Introduction of the Regulations Regarding the Security Maintenance and Administration of Personal Data Files in Digital Economy Industry (Taiwan)

December 2023

Oli Wong and Astrid Chou

The Ministry of Digital Affairs (hereinafter, the “MODA”) promulgated the Regulations Regarding the Security Maintenance and Administration of Personal Data Files in Digital Economy Industry (hereinafter, the “Regulations”)[1] on October 12, 2023 pursuant to the authorization under Article 27, Paragraph 3 of the Personal Data Protection Act. The Regulations came into effect on the day of their promulgation. The highlights of the Regulations are as follows:

I. Regulatory targets

Businesses required by law to formulate the Security Maintenance Plan for Personal Data Files and the Method for Processing Personal Data After Termination of Business (hereinafter, the “Security Maintenance Plan”) include natural persons, private legal persons, and other organizations in the following industries (Article 2 of the Regulations):

1. The retail industry engaged in the online sale of goods (not including other electronic media such as television, radio, telephone, etc., and mail order).

2. The software publishing industry.

3. The computer programming, consulting, and related service industries.

4. Industries engaged in data processing on behalf of clients, server and website hosting, and related services (not including online audiovisual streaming services).

5. The third-party payment service industry (not including other financial auxiliary industries).

6. Other information service industries.

II. Content of regulation

1. Based on their business scale and characteristics, businesses are required to designate management personnel responsible for formulating and amending personal data protection management policies and the Security Maintenance Plans and for implementing the Security Maintenance Plans. The personal data protection management policies should be disclosed internally to ensure that relevant personnel clearly understand them (Articles 4 and 5 of the Regulations).

2. Businesses are required to periodically review the current status of the collection, processing, or utilization of personal data to define the scope of their Security Maintenance Plans. They should also regularly assess potential risks and adopt appropriate security measures based on the risk assessment results (Articles 6 and 7 of the Regulations).

3. A business should establish contingency, reporting, and prevention mechanisms for personal data security incidents. In case of a personal data security incident that may jeopardize the normal operations of the business or the rights or interests of a large number of individuals, the business should, within 72 hours, report to the MODA using the prescribed form, or report to the government of the special municipality under the direct jurisdiction of the Executive Yuan or of the county (city), with a copy to the MODA (Article 8 of the Regulations).

4. A business is required to establish internal management procedures for the collection, processing, and utilization of personal data to ensure compliance with the provisions of the Personal Data Protection Act (Article 9 of the Regulations).

5. When transferring personal data internationally, businesses should comply with legal restrictions, inform the data subjects of the region to which the data will be transferred, and exercise appropriate supervision over data recipients (including those that are entrusted or sub-entrusted) (Article 10 of the Regulations).

6. Businesses should implement various data security measures, including data security management, personnel management, awareness promotion, education and training, equipment security, etc. (Articles 11-14 of the Regulations).

7. Businesses should continuously inspect and improve the implementation of their Security Maintenance Plans, including establishing a personal data security audit mechanism, retaining records and trail data for at least five years, preserving evidence for at least five years, and establishing an overall continuous improvement mechanism for their Security Maintenance Plans (Articles 15-17 of the Regulations).

8. Businesses with a capital of over NT$10 million or possessing more than 5,000 personal data records should implement and review certain security measures at least once every 12 months (Article 18 of the Regulations).

III. Penalties

If a regulated business fails to formulate the above-mentioned Security Maintenance Plan or to adopt appropriate security measures in accordance with the Regulations by January 12, 2024, the MODA may impose a fine of NT$20,000 to NT$2 million under Article 48 of the Personal Data Protection Act. A fine of NT$150,000 to NT$15 million may be imposed for serious violations. Relevant businesses are advised to take note.


[1] Meanwhile, the Regulations Governing Personal Data File Security Maintenance Plans and Processing Methods After Termination of Business for Online Retail Industry and Online Retailing Service Platform were repealed on November 21 of this year to avoid issues concerning the overlapping application of the two sets of regulations.
