The Privacy, Data Protection and Cybersecurity Law Review: Taiwan
i Primary legislation
Taiwan takes an omnibus approach to the protection of personal data. The Computer-Processed Personal Data Protection Act (CPDPA) was promulgated in 1995 and regulated the computer processing of personal data by governmental and non-governmental entities. In 2004, the grand justices held in Judicial Yuan Grand Justice Judicial Interpretation No. 585 that the right to privacy is a fundamental right indispensable to human dignity, individual subjectivity and personality development, and is therefore protected by the Constitution. In 2005, the grand justices further held in Judicial Interpretation No. 603 that the government may collect people's private information (e.g., fingerprints) only when:
- such collection is in consideration of a specific significant public interest;
- the purpose of such collection is specified by law;
- such collection is necessary and closely related to the achievement of a significant public interest; and
- the use of such information shall not exceed the scope of the statutory purpose.
Consistent with these interpretations, the CPDPA was amended and renamed the Personal Data Protection Act (PDPA) in 2010 and, along with its enforcement rules, became effective on 1 October 2012. Under the PDPA, the scope of regulation is no longer limited to computerised processing of personal data but applies to all entities (government and non-government, foreign and domestic) that collect, process or use personal data within the territory of Taiwan. Moreover, the PDPA limits the disclosure of personal data to specific circumstances, such as responding to a government request where the disclosure procedure meets the applicable requirements and the use of the data does not exceed the scope of the purpose. In addition to the PDPA, the central competent authorities of the various industries have promulgated additional regulations implementing and interpreting the PDPA.
As for cybersecurity, the Cyber Security Management Act (CSMA) serves as a standard for cybersecurity plans. The National Communications Commission (NCC) provides the regulations governing the security of personal data collected by telecom enterprises in the telecommunications industry. According to the CSMA, the competent industrial authorities may also require non-governmental agencies to implement cybersecurity protection plans.
In terms of the restrictions on government surveillance, the Communication Security and Surveillance Act (CSSA) defines the scope of government surveillance powers and the procedural requirements.
ii Regulatory authorities
The National Development Council (NDC) became the governing authority of the PDPA on 25 July 2018, replacing the Ministry of Justice. While the NDC is in charge of interpreting the PDPA, there is no single enforcement authority. Instead, the PDPA is enforced by the central competent authorities in charge of the industries concerned (industry authorities) or by the municipality, city or county governments concerned. To further cooperation among the central competent authorities, the NDC founded the Personal Data Protection Office in 2018 as an interdepartmental agency, which is also tasked with initiating negotiations with the EU on the adequacy decision requirements under the GDPR.
iii Privacy advocates
The two main advocates of the right to privacy in Taiwan are:
- the Data Protection Association of the Republic of China, a non-governmental organisation that promotes personal data privacy, development and improvement of data security technology, and data security services; and
- the Taiwan Association for Human Rights, a non-governmental organisation that focuses on issues related to human rights, including privacy rights, and promotes personal data protection by monitoring regulatory developments, commenting on proposed legislation and advocacy.
iv Integration with international standards
As a member of the Asia-Pacific Economic Cooperation (APEC), Taiwan has joined the APEC cross-border privacy rules (CBPR) system to promote cross-border information exchange and personal data protection in the Asia-Pacific region.
The year in review
Since the onset of the covid-19 pandemic, there have been significant controversies surrounding the protection of personal data collected for pandemic control and contact tracing, the most notable concerning the contact information collected when citizens enter public spaces.
