Major Personal Data Incidents of Online Retail Businesses and Platforms in Taiwan Shall Be Reported to the Competent Authority in 72 Hours

February 2022

Teresa Huang and Hannah Kuo

On December 30, 2021, the Ministry of Economic Affairs amended the Regulations Governing Personal Information File Security Maintenance Plan and Processing Method After Termination of Business for the Online Retailing and Online Retailing Service Platform (hereinafter, the “Regulations”) by adding provisions on the reporting of major personal data incidents and international transmissions related to online retail businesses and online retail service platforms (hereinafter, the “Online Retail Businesses and Platforms”).

In the event of a major personal data incident involving theft, alteration, damage, loss, or leakage of personal data in the Online Retail Businesses and Platforms that jeopardizes the normal operation of the businesses or the rights and interests of a large number of data subjects, the competent authority of the municipality, city or county government where the head office of the business is located shall be notified by e-mail, with a copy to the Ministry of Economic Affairs, within 72 hours of discovery of the incident, using the Notification and Record Form of Personal Data Violation Incidents attached to the Regulations. In addition, the process, results, and review of the overall investigation and sanction shall be submitted in a timely manner, as the matter develops, to the competent authority of the municipality, city or county government where the head office of the business is located, with a copy delivered to the Ministry of Economic Affairs.

The Regulations also provide that if the Online Retail Businesses and Platforms seek to transmit consumers’ personal data internationally, they should first examine whether the receiving area of the transmission is restricted by the Ministry of Economic Affairs; inform consumers in advance of the area to which their personal data are to be transmitted; monitor the recipients of the international transmission, including the intended scope, type, specific purpose, period, area, recipients, and manner of processing or use of the personal data; and ensure that consumers can exercise their rights in accordance with Article 3 of the Personal Data Protection Act (hereinafter, the “PDPA”).

The Regulations are applicable to companies limited by shares that engage in the online retail business or online retail service platform business with a registered capital of NT$10 million or more, and to companies or firms designated by the Ministry of Economic Affairs. If an entity violates the Regulations, the competent authority can impose a fine in accordance with the PDPA, prohibit the collection, processing, or use of personal data by the entity, order the deletion, confiscation, and destruction of wrongfully collected personal data, and announce the name of the entity and its responsible persons.