Newsletter
The Preparatory Office of the Personal Data Protection Commission Announces Draft Amendments to Certain Provisions of the Personal Data Protection Act
The Preparatory Office of the Personal Data Protection Commission Announces Draft Amendments to Certain Provisions of the Personal Data Protection Act
Ken-Ying Tseng/Roger Kai
According to Constitutional Court's Judgment No. 111-Hsien-Pan-13 (2022), an independent supervisory mechanism for personal data protection in Taiwan must be established by August 2025. In response, the executive branch of the Taiwanese government is actively preparing for the establishment of the Personal Data Protection Commission (hereinafter referred to as the "PDPC"). On December 20, 2024, the preparatory office of the PDPC announced a draft amendment to the Personal Data Protection Act (hereinafter referred to as the "PDPA") for a public consultation period of 21 days to solicit opinions and comments.
The main focus of the draft amendment is to address issues related to the impending establishment of the PDPC in 2025. The draft outlines how the PDPC, as the competent authority in charge of the PDPA, will supervise other government agencies and coordinate with each sectoral regulator at both the central and local levels in regulating the private sector. Furthermore, the draft proposes revisions impacting the private sector, including:
1. Filing of Personal Data Incidents to Competent Authorities and Notification to Affected Data Subjects
The current PDPA lacks provisions requiring the filing of personal data incidents to the competent authority. The draft amendment fills this gap by mandating that incidents be reported to the competent authority in cases where the data breach poses a "potential significant risk of harm to the rights and interests of the data subjects." Violations will be subject to penalties. Additionally, the draft specifies that affected data subjects must also be notified under the same "potential significant risk of harm" criteria.
2. Introduction of Data Protection Officers and Auditors
The draft amendment requires government agencies and designated private businesses to appoint a Data Protection Officer to manage personal data protection matters. These agencies or entities must also assign personnel to serve as Data Protection Auditors, responsible for planning and implementing data protection audits.
3. Prioritizing High-Risk Industries for Administrative Inspections
The draft amendment authorizes the competent authority, after consultation with other relevant authorities, to prioritize industries with higher risks of personal data breaches for administrative inspections. It also introduces minor adjustments to the procedures for conducting these inspections.
The draft includes detailed provisions on these matters. Our firm's "Digital, TMT, and Data Privacy Practice Group" has extensive experience assisting companies in handling personal data protection issues. Should you require any assistance, please do not hesitate to contact our team of experts.