Data protection & privacy laws in Taiwan (2026)
Taiwan has had a comprehensive cross-sectoral data protection law since 2010 (the PDPA, building on a 1995 predecessor law), covering collection, processing, use and cross-border transfer of personal data with consent, purpose-limitation, notification, access/correction and deletion rights. Until recently, enforcement was fragmented across sector-specific competent authorities, but 2025 amendments create an independent Personal Data Protection Commission (PDPC) to centralize supervision — responding to the Constitutional Court's 2022 Judgment 111-Hsien-Pan-13, which required an independent oversight body. The amendments were promulgated on 11 November 2025, with the effective date to be set by the Executive Yuan (expected 2026) and a 6-year transition for migrating supervision to the PDPC.
Key points
The PDPA is a single cross-sectoral statute governing personal data held by both public and private entities; it requires a lawful purpose and (generally) data-subject consent for collection, processing and use, with stricter rules for sensitive data such as medical, genetic, sexual-life, health-check and criminal-record data.
2025 amendments establish the Personal Data Protection Commission as an independent supervisory authority over both government and non-government agencies; a Preparatory Office was set up on 5 December 2023 and currently operates while the full Commission is stood up.
The creation of an independent regulator stems from Constitutional Court Judgment No. 111-Hsien-Pan-13 (2022), which held that Taiwan must establish an independent supervisory mechanism for personal data protection.
Individuals have rights to be informed, to access and obtain copies of their data, to request correction or supplementation, to withdraw consent (after which data must be erased or processing stopped), and to object to use of their data for marketing.
Article 12 requires notifying affected data subjects upon becoming aware of a breach (theft, alteration, damage, destruction or disclosure of data); 2025 amendments also require reporting qualifying incidents to the competent authority/PDPC, and government agencies must designate a Data Protection Officer under amended Article 18.
Competent authorities may restrict transfers of personal data out of Taiwan (e.g., where national interests are involved or the destination lacks adequate protection). Administrative fines for security/maintenance breaches reach up to NT$15 million for repeated failure to rectify, and intentional unlawful misuse can carry up to 5 years' imprisonment.
Timeline - major decisions & events
The ROC President promulgated comprehensive amendments to the Personal Data Protection Act, mandating breach notification to both data subjects and the PDPC, requiring government agencies to designate Data Protection Officers (mirroring GDPR Article 37), and formally constituting the Personal Data Protection Commission. Effective date is to be set by the Executive Yuan.
Source: Laws & Regulations Database of the Republic of China (Taiwan)

Taiwan's legislature enacted the most significant PDPA revision in over a decade, adding explicit data-breach notification duties, DPO requirements for public bodies, and formal establishment of the PDPC as a collegial, independent authority — closing a gap the Constitutional Court identified in 2022.
Source: Jones Day

The Preparatory Office of the Personal Data Protection Commission took over responsibility for issuing official PDPA interpretations from the National Development Council, centralising guidance ahead of the PDPC's full constitutional launch.
Source: Preparatory Office of the Personal Data Protection Commission (pdpc.gov.tw)

Taiwan's Financial Supervisory Commission fined Shanghai Commercial & Savings Bank NT$10 million — the heaviest PDPA-related penalty ever imposed by the FSC on a bank — after confirming the bank leaked names and ID numbers of 14,000 customers following a September 2022 cybersecurity incident.
Source: Global Compliance News (Baker McKenzie)

The Legislative Yuan amended the PDPA to raise maximum administrative fines for data-security failures by non-governmental entities from NT$1.5 million to NT$15 million per violation, and designated the incoming Personal Data Protection Commission as the single competent authority, ending the fragmented sector-by-sector enforcement model.
Source: Global Compliance News (Baker McKenzie)

A threat actor listed what was described as the complete Taiwan household registration database — covering the entire population — on BreachedForum, the first time such records were publicly offered for sale. The Ministry of the Interior initially denied the breach before prosecutors opened a confidential investigation.
Source: Taiwan Insight (Academia Sinica)

Taiwan inaugurated the Ministry of Digital Affairs, consolidating data governance, cybersecurity policy, digital-economy regulation, and telecommunications oversight — absorbing functions from the Ministry of Economic Affairs and the Executive Yuan's Department of Cyber Security, and creating the Administration for Cyber Security as a sub-body.
Source: Ministry of Digital Affairs (moda.gov.tw)

The Constitutional Court ruled that the absence of an independent supervisory authority for personal data placed Taiwan's protection framework at the edge of unconstitutionality, and ordered the legislature to enact the necessary laws and establish such an authority within three years — directly triggering the 2023 PDPA amendment and the PDPC.
Source: Science & Technology Law Institute (STLI), Institute for Information Industry

The Legislative Yuan passed sweeping amendments that renamed the 1995 Computer-Processed Personal Data Protection Law to the 'Personal Data Protection Act', removed the limitation to computer-processed data, extended the law's reach to all industries, and aligned remedies with the EU Data Protection Directive 95/46/EC.
Source: Library of Congress Global Legal Monitor

The President promulgated Taiwan's foundational data protection law, modelled on the OECD 1980 Privacy Guidelines and the Council of Europe's 1981 Convention; it applied only to computer-processed personal data in specific regulated sectors (e.g. medical, financial, telecom), establishing the legal baseline that all subsequent PDPA amendments have built upon.
Source: Council of Europe (English translation of 1995 Taiwan law)
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.