Taiwan’s Personal Data Protection Act (PDPA) was enacted in 2010 and came into effect in 2012. The PDPA regulates the collection, processing, use, and international transfer of personal data. The law was modeled after the European Union’s General Data Protection Regulation (GDPR) and has similar requirements for organizations that process personal data.
Under the PDPA, personal data is defined as any information that can identify a specific individual, such as name, address, ID number, telephone number, and email address. The law applies to both public and private organizations that collect, process, or use personal data in Taiwan.
Some of the key requirements of the PDPA include:
- Consent: Organizations must obtain consent from individuals before collecting, processing, or using their personal data. The consent must be specific, informed, and freely given.
- Purpose: Organizations must clearly define the purpose for collecting and using personal data and limit the use of personal data to only the purposes for which it was collected.
- Data Retention: Organizations must establish a policy for retaining personal data and delete personal data when it is no longer necessary for the purpose for which it was collected.
- Security: Organizations must implement reasonable security measures to protect personal data against unauthorized access, alteration, or disclosure.
- Data Subject Rights: Individuals have the right to access, correct, and delete their personal data, as well as the right to withdraw their consent for the processing of their personal data.
- Data Transfer: Organizations must comply with the PDPA when transferring personal data outside of Taiwan.
Non-compliance with the PDPA can result in fines and other penalties. In addition to fines, organizations may also face legal action from individuals who have been harmed by a breach of their personal data.
In summary, Taiwan’s Personal Data Protection Act regulates the collection, processing, use, and international transfer of personal data. The law places an emphasis on obtaining consent, limiting the use of personal data to the purpose for which it was collected, data retention, security, and data subject rights. Organizations that process personal data in Taiwan must comply with the PDPA or face fines and legal action.