i Measures for contact information collection enacted by the government2
The Central Epidemic Command Center (CECC) promulgated the COVID-19 Response Guidelines: Measures for Contact Information Collection on 28 May 2020, stating that government and non-government agencies must follow the Guidelines when collecting contact information, including, but not limited to, the following:
- when collecting personal data, the agencies should clearly inform the data subjects according to the requirements of the PDPA. Further:
- the purpose of the personal data collected is to be limited to pandemic control and may not be used for any other purpose;
- the type of personal data collected should be the least intrusive (e.g., telephone numbers);
- the personal data collected may be retained for only 28 days from the date of collection, after which it must be deleted, and collecting agencies shall keep a record of the data deleted and the date of deletion; and
- when necessary to thwart the spread of the pandemic, the collected data may be provided to public health authorities to be used in accordance with the Communicable Disease Control Act and other relevant guidelines for investigation or contact;
- agencies that collect, process or use personal data should ensure that the data is secure by taking appropriate technical and organisational precautions and appointing a dedicated person to take charge of data protection;
- agencies that collect contact information through information systems or apps should conduct a risk evaluation and take the necessary security precautions, ensuring that the system meets security standards; and
- the competent authorities and local governments should supervise non-government agencies, ensuring that they meet information protection standards pursuant to Article 22 of the PDPA.
ii Controversies surrounding the collection of contact information
With the increasing spread of covid-19, on 19 May 2021, Taiwan launched a system to collect contact information digitally instead of on paper. While digital collection is also subject to the above guidelines (i.e., the data is to be used by the CECC for pandemic control purposes only), a judge recently pointed out that the police have used the collected contact information for criminal investigations: after obtaining, through the CSSA, the text messages containing movement and contact information from telecommunications companies, the police used this information to trace the locations of suspects. Even though the CECC has asked the police not to use the contact information in this way, the CECC's system remains highly controversial, as it allows the government to surveil the movements of citizens, in violation of their right to privacy, by using personal data collected for a purpose other than epidemic control.
i Privacy and data protection legislation and standards
The PDPA defines personal data as:
a natural person's name, date of birth, national ID number, passport number, specific features, fingerprints, marital status, family information, education, employment, medical records, medical procedures, genetic information, sexual life, health examination information, criminal history, contact information, financial situation, social activities, and any other information that could be used directly or indirectly to identify an individual.
Medical records, genetic information, sexual life, health examinations and criminal records are sensitive personal data that may not be collected, processed or used without legal cause.
The scope of the PDPA covers government agencies and non-government agencies (i.e., natural persons, legal persons or other groups)3 with varying requirements on their collection, processing and use of personal data.
ii General obligations for data handlers
The general principles underlying the PDPA on the collection, processing and use of personal data are that these activities shall be carried out in a way that respects the data subject's rights and interests, in an honest and good faith manner, shall not exceed the necessary scope of the specified purposes, and shall have a legitimate and reasonable connection with the purposes of collection.4
Prior to collecting personal data, government and non-government agencies shall inform the data subject of:
- the name of the agency;
- the purpose of the data collection;
- the type of personal data they aim to collect;
- the time frame, territory, recipients and method of use;
- the rights under Article 3 of the PDPA5 and the methods for exercising such rights;
- for information provided directly by the data subject, data subjects' rights and interests that will be affected if they elect not to provide their personal data; and
- for information not provided by the data subject, the source of personal data.
For a government agency to collect or process personal data, it must have a specific purpose and the collection or processing must rest on one of the following bases: the personal data is within the scope necessary for the government agency to perform its statutory duties, the data subject's consent has been obtained, or the rights and interests of the data subject will not be infringed.
For a non-government agency to collect or process personal data, it must have a specific purpose and the collection or processing must rest on one of the following bases:
- express stipulation by law;
- a contractual or similar relationship with the data subject where proper security measures have been adopted to ensure the security of the personal data;
- the personal data was freely disclosed by the data subject or by another entity legally permitted to disclose the personal data;
- it is necessary for an academic institution to conduct statistical or academic research that benefits the public, and the personal data is processed by the provider or disclosed by the data collector in a way that cannot directly identify the data subject;
- consent of the data subject is obtained;
- it is necessary for the public interest;
- the personal data is obtained from publicly available sources, unless the data subject has an overriding interest and prohibits the processing and use of such data; or
- the rights and interests of the data subject will not be infringed.6
Furthermore, government agencies shall appoint dedicated personnel to implement security and maintenance measures, and non-government agencies shall implement proper security measures to prevent personal data from being stolen, altered, damaged, destroyed or disclosed.7 The industry authorities may further designate and order certain non-government agencies to establish a security and maintenance plan to protect personal data files and a guideline on disposing of personal data following a business termination.8
iii Data subject rights
Data subjects have the following rights with respect to their personal data, and these rights may not be waived or restricted by contract:9
- the right to inquire about and review their personal data;
- the right to request a duplicated copy of their personal data;
- the right to supplement or correct their personal data;
- the right to discontinue collection, processing and use of their personal data; and
- the right to request the deletion of their personal data.
