COMPUTER-PROCESSED PERSONAL DATA PROTECTION LAW

Promulgated on 11 August 1995

Disclaimer: This translation is unofficial as a point of reference only and should not be regarded as a substitute for proper legal advice.

Chapter 1: General Principles

Chapter 2: Data Processing by Public Institutions

Chapter 3: Data Processing of Non-Public Institutions

Chapter 4: Compensation for Damages and Other Remedies

Chapter 5: Penalty

Chapter 6: Ancillary Provisions

Enforcement Rules

CHAPTER 1: GENERAL PRINCIPALS

ARTICLE 1

This Law is enacted to regulate the computerized processing of personal data so as to avoid any infringement of the rights appertaining to an individual's personality and facilitate reasonable use of personal data.

ARTICLE 2

Protection of personal data shall be based on this Law; however, where other laws provide otherwise, the said laws shall apply.

ARTICLE 3

Definitions of terms used herein are as follows:

  1. The term "personal data" means the name, date of birth, uniform number of identification card, special features, finger print, marriage, family, education, profession, health condition, medical history, financial condition, and social activities of a natural person as well as other data sufficient to identify the said person.
  2. The term "personal data file" means a collection of personal data stored in an electromagnetic recorder or other similar media for specific purposes.
  3. The term "computerized processing" means to use computers or automatic machines for input, storage, compilation, correction, indexing, deletion, output, transmission, or other processing of data.
  4. The term "collection means" acquisition of personal data for establishment of personal data files.
  5. The term "use" means that a public institution or a non-public institution uses the personal data file maintained by it for internal use or provides the personal data file for use by a third party other than a concerned party.
  6. The term "public institution" means any agency at central or local government level performing official authorities by law.
  7. The term "non-public institution" means the following enterprises, organizations, or individuals other than the public institution prescribed in Subparagraph 6 above:
  • Any credit investigation business or organization or individual whose principal business is to make the collection or computerized processing of personal data.
  • Any hospital, school, telecommunication business, financial business, securities business, insurance business, and mass media.
  • Other enterprises, organizations, or individuals designated by the Ministry of Justice and the central government authorities in charge of concerned end enterprises.
  1. The term "concerned party" means the person whose personal information is a subject matter.
  2. The term "specific purpose" means the purpose which shall be determined by the Ministry of Justice in conjunction with the central competent authorities having the primary jurisdiction over the enterprise concerned.

ARTICLE 4

Any concerned party shall not waive in advance or limit with special conditions the following rights to be exercised hereunder in respect of his/her personal data:

  1. Inquiry and request for review.
  2. Request for duplicates.
  3. Request for supplements or amendments.
  4. Request for cease of computerized processing and use.
  5. Request for deletion.

ARTICLE 5

In respect of any organization or individual entrusted by a public institution or a non-public institution with the work of data-processing, the person who does the work of data-processing shall be deemed as a member of the entrusting institution within the scope of application of this Law.

ARTICLE 6

Collection and use of personal data shall be made in good-faith and with consideration of rights and interests of the concerned party and shall not transgress the scope of necessity for a specific purpose.

CHAPTER 2: DATA PROCESSING BY PUBLIC INSTITUTIONS

ARTICLE 7

Any public institution shall not make collection or computerized processing of personal data unless for specific purposes and in conformity to any one of the following circumstances:

  1. Within the scope of necessity for its official functions as provided in laws and/or ordinances.
  2. With the written consent of a concerned party.
  3. No potential harm to be done to the rights and interests of a concerned party.

ARTICLE 8

Use of personal data by a public institution shall be within the scope of necessity for its official functions as provided in laws and/or ordinances and in conformity to the specific purposes of collection; however, use beyond the specific purposes may be made under any one of the following circumstances:

  1. Expressly provided by law.
  2. With legitimate cause and for internal use only.
  3. To protect national security.
  4. To enhance public interest.
  5. To avoid emergent danger to the life, body, freedom, or property of a concerned party.
  6. Necessary for preventing grave damages to rights and interests of others.
  7. Necessary for academic research without harm to the major interests of others.
  8. Favorable to rights and interests of a concerned party.
  9. With written consent of a concerned party.

ARTICLE 9

International transmission and use of personal data by public institution shall be in accordance with relevant laws and ordinances.

ARTICLE 10

Any public institution maintaining a personal data file shall publish the following information and its changes in the official gazette or in other proper manners:

  1. Name of the personal data file.
  2. Name of the public institution maintaining the file.
  3. Name of the public institution using the personal data file.
  4. Basis and specific purposes of maintaining a personal data file.
  5. Classification of personal information.
  6. Scope of personal information.
  7. Collection method of personal data.
  8. Places where personal information is usually transmitