
Title: Personal Data Protection Act
Category: Preparatory Office of Personal Data Protection Commission(個人資料保護委員會籌備處)
Chapter I General Provisions
Article 1
The Personal Data Protection Act (the "PDPA") is enacted to regulate the collection, processing and use of personal data so as to prevent harm to personality rights, and to facilitate the proper use of personal data.
Article 1-1
The competent authority of the PDPA is the Personal Data Protection Commission (the "PDPC").
The responsibilities of the central government authorities in charge of the industries concerned, the special municipality, county (city) government concerned, and the authorities specified in Articles 53 and 55 of the PDPA, shall be under the jurisdiction of the PDPC from the date of its establishment.
Article 2
The terms used in the PDPA have the following meanings:
1. "personal data" refers to a natural person's name, date of birth, national identification card number, passport number, physical characteristics, fingerprints, marital status, family information, education background, occupation, medical records, healthcare data, genetic data, sex life, records of physical examination, criminal records, contact information, financial conditions, social activities and any other information that may be used to directly or indirectly identify a natural person;
2. a "personal data file" refers to a collection of personal data structured to facilitate data retrieval and management by automated or non-automated means;
3. "collection" refers to the act of collecting personal data in any way;
4. "processing" refers to the act of recording, inputting, storing, compiling/editing, correcting, duplicating, retrieving, deleting, outputting, connecting or internally transferring data for the purpose of establishing or using a personal data file;
5. "use" refers to the act of using personal data via any methods other than processing;
6. "cross-border transfer" refers to the cross-border processing or use of personal data;
7. "government agency" refers to central or local government agencies or administrative entities authorized to exercise public authority;
8. "non-government agency" refers to a natural person, legal person or group other than those stated in the preceding subparagraph; and
9. "data subject" refers to an individual whose personal data is collected, processed or used.
Article 3
A data subject shall be able to exercise the following rights with regard to his/her personal data and such rights shall not be waived or limited contractually in advance:
1. the right to make an inquiry of and to review his/her personal data;
2. the right to request a copy of his/her personal data;
3. the right to supplement or correct his/her personal data;
4. the right to demand the cessation of the collection, processing or use of his/her personal data; and
5. the right to erase his/her personal data.
Article 4
Whoever is commissioned by government agencies or non-government agencies to collect, process or use personal data shall be deemed to be acting on behalf of the commissioning agency to the extent that the PDPA applies.
Article 5
The collection, processing and use of personal data shall be carried out in a way that respects the data subject's rights and interest, in an honest and good-faith manner, shall not exceed the necessary scope of specific purposes, and shall have legitimate and reasonable connections with the purposes of collection.
Article 6
Data pertaining to a natural person's medical records, healthcare, genetics, sex life, physical examination and criminal records shall not be collected, processed or used unless on any of the following bases:
1. where it is expressly required by law;
2. where it is within the necessary scope for a government agency to perform its statutory duties or for a non-government agency to fulfill its statutory obligation, provided that proper security and maintenance measures are adopted prior or subsequent to such collection, processing or use of personal data;
3. where the personal data has been manifestly made public by the data subject or publicized legally;
4. where it is necessary for statistics gathering or academic research by a government agency or an academic institution for the purpose of healthcare, public health, or crime prevention, provided that such data, as processed by the data provider or as disclosed by the data collector, may not lead to the identification of a specific data subject;
5. where it is necessary to assist a government agency in performing its statutory duties or a non-government agency in fulfilling its statutory obligations, provided that proper security and maintenance measures are adopted prior or subsequent to such collection, processing, or use of personal data; or
6. where the data subject has consented to the collection, processing and use of his/her personal data in writing, except where the collection, processing or use exceeds the necessary scope of the specific purpose, or where the collection, processing or use based solely on the consent of the data subject is otherwise prohibited by law, or where such consent is not given by the data subject out of his/her free will.
Articles 8 and 9 shall apply mutatis mutandis to the collection, processing, or use of personal data in accordance with the preceding paragraph; paragraphs 1, 2 and 4 of Article 7 shall apply mutatis mutandis to the consent required under subparagraph 6 of the preceding paragraph.
Article 7
"Consent", as referred to in subparagraph 2, paragraph 1 of Article 15 and subparagraph 5, paragraph 1 of Article 19, means a declaration of agreement given by a data subject after he/she has been informed by the data collector of the information required under the PDPA.
"Consent", as referred to in subparagraph 7, paragraph 1 of Article 16 and subparagraph 6, paragraph 1 of Article 20, means a separate declaration of agreement given by a data subject after he/she has been informed by the data collector of any of the purposes other than that originally specified, the scope of other use, and the impact of giving or not giving consent on the rights and interests of the data subject.
