Cloud Computing 2025

Last Updated October 07, 2025

Taiwan

Law and Practice

Authors



Lee and Li Attorneys-at-Law was founded over 50 years ago and is Taiwan’s largest law firm, serving the Greater China region through collaborations with Mainland Chinese firms. With offices in Taipei, Hsinchu, Taichung and southern Taiwan, and with alliances in Shanghai and Beijing, the firm employs around 870 staff, including over 200 Taiwan-qualified lawyers, 50 foreign lawyers, patent agents, technology experts and accountants. Lee and Li offers comprehensive legal services across 29 practice groups, specialising in intellectual property, banking, capital markets, technology law, public construction, government procurement and M&A. The firm has played a key role in Taiwan’s economic development, supporting foreign investment and legislative initiatives. Serving over 60,000 corporate clients globally, Lee and Li’s success stems from its extensive resources, global network and active involvement in advising government agencies on public policy, ensuring that clients receive expert legal support aligned with evolving industry trends and business needs.

Data Privacy Regulations in Taiwan

At present, Taiwan does not have specific legislation that directly governs data protection in the context of cloud computing. Nonetheless, the processing of personal data within a cloud environment is subject to the provisions of the Personal Data Protection Act (PDPA) and its Enforcement Rules (the “Enforcement Rules”). Where a cloud service provider collects personal data within Taiwan, such activities are regulated by the PDPA and its Enforcement Rules, pursuant to the principle of territoriality.

Definition of Personal Data and Sensitive Data

The PDPA defines “personal data” as any information that can directly or indirectly identify an individual. This includes, but is not limited to:

  • name;
  • date of birth;
  • national identification number;
  • passport number;
  • physical characteristics;
  • fingerprints;
  • marital status;
  • family relationships;
  • education;
  • occupation;
  • medical records;
  • medical history;
  • genetic information;
  • sexual history;
  • health examination results;
  • criminal records;
  • contact information;
  • financial status; and
  • social activities.

Within this broad category, certain types of personal data – particularly medical records, medical history, genetic information, sexual history, health examination results and criminal records – are recognised as possessing heightened sensitivity compared to general personal data. The unauthorised collection, processing or use of such data may result in significant harm to the data subject or provoke widespread protest. Consequently, personal data within these categories is subject to more stringent regulatory requirements and is classified as “special personal data” (commonly referred to as “sensitive personal data”). Except where expressly authorised by law, the collection, processing or use of special personal data by any entity is generally prohibited.

Specific Requirements for Processing Personal Data in the Cloud

The processing of personal data in cloud environments must also comply with the PDPA, its Enforcement Rules and other applicable regulations. It is important to note that competent authorities overseeing specific regulated sectors – such as the financial industry and medical institutions – have promulgated specific regulations governing the transmission and storage of customer and medical record data by cloud service providers.

Financial institutions

Pursuant to the Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation, and the Directions for Operation Outsourcing by Insurance Enterprises, financial institutions – including banks, credit co-operatives, bill finance companies, credit card issuers and insurance companies – are required to implement effective protective measures when transmitting or storing customer data with cloud service providers. Such measures include encryption or encoding of data and the establishment of robust encryption key management protocols. Such institutions must retain full ownership of the entrusted data.

Furthermore, financial institutions and insurance companies must maintain the right to designate the geographic location of data processing and storage. The data protection standards of any overseas storage location must at least meet the requirements set forth in the PDPA. As a general rule, customer data related to significant consumer finance operations or individual customer information systems must be stored within Taiwan. If data is stored abroad, prior approval from the competent authority (ie, the Financial Supervisory Commission) is required, and critical customer data must be retained and backed up within Taiwan.

Medical institutions

Medical institutions that collect or process medical records or that utilise electronic medical record information systems and databases, and that employ cloud services or delegate such services to third parties, must comply with the Regulations Governing the Preparation and Management of Electronic Medical Records by Healthcare Institutions. Such institutions are further obligated to:

  • implement appropriate risk control measures;
  • ensure continuity of medical services; and
  • supervise cloud service providers, either directly or through entrusted professional entities.

Additionally, medical institutions must establish mechanisms to retrieve data upon termination or cessation of cloud services. Data storage in cloud environments must be located within Taiwan; however, in exceptional circumstances – such as those involving international collaboration – storage outside Taiwan may be permitted subject to approval by the Ministry of Health and Welfare.

Specific Obligations for Data Controllers and Processors in the Cloud Environment

Where a cloud service provides infrastructure, hardware, operating systems or development platforms, it is generally the “user” of such services that collects, processes or utilises personal data and that determines the purposes and methods of such use. In such circumstances, the “user” of the cloud service is typically regarded under the PDPA as the data controller, while the cloud service provider functions at most as an entrusted party (ie, a data processor).

Nonetheless, pursuant to Article 4 of the PDPA, even where the cloud service provider acts as an entrusted party, it is deemed to be the entrusting agency (ie, the data controller) and therefore remains subject to the same obligations. Such obligations include, but are not limited to:

  • obtaining the data subject’s consent prior to the collection of personal data;
  • providing clear and transparent notice to the data subject regarding the purposes and scope of data collection and processing (the duty to inform); and
  • implementing appropriate security measures to prevent unauthorised access, alteration, disclosure or destruction of personal data.

Furthermore, in the event of a data breach or other infringement, the cloud service provider is obligated to notify the affected data subjects (this is referred to as the notification obligation). Concurrently, as the entrusting party responsible for the collection, processing or use of personal data, the “user” of the cloud service bears a duty to supervise the cloud service provider to ensure compliance with the PDPA.

General Principles

Taiwan generally permits the cross-border transmission of personal data. However, pursuant to Article 21 of the PDPA, the central competent authority overseeing the relevant industry may impose restrictions on the international transfer of personal data by non-public entities under the following circumstances:

  • when significant national interests are at stake;
  • when international treaties or agreements contain specific provisions governing such transfer;
  • when the recipient country or territory lacks adequate personal data protection regulations, thereby potentially harming the rights and interests of data subjects; or
  • when personal data is routed through a third country or region by circuitous means to circumvent the PDPA.

Restrictions on cross-border data transfers to Mainland China

Competent authorities have imposed restrictions on the cross-border transmission of certain categories of personal data to Mainland China, as follows:

  • in 2012, the National Communications Commission prohibited operators of communications and broadcasting enterprises from transmitting subscribers’ personal data to Mainland China;
  • in 2022, the Ministry of Health and Welfare restricted social workers from transmitting personal data of data subjects to Mainland China; and
  • in 2023, the Ministry of Labour restricted employment service agencies from transmitting data subjects’ personal data to Mainland China.

Taiwan currently lacks a statute that specifically regulates data privacy in cloud environments. Nonetheless, violations of the PDPA and sector-specific personal data regulations (such as those applicable to the healthcare and finance industries) may give rise to civil, criminal and administrative liabilities.

Civil Liability

Where a non-public entity violates the PDPA by unlawfully collecting, processing or using personal data, or by otherwise infringing upon the rights and interests of a data subject, such entity shall be liable for damages pursuant to Article 29 of the PDPA. The entity may avoid liability only by demonstrating that the harm did not result from its intentional or negligent conduct.

Criminal Liability

Under Article 41 of the PDPA, any person who, with the intent to obtain unlawful benefits for themselves or a third party or to harm another’s interests, violates restrictions on the collection, processing or use of personal data or on cross-border data transfers, in a manner causing harm to another, may be subject to imprisonment for up to five years and a fine of up to TWD1 million (approximately USD33,330).

Article 42 further provides that a person who unlawfully alters, deletes or otherwise compromises the accuracy of personal data, causing harm to another, may face imprisonment for up to five years, short-term detention and/or a fine of up to TWD1 million (approximately USD33,330).

Administrative Liability

Where a non-public entity materially violates key provisions of the PDPA (such as those governing the collection, processing and use of personal data or restrictions on cross-border transfers), the competent authority may impose an administrative fine ranging from TWD50,000 to TWD500,000 (approximately USD1,670 to USD16,670) and order corrective measures within a specified timeframe. Failure to comply within the prescribed period may result in additional consecutive fines.

For other violations, including failure to establish a personal data security maintenance plan or improper handling of personal data upon business termination, Article 48 of the PDPA authorises fines ranging from TWD20,000 to TWD2 million (approximately USD670 to USD66,670). In cases of serious violations, each instance may incur fines of up to TWD15 million (approximately USD500,000).

In 2023, the Ministry of Digital Affairs (MODA) promulgated the Regulations on Security Maintenance and Management of Personal Data Files for Digital Economy-Related Industries (the “Security Maintenance Regulations”). These regulations apply to digital economy-related industries (including, without limitation, data processing, hosting and website-hosting service providers such as cloud service providers) and require covered entities to establish:

  • a Personal Data File Security Maintenance Plan; and
  • appropriate methods for handling personal data upon termination of business operations.

These measures aim to prevent theft, alteration, damage, loss or unauthorised disclosure of personal data. The key requirements are as follows.

Personal Data Protection Management Policy, and the Security Maintenance Plan

Covered entities must develop and implement a comprehensive Personal Data File Security Maintenance Plan and procedures for handling personal data upon business termination (collectively, the “Security Maintenance Plan”). The Security Maintenance Plan must incorporate PDPA-compliance provisions, including but not limited to:

  • the duty to provide notice and obtain consent;
  • the obligation to respond to requests for enquiry, inspection or copies;
  • the requirement to maintain data accuracy; and
  • the obligation to notify affected parties in the event of a data breach.

Entities must concurrently adopt a personal data protection management policy and internal management procedures addressing such matters, and must communicate the personal data protection management policy to all personnel to ensure that they understand and comply with its requirements.

Human Resources Allocation and Personnel Management

Covered entities should allocate sufficient management personnel and resources responsible for the formulation, amendment and implementation of the personal data protection management policy and the Security Maintenance Plan. Entities must also:

  • impose confidentiality obligations on personnel;
  • assign differentiated access permissions to personal data based on business characteristics, data content and operational needs;
  • periodically review the appropriateness and necessity of such access permissions;
  • conduct regular awareness programmes and training; and
  • upon employee separation, require the return and deletion of personal data accessed or held during the course of employment.

Periodic Inspections and Risk Assessments

Covered entities are required to:

  • periodically inventory and verify the status of personal data that is collected, processed or used;
  • define the scope of data covered by the Security Maintenance Plan; and
  • conduct regular risk assessments of business processes that impact such personal data.

Based on the assessment results, entities must implement appropriate security measures to mitigate identified risks.

Information Security Management Measures

When collecting, processing or using personal data, covered entities must adopt appropriate encryption and protective measures for encrypted data, back-up data and data in transit. For personal data handled directly or indirectly via information and communications systems, the following security management measures should be implemented:

  • establishing and regularly updating firewalls, email filtering mechanisms, intrusion-detection devices and other measures protecting against external network intrusions;
  • monitoring anomalous data-access behaviour on systems storing personal data, and conducting periodic response drills;
  • periodically reviewing equipment for security vulnerabilities;
  • continuously updating and operating anti-virus software, and performing regular malware scans;
  • implementing authentication mechanisms for systems storing personal data, ensuring that account and password complexity meet prescribed standards;
  • avoiding, to the extent practicable, the use of real personal data for system testing;
  • conducting periodic inspections of systems processing personal data; and
  • evaluating usage scenarios and implementing personal data-masking mechanisms as appropriate.
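Two of the measures listed above, differentiated access permissions to personal data and monitoring of anomalous data-access behaviour, are the ones most often implemented in application code rather than at the network perimeter. The following is an added example written for this page; it is not code from the original text, from MODA or from any regulation. It assumes a hypothetical role-to-column entitlement table and a constructed audit-log batch (no real accounts or records), and shows a default-deny entitlement check together with a sliding-window detection for an account bulk-reading a sensitive column.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// entitlements maps a business role to the personal-data columns it may read. The roles and
// columns are assumptions constructed for this example, not a scheme from any regulation.
var entitlements = map[string]map[string]bool{
	"customer_service": {"name": true, "contact": true},
	"claims_adjuster":  {"name": true, "contact": true, "medical_record": true},
	"developer":        {}, // development accounts get no production personal data at all
}

// AccessEvent is one read of one column of one record, as an application audit log would record it.
type AccessEvent struct {
	Time     time.Time
	Account  string
	Role     string
	Column   string
	RecordID string
}

// Authorised reports whether the event's role holds an entitlement for the requested column.
// An unknown role or column yields false, so the default is deny.
func Authorised(e AccessEvent) bool {
	return entitlements[e.Role][e.Column]
}

// Finding is one alert raised by Monitor.
type Finding struct {
	Account string
	Reason  string
}

// Monitor replays an audit-log batch in time order and raises a Finding for
//   - every read the role is not entitled to, and
//   - every account whose distinct reads of a sensitive column exceed threshold within window
//     (a bulk-export pattern), reported once per account.
func Monitor(events []AccessEvent, sensitive map[string]bool, threshold int, window time.Duration) []Finding {
	evs := append([]AccessEvent(nil), events...)
	sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })

	type acct struct {
		times   []time.Time     // times of distinct sensitive reads still inside the window
		seen    map[string]bool // record IDs already counted, so re-reading one record is not inflation
		flagged bool
	}
	state := map[string]*acct{}
	var findings []Finding
	for _, e := range evs {
		if !Authorised(e) {
			findings = append(findings, Finding{e.Account, fmt.Sprintf("role %s is not entitled to read %s", e.Role, e.Column)})
			continue
		}
		if !sensitive[e.Column] {
			continue
		}
		a := state[e.Account]
		if a == nil {
			a = &acct{seen: map[string]bool{}}
			state[e.Account] = a
		}
		if a.seen[e.RecordID] {
			continue
		}
		a.seen[e.RecordID] = true
		a.times = append(a.times, e.Time)
		cut := e.Time.Add(-window)
		for len(a.times) > 0 && a.times[0].Before(cut) { // expire reads older than the window
			a.times = a.times[1:]
		}
		if len(a.times) > threshold && !a.flagged {
			a.flagged = true
			findings = append(findings, Finding{e.Account, fmt.Sprintf("%d distinct %s records read within %s", len(a.times), e.Column, window)})
		}
	}
	return findings
}

// SampleEvents is a constructed audit-log batch (not real data): alice works at a normal pace,
// bob pulls eight medical records in seventy seconds, carol and dev read columns outside their role.
func SampleEvents() []AccessEvent {
	base := time.Date(2025, 10, 7, 9, 0, 0, 0, time.UTC)
	var evs []AccessEvent
	for i := 0; i < 3; i++ {
		evs = append(evs, AccessEvent{base.Add(time.Duration(i) * 20 * time.Minute), "alice", "claims_adjuster", "medical_record", fmt.Sprintf("rec-%d", i+1)})
	}
	for i := 0; i < 8; i++ {
		evs = append(evs, AccessEvent{base.Add(time.Duration(i) * 10 * time.Second), "bob", "claims_adjuster", "medical_record", fmt.Sprintf("rec-%d", 10+i)})
	}
	evs = append(evs,
		AccessEvent{base.Add(3 * time.Minute), "bob", "claims_adjuster", "medical_record", "rec-10"}, // repeat read, not counted twice
		AccessEvent{base.Add(5 * time.Minute), "carol", "customer_service", "medical_record", "rec-5"},
		AccessEvent{base.Add(6 * time.Minute), "dev", "developer", "name", "rec-6"},
	)
	return evs
}

func main() {
	for _, f := range Monitor(SampleEvents(), map[string]bool{"medical_record": true}, 5, 10*time.Minute) {
		fmt.Printf("ALERT %-6s %s\n", f.Account, f.Reason)
	}
}
```

The threshold and window are policy choices that belong in the risk assessment the regulations require, not in code; the point of the sliding window is that a legitimate adjuster reading records one at a time over a working day never trips it, while the same number of reads compressed into a minute does. Re-reads of the same record are deliberately not counted, so a reviewer going back to one file is not mistaken for an export.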

Cloud service providers may refer to MODA’s Reference Guidelines for Implementation of Personal Data Protection and Information Security by the Information Service Industry, as well as to published standards (such as ISO/IEC 27001 (Information Security Management System), ISO/IEC 27701 (Privacy Information Management System) or the Taiwan Personal Information Protection and Administration System (TPIPAS)), when establishing their personal information management systems and information security management systems.

Common security measures include:

  • encrypting database-resident data (eg, AES-256);
  • protecting back-up data through encrypted storage, automated back-ups, automated compression and automated key encryption;
  • adopting TLS transport encryption for API-based transmissions (the older SSL protocol versions are obsolete and should be disabled);
  • applying data masking for display purposes;
  • providing encrypted channels for customers transmitting sensitive data;
  • masking unnecessary elements of sensitive data during transmission; and
  • implementing access-control measures for customer entitlements.

Additionally, entities should deploy, and keep current, protections for system servers and the office automation network, together with application firewalls.
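The measures listed above (encrypting database-resident data with AES-256, key management, and masking for display) are usually combined in one design: each stored value is encrypted under its own data-encryption key, that key is itself encrypted under a key-encryption key held in a KMS or HSM, and screens show a masked form rather than the decrypted value. The following is an added example written for this page, not code from the original text, from MODA or from any standard it cites. It assumes an in-memory key stands in for the KMS, a hypothetical key identifier, and a constructed value in the format of a Taiwan national ID number that belongs to no real person; the AAD binding of each ciphertext to its record and column is a design choice of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// KeyService stands in for an external KMS or HSM that holds the key-encryption key (KEK).
// In production the KEK never leaves the KMS; here it is an in-memory 32-byte key (assumption).
type KeyService struct {
	KeyID string
	kek   []byte
}

func NewKeyService(keyID string) (*KeyService, error) {
	kek := make([]byte, 32) // a 32-byte key selects AES-256
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyService{KeyID: keyID, kek: kek}, nil
}

// EncryptedField is the envelope stored in the database column instead of the plaintext.
type EncryptedField struct {
	KeyID      string // identifies which KEK wrapped the DEK, so KEKs can be rotated
	DEKNonce   []byte
	WrappedDEK []byte // per-record data-encryption key, itself AES-256-GCM encrypted under the KEK
	Nonce      []byte
	Ciphertext []byte
}

// gcmSeal encrypts plaintext with AES-GCM under key and a fresh random nonce, authenticating aad.
func gcmSeal(key, plaintext, aad []byte) ([]byte, []byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, g.Seal(nil, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal and fails if ciphertext, nonce or aad were altered.
func gcmOpen(key, nonce, ct, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ct, aad)
}

// fieldAAD binds a ciphertext to its record and column: copying the value to another row or
// column makes authentication fail on decryption instead of silently yielding the plaintext.
func fieldAAD(recordID, column string) []byte { return []byte(recordID + "\x00" + column) }

// EncryptField performs envelope encryption: a random DEK encrypts the value, the KEK wraps the DEK.
func (ks *KeyService) EncryptField(recordID, column, value string) (*EncryptedField, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	nonce, ct, err := gcmSeal(dek, []byte(value), fieldAAD(recordID, column))
	if err != nil {
		return nil, err
	}
	dekNonce, wrapped, err := gcmSeal(ks.kek, dek, []byte(ks.KeyID))
	if err != nil {
		return nil, err
	}
	return &EncryptedField{KeyID: ks.KeyID, DEKNonce: dekNonce, WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptField unwraps the DEK with the KEK and then decrypts the value for the stated record and column.
func (ks *KeyService) DecryptField(recordID, column string, f *EncryptedField) (string, error) {
	if f.KeyID != ks.KeyID {
		return "", errors.New("field was wrapped under an unknown KEK")
	}
	dek, err := gcmOpen(ks.kek, f.DEKNonce, f.WrappedDEK, []byte(ks.KeyID))
	if err != nil {
		return "", fmt.Errorf("unwrap DEK: %w", err)
	}
	pt, err := gcmOpen(dek, f.Nonce, f.Ciphertext, fieldAAD(recordID, column))
	if err != nil {
		return "", fmt.Errorf("decrypt field: %w", err)
	}
	return string(pt), nil
}

// MaskForDisplay reveals only the last keep characters; a value too short to hide anything is
// fully masked rather than shown in full.
func MaskForDisplay(value string, keep int) string {
	r := []rune(value)
	hidden := len(r) - keep
	if keep < 0 || hidden <= 0 {
		return strings.Repeat("*", len(r))
	}
	return strings.Repeat("*", hidden) + string(r[hidden:])
}

func main() {
	ks, err := NewKeyService("kek-2025-10") // hypothetical key identifier
	if err != nil {
		panic(err)
	}
	const nationalID = "A123456789" // constructed sample in national ID format, not a real person's number
	f, err := ks.EncryptField("cust-0001", "national_id", nationalID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored under %s: %x\n", f.KeyID, f.Ciphertext)
	fmt.Println("screen display:", MaskForDisplay(nationalID, 4))
	pt, err := ks.DecryptField("cust-0001", "national_id", f)
	fmt.Println("authorised read:", pt, err)
	_, err = ks.DecryptField("cust-0002", "national_id", f)
	fmt.Println("ciphertext copied to another record:", err)
}
```

Keeping the KEK identifier in the stored envelope is what makes key rotation tractable: new writes use the new KEK while old rows remain readable until they are re-wrapped, and the re-wrap touches only the 48-byte wrapped DEK, not the data. The record-and-column binding is the check a reviewer should look for, since without it an insider with write access to the table can move a ciphertext into a row they are permitted to read.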

Management of Data Storage Media

Covered entities must implement appropriate protective equipment or technologies commensurate with the characteristics and use of storage media. They must adopt suitable management rules for custodians and enforce ingress and egress controls for environments where media is stored.

Information Security Incident Response

Covered entities should maintain mechanisms for incident response, notification and prevention, including measures and communication channels to mitigate and control harm and to notify data subjects regarding the occurrence and handling of any incidents. Following an incident, entities must consider and implement corrective and preventative measures. Where an incident endangers normal operations or the rights and interests of a large number of data subjects, the entity must report the incident to MODA within 72 hours of becoming aware of the incident, using the prescribed format. If reporting to a municipality, county or city government, a copy of the report must also be submitted to MODA.

Data Ownership

In Taiwan, cloud service agreements typically provide that ownership of information stored in the cloud remains with the users of the cloud service.

However, for certain regulated industries, applicable laws and regulations explicitly govern the rights to data stored in cloud databases. For instance, when a financial institution, insurance company or electronic payment institution utilises cloud services for personal data processing, the relevant regulatory frameworks (ie, the Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation; the Directions for Operation Outsourcing by Insurance Enterprises; and the Rules Governing the Administration of Electronic Payment Business) stipulate that the financial institution, insurance enterprise or electronic payment institution shall retain full ownership of all data processed by the entrusted cloud service provider. The cloud service provider, aside from performing the contracted operations, is prohibited from accessing customer data or from using such data beyond the scope of the outsourced services.

Rights of Data Subjects

With respect to their personal data stored in the cloud, data subjects enjoy the same rights afforded under the PDPA, including:

  • the right to inquire or request inspection;
  • the right to request copies;
  • the right to request supplementation or correction;
  • the right to request cessation of collection, processing or use; and
  • the right to request deletion.

In principle, data subjects may exercise such rights at their discretion; however, certain legal restrictions may apply in specific contexts. For example, pursuant to Article 70 of the Medical Care Act, medical institutions are required to retain medical records for a minimum of seven years, during which period the data subject’s right to request deletion is correspondingly limited.

To exercise such rights, a data subject may submit an application to the cloud service provider pursuant to the PDPA or other applicable special laws. Under Article 13 of the PDPA, the cloud service provider must decide whether to approve or deny requests for inquiry, inspection or copies within 15 days of receipt, and must decide on other types of requests within 30 days.

Taiwan currently lacks specific statutes or regulations governing cloud data portability. Consequently, the ability to transfer cloud data between different service providers is primarily determined by the terms set forth in the individual cloud service agreements, as well as by the technical capabilities of the respective providers.

Cloud service providers should implement data retention and deletion policies in strict compliance with the PDPA.

Where a cloud service provider maintains personal data files, it must – pursuant to Article 27 of the PDPA – adopt and maintain appropriate security measures to prevent unauthorised theft, alteration, damage, loss or disclosure of such personal data.

Furthermore, under Article 11(3) of the PDPA, when the specific purpose for which the personal data was collected no longer exists, or when the applicable retention period has expired, the cloud service provider must – either proactively or upon request by the data subject – delete the personal data or cease processing or using such data.

In addition, for certain regulated sectors (including financial institutions and digital economy-related operators, such as cloud service providers), after deleting, ceasing to process or use, or transferring personal data, the operator should retain records and relevant evidence of such actions for a minimum period of five years. Such records shall include, without limitation, the reasons for, methods of, timing and location of the deletion, cessation of processing or use, or transfer of the personal data.

The PDPA does not establish a dedicated due diligence regime specifically for the selection of cloud service providers. Nonetheless, for purposes of information security protection, competent authorities and industry trade associations have issued reference guidelines and self-regulatory rules governing the use of cloud services within certain regulated sectors (primarily financial institutions and government agencies), thereby prescribing due diligence procedures. Examples include the following.

Finance Industry

Where a financial institution (such as a bank, credit co-operative or bills finance company) outsources a material consumer finance information system to an offshore cloud service provider, it must – pursuant to Article 18 of the Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation – obtain prior approval from the Financial Supervisory Commission (FSC). The institution is required to:

  • verify that the cloud service provider’s use, processing and control of customer information comply with the PDPA and related regulatory requirements;
  • maintain comprehensive audit records; and
  • designate such matters as key audit items.

Security testing of information systems must meet or exceed the standards prescribed by the competent authority or the Bankers Association. Additionally, the institution should conduct at least one general audit and one special audit annually, and should submit the cross-border outsourcing audit report to the board of directors (or board of supervisors, as applicable) within four months following the end of each fiscal year.

Regarding the items covered for due diligence, under the Self-Regulatory Rules for Financial Institutions’ and Insurance Companies’ Outsourcing to Use Cloud Services, banks and insurance companies that are members of the relevant associations must conduct due diligence and periodic reviews of cloud service providers, with audit frequency determined based on risk. Such reviews should address, inter alia:

  • physical security controls at data centres hosting the cloud services;
  • critical systems and control points involved in the provider’s processing operations;
  • service-level agreements;
  • back-up measures;
  • information security protection capabilities;
  • incident notification responsibilities and management; and
  • business continuity and disaster recovery capabilities.

Securities and Futures Industry

The FSC has issued information security control guidance applicable to securities and futures enterprises utilising cloud services. Such enterprises are required to perform due diligence on cloud service providers, assessing (among other factors):

  • service levels;
  • back-up mechanisms;
  • data destruction protocols;
  • logical resource segregation;
  • log retention policies;
  • information security protection capabilities;
  • incident notification responsibilities and management; and
  • business continuity and disaster recovery capabilities.

Government Agencies

When a government agency procures or utilises cloud services, it must comply with the following additional requirements.

  • The cloud service provider must not be a vendor based in Mainland China (including Hong Kong and Macao).
  • All software and hardware utilised in connection with the relevant cloud services must exclude products from Mainland Chinese brands. Additionally, no individuals of Mainland Chinese nationality should be permitted to participate in the domestic project team, including any subcontractors. For members of overseas cloud service execution teams, personnel security control mechanisms must be implemented in accordance with applicable international standards.
  • The physical locations for access and back-up of cloud data must not be situated in Mainland China (including Hong Kong and Macao), and relevant data must not be transmitted into, out of or across those territories.

Data Protection Requirements

As a general principle, a cloud service provider – even when acting solely as an “entrusted party” (ie, a data processor) in relation to the collection, processing or use of personal data – must, pursuant to Article 4 of the PDPA, bear the same statutory obligations as the entrusting party (ie, the personal data controller or the user of cloud services) under the PDPA. The cloud service provider may collect, process or use personal data only within the scope of the entrusting party’s instructions.

Furthermore, under Article 8 of the Enforcement Rules, the user of the cloud service (the “entrusting party” – ie, the personal data controller) is required to exercise appropriate supervision over the cloud service provider (the “entrusted party” – ie, the processor). Such supervisory measures should include, but are not limited to:

  • defining the scope, categories, specific purposes and duration of the intended collection, processing or use of personal data;
  • requiring the entrusted party to implement adequate technical and organisational security measures to prevent theft, alteration, damage, loss or unauthorised disclosure of personal data;
  • establishing terms governing any sub-outsourcing arrangements with sub-processors;
  • specifying notification obligations to the entrusting party and remedial actions to be taken in the event of violations of the PDPA, other applicable personal data laws or regulatory orders by the entrusted party or its employees;
  • reserving the entrusting party’s right to issue instructions regarding the handling of personal data; and
  • providing for the return of personal data media and the deletion of personal data held by the entrusted party upon termination or rescission of the relevant service agreement.

In addition, the user of the cloud service should periodically verify the cloud service provider’s compliance with such obligations and maintain records of such verification.

Measures to Ensure Compliance With Data Privacy Regulations

In addition, for banks, credit co-operatives, bills finance companies and insurance companies utilising cloud services, the following enhanced oversight measures should be implemented to ensure that the cloud service providers’ collection, processing or use of customers’ personal data fully complies with the PDPA.

  • The financial institution shall bear ultimate supervisory responsibility and should, either directly or through a qualified third party, obtain audit reports verifying the cloud service provider’s compliance with relevant international information security and privacy standards.
  • Customer data transmitted to and stored by the cloud service provider should be protected by robust security measures, such as encryption or tokenisation, supported by appropriate key management protocols.
  • The financial institution should retain full ownership of all entrusted data and ensure that the cloud service provider’s access to customer data is strictly limited to the performance of the entrusted services, with no authority to use such data beyond the agreed scope.
  • The financial institution shall retain the right to designate the geographic locations for processing and storage of customer data and should ensure that any applicable foreign data protection laws afford protections no less stringent than those required under Taiwan law. As a general principle, storage locations for customer data related to material consumer finance information systems should be within Taiwan. Where offshore storage is employed, important customer data must be backed up within Taiwan unless otherwise approved by the competent authority.

The PDPA does not explicitly prescribe the specific content requirements for data-processing agreements. However, when banks, credit co-operatives, bills finance companies or insurance companies outsource data processing to a cloud service provider, the outsourcing contract must include the following provisions, at a minimum:

  • a clear definition of the scope of the outsourced activities, including the categories of personal data involved, the specific purposes for which the data will be collected, processed or used, and the duration of such processing;
  • an explicit obligation requiring the provider to comply with all applicable laws and regulations, including but not limited to the Banking Act, the Money Laundering Control Act, the PDPA and the Consumer Protection Act;
  • provisions ensuring consumer rights protections, including confidentiality and security measures to safeguard customer data;
  • a requirement that the provider, in accordance with supervisory standards established by the financial or insurance institution, implement standard operating procedures addressing consumer rights protection, risk management, internal controls and internal audit systems;
  • mechanisms for resolving consumer disputes, including detailed timelines, procedures and available remedies;
  • policies governing the management of the provider’s personnel, including hiring practices, performance evaluations and disciplinary actions;
  • clearly defined material grounds for termination of the outsourcing contract, including clauses permitting termination or rescission upon notice from the competent authority;
  • the provider’s agreement to permit the competent authority and the Central Bank, within the scope of the entrusted activities, to access relevant data or reports, conduct examinations of the financial or insurance institution, and require submission of data or reports within specified timeframes;
  • a prohibition against the provider acting on behalf of the financial or insurance institution in handling entrusted matters, engaging in false advertising or charging fees to customers in connection with loan-marketing operations; and
  • an obligation for the provider to promptly notify the financial or insurance institution of any material abnormalities or deficiencies relating to the outsourced activities.

Under applicable self-regulatory rules, financial institutions and insurance companies must, prior to engaging a cloud service provider, incorporate in their contracts comprehensive exit mechanisms to be implemented upon termination of the cloud outsourcing arrangement. Such mechanisms must include, but are not limited to, the following provisions.

Migration Planning

Specification of an appropriate and effective method for migrating systems and data, either back to the institution or to an alternative cloud service provider.

Data Deletion and Record Retention

Assurance that, upon termination or migration, all data remaining within the cloud environment will be securely deleted, and that verifiable records of such deletion or destruction will be retained by the provider.

Responsibilities Regarding Data Handling Upon Termination

The outsourcing agreement with the cloud service provider must explicitly define the obligations and responsibilities concerning data management upon termination of the service. This includes the secure return, deletion or transfer of data, ensuring compliance with applicable laws and protecting the confidentiality and integrity of all information involved.

Contractual Migration Obligations and Liability for Service Interruptions

Clear contractual provisions requiring the original cloud service provider to facilitate system migration and proper data handling during the transition to another provider or repatriation to the institution, together with defined liability for any service interruptions arising from such processes.

General Rules Under the PDPA

Private-sector entities designated by the competent authority (such as financial institutions, insurance companies and digital economy-related industries, including cloud service providers) are required to establish a Personal Data File Security Maintenance Plan in accordance with applicable regulations. In the event of a personal data breach, such entities must notify the competent authority in the prescribed manner and within the specified timeframe, typically within 72 hours, as mandated by their respective competent authorities.

Failure to formulate and implement a Personal Data File Security Maintenance Plan as required shall subject the entity to administrative fines pursuant to Article 48(2) of the PDPA. Such fines, imposed by the central competent authority overseeing the relevant industry or by the municipal, county or city government, range from TWD20,000 to TWD2 million (approximately USD670 to USD66,670). The entity will also be ordered to rectify the violation within a specified period. Should the entity fail to comply within the allotted time, repeated fines ranging from TWD150,000 to TWD15 million (approximately USD5,000 to USD500,000) per instance may be imposed.

For the avoidance of doubt, since the PDPA does not explicitly impose a statutory obligation to notify upon a personal data breach, competent authorities may not impose penalties solely for failure to notify under the “appropriate security measures” stipulated in the Personal Data File Security Maintenance Plan.

The Cybersecurity Management Act (for Government Agencies and Critical Infrastructure Providers)

Agencies or enterprises designated by the competent authority as critical infrastructure providers (including but not limited to those in energy, water resources, telecommunications and broadcasting, transportation, finance and emergency services industries, as well as hospitals, central and local government agencies, and science parks) must notify the central competent authority of any cybersecurity incident within one hour of becoming aware of the event, using the method prescribed by the central competent authority.

Failure by a designated non-public entity to provide timely notification may result in an administrative fine ranging from TWD300,000 to TWD5 million (approximately USD10,000 to USD166,670), along with an order to correct the violation within a specified timeframe. Continued non-compliance may lead to the imposition of consecutive fines.

Material Information Disclosure by Listed Companies

When a listed company experiences a cybersecurity incident that causes material damage or materially impacts the company, such incident must be disclosed as material information. The competent authority interprets “cybersecurity incident” to include hacking, intrusion, damage, alteration, deletion, encryption, theft or denial-of-service (DoS or distributed DDoS) attacks targeting information systems, official websites or other digital assets, resulting in operational disruption, service unavailability, or risk of leakage of personal data or internal documents.

The listed company is required to submit the relevant information or explanation through the designated online information-reporting system no later than two hours before the commencement of trading hours on the next business day following the incident.

In cases of serious violations, the listed company may be subject to liquidated damages of up to TWD5 million (approximately USD166,670) and must complete the required filing. Failure to comply within the specified timeframe may result in repeated fines.

Digital-related industries, including cloud service providers, should maintain comprehensive post-incident response, notification and preventative measures to address security incidents involving the theft, alteration, damage, loss or unauthorised disclosure of personal data.

Investigation Procedure for Personal Data Incidents

Information service providers (including cloud service providers) are guided by MODA’s Reference Guidelines for Implementation of Personal Data Protection and Information Security by the Information Service Industry, which recommend investigating incidents through log reviews to identify anomalous IP addresses, and conducting security assessments such as source-code reviews, penetration testing, vulnerability scanning and intrusion path analysis to determine the root cause of such incidents. Service providers should concentrate investigative efforts on their own systems and websites and provide assistance to customers in their investigations as necessary.

Immediate Remedial Measures Upon Occurrence of a Data Breach

Immediate remedial measures for ongoing personal data incidents may include malware detection and engagement with cybersecurity experts to perform digital forensic analyses aimed at identifying and eradicating malicious code (eg, viruses, trojans) to prevent further damage. If the scope of harm is significant, it may be necessary to temporarily suspend operations of system servers implicated in the data breach. Additionally, baseline containment measures should be promptly implemented, such as restricting access from foreign IP addresses and tightening customer account access controls.
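The two preceding passages describe the investigative step (reviewing logs for anomalous source IP addresses) and the baseline containment step (restricting foreign sources and tightening customer account access). The following Python script is an added example, not code from the MODA guidelines or from the authors, showing both steps run end to end over a handful of constructed nginx-style access-log lines. The sample log, the `/login?user=` layout, the 5-failures-in-5-minutes threshold and the single "domestic" range `198.51.100.0/24` are all assumptions made for the example; a real deployment would substitute its own log format, thresholds and allowlist or GeoIP data.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in nginx "combined" layout; not real traffic.
# The login handler is assumed to log the attempted account as ?user=<name>.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:00:01 +0800] "POST /login?user=alice HTTP/1.1" 401 312 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:10:00:03 +0800] "POST /login?user=bob HTTP/1.1" 401 312 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:10:00:04 +0800] "POST /login?user=carol HTTP/1.1" 401 312 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:10:00:06 +0800] "POST /login?user=dave HTTP/1.1" 401 312 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:10:00:07 +0800] "POST /login?user=bob HTTP/1.1" 401 312 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:10:00:09 +0800] "POST /login?user=bob HTTP/1.1" 200 1840 "-" "python-requests/2.31"
198.51.100.20 - - [12/Mar/2025:10:01:10 +0800] "POST /login?user=erin HTTP/1.1" 401 312 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2025:10:01:25 +0800] "POST /login?user=erin HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2025:10:02:00 +0800] "GET /export/customers.csv HTTP/1.1" 200 98231 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Hypothetical "domestic" address space used only for this example (RFC 5737 test range);
# a production script would use the operator's own allowlist or a GeoIP lookup.
DOMESTIC_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def parse_log(text):
    """Turn raw access-log lines into event dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": url.path,
            "status": int(m["status"]),
            "user": parse_qs(url.query).get("user", [None])[0],
        })
    return events


def is_foreign(ip):
    """True when the address falls outside every configured domestic range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in DOMESTIC_RANGES)


def failed_login_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Sliding-window count of failed /login attempts per source IP.

    Returns {ip: peak failures inside any `window`} for IPs whose peak reaches `threshold`.
    """
    failures = defaultdict(list)
    for e in events:
        if e["path"] == "/login" and e["status"] == 401:
            failures[e["ip"]].append(e["ts"])
    bursts = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts


def containment_plan(events, **kw):
    """Derive the baseline containment actions from the anomalous-IP findings."""
    bursts = failed_login_bursts(events, **kw)
    # An account that logged in successfully from a bursting IP is presumed compromised.
    compromised = sorted({e["user"] for e in events
                          if e["ip"] in bursts and e["path"] == "/login"
                          and e["status"] == 200 and e["user"]})
    foreign = sorted({e["ip"] for e in events if is_foreign(e["ip"])} - set(bursts))
    return {
        "block_ips": sorted(bursts),     # immediate deny-list entries
        "lock_accounts": compromised,    # force credential reset / MFA re-enrolment
        "restrict_foreign": foreign,     # remaining foreign sources for the geo-restriction baseline
    }


if __name__ == "__main__":
    for action, targets in containment_plan(parse_log(SAMPLE_LOG)).items():
        print(f"{action}: {targets}")
```

On the constructed sample the credential-stuffing source `203.0.113.7` is the only IP that reaches the failure threshold, account `bob` is flagged because it authenticated from that source after the burst, and `192.0.2.9` is left as a foreign source to be restricted under the baseline measure rather than blocked outright, which mirrors the distinction the guidelines draw between eradicating the identified attacker and applying broader interim controls.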

Post-Incident Remediation and Preventative Measures

The following post-incident measures are recommended for purposes of elimination of vulnerabilities and prevention of similar incidents in the future.

Strengthening information security controls

Upon identifying the root cause of an incident, vulnerabilities should be eliminated and system defences should be enhanced either at a detailed level or comprehensively – eg:

  • system architecture modifications;
  • firewall hardening;
  • encryption of transmission channels; and
  • database encryption.

If the root cause remains undetermined, client-side improvements may include:

  • adopting multi-factor authentication;
  • enforcing a one-person-one-account policy;
  • limiting the number of accounts; and
  • binding accounts to specific IP addresses.

For the provider’s own systems, defence-in-depth measures may be implemented across the platform to mitigate both intermittent and persistent malicious network attacks.

Adjusting personal data processing practices

The following measures may be considered:

  • data minimisation (eg, masking data during transmission);
  • modifying the types of personal data collected;
  • altering transmission methods; and
  • changing storage locations and methods to enhance data protection.

Reassessing allocation of security responsibilities with customers

Evaluation should be conducted to determine whether customers can bear the costs of security protection, and contractual allocations of security responsibilities may be accordingly renegotiated. If a customer is unable to meet the required security standards, non-renewal of the contract may be considered to avoid imposing excessive risk on the information service provider.

Notification of Data Subjects

In the event that a government agency or private-sector entity violates the PDPA, resulting in the theft, leakage, alteration or other infringement of personal data, the responsible party should, upon ascertaining the relevant facts, notify the affected data subjects by appropriate means. Such “appropriate means” may include oral or written notice, telephone call, text message, email, facsimile, electronic document or any other method reasonably determined to effectively inform the data subjects.

Where direct notification would impose undue cost, and after considering technical feasibility and the need to protect privacy, notification may instead be made by public announcement through the internet, media outlets or other suitable public channels.

Notification of Competent Authorities

Private-sector entities designated by competent authorities to implement personal data security maintenance plans should, upon the occurrence of a personal data security incident, notify their competent authorities in accordance with the prescribed procedures and within the timeframe mandated by the industry-specific regulations.

For instance, entities operating within the digital economy sector, the financial industry, and certain co-operatives and civil associations are required to submit the designated notification form to their competent authorities within 72 hours of becoming aware of the incident. Such notification must include, at minimum:

  • basic business information and contact details;
  • the date and nature of the incident;
  • the volume and categories of personal data affected;
  • the cause of the incident;
  • the extent of harm caused;
  • potential consequences;
  • remedial measures undertaken; and
  • the timing and method of notification provided to affected data subjects.

Co-Ordination of Notifications With Cloud Service Providers

The data controller retains ultimate responsibility for all notifications related to personal data incidents. Pursuant to Article 8 of the Enforcement Rules of the PDPA, where a private-sector entity entrusts a cloud service provider with the collection, processing or use of personal data, the entrusting party must exercise proper supervision over the provider. The outsourcing agreement or related contractual arrangements should explicitly require that, upon becoming aware of any data breach or leakage incident, the cloud service provider promptly notify the private-sector entity and co-operate fully for informing the competent authority, as required by law.

Definition of International Data Transfers/Transmissions

Pursuant to Article 2, subparagraph 6 of the PDPA, “international transfer/transmission” refers to the cross-border processing or use of personal data. Examples include:

  • a head office transmitting personal data to an overseas (outbound) branch or to another foreign company or institution; and
  • a public agency transmitting personal data to an overseas (outbound) representative office or to another foreign public institution or company.

Regulation of International Data Transfers/Transmissions

Pursuant to Article 21 of the PDPA, the international transfer or transmission of personal data is generally permitted. However, the central competent authority overseeing the relevant industry is empowered to impose restrictions on such cross-border transfers by non-public entities under certain specified circumstances, including:

  • when national security or other significant national interests are at risk;
  • when specific provisions exist in applicable international treaties or agreements;
  • when the recipient country or territory lacks adequate personal data protection laws and regulations, thereby potentially jeopardising the rights and interests of data subjects; and
  • when personal data is routed through a third country or region to circumvent the PDPA’s requirements.

Notably, current practical restrictions on cross-border data transmissions predominantly target transfers of specified data to Mainland China.

Data Protection Requirements in International Data Transfer Agreements

Certain sectors impose more stringent requirements on cross-border data transfers. For instance, when financial institutions and insurance companies engage cloud service providers to process or store personal data, such institutions retain the right to designate the locations of data processing and storage. Moreover, when customer data is stored offshore, such institutions must ensure that the personal data protection laws of the foreign jurisdiction provide protections that are no less stringent than those mandated under Taiwan law.

Although the PDPA does not explicitly mandate data localisation requirements for cloud computing, competent authorities have implemented administrative rules and regulations that effectively impose localisation requirements in certain sectors – for example, as follows.

Healthcare Industry

Pursuant to Article 15 of the Human Biobank Management Act, data contained within a human biobank may only be transferred internationally with prior approval from the competent authority. Additionally, Article 8 of the Regulations Governing the Preparation and Management of Electronic Medical Records by Healthcare Institutions stipulates that, when a medical institution utilises cloud services or engages a service provider to deliver cloud services for the collection, processing or use of system data, the physical locations for data access, back-up, redundancy and temporary storage must, in the absence of approval from the Ministry of Health and Welfare, be located within Taiwan. Moreover, the cloud service provider must not be an entity invested in by a PRC investor.

Financial Industry

When a financial institution (including banks, credit co-operatives, bill finance companies and credit card issuers) entrusts a cloud service provider to process customer data involving material consumer finance information, the storage of such customer data must, as a general rule, be located in Taiwan. In cases where data storage occurs offshore, important customer data must be backed up within Taiwan unless otherwise authorised by the competent authority. Comparable localisation and back-up requirements apply to electronic payment institutions and insurance companies.

Government Agencies

For government agencies, the physical locations for data access, back-up and redundancy related to agency cloud data must not be situated within the territory of Mainland China, including Hong Kong and Macao. Furthermore, data must not be transmitted into, out of or through such territories.

Principles of Conflicts of Law

Under the PDPA’s territorial scope, the Act applies to the collection, processing and use of personal data conducted within Taiwan, regardless of whether the cloud service provider is located domestically or abroad. With respect to governing law and international jurisdiction in disputes arising from cross-border data transfers, the Act Governing the Choice of Law in Civil Matters Involving Foreign Elements does not provide explicit guidance on the matter. In such cases, Taiwan courts will consider multiple factors, including:

  • the interests of international civil litigation;
  • the connection of the case to a particular jurisdiction;
  • applicable domestic civil procedure rules; and
  • principles concerning the recognition and enforcement of foreign judgments.

In doing so, courts balance considerations of substantive fairness, procedural convenience and judicial economy to determine whether they have jurisdiction. To mitigate potential jurisdictional disputes, parties are strongly advised to expressly stipulate the governing law and forum selection in their contractual agreements. For instance, the Executive Yuan’s model procurement contract for government cloud services designates Taiwan law as the governing law and specifies the court located in the government agency’s jurisdiction as the court of first instance.

Risks and Challenges

Given the diversity in economic and social structures and privacy norms across jurisdictions, cross-border cloud data transmissions often encounter regulatory frictions where domestic and foreign legal regimes diverge. In the absence of harmonised privacy standards, there is a risk of increased restrictions on cross-border data transfers. This, in turn, will elevate the costs for enterprises in delivering related services. Conversely, unrestricted data transfers to third countries lacking adequate data protection may incentivise parties to circumvent more stringent regulatory regimes.

Challenges arising from cross-border data transmissions cannot be adequately addressed solely through assertions of domestic jurisdiction. When personal data transmitted offshore is misused or inadequately protected, affected data subjects frequently face significant obstacles in asserting their rights. Such cases typically involve complex issues of international jurisdiction, characterisation of tort claims, and choice of law. Moreover, even after securing a favourable judgment, the recognition and enforcement of foreign judgments in another jurisdiction remain uncertain and pose potential legal risks.

Scope and Obligations Under the PDPA

The PDPA broadly imposes audit-related obligations on both public agencies and non-public bodies to safeguard personal data against theft, alteration, damage, loss or unauthorised disclosure. These obligations include the formulation of a Personal Data File Security Maintenance Plan, the periodic evaluation of the plan’s implementation, and the issuance of corresponding assessment reports.

Furthermore, competent authorities (including, without limitation, the FSC, the National Communications Commission, the Overseas Community Affairs Council and the Mainland Affairs Council) have, pursuant to the PDPA, promulgated detailed model Personal Data File Security Maintenance Plans and post-termination handling procedures. These authorities have also issued Personal Data Security Audit Checklists to guide regulated entities in complying with their obligations.

Recommended Audit Items for Cloud Environments

Pursuant to Article 12 of the Enforcement Rules of the PDPA, audit focus areas for cloud environments should encompass:

  • organisation and resource management;
  • risk assessment and management;
  • incident handling and response; and
  • legal compliance.

Specific audit items include, but are not limited to, the following:

  • allocation of management personnel and adequate resources;
  • definition and delineation of the scope of personal data;
  • risk-assessment and risk-management mechanisms relating to personal data;
  • mechanisms for incident prevention, notification and response;
  • internal procedures governing the collection, processing and use of personal data;
  • data security management and personnel oversight;
  • awareness programmes, including education and training initiatives;
  • equipment security management;
  • mechanisms for conducting data security audits;
  • preservation of usage logs, trace data and evidentiary materials; and
  • continuous, comprehensive improvement of personal data security maintenance.

Internal Audits by Non-Public Bodies

In implementing their security plans, non-public bodies are required to designate personnel possessing expertise in legal, accounting and information security fields to conduct internal audits. Key measures should include the following.

  • Access-control mechanisms for personal data files, including:
    1. permission settings;
    2. periodic permission reviews;
    3. maintenance of permission inventories; and
    4. access-logging workflows.
  • Timely updating and verification of system software and anti-virus programs.
  • Necessary controls over critical equipment and premises, such as:
    1. establishing secure network architectures;
    2. periodically remediating vulnerabilities in equipment, system components, database systems and software; and
    3. adopting security operating procedures for the use of portable storage media.

External audits conducted by independent third parties (such as certification under ISO/IEC 27001) may also be utilised to demonstrate compliance.

Audit Report Requirements

Audit reports must, at a minimum, include:

  • the assessors’ qualifications;
  • the scope of the assessment;
  • identified deficiencies;
  • severity ratings;
  • deficiency categories;
  • explanations of associated risks;
  • specific remediation recommendations; and
  • the results of social engineering or tabletop exercises.

Such reports should be submitted to the designated auditing unit, which, depending on applicable sectoral regulations, may include the company’s board of directors and/or the relevant competent authority, for purposes of tracking and monitoring corrective actions.

Penalties for Non-Compliance

Where a non-public body maintaining personal data files fails to implement appropriate security measures to prevent theft, alteration, damage, loss or unauthorised disclosure of personal data, or fails to comply with its Personal Data File Security Maintenance Plan or its post-termination personal data handling procedures, administrative fines may be imposed pursuant to Article 48 of the PDPA. Such fines range from TWD20,000 to TWD2 million (approximately USD670 to USD66,670). In cases of serious violations, or where corrective actions are not completed within the timeframe specified by the competent authority, repeated fines ranging from TWD150,000 to TWD15 million (approximately USD5,000 to USD500,000) per instance may be levied.

Lee and Li, Attorneys-at-Law

Taipei Office:
8F, No 555
Sec 4 Zhongxiao E Rd Taipei
110055 Taiwan ROC

Hsinchu Office:
5F, Science Park Life Hub No 1
Industry E 2nd Rd Hsinchu Science Park Hsinchu
300091 Taiwan ROC

+886 2 2763 8000

+886 2 2766 5566

attorneys@leeandli.com
www.leeandli.com/EN