TAIWAN Law and Practice Contributed by: Che-Hung Chen, Doris Lu, Jakob Huang and Meng-Ying Lee, Chen & Lin Attorneys-at-Law
5.2 Government Notifications and Approvals If a financial institution wishes to outsource its data entry, processing and the output operations of an information system related to consumer finance business to an offshore service provider, it must submit the documents to the FSC for approval. Further, electronic payment businesses wishing to outsource their data-processing operations should obtain the FSC’s approval in advance. 5.3 Data Localisation Requirements As stated in 5.1 Restrictions on International Data Transfers , international data transfers are in general permitted by the PDPA, while it leaves the room and flexibility to the relevant competent authority to impose restrictions at its discretion based on the regulation and management needs of the specific industry. Therefore, the relevant competent authority may still promulgate sector- specific rules governing data localisation for a specific industry. Please see 5.1 Restrictions on International Data Transfers and 5.2 Govern- ment Notifications and Approvals for details. 5.4 Blocking Statutes There is no concept of “blocking” in Taiwan. 5.5 Recent Developments The general rules and handling in relation to the international transfers of personal data are set out in 5.1 Restrictions on International Data Transfers to 5.3 Data Localisation Require-
ments . With respect to a new development on 18 December 2024, Taiwan Food and Drug Administration, the Ministry of Health and Wel - fare, announced a draft to “restrict the interna - tional transfer of personal data by the whole - sale and retail pharmaceutical industry to China, Hong Kong, and Macau”. In this draft, it is stipu - lated that the wholesale and retail pharmaceuti - cal industry shall not transfer the personal data it collects, processes and uses to China, Hong Kong and Macau unless an exception applies. The exceptions include, among others: • where the personal data cannot be identified, either directly or indirectly; • where the personal data is not obtained in connection with pharmaceutical-related busi - ness activities; • where the personal data belongs to an employee of the wholesale and retail pharma - ceutical industry, or personal data is related to service providers or business partners and is obtained by pharmaceutical wholesalers or retailers during the course of their business operations; and • where the headquarters or parent companies of the wholesaler or the retailer have obtained or comply with certain certification, such as an adequacy decision under the GDPR. The draft regulation is open for public comment and the consultation period ends in mid-January 2025. The regulation is expected to be officially announced in June 2025.
456 CHAMBERS.COM
Powered by FlippingBook