
Computer-Processed Personal Data Protection Act

by WP

Robin Winkler

The following is an unofficial English translation of Taiwan’s Computer-Processed Personal Data Protection Act. The Chinese original may be found here. The Act was promulgated in 1995 and has not been amended despite significant technological and social changes in the interim.
It should be noted that over the past decade, the Ministry has used its power under Article 19-3 to list a number of industries as subject to the Act. These include real estate agencies, certain classes of retailers, and employment agencies. As with most such legislation, there is also a set of important Enforcement Rules that govern many of the practical aspects of how the Act is administered.

Chapter I General Provisions
Article 1
This Act is enacted for the purposes of regulating Computerized Processing of Personal Data, preventing infringement on rights of personality, and promoting fair Use of Personal Data.
Article 2
Protection for Personal Data shall be in accordance with the provisions of this Act; provided, where there are [relevant] provisions in other laws, the provisions of such laws shall apply.
Article 3
In this Act the following terms shall be defined as follows:

  1. “Personal Data” means a natural person’s name, date of birth, national identification number, special features, fingerprints, marital, family, education, occupation, health, medical history and financial status, social activities and other data which is sufficient to identify that person.
  2. “Personal Data File” means a set of Personal Data stored in electromagnetic recordings or other similar media for Specified Purposes.
  3. “Computer Processed” means the input, storage, editing, correction, indexing, deletion, output, transmission or other processing of data by means of a computer or an automated machine.
  4. “Collection” means acquisition of Personal Data for establishment of a Personal Data File.
  5. “Use” means the internal use, or provision to a third party other than the Subject, of a Personal Data File by a Public Agency or a Non-Public Agency which maintains such file.
  6. “Public Agency” means a central or local government agency which exercises government authority pursuant to law.
  7. “Non-Public Agency” means the following enterprises, organizations or individuals other than the agencies referred to in the preceding subparagraph:
    (1) credit information business and organizations or individuals whose principal business is to engage in the Collection or Computerized Processing of Personal Data;
    (2) hospitals, schools, telecommunications business, financial business, securities business, insurance business and mass media business; or
    (3) other enterprises, organizations or individuals designated by the Ministry of Justice in consultation with the central competent authorities having jurisdiction [over the business of such enterprise, organization or individual].

  8. “Subject” means the person whose Personal Data is the subject matter [of Personal Data].
  9. “Specified Purposes” means the purposes prescribed by the Ministry of Justice in consultation with the central competent authorities for specified businesses.

Article 4
A Subject may exercise the following rights relating to his Personal Data in accordance with the provisions of this Act; such rights may not be waived or limited in advance by a special agreement:

  1. inquiry and request for review;
  2. request for duplicates;
  3. request for supplementation or correction;
  4. request to cease Computerized Processing or Use; or
  5. request for deletion.

Article 5
Where an organization or individual is retained to process data by a Public Agency or Non-Public Agency, the person who processes the data shall be deemed as personnel of the retaining party [for purposes of] the applicability of the scope of this Act.
Article 6
Collection or Use of Personal Data shall be with respect for the rights and interests of the Subject, shall be undertaken in a truthful and creditworthy manner and shall not exceed the scope of necessity for a Specified Purpose.
Chapter II Data Processing by a Public Agency
Article 7
A Public Agency shall not engage in the Collection or Computerized Processing of Personal Data unless for Specified Purposes and in conformity with one of the following circumstances:

  1. within the scope of necessity for the fulfillment of its official functions and duties as provided by laws and regulations;
  2. with the written consent of the Subject; or
  3. there is no likelihood of injury to the rights and interests of the Subject.

Article 8
Use of Personal Data by a Public Agency shall be within the scope of necessity for the fulfillment of its official functions and duties as provided by laws and regulations and in conformity with the Specified Purposes of Collection; provided, Use outside of the Specified Purposes of Collection may be made in any of the following circumstances:

  1. such use is expressly provided by law or regulation;
  2. such use is legitimate and for internal use only;
  3. such use is to protect national security;
  4. such use is to promote public interest;
  5. such use is to avoid imminent danger to the life, body, freedom, or property of the Subject;
  6. such use is necessary for preventing serious damage to the rights and interests of others;
  7. such use is necessary for academic research and does not injure the major interests of others;
  8. such use is favorable to the rights and interests of the Subject; or
  9. such use is authorized by written consent of the Subject.

