TAIWAN Law and Practice Contributed by: Che-Hung Chen, Doris Lu, Jakob Huang and Meng-Ying Lee, Chen & Lin Attorneys-at-Law
that individuals’ personal data is not misused for other purposes without their knowledge. If data is to be used for a purpose outside the initially stated purpose, it must be based on a clear lawful requirement. Such lawful grounds may include instances where the use is expressly required by law, when it is necessary for protecting public interests, or where it is to prevent harm to the life, body, freedom or property of the data subject.

• International transfer: In principle, international transfer of personal data is allowed under the PDPA. However, certain competent authorities may impose restrictions or prohibit businesses from transferring personal data to specific jurisdictions under certain circumstances – eg, where the level of protection for personal data does not meet the required standards.

• Security measures: Businesses are required to implement appropriate technical and organisational security measures to protect personal data from risks such as unauthorised access, theft, alteration, loss or destruction. These security measures must be tailored to the nature of the data being processed and the risks involved, and must be regularly reviewed and updated to address emerging threats. Businesses are also required to ensure that any commissioned third parties involved in processing personal data adhere to the appropriate security standards.

3.2 Interaction of Data Regulation and Data Protection

Since Taiwan follows the civil law system, data protection requirements are primarily governed by the relevant data protection regulations, with the PDPA being the key piece of legislation. In addition to the PDPA, sector-specific laws may apply when it comes to certain data protection requirements in specific industries. For example, the Banking Act sets forth additional data protection provisions for the banking sector.

3.3 Rights and Obligations Under Applicable Data Regulation

Please see 3.1 Objectives and Scope of Data Regulation for details.

3.4 Regulators and Enforcement

The current enforcement of the PDPA is administered by the central government authorities that supervise the business operation of non-government agencies and local government authorities. As stated in 1.2 Regulators, upon its official launch (scheduled for August 2025), the PDPC will integrate the enforcement powers and responsibilities spread among the MOJ, the National Development Council, central government authorities that supervise the business operation of non-government agencies and local government authorities (the PDPC will prioritise the regulation of non-government agencies that do not have a clearly designated competent authority, and gradually expand the scope to all other industries).

4. Sectoral Issues

4.1 Use of Cookies

The PDPA does not have specific provisions directly addressing cookies. Nevertheless, their use, which typically involves collecting personal data from users’ devices, must comply with the general principles of the PDPA. This includes:

• providing certain information required by the PDPA (businesses must provide clear information in respect of certain items prescribed under the PDPA, such as the name of the business, the types of personal data being collected, the rights of the data subjects, and