The Legislative Yuan passed the amendments to certain provisions of the "Personal Data Protection Act"

On October 17, 2025, the Legislative Yuan passed the amendments to certain provisions of the "Personal Data Protection Act" ("PDPA"), which are yet to be promulgated by the President.  The amendments primarily serve to align the PDPA with the establishment of the Personal Data Protection Committee ("PDPC") and grant the PDPC the relevant law enforcement powers.  In light of its role as an independent supervisory body for personal data protection in Taiwan, the amendments migrate the authority for "supervising personal data protection in non-governmental agencies" from other authorities to the PDPC.  Non-governmental agencies that did not previously have a clear supervisory authority will be the first to come under the PDPC's supervision.  For agencies that already had a designated supervising body, the amendments include transitional provisions to gradually shift supervisory authority to the PDPC, with the aim of establishing a unified regulatory system over time.  Additionally, the amendments introduce a supervision mechanism for government agencies, including provisions that require government agencies to assume personal data protection obligations, notify data subjects and report to competent authorities in the event of data breaches, establish oversight mechanisms, and appoint personal data protection officers.  These measures aim to close the previous regulatory gaps.  Furthermore, the amendments also impose additional personal data protection obligations on non-governmental agencies to strengthen Taiwan's overall personal data protection framework.

This article will not delve into the detailed regulations added for government agencies.  Instead, we would like to highlight, from the perspective of legal compliance for private enterprises (i.e. non-governmental agencies as defined under the PDPA), the important aspects of the amended provisions that should be noted:

  1. Obligation to Notify Data Subjects of Data Breaches:
    Before the amendment, if a non-governmental agency "violated the PDPA" and thus caused a data breach, it was required to notify the data subject "after the investigation was completed."  The amended provisions remove the existing requirements of "violating the provisions of PDPA" and "after investigation" and now require non-governmental agencies to notify the data subject as soon as they become aware of a data breach.  Therefore, in the future, non-governmental agencies cannot excuse themselves from this notification obligation by claiming they have not violated the law or that the incident is not yet fully investigated.
  2. New Obligation to Report Data Breaches to Competent Authorities:
    Before the amendment, the PDPA itself did not clearly specify whether non-governmental agencies were required to report data breaches to competent authorities.  Instead, this obligation was specified only under the sub-regulations, i.e. personal data file security and maintenance management regulations established by the competent authorities for specific industries.  The amended provisions explicitly require non-governmental agencies to report a data breach to the competent authority if it falls within certain reporting criteria.  Additionally, the amendments stipulate that non-governmental agencies must take corrective actions and maintain relevant records.  Failure to comply may result in a fine of up to NTD 200,000, with further penalties applied for each subsequent violation.
  3. Amendment to Administrative Inspections for Non-Governmental Agencies:
    The amended provisions add criteria for initiating administrative inspections by the competent authority and clearly define the inspection procedures.  According to the legislative explanation of the amendment, if the competent authority suspects that a non-governmental agency may be in violation of the law, or even if no clear violations are apparent but, based on an overall assessment of domestic and international personal data protection laws and cybersecurity measures, it deems it necessary to further investigate the agency's compliance with the PDPA and intervene with public authority, the competent authority may initiate an administrative inspection.  During the inspection, the competent authority can require the non-governmental agency to provide statements, necessary documents, data, or items, and cooperate with other required measures.  The authority may also send personnel to the agency's location for on-site inspection.
  4. New Provisions on the Transition of Authority to the PDPC:
  • Transitional Provisions for the Change in Supervisory Authority over Non-Governmental Agencies' Personal Data Protection Matters: To progressively centralize the supervisory authority over personal data protection matters for non-governmental agencies, transitional provisions have been added to address the shift in authority.  These provisions clearly outline the supervision and management of personal data protection for non-governmental agencies.  During the transition period, the PDPC will report to the Executive Yuan to announce a specific range of non-governmental agencies whose personal data protection matters will continue to be supervised by the relevant central competent authority or municipal or county/city governments.  Over time, the supervisory responsibilities will be gradually migrated to the PDPC.  Additionally, the relevant central competent authorities will continue to enforce the laws during the transition period, with accompanying regulatory measures.  Under these amended provisions, during the transition period, the relevant central competent authorities or municipal or county/city governments will continue to govern the personal data protection compliance of non-governmental agencies.  This includes conducting administrative inspections of non-governmental agencies' data protection practices.  Furthermore, the sub-regulations for certain specific industries, i.e. personal data security maintenance plans or methods for handling personal data after the termination of business for the applicable industries, will still be regulated by the respective central competent authorities for those industries, and such sub-regulations may impose stricter requirements based on the nature and needs of the relevant industries.
  • Handling of Administrative Remedies: Given that the PDPC is an independent agency, the amendments introduce a provision that individuals who disagree with administrative sanctions imposed by the PDPC under the PDPA may file an administrative lawsuit directly.  In relation to the first bullet of point 4 above, for administrative sanctions imposed by the relevant central competent authorities during the transition period under the PDPA, individuals who disagree with these sanctions should file an appeal with the PDPC.  Furthermore, for administrative sanctions imposed under the PDPA before the amendments come into effect, if an individual disagrees with such sanctions and files an appeal after the amendments take effect, the appeal should be submitted to the PDPC.  However, appeals that were already in progress before the amendments come into effect but had not yet been concluded will continue to be handled by the original authority that received the appeal, in accordance with the Administrative Appeal Act, until the case is concluded.

Note: The above content is based on related documents published on the Legislative Yuan's website.  The official version should be referred to in the Legislative Yuan's official gazette.

(This article was originally written in Chinese; the Chinese version can be found here.)
