New Developments in the Taiwan Personal Data Protection Act

Date: 13 January 2026
Asia Corporate Alert

On 11 November 2025, amendments (the Amendments) to the Taiwan Personal Data Protection Act (個人資料保護法; PDPA) were officially promulgated. The effective date of the Amendments will be determined by the Executive Yuan. The Amendments establish the Personal Data Protection Commission (PDPC) and new regulatory compliance obligations, aiming to enhance personal data protection standards and foster a more secure environment. The Amendments themselves are available here.

Key Highlights

Focusing on regulations applicable to non-government agencies, we have summarized the key updates as follows:

  • Establishment of a new independent supervisory agency, the PDPC, to oversee personal data protection (Article 1-1).
  • Introduction of new data breach notification requirements, including mandatory reporting to the PDPC and affected individuals (Article 12).
    • Under the current PDPA, non-government agencies must notify the individual to whom the personal data pertains upon becoming aware that personal data they hold has been stolen, altered, damaged, lost, or leaked. The new Amendments further stipulate that, if the incident meets certain reporting criteria, non-government agencies must also report to the PDPC.
    • In addition, non-government agencies are required to take immediate and effective remedial measures to prevent the escalation of the incident, record relevant facts, impacts, and measures taken, and retain related records for PDPC inspection.
    • The PDPC will establish detailed regulations governing the content, methods, time limits, scope of reporting, contingency measures, record preservation, and other related matters for the notifications or reports.
    • Penalties for non-compliance with reporting to the PDPC range from NT$20,000 to NT$200,000, with additional fines of NT$20,000 to NT$200,000 imposed for each failure to rectify.
  • Enhanced security measures for personal data files and contingency planning (Article 20-1).
    • Under the current PDPA, non-government agencies that maintain personal data files must implement security measures to prevent personal data from being stolen, altered, damaged, lost, or leaked. Competent authorities may designate non-government agencies to establish a security and maintenance plan for personal data protection and rules on disposing of personal data after the termination of business.
    • In the future, regulations concerning the maintenance of personal data file security, management mechanisms, measures to be adopted, and other related matters will all be prescribed by the PDPC instead.
    • Non-government agencies that violate Article 20-1 will be subject to penalties ranging from NT$20,000 to NT$2,000,000, with additional fines ranging from NT$150,000 to NT$15,000,000 for each failure to rectify.
  • The PDPC is empowered to conduct administrative inspections and enforce corrective actions (Article 22).
    • The PDPC, as a new independent supervisory agency, will take over the responsibility of conducting administrative inspection in the future. If the PDPC determines that non-government agencies may be in violation of the PDPA, or deems it necessary to review the agency’s compliance, it may notify non-government agencies or relevant personnel to present their views, provide necessary documents, data, or items, or take other cooperative measures; or it may directly dispatch personnel to conduct an inspection. During an inspection, personal data that may serve as evidence may be retained or copied.
    • Non-government agencies must not evade, obstruct, or refuse an inspection without legitimate reason. Otherwise, penalties ranging from NT$20,000 to NT$200,000 will be imposed.

Conclusion

Companies should closely monitor any guidance and regulations published by the PDPC or relevant authorities in the future and consider the necessary actions to fully align their operations with the requirements of the Taiwan government.

Our firm is positioned to help companies navigate these complex and evolving regulations and can assist if you require further advice on complying with these new regulations. Should you have any questions, please do not hesitate to contact the authors listed above.

This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.
