Data Privacy Regulations in Taiwan
At present, Taiwan does not have specific legislation that directly governs data protection in the context of cloud computing. Nonetheless, the processing of personal data within a cloud environment is subject to the provisions of the Personal Data Protection Act (PDPA) and its Enforcement Rules (the “Enforcement Rules”). Where a cloud service provider collects personal data within Taiwan, such activities are regulated by the PDPA and its Enforcement Rules, pursuant to the principle of territoriality.
Definition of Personal Data and Sensitive Data
The PDPA defines “personal data” as any information that can directly or indirectly identify an individual. This includes, but is not limited to:
Within this broad category, certain types of personal data – particularly medical records, medical history, genetic information, sexual history, health examination results and criminal records – are recognised as possessing heightened sensitivity compared to general personal data. The unauthorised collection, processing or use of such data may result in significant harm to the data subject or provoke widespread protest. Consequently, personal data within these categories is subject to more stringent regulatory requirements and is classified as “special personal data” (commonly referred to as “sensitive personal data”). Except where expressly authorised by law, the collection, processing or use of special personal data by any entity is generally prohibited.
Specific Requirements for Processing Personal Data in the Cloud
The processing of personal data in cloud environments must also comply with the PDPA, its Enforcement Rules and other applicable regulations. It is important to note that competent authorities overseeing specific regulated sectors – such as the financial industry and medical institutions – have promulgated specific regulations governing the transmission and storage of customer and medical record data by cloud service providers.
Financial institutions
Pursuant to the Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation, and the Directions for Operation Outsourcing by Insurance Enterprises, financial institutions – including banks, credit co-operatives, bill finance companies, credit card issuers and insurance companies – are required to implement effective protective measures when transmitting or storing customer data with cloud service providers. Such measures include encryption or encoding of data and the establishment of robust encryption key management protocols. Such institutions must retain full ownership of the entrusted data.
Furthermore, financial institutions and insurance companies must maintain the right to designate the geographic location of data processing and storage. The data protection standards of any overseas storage location must at least meet the requirements set forth in the PDPA. As a general rule, customer data related to significant consumer finance operations or individual customer information systems must be stored within Taiwan. If data is stored abroad, prior approval from the competent authority (ie, the Financial Supervisory Commission) is required, and critical customer data must be retained and backed up within Taiwan.
Medical institutions
Medical institutions that collect or process medical records or that utilise electronic medical record information systems and databases, and that employ cloud services or delegate such services to third parties, must comply with the Regulations Governing the Preparation and Management of Electronic Medical Records by Healthcare Institutions. Such institutions are further obligated to:
Additionally, medical institutions must establish mechanisms to retrieve data upon termination or cessation of cloud services. Data storage in cloud environments must be located within Taiwan; however, in exceptional circumstances – such as those involving international collaboration – storage outside Taiwan may be permitted subject to approval by the Ministry of Health and Welfare.
Specific Obligations for Data Controllers and Processors in the Cloud Environment
Where a cloud service provides infrastructure, hardware, operating systems or development platforms, it is generally the “user” of such services that collects, processes or utilises personal data and that determines the purposes and methods of such use. In such circumstances, the “user” of the cloud service is typically regarded under the PDPA as the data controller, while the cloud service provider functions at most as an entrusted party (ie, a data processor).
Nonetheless, pursuant to Article 4 of the PDPA, even where the cloud service provider acts as an entrusted party, it remains subject to the same obligations as the entrusting agency (ie, the data controller and processor). Such obligations include, but are not limited to:
Furthermore, in the event of a data breach or other infringement, the cloud service provider is obligated to notify the affected data subjects (this is referred to as the notification obligation). Concurrently, as the entrusting party responsible for the collection, processing or use of personal data, the “user” of the cloud service bears a duty to supervise the cloud service provider to ensure compliance with the PDPA.
