Consequences of regulatory breach
6. What are the potential consequences for breaching financial services rules on cloud outsourcing?

Yes, the Personal Data Protection Act (PDPA) applies. Pursuant to Article 8 of the Enforcement Rules of the PDPA, a financial institution is obligated to supervise its cloud service provider(s). Among other things, the PDPA specifies certain requirements that must be met in a cloud services agreement (see the response to the question on specific contractual requirements for cloud outsourcing).

Additionally, Article 19 of the draft amendments to the Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation ("Draft Amendments") provides that financial institutions must ensure that both they and the regulator have the power to audit the cloud service providers, one of the drivers for this being the need to ensure data security. The Draft Amendments further require financial institutions to conduct regular inspections to verify the cloud service provider's performance and to document the findings of those inspections.

The European Union's General Data Protection Regulation (GDPR) imposes a more rigorous standard for data protection compliance than Taiwan's PDPA. Given the stricter scope and mandates of the GDPR, contractual terms, obligations and commitments structured to meet GDPR standards would effectively satisfy or exceed the requirements under Taiwan's PDPA.