The Personal Data Protection Act (PDPA) assigns responsibilities to organizations, businesses, and individuals who collect, process, or store data. In doing so, this piece of Taiwan data privacy legislation ensures certain rights for individuals. The PDPA is comprehensive, leaving little ambiguity about what types of activity constitute data privacy violations in Taiwan.
The current text of the PDPA includes numerous amendments. As a living document, it has become more thorough and nuanced since it became effective in 2012. Resources explaining Taiwan’s data privacy law offer condensed looks at some of the critical points, such as the five inalienable rights of data privacy:
- The right to, upon making an inquiry, review one’s personal data
- The right to request a copy of one’s personal data (although there may be applicable fees for a physical copy)
- The right to request that one’s personal data be supplemented or corrected
- The right to demand the cessation of the collection, processing, or utilization of one’s personal information
- The right to erase or request deletion of one’s own personal information
These data privacy rights in Taiwan may not be waived or limited.
Responsibilities for Taiwan Data Privacy Rights
Data gatherers, processors, and holders must be incredibly diligent when distinguishing between personal vs. sensitive PDPA data. Organizations and individuals are especially responsible for safeguarding details of an individual’s life that might cause harm, embarrassment, exclusion, or other damage.
Information and Consent Under the PDPA
Under the PDPA, a data collector must give a privacy notice when the data is originally collected. This notice must include all of the following information:
- The data collector’s name
- The intended purpose of collecting the data
- The classification of all personal data collected
- Stipulations as to the data utilization:
  - Time period
  - Geographical area
  - Recipients of the data
  - Manner of utilization
- Acknowledgment of the five inalienable rights above
- The potential impact of the data subject’s decision not to provide personal data
If the privacy notice meets the notification requirements of the PDPA, and if the privacy notice does not require consent under the PDPA, notification is enough even without consent. If the collector also requires sensitive information, the data subject must provide consent.
The Personal Data Protection Commission (PDPC) declares that organizations that collect, use, or disclose personal data are accountable for all responsibilities outlined in the PDPA. There is no uncertainty about the gravity of the Taiwan data privacy regulation.
Any violation of an individual’s privacy rights, especially those five rights outlined above, may result in a penalty. The PDPA specifically calls out types of data such as the following, which are likely to harm individuals if subjected to a breach:
- Financial information not publicly disclosed
- Data that may identify vulnerable individuals
- Insurance information not publicly disclosed
- Medical information such as diagnosis of HIV
- Information related to adoption
- Private keys or passphrases
- Account identifiers
Those who wish to steer clear of Taiwan data privacy penalties must take appropriate steps to minimize and protect such information.
Fines under the PDPA may be significant. This incentivizes organizations to ensure every individual receives uninterrupted access to the benefits of the PDPA. A single penalty of up to 500,000 NTD, or 17,000 USD, may be imposed for each violation. The Personal Data Protection Committee has the authority to assess fines repeatedly until the violation is corrected.
There are additional penalties for violating the PDPA, as well. Criminal remedies may include fines of up to 1,000,000 NTD, or 35,700 USD, and five years of imprisonment. The responsible individual(s) within a non-public institution may be subject to the same administrative fines if deemed negligent. Finally, the wronged party may seek additional remedies and damages under the Civil Code.
To avoid such consequences, many organizations in Taiwan choose a partner for data privacy consulting.
The section above on data privacy violations in Taiwan only includes some of the information covered by the PDPA. To learn more about the scope of information protected, keep an eye out for the next piece in this series on Taiwan data privacy legislation. As a trusted eDiscovery partner in Asia, Sandline takes great care to keep our partners up to date with crucial aspects of the PDPA.
Our next piece on personal vs. sensitive PDPA data will cover the differences between personal information and sensitive information in great detail. It will be a crucial exploration of which rights and protections apply to both types of data and how the treatment of PII and sensitive information differs. The next piece will cover intent, adherence to scope, and consent. Until then, don’t hesitate to contact us to learn more about data privacy best practices in Taiwan.