Data Protection in Taiwan

Breach notification in Taiwan

Upon a data breach (a term not defined under the PDPA; from a Taiwan law perspective, it would mean any situation where a data subject’s personal data is accessed, taken, revealed, leaked, changed or otherwise infringed on by an unauthorized person or entity, or in an unauthorized manner), the data collector is required to promptly notify the data subject of:

  • the fact of the infringement;
  • the measures the data collector has taken to respond to such infringement; and
  • the contact information of the data collector.

No threshold has been provided for when such notice has to be given to the affected data subjects. It is understood that so long as personal data is stolen, disclosed, altered or otherwise infringed on, such notice has to be promptly given.

The notice may be made orally, by written document, telephone, text message, email, facsimile, electronic record, or in any other manner by which the data subject can receive the notice. If the cost of notifying each data subject individually is “too high”, the notice may instead be made via the internet or news media.

In addition, data collectors in certain industries (e.g. travel agents, financial institutions) are required to report to their respective industry regulator and, where such a report is required, it needs to include:

  • the fact that personal data may have been compromised;
  • the measures the data collector has taken to respond to such compromise (including evidence that the data collector has notified the affected individuals);
  • the investigation by the data collector (or any outside forensic firm) as to how the data breach occurred;
  • the preventive measure(s) the data collector will take to prevent recurrence of data breach in the future; and
  • any other information that the industry regulator may require on a case-by-case basis.

Also, between 2021 and 2023, steps were taken by the Taiwan authorities to expand the material data breach reporting obligations of, inter alia, security service providers, pawnshops, travel agents and financial institutions by (i) requiring such enterprises to report material data breaches to the relevant industry competent authority within a specified period (e.g. 72 hours) and/or (ii) requiring such competent authorities to further report the breach to the NDC within 72 hours of becoming aware of it. These steps are now being implemented or will shortly become effective. The term “material data breach”, subject to the relevant regulations, in general means a situation where personal data is stolen, altered, damaged, destroyed or disclosed, and this endangers the normal business of the data collector or the rights and interests of a large number of data subjects (“large” has not been defined).
