New Personal Data Protection Act Effective October 1, 2012
Seraphim Mar, Baker & McKenzie, Taiwan
Taiwan's new Personal Data Protection Act (PDPA) became effective October 1, 2012, except for two controversial articles that remain pending. These articles deal with (1) prohibiting the collecting, processing, and us of "sensitive data" such as criminal records, etc., and (2) the need to obtain consent for the personal data acquired before the amendment's effective date. It is not certain when these two articles will take effect.
Under this new law, all government sectors, non-government sectors, and individuals are subject to the PDPA. The definition "Personal Data" was also expanded to a broad scope, meaning name, birthday, ID, special features, fingerprints, marriage, family, education, occupation, medical records, medical history, generic information, sex life, health examinations, criminal records, contact information, financial status, social activities, and other data which is sufficient to directly or indirectly identify a person.
The effects of the new PDPA include: (1) all enterprises and individuals that collect, process or use Personal Data are subject to the PDPA; (2) statutory requirements and procedures must be followed when collecting, processing or using Personal Data; (3) proper safety measures must be taken when retaining Personal Data files; (4) failure to comply with the PDPA will result in violators being subject to civil liabilities (up to TWD 200M), administrative penalties (up to TWD 500,000), and criminal liabilities (up to 5 years and/or TWD 1M). The representatives of an enterprise may be punished for the same amount of administrative penalties where the enterprise violates the PDPA.