General Principles
Taiwan generally permits the cross-border transmission of personal data. However, pursuant to Article 21 of the PDPA, the central competent authority overseeing the relevant industry may impose restrictions on the international transfer of personal data by non-public entities under the following circumstances:
Restrictions on cross-border data transfers to Mainland China
Competent authorities have imposed restrictions on the cross-border transmission of certain categories of personal data to Mainland China, as follows:
Taiwan currently lacks a statute that specifically regulates data privacy in cloud environments. Nonetheless, violations of the PDPA and sector-specific personal data regulations (such as those applicable to the healthcare and finance industries) may give rise to civil, criminal and administrative liabilities.
Civil Liability
Where a non-public entity violates the PDPA by unlawfully collecting, processing or using personal data, or by otherwise infringing upon the rights and interests of a data subject, such entity shall be liable for damages pursuant to Article 29 of the PDPA. The entity may avoid liability only by demonstrating that the harm did not result from its intentional or negligent conduct.
Criminal Liability
Under Article 41 of the PDPA, any person who, with the intent to obtain unlawful benefits for themselves or a third party or to harm another’s interests, violates restrictions on the collection, processing or use of personal data or on cross-border data transfers, in a manner causing harm to another, may be subject to imprisonment for up to five years and a fine of up to TWD1 million (approximately USD33,330).
Article 42 further provides that a person who unlawfully alters, deletes or otherwise compromises the accuracy of personal data, causing harm to another, may face imprisonment for up to five years, short-term detention and/or a fine of up to TWD1 million.
Administrative Liability
Where a non-public entity materially violates key provisions of the PDPA (such as those governing the collection, processing and use of personal data or restrictions on cross-border transfers), the competent authority may impose an administrative fine ranging from TWD50,000 to TWD500,000 (approximately USD1,670 to USD16,670) and order corrective measures within a specified timeframe. Failure to comply within the prescribed period may result in additional consecutive fines.
For other violations, including failure to establish a personal data security maintenance plan or improper handling of personal data upon business termination, Article 48 of the PDPA authorises fines ranging from TWD20,000 to TWD2 million (approximately USD670 to USD66,670). In cases of serious violations, each instance may incur fines of up to TWD15 million (approximately USD500,000).
In 2023, the Ministry of Digital Affairs (MODA) promulgated the Regulations on Security Maintenance and Management of Personal Data Files for Digital Economy-Related Industries (the “Security Maintenance Regulations”). These regulations apply to digital economy-related industries (including, without limitation, data processing, hosting and website-hosting service providers such as cloud service providers) and require covered entities to establish:
These measures aim to prevent theft, alteration, damage, loss or unauthorised disclosure of personal data. The key requirements are as follows.
Personal Data Protection Management Policy, and the Security Maintenance Plan
Covered entities must develop and implement a comprehensive Personal Data File Security Maintenance Plan and procedures for handling personal data upon business termination (collectively, the “Security Maintenance Plan”). The Security Maintenance Plan must incorporate PDPA-compliance provisions, including but not limited to:
Entities must concurrently adopt a personal data protection management policy and internal management procedures addressing such matters, and must communicate the personal data protection management policy internally to ensure that personnel understand and comply with its requirements.
Human Resources Allocation and Personnel Management
Covered entities should allocate sufficient management personnel and resources responsible for the formulation, amendment and implementation of the personal data protection management policy and the Security Maintenance Plan. Entities must also:
Periodic Inspections and Risk Assessments
Covered entities are required to:
Based on the assessment results, entities must implement appropriate security measures to mitigate identified risks.
Information Security Management Measures
When collecting, processing or using personal data, covered entities must adopt appropriate encryption and protective measures for encrypted data, back-up data and data in transit. For personal data handled directly or indirectly via information and communications systems, the following security management measures should be implemented:
Cloud service providers may refer to MODA’s Reference Guidelines for Implementation of Personal Data Protection and Information Security by the Information Service Industry, as well as to published standards (such as ISO/IEC 27001 (Information Security Management System), ISO/IEC 27701 (Privacy Information Management System) or the Taiwan Personal Information Protection and Administration System (TPIPAS)), when establishing their personal information management systems and information security management systems.
Common security measures include:
Additionally, entities should deploy and periodically update system servers, office automation network protections and application firewalls.
