Formosa Transnational Attorneys at Law
The former Computer Processed Personal Data Protection Law (“CPPL”) was renamed as the Personal Data Protection Law (“PDPL”) and amended on 26 May 2010. The PDPL became effective on 1 October 2012, except that the provisions relating to sensitive personal data and the notification obligation for personal data indirectly collected before the effectiveness of the PDPL remain ineffective. The government has proposed further amendment to these provisions, which is pending legislative review. The information hereunder is based upon the effective PDPL only.
Definition of Personal Data
According to PDPL, personal data means the name, date of birth, I.D. Card number, passport number, characteristics, fingerprints, marital status, family, education, occupation, medical record, medical treatment, genetic information, sexual life, health checks, criminal records, contact information, financial conditions, social activities and other information which may directly or indirectly be used to identify a living natural person.
Definition of Sensitive Personal Data
According to PDPL, sensitive personal data means the personal data relating to medical treatments, genetic information, sex life, health checks and criminal records. As mentioned above, the provisions relating to sensitive personal data remain ineffective. At the moment, sensitive personal data will be treated like other data.
National Data Protection Authority
In Taiwan, there is no single national data protection authority. The various ministries and city/county governments serve as the competent authorities.
Unlike the CPPL, there is no need to register with any authorities for the collection, processing, usage and international transfer of personal data under the PDPL
Data Protection Officers
There is no requirement in Taiwan for the data controller to appoint a data protection officer. However, if the data controller is a government agency, a specific person should be appointed to be in charge of the security maintenance measures.
Collection and Processing
Under the PDPL, the data controller should not collect or process personal data unless there is specific pur pose and should comply with one of the following conditions:
- where collection/processing is explicitly stipulated by law;
- where there is a contract or quasi contract between the data controller and the data subject;
- where the data subject has his/herself disclosed such data or where the data has been publicised legally;
- where it is necessary for public interest on statistics or the purpose of academic research conducted by a research institution. The data may not lead to the identification of a certain person after the treatment of the provider or by the disclosure of the collector;
- where written consent has been given by the data subject;
- where the public interest is involved; or
- where the personal data is obtained from publicly available sources, except that where the is vital interest of the data subject requires more protection and the prohibition of the processing or usage of such personal information.
- Furthermore, except for the exemptions stipulated in the PDPL (e.g. if it is explicitly stipulated by law that the provision of such information is not required), the data controller is permitted to collect and process personal data only if the data controller unambiguously informs the data subject of the following information prior to or upon the collection:
- data controller’s name;
- purpose for collecting personal data;
- categories of personal data;
- period, area, recipients and means of using the data;
- the data subject’s rights and the methods by which the data subject may exercise those rights in accordance with the PDPL; and
- that the data subject has the right to choose whether or not to provide the data and the consequences of not providing the data.
- The information collected should in principle only be used for the pur pose notified and not for any other pur pose.
The central competent authority may restrict the international transfer of personal data by the data controller which is not a government agency if:
- it involves major national interests
- where a national treaty or agreement specifies otherwise;
- where the country receiving personal data lacks proper regulations that protect personal data and that might harm the rights and interests of the data subject;
- where the international transfer of personal data is made to a third country through an indirect method in order to evade the provisions of the PDPL.
Data controllers which are non-government agencies should adopt proper security measures to prevent personal data from being stolen, altered, damaged, destroyed or disclosed.
The central competent authority may request the data controller to set up a plan for the security measures of the personal data file or the disposal measures for the personal data after termination of business.
Where the personal data is stolen, disclosed, altered or infringed in other ways due to the violation of the PDPL, the data controller should notify the data subject.
Under the PDPL, the competent authority may perform an inspection, if it is necessary for the protection of personal data, of the disposal measures after termination of business, the limitation of international transfer, other routine examinations, or if the PDPL may be violated. Those who perform the inspection may ask the data controller to provide a necessary explanation, take cooperative measures, or provide relevant evidence.
When the competent authority conducts such an inspection, it may seize or duplicate the personal data and files may be confiscated or may be used as evidence. The owner, holder or keeper of that data or those files should surrender them upon request.
In addition, a breach of the PDPL may be subject to criminal sanctions, administrative fines, and civil compensation (class action is permitted).
The PDPL applies to electronic marketing in the same way as to other marketing. Within the necessary scope of specific purposes of data collection, the data controller may use personal data for marketing. However, when the data subject refuses the marketing (a right to “opt-out”), the data controller should cease using such personal data for marketing. In addition, when making the first marketing, the data controller should bear the costs to provide the data subject with the means to refuse marketing.
Online Privacy (including cookies and Location Data)
There is no special law or regulation applicable to online privacy. The PDPL applies to online and physical world in the same manner. As a result, online unique issues are not specifically addressed