The data subject's consent may be presumed given pursuant to subparagraph 2, paragraph 1 of Article 15 and subparagraph 5, paragraph 1 of Article 19 if the data subject does not indicate his/her objection and affirmatively provides his/her personal data after the government or non-government agency has informed the data subject of the relevant information specified in paragraph 1 of Article 8 of the PDPA.
The data collector shall bear the burden of proof regarding the fact that the data subject has given the consent prescribed under the PDPA.
Article 8
Government or non-government agencies shall expressly inform the data subject of the following information when collecting their personal data in accordance with Article 15 or 19 of the PDPA:
1. the name of the government or non-government agency;
2. the purpose of the collection;
3. the categories of the personal data to be collected;
4. the time period, territory, recipients, and methods of which the personal data is used;
5. the data subject's rights under Article 3 and the methods for exercising such rights; and
6. the data subject's rights and interests that will be affected if he/she elects not to provide his/her personal data.
The obligation to inform as prescribed in the preceding paragraph may be waived under any of the following circumstances:
1. where notification may be waived in accordance with the law;
2. where the collection of personal data is necessary for the government agencies to perform their statutory duties or the non-government agencies to fulfill their statutory obligation;
3. where giving notice will prevent the government agencies from performing their statutory duties;
4. where giving notice will harm public interests;
5. where the data subject has already known the content of the notification; or
6. where the collection of personal data is for non-profit purposes and clearly has no adverse effect on the data subject.
Article 9
Government or non-government agencies shall, before processing or using the personal data collected in accordance with Article 15 or 19 which was not provided by the data subject, inform the data subject of their source of data and other information specified in subparagraphs 1 through 5, paragraph 1 of the preceding article.
The obligation to inform as prescribed in the preceding paragraph may be exempt under any of the following circumstances:
1. under any of the circumstances provided in paragraph 2 of the preceding article;
2. where the personal data has been manifestly made public by the data subject or publicized legally;
3. where it is unable to inform the data subject or his/her legal representative;
4. where it is necessary for statistics gathering or academic research in pursuit of public interests, provided that such data, as processed by the data provider or as disclosed by the data collector, may not lead to the identification of a specific data subject; or
5. where the personal data is collected by mass communication enterprises for the purpose of news reporting for the benefit of public interests.
The obligation to inform as prescribed in paragraph 1 may be performed at the time of the first use of the personal data towards the data subject.
Article 10
Upon the request of a data subject, the government or non-government agency shall reply to the data subject's inquiry, allow the data subject to review the personal data collected, or provide the data subject with a copy thereof except under any of the following circumstances:
1. where national security, diplomatic or military secrets, overall economic interests or other material national interests may be harmed;
2. where a government agency may be prevented from performing its statutory duties; or
3. where the vital interests of the data collectors or any third parties may be adversely affected.
Article 11
A government or non-government agency shall ensure the accuracy of personal data in its possession and correct or supplement such data on its own initiative or upon the request of data subjects.
In the event of a dispute regarding the accuracy of the personal data, the government or non-government agency shall, on its own initiative or upon the request of the data subject, cease processing or using the personal data, unless the processing or use is either necessary for the performance of an official or business duty, or has been agreed to by the data subject in writing, and the dispute has been recorded.
When the specific purpose of data collection no longer exists, or upon expiration of the relevant time period, government or non-government agencies shall, on their own initiative or upon the request of the data subject, erase or cease processing or using the personal data, unless the processing or use is either necessary for the performance of an official or business duty, or has been agreed to by the data subject in writing.
Government or non-government agencies shall, on their own initiative or upon the request of the data subject, erase the personal data collected or cease collecting, processing or using the personal data in the event where the collection, processing or use of the personal data is in violation of the PDPA.
If any failure to correct or supplement any personal data is attributable to a government or non-government agency, the government or non-government agency shall notify the persons who have been provided with such personal data after the correction or supplement is made.
Article 12
If any personal data is stolen, disclosed, altered, or otherwise infringed upon due to a violation of the PDPA by a government or non-government agency, the data subject shall be notified via appropriate means after the relevant facts have been clarified.
Article 13
Where a request is made by a data subject to a government or non-government agency pursuant to Article 10, the agency shall determine whether to accept or reject such request within fifteen days; such deadline may be extended by up to fifteen days if necessary, and the data subject shall be notified in writing of the reason for the extension.
Where a request is made by a data subject to a government or non-government agency pursuant to Article 11, the agency shall determine whether to accept or reject such request within thirty days; such deadline may be extended by up to thirty days if necessary, and the data subject shall be notified in writing of the reason for the extension.
Article 14
Government or non-government agencies may charge a fee to cover necessary costs from those who make an inquiry or request to review or obtain copies of the personal data.