The President Announced the Amendments to the Personal Data Protection Act
Ken-Ying Tseng/Roger Kai
On November 11, 2025, the President announced the Amendments to the Personal Data Protection Act (“PDPA”). The implementation date of the Amendments is yet to be determined by the Executive Yuan. The Amendments address the powers and responsibilities of the Personal Data Protection Commission (“PDPC”) after its establishment, enhance supervision of government agencies by requiring them to appoint a Data Protection Officer (this requirement has not been extended to the private sector), and add provisions for the PDPC to coordinate and cooperate with various other central competent authorities and local governments in regulating the private sector. From the perspective of the private sector, the following changes are worth noting:
1. Explicitly Establish the Requirement for Reporting Data Breach Incidents to the PDPC
The existing PDPA does not specify whether data breaches should be reported to the competent authorities. The Amendments expressly state that data breach incidents that meet certain reporting criteria must be reported to the PDPC. Furthermore, the Amendments explicitly require companies experiencing a breach to take immediate and effective contingency measures and maintain records. Specific details regarding the content, method, timeframe, and scope of such reports, along with contingency measures and record-keeping requirements, will be specified in subordinate regulations to be stipulated by the PDPC in the future.
2. Obligation of Notifying Affected Data Subjects
The Amendments continue to require companies to notify affected data subjects when a data breach incident occurs. However, a company will no longer be able to delay such notification on the grounds that the incident has not yet been inspected or that the company itself did not violate the PDPA in connection with the incident. Specific details for notifying affected data subjects will also be stipulated under subordinate regulations by the PDPC in the future.
3. Amendments to Administrative Inspection Regulations
In addition to adjusting the wording for administrative inspections, the Amendments specify that future administrative inspections will be initiated at the discretion of the PDPC, which will collaborate with central competent authorities and local governments to conduct these inspections.
4. Division of Powers Among Competent Authorities
In the future, the PDPC will serve as the central regulatory body for enforcing the PDPA. The Amendments state that the PDPC should request the Executive Yuan to announce that certain private entities, within six years after the establishment of the PDPC, shall still be regulated by their central sectoral regulators or municipal and local governments regarding certain matters under the PDPA. The central sectoral regulators will continue to establish the requirements for personal data file security maintenance plans or methods for processing personal data applicable to such private entities and may set stricter rules.
5. Stipulate Relevant Penalties
The Amendments specify penalties for non-government agencies that fail to report data breach incidents to the PDPC as required, or fail to establish or implement security maintenance measures or security maintenance plans. Furthermore, the PDPC may impose penalties directly without first ordering rectification.
6. Direct Administrative Litigation Against the PDPC’s Decisions
As the PDPC will be an independent agency, it shall not be subject to the direction or supervision of any other government agency unless otherwise provided by law. Therefore, any objection to an administrative action taken by the PDPC under the PDPA shall be filed in the form of a lawsuit pursuant to the administrative litigation procedures.
The Amendments include detailed provisions on the above matters. Our firm’s “Digital, TMT, and Data Privacy Practice Group” has extensive experience assisting companies in handling personal data protection issues. Should you require any assistance, please do not hesitate to contact our team of experts.