
Newsletter


Executive Yuan requires ministries and commissions to amend data protection regulations to include requirements for cross-border transfer of personal data



Currently, there is no dedicated authority responsible for data protection in Taiwan.  The enforcement of the Taiwan Personal Data Protection Act is administered by the local government authorities and central competent authorities in charge of the relevant industries.  To urge ministries and commissions to implement the supervision and management of non-government agencies, the Executive Yuan has convened and hosted regular collaborative meetings for implementing personal data protection among ministries and commissions since December 22, 2020 (“Collaborative Meeting”).  According to the Collaborative Meeting’s resolution dated February 3, 2021, in order to ensure a consistent reporting process and timeline for data breaches, the ministries and commissions should amend data protection regulations promulgated by them for specific industry sectors under their supervision (“Data Protection Regulations”), explicitly requiring non-government agencies to report data breaches to the central competent authorities within 72 hours by using reporting forms provided by the central competent authorities.

On August 6, 2021, the Executive Yuan further required ministries and commissions to amend their existing Data Protection Regulations to include requirements for cross-border transfer of personal data.  Ministries and commissions have published proposed amendments to their existing Data Protection Regulations for public comment one after another since August 2021, explicitly requiring non-government agencies to inform data subjects of the destination of data transfer before transferring personal data abroad.  Some ministries and commissions further require non-government agencies to supervise data recipients in terms of the following: (a) the anticipated processing or use of personal data, including the scope, types, specific purposes, duration, geographic area, recipients, and manner thereof; and (b) relevant matters about how data subjects exercise their rights in relation to personal data.

In addition, the Executive Yuan further stipulated the Collaborative Practice Guidelines on the Implementation of Personal Data Protection by the Executive Yuan and its Subordinate Agencies (“Guidelines”) on August 11, 2021, which took effect on September 3, 2021.  The Guidelines require ministries and commissions to amend their existing Data Protection Regulations and thereby require non-government agencies using IT systems to collect, process, or use personal data to adopt additional measures so as to ensure information security.  The Guidelines also require ministries and commissions to review the necessity of stipulating new Data Protection Regulations for specific industry sectors under their supervision on a regular basis by considering the scale of non-government agencies, the quantity or nature of personal data retained by non-government agencies, the potential impact on data subjects as a result of a data breach, the frequency of cross-border data transfer, etc.

It is worth observing how the central competent authorities in charge of the relevant industries will stipulate or amend the relevant Data Protection Regulations in the near future.  Meanwhile, business operators should also assess whether their current security measures are sufficient and conform to the central competent authorities’ strengthened standards for data protection.
