Newsletter
The Preparatory Office of the Personal Data Protection Commission Announces Draft Amendments to the Enforcement Rules of the Personal Data Protection Act and Three Subordinate Regulations
 
Ken-Ying Tseng / Yi-Mei Pan / Kai-Yao Cheng
 
The Personal Data Protection Act (“PDPA”) was amended and promulgated on November 11, 2025, with its enforcement date to be set by the Executive Yuan (“Amended PDPA”). To align with these amendments, the Preparatory Office of the Personal Data Protection Commission (“Preparatory Office of the PDPC”) announced on January 22, 2026, the draft amendments to the Enforcement Rules of the PDPA (“Draft Amendments to the PDPA Enforcement Rules”), and draft regulations authorized under the Amended PDPA: the “Regulations Governing the Functions, Qualifications, and Training of Personal Data Protection Officers and Related Personnel,” the “Regulations Governing the Security Maintenance and Management of Personal Data Files,” and the “Regulations Governing the Notification, Reporting, and Contingency Measures for Personal Data Incidents.”
 
Among these, the draft “Regulations Governing the Functions, Qualifications, and Training of Personal Data Protection Officers and Related Personnel” was formulated in accordance with the obligation imposed on government agencies to appoint personal data protection officers, as required under the Amended PDPA. Accordingly, it applies exclusively to government agencies. For private enterprises, the key points of the remaining three bills are summarized as follows:
 
1. The Draft Amendments to the PDPA Enforcement Rules
 
The proposed amendments aim to adjust existing regulations to align with the Amended PDPA and repeal certain provisions to harmonize with the newly authorized draft regulations.
 
The key substantive revision concerns the adjustment of the definition of “unable to identify a specific data subject” under Article 17 of the PDPA Enforcement Rules. To resolve practical disputes about the original definition, the Preparatory Office of the PDPC, referencing the reasoning of the Constitutional Court Judgment 2022-Hsien-Pan-Zi-No. 13, has revised the definition to: using existing technical methods at the time so that the personal data, “based on its presentation, at least precludes the direct identification of a specific natural person,” while not ruling out the possibility of indirect identification.
 
2. The Draft Regulations Governing Security Maintenance and Management of Personal Data Files (“Personal Data Security Maintenance Regulations”)
 
Under the current legal framework, private enterprises operating in industries and scopes designated by their sector-specific competent authorities must meet certain regulatory obligations, such as establishing personal data security maintenance plans and implementing security measures.
 
To ensure regulatory consistency and to improve personal data protection, this draft requires all government and non-government agencies to comply with the common security maintenance measures. In addition, government agencies and “large-scale non-government agencies”—those of a certain scale and holding a substantial volume of personal data files—are required to implement additional enhanced measures. The regulations are thus divided into two tiers.
 
(1) Common Security Maintenance Measures: Prescribed in Articles 5 to 15, Chapter II of the draft, these apply to all government and non-government agencies. Relevant requirements include: periodic inventory of personal data and delineation of management scope; notification, reporting, and contingency mechanisms; personnel security management; education and training; security management of equipment and information systems; and deletion or destruction of personal data upon business termination. In cases where special categories of personal data are retained (such as medical records, healthcare, genetic data, sexual life, health examinations, and criminal records), special data security management measures must be adopted in accordance with Article 11 of the draft.
 
(2) Enhanced Security Maintenance Measures: Prescribed in Articles 16 to 26, Chapter III of the draft, these apply only to government agencies and large-scale non-government agencies. A “large-scale non-government agency” refers to a company, limited partnership, or business that is not a small or medium-sized enterprise and maintains personal data files reaching 10,000 entries or more. Such entities must establish personal data security maintenance plans, designate dedicated personnel, execution units, and auditors, and maintain data inventory lists and process documentation. They must also conduct annual risk assessments, internal audits, and audits of commissioned parties (if applicable), along with other enhanced security measures.
 
Furthermore, if a non-government agency in a specific industry remains under the jurisdiction of its sector-specific central competent authority as announced by the Executive Yuan after the Amended PDPA takes effect, and that authority has already established industry-specific security maintenance regulations, those regulations shall prevail. However, if the security maintenance measures stipulated under the Personal Data Security Maintenance Regulations are more stringent, the stricter standards shall apply.
 
3. The Draft "Regulations Governing the Notification, Reporting, and Contingency Measures for Personal Data Incidents"
 
The Amended PDPA requires that, upon becoming aware of the theft, alteration, damage, loss, or leakage of personal data in one’s possession (“personal data incident”), one must notify data subjects and report to the competent authority. This draft is formulated pursuant to the relevant requirements, with the following key points:
 
(1) Notification to Data Subjects: Within 72 hours of becoming aware of a personal data incident, data subjects must be notified individually through appropriate means. If it is impossible to carry out individual notification or where specific conditions are met, a public notice must be issued continuously for at least 30 days via the internet, news media, or other appropriate channels. The draft also specifies the required content and methods of notification.
 
(2) Reporting to Competent Authorities: Reporting must be conducted via designated methods within 72 hours of becoming aware of a personal data incident if it involves special-category personal data, information systems with 10,000 or more personal data entries, or if the affected personal data reaches 100 entries or more. The draft also outlines the reporting content and the procedures for handling exceptional circumstances where reporting cannot be completed as prescribed.
 
Additionally, the draft regulates the contingency measures to be taken after an incident, the items to be recorded in incident investigation reports, and their retention periods. In cases of outsourcing, if a commissioned party becomes aware of a personal data incident within the scope of the PDPA, the commissioning agency is deemed to be aware of the incident as well, and the commissioned party must immediately notify the commissioning agency upon discovery. If the commissioned party fails to notify, the commissioning agency where the incident occurred remains liable for any breach of obligations under the PDPA.
 
The above draft regulations are subject to a 60-day public consultation period, during which comments from all sectors are solicited. Given that these bills may significantly impact private enterprises across various industries, the legislative progress warrants close attention. Our firm’s “Digital, TMT and Data Privacy” team is closely monitoring these developments. Should you require any assistance, please do not hesitate to contact our team of experts.