Chapter I General Provisions
Article 1
The Personal Data Protection Act (the "PDPA") is enacted to regulate the collection, processing and use of personal data so as to prevent harm to personality rights, and to facilitate the proper use of personal data.
Article 1-1
The competent authority of the PDPA is the Personal Data Protection Commission (the "PDPC").
The responsibilities of the central government authorities in charge of the industries concerned, the special municipality, county (city) government concerned, and the authorities specified in Articles 53 and 55 of the PDPA, shall be under the jurisdiction of the PDPC from the date of its establishment.
Article 2
The terms used in the PDPA have the following meanings:
1. "personal data" refers to a natural person's name, date of birth, national identification Card number, passport number, physical characteristics, fingerprints, marital status, family information, education background, occupation, medical records, healthcare data, genetic data, sex life, records of physical examination, criminal records, contact information, financial conditions, social activities and any other information that may be used to directly or indirectly identify a natural person;
2. a "personal data file" refers to a collection of personal data structured to facilitate data retrieval and management by automated or non-automated means;
3. "collection" refers to the act of collecting personal data in any way;
4. "processing" refers to the act of recording, inputting, storing, compiling/editing, correcting, duplicating, retrieving, deleting, outputting, connecting or internally transferring data for the purpose of establishing or using a personal data file;
5. "use" refers to the act of using personal data via any methods other than processing;
6. "cross-border transfer" refers to the cross-border processing or use of personal data;
7. "government agency" refers to central or local government agencies or administrative entities authorized to exercise public authority;
8. "non-government agency" refers to a natural person, legal person or group other than those stated in the preceding subparagraph; and
9. "data subject" refers to an individual whose personal data is collected, processed or used.
Article 3
A data subject shall be able to exercise the following rights with regard to his/her personal data and such rights shall not be waived or limited contractually in advance:
1. the right to make an inquiry of and to review his/her personal data;
2. the right to request a copy of his/her personal data;
3. the right to supplement or correct his/her personal data;
4. the right to demand the cessation of the collection, processing or use of his/her personal data; and
5. the right to erase his/her personal data.
Article 4
Whoever is commissioned by government agencies or non-government agencies to collect, process or use personal data shall be deemed to be acting on behalf of the commissioning agency to the extent that the PDPA applies.
Article 5
The collection, processing and use of personal data shall be carried out in a way that respects the data subject's rights and interest, in an honest and good-faith manner, shall not exceed the necessary scope of specific purposes, and shall have legitimate and reasonable connections with the purposes of collection.
Article 6
Data pertaining to a natural person's medical records, healthcare, genetics, sex life, physical examination and criminal records shall not be collected, processed or used unless on any of the following bases:
1. where it is expressly required by law;
2. where it is within the necessary scope for a government agency to perform its statutory duties or for a non-government agency to fulfill its statutory obligation, provided that proper security and maintenance measures are adopted prior or subsequent to such collection, processing or use of personal data;
3. where the personal data has been manifestly made public by the data subject or publicized legally;
4. where it is necessary for statistics gathering or academic research by a government agency or an academic institution for the purpose of healthcare, public health, or crime prevention, provided that such data, as processed by the data provider or as disclosed by the data collector, may not lead to the identification of a specific data subject;
5. where it is necessary to assist a government agency in performing its statutory duties or a non-government agency in fulfilling its statutory obligations, provided that proper security and maintenance measures are adopted prior or subsequent to such collection, processing, or use of personal data; or
6. where the data subject has consented to the collection, processing and use of his/her personal data in writing, except where the collection, processing or use exceeds the necessary scope of the specific purpose, or where the collection, processing or use based solely on the consent of the data subject is otherwise prohibited by law, or where such consent is not given by the data subject out of his/her free will.
Articles 8 and 9 shall apply mutatis mutandis to the collection, processing, or use of personal data in accordance with the preceding paragraph; paragraphs 1, 2 and 4 of Article 7 shall apply mutatis mutandis to the consent required under subparagraph 6 of the preceding paragraph.