If a government or non-government agency violates the PDPA in collecting, processing or using personal data, data subjects may request the deletion of their personal data and that the agency stop processing and using their personal data.10
iv Specific regulatory areas
Aside from the PDPA, there are other regulations governing personal data in other fields. For example, the Employment Services Act (ESA) states that employers may not request job seekers or employees to surrender private information irrelevant to employment.11 In the medical field, all citizens are insured through national health insurance, and the use of personal data collected and stored on national health insurance cards is governed by the Regulations Governing the Production and Issuance of the National Health Insurance IC Card and Data Storage.
v Technological innovation
In recent years, the government has been developing regulations and pilot plans for technology industries, including those involving personal data and cybersecurity, such as the following:
- In September 2019, the Ministry of Science and Technology established the AI Technology R&D Guidelines for technological researchers, which requires artificial intelligence (AI) researchers to adhere to relevant regulations on the collection, processing and use of personal data and implement appropriate safeguards for data storage in AI systems to protect the dignity and rights of individuals.
- The Unmanned Vehicles Technology Innovative Experimentation Act, announced on 19 December 2018, requires participants in the regulatory sandbox to adopt appropriate and sufficient data security measures during the period of innovative experimentation to ensure the security of data collection, processing, use and transmission, and to comply with the provisions of the PDPA.
- The Guideline on the AI application service pilot using the National Health Insurance Database, announced on 4 June 2019, allows government agencies and academic institutions to apply to collect, process and use data from the National Health Insurance Database, such as de-identified computed tomography and magnetic resonance imaging scans, for AI algorithm development and modelling.
International data transfer and data localisation
As mentioned above, Taiwan is a member of APEC, and Taiwan officially became a member of the CBPR system on 23 November 2018. Under this system, a total of 15 personal data-competent authorities from Taiwan joined the APEC Cross-Border Privacy Enforcement Arrangement (CPEA),12 strengthening information sharing and cooperation in privacy investigations and enforcement with other member institutions. Furthermore, in June 2021, Taiwan's Institute for Information Industry formally became an accountability agent for the CBPR and will assist and certify that domestic companies implement their privacy policies and practices in compliance with the requirements under the CBPR system.
The PDPA does not restrict the cross-border transfer of personal data unless otherwise restricted by the central competent authorities. According to the PDPA, central competent authorities may impose restrictions on the cross-border transfer of personal data in the following cases:
- when it involves major national interests;
- when an international treaty or agreement so stipulates;
- when the receiving nation lacks adequate regulations on personal data protection that may harm the rights and interests of the data subjects; or
- when the transfer of personal data to a third country (region) is to circumvent the PDPA.
To date, the only cross-border restriction is an order issued by the NCC on 25 September 2012 prohibiting communications enterprises from transmitting personal data to mainland China, on the ground that the laws and regulations on personal data in that area are insufficient to protect data subjects.
To strengthen administrative supervision, the central competent authority or local governments may authorise investigators to inspect non-governmental entities when they deem it necessary to supervise international information transmission or they suspect illegal activities.
Company policies and practices
Thirty-eight industries have been designated by industry authorities to set up a security and maintenance plan for the protection of personal data files, including the financial industry, the telecommunications industry and the human resources agency industry. For example, companies in the financial industry13 and the telecommunications industry14 are required to adhere to the following regulatory measures:
- establish and implement a security plan for protecting personal data;15
- establish a procedure for managing personal data;16
- establish emergency measures to protect personal data in the event of a security incident;17 and
- establish a procedure for storing relevant records and evidence.18
Organisations in other industries are required to implement similar regulatory measures as stated above.
