Background
The main drive for the Amendment is to comply with the Constitutional Court’s ruling issued on 12 August 2022 (111年度憲判字第13號健保資料庫案判決), which mandates the establishment of an independent supervisory mechanism for personal data protection within three years.
The PDPA was amended in May 2023 to add Article 1-1 (not yet effective), which provides that the competent authority under the PDPA will be the Personal Data Protection Commission (PDPC), the first dedicated authority for personal data protection. The Preparatory Office of the PDPC was established on 5 December 2023. The PDPC will be officially established after the Organizational Act of the PDPC (which was proposed together with the Amendment) is passed by the Legislative Yuan.
The Amendment also includes the following key changes.
Key points of the Amendment
Government agencies are now required to appoint a data protection officer (DPO) (Article 18)
Although the first draft of the Amendment proposed that the PDPC may designate certain non-government agencies to appoint a DPO and personal data protection audit personnel, the final Amendment does not include this requirement, so only government agencies are required to do so.
Data breach notification/report (Article 12)
- Under the current PDPA, if there is a data breach, the non-government agency only needs to notify the data subjects. Under the Amendment, the non-government agency may also need to report the breach to the PDPC. The threshold, timeline and other requirements for the report will be determined by the PDPC in regulations.
- The Amendment requires the non-government agency to keep documentation of the data incident for inspection by the PDPC. The record retention period will be determined by the PDPC in regulations.
- Violation of the new requirements above will be subject to an administrative fine ranging from NTD 20,000 (USD 625) to NTD 200,000 (USD 6,250), which may be imposed consecutively if the non-government agency fails to rectify the violation within the specified period of time (new Paragraph 2, Article 48).
- The PDPC may delegate the acceptance and onward notification of the report to other agencies, administrative organizations, or public interest groups (Paragraph 1, Article 52).
Administrative inspection
- The first draft of the Amendment proposed that the PDPC may select the industries and non-government agencies with a higher risk of personal data infringement and prioritize administrative inspection of them (Article 27). The final Amendment does not include this proposal.
- That said, even if there is no indication of a violation, under the Amendment the PDPC may still conduct proactive administrative inspections to review non-government agencies' compliance with the PDPA. The PDPC will promulgate regulations on matters regarding proactive inspection (new Paragraph 2, Article 22).
- Non-government agencies cannot refuse an inspection unless there are "justifiable reasons" (Paragraph 4, Article 22).
6-year transition period (Article 51-1)
- The PDPC will request the Executive Yuan to announce which non-government agencies (likely those that already have specific competent authorities) will continue to be regulated by the current central competent authorities or local governments for up to six years after the PDPC is established.
- Every two years, the PDPC will consult with the competent authorities in charge of the industries concerned, report to the Executive Yuan, and request that it reduce the scope of the non-government industries that remain supervised by those competent authorities.
- However, once the Amendment is in effect, the power under Article 21 of the PDPA to restrict cross-border data transfers will be transferred from the competent authorities in charge of the industries concerned to the PDPC.
The PDPC will promulgate Regulations for Security and Maintenance of Personal Information Files (Articles 20-1 and 51-1)
Under the Amendment, the PDPC will promulgate baseline Regulations for Security and Maintenance of Personal Information Files for non-government agencies (Article 20-1). During the transition period, the corresponding Regulations for Security and Maintenance of Personal Information Files promulgated by the competent authorities shall be based on the PDPC's baseline version but may be stricter (Paragraphs 3 and 4, Article 51-1).
Administrative appeal (Article 53-1)
As the PDPC is an independent authority, the appeal against the rulings of the PDPC shall be filed with the Administrative Court directly.
However, during the transition period, the appeal against the rulings of the central competent authorities or local governments shall be filed with the PDPC.
Impact
The Amendment follows the Constitutional Court's ruling to establish an independent supervisory mechanism for personal data protection. Given the new regulatory requirements, companies are advised to assess whether there is any gap between the Amendment and their current data protection practices, in particular their data breach response plan. If so, companies should immediately adjust their current policies and operations to comply with these requirements. If you have any questions, please feel free to contact us.