April 2026
The Taiwan Preparatory Office of the Personal Data Protection Commission Announced Draft Amendments to the Enforcement Rules of the Personal Data Protection Act and Related Subordinate Regulations
Following the amendment and promulgation of the Personal Data Protection Act (the "Amended PDPA") on November 11, 2025, the Preparatory Office of the Personal Data Protection Commission ("PDPC") announced a series of draft regulations in January 2026. These include the Draft Amendment to the Enforcement Rules of the PDPA and various subordinate regulations authorized under the Amended PDPA. The suite of drafts includes the "Regulations on Personal Data Breach Notification and Emergency Response," the "Regulations on Personal Data File Security Maintenance," the "Regulations on Qualifications and Training for Personal Data Protection Officer," and the "Regulations on Administrative Inspections of Non-Government Agencies," among others. These initiatives aim to transition Taiwan’s data protection oversight from a decentralized model toward a centralized regulatory framework, establishing common compliance standards for both government agencies and non-government agencies.
This article summarizes the key highlights of the draft regulations affecting non-government agencies as follows:
I. Draft Amendment to the Enforcement Rules of the PDPA
In this amendment, provisions regarding data security maintenance and breach notifications have been removed from the Enforcement Rules to be consolidated into specialized subordinate regulations. Furthermore, to align with the Judgement No. 111-Hsien-Pan-13 of the Taiwan Constitutional Court, the Draft Amendment to Article 17 clarifies the definition of the requirement that data "may not lead to the identification of a specific data subject" for statistical or academic research purposes (under Article 6, Paragraph 1, Proviso 4; Article 19, Paragraph 1, Item 4; and Article 20, Paragraph 1, Proviso 5 of the PDPA). The draft stipulates that this condition is met if, using currently available technology, the data is presented in a manner that achieves at least "no direct identification" of a specific natural person, even if indirect identification remains possible.
II. Draft Regulations on Personal Data File Security Maintenance
Article 20-1 of the Amended PDPA requires non-government agencies possessing personal data files to implement security measures to prevent theft, alteration, damage, loss, or leakage, authorizing the PDPC to set a universal standard. The announced draft introduces a tiered management mechanism. Beyond general security measures, the draft defines "Large-scale Non-government Agencies"—enterprises of a certain economic scale holding over 10,000 personal data records—which must adhere to enhanced security protocols. These include establishing a dedicated security maintenance plan, appointing specialized personnel and audit teams, and conducting regular risk assessments, breach drills, audits, and continuous improvement mechanisms (see Articles 3, 16–26 of the Draft).
III. Draft Regulations on Personal Data Breach Notification and Emergency Response
Pursuant to Article 12 of the Amended PDPA, non-government agencies are obligated to notify data subjects and report to the competent authority upon discovery of a data breach. Key points of this draft include:
1. Duty and Timeline for Notifying Data Subjects: Non-government agencies must notify affected individuals within 72 hours of discovery. Under specific circumstances, and considering technical feasibility and privacy protection, notification may be made via the internet or news media for at least 30 consecutive days (Article 2 of the Draft).
2. Duty and Timeline for Reporting to Authorities: If a breach involves sensitive data, or if the affected system contains over 10,000 records, or if the breach impacts 100 or more records, the agency must report to the competent authority within 72 hours of discovery (Article 3 of the Draft).
3. Emergency Response Measures: Agencies must take immediate action, including investigating leakage paths, revoking access permissions, and requesting search engines to remove exposed data (Article 4 of the Draft). The draft also mandates record-keeping of investigations (Article 6 of the Draft) and supervision of outsourced processors (Article 5 of the Draft).
IV. Draft List of Non-Government Agencies under the Jurisdiction of Central Competent Authorities or Local Governments
According to Article 51-1 of the Amended PDPA, during a six-year transition period following the establishment of the PDPC, administrative inspections and sanctions for non-government agencies will remain the responsibility of the relevant Central Competent Authorities or local governments. The draft lists 388 categories of non-government agencies and their respective authorities. Any agency not included in this list will fall directly under the oversight of the PDPC.
V. Draft Regulations on Administrative Inspections of Non-Government Agencies
Under Article 22 of the Amended PDPA, authorities may conduct inspections if there is a suspected violation or a need to verify compliance. This draft outlines the procedures for the PDPC's inspections. The PDPC will set annual inspection plans based on risk levels and notify the target entity in writing one month in advance (Articles 2, 3, 6 of the Draft). Inspection powers include seizing or copying data files, involving professional experts in the inspection, and publishing the results (Article 8 of the Draft). During the six-year transition, central competent authorities and local governments shall also follow these planning and assessment standards (Article 7 of the Draft).