Enacted Law Data Protection Context Relevance

Taiwan PDPA Amendment 2025

Personal Data Protection Act Amendment

Major amendment to Taiwan's Personal Data Protection Act establishing independent Personal Data Protection Commission (PDPC) as mandated by Constitutional Court. Significantly strengthens data protection framework for public and private sectors, aligning with EU GDPR standards. Introduces data breach notification obligations, mandatory DPOs for government agencies, and enhanced enforcement powers.

Jurisdiction

Taiwan

Enacted

Nov 11, 2025

Effective

Unknown

Enforcement

Personal Data Protection Commission (PDPC)

Passed Legislative Yuan October 17, 2025; promulgated by President November 11, 2025; effective date TBD 2026

What It Requires

Transparency

Must disclose AI nature, data practices, or algorithmic decisions

User Rights

Must honor access, correction, and deletion requests

Who Must Comply

This law applies to:

• All organizations processing personal data in Taiwan (public and private sectors)
• Government agencies (DPO requirements)
• Data controllers and processors
• Organizations transferring data cross-border

Who bears obligations:

Developer Deployer

This regulation places direct obligations on deployers (organizations using AI systems).

Safety Provisions

• Establishes Personal Data Protection Commission (PDPC) as independent supervisory authority
• Data breach notification obligations for both data subjects and competent authority
• Mandatory appointment of Data Protection Officers (DPOs) for government agencies
• Enhanced inspection powers for PDPC
• Strengthened cross-border data transfer requirements
• Increased penalties for violations
• GDPR alignment provisions

Compliance Timeline

Dec 31, 2026

Expected effective date (to be determined by Executive Yuan)

Enforcement

Enforced by

Personal Data Protection Commission (PDPC)

Penalties

Enhanced penalties for violations (specific amounts TBD in implementation)

Primary Source

Jones Day (opens in new tab)

https://www.jonesday.com/en/insights/2025/12/taiwan-passes-major-amendments-to-the-personal-data-protection-act

Quick Facts

Binding: Yes
Mental Health Focus: No
Child Safety Focus: No
Algorithmic Scope: Yes

Why It Matters

Represents Taiwan's most significant data protection upgrade, bringing framework in line with EU GDPR. Establishes first independent data protection authority (PDPC). For NOPE customers processing Taiwan user data, this creates new compliance obligations including breach notifications, potential DPO requirements, and enhanced cross-border transfer restrictions. Separate from but complementary to Taiwan's AI Basic Act (enacted December 2025) - PDPA governs data protection broadly while AI Act addresses AI-specific governance.

Recent Developments

Cabinet approved draft March 27, 2025. Legislative Yuan passed October 17, 2025. President promulgated November 11, 2025. Constitutional Court Judgment 111-Hsien-Pan-13 (2022) mandated PDPC establishment by August 2025 - deadline met. Preparatory Office of PDPC established December 5, 2023. Effective date to be determined by Executive Yuan, expected 2026.

What You Need to Comply

Organizations must establish data protection frameworks compliant with GDPR-aligned standards. Government agencies must appoint Data Protection Officers. Data breach notification systems required. Cross-border transfers must meet enhanced requirements. Specific implementation details pending Executive Yuan determination of effective date.

NOPE can help

Cite This

APA

Taiwan. (2025). Personal Data Protection Act Amendment. Retrieved from https://nope.net/regs/tw-pdpa-amendment-2025

BibTeX

@misc{tw_pdpa_amendment_2025,
  title = {Personal Data Protection Act Amendment},
  author = {Taiwan},
  year = {2025},
  url = {https://nope.net/regs/tw-pdpa-amendment-2025}
}

Related Regulations

Enacted TW • AI Safety

Taiwan AI Act

Comprehensive AI Basic Act (pending) establishes seven guiding principles and risk-based classification. Note: Taiwan already has ENACTED deepfake/election AI provisions via separate laws (Criminal Code 2023, Election Law 2023, Fraud Prevention Act 2024).

In Effect BN • Data Protection

Brunei PDPO

Brunei's personal data protection order requiring DPIA and imposing penalties up to 10% Brunei turnover or $1M.

In Effect IN • Data Protection

India DPDP Act

STRICTEST children's provisions in APAC. Children = under 18; verifiable parental consent MANDATORY; PROHIBITION on tracking, behavioral monitoring, targeted advertising to children.

In Effect ID • Data Protection

Indonesia PP 17/2025

Indonesia's comprehensive child online protection regulation establishing age-appropriate design requirements for electronic systems accessible to children. Most granular age classification globally (5 groups). Requires risk assessments, privacy-by-default, parental consent, DPIAs, and prohibits data profiling of children. First of its kind in Asia and Global South.

In Effect NP • AI Safety

Nepal AI Policy

Nepal national AI policy establishing governance framework and development priorities. Creates AI Governance Council (chaired by Minister for Communications and IT), AI Regulation Council, National AI Centre, and AI Regulatory Authority. Six pillars including ethics, human resource development, and sectoral application.

In Effect PK • AI Safety

Pakistan AI Policy

Pakistan's national AI roadmap establishing six strategic pillars: AI Innovation Ecosystem, Awareness and Readiness, Research and Development, Infrastructure, Governance, and International Cooperation. Creates National AI Fund (NAIF), Centres of Excellence in 7 cities, and targets training 200,000 individuals annually.

Back to all regulations Check if this applies to you