Collection and use of employee and potential employee information
An organisation's collection of personal data from employees or potential employees should adhere to the PDPA and the ESA and its enforcement rules. As a general principle, employers shall respect the rights of employees and potential employees and refrain from overstepping the scope necessary for economic demands or public interest and limit the use of such data in a manner reasonably relevant to the organisation's goal.19 For example, under the ESA, when an organisation needs to conduct background checks of applicants for potential employment, the organisation may not request private information that is irrelevant to the purpose of employment or withhold applicants' identification cards, work certificates or any other certifying documents without the employee's consent.20
Discovery and disclosure
i Entities disclosing personal data at the request of the government should still follow the PDPA
A non-government agency providing personal data at the request of a government agency constitutes a use of personal data 'for a purpose other than the purpose the data was collected for', as stipulated in the PDPA, in which case the use is limited to the following circumstances:
- it is explicitly allowed by the law;
- it is necessary for the public interest;
- it is to prevent harm to a data subject's life, body, freedom or property;
- it is to prevent significant harm to the rights and interests of others;
- it is necessary for government agencies and academic institutions to conduct statistical and academic research that benefits the public, and the personal data is processed by the provider or disclosed by the data collector in a way that may not directly identify the data subject;
- the consent of the data subject is obtained; or
- it is in the interest of the data subject.
ii Presentation of civil litigation documentary evidence
Taiwan does not have a discovery procedure in civil litigation. Relevant documents identified as documentary evidence should be produced by the parties involved,21 or a party may request the court to order the opposing party or a third party to produce such documents.22
If the contents of a document a party is obligated to produce include the privacy or trade secrets of the party or of a third party, the disclosure of which may cause significant harm, the party may refuse to produce that content. To determine whether the party has a justifiable reason to refuse production, the court may, if necessary, order the party to produce the document and examine it in private.23
Judgments or rulings of a foreign court that request a person in Taiwan to produce documents will automatically be recognised in Taiwan unless one of the circumstances set forth in Article 402, Paragraph 1 of the Code of Civil Procedure exists.24 However, a foreign judgment must first obtain a judgment of approval in accordance with Article 4-1, Paragraph 1 of the Compulsory Enforcement Act before compulsory enforcement may be requested from Taiwan's courts.
iii Communication surveillance for national security and major crimes
The CSSA was enacted in 1999 and revised on 23 May 2018 to protect the freedom of private communication and privacy, ensure national security and maintain social order.25 It stipulates that the government may only engage in communication surveillance where it is necessary for ensuring national security and maintaining social order.26
Police and prosecutors must obtain an interception warrant from courts to monitor telecommunications, emails, letters, speeches and conversations in a criminal investigation. An interception warrant may only be issued for the investigation of major crimes with a minimum sentence of three years or above, or other specified crimes that threaten national security or the socioeconomic order, where it is reasonable to believe the contents of the monitored telecommunication are relevant to the case, and such contents are difficult or impossible to obtain elsewhere.27
With respect to communication surveillance to collect intelligence of foreign forces or hostile foreign forces, an interception warrant is issued by the head of the National Security Bureau, and the information obtained from such surveillance may only be used for national security unless it fulfils the requirements for criminal communication surveillance.28
There are limitations to how the communication surveillance is conducted and how the information is used. For example, permissible communication surveillance does not include setting up tapping devices, video recording equipment or other monitoring equipment in private dwellings.29 Further, recorded content clearly unrelated to the purpose of the surveillance may not be transcribed. Finally, information obtained according to the CSSA may not be provided to other institutions, groups or persons unless otherwise stipulated by law.30
The CSSA also states that the police or prosecutors must request an access warrant from the court to obtain user information and communication records from telecommunication services and that the crime being investigated must have a minimum sentence of three years or above, and that there are facts supporting the belief that such user information and communication records are necessary and relevant to the case.31
