Taiwan PDPA

Personal Data Protection Act

Taiwan · Opt-in · Special Administrative Region

Key Facts

  • Effective Date: October 1, 2012
  • Enacted: May 26, 2010
  • Enforcing Authority: Sector-specific competent authorities; new independent PDPC established by November 2025 amendments
  • Consent Model: Opt-in
  • Applies To: Government and non-government agencies processing personal data of individuals in Taiwan

Overview

Taiwan's PDPA was significantly reformed by the November 2025 amendments, establishing the country's first independent Personal Data Protection Commission (PDPC). This moves Taiwan from fragmented sectoral enforcement to centralized oversight. Data breach notification is now mandatory rather than discretionary.

What This Means for Your Website

  • Informed consent is required before collecting personal data of Taiwanese visitors
  • Clear disclosure is needed: organization name, data types, purpose, rights, and duration of use
  • Data breach notification is now mandatory (previously discretionary)
  • Government agencies must designate Data Protection Officers
  • Criminal penalties include up to 5 years imprisonment for intentional violations
  • Class action civil damages can reach NTD 200 million aggregate

Key Requirements

Sector-specific authorities currently enforce the PDPA, with the new PDPC taking on centralized oversight. Civil damages range from NTD 500 to 20,000 per incident per person, with class action aggregates up to NTD 200 million. Criminal penalties include up to 5 years imprisonment and NTD 1 million fines for intentional violations.

How ConsentStack Handles This

ConsentStack applies informed consent for Taiwanese visitors with clear disclosures about data collection purposes and rights, meeting PDPA requirements.

Penalties

Civil: NTD 500-20,000 per incident per person (up to NTD 200M in class actions). Criminal: up to 5 years and NTD 1M for intentional violations.

Maximum Fine: NT$200,000,000 aggregate

Key Requirements

  • Informed consent required before collecting personal data
  • Clear disclosure of: organization, data types, purpose, rights, duration
  • Mandatory data breach notification (November 2025 amendments)
  • Government agencies must designate DPO (November 2025)
  • Data security measures required

Notable Provisions

  • November 2025 amendments establish first independent DPA (PDPC)
  • Moving from fragmented sectoral enforcement to centralized oversight
  • Breach notification now mandatory rather than discretionary
  • Criminal penalties including 5 years imprisonment

Other Asia Pacific Regulations

PIPL (China)
China's PIPL is one of three pillars alongside the CSL and DSL forming China's data governance framework. Non-essential cookies must be blocked until visitors actively opt in. Simply stating cookie use in a privacy policy is insufficient. Separate consent is required for sensitive data, cross-border transfers, public disclosure, and third-party provision.
Singapore PDPA (Singapore)
Singapore's PDPA takes a less prescriptive approach to cookies than EU/GDPR-style laws — no specific cookie consent mandate exists. However, cookies collecting personal data are subject to the PDPA's consent, notification, and purpose limitation obligations. The 2021 amendments introduced 10% turnover penalties and deemed consent provisions.
South Korea PIPA (South Korea)
South Korea's PIPA was amended in February 2026 to introduce the world's highest potential penalty ceiling at 10% of total revenue for severe violations. Cookie data qualifies as personal information when combinable with other data to identify individuals. CEO accountability is now statutory — the CEO is designated as the ultimate responsible person.
APPI (Japan)
Japan's APPI governs personal information handling with specific cookie/tracking provisions added by the 2023 Telecommunications Business Act. Consent is required before providing cookies, IPs, and device IDs to parties that will link them to identified users. The PPC conducts mandatory three-year review cycles.
Thailand PDPA (Thailand)
Thailand's PDPA is modeled on the GDPR and requires explicit consent before processing personal data through cookies. Consent must be unambiguous and via affirmative action. Enforcement intensified significantly in 2025, with THB 21.5 million in fines in August 2025 alone. Withdrawal of consent must be as easy as giving it.
Australian Privacy Act (Australia)
Australia's December 2024 amendments are the most significant since the Act's inception. Personal information now explicitly includes IPs, device IDs, and cookie identifiers. Pre-ticked boxes and dark patterns are restricted. A new statutory tort for serious privacy invasion creates a private right of action. Penalties can reach AUD 50 million or 30% of turnover.

Frequently Asked Questions

What changed in Taiwan's PDPA in 2025?

The November 2025 amendments establish Taiwan's first independent data protection authority (PDPC), make breach notification mandatory, and require government DPOs.

Does Taiwan have criminal privacy penalties?

Yes. Intentional violations carry up to 5 years imprisonment and NTD 1 million fines.

How are civil damages calculated in Taiwan?

NTD 500-20,000 per incident per person, with class action aggregates up to NTD 200 million.