Article 7
"Consent", as referred to in subparagraph 2, paragraph 1 of Article 15 and subparagraph 5, paragraph 1 of Article 19, means a declaration of agreement given by a data subject after he/she has been informed by the data collector of the information required under the PDPA.
"Consent", as referred to in subparagraph 7, paragraph 1 of Article 16 and subparagraph 6, paragraph 1 of Article 20, means a separate declaration of agreement given by a data subject after he/she has been informed by the data collector of any of the purposes other than that originally specified, the scope of other use, and the impact of giving or not giving consent on the rights and interests of the data subject.
The data subject's consent may be presumed given pursuant to subparagraph 2, paragraph 1 of Article 15 and subparagraph 5, paragraph 1 of Article 19 if the data subject does not indicate his/her objection and affirmatively provides his/her personal data after the government or non-government agency has informed the data subject of the relevant information specified in paragraph 1 of Article 8 of the PDPA.
The data collector shall bear the burden of proof regarding the fact that the data subject has given the consent prescribed under the PDPA.
Article 8
Government or non-government agencies shall expressly inform the data subject of the following information when colleting their personal data in accordance with Article 15 or 19 of the PDPA:
1. the name of the government or non-government agency;
2. the purpose of the collection;
3. the categories of the personal data to be collected;
4. the time period, territory, recipients, and methods of which the personal data is used;
5. the data subject's rights under Article 3 and the methods for exercising such rights; and
6. the data subject's rights and interests that will be affected if he/she elects not to provide his/her personal data.
The obligation to inform as prescribed in the preceding paragraph may be waived under any of the following circumstances:
1. where notification may be waived in accordance with the law;
2. where the collection of personal data is necessary for the government agencies to perform their statutory duties or the non-government agencies to fulfill their statutory obligation;
3. where giving notice will prevent the government agencies from performing their statutory duties;
4. where giving notice will harm public interests;
5. where the data subject has already known the content of the notification; or
6. where the collection of personal data is for non-profit purposes and clearly has no adverse effect on the data subject.
Article 9
Government or non-government agencies shall, before processing or using the personal data collected in accordance with Article 15 or 19 which was not provided by the data subject, inform the data subject of their source of data and other information specified in subparagraphs 1 through 5, paragraph 1 of the preceding article.
The obligation to inform as prescribed in the preceding paragraph may be exempt under any of the following circumstances:
1. under any of the circumstances provided in paragraph 2 of the preceding article;
2. where the personal data has been manifestly made public by the data subject or publicized legally;
3. where it is unable to inform the data subject or his/her legal representative;
4. where it is necessary for statistics gathering or academic research in pursuit of public interests, provided that such data, as processed by the data provider or as disclosed by the data collector, may not lead to the identification of a specific data subject; or
5. where the personal data is collected by mass communication enterprises for the purpose of news reporting for the benefit of public interests.
The obligation to inform as prescribed in paragraph 1 may be performed at the time of the first use of the personal data towards the data subject.
Article 10
Upon the request of a data subject, the government or non-government agency shall reply to the data subject's inquiry, allow the data subject to review the personal data collected, or provide the data subject with a copy thereof except under any of the following circumstances:
1. where national security, diplomatic or military secrets, overall economic interests or other material national interests may be harmed;
2. where a government agency may be prevented from performing its statutory duties; or
3. where the vital interests of the data collectors or any third parties may be adversely affected.
Article 11
A government or non-government agency shall ensure the accuracy of personal data in its possession and correct or supplement such data on its own initiative or upon the request of data subjects.
In the event of a dispute regarding the accuracy of the personal data, the government or non-government agency shall, on its own initiative or upon the request of the data subject, cease processing or using the personal data, unless the processing or use is either necessary for the performance of an official or business duty, or has been agreed to by the data subject in writing, and the dispute has been recorded.