Article 9
International transmission and Use of Personal Data by a Public Agency shall be in accordance with relevant laws and regulations.
Article 10
A Public Agency maintaining Personal Data Files shall announce, in the official gazette or by other appropriate means, the following matters; this shall also apply to any changes in such matters:

  1. file name of the Personal Data;
  2. name of the Public Agency maintaining the file;
  3. name of the Public Agency using the Personal Data File;
  4. basis and Specified Purposes for maintaining the Personal Data File;
  5. classification of the Personal Data;
  6. scope of the Personal Data;
  7. Collection method of the Personal Data;
  8. place to where the Personal Data is usually transmitted, and recipients thereof;
  9. direct recipients of international transmission of the Personal Data; and
  10. name and address of the Public Agency accepting applications for inquiry, correction, and review of the Personal Data.

The classification of Personal Data as set forth in subparagraph 5 of the preceding paragraph shall be prescribed by the Ministry of Justice in consultation with the central competent authorities having jurisdiction over the relevant business.
Article 11
The following Personal Data Files may not be subject to the provisions of the preceding article:

  1. files relating to national security, diplomatic and military secrets, overall economic interests, or other major matters of national interest;
  2. files relating to cases under examination by Grand Justices of the Judicial Yuan, cases under examination by the Committee on the Discipline of Public Functionaries, and matters concerning court investigation, trial, judgment, execution, or processing of non-litigious matters;
  3. files relating to crime prevention, criminal investigation, execution of a criminal punishment, corrective or protective measures for the offenders, or prisoner’s post-incarceration protection;
  4. files relating to administrative punishment and compulsory execution thereof;
  5. files relating to administration of border entrance and exit security examination or refugee examination;
  6. files relating to taxes and collection thereof;
  7. files relating to personnel, daily duties, salary, sanitation, benefits, or related matters of Public Agencies;
  8. files specially provided for experimental Computerized Processing;
  9. files to be deleted prior to public announcement in the official gazette;
  10. files in which only the name, domicile, exchanges of money and things with the Subject are recorded as a necessary part of official business contacts;
  11. files separately created for internal use by the personnel of a Public Agency solely for the discharge of their public duties; or
  12. other files specifically provided by law.

Article 12
Upon request by a Subject, a Public Agency shall reply to inquiries about the Personal Data Files it maintains, permit review of such files, or make duplicates thereof; provided, this shall not apply in any of the following circumstances:

  1. the Personal Data File may not be made public pursuant to the preceding article;
  2. the Personal Data File is likely to cause interference with the fulfillment of public functions and duties; or
  3. the Personal Data File is likely to injure important interests of a third party.

Article 13
A Public Agency shall maintain the accuracy of Personal Data and make timely corrections or supplements ex officio or upon request by a Subject.
When a dispute about the accuracy of Personal Data arises, a Public Agency shall, ex officio or upon request by the Subject, cease Computerized Processing and Use of such Personal Data; provided, this shall not apply where such Personal Data are required for execution of duties [of the Public Agency], and the [aforementioned] dispute is noted, or the written consent of the Subject has been obtained.
When the Specified Purpose of Computerized Processing of Personal Data no longer exists or the time limit thereof expires, a Public Agency shall, ex officio or upon request by a Subject, delete or cease Computerized Processing and Use of such data; provided, this shall not apply where the data is required for execution of duties [of the Public Agency], change of their purposes is made in accordance with this Act, or the written consent of the Subject has been obtained.
Article 14
A Public Agency shall maintain a register which sets out the matters announced pursuant to Article 10-1 of this Act; the register shall be made available to the public for inspection.
Article 15
A Public Agency shall process requests made by a Subject in accordance with this Act within thirty days [upon receipt of such request]. If the request cannot be processed within such time limit, the applicant shall be advised of the reasons therefor in writing.
Article 16
It is within the discretion of a Public Agency to determine the fees it will charge for inquiries or reviews of Personal Data, or for duplicates thereof.
The amount of the fees referred to in the preceding paragraph shall be determined by each [concerned] Public Agency.
Article 17
A Public Agency maintaining Personal Data Files shall designate special personnel to take exclusive responsibility, in accordance with relevant laws and regulations, for matters relevant to safety maintenance and to prevent burglary, alteration, destruction, disappearance, or disclosure of Personal Data.

