With the promulgation of the new “Personal Data Protection Act” (PDPA) on November 11, 2025, establishing the “Personal Data Protection Commission” (hereinafter referred to as the PDPC) as an independent competent authority, the most pressing question for many enterprises is: “Will I be regulated by the PDPC in the future, or by my original competent authority (e.g., the Financial Supervisory Commission, the Ministry of Economic Affairs)?”
The answer is not static but is a dynamic process spanning six years. This article will guide you through interpreting the “Transition Period” design under Article 51-1 of the new Act. Through the newly announced draft of the “List of Non-Government Agencies Regulated by Central Industry Competent Authorities or Municipality/County (City) Governments as Referred to in Paragraph 1, Article 51-1 of the Personal Data Protection Act” (hereinafter referred to as the Draft Non-Government Agency List), we will help enterprises clarify their counterpart for regulatory compliance.
1. Why the “Dual-Track System”? The Logic Behind the 6-Year Transition Period Design
According to Article 1-1 of the new Act, in principle, the authority and responsibility for personal data protection should be unified under the PDPC. However, considering the vast number and diverse nature of non-government agencies (enterprises and organizations) across Taiwan, if the PDPC were to take over supervision of all industries immediately upon establishment, it could lead to a regulatory vacuum due to insufficient resources.
Therefore, Article 51-1 of the new Act specifically designs a “6-year transition period.” During the six years following the establishment of the PDPC, a “Dual-Track System” will be adopted:
- On the List (Regulated by Original Authority): Industries listed in the announcement by the Executive Yuan will continue to be supervised by their original central industry competent authorities (e.g., the Ministry of Economic Affairs, the Ministry of Health and Welfare).
- Off the List (Regulated by PDPC): Industries not included in the list will be directly supervised by the PDPC.
2. Am I on the List? Interpreting the Draft “Transition Period Jurisdiction List”
The Draft Non-Government Agency List announced by the PDPC in February 2026 lists a total of 388 types of non-government agencies, covering the vast majority of chartered industries and large-scale industries. The following is a summary of the attribution of several key industries:
- Financial Industry (Financial Supervisory Commission, FSC): Financial holding companies, banks, insurance, securities and futures, electronic payments, and the recently spotlighted virtual asset services industry, etc.
- E-Commerce and IT Industry (Ministry of Digital Affairs, MODA): Internet retail industry (online shopping), third-party payment service industry, software publishing industry, computer programming industry, etc.
- Medical and Social Welfare (Ministry of Health and Welfare, MOHW): Hospitals, long-term care institutions, medical personnel (physicians, nurses, etc.), social welfare institutions.
- General Commerce and Manufacturing (Ministry of Economic Affairs, MOEA): Retail industry, various manufacturing industries (e.g., semiconductors, food, textiles, machinery, etc.), logistics centers.
- Education Industry (Ministry of Education, MOE): Private schools, short-term cram schools, kindergartens.
- Transportation and Tourism (Ministry of Transportation and Communications, MOTC): Travel agencies, tourist hotel industry, taxi passenger transportation services, and food delivery platforms.
Enterprises should first consult this draft list. If your industry is on the list, your personal data protection operations during the transition period (such as filing security maintenance plans and undergoing administrative inspections) will essentially still fall under the original competent authority. If it is not on the list, you will fall directly under the PDPC.
3. Will the “Original Authority’s” Standards be More Lenient?
Many enterprises may wonder: “Since I am still regulated by the original competent authority, does that mean I don’t have to worry about the strict standards of the new Act?”
Paragraph 4 of Article 51-1 of the new Act explicitly stipulates that the regulations on security maintenance established by central industry competent authorities during the transition period must be “comparable” to the standards of the PDPC and “shall not be lower” than the basic level set by the PDPC.
Furthermore, according to Article 27 of the draft “Regulations on Security Maintenance and Management of Personal Data Files,” if an enterprise’s competent authority has not established specific regulations on security maintenance, or if its prescribed standards are looser than the PDPC’s common regulations, the stricter regulations of the PDPC shall directly apply. In other words, regardless of who the competent authority is, compliance standards will be comprehensively raised.
4. The Two-Year “Dynamic Transfer Mechanism”
This jurisdiction list is not fixed. The new Act stipulates that the PDPC shall review it every two years and petition the Executive Yuan to “delist” items from the announcement scope. In other words, within the next six years, industries will be transferred from their original competent authorities to the PDPC in batches. This is a dynamic integration process, with the ultimate goal of achieving unified supervisory authority.
In addition, to avoid fragmented governance, the new Act also authorizes the PDPC to convene a “Personal Data Protection Policy Promotion Conference” as a platform for inter-agency coordination to resolve jurisdictional disputes and unify enforcement standards.
5. How Should Enterprises Respond?
Facing this 6-year period of change, our firm suggests enterprises take the following steps:
- Confirm Identity: Download the draft list and confirm whether you belong to a non-government agency within the “announced scope.”
- Identify Regulations:
  - If on the list: Closely monitor whether your industry’s competent authority (e.g., FSC, MOEA) has amended the “Regulations on Security Maintenance of Personal Data Files” for that industry in accordance with the new Act.
  - If not on the list: Directly follow the draft “Regulations on Security Maintenance and Management of Personal Data Files” announced by the PDPC, as this will be the basis for your compliance.
- Prepare for Upgrade: Regardless of which competent authority regulates you, please use the PDPC’s “Common Regulations on Security Maintenance” as the baseline to review whether your internal personal data inventory, risk assessment, and incident response mechanisms meet the standards.
Our firm possesses extensive experience in corporate personal data legal affairs and compliance implementation. If your company has any questions regarding the determination of the competent authority, the revision of security maintenance plans, or the application of new versus old regulations, please feel free to contact us at any time. Our team of professional lawyers will provide you with precise legal analysis and solutions.
Special Note: The draft subsidiary regulations mentioned in this article (such as the list of non-government agencies, Regulations on Security Maintenance, etc.) are pre-announcement versions released by the Preparatory Office of the Personal Data Protection Commission between January and February 2026. As of the time of writing, they are in the public comment phase, and the official provisions may be further adjusted based on feedback from various sectors. Readers are advised to stay updated on the latest regulatory developments.