Management of Data Storage Media
Covered entities must implement appropriate protective equipment or technologies commensurate with the characteristics and use of storage media. They must adopt suitable management rules for custodians and enforce ingress and egress controls for environments where media is stored.
Information Security Incident Response
Covered entities should maintain mechanisms for incident response, notification and prevention, including measures and communication channels to mitigate and control harm and to notify data subjects regarding the occurrence and handling of any incidents. Following an incident, entities must consider and implement corrective and preventative measures. Where an incident endangers normal operations or the rights and interests of a large number of data subjects, the entity must report the incident to MODA within 72 hours of becoming aware of the incident, using the prescribed format. If reporting to a municipality, county or city government, a copy of the report must also be submitted to MODA.
Data Ownership
In Taiwan, cloud service agreements typically provide that ownership of information stored in the cloud remains with the users of the cloud service.
However, for certain regulated industries, applicable laws and regulations explicitly govern the rights to data stored in cloud databases. For instance, when a financial institution, insurance company or electronic payment institution utilises cloud services for personal data processing, the relevant regulatory frameworks (ie, the Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation; the Directions for Operation Outsourcing by Insurance Enterprises; and the Rules Governing the Administration of Electronic Payment Business) stipulate that the financial institution, insurance enterprise or electronic payment institution shall retain full ownership of all data processed by the entrusted cloud service provider. The cloud service provider, aside from performing the contracted operations, is prohibited from accessing customer data or from using such data beyond the scope of the outsourced services.
Rights of Data Subjects
With respect to their personal data stored in the cloud, data subjects enjoy the same rights afforded under the PDPA, including:
In principle, data subjects may exercise such rights at their discretion; however, certain legal restrictions may apply in specific contexts. For example, pursuant to Article 70 of the Medical Care Act, medical institutions are required to retain medical records for a minimum of seven years, during which period the data subject’s right to request deletion is correspondingly limited.
To exercise such rights, a data subject may submit an application to the cloud service provider pursuant to the PDPA or other applicable special laws. Under Article 13 of the PDPA, the cloud service provider must decide whether to approve or deny requests for inquiry, inspection or copies within 15 days of receipt, and must decide on other types of requests within 30 days.
Taiwan currently lacks specific statutes or regulations governing cloud data portability. Consequently, the ability to transfer cloud data between different service providers is primarily determined by the terms set forth in the individual cloud service agreements, as well as by the technical capabilities of the respective providers.
Cloud service providers should implement data retention and deletion policies in strict compliance with the PDPA.
Where a cloud service provider maintains personal data files, it must – pursuant to Article 27 of the PDPA – adopt and maintain appropriate security measures to prevent unauthorised theft, alteration, damage, loss or disclosure of such personal data.
Furthermore, under Article 11(3) of the PDPA, when the specific purpose for which the personal data was collected no longer exists, or when the applicable retention period has expired, the cloud service provider must – either proactively or upon request by the data subject – delete the personal data or cease processing or using such data.
In addition, for certain regulated sectors (including financial institutions and digital economy-related operators, such as cloud service providers), after deleting, ceasing to process or use, or transferring personal data, the operator should retain records and relevant evidence of such actions for a minimum period of five years. Such records shall include, without limitation, the reasons for, methods of, timing and location of the deletion, cessation of processing or use, or transfer of the personal data.
The PDPA does not establish a dedicated due diligence regime specifically for the selection of cloud service providers. Nonetheless, for purposes of information security protection, competent authorities and industry trade associations have issued reference guidelines and self-regulatory rules governing the use of cloud services within certain regulated sectors (primarily financial institutions and government agencies), thereby prescribing due diligence procedures. Examples include the following.
Finance Industry
Where a financial institution (such as a bank, credit co-operative or bills finance company) outsources a material consumer finance information system to an offshore cloud service provider, it must – pursuant to Article 18 of the Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation – obtain prior approval from the Financial Supervisory Commission (FSC). The institution is required to:
Security testing of information systems must meet or exceed the standards prescribed by the competent authority or the Bankers Association. Additionally, the institution should conduct at least one general audit and one special audit annually, and should submit the cross-border outsourcing audit report to the board of directors (or board of supervisors, as applicable) within four months following the end of each fiscal year.