Chapter III Data Processing by Non-Public Agencies

Article 18
Unless for a Specified Purpose and in compliance with any of the following circumstances, a Non-Public Agency shall not engage in the Collection or Computerized Processing of Personal Data:

  1. written consent from the Subject is obtained;
  2. the Non-Public Agency has a contractual or quasi-contractual relationship with the Subject and there is no likelihood of harm to the rights and interests of the Subject;
  3. such Personal Data is already public and there is no harm to the important interest of the Subject;
  4. [the Collection or Computerized Processing of Personal Data] is made for academic research and there is no harm to the important interest of the Subject; or
  5. [the Collection or Computerized Processing of Personal Data] is made pursuant to the relevant laws and regulations in connection with Article 3-1-7-2 of this Act and special provisions of other laws.

Article 19
A Non-Public Agency not registered with and licensed by the competent authority with jurisdiction over such agency shall not engage in Collection, Computerized Processing, international transmission, or Use of Personal Data.
A credit information business and an organization or individual whose principal business is to make Collection or Computerized Processing of Personal Data shall obtain permission from the competent authority with jurisdiction over such business organization or individual and shall obtain [appropriate] registrations and licenses therefor.
Registration procedures, conditions of permission, and fee standards contained in the preceding two paragraphs shall be determined by the central competent authority for specified businesses.
Article 20
Applicants for registration referred to in the preceding article shall file an application stating the following items:

  1. applicant’s name, residence or domicile; and, if the applicant is a juristic person or non-juristic organization, its name, principal office, branch office, or business place, and the name, residence or domicile of its representative or administrator;
  2. names of Personal Data Files;
  3. Specified Purposes of maintaining Personal Data Files;
  4. classification of Personal Data;
  5. scope of Personal Data;
  6. duration of maintenance of Personal Data Files;
  7. Collection method of Personal Data;
  8. scope of Use of Personal Data Files;
  9. direct recipients of international transmission of Personal Data;
  10. name of person responsible for maintaining Personal Data Files; and
  11. safety maintenance plan of Personal Data Files.

Changes in the above items shall be applied for within fifteen days after change of such item occurs. If a business is terminated, the termination of registration shall be applied for within one month after the termination of operations takes place.
When application for termination of the registration in the preceding paragraph is filed, the method of disposal of the Personal Data maintained by the applicant shall be reported to, and approval for such method shall be obtained from, the competent authority with jurisdiction over the applicant.
The Specified Purposes under Article 20-1-3 and classification of data under Article 20-1-4 shall be prescribed by the Ministry of Justice in consultation with the central competent authorities for specified businesses.
The standard for the safety maintenance plan of Personal Data Files as set forth in paragraph 1, subparagraph 11 and the method of disposal in paragraph 3 [all of this Act] shall be prescribed by the central competent authority for specified businesses.
Article 21
When the registration application in the preceding paragraph is approved, a Non-Public Agency shall announce the matters set forth in paragraph 1, subparagraphs 1 through 10 of the preceding article in an official gazette and publish them in local newspapers.
Article 22
A Public Agency shall maintain a register which sets out the matters contained in paragraph 1, subparagraphs 1 through 10 of Article 20; the register shall be made available to the public for review.
Article 23
Use of Personal Data by a Non-Public Agency shall be within the scope of necessity for the Specified Purpose of Collection; provided, Use beyond the Specified Purpose may be made in any of the following circumstances:

  1. such use is to promote public interest;
  2. such use is to avoid imminent danger to the life, body, freedom, or property of the Subject;
  3. such use is necessary for preventing serious damage to the rights and interests of others; or
  4. such use is authorized by written consent of the Subject.

Article 24
In any of the following circumstances, the competent authority for specified businesses may restrict international transmission and Use of Personal Data by a Non-Public Agency:

  1. such transmission and use involve major matters of national interest;
  2. such transmission and use are subject to special provisions of an international treaty or agreement;
  3. the receiving country lacks proper laws and regulations to adequately protect Personal Data, such that the rights and interests of the Subject are likely to be injured; or
  4. [Personal Data] is indirectly transmitted to or used [through] a third country to evade this Act.

