November 2025
The Impact of the Personal Data Protection Act Amendments on the Private Sector (Taiwan)
The amendments to the Personal Data Protection Act (the “PDPA”) were passed by the Legislative Yuan on October 17, 2025, and promulgated by the President on November 11. The primary intent of these amendments is to align the PDPA with the forthcoming establishment of the Personal Data Protection Committee (the “PDPC”) and the enactment of its Organic Act, thereby granting the PDPC the necessary enforcement powers. The key impacts of the PDPA amendments on individuals and private-sector entities are summarized as follows:
1. Adjustment of the Competent Authority for Personal Data Protection:
In response to the Constitutional Court’s 111-Xian-Pan-Zi No. 13 Constitutional Decision (2022), which requires the establishment of an independent supervisory mechanism for personal data protection, the amendment to the PDPA in May 2023 designated the PDPC as the competent authority. However, considering the wide variety and sheer number of non-governmental agencies, the newly amended PDPA includes transitional provisions to gradually adjust supervisory responsibilities. Under these provisions, the PDPC will directly oversee non-governmental agencies that previously lacked a clearly designated central competent authority. For agencies already subject to a specific central competent authority, supervisory powers will be transferred to the PDPC in stages, ultimately achieving centralized supervision at the end of a six-year transitional period. (See PDPA Art. 51-1)
2. Obligation to Report Personal Data Incidents:
The amended PDPA imposes a reporting obligation on all non-governmental agencies that experience a personal data incident—such as theft, alteration, damage, destruction, or disclosure of personal data—meeting certain thresholds. Entities must report such incidents to the competent authority and take appropriate response measures. All incident notifications will be centrally handled by the PDPC. Failure to comply may result in an administrative fine of not less than NT$20,000 and not more than NT$200,000, along with an order to rectify within a specified period. Should the entity fail to make corrections within the prescribed period, fines may be imposed consecutively. (See PDPA Arts. 12 and 48)
3. Obligations Regarding the Security Maintenance of Personal Data Files:
The amended PDPA authorizes the PDPC to adopt a unified “Common Baseline Security Maintenance Regulation” applicable to all non-governmental agencies, in order to strengthen regulatory compliance and personal data security controls across the private sector. During the transitional period, however, central competent authorities may continue to require entities under their supervision to establish personal data file security maintenance plans or methods for handling personal data after business termination, and may impose stricter requirements or standards based on industry characteristics. Violations of security maintenance obligations may result in fines of up to NT$15,000,000. (See PDPA Arts. 20-1 and 48)
4. Enhanced Administrative Inspections:
Under the amended PDPA, where the competent authority identifies a likelihood of violation or deems an inspection necessary to assess an entity's compliance practices, it may conduct administrative inspections. Following the amendments, inspections may also be initiated in the absence of any suspected violation if the competent authority considers it necessary in order to understand the entity's implementation of its obligations or to exercise its supervisory powers. The PDPA further authorizes the PDPC to develop relevant regulations to establish and implement a differentiated inspection mechanism. (See PDPA Art. 22)
The effective date of these PDPA amendments will be separately designated by the Executive Yuan in coordination with the legislative timetable of the PDPC Organic Act. Our firm recommends that businesses across all sectors begin assessing the impact of these PDPA amendments on their operations and prepare corresponding compliance measures. We will continue to monitor the development of subordinate regulations and related legal updates following these amendments.