When the specific purpose of data collection no longer exists, or upon expiration of the relevant time period, government or non-government agencies shall, on their own initiative or upon the request of the data subject, erase or cease processing or using the personal data, unless the processing or use is either necessary for the performance of an official or business duty, or has been agreed to by the data subject in writing.
Government or non-government agencies shall, on their own initiative or upon the request of the data subject, erase the personal data collected or cease collecting, processing or using the personal data in the event where the collection, processing or use of the personal data is in violation of the PDPA.
If any failure to correct or supplement any personal data is attributable to a government or non-government agency, the government or non-government agency shall notify the persons who have been provided with such personal data after the correction or supplement is made.
Article 12
If any personal data is stolen, disclosed, altered, or otherwise infringed upon due to a violation of the PDPA by a government or non-government agency, the data subject shall be notified via appropriate means after the relevant facts have been clarified.
Article 13
Where a request is made by a data subject to a government or non-government agency pursuant to Article 10, the agency shall determine whether to accept or reject such request within fifteen days; such deadline may be extended by up to fifteen days if necessary, and the data subject shall be notified in writing of the reason for the extension.
Where a request is made by a data subject to a government or non-government agency pursuant to Article 11, the agency shall determine whether to accept or reject such request within thirty days; such deadline may be extended by up to thirty days if necessary, and the data subject shall be notified in writing of the reason for the extension.
Article 14
Government or non-government agencies may charge a fee to cover necessary costs from those who make an inquiry or request to review or obtain copies of the personal data.
Chapter II Data Collection, Processing and Use by a Government Agency
Article 15
Except for the personal data specified under paragraph 1 of Article 6, the collection or processing of personal data by government agencies shall be for specific purposes and on one of the following bases:
1. where it is within the necessary scope to perform its statutory duties;
2. where consent has been given by the data subject; or
3. where the rights and interests of the data subject will not be infringed upon.
Article 16
Except for the personal data specified under paragraph 1 of Article 6, government agencies shall use personal data only within the necessary scope of their statutory duties and for the specific purpose of collection; the use of personal data for another purpose shall be only on any of the following bases:
1.where it is expressly required by law;
2.where it is necessary for ensuring national security or furthering public interests;
3.where it is to prevent harm to the life, body, freedom, or property of the data subject;
4.where it is to prevent material harm to the rights and interests of others;
5.where it is necessary for statistics gathering or academic research by a government agency or an academic institution for public interests; provided that such data, as processed by the data provider or as disclosed by the data collector, may not lead to the identification of a specific data subject;
6.where it is for the data subject's rights and interests; or
7.where consent has been given by the data subject.
Article 17
Government agencies shall make public the following information online or allow the public to make inquiries thereof via other appropriate means; the foregoing also applies when any changes are made to the following information:
1. the names of the personal data files;
2. the name and contact information of the agency that is in possession of the personal data files;
3. the legal basis and purpose of keeping the personal data files; and
4. the category of the personal data.
Article 18
Government agencies in possession of personal data files shall assign dedicated personnel to implement security and maintenance measures to prevent the personal data from being stolen, altered, damaged, destroyed or disclosed.
Chapter III Data Collection, Processing and Use by a Non-government Agency
Article 19
Except for the personal data specified under paragraph 1 of Article 6, the collection or processing of personal data by non-government agencies shall be for specific purposes and on one of the following bases:
1. where it is expressly required by law;
2. where there is a contractual or quasi-contractual relationship between the non-government agency and the data subject, and proper security measures have been adopted to ensure the security of the personal data;
3. where the personal data has been manifestly made public by the data subject or publicized legally;
4. where it is necessary for statistics gathering or academic research by an academic institution in pursuit of public interests, provided that such data, as processed by the data provider or as disclosed by the data collector, may not lead to the identification of a specific data subject;
5. where consent has been given by the data subject;
6. where it is necessary for furthering public interests;
7. where the personal data is obtained from publicly available sources unless the data subject has an overriding interest in prohibiting the processing or use of such personal data; or
8. where the rights and interests of the data subject will not be infringed upon.
