In the previous article, we discussed the dual obligations of “notifying the data subject” and “reporting to the competent authority” established by Article 12 of the new “Personal Data Protection Act” (PDPA). Among them, “notifying the data subject” is to ensure the victim’s right to know; in principle, notification is required whenever an incident occurs and affects the rights and interests of the data subject.
However, does “reporting to the competent authority” also require reporting “every single case”? This has a significant impact on an enterprise’s administrative burden and regulatory risk. According to the recently announced draft “Regulations on Notification, Reporting, and Response to Personal Data Incidents” (hereinafter referred to as the Draft), the competent authority has defined three clear “mandatory reporting thresholds.” This article will analyze the specific content of these thresholds and the Standard Operating Procedures (SOPs) for response that enterprises should have in place.
1. Mandatory Reporting Thresholds: Report if Any One is Met
According to Paragraph 1, Article 3 of the Draft, if a personal data incident meets any of the following circumstances, the enterprise must report to the competent authority (PDPC) within 72 hours of becoming aware of it:
- Involving personal data stipulated in Paragraph 1, Article 6 of the Act (Special Personal Data):
If the incident involves highly sensitive data such as medical records, healthcare, genetics, sex life, physical examination, and criminal records, reporting is mandatory regardless of the number of records. For medical institutions, biotechnology companies, or insurers, this means almost all cybersecurity incidents must be reported.
- The involved information system holds 10,000 or more records of personal data:
This clause focuses on “system scale.” Even if the incident only leaked a few records, if the information system where the incident occurred is a database holding a large amount of personal data (10,000 records or more), the system’s vulnerability could trigger systemic risks, and therefore reporting is still required.
- The number of affected personal data records reaches 100 or more:
This is the clause with the greatest impact on general B2C enterprises. 100 records is an extremely low threshold. In other words, for e-commerce platforms, membership websites, or service industries, once a leak or ransomware encryption occurs, the number of affected people can easily exceed 100. This threshold breaks the past myth that “only major incidents need to be reported,” effectively normalizing the reporting obligation.
Enterprises should pay special attention to the calculation method of “number of records.” According to the Draft’s explanation, the calculation is based on the sum of “each specific purpose of collection for each natural person held on a single day.” In other words, if data on the same client is used for multiple different purposes, it may be counted repeatedly. Enterprises should adopt a conservative approach when assessing whether the threshold is met.
2. Response Measures: What Else to Do Besides Reporting?
Reporting is not just about filling out forms; the competent authority cares more about what “stop-loss” actions the enterprise took at the moment. Article 4 of the Draft lists immediate and effective response measures that enterprises should take, which are also mandatory fields in the report content:
- Blocking and Isolation: Check leakage pathways (e.g., patching vulnerabilities) and adopt isolation (e.g., cutting off network connections) or blocking measures.
- Permission Review: Check access permissions and immediately block abnormal access paths (e.g., resetting passwords for hacked accounts).
- Data Retrieval: Attempt to recall files if sent by mistake; or request the recipient third party to delete or destroy the data.
- Internet “Right to be Forgotten”: If data has been made public on the internet, request search engine operators to delete cached pages or take measures to remove the public status.
Enterprises must execute the above measures simultaneously at the moment the incident occurs and retain records (such as log files, correspondence emails) to serve as evidence of efforts to prevent the expansion of damages when facing administrative investigations in the future.
3. Penalty Risks: The Cost of Non-Reporting
If an enterprise takes a chance, thinking “as long as we don’t report, we won’t be caught,” it faces extremely high risks under the framework of the new law.
According to Paragraph 2, Article 48 of the PDPA as amended in 2025, violation of the reporting obligation (including non-compliance with the required content, method, or time limit) is punishable by an administrative fine of NT$20,000 to NT$200,000 imposed by the competent authority, together with an order to correct within a time limit; failure to correct by the deadline may result in repeated fines for each continued violation.
Although a fine of NT$200,000 may seem low, failure to report is often accompanied by the violation of “failing to implement appropriate security maintenance measures.” Once proactively uncovered by the competent authority, in addition to the penalty for non-reporting, the portion regarding negligence in security maintenance can carry a heavy fine of up to NT$15 million. While reporting invites intervention by the competent authority, proactive reporting and cooperation with investigations are often favorable factors for mitigating liability in administrative discretion.
4. Recommendation: Establish a Graded Reporting Mechanism
Facing the low threshold of “100 records” and the “72-hour” deadline, our firm suggests that enterprises establish an internal “Incident Grading Table.” For example, classify incidents into “Red Light (involving special personal data or >100 people)” and “Yellow Light (general personal data and <100 people).” Once the cybersecurity team confirms the incident level is Red Light, the legal department should intervene immediately to prepare the reporting documents, so that the compliance requirements are met within the critical 72-hour window.
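As a worked illustration of the three thresholds in Section 1, the per-purpose counting rule, and the Red/Yellow grading recommended here, the following Python triage helper is an added example; it is not part of the original article, nor an official tool of the competent authority. Its data model, the category tags, the sample incidents and the timestamp are constructed assumptions. It treats any incident that meets at least one mandatory-reporting threshold as “Red Light” (slightly more conservative than the >100 figure in the table above, because the Draft’s threshold is 100 or more) and reads the counting rule as one record per (natural person, specific purpose) pair on a single day.

```python
# Added example (not from the article or the Draft): encodes the Draft's three
# reporting thresholds and its per-purpose record-counting rule, then maps the
# result onto a Red/Yellow grading with the 72-hour reporting deadline.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Art. 6 para. 1 categories as listed in the article; the tag strings are ours.
SPECIAL_CATEGORIES = frozenset({
    "medical_record", "healthcare", "genetic", "sex_life",
    "physical_exam", "criminal_record",
})
SYSTEM_SCALE_THRESHOLD = 10_000   # records held by the affected system
AFFECTED_THRESHOLD = 100          # affected records, counted per purpose
REPORT_WINDOW = timedelta(hours=72)


@dataclass(frozen=True)
class AffectedRecord:
    subject_id: str                       # one natural person
    purpose: str                          # one specific purpose of collection
    categories: frozenset = frozenset()   # data categories in the record


@dataclass
class Assessment:
    must_report: bool
    level: str
    triggers: List[str]
    affected_count: int
    report_deadline: Optional[datetime]


def count_records(records):
    """Counting rule as the article describes it: one record per
    (natural person, specific purpose) pair held on a single day. The same
    person under two purposes counts twice; duplicate rows for the same
    person and purpose count once (deduplication by pair is our reading)."""
    return len({(r.subject_id, r.purpose) for r in records})


def assess_incident(affected, system_record_count, detected_at):
    """Apply the three thresholds; any one met makes the report mandatory."""
    triggers = []
    if any(r.categories & SPECIAL_CATEGORIES for r in affected):
        triggers.append("special personal data (Art. 6 para. 1) involved")
    if system_record_count >= SYSTEM_SCALE_THRESHOLD:
        triggers.append(f"affected system holds {system_record_count} "
                        f">= {SYSTEM_SCALE_THRESHOLD} records")
    n = count_records(affected)
    if n >= AFFECTED_THRESHOLD:
        triggers.append(f"{n} affected records >= {AFFECTED_THRESHOLD}")
    must_report = bool(triggers)
    # Assumption: every incident that meets a mandatory-reporting threshold is
    # graded Red Light so the legal team is pulled in immediately.
    return Assessment(
        must_report=must_report,
        level="Red Light" if must_report else "Yellow Light",
        triggers=triggers,
        affected_count=n,
        report_deadline=detected_at + REPORT_WINDOW if must_report else None,
    )


# Constructed sample: customer c1 appears under two purposes (counts twice),
# c2 appears twice under the same purpose (counts once), c3 once.
SAMPLE_DETECTED_AT = datetime(2026, 3, 1, 9, 0)
SMALL_LEAK = [
    AffectedRecord("c1", "order_fulfilment"),
    AffectedRecord("c1", "marketing"),
    AffectedRecord("c2", "order_fulfilment"),
    AffectedRecord("c2", "order_fulfilment"),
    AffectedRecord("c3", "order_fulfilment"),
]


def run_samples():
    """Four constructed scenarios, one per outcome of the threshold test."""
    return {
        "small_leak": assess_incident(SMALL_LEAK, 5_000, SAMPLE_DETECTED_AT),
        "large_system": assess_incident(SMALL_LEAK, 25_000, SAMPLE_DETECTED_AT),
        "special_data": assess_incident(
            [AffectedRecord("p1", "treatment", frozenset({"medical_record"}))],
            500, SAMPLE_DETECTED_AT),
        "ransomware": assess_incident(
            [AffectedRecord(f"m{i}", "membership") for i in range(150)],
            5_000, SAMPLE_DETECTED_AT),
    }


if __name__ == "__main__":
    for name, a in run_samples().items():
        print(f"{name:13s} {a.level:13s} report={a.must_report!s:5s} "
              f"count={a.affected_count:4d} deadline={a.report_deadline} "
              f"triggers={a.triggers}")
```

The “small_leak” scenario shows why the counting rule matters: five rows collapse to four records, and with a 5,000-record system and no special data it stays Yellow; the identical rows on a 25,000-record system become Red purely on the system-scale clause, with the deadline computed from the time of awareness rather than the time of the incident.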
Our firm possesses extensive experience in corporate personal data legal affairs and compliance implementation. If your company has any needs regarding reporting threshold determination, response SOP formulation, or simulation drills, please feel free to contact us at any time. Our team of professional lawyers will provide you with accurate legal analysis and solutions.
Special Note: The draft subsidiary regulations mentioned in this article (such as the Regulations on Security Maintenance, Regulations on Incident Notification, etc.) are pre-announcement versions released by the Preparatory Office of the Personal Data Protection Commission between January and February 2026. As of the time of writing, they are in the public comment phase, and the official provisions may be further adjusted based on feedback from various sectors. Readers are advised to stay updated on the latest regulatory developments.