On November 11, 2025, the Office of the President officially promulgated amendments to the “Personal Data Protection Act.” Although the official effective date will be separately determined by the Executive Yuan, these amendments have attracted significant attention due to their substantial impact on private enterprises.
The current amendments (hereinafter referred to as the “New Act”) respond to the establishment of the Personal Data Protection Commission (hereinafter referred to as the “PDPC”) by granting the PDPC supervisory authority over both public and non-public agencies. The New Act also explicitly mandates public agencies to appoint Data Protection Officers (DPOs), who shall be responsible for promoting and supervising personal information protection operations within their respective public agencies (however, the New Act does not impose an obligation on private enterprises to appoint DPOs).
With respect to non-public agencies (i.e., private enterprises), Article 12 of the New Act requires enterprises experiencing data incidents to implement immediate and effective response measures and maintain records thereof. Specific details regarding the content, method, timeframe, and scope of incident notifications shall be subsequently prescribed by the PDPC through regulatory orders.
Furthermore, Article 48 of the New Act clarifies the obligations for incident notification and response, and establishes penalties for violations. Additionally, Article 20-1 of the New Act authorizes the PDPC to formulate regulations concerning general personal information security maintenance plans. Once the PDPC completes the formulation of such regulations, enterprises across all industries, beyond those currently under regulatory supervision, will be required to comply with the provisions of these regulations. Article 22 of the New Act provides detailed provisions regarding future administrative inspection plans and cooperative measures concerning personal information.
Article 51-1 of the New Act introduces transitional provisions, which take into consideration that supervisory resources may not yet be fully in place during the initial establishment phase of the PDPC. Accordingly, a transitional mechanism has been designed whereby the PDPC will directly supervise operators that currently lack a clearly designated competent authority. Operators that already have a clearly designated competent authority shall, within six years following the establishment of the PDPC and in accordance with the scope announced by the Executive Yuan, continue to be supervised by their respective competent authorities. This arrangement will be reviewed biennially and gradually reduced, ultimately achieving unified regulatory authority.