A data collector or processor shall, on its own initiative or upon the request of the data subject, erase or cease processing or using the personal data when it becomes aware of, or upon being notified by the data subject, that the processing or use of the personal data should be prohibited pursuant to the proviso to subparagraph 7 of the preceding paragraph.
Article 20
Except for the personal data specified in paragraph 1 of Article 6, non-government agencies shall use personal data only within the necessary scope of the specific purpose of collection; the use of personal data for another purpose shall be only on any of the following bases:
1. where it is expressly required by law;
2. where it is necessary for furthering public interests;
3. where it is to prevent harm to the life, body, freedom, or property of the data subject;
4. where it is to prevent material harm to the rights and interests of others;
5. where it is necessary for statistics gathering or academic research by a government agency or an academic institution for public interests; provided that such data, as provided by the data provider or disclosed by the data collector, may not lead to the identification of a specific data subject;
6. where consent has been given by the data subject; or
7. where it is for the data subject's rights and interests.
When a non-government agency uses personal data for marketing purpose pursuant to the preceding paragraph, upon the data subject's objection to such use, the agency shall cease using the data subject's personal data for marketing.
Non-government agencies, when using the data subject’s personal data for marketing purpose for the first time, shall provide the data subject the ways that he/she can object to such use, and the agency shall pay for the fees therefrom.
Article 21
If a cross-border transfer of personal data is carried out by a non-government agency under any of the following circumstances, the central government authority in charge of the industry concerned may impose restrictions on such transfer:
1. where major national interests are involved;
2. where an international treaty or agreement so stipulates;
3. where the country receiving the personal data lacks proper regulations on protection of personal data and the data subjects' rights and interests may consequently be harmed; or
4. where the cross-border transfer of the personal data to a third country (territory) is carried out to circumvent the PDPA.
Article 22
The central government authorities in charge of the industries concerned, the special municipality, county (city) government concerned may, when they deem necessary or suspect any possible violation of the PDPA, inspect compliance with the security control measures, the rules on disposing personal data upon business termination, and the restrictions on cross-border transfers, or conduct any other routine inspections by having their staff enter non-government agencies' premises upon presentation of their official identification documents and order relevant personnel at the non-government agencies to provide necessary explanations, cooperate on adopting relevant measures, or provide supporting documents.
When the central government authorities in charge of the industries concerned or the special municipality, county (city) governments concerned conduct the inspections described in the preceding paragraph, they may retain or make duplications of the personal data or the files thereof that can be confiscated or be admitted as evidence. The owner, holder or keeper of such data or files that shall be confiscated or copied shall submit them to the authorities upon request. If the non-government agency refuses to submit or deliver the requested data or files or rejects the confiscation or duplication thereof without any legitimate reason, a compulsory enforcement that will do the least harm to the rights and interests of the non-government agency may be applied.
When the central government authorities in charge of the industries concerned or the special municipality, county (city) governments concerned conduct the inspections described in paragraph 1, professionals in the field of information technology, telecommunications or law may accompany the inspectors during the inspections.
Non-government agencies and their personnel may not evade such inspections, obstruct the investigators from accessing the premises or data, or refuse to comply with the inspections or decisions referred to in paragraphs 1 and 2.
All personnel who take part in the inspections shall keep in confidence all the personal data that they become aware of due to the inspections.
Article 23
The confiscated files or duplicates referred to in paragraph 2 of the preceding article shall be sealed or tagged and properly handled; if it is unfeasible to move or take possession of such files, the authority shall assign personnel to guard such files or order the owner of such files or an appropriate person to take possession of the files.
If it is no longer necessary to keep the confiscated files or the duplicates, or the authority has decided not to impose any penalties or confiscate any files, the confiscated files and duplicates shall be returned except for the files or duplicates that shall be confiscated or kept for the investigation of other cases.
Article 24
The non-government agency, owner, holder, keeper or interested persons of those confiscated files or duplicates may raise an objection with the central government authority in charge of the industry concerned or the special municipality, county (city) government concerned against the acts of demand, compulsory enforcement, detention, or duplication mentioned in the preceding two Articles.