Article 25
A competent authority for specified businesses may, if it deems necessary, send officials with identification documents to order a Non-Public Agency which is subject to permission or registration by such competent authority to provide relevant data or give other necessary cooperation in relation to matters provided in this Act; such officials may visit the Non-Public Agency to conduct inspection. Upon detection, any data violating this Act may be seized.
The Non-Public Agency shall not evade, hinder, or refuse the order, inspection, or seizure set forth in the preceding paragraph.
Article 26
The provisions of Articles 12, 13, 15, 16-1, and 17 shall apply mutatis mutandis to a Non-Public Agency.
The fee standard of a Non-Public Agency applying mutatis mutandis Article 16-1 shall be prescribed by the central competent authority with jurisdiction over such agency.
Chapter IV Compensation for Damage and Other Remedies
Article 27
A Public Agency violating the provisions of this Act so as to injure the rights and interests of a Subject shall be liable for compensation; provided, this shall not apply where such injury is due to natural disasters, accidents, or other causes of force majeure.
The injured party, though having [only] suffered non-pecuniary injury, may nevertheless claim an appropriate amount of monetary compensation, and if there is damage to reputation, appropriate measures may be requested to restore such reputation.
The total amount of compensation for damages prescribed in the preceding two paragraphs shall be between Twenty Thousand New Taiwan Dollars and One Hundred Thousand New Taiwan Dollars for each event to each person; provided, this shall not apply where there is evidence to support a higher amount of damages.
In case of compensation for injuries to a Subject [or a number of Subjects] due to one single cause and fact, the aggregated amount of compensation shall not exceed Twenty Million New Taiwan Dollars.
The claim for compensation set forth in the second paragraph [of this Article] shall not pass to another person through transfer or succession; provided, this shall not apply to a claim for monetary compensation which has been acknowledged by contract or upon which an action has been commenced.
Article 28
A Non-Public Agency which violates the provisions of this Act so as to cause damage to the interests of a Subject shall be liable for compensation; provided, this shall not apply where it can be proven [by such agency] that there was no willful or negligent act.
The provisions of paragraphs 2 through 5 of the preceding article shall be applicable to claims for compensation made pursuant to the provisions of the preceding paragraph.
Article 29
A claim for compensation shall be extinguished two years after the time when the injured party becomes aware of the damage and [can identify] the person liable for compensation; or after five years from the time when such damage occurs.
Article 30
In addition to the provisions of this Act, compensation for damages shall be governed by the National Torts Compensation Act in the case of Public Agencies, and the Civil Code in the case of Non-Public Agencies.
Article 31
If a Subject meets with refusal from a Public Agency in exercising the rights specified under Article 4, or a request is not processed within the time limit prescribed in Article 15, the Subject may, within twenty days after the refusal or expiry of the time limit, request in writing the supervising authority [of the Public Agency in question] to take proper action.
The supervising authority referred to in the preceding paragraph shall, within two months after receipt of the request, notify the applicant in writing of the result of its action.
Article 32
If a Subject meets with refusal from a Public Agency in exercising the rights specified under Article 4, the Subject may, within twenty days after the refusal or after the expiry of the time limit, request in writing the competent authority with jurisdiction over such agency to take proper action.
The competent authority referred to in the preceding paragraph shall, within two months after receipt of the request, notify the applicant in writing of the result of its action. If the request is deemed to be reasonable, an order shall be issued to request the Non-Public Agency to rectify its act.

