Taiwan Data Privacy Law: Rights, Responsibilities, and Penalties

The Personal Data Protection Act (PDPA) assigns responsibilities to organizations, businesses, and individuals who collect, process, or store data. In doing so, this piece of Taiwan data privacy legislation ensures certain rights for individuals. In addition, the PDPA is comprehensive, leaving little ambiguity about what types of activity constitute data privacy violations in Taiwan.

PDPA and the Five Rights of Data Privacy in Taiwan

The current text of the PDPA includes numerous amendments. It has become more thorough and nuanced as a living document since it became effective in 2012. Resources explaining Taiwan’s data privacy law offer condensed looks at some of the critical points, such as the five inalienable rights of data privacy:

  1. The right to review one’s data upon inquiry
  2. The right to request a copy of one’s data (although there may be applicable fees for a physical copy)
  3. The right to request that one’s data be supplemented or corrected
  4. The right to demand the cessation of the collection, processing, or utilization of one’s personal information
  5. The right to erase or request deletion of one’s own personal information

These data privacy rights in Taiwan may not be waived or limited.

Responsibilities for Taiwan Data Privacy Rights

Data gatherers, processors, and holders must be incredibly diligent when distinguishing between personal vs. sensitive PDPA data. Organizations and individuals are primarily responsible for safeguarding details of an individual’s life that might cause harm, embarrassment, exclusion, or other damage.

Under the PDPA, a data collector must give a privacy notice when the data is originally collected. This notice must include all of the following information:

  • The data collector’s name
  • The intended purpose of collecting the data
  • The classification of all personal data collected
  • Stipulations as to the data utilization:
    • Time
    • Geographical area
    • Recipients of the data
    • Manner of utilization
  • Acknowledgment of the five inalienable rights above
  • The potential impact of the data subject’s decision not to provide personal data

If the privacy notice meets the notification requirements of the PDPA, and if the privacy notice does not require consent under the PDPA, notification is enough even without consent. However, the data subject must consent if the collector also requires sensitive information.

How Does the Government Determine Data Privacy Violations in Taiwan?

The Personal Data Protection Commission (PDPC) declares that organizations that collect, use, or disclose personal data are accountable for all responsibilities outlined in the PDPA. Therefore, there is no uncertainty about the gravity of the Taiwan data privacy regulation.

Any violation of an individual’s privacy rights, especially those five rights outlined above, may result in a penalty. The PDPA explicitly calls out types of data such as the following, which are likely to harm individuals if subjected to a breach:

  • Financial information not publicly disclosed
  • Data that may identify vulnerable individuals
  • Insurance information not publicly disclosed
  • Medical information such as diagnosis of HIV
  • Information related to adoption
  • Private keys or passphrases
  • Account identifiers

Those who wish to steer clear of Taiwan data privacy penalties must take appropriate steps to minimize and protect such information.

Penalties for Violating the PDPA

Fines under the PDPA may be significant. Fines incentivize organizations to ensure that every individual receives uninterrupted access to the benefits of the PDPA. A penalty of up to 500,000 NTD, or 17,000 USD, may be imposed for each violation. The Personal Data Protection Committee has the authority to assess fines repeatedly until the violation is corrected.

There are additional penalties for violating the PDPA as well. Criminal remedies may include fines of up to 1,000,000 NTD, or 35,700 USD, and five years of imprisonment. In addition, the responsible individual(s) within a non-public institution may be subject to the same administrative fines if deemed negligent. Finally, the wronged party may seek additional remedies and damages under the Civil Code.

To avoid such consequences, many organizations in Taiwan choose a partner for data privacy consulting.

What Information Does Taiwan’s Data Privacy Law Protect?

The section above on data privacy violations in Taiwan only includes some of the information covered by the PDPA. To learn more about the scope of information protection, keep an eye out for the next piece in this series on Taiwan data privacy legislation. As a trusted eDiscovery partner in Asia, Sandline takes excellent care to keep our partners up to date with crucial aspects of the PDPA.

Our next piece on personal vs. sensitive PDPA data will cover the differences between personal and sensitive information in great detail. It will be a crucial exploration of which rights and protections apply to both data types and how the treatment of PII and sensitive information differs. The next piece will cover intent, adherence to scope, and consent. Until then, don’t hesitate to contact us to learn about data privacy best practices in Taiwan.