Data Protection and Privacy 2025

TAIWAN Law and Practice Contributed by: Che-Hung Chen, Doris Lu, Jakob Huang and Meng-Ying Lee, Chen & Lin Attorneys-at-Law

changed the passwords for the computer system periodically. Therefore, although there was a data breach caused by a hacking attack, the court held that the travel agency was not in violation of the PDPA and thus should not be held liable for the data breach. The Consumers’ Foundation filed an appeal against this judgment. During the proceedings in the court of second instance, the Consumers’ Foundation and the travel agency reached a settlement.

3. Data Regulation on IoT Providers, Data Holders and Data Processing Services

3.1 Objectives and Scope of Data Regulation

Regulations Applicable to IoT Services

Currently, there is no specific legislation that directly governs IoT services with regard to data protection. However, IoT services frequently involve the collection, processing and transmission of significant volumes of personal data. As such, the use of IoT services in relation to data protection should be subject to the general provisions and principles outlined in the applicable data protection laws, such as the PDPA. Consequently, in the absence of dedicated IoT regulations, the overarching framework provided by the PDPA applies to IoT service providers handling personal data.

The Rights and Obligations of Data Holders and Data Processing Services

Under the PDPA, any collection, processing and use of personal data is governed by its provisions. The PDPA does not introduce a specific distinction between “data controllers” (or data holders) and “data processors” (data processing services). While many data protection frameworks, such as the GDPR, explicitly define these roles, the PDPA focuses primarily on the responsibilities of entities involved in data collection, processing and use without separately categorising them. Instead, it sets forth general obligations for all parties involved in the handling of personal data, irrespective of the role the entity plays in the data processing chain.

Under the PDPA, the collection, processing and use of personal data shall comply with essential requirements. These requirements include the following.

• Informing the data subject: Businesses must provide information to the data subject regarding the collection, use and processing of their personal data. This includes informing them about the specific items outlined under the PDPA, such as the purposes of data collection, the categories of data being collected, the retention periods, and the rights of the data subject to access, correct and delete their data.

• Data subject’s consent or other lawful requirement: The collection, use and processing of personal data must be based on the data subject’s consent or another lawful requirement. In cases where consent is not required, data processing may be lawful under other circumstances, such as when it is expressly required by law, or when there is a contractual or quasi-contractual relationship between the business and the data subject and proper security measures have been adopted to ensure the security of the personal data.

• Purpose limitation: Personal data must only be used for the specific purposes that were initially communicated to the data subject at the time of collection. This principle ensures