Upon receiving the objection mentioned in the preceding paragraph, the central government authority in charge of the industry concerned or the special municipality, county (city) government concerned shall immediately cease or rectify such acts if the objection is considered reasonable; otherwise, it may continue such acts. Upon the request of the person who raises the objection, a record of the reasons for objection shall be prepared and delivered to such person.
An appeal against the decision made by the central government authority in charge of the industry concerned or the special municipality, county (city) government concerned under the preceding paragraph may only be filed jointly with the appeal against the substantive decision of the case. However, if the persons identified in paragraph 1 do not have the rights to appeal against the substantive decision of the case under the law, such persons may file an administrative lawsuit solely against the acts identified in the same paragraph 1.
Article 25
In the event that a non-government agency has violated the PDPA, the central government authority in charge of the industry concerned or the special municipality, county (city) government concerned may impose fines on the non-government agency in accordance with the PDPA and may also enforce the following corrective measures:
1. prohibit the collection, processing or use of the personal data;
2. order the erasure of the processed personal data and personal data files;
3. confiscate or order the destruction of the unlawfully collected personal data; and/or
4. disclose to the public the violation of the non-government agency, the name of the non-government agency and its responsible person/representative.
Where the central government authority in charge of the industry concerned or the special municipality, county (city) government concerned enforce the corrective measures referred to in the preceding paragraph, such measures shall be within the scope that is necessary to prevent and remedy the violation of the PDPA and shall do the least harm to the rights and interests of the non-government agency concerned.
Article 26
The findings of the inspections conducted by the central government authorities in charge of the industries concerned or the special municipality, county (city) governments concerned in accordance with Article 22 may be disclosed to the public if the non-government agencies concerned are not in violation of the PDPA and agree to the public disclosure of such findings.
Article 27
Non-government agencies in possession of personal data files shall implement proper security measures to prevent the personal data from being stolen, altered, damaged, destroyed or disclosed.
The central government authorities in charge of the industries concerned may designate and order certain non-government agencies to establish a security and maintenance plan for the protection of personal data files and rules on disposing personal data following a business termination.
Matters such as standards on setting forth the aforementioned plans and disposal regulations shall be expressly established by the central government authority in charge of the industry concerned.
Chapter IV Damages and Class Action
Article 28
Government agencies shall be liable for the damages arising from injury caused by any unlawful collection, processing or use of personal data, or other infringement on the rights of data subjects due to such government agency's violation of the PDPA, unless such injury was caused by any natural disaster, emergency or other force majeure event.
If an injury suffered by the victim is a non-pecuniary damage, he/she may request an appropriate amount of monetary compensation; if the injury suffered by the victim is damage to his/her reputation, the victim may request appropriate corrective measures to restore his/her reputation.
Under the circumstances identified in the preceding two paragraphs, if it is difficult or impossible for the victim to prove the monetary value of the actual damage, he/she may ask the court to award the compensation in the amount of not less than NT$500 but not more than NT$20,000 per incident, per person based on the severity of the damage.
Where the rights of multiple data subjects have been infringed upon due to the same incident, the total amount of compensation awarded to such data subjects shall not exceed NT$200 million. However, if the interests involved in the incident exceed NT$200 million, the compensation shall be up to the value of such interests.
If the total amount of damages for the injuries attributable to the same incident exceeds the amount referred to in the preceding paragraph, the compensation payable to each victim shall not be limited to the lower end of damages, i.e. NT$500, per incident as set forth in paragraph 3 of this Article.
The right of claim referred to in paragraph 2 above may not be transferred or inherited. However, this does not apply to the circumstances where monetary compensation has been agreed upon in a contract or a claim therefor has been filed with the court.
Article 29
Non-government agencies shall be liable for the damages arising from any injury caused by any unlawful collection, processing or use of personal data, or other infringement on the rights of data subjects due to such non-government agency's violation of the PDPA, unless the non-government agency can prove that such injury is not caused by its willful act or negligence.
