Data Protection in Taiwan

Enforcement in Taiwan

In addition to civil damages, violations of the PDPA, depending on the specific violation, are also subject to administrative sanctions and criminal sanctions and, in some cases, imprisonment.

Civil damages 

If a data collector intentionally or negligently violates any provision of the PDPA and such violation causes illegal collection, processing or use of personal data or other infringement to a data subject, the data collector is liable to compensate the data subject for the damages suffered. Compensation may be both monetary and in the form of corrective measures (e.g. to rectify damage to the data subject’s reputation).

Where the victims may not have access to or cannot provide evidence for the amount of actual damage, the minimum amount is NT$ 500 (approx. US$ 18 as at December 10, 2021) and the maximum is NT$ 20,000 (approx. US$ 690 as at December 10, 2021) per violation / per injured party depending on the severity of the infringement. In the case of class actions, the aggregate total compensation to the class as a whole is limited to NT$ 200,000,000 (approx. US$ 6,900,000 as at December 10, 2021). However, one should not necessarily rely on these limits because the maxima do not apply if it can be proven that a higher amount is appropriate. Furthermore, the limits may be circumvented by resorting to general causes of action in tort over and above the specific statutory cause of action created by the PDPA.

Administrative sanctions 

A regulatory body may impose administrative fines on a data collector in violation of the PDPA ranging from NT$ 20,000 (approx. US$ 690 as at December 10, 2021) to NT$ 500,000 (approx. US$ 17,300 as at December 10, 2021) per violation. These administrative fines may be imposed repeatedly until the violation is cured. The May 31, 2023 amendment of the PDPA increases the administrative sanctions on a data collector for its violation of data security obligations to up to NT$15,000,000 (approx. US$ 483,900 as at December 18, 2023), and such increase came into effect on June 2, 2023.

Also, the representative, managers or other persons having authority of the data collector which violates the PDPA are subject to the same administrative fines as the data collector itself, unless it is proven that the relevant representative, manager or other person having authority had properly performed his / her duties. There is no definition of representative, manager or other person having authority but generally such terms are understood to refer to the chairman and the general manager of the company.

Criminal sanctions

A person who, with the intention to gain “benefit” for themself or a third party or to “harm” the interests of others, violates certain requirements as set out in the PDPA or conducts a prohibited cross-border transfer of personal data may be punished by up to five years’ imprisonment and / or fines of up to NT$ 1,000,000 (approx. US$ 35,000 as at December 10, 2021). In addition, the acquisition, dissemination, alteration, compromise of the accuracy of, or deletion of personal data with the intent to gain “benefit”  for themself or a third party or to “harm” the interests of others, in circumstances which is sufficient to cause damage to others, may also be punished by imprisonment for up to five years and / or fines of up to NT$ 1,000,000 (approx. US$ 35,000 as at December 10, 2021).

Continue reading

  • no results

Previous topic
Back to top