|
On 27 April 2010 the Legislative Yuan passed a bill to amend the Computer-processed Personal Data Protection Act, which is renamed as the Personal Data Protection Act (the "Act"). This has been the major overhaul of the legislation since its promulgation in 1994. The major amendments, which will take effect after their promulgation, include the following:
|
| |
|
l |
All public and private entities will be subject to the Act, and the license and registration requirements will be abolished.
|
| |
|
l |
"Personal data" will include passport number, medical history, genetic records, sex life, health check results, criminal records, contact information and any other information that may directly or indi-rectly identify a person. Unless otherwise specified in the Act, no person may collect, process or use the medical history, genetic records, sex life, health check results and criminal records of another. Even if it is permitted by the Act, the collection, processing or use must comply with the regulations set by the central competent authorities and the Ministry of Justice.
|
| |
|
l |
Whenever an entity collects personal data, it must inform the data subject about (i) its identity; (ii) the purpose of collection; (iii) how the collected personal data will be used; (iv) his/her rights; and (v) the consequences of his/her failure to provide the required personal data. If personal data is not provided by the data subject, an entity must inform the data subject of the source of the data before processing or using the data, in addition to the information described above. In principle, prior consent from the data subject is required for the use of his/her personal data. This requirement is exempted if the use relates to public interests or the information is available from the public domain and the interest to be protected is more important than the privacy of the data subject.
|
| |
|
l |
Depending on the gravity of a violation, damages of NT$500 to NT$20,000 may be claimed against a person for each violation of the Act even if the actual damage cannot be proved. If there is more than one victim in a single violation, the maximum damages would be up to NT$200,000,000. However, if the interests involved therein exceeds NT$200,000,000, the maximum damages would be increased correspondingly and the minimum damages of NT$500 per person for each violation will not apply. A victim may authorize a foundation or public-interest association to file a lawsuit against the violator on his/her behalf.
|
| |
|
The revised Act will take effect pursuant to the announcement of the Executive Yuan. After the Act takes effect, the entities must take proper measures to protect personal data against theft, loss, misuse, and unauthorized alteration, destruction, access and disclosure. In other words, the entities must set up rules to regulate the collection, processing and use of personal data to avoid legal liability.
|
| |