Paragraphs 2 through 6 of the preceding article apply to the damage claims raised in accordance with the preceding paragraph.
Article 30
The right to claim damage compensation will be extinguished if the right-holder does not exercise such right within the two-year period after he/she becomes aware of his/her damage and the identity of the person(s) liable for the compensation, or the five-year period following the occurrence of the damage.
Article 31
With regard to matters pertaining to damages, aside from the provisions of the PDPA, the State Compensation Law may be applied to a government agency and the Civil Code may be applied to a non-government agency.
Article 32
An incorporated foundation or an incorporated charity that brings a case to the court in accordance with this Chapter shall fulfill the following criteria:
1. the total registered assets of an incorporated foundation shall be NT$10 million or more, or the total number of members of an incorporated charity shall be 100 or more;
2. the protection of personal data shall be set forth as one of its purposes in its charter; and
3. It shall have been established for more than three years following its receipt of the approval thereof.
Article 33
The lawsuit filed with the court for damages against a government agency in accordance with the PDPA shall be subject to the exclusive jurisdiction of the district court where the agency is located. The lawsuit against a non-government agency is subject to the exclusive jurisdiction of the district court where its main office, principal place of business or domicile is located.
If the non-government agency referred to in the preceding paragraph is a natural person and has no place of domicile in the Republic of China, or the address thereof is unknown, such natural person's place of residence in the Republic of China shall be deemed to be the place of domicile. If the natural person has no place of residence in the Republic of China or the address thereof is unknown, his/her last known domicile in the Republic of China shall be deemed to be the place of domicile. If the natural person has no last known domicile, the district court where the central government is located shall have exclusive jurisdiction.
If the non-government agency referred to in paragraph 1 is a legal person or a group and has no main office, principal place of business, or the addresses thereof are both unknown, the district court where the central government is located shall have exclusive jurisdiction.
Article 34
Where the rights of multiple data subjects have been infringed upon due to the same incident, the incorporated foundation or incorporated charity may file a lawsuit with the court in its own name after obtaining a written delegation of litigation rights of at least 20 data subjects. The data subjects may withdraw their delegation in writing before the conclusion of the oral argument and the data subjects shall notify the court thereof.
With regard to the litigation referred to in the preceding paragraph, the court may issue a public notice, either upon receiving a petition therefor or on its own initiative, informing other data subjects that suffer damages due to the same incident that they may delegate their litigation rights to the incorporated foundation or the incorporated charity referred to in the preceding paragraph within a specified period of time. The incorporated foundation or the incorporated charity may expand demand for the relief sought before the conclusion of the oral argument.
If other data subjects that suffer damages due to the same incident chose not to delegate their litigation rights pursuant to the preceding paragraph, they may still bring the case to the court within the timeframe specified in the public notice for the court to combine the cases.
Other data subjects that have suffered damages due to the same incident may also file a petition, requesting the court to issue the public notice referred to in the preceding paragraph.
The notice referred to in the preceding two paragraphs may be posted on the bulletin boards of the court, on the Internet or at other proper locations. Should the court consider it necessary, it may make such notice in a government gazette or newspaper, or through other means, and the fees therefrom shall be paid by the National Treasury.
For the incorporated foundation or the incorporated charity that brings a case to the court in accordance with paragraph 1, if the claim value of the case exceeds NT$600,000, the court fee attributable to the excess portion of the claim value shall be waived.
Article 35
If a data subject withdraws his/her delegation of the litigation rights in accordance with paragraph 1 of the preceding article, the part of the court proceedings relating to such data subject shall automatically be suspended, and such data subject shall make a declaration to become a party to the suit. The court may also, on its own initiative, order such data subject to become a party to the suit.
After the incorporated foundation or the incorporated charity files a lawsuit with the court in accordance with the preceding article, if the withdrawal of litigation rights by some data subjects causes the number of remaining data subjects in the lawsuit to drop to less than 20, the court proceedings for the remaining data subjects may still continue.