Regarding the items covered for due diligence, under the Self-Regulatory Rules for Financial Institutions’ and Insurance Companies’ Outsourcing to Use Cloud Services, banks and insurance companies that are members of the relevant associations must conduct due diligence and periodic reviews of cloud service providers, with audit frequency determined based on risk. Such reviews should address, inter alia:
Securities and Futures Industry
The FSC has issued information security control guidance applicable to securities and futures enterprises utilising cloud services. Such enterprises are required to perform due diligence on cloud service providers, assessing (among other factors):
Government Agencies
When a government agency procures or utilises cloud services, it must comply with the following additional requirements.
Data Protection Requirements
As a general principle, a cloud service provider – even when acting solely as an “entrusted party” (ie, a data processor) in relation to the collection, processing or use of personal data – must, pursuant to Article 4 of the PDPA, bear the same statutory obligations as the entrusting party (ie, the personal data controller or the user of cloud services) under the PDPA. The cloud service provider may collect, process or use personal data only within the scope of the entrusting party’s instructions.
Furthermore, under Article 8 of the Enforcement Rules, the user of the cloud service (the “entrusting party” – ie, the personal data controller) is required to exercise appropriate supervision over the cloud service provider (the “entrusted party” – ie, the processor). Such supervisory measures should include, but are not limited to:
In addition, the user of the cloud service should periodically verify the cloud service provider’s compliance with such obligations and maintain records of such verification.
Measures to Ensure Compliance With Data Privacy Regulations
In addition, for banks, credit co-operatives, bills finance companies and insurance companies utilising cloud services, the following enhanced oversight measures should be implemented to ensure that the cloud service providers’ collection, processing or use of customers’ personal data fully complies with the PDPA.
The PDPA does not explicitly prescribe the specific content requirements for data-processing agreements. However, when banks, credit co-operatives, bills finance companies or insurance companies outsource data processing to a cloud service provider, the outsourcing contract must include the following provisions, at a minimum:
Under applicable self-regulatory rules, financial institutions and insurance companies must, prior to engaging a cloud service provider, incorporate in their contracts comprehensive exit mechanisms to be implemented upon termination of the cloud outsourcing arrangement. Such mechanisms must include, but are not limited to, the following provisions.
Migration Planning
Specification of an appropriate and effective method for migrating systems and data, either back to the institution or to an alternative cloud service provider.
Data Deletion and Record Retention
Assurance that, upon termination or migration, all data remaining within the cloud environment will be securely deleted, and that verifiable records of such deletion or destruction will be retained by the provider.
Responsibilities Regarding Data Handling Upon Termination
The outsourcing agreement with the cloud service provider must explicitly define the obligations and responsibilities concerning data management upon termination of the service. This includes the secure return, deletion or transfer of data, ensuring compliance with applicable laws and protecting the confidentiality and integrity of all information involved.
Contractual Migration Obligations and Liability for Service Interruptions
Clear contractual provisions requiring the original cloud service provider to facilitate system migration and proper data handling during the transition to another provider or repatriation to the institution, together with defined liability for any service interruptions arising from such processes.
General Rules Under the PDPA
Private-sector entities designated by the competent authority (such as financial institutions, insurance companies and digital economy-related industries, including cloud service providers) are required to establish a Personal Data File Security Maintenance Plan in accordance with applicable regulations. In the event of a personal data breach, such entities must notify the competent authority in the prescribed manner and within the specified timeframe, typically within 72 hours, as mandated by their respective competent authorities.
Failure to formulate and implement a Personal Data File Security Maintenance Plan as required shall subject the entity to administrative fines pursuant to Article 48(2) of the PDPA. Such fines, imposed by the central competent authority overseeing the relevant industry or by the municipal, county or city government, range from TWD20,000 to TWD2 million (approximately USD670 to USD66,670). The entity will also be ordered to rectify the violation within a specified period. Should the entity fail to comply within the allotted time, repeated fines ranging from TWD150,000 to TWD15 million (approximately USD5,000 to USD500,000) per instance may be imposed.
