Yes, consent is required, but the Personal Data Protection Act (PDPA) does not restrict the form of such consent. 

The PDPA also recognizes "presumed consent," according to paragraph 3, Article 7 of the PDPA, where a data subject does not object and provides their personal data after they have been informed of the relevant information specified in paragraph 1, Article 8 of the PDPA. Nonetheless, financial institutions are still expected to inform their clients and obtain express consent before transferring clients' data to their cloud service providers.

According to a ruling issued by the Taiwan Ministry of Justice, if a data subject revokes consent to transfer their data to a cloud service provider, the transfer of such data must cease.