In the wave of digital transformation, few enterprises can operate without relying on external vendors. From payroll processing, cloud storage, and marketing campaigns to customer service centers, outsourcing the processing of personal data has become the norm. In the past, many enterprises held a common belief: “I have signed a contract with the vendor, so if an incident occurs, the vendor should take full responsibility.” 

However, according to the “Personal Data Protection Act” (PDPA) amended in 2025 and the latest announced draft subsidiary regulations, the mindset of attempting to transfer liability entirely through contracts may expose enterprises to significant legal risks. The new Act specifically emphasizes that the “Entrusting Agency (Enterprise)” bears a mandatory obligation to supervise the “Entrusted Party (Vendor).” This article will analyze how to implement compliance requirements through “Outsourcing Supervision” and “Internal Audits.” 

1. The Crucial Clause: “Deemed” to be Known by the Entrusting Agency 

In the past, enterprises often argued: “The vendor was hacked, but they didn’t inform us, so we had no way of knowing and should not bear the liability for failing to report.” Under the framework of the new Act, this defense will no longer apply. 

According to Article 5 of the draft “Regulations on Notification, Reporting, and Response to Personal Data Incidents,” once the Entrusted Party (Vendor) becomes aware of a personal data incident, the Entrusting Agency (Enterprise) is “deemed” to be aware as well. In other words, even if the vendor conceals the incident, the law still treats the enterprise as having “already known,” and the 72-hour reporting countdown starts from the moment the vendor became aware, not from the moment the vendor chose to tell the enterprise. Enterprises must therefore require in their contracts that vendors notify them “immediately” upon discovering an incident, with a concrete notification channel and time limit, and should verify that the vendor actually has a detection and escalation process capable of meeting that deadline. A contractual indemnity may let the enterprise recover costs from the vendor afterwards, but it does not shift the reporting obligation itself: the administrative liability arising from delayed reporting will be borne by the enterprise first.

2. Outsourcing Supervision: Not Just Signing Contracts, But “Substantive Auditing” 

If an enterprise falls under the category of a “Large Non-Government Agency” (not an SME and holding 10,000 or more records of personal data), the obligation to supervise outsourced vendors cannot remain merely at the level of paper contracts. 

According to Paragraph 3, Article 24 of the draft “Regulations on Security Maintenance and Management of Personal Data Files,” enterprises must implement the following two points: 

  • Explicit Agreement: Clearly stipulate supervisory matters and the methods of exercise in the entrustment contract or relevant documents. 
  • Mandatory Audit: Conduct an audit of the Entrusted Party at least once a year (which may be conducted via on-site visits or document reviews) and retain the audit results for reference. 

This means that for critical vendors such as cloud service providers and system maintenance providers, enterprises must establish substantive supervision mechanisms to prove that the duty of supervision has been fulfilled, for example by requiring them to periodically provide cybersecurity inspection reports or ISO certificates, or by actually dispatching personnel to conduct audits. When relying on a vendor’s certificate or third-party audit report, confirm that its stated scope actually covers the systems, locations, and processes that handle the enterprise’s personal data; a certificate whose scope excludes the relevant service proves little about that service.

3. Internal Audit: Implementing Segregation of Duties 

In addition to supervising external vendors, enterprises must also establish internal self-check mechanisms. Paragraph 1, Article 24 of the Draft requires Large Non-Government Agencies to establish an internal audit mechanism and conduct an internal personal data security audit at least once a year. 

The focus of audit execution lies in “Independence.” Article 17 of the Draft specifically stipulates that the “Management Dedicated Personnel” responsible for executing personal data protection matters and the “Audit Personnel” responsible for inspection shall not be the same person. Enterprises must designate an independent audit function within the organization (e.g., the Audit Office, the Legal Department, or an assigned manager from a department that does not execute personal data tasks) to ensure the objectivity and impartiality of the inspection results.

4. Reporting and Records: The Importance of Retaining Trails 

After the audit work is completed, the relevant procedures do not end. Paragraph 4, Article 24 of the Draft stipulates the necessary subsequent procedures: 

  • Report Upward: Audit results (including internal audits and outsourcing audits) must be reported to the Head of the Government Agency or the Representative of the Non-Government Agency (e.g., Chairman, General Manager). This provision aims to ensure that senior management cannot evade management responsibility on the grounds of “not knowing.” 
  • Track Improvements: Improvement measures must be implemented for deficiencies discovered during the audit. 
  • Record Retention: Audit reports and improvement records must be preserved for at least 5 years. 

5. Recommendation: Contract Revision and Vendor Screening 

Facing the requirements of the new Act, it is recommended that enterprises take the following actions: 

  • Inventory Outsourcing Contracts: Comprehensively review contract terms with existing vendors to confirm whether they include key clauses such as “immediate incident notification,” “cooperation with annual audits,” and “subcontracting liability.” If there are deficiencies, supplementary agreements should be signed as soon as possible. 
  • Establish Vendor Tiering System: Considering limited audit resources, priority should be given to conducting on-site audits on critical vendors that “handle large amounts of personal data” or represent “high cybersecurity risks.” 
  • Implement Annual Plan: Incorporate internal audits and vendor audits into the annual compliance or audit calendar and reserve corresponding budgets and manpower resources. 

Our firm possesses extensive experience in corporate personal data legal affairs and compliance implementation. If your company has any questions regarding the revision of outsourcing contract templates, the creation of audit checklists, or supplier management policies, please feel free to contact us at any time. Our team of professional lawyers will provide you with precise legal analysis and solutions.


Special Note: The draft subsidiary regulations mentioned in this article (such as the Regulations on Security Maintenance, Regulations on Incident Notification, etc.) are pre-announcement versions released by the Preparatory Office of the Personal Data Protection Commission between January and February 2026. As of the time of writing, they are in the public comment phase, and the official provisions may be further adjusted based on feedback from various sectors. Readers are advised to stay updated on the latest regulatory developments. 

© Copyright – Stellex Law Firm | designed by Morcept