For the avoidance of doubt, since the PDPA does not explicitly impose a statutory obligation to notify upon a personal data breach, competent authorities may not impose penalties solely for failure to notify under the “appropriate security measures” stipulated in the Personal Data File Security Maintenance Plan.
The Cybersecurity Management Act (for Government Agencies and Critical Infrastructure Providers)
Agencies or enterprises designated by the competent authority as critical infrastructure providers (including but not limited to those in energy, water resources, telecommunications and broadcasting, transportation, finance and emergency services industries, as well as hospitals, central and local government agencies, and science parks) must notify the central competent authority of any cybersecurity incident within one hour of becoming aware of the event, using the method prescribed by the central competent authority.
Failure by a designated non-public entity to provide timely notification may result in an administrative fine ranging from TWD300,000 to TWD5 million (approximately USD10,000 to USD166,670), along with an order to correct the violation within a specified timeframe. Continued non-compliance may lead to the imposition of consecutive fines.
Material Information Disclosure by Listed Companies
When a listed company experiences a cybersecurity incident that causes material damage or materially impacts the company, such incident must be disclosed as material information. The competent authority interprets “cybersecurity incident” to include hacking, intrusion, damage, alteration, deletion, encryption, theft or (distributed) denial-of-service (DoS/DDoS) attacks targeting information systems, official websites or other digital assets, resulting in operational disruption, service unavailability, or risk of leakage of personal data or internal documents.
The listed company is required to submit the relevant information or explanation through the designated online information-reporting system no later than two hours before the commencement of trading hours on the next business day following the incident.
In cases of serious violations, the listed company may be subject to liquidated damages of up to TWD5 million (approximately USD166,670) and must complete the required filing. Failure to comply within the specified timeframe may result in repeated fines.
Digital-related industries, including cloud service providers, should maintain comprehensive post-incident response, notification and preventative measures to address security incidents involving the theft, alteration, damage, loss or unauthorised disclosure of personal data.
Investigation Procedure for Personal Data Incidents
Information service providers (including cloud service providers) are guided by MODA’s Reference Guidelines for Implementation of Personal Data Protection and Information Security by the Information Service Industry, which recommend investigating incidents through log reviews to identify anomalous IP addresses, and conducting security assessments such as source-code reviews, penetration testing, vulnerability scanning and intrusion path analysis to determine the root cause of such incidents. Service providers should concentrate investigative efforts on their own systems and websites and provide assistance to customers in their investigations as necessary.
Immediate Remedial Measures Upon Occurrence of a Data Breach
Immediate remedial measures for ongoing personal data incidents may include malware detection and engagement with cybersecurity experts to perform digital forensic analyses aimed at identifying and eradicating malicious code (eg, viruses, trojans) to prevent further damage. If the scope of harm is significant, it may be necessary to temporarily suspend operations of system servers implicated in the data breach. Additionally, baseline containment measures should be promptly implemented, such as restricting access from foreign IP addresses and tightening customer account access controls.
Post-Incident Remediation and Preventative Measures
The following post-incident measures are recommended to eliminate vulnerabilities and prevent similar incidents in the future.
Strengthening information security controls
Upon identifying the root cause of an incident, vulnerabilities should be eliminated and system defences should be enhanced either at a detailed level or comprehensively – eg:
If the root cause remains undetermined, client-side improvements may include:
For the provider’s own systems, defence-in-depth measures may be implemented across the platform to mitigate both intermittent and persistent malicious network attacks.
Adjusting personal data processing practices
The following measures may be considered:
Reassessing allocation of security responsibilities with customers
Evaluation should be conducted to determine whether customers can bear the costs of security protection, and contractual allocations of security responsibilities may be accordingly renegotiated. If a customer is unable to meet the required security standards, non-renewal of the contract may be considered to avoid imposing excessive risk on the information service provider.
Notification of Data Subjects
In the event that a government agency or private-sector entity violates the PDPA, resulting in the theft, leakage, alteration or other infringement of personal data, the responsible party should, upon ascertaining the relevant facts, notify the affected data subjects by appropriate means. Such “appropriate means” may include oral or written notice, telephone call, text message, email, facsimile, electronic document or any other method reasonably determined to effectively inform the data subjects.
