Data & Privacy · Taiwan
Taiwan has had a comprehensive cross-sectoral data protection law since 2010 (the PDPA, building on a 1995 predecessor law), covering collection, processing, use and cross-border transfer of personal data with consent, purpose-limitation, notification, access/correction and deletion rights. Until recently, enforcement was fragmented across sector-specific competent authorities, but 2025 amendments create an independent Personal Data Protection Commission (PDPC) to centralize supervision — responding to the Constitutional Court's 2022 Judgment 111-Hsien-Pan-13, which required an independent oversight body. The amendments were promulgated on 11 November 2025, with the effective date to be set by the Executive Yuan (expected 2026) and a 6-year transition for migrating supervision to the PDPC.
The PDPA is a single cross-sectoral statute governing personal data held by both public and private entities; it requires a lawful purpose and (generally) data-subject consent for collection, processing and use, with stricter rules for sensitive data such as medical, genetic, sexual-life, health-check and criminal-record data.
2025 amendments establish the Personal Data Protection Commission as an independent supervisory authority over both government and non-government agencies; a Preparatory Office was set up on 5 December 2023 and currently operates while the full Commission is stood up.
The creation of an independent regulator stems from Constitutional Court Judgment No. 111-Hsien-Pan-13 (2022), which held that Taiwan must establish an independent supervisory mechanism for personal data protection.
Individuals have rights to be informed, to access and obtain copies of their data, to request correction or supplementation, to withdraw consent (after which data must be erased or processing stopped), and to object to use of their data for marketing.
Article 12 requires notifying affected data subjects upon becoming aware of a breach (theft, alteration, damage, destruction or disclosure of data); 2025 amendments also require reporting qualifying incidents to the competent authority/PDPC, and government agencies must designate a Data Protection Officer under amended Article 18.
Competent authorities may restrict transfers of personal data out of Taiwan (e.g., where national interests are involved or the destination lacks adequate protection). Administrative fines for security/maintenance breaches reach up to NT$15 million for repeated failure to rectify, and intentional unlawful misuse can carry up to 5 years' imprisonment.
Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.