Article 36
The statute of limitation for each data subject to exercise the right to claim damages under paragraphs 1 and 2 of Article 34 shall be calculated separately.
Article 37
An incorporated foundation or an incorporated charity that has been delegated litigation rights by data subjects shall be entitled to implement any and all acts pertaining to the lawsuit. However, the data subjects may set restrictions on the abandonment, withdrawal, or settlement relating to such lawsuit.
The restrictions set by one of the data subjects referred to in the preceding paragraph have no effect on the other data subjects.
The restrictions referred to in paragraph 1 shall be specified in the documents identified in paragraph 1 of Article 34, or shall be submitted to the court in writing.
Article 38
In the event that a data subject is not satisfied with the judgment of the lawsuit filed pursuant to Article 34, he/she may withdraw his/her delegation of litigation rights before the deadline for filing an appeal by such incorporated foundation or incorporated charity, and then file the appeal himself/herself.
After receiving the original copy of the judgment, the incorporated foundation or the incorporated charity shall notify the data subjects of the outcome and also notify the data subjects in writing within seven days as to whether or not an appeal will be filed.
Article 39
The incorporated foundation or the incorporated charity shall deduct the necessary litigation fees from the compensation awarded in accordance with the result of the lawsuit filed pursuant to Article 34, and deliver the remaining amount to the data subjects that delegate the litigation rights.
The incorporated foundation or the incorporated charity may not ask for remuneration for the lawsuit filed in accordance with paragraph 1 of Article 34.
Article 40
The incorporated foundation or the incorporated charity that filed a lawsuit in accordance with the provisions of this Chapter shall engage an attorney as its agent ad litem for the lawsuit.
Chapter V Penalties
Article 41
If a person, with the intention of obtaining unlawful gains for himself/herself or a third party, or with the intention of impairing another person's interests, is in violation of paragraph 1 of Article 6, Articles 15, 16, 19, and paragraph 1 of Article 20, or an order or decision relating to the restrictions on cross-border transfers made by the central government authority in charge of the industry concerned in accordance with Article 21 of the PDPA, thereby causing damage to others, the person shall be sentenced to imprisonment for no more than five years; in addition thereto, a fine of no more than NT$1,000,000 may be imposed.
Article 42
If a person, with the intention of obtaining unlawful gains for himself/herself or for a third party, or infringing upon the interests of others, illegally changes or erases personal data files, or otherwise compromises the accuracy of another's personal data files, thereby causing damages to others, the person shall be sentenced to imprisonment for no more than five years or detention, and/or a fine of no more than NT$1,000,000.
Article 43
The preceding two articles also apply to nationals of the Republic of China if they commit any offense specified therein outside of the Republic of China against any other national of the Republic of China.
Article 44
A government official who abuses the power, opportunity or means available to him/her to commit any of the offenses described in this Chapter shall be subject to a more severe punishment which is up to 50% more than that prescribed above.
Article 45
A person who committed any of the offenses identified in this Chapter shall be indicted only upon a complaint, except for the offenses specified in Article 41 and those identified in Article 42 against a government agency.
Article 46
If a more severe punishment is provided for under other laws with respect to the offenses identified in this Chapter, the more severe punishment shall take precedence.
Article 47
If a non-government agency violates any of the following provisions, the central government authority in charge of the industry concerned or the special municipality, county (city) government concerned shall impose a fine of not less than NT$50,000 but not more than NT$500,000 on the non-government agency, and shall order the non-government agency to rectify the violation within a specified period of time. If the non-government agency fails to rectify the violation in time, a fine shall be imposed for each occurrence of the violation:
1. paragraph 1 of Article 6;
2. Article 19;
3. paragraph 1 of Article 20; and/or
4. an order or decision relating to the restrictions on cross-border transfers made by the central government authority in charge of the industry concerned under Article 21.
