Regulators, Enforcement Priorities and Penalties
Who are the main data privacy, non-personal data and/or cybersecurity regulator(s) in the jurisdiction?

Last review date: 31 December 2024

The Preparatory Office of the Personal Data Protection Commission is the main data privacy regulator.

The Ministry of Digital Affairs (MODA) of the Executive Yuan is the main non-personal data and cybersecurity regulator.

How active is each of the regulator(s)?

Last review date: 31 December 2024

Moderately active   

Both the data privacy regulators and the cybersecurity regulator are moderately active in general.

What are each of the regulator's anticipated enforcement priorities for the next 12 months?

Last review date: 31 December 2024

For the data privacy regulators, we expect that the financial authority will continue to be active. We also anticipate enforcement actions in the retail, healthcare/medical and telco sectors. The financial regulator amended the Regulations Governing Establishment of Internal Control Systems by Public Companies to require all listed companies in Taiwan to designate a chief information security officer. The requirement took effect in 2022 and applies in two phases based on company size. We anticipate that the regulator will treat this as an enforcement focus in the coming years.

For the cybersecurity regulator, the Administration for Cyber Security of the MODA will continue its ongoing monitoring of government agencies and the specific non-government agencies subject to the Cyber Security Management Act (CSMA). Additionally, it will research and analyze the cybersecurity threat landscape, with a particular focus on deterring cybersecurity incidents that could lead to or exacerbate fraud cases.

What trends are you seeing in regulatory investigations relating to data & cyber?

Last review date: 31 December 2024

Regulatory investigations or direct enforcement activity by data or cyber regulators are:

         Staying the same

Class actions/group actions under data or cyber regulation are:

         Staying the same


What are the potential penalties/remedies for non-compliance with the key data and cybersecurity laws in the jurisdiction?

Last review date: 31 December 2024

There are:

         administrative remedies / civil penalties applied by regulators and law enforcement

For a natural/legal person in breach of Article 6(1), 19 or 20(1) of the PDPA, or in breach of the restriction on international transmission, the central competent authority may impose an administrative penalty ranging from NTD 50,000 (approx. USD 1,644.69) to NTD 500,000 (approx. USD 16,446.86) and order rectification within a prescribed period.

For a natural/legal person in breach of Article 8, 9, 10, 11, 12, 13, 20(2) or 20(3) of the PDPA, the central competent authority may impose an administrative penalty ranging from NTD 20,000 (approx. USD 657.87) to NTD 200,000 (approx. USD 6,578.74) and order rectification within a prescribed period.

For a natural/legal person in breach of Article 27(1) of the PDPA, or that fails to establish a security and maintenance plan for the protection of personal data files or rules on disposing of personal data following a business termination, the central competent authority may impose an administrative penalty ranging from NTD 20,000 (approx. USD 657.87) to NTD 2,000,000 (approx. USD 65,787.43), or from NTD 150,000 (approx. USD 4,934.06) to NTD 15,000,000 (approx. USD 493,405.69) for a serious violation, and order rectification within a prescribed period. If the natural/legal person fails to rectify the violation in time, an administrative penalty of between NTD 150,000 (approx. USD 4,934.06) and NTD 15,000,000 (approx. USD 493,405.69) may be imposed for each occurrence of the violation.

         criminal penalties from regulators and law enforcement

When a person violates Article 6(1), 15, 16, 19 or 20(1) of the PDPA, or breaches the restriction on international transmission, with the intent to obtain an unlawful benefit or to harm another's interests, they may be sentenced to imprisonment of up to five years and/or a fine of up to NTD 1,000,000 (approx. USD 32,893.71).

When a person illegally alters or deletes a personal data file, or otherwise impedes its accuracy, thereby causing damage to others, with the intent to obtain an unlawful benefit or to harm another's interests, they may be sentenced to imprisonment of up to five years or short-term detention, and/or a fine of up to NTD 1,000,000 (approx. USD 32,893.71).

         private remedies

Any natural/legal person in breach of the PDPA is liable for damage suffered by a data subject as a result of the illegal collection, processing or use of personal data, unless it proves that it acted without intent or negligence.

If data subjects have private remedies, what form can these remedies take?

Last review date: 31 December 2024

         individual personal actions

         representative actions (e.g., brought by a consumer / data privacy body or the supervisory authority)

         class actions