No Support JavaScript

Laws & Regulations Database of The Republic of China (Taiwan)

Print Time:2024/11/22 06:05
:::

Chapter Law Content

Title: Personal Data Protection Act CH
Category: Preparatory Office of Personal Data Protection Commission(個人資料保護委員會籌備處)
Chapter III Data Collection, Processing and Use by a Non-government Agency
Article 19
Except for the personal data specified under paragraph 1 of Article 6, the collection or processing of personal data by non-government agencies shall be for specific purposes and on one of the following bases:
1. where it is expressly required by law;
2. where there is a contractual or quasi-contractual relationship between the non-government agency and the data subject, and proper security measures have been adopted to ensure the security of the personal data;
3. where the personal data has been manifestly made public by the data subject or publicized legally;
4. where it is necessary for statistics gathering or academic research by an academic institution in pursuit of public interests, provided that such data, as processed by the data provider or as disclosed by the data collector, may not lead to the identification of a specific data subject;
5. where consent has been given by the data subject;
6. where it is necessary for furthering public interests;
7. where the personal data is obtained from publicly available sources unless the data subject has an overriding interest in prohibiting the processing or use of such personal data; or
8. where the rights and interests of the data subject will not be infringed upon.
A data collector or processor shall, on its own initiative or upon the request of the data subject, erase or cease processing or using the personal data when it becomes aware of, or upon being notified by the data subject, that the processing or use of the personal data should be prohibited pursuant to the proviso to subparagraph 7 of the preceding paragraph.
Article 20
Except for the personal data specified in paragraph 1 of Article 6, non-government agencies shall use personal data only within the necessary scope of the specific purpose of collection; the use of personal data for another purpose shall be only on any of the following bases:
1. where it is expressly required by law;
2. where it is necessary for furthering public interests;
3. where it is to prevent harm to the life, body, freedom, or property of the data subject;
4. where it is to prevent material harm to the rights and interests of others;
5. where it is necessary for statistics gathering or academic research by a government agency or an academic institution for public interests; provided that such data, as provided by the data provider or disclosed by the data collector, may not lead to the identification of a specific data subject;
6. where consent has been given by the data subject; or
7. where it is for the data subject's rights and interests.
When a non-government agency uses personal data for marketing purpose pursuant to the preceding paragraph, upon the data subject's objection to such use, the agency shall cease using the data subject's personal data for marketing.
Non-government agencies, when using the data subject’s personal data for marketing purpose for the first time, shall provide the data subject the ways that he/she can object to such use, and the agency shall pay for the fees therefrom.
Article 21
If a cross-border transfer of personal data is carried out by a non-government agency under any of the following circumstances, the central government authority in charge of the industry concerned may impose restrictions on such transfer:
1. where major national interests are involved;
2. where an international treaty or agreement so stipulates;
3. where the country receiving the personal data lacks proper regulations on protection of personal data and the data subjects' rights and interests may consequently be harmed; or
4. where the cross-border transfer of the personal data to a third country (territory) is carried out to circumvent the PDPA.
Article 22
The central government authorities in charge of the industries concerned, the special municipality, county (city) government concerned may, when they deem necessary or suspect any possible violation of the PDPA, inspect compliance with the security control measures, the rules on disposing personal data upon business termination, and the restrictions on cross-border transfers, or conduct any other routine inspections by having their staff enter non-government agencies' premises upon presentation of their official identification documents and order relevant personnel at the non-government agencies to provide necessary explanations, cooperate on adopting relevant measures, or provide supporting documents.
When the central government authorities in charge of the industries concerned or the special municipality, county (city) governments concerned conduct the inspections described in the preceding paragraph, they may retain or make duplications of the personal data or the files thereof that can be confiscated or be admitted as evidence. The owner, holder or keeper of such data or files that shall be confiscated or copied shall submit them to the authorities upon request. If the non-government agency refuses to submit or deliver the requested data or files or rejects the confiscation or duplication thereof without any legitimate reason, a compulsory enforcement that will do the least harm to the rights and interests of the non-government agency may be applied.
When the central government authorities in charge of the industries concerned or the special municipality, county (city) governments concerned conduct the inspections described in paragraph 1, professionals in the field of information technology, telecommunications or law may accompany the inspectors during the inspections.
Non-government agencies and their personnel may not evade such inspections, obstruct the investigators from accessing the premises or data, or refuse to comply with the inspections or decisions referred to in paragraphs 1 and 2.
All personnel who take part in the inspections shall keep in confidence all the personal data that they become aware of due to the inspections.
Article 23
The confiscated files or duplicates referred to in paragraph 2 of the preceding article shall be sealed or tagged and properly handled; if it is unfeasible to move or take possession of such files, the authority shall assign personnel to guard such files or order the owner of such files or an appropriate person to take possession of the files.
If it is no longer necessary to keep the confiscated files or the duplicates, or the authority has decided not to impose any penalties or confiscate any files, the confiscated files and duplicates shall be returned except for the files or duplicates that shall be confiscated or kept for the investigation of other cases.
Article 24
The non-government agency, owner, holder, keeper or interested persons of those confiscated files or duplicates may raise an objection with the central government authority in charge of the industry concerned or the special municipality, county (city) government concerned against the acts of demand, compulsory enforcement, detention, or duplication mentioned in the preceding two Articles.
Upon receiving the objection mentioned in the preceding paragraph, the central government authority in charge of the industry concerned or the special municipality, county (city) government concerned shall immediately cease or rectify such acts if the objection is considered reasonable; otherwise, it may continue such acts. Upon the request of the person who raises the objection, a record of the reasons for objection shall be prepared and delivered to such person.
An appeal against the decision made by the central government authority in charge of the industry concerned or the special municipality, county (city) government concerned under the preceding paragraph may only be filed jointly with the appeal against the substantive decision of the case. However, if the persons identified in paragraph 1 do not have the rights to appeal against the substantive decision of the case under the law, such persons may file an administrative lawsuit solely against the acts identified in the same paragraph 1.
Article 25
In the event that a non-government agency has violated the PDPA, the central government authority in charge of the industry concerned or the special municipality, county (city) government concerned may impose fines on the non-government agency in accordance with the PDPA and may also enforce the following corrective measures:
1. prohibit the collection, processing or use of the personal data;
2. order the erasure of the processed personal data and personal data files;
3. confiscate or order the destruction of the unlawfully collected personal data; and/or
4. disclose to the public the violation of the non-government agency, the name of the non-government agency and its responsible person/representative.
Where the central government authority in charge of the industry concerned or the special municipality, county (city) government concerned enforce the corrective measures referred to in the preceding paragraph, such measures shall be within the scope that is necessary to prevent and remedy the violation of the PDPA and shall do the least harm to the rights and interests of the non-government agency concerned.
Article 26
The findings of the inspections conducted by the central government authorities in charge of the industries concerned or the special municipality, county (city) governments concerned in accordance with Article 22 may be disclosed to the public if the non-government agencies concerned are not in violation of the PDPA and agree to the public disclosure of such findings.
Article 27
Non-government agencies in possession of personal data files shall implement proper security measures to prevent the personal data from being stolen, altered, damaged, destroyed or disclosed.
The central government authorities in charge of the industries concerned may designate and order certain non-government agencies to establish a security and maintenance plan for the protection of personal data files and rules on disposing personal data following a business termination.
Matters such as standards on setting forth the aforementioned plans and disposal regulations shall be expressly established by the central government authority in charge of the industry concerned.
Web site:Laws & Regulations Database of The Republic of China (Taiwan)