Where direct notification would impose undue cost, and after considering technical feasibility and the need to protect privacy, notification may instead be made by public announcement through the internet, media outlets or other suitable public channels.
Notification of Competent Authorities
Private-sector entities designated by competent authorities to implement personal data security maintenance plans should, upon the occurrence of a personal data security incident, notify their competent authorities in accordance with the prescribed procedures and within the timeframe mandated by the industry-specific regulations.
For instance, entities operating within the digital economy sector, the financial industry, and certain co-operatives and civil associations are required to submit the designated notification form to their competent authorities within 72 hours of becoming aware of the incident. Such notification must include, at minimum:
Co-Ordination of Notifications With Cloud Service Providers
The data controller retains ultimate responsibility for all notifications related to personal data incidents. Pursuant to Article 8 of the Enforcement Rules of the PDPA, where a private-sector entity entrusts a cloud service provider with the collection, processing or use of personal data, the entrusting party must exercise proper supervision over the provider. The outsourcing agreement or related contractual arrangements should explicitly require that, upon becoming aware of any data breach or leakage incident, the cloud service provider promptly notify the private-sector entity and co-operate fully in informing the competent authority, as required by law.
Definition of International Data Transfers/Transmissions
Pursuant to Article 2, subparagraph 6 of the PDPA, “international transfer/transmission” refers to the cross-border processing or use of personal data. Examples include:
Regulation of International Data Transfers/Transmissions
Pursuant to Article 21 of the PDPA, the international transfer or transmission of personal data is generally permitted. However, the central competent authority overseeing the relevant industry is empowered to impose restrictions on such cross-border transfers by non-public entities under certain specified circumstances, including:
Notably, current practical restrictions on cross-border data transmissions predominantly target transfers of specified data to Mainland China.
Data Protection Requirements in International Data Transfer Agreements
Certain sectors impose more stringent requirements on cross-border data transfers. For instance, when financial institutions and insurance companies engage cloud service providers to process or store personal data, such institutions retain the right to designate the locations of data processing and storage. Moreover, when customer data is stored offshore, such institutions must ensure that the personal data protection laws of the foreign jurisdiction provide protections that are no less stringent than those mandated under Taiwan law.
Although the PDPA does not explicitly mandate data localisation requirements for cloud computing, competent authorities have implemented administrative rules and regulations that effectively impose localisation requirements in certain sectors – for example, as follows.
Healthcare Industry
Pursuant to Article 15 of the Human Biobank Management Act, data contained within a human biobank may only be transferred internationally with prior approval from the competent authority. Additionally, Article 8 of the Regulations Governing the Preparation and Management of Electronic Medical Records by Healthcare Institutions stipulates that, when a medical institution utilises cloud services or engages a service provider to deliver cloud services for the collection, processing or use of system data, the physical locations for data access, back-up, redundancy and temporary storage must, in the absence of approval from the Ministry of Health and Welfare, be located within Taiwan. Moreover, the cloud service provider must not be an entity invested in by a PRC investor.
Financial Industry
When a financial institution (including banks, credit co-operatives, bill finance companies and credit card issuers) entrusts a cloud service provider to process customer data involving material consumer finance information, the storage of such customer data must, as a general rule, be located in Taiwan. In cases where data storage occurs offshore, important customer data must be backed up within Taiwan unless otherwise authorised by the competent authority. Comparable localisation and back-up requirements apply to electronic payment institutions and insurance companies.
Government Agencies
For government agencies, the physical locations for data access, back-up and redundancy related to agency cloud data must not be situated within the territory of Mainland China, including Hong Kong and Macao. Furthermore, data must not be transmitted into, out of or through such territories.