Public and private enforcement
i Enforcement agencies
There is no single competent authority that oversees the enforcement of the PDPA. Instead, the PDPA is enforced by the industry authorities or the municipality, city or county governments concerned. When such entities deem it necessary or suspect any possible violation of the PDPA, they have the right to conduct a compliance inspection, during which professionals in the field of information technology, telecommunications or law may accompany the inspectors.32
In the event that a non-government agency violates the PDPA, the industry authorities or the municipality, city or county government concerned may impose fines on the non-government agency per the PDPA and may also enforce the following corrective measures:
- prohibit the collection, processing or use of the personal data;
- order the erasure of the processed personal data and personal data files;
- confiscate or order the destruction of the unlawfully collected personal data; and
- disclose to the public the violation of the non-government agency, the name of the non-government agency and its responsible person or representative.33
The corrective measure must be within the scope necessary to prevent and remedy the violation of the PDPA and do the least harm to the rights and interests of the non-government agency concerned.34 Further, the non-government agency may file an administrative lawsuit against the acts of inspection or corrective measures.
ii Recent enforcement cases
Nanshan Life Insurance Co, Ltd failed to meet internal standards on managing system development and did not adequately assess and test for information security and personal data protection, and was thus fined NT$600,000 on 29 April 2021.35
Fujitec Insurance Brokers Co, Ltd failed to meet internal standards for information security by transmitting personal data without encryption and failing to inform subjects about their use of personal data and was thus fined NT$900,000 on 18 September 2020.36
Taiwan Insurance Co, Ltd did not plan drills for personal data breach incidents and was thus fined NT$600,000 on 3 June 2019.37
iii Private litigation
Compared to other jurisdictions, there are relatively few cases in Taiwan where private plaintiffs have claimed damages due to personal data violations (including personal and class action suits). There have been no leading cases in the past two years that may set important precedents.
Considerations for foreign organisations
Foreign entities must comply with the PDPA when collecting, processing and using personal data within Taiwan's borders.38 If the foreign entity does not have an establishment in Taiwan (such as a branch), the PDPA will apply to the natural person, such as an employee, who actually engaged in the collection, processing or use of the personal data in Taiwan.39
As mentioned in Section IV, and subject to the restrictions noted therein, cross-border transfer of personal data is generally permissible as long as the collection, processing and use of the personal data is lawful. There is therefore no requirement that personal data be stored exclusively in Taiwan, and personal data may, subject to limited exceptions, be transferred outside Taiwan.
Cybersecurity and data breaches
The CSMA was enacted on 6 June 2018 to proactively promote national information security policies, create a safe environment in the country and defend the public interest. The CSMA, along with its sub-regulations, applies to government agencies40 and non-government agencies,41 as defined therein.
i Appointing a chief information security officer
Government agencies are to appoint a cybersecurity officer responsible for carrying out and overseeing the cybersecurity business of the agency.42 Specific industries are also required to have an information security supervisor; for example, enterprises in the banking industry must establish an information security specialised unit and appoint a supervisor who does not have a conflict of interest with their other duties.43
ii Information communication security
Government and non-government agencies are required to meet the cybersecurity responsibility level applicable to them under the CSMA and, taking into account the category, quantity and attributes of the information kept or processed and the scale and attributes of the information and communication system, to stipulate, amend and implement a cybersecurity maintenance plan.44 Security maintenance plans should include the following:45
- the goals and regulations of the information security policy;
- the organisation, persons in charge and budgeting plans;
- an inventory of the information and information communication system;
- a risk assessment of information communication security;
- a protocol for information security protection and control;
- mechanisms for notification, crisis management and rehearsal in the case of a security breach;
- an assessment of and response to information communication security;
- management of outsourced projects;
- testing for members of governmental agencies on information communication security; and
- a management and continuous improvement plan.