Article 48
If a non-government agency violates any of the following provisions, the central government authority in charge of the industry concerned or the special municipality, county (city) government concerned shall order the non-government agency to rectify the violation within a specified period of time; if the non-government agency fails to rectify the violation in time, a fine of not less than NT$20,000 but not more than NT$200,000 shall be imposed on the non-government agency for each occurrence of the violation:
1. Article 8 or Article 9;
2. Article 10, Article 11, Article 12, or Article 13;
3. paragraph 2 or paragraph 3 of Article 20.
If a non-government agency violates paragraph 1 of Article 27 or fails to establish a security and maintenance plan for the protection of personal data files or rules on disposing of personal data following a business termination under paragraph 2 of Article 27, the central government authority in charge of the industry concerned or the special municipality, county (city) government concerned shall impose a fine of not less than NT$20,000 but not more than NT$2,000,000 on the non-government agency, and shall order the non-government agency to rectify the violation within a specified period of time. If the non-government agency fails to rectify the violation in time, a fine of not less than NT$150,000 but not more than NT$15,000,000 shall be imposed for each occurrence of the violation.
If a non-government agency violates paragraph 1 of Article 27, or fails to establish a security and maintenance plan for the protection of personal data files or rules on disposing of personal data following a business termination under paragraph 2 of Article 27, which is of a serious violation, the central government authority in charge of the industry concerned or the special municipality, county (city) government concerned shall impose a fine not less than NT$150,000 but not more than NT$15,000,000 on the non-government agency to rectify the violation within a specified period of time; if the non-government agency fails to rectify the violation in time, a fine shall be imposed for each occurrence of the violation.
Article 49
If a non-government agency is in violation of paragraph 4 of Article 22 without any legitimate reason, the central government authority in charge of the industry concerned or the special municipality, county (city) government concerned shall impose a fine of not less than NT$20,000 but not more than NT$200,000 on the non-government agency.
Article 50
The representative, manager, or any other authorized representative of a non-government agency shall be fined the same amount imposed on the non-government agency for a violation of any of the preceding three articles, unless said person proves that he/she has exercised due care to prevent such violation.
Chapter VI Supplementary Provisions
Article 51
The PDPA does not apply to the following circumstances:
1. where personal data is being collected, processed, or used by a natural person purely for purposes of personal or household activities; or
2. where audio-visual data is collected, processed, or used in public places or public activities and not connected to other personal data.
The PDPA also applies to the government and the non-government agencies outside the territory of the Republic of China (R.O.C) when they collect, process or use the personal data of R.O.C. nationals.
Article 52
The duties of the central government authorities in charge of the industries concerned or the special municipality, county (city) governments concerned under Articles 22 through 26 may be delegated to their subordinate agencies, other agencies or public interest groups. The personnel of such agencies or public interest groups shall be obligated to keep confidential all the data they become aware of during the performance of the duties so delegated or commissioned.
The public interest groups referred to in the preceding paragraph shall not receive any data subject's delegation of litigation rights to file a lawsuit for damages in their names in accordance with paragraph 1 of Article 34.
Article 53
The Ministry of Justice shall, in conjunction with the central government authorities in charge of the industries concerned, set forth the specific purposes and categories of personal data, and provide the same to government and non-government agencies for reference and use.
Article 54
After the enactment of the amendments to the PDPA on December 15, 2015, if any personal data was furnished before the amendments to the PDPA on May 26, 2010, not by the data subject, the data subject shall be provided with the information required under Article 9 before such personal data is processed or used.
The obligation to inform as prescribed in the preceding paragraph may be given at the time when such personal data is used for the first time after the enactment of the amendments to the PDPA on December 15, 2015.
Any use of personal data without the information provided in accordance with the preceding two paragraphs shall be deemed and punished as a violation of Article 9.
Article 55
The Enforcement Rules of the PDPA shall be prescribed by the Ministry of Justice.
Article 56
The enforcement date of the PDPA shall be set by the Executive Yuan.
The deletion of Articles 19 through 22 and Article 43 on May 26, 2010, and the revision of Article 48 under the amendment to the PDPA made on May 16, 2023, shall become effective on the date of promulgation.