1. To enhance the protection of personal data by large-scale retailers, the Ministry of Economic Affairs (“MOEA”) amended the “Regulations Governing the Security Maintenance and Management of Personal Data Files for General Merchandise Retailers” on November 13, 2024. The amendment renamed the regulations as the “Regulations Governing the Security Maintenance and Management of Personal Data Files for the Retail Industry” (“Regulations”) and expanded their scope to encompass large-scale retailers specializing in specific goods.
2. Large-scale retailers subject to the Regulations must establish a Personal Data File Security Maintenance Plan by May 12, 2025. Failure to comply within the specified timeframe may lead the competent authority to impose fines pursuant to Article 48, Paragraph 2, and Article 50 of the Personal Data Protection Act. Penalties range from NT$20,000 to NT$2,000,000 each for the retailer and its representative. In cases of severe violations or failure to rectify within the prescribed period, additional fines ranging from NT$150,000 to NT$15,000,000 may be imposed.
3. Key Highlights of the Amendments to the Regulations
(1) The scope of applicability under the Regulations has been expanded. Prior to these amendments, the Regulations already applied to large-scale “general merchandise retailers” that are (i) regulated by the MOEA as of August 1, 2023, and (ii) not engaged in industries that require special permissions or licenses or are subject to specific regulatory laws, such as Chinese medicine retailers, Western medicine retailers, medical device retailers, cosmetics retailers, multi-level marketing businesses, and agricultural product retailers. With the latest amendments, the applicability has been broadened to include nine additional categories of large-scale retailers specializing in specific goods (Article 3 of the Regulations), including:
I. Retail sale of food, beverages, and tobacco products;
II. Retail sale of textiles and clothing;
III. Retail sale of household appliances and goods;
IV. Retail sale of cultural, educational, and recreational products;
V. Retail sale of building materials;
VI. Retail sale of information and communication equipment (excluding retailers of controlled telecommunications radio-frequency devices);
VII. Retail sale of motor vehicle parts, motorcycle parts, and accessories;
VIII. Retail sale of other specialized goods; and
IX. Retail stall operators.
(See Appendix 1 for details)
(2) Large-scale retailers shall implement appropriate security measures suited to each transmission method used when transmitting personal data; where encryption and backup of personal data are necessary, appropriate encryption and protection measures shall be implemented (Article 9, Paragraphs 5 to 7).
(3) Where large-scale retailers engage in the direct or indirect collection, processing, or utilization of personal data through information and communication systems as defined under the Cybersecurity Management Act, they shall implement the data security management measures stipulated in the Regulations (See Appendix 2 for details). Furthermore, security management measures already in place shall be periodically reviewed and enhanced in consideration of factors including, but not limited to, changes in current business operations, technological advancements, risk landscapes, and regulatory developments (Article 10).