participating in audits pursuant to the preceding article and this article shall bear a duty of confidentiality regarding any information learned or received in the course of performing such audits. |
|
| Article 21-3 | Where it is likely that a government agency may violate the PDPA, the competent authority may request the government agency to submit information and explanations, or dispatch personnel with official identification documents to conduct on-site inspections. Except where confidentiality is required by law, the government agency and its relevant personnel shall cooperate with the inspections.
Where necessary, the competent authority may request assistance from the auditing authority specified under Paragraph 2, Article 21-1 for the on-site inspection referred to under the preceding paragraph.
Personnel participating in the inspection shall bear a duty of confidentiality regarding any information learned or received in the course of performing such inspection. |
|
| Article 21-4 | Where a government agency violates the PDPA, the competent authority shall order it to rectify the violation within a specified time limit. The government agency shall make appropriate rectification within the time limit and shall respond in writing to the competent authority regarding the status of the rectification.
Where a government agency fails to rectify the violation as required under the preceding paragraph, the competent authority may publicize its name and the facts of its violation.
Where personnel of a government agency fail to act in accordance with the PDPA, they shall be subject to disciplinary sanction, action, or punishment in accordance with relevant laws and regulations, depending on the severity of the violation. |
|
| Article 21-5 | The provisions under this section do not apply to intelligence agencies. |
|