Contract requirements
3. Are there any specific contractual requirements for cloud outsourcing?

Yes, under the Personal Data Protection Act (PDPA) and the Enforcement Rules of the PDPA, a cloud service agreement should specify the following:

  • The planned scope, category, specific purpose and time period of the processing or use of the data
  • The measures to be taken by the cloud service provider to prevent the data from being stolen, altered, damaged, destroyed or disclosed
  • The third party, if any, further commissioned by the cloud service provider
  • The information that must be notified and the remedial measures that must be taken if the cloud service provider or its employees violate the PDPA or relevant laws and regulations
  • Any reserved matters for which the cloud service provider is required to obtain prior instructions
  • The return of any medium containing the data, and the deletion of any such data stored or possessed by the cloud service provider, upon termination of the cloud service agreement
  • That the cloud service provider may only collect, process or use the data within the scope of the instructions given to it

Pursuant to the draft amendments to the Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation, the agreement between a financial institution and a cloud service provider must contain the following terms:

  • Terms granting the financial institution and the Taiwanese regulators the authority to conduct audits and inspections of the cloud service provider
  • A term obliging the cloud service provider to assist the financial institution with any system migration requirements, and making it liable for any interruptions in cloud services during the migration process