Taiwan Passes Major Amendments to the Personal Data Protection Act
On November 11, 2025, amendments to Taiwan's Personal Data Protection Act ("PDPA") were promulgated by the president. Although the amendments have not yet formally taken effect, the provisions align the PDPA with the EU General Data Protection Regulation ("GDPR") and therefore merit close attention.
The provision deserving primary attention in the amended Act is Article 12. For a personal data breach, meaning an incident in which personal data is stolen, altered, damaged, destroyed, or disclosed, it explicitly prescribes two obligations: to inform the data subject and to notify the competent authority.
- Regarding the obligation to inform the data subject: when an enterprise becomes aware that personal data in its possession has been subject to a personal data breach, it shall, pursuant to Article 12, Paragraph 1, inform the data subject. Consistent with Article 34(1) of the GDPR, this notification is not conditioned upon first "ascertaining the facts"; rather, informing the data subject is the enterprise's highest-priority obligation. If an enterprise delays the notification and, after being ordered to make corrections within a prescribed period, fails to do so, the competent authority may impose a fine.
- With respect to the obligation to notify the competent authority: under Article 12, Paragraph 2, if a personal data breach qualifies as a "reportable incident" under the regulations separately issued by the competent authority, the enterprise shall, in addition to informing the data subject, also notify the competent authority. This is similar to the requirement under GDPR Article 33(1). If the enterprise fails to fulfill this obligation, the competent authority may directly impose a fine.
The newly added requirement under Article 18, Paragraph 1 of the amended Act, that government agencies shall designate a data protection officer ("DPO"), further demonstrates that oversight of government agencies under Taiwan's PDPA has been elevated to a level similar to that under the GDPR. A review of Article 18 as a whole shows that its core principles largely correspond to GDPR Articles 37 through 39. The legislative reasons emphasize that the DPO system should first be implemented by government agencies; whether enterprises and other non-government agencies will also be required to designate a DPO in the future remains to be seen.
For enterprises, the most significant impact of the amended Act will arise from the handling of personal data breaches under Article 12. Updating internal policies before the amended Act takes effect will help an enterprise respond smoothly to the amendments.