In the previous article, we introduced the “fundamentals of personal data protection” that all enterprises must observe. However, according to the newly announced draft “Regulations on Security Maintenance and Management of Personal Data Files” (hereinafter referred to as the Draft), if an enterprise is classified as a “Large Non-Government Agency,” its compliance obligations will be significantly upgraded, facing stricter organizational management and technical standards. This article will help enterprises determine whether they fall into this category and understand the enhanced responsibilities that follow.
1. Who is a “Large Non-Government Agency”? The Two Thresholds Test
According to the definition in Article 3 of the Draft, an entity must meet the following two conditions simultaneously to be considered a Large Non-Government Agency:
- Not a Small and Medium Enterprise (SME): Meaning an enterprise whose scale exceeds the “Standards for Identifying Small and Medium Enterprises” (i.e., paid-in capital of NT$100 million or more, or regularly employing 200 or more employees).
- Holding 10,000 or more records of personal data: As long as the entity is not an SME and holds more than 10,000 records of personal data, it will be upgraded to a “Large Non-Government Agency.”
How is “10,000 records” calculated? Article 4 of the Draft stipulates that the number of records is calculated by aggregating “each specific purpose of collection for each natural person held on a single day.” According to the legislative explanation of the Draft, “single day” refers to the day the agency conducts the inventory, and the calculation is not simply based on the “headcount of natural persons” but is accumulated across the different purposes for which personal data is collected. In other words, even for the same data subject, if the enterprise manages files separately based on different specific purposes, that person is counted once for each purpose. For medium to large enterprises with vast member databases, supplier lists, or multiple business lines, the threshold of 10,000 records is extremely easy to reach.
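To make the counting rule concrete, the following is an added illustration (not part of the original article and not an official calculation tool) of how an inventory would tally records under the Article 4 rule: each distinct (natural person, specific purpose) pair held on the inventory day counts as one record, the same person appearing twice in the same purpose file counts once, and rows inventoried on a different day are excluded. The input rows, system names, purpose labels and subject identifiers are constructed sample data; the comparison `records >= 10_000` follows the “10,000 or more” wording in the heading above and is an assumption about how the final threshold will be applied.

```python
from collections import Counter
from dataclasses import dataclass

# Threshold from the Draft as described in the article; how the boundary case
# (exactly 10,000) is treated is an assumption until the final text is published.
THRESHOLD = 10_000


@dataclass(frozen=True)
class HoldingRow:
    """One row exported from a system that keeps personal data files."""
    source_system: str    # which internal system the row came from (constructed label)
    subject_id: str       # identifier of the natural person (constructed, e.g. a hashed member id)
    purpose: str          # specific purpose of collection under which the file is kept
    inventory_date: str   # ISO date on which the row was inventoried


# Constructed sample inventory: the same person (S-001) is held for two different
# specific purposes, appears twice in the CRM file, and one row belongs to a
# different inventory day.
SAMPLE_ROWS = [
    HoldingRow("crm", "S-001", "member services", "2026-03-02"),
    HoldingRow("crm", "S-001", "member services", "2026-03-02"),   # duplicate row, counts once
    HoldingRow("marketing", "S-001", "marketing", "2026-03-02"),   # same person, second purpose
    HoldingRow("crm", "S-002", "member services", "2026-03-02"),
    HoldingRow("accounts-payable", "S-003", "supplier payment", "2026-03-02"),
    HoldingRow("crm", "S-004", "member services", "2026-02-28"),   # different day, excluded
]


def rows_on_day(rows, inventory_date):
    """Keep only rows that were inventoried on the single day being counted."""
    return [r for r in rows if r.inventory_date == inventory_date]


def count_records(rows, inventory_date):
    """Article 4 style count: distinct (natural person, specific purpose) pairs."""
    pairs = {(r.subject_id, r.purpose) for r in rows_on_day(rows, inventory_date)}
    return len(pairs)


def count_headcount(rows, inventory_date):
    """Plain headcount of distinct natural persons, for comparison only."""
    return len({r.subject_id for r in rows_on_day(rows, inventory_date)})


def breakdown_by_purpose(rows, inventory_date):
    """How many distinct persons are held under each specific purpose."""
    pairs = {(r.subject_id, r.purpose) for r in rows_on_day(rows, inventory_date)}
    return dict(Counter(purpose for _, purpose in pairs))


def inventory_summary(rows, inventory_date, threshold=THRESHOLD):
    """Summarise the inventory and flag whether the record threshold is reached."""
    records = count_records(rows, inventory_date)
    return {
        "inventory_date": inventory_date,
        "headcount": count_headcount(rows, inventory_date),
        "records": records,
        "by_purpose": breakdown_by_purpose(rows, inventory_date),
        "reaches_threshold": records >= threshold,  # assumption: boundary counts as reached
    }


if __name__ == "__main__":
    summary = inventory_summary(SAMPLE_ROWS, "2026-03-02")
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the sample data the headcount on 2026-03-02 is 3 persons but the record count is 4, because S-001 is held under two specific purposes; a real inventory would feed this the exported rows of every system that keeps personal data files, and the per-purpose breakdown shows which business lines contribute most to the total.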
2. Enhanced Obligation 1: Mandatory Organizational Structure
Once categorized as a Large Non-Government Agency, relying solely on legal or IT departments to handle personal data tasks part-time may no longer be sufficient to meet regulatory requirements. Article 17 of the Draft requires the establishment of a dedicated organizational structure:
- Designate Dedicated Personnel: Specific personnel must be designated to be responsible for personal data protection matters.
- Establish an Execution Team: Individual effort is not enough; a cross-departmental “Personal Data Protection Management Execution Team” must be established to be responsible for policy deliberation and execution.
- Segregation of Duties: The Draft explicitly stipulates that the “Management Dedicated Personnel” responsible for execution and the “Audit Personnel” responsible for auditing shall not be the same person. This requires enterprises to establish a mechanism for the segregation of duties internally to ensure the independence and objectivity of auditing.
3. Enhanced Obligation 2: Written “Security Maintenance Plan”
General enterprises only need to establish management mechanisms, but Large Non-Government Agencies, pursuant to Article 16 of the Draft, must formulate a formal “Personal Data File Security Maintenance Plan,” covering risk assessment, incident response, awareness promotion, etc. The formulation or amendment of this plan must be approved by the enterprise’s representative (such as the Chairman or General Manager) or their designee.
This plan is not a one-time document. Articles 19 and 26 of the Draft require that enterprises must conduct risk assessments annually and review and amend the plan based on the assessment results.
This part is the core spirit of the PDCA (Plan-Do-Check-Act) cycle required by the regulations. Many enterprises’ personal data plans often become mere formalities, leading to the discovery that the plan is unimplementable only when an incident occurs. Please ensure regular checks and revisions are implemented; do not let your company’s PDCA turn into Plan, Delay, Cancel, Apology.
4. Enhanced Obligation 3: Stricter Cybersecurity Technical Indicators
For information systems, Article 23 of the Draft sets higher technical standards for Large Non-Government Agencies:
- Pre-Launch Testing: If the enterprise’s information system provides external services (such as official websites or mobile apps), source code reviews, vulnerability scans, and penetration tests must be completed before the system goes live, and it may only go live after the identified vulnerabilities are patched. The relevant tests must continue to be conducted after the system is live.
- Data Masking and Encryption: When personal data display is involved, there must be a masking mechanism (such as partially masking ID numbers), and encryption is mandatory during transmission.
- Intrusion Prevention: Measures to prevent intrusion from external networks (such as firewalls and web application firewalls, WAF) must be established.
5. Recommendation: Start Inventory Now
If your enterprise does not fall under the category of an SME, please be sure to immediately conduct a “Personal Data Record Inventory.”
- If approaching or exceeding 10,000 records: Immediately start planning the “Security Maintenance Plan” and review whether the current manpower allocation can meet the requirement for segregation of duties between “Dedicated Personnel” and “Audit Personnel.”
- If under 10,000 records: Although temporarily exempt from the above enhanced obligations, according to Article 4 of the Draft, if the number of records reaches the threshold due to business expansion in the future, the enterprise has only a 6-month buffer period to complete all compliance implementation.
For large enterprises, personal data protection is no longer just a legal compliance issue but an important indicator of corporate governance (ESG).
Our firm possesses extensive experience in corporate personal data legal affairs and compliance implementation. If your company has any questions regarding organizational structure adjustment, drafting security maintenance plans, or cybersecurity testing compliance, please feel free to contact us at any time. Our team of professional lawyers will provide you with precise legal analysis and solutions.
Special Note: The draft subsidiary regulations mentioned in this article (such as the Regulations on Security Maintenance, etc.) are pre-announcement versions released by the Preparatory Office of the Personal Data Protection Commission between January and February 2026. As of the time of writing, they are in the public comment phase, and the official provisions may be further adjusted based on feedback from various sectors. Readers are advised to stay updated on the latest regulatory developments.