Taiwan PDPA Amendment 2025

Personal Data Protection Act Amendment

Major amendment to Taiwan's Personal Data Protection Act establishing independent Personal Data Protection Commission (PDPC) as mandated by Constitutional Court. Significantly strengthens data protection framework for public and private sectors, aligning with EU GDPR standards. Introduces data breach notification obligations, mandatory DPOs for government agencies, and enhanced enforcement powers.

Jurisdiction

Taiwan

Enacted

Nov 11, 2025

Effective

TBD

Enforcement

Personal Data Protection Commission (PDPC)

Passed Legislative Yuan October 17, 2025; promulgated by President November 11, 2025; effective date TBD 2026

Jones Day

Why It Matters

Represents Taiwan's most significant data protection upgrade, bringing framework in line with EU GDPR. Establishes first independent data protection authority (PDPC). Creates new compliance obligations including breach notifications, potential DPO requirements, and enhanced cross-border transfer restrictions. Separate from but complementary to Taiwan's AI Basic Act (enacted December 2025).

Recent Developments

Cabinet approved draft March 27, 2025. Legislative Yuan passed October 17, 2025. President promulgated November 11, 2025. Constitutional Court Judgment 111-Hsien-Pan-13 (2022) mandated PDPC establishment by August 2025 - deadline met. Preparatory Office of PDPC established December 5, 2023. Effective date to be determined by Executive Yuan, expected 2026.

At a Glance

Requires

Transparency User Rights

Who Must Comply

All organizations processing personal data in Taiwan (public and private sectors)
Government agencies (DPO requirements)
Data controllers and processors
Organizations transferring data cross-border

Obligations fall on:

Safety Provisions

Establishes Personal Data Protection Commission (PDPC) as independent supervisory authority
Data breach notification obligations for both data subjects and competent authority
Mandatory appointment of Data Protection Officers (DPOs) for government agencies
Enhanced inspection powers for PDPC
Strengthened cross-border data transfer requirements
Increased penalties for violations
GDPR alignment provisions

Compliance & Enforcement

Key Dates

Dec 31, 2026

Expected effective date (to be determined by Executive Yuan)

Penalties

Penalties pending regulatory determination

Primary Source

Jones Day

https://www.jonesday.com/en/insights/2025/12/taiwan-passes-major-amendments-to-the-personal-data-protection-act

View on map

Taiwan

Focus Areas

Algorithmic accountability

Active safeguards required

Compliance Help

Organizations must establish data protection frameworks compliant with GDPR-aligned standards. Government agencies must appoint Data Protection Officers. Data breach notification systems required. Cross-border transfers must meet enhanced requirements. Specific implementation details pending Executive Yuan determination of effective date.

See how NOPE helps

Cite This

APA

Taiwan. (2025). Personal Data Protection Act Amendment.

Related Regulations

In Effect TW

Taiwan AI Act

Comprehensive AI Basic Act (pending) establishes seven guiding principles and risk-based classification. Note: Taiwan already has ENACTED deepfake/election AI provisions via separate laws (Criminal Code 2023, Election Law 2023, Fraud Prevention Act 2024).

In Effect BN

Brunei PDPO

Brunei's personal data protection order requiring DPIA and imposing penalties up to 10% Brunei turnover or $1M.

In Effect IN

India DPDP Act

STRICTEST children's provisions in APAC. Children = under 18; verifiable parental consent MANDATORY; PROHIBITION on tracking, behavioral monitoring, targeted advertising to children.

In Effect ID

Indonesia PP 17/2025

Indonesia's comprehensive child online protection regulation establishing age-appropriate design requirements for electronic systems accessible to children. Most granular age classification globally (5 groups). Requires risk assessments, privacy-by-default, parental consent, DPIAs, and prohibits data profiling of children. First of its kind in Asia and Global South.

In Effect CN

China CSL Amendments

First major revision of China's foundational Cybersecurity Law since 2017. Introduces formal AI governance provisions, significantly increases penalties, and expands extraterritorial application to all cybersecurity violations.

In Effect NP

Nepal AI Policy

Nepal national AI policy establishing governance framework and development priorities. Creates AI Governance Council (chaired by Minister for Communications and IT), AI Regulation Council, National AI Centre, and AI Regulatory Authority. Six pillars including ethics, human resource development, and sectoral application.

All regulations Check if this applies to you

Last updated February 17, 2026. Verify against primary sources before relying on this information.