Chapter V Penalties

Article 33
A person who intends to profit through acts in violation of the provisions of Articles 7, 8, 18 and 19-1, 19-2, Article 23, or of a restriction order issued in accordance with Article 24 of this Act, and who thereby causes damage to others shall be punished with imprisonment of up to two years, detention, or in lieu thereof, or in addition thereto, a fine of up to Forty Thousand New Taiwan Dollars.
Article 34
A person who intends to pursue illicit gain for himself or a third party, or to cause injury to the interest of another party, by engaging in the illegal output, interference, alteration, or deletion of a Personal Data File, or otherwise unlawfully impairs the accuracy of a Personal Data File, thereby causing damage to another party, shall be punished with imprisonment of up to three years, detention, or a fine of up to Fifty Thousand New Taiwan Dollars.
Article 35
A public functionary, who on account of office, opportunity, or methods available in the discharge of duty, commits the crimes set forth in the preceding two articles, shall be subject to criminal punishment set forth in the preceding articles with such punishment increased by fifty percent.
Article 36
Prosecution for offenses under this Chapter may be instituted only upon complaint.
Article 37
Where more severe punishment is stipulated by other laws for the commission of an offense under this Chapter, the provisions of such other laws shall govern.
Article 38
In any of the following circumstances, the competent authority for specified businesses may punish the responsible person by a fine of Twenty Thousand New Taiwan Dollars to One Hundred Thousand New Taiwan Dollars and request such agency to rectify its act within a specified time period. In case no rectification is made within the time period, the preceding fine will be imposed for each violation until rectification is made.

  1. Violation of the provisions of Article 18 of this Act.
  2. Violation of the provisions of Article 19-1 or 19-2 of this Act.
  3. Violation of the provisions of Article 23 of this Act.
  4. Violation of the restriction order issued under the provisions of Article 24 of this Act.

In case of a serious violation of subparagraphs 1, 3, or 4 of the preceding paragraph, the permission granted or registration made under this Act may be revoked or canceled.
Article 39
In any of the following circumstances, the competent authority for specified businesses may request [a concerned agency] to rectify its act within a specified time period. In case no rectification is made within the time period, the responsible person [of the agency] shall be punished with a fine of Ten Thousand New Taiwan Dollars to Fifty Thousand New Taiwan Dollars for each violation until rectification is made.

  1. Violation of Article 20-2 of this Act.
  2. Violation of Article 21 of this Act regarding publication in local newspapers.
  3. Violation of Article 22 of this Act.
  4. Violation of Article 26-1 for which Articles 12, 13, 15 and 17 are applicable mutatis mutandis.
  5. Violation of the fee standard under Article 26-2 of this Act.

In case of a serious violation of subparagraphs 1, 2, 3 or 4 of the preceding paragraph, the authorization or registration pursuant to this Act may be revoked or canceled.
Article 40
For each instance of the following, the competent authority for specified businesses may punish the responsible person [of a concerned agency] by a fine of Ten Thousand New Taiwan Dollars to Fifty Thousand New Taiwan Dollars:

  1. failure to comply with the method of disposal approved by the competent authority for specified businesses under Article 20-3 of this Act;
  2. violation of the provisions of Article 25-2 of this Act; or
  3. failure to rectify conduct within a time limit specified pursuant to Article 32-2 of this Act.

In case of a serious violation of subparagraphs 2 or 3 of the preceding paragraph, the authorization or registration pursuant to this Act may be revoked or canceled.
Article 41
Nonpayment of a fine imposed under this Act beyond a notified time limit shall be subject to compulsory execution by the court.
Chapter VI Supplementary Provisions
Article 42
The Ministry of Justice shall be responsible for the coordination and contacts in connection with matters relating to the execution of this Act; rules governing such coordination and contacts shall be prescribed by the Ministry of Justice.
Where there is no competent authority for a specified business, the Ministry of Justice shall handle matters which are required by this Act to be handled by a competent authority for specified business.
The Ministry of Justice and the competent authority for specified businesses may, if necessary, retain a public-interest organization to process the registration and announcement for the Collection, Computerized Processing, and Use of Personal Data by Non-Public Agencies or for the administration of other matters relating thereto.
Article 43
[Operations] of Collection or Computerized Processing of Personal Data prior to the effective date of this Act, which pursuant to the provisions of this Act are required to obtain registration or authorization, should file [for such registration or authorization] within one year after this Act becomes effective.
Enterprises, organizations, or individuals designated by the Ministry of Justice in conjunction with the central competent authority with jurisdiction over such enterprises, organizations or individuals pursuant to Article 3-1-7-3 of this Act, shall obtain registration or authorization within six months from the date of such designation.
Where [the operation] fails to file an application or authorization is not obtained within the time limit prescribed in the preceding two paragraphs, it shall be deemed that the registration has not been obtained or authorized.
Article 44
The Enforcement Rules of this Act shall be prescribed by the Ministry of Justice.
Article 45
This Act shall become effective on the day of its promulgation.

 
