The President announced the partial amendments to the Personal Data Protection Act (“Act”) on November 11, 2025. The revision mainly adjusts the establishment and powers of the Personal Data Protection Commission (“PDPC”) and strengthens personal data management and supervision mechanisms in both the public and private sectors. The effective date will be announced by the Executive Yuan. We summarize the amendments below:
1. Competent Authority: The competent authority under the Act is the PDPC. (Article 1-1)
2. Obligation to Notify Personal Data Incidents: If government or non-government agencies are aware that personal data they hold has been stolen, altered, damaged, lost, or disclosed, they shall notify the data subject; if the case falls within a certain reporting scope, they shall also notify the PDPC. In addition, they shall take immediate and effective remedial measures to prevent further escalation of the incident and retain relevant records for inspection. (Article 12)
3. Government Agencies
(1) Appointment of Data Protection Officer: Government agencies shall appoint a Data Protection Officer (“DPO”). The agency head shall designate the DPO and allocate adequate personnel and resources. Agencies shall not impose adverse actions or management measures on staff for performing their data protection duties in accordance with the law. (Article 18)
(2) Administrative Supervision:
(i) Government agencies shall annually report the implementation of personal data protection management, and supervise and audit the personal data management of subordinate or supervised agencies. Agencies with deficiencies shall submit improvement reports, which shall be reviewed by the auditing agency and submitted to the PDPC along with the audit results. Agencies may be required to provide explanations or make adjustments when necessary. (Article 21-1)
(ii) The PDPC may conduct regular or ad hoc audits of government agencies’ implementation of personal data protection management. Agencies with deficiencies shall submit improvement reports, which shall be reviewed by the responsible authority and then submitted to the PDPC. Agencies may be required to provide explanations or make adjustments when necessary. (Article 21-2)
(iii) If a government agency may be in violation of the Act, the PDPC may request the agency to provide explanations, conduct on-site investigations, order the agency to make corrections within a specified period of time, and publish the name of the violating agency and the details of its violations. (Articles 21-3 to 21-4)
4. Non-Government Agencies
(1) Security and Maintenance Measures: Non-government agencies which hold personal data files shall implement security and maintenance measures to prevent personal data from being stolen, altered, damaged, lost, or disclosed. (Article 20-1)
(2) Administrative Inspections: When the PDPC believes a non-government agency may be in violation of the Act or needs to review its compliance, it may conduct inspections according to the Act, including notifying the agency or relevant personnel to provide statements, necessary documents, data, items, or cooperation, or entering the premises alone or with other relevant authorities. Non-government agencies may also be required to provide explanations, assistance, or supporting evidence. (Article 22)
(3) Penalties: Non-government agencies that fail to implement the required contingency measures or retain records may be fined between NT$20,000 and NT$200,000 and ordered to correct within a specified period; if they fail to correct, they may be fined on a per-incident basis. Those failing to notify a personal data incident as required may first be ordered to correct, and if they fail to do so, may be fined on a per-incident basis. Those failing to carry out required security and maintenance measures may be fined between NT$20,000 and NT$2,000,000 and ordered to correct; if they fail to correct, they may also be fined on a per-incident basis. (Article 48)
(4) Transitional Provisions: Within six (6) years after the PDPC’s establishment, the PDPC will report to the Executive Yuan and announce that certain non-government agencies will remain under the supervision of their central competent authorities or local governments. The PDPC shall also consult with relevant authorities every two (2) years and submit proposals to the Executive Yuan to adjust and reduce the scope. (Article 51-1)
5. Remedies: For any person subject to the administrative sanctions imposed by the PDPC under this Act, the administrative litigation procedure will apply. During the transitional period, non-government agencies under the supervision of central competent authorities or local governments shall first file an administrative appeal if they are dissatisfied with an administrative sanction under this Act. (Article 53-1)
Stacy Lo / Alva Wu