iii Implementation of personal data security
Central competent authorities may order non-governmental agencies to establish plans for maintaining the security of personal data files and for disposing of personal data after a business terminates.46 As of 6 July 2021, 38 industries had been designated to set up such plans and disposal methods.47 Companies in these industries are required to maintain and implement the following security measures:48 establish guidelines for the use of the various types of equipment and storage media, and appropriate measures to prevent data leakage when they are disposed of or repurposed; encrypt personal data that requires encryption when collecting, processing or using it; and take appropriate security precautions when a personal data file needs to be duplicated.
iv Mechanisms for notification and crisis management in the case of a security breach
In the case of a security breach, governmental and non-governmental agencies are required to notify their superior and supervisory institutions as well as the relevant competent authorities. In addition, governmental agencies must provide an investigative analysis report and an improvement plan to their superior and supervisory institutions. Non-governmental agencies are required to formulate appropriate methods of informing data subjects when their personal data is stolen, tampered with, damaged, destroyed or leaked. The notification to data subjects shall include the facts of the security breach, the response measures taken, and the number of an advisory service line.49 In the event of a significant security breach, the competent authority shall be notified.50
It is expected that Taiwan's legislators will amend the PDPA to harmonise it with international data privacy regulations. As mentioned in Section I, the Personal Data Protection Office was established to initiate negotiations with the EU on the adequacy decision requirements of the GDPR; it is still reviewing and consulting on the differences between the laws and regulations of Taiwan and the EU. Further, the NDC is concurrently preparing an amendment to the PDPA and, according to the open government national action plan approved by the Executive Yuan in February 2021, has stated that it will consider inserting provisions into the amendment to strengthen the protection of data subjects and to establish data protection impact assessments.
In terms of cybersecurity, an organisational reform bill of the Executive Yuan was submitted to the Legislative Yuan on 25 March 2021. The Executive Yuan plans to establish a Ministry of Digital Development to consolidate under one ministry the telecommunications, information, cybersecurity, network and broadcasting functions that are currently divided among various government agencies. It will also establish an Administration of Cyber Security and a Research Institute of Cyber Security tasked with ensuring the nation's information security.
1 Jaclyn Tsai is a co-founder and Elizabeth Pai and Jaime Cheng are senior of counsel at Lee, Tsai & Partners. The authors would like to thank Hannah Kuo, Jack Hsieh and Doris Hsu for their research and contribution to this chapter.
2 CECC guidelines for contact information based measures for COVID-19 to protect personal data and facilitate outbreak investigations. https://www.cdc.gov.tw/En/Bulletin/Detail/IIDyyLqebEgsqQTkb1dUxg?typeid=158 (last visited: 2021/07/12).
3 The PDPA recognises the terms government agency and non-government agency that collect, process or use personal data instead of data controller.
4 PDPA, Article 5.
5 PDPA, Article 16.
6 PDPA, Article 19.
7 PDPA, Article 18 and Article 27, Paragraph 1.
8 PDPA, Article 27 Paragraph 2.
9 PDPA, Article 3.
10 PDPA, Article 11.
11 ESA, Article 5.
12 The competent authorities that joined the CPEA are the Ministry of the Interior, Ministry of Foreign Affairs, Ministry of Education, Ministry of Justice, Ministry of Economic Affairs, Ministry of Transportation and Communications, Ministry of Labour, Council of Agriculture, Ministry of Health and Welfare, Ministry of Culture, Ministry of Science and Technology, Financial Supervisory Commission (FSC), Public Construction Commission, Fair Trade Commission and NCC.
13 Under the Regulations Governing Security of Personal Data Kept by Non-Governmental Agencies designated by the FSC, these non-government agencies include financial holding companies, the banking industry, the securities and futures industry, the insurance industry, the electronically stored value card industry, electronic payment institutions and other financial service industries approved by the FSC.
14 Under the Regulations Governing Security of Personal Data Kept by Non-Governmental Agencies designated by the NCC (which apply to non-government agencies including type 1 and type 2 telecommunications businesses, cable broadcasting and television system operators, cable television broadcasting systems, television businesses, direct satellite broadcasting businesses with over 3,000 subscribers, domestic news channels, satellite shopping channels, and other channel programme supplying businesses).
15 The Regulations Governing Security of Personal Data Kept by Non-Governmental Agencies designated by NCC, Article 3.
16 The Regulations Governing Security of Personal Data Kept by Non-Governmental Agencies designated by NCC, Article 5.
17 The Regulations Governing Security of Personal Data Kept by Non-Governmental Agencies designated by NCC, Article 4.
18 The Regulations Governing Security of Personal Data Kept by Non-Governmental Agencies designated by NCC, Article 6.
19 Enforcement Rule of the ESA, Article 1-1, Paragraph 2.
20 ESA, Article 5, Paragraph 2, Subparagraph 2.
21 Code of Civil Procedure Article 341.
22 Code of Civil Procedure Article 342, 343, 346 and 347.
23 Code of Civil Procedure Article 344 Paragraph 2.
24 Order of Judicial Yuan, Secretary-General, No 1070030760.
25 CSSA, Article 1.
26 CSSA, Article 2 Paragraph 1.
27 CSSA, Article 5.
28 CSSA, Article 7 and 10.
29 CSSA, Article 13, Paragraph 1.
30 CSSA, Article 18.
31 CSSA, Article 11-1.
32 PDPA, Article 22, Paragraph 1.
33 PDPA, Article 25, Paragraph 1.
34 PDPA, Article 25, Paragraph 2.
35 Nanshan Life Insurance Co, Ltd violated Implementation Measures for the Internal Control and Audit System of the Insurance Industry Article 6, Paragraph 1, Subparagraph 2. See the administrative sanctions of FSC, https://www.fsc.gov.tw/ch/home.jsp?id=96&parentpath=0,2&mcustomize=news_view.jsp&dataserno=202104290004&toolsflag=Y&dtable=News.
36 Fujitec Insurance Brokers Co, Ltd violated Article 8, Paragraph 27, Subparagraph 1 of Article 10, Paragraph 3. See the administrative sanctions of FSC, https://www.fsc.gov.tw/ch/home.jsp?id=131&
37 Taiwan Insurance Co, Ltd violated Article 10, Paragraph 3 of the Regulations Governing Security of Personal Data Kept by Non-governmental Agency, as designated by the FSC. See the administrative sanctions of FSC, https://www.fsc.gov.tw/ch/home.jsp?id=131&parentpath=0,2&mcustomize=
38 Reference in the letter of the Ministry of Justice No. 10100088140 dated 6 June 2013.
39 PDPA, Article 2, Paragraph 8.
40 Government agency is defined under CSMA, Article 3, Paragraph 5, as a central or local institution or legal person that exercises public power in accordance with the law, specifically excluding military and intelligence agencies.
41 Non-government agency is defined under CSMA, Article 3, Paragraph 6, and includes critical infrastructure providers, government-owned enterprises and government-endowed foundations.
42 CSMA, Article 11.
43 Implementation Rules of Internal Audit and Internal Control System of Financial Holding Companies and Banking Industries, Article 38-1.
44 CSMA, Article 10, and Article 16, Paragraph 2, and Article 17.
45 Refer to the Information Security Maintenance Plan of the Executive Yuan.
46 PDPA, Article 27, Paragraph 2.
47 See the Personal Data Protection Office of the National Development Council, https://PDPA.ndc.gov.tw/News.aspx?n=B1C4E8AEFEB6857C&page=2&PageSize=20.
48 The Regulations Governing Security of Personal Data Kept by Non-Governmental Agencies designated by the FSC, Article 9.
49 The Regulations Governing Security of Personal Data Kept by Non-Governmental Agencies designated by the FSC, Article 1, Paragraph 2 and 3.
50 The Regulations Governing Security of Personal Data Kept by Non-Governmental Agencies designated by the FSC, Article 6, Paragraph 2.