Principles of Conflicts of Law
Under the PDPA’s territorial scope, the Act applies to the collection, processing and use of personal data conducted within Taiwan, regardless of whether the cloud service provider is located domestically or abroad. With respect to governing law and international jurisdiction in disputes arising from cross-border data transfers, the Act Governing the Choice of Law in Civil Matters Involving Foreign Elements does not provide explicit guidance on the matter. In such cases, Taiwan courts will consider multiple factors, including:
In doing so, courts balance considerations of substantive fairness, procedural convenience and judicial economy to determine whether they have jurisdiction. To mitigate potential jurisdictional disputes, parties are strongly advised to expressly stipulate the governing law and forum selection in their contractual agreements. For instance, the Executive Yuan’s model procurement contract for government cloud services designates Taiwan law as the governing law and specifies the court located in the government agency’s jurisdiction as the court of first instance.
Risks and Challenges
Given the diversity in economic and social structures and privacy norms across jurisdictions, cross-border cloud data transmissions often encounter regulatory frictions where domestic and foreign legal regimes diverge. In the absence of harmonised privacy standards, there is a risk of increased restrictions on cross-border data transfers. This, in turn, will elevate the costs for enterprises in delivering related services. Conversely, unrestricted data transfers to third countries lacking adequate data protection may incentivise parties to circumvent more stringent regulatory regimes.
Challenges arising from cross-border data transmissions cannot be adequately addressed solely through assertions of domestic jurisdiction. When personal data transmitted offshore is misused or inadequately protected, affected data subjects frequently face significant obstacles in asserting their rights. Such cases typically involve complex issues of international jurisdiction, characterisation of tort claims, and choice of law. Moreover, even after securing a favourable judgment, the recognition and enforcement of foreign judgments in another jurisdiction remain uncertain and pose potential legal risks.
Scope and Obligations Under the PDPA
The PDPA broadly imposes audit-related obligations on both public agencies and non-public bodies to safeguard personal data against theft, alteration, damage, loss or unauthorised disclosure. These obligations include the formulation of a Personal Data File Security Maintenance Plan, the periodic evaluation of the plan’s implementation, and the issuance of corresponding assessment reports.
Furthermore, competent authorities (including, without limitation, the FSC, the National Communications Commission, the Overseas Community Affairs Council and the Mainland Affairs Council) have, pursuant to the PDPA, promulgated detailed model Personal Data File Security Maintenance Plans and post-termination handling procedures. These authorities have also issued Personal Data Security Audit Checklists to guide regulated entities in complying with their obligations.
Recommended Audit Items for Cloud Environments
Pursuant to Article 12 of the Enforcement Rules of the PDPA, audit focus areas for cloud environments should encompass:
Specific audit items include, but are not limited to, the following:
Internal Audits by Non-Public Bodies
In implementing their security plans, non-public bodies are required to designate personnel possessing expertise in legal, accounting and information security fields to conduct internal audits. Key measures should include the following.
External audits conducted by independent third parties (such as certification under ISO/IEC 27001) may also be utilised to demonstrate compliance.
Audit Report Requirements
Audit reports must, at a minimum, include:
Such reports should be submitted to the designated auditing unit, which, depending on applicable sectoral regulations, may include the company’s board of directors and/or the relevant competent authority, for purposes of tracking and monitoring corrective actions.
Penalties for Non-Compliance
Where a non-public body maintaining personal data files fails to implement appropriate security measures to prevent theft, alteration, damage, loss or unauthorised disclosure of personal data, or fails to comply with its Personal Data File Security Maintenance Plan or its post-termination personal data handling procedures, administrative fines may be imposed pursuant to Article 48 of the PDPA. Such fines range from TWD20,000 to TWD2 million (approximately USD670 to USD66,670). In cases of serious violations, or where corrective actions are not completed within the timeframe specified by the competent authority, repeated fines ranging from TWD150,000 to TWD15 million (approximately USD5,000 to USD500,000) per instance may be levied.
Taipei Office: 8F, No 555, Sec 4 Zhongxiao E Rd, Taipei 110055, Taiwan ROC
Hsinchu Office: 5F, Science Park Life Hub, No 1 Industry E 2nd Rd, Hsinchu Science Park, Hsinchu 300091, Taiwan ROC
Tel: +886 2 2763 8000
Fax: +886 2 2766 5566
attorneys@leeandli.com
www.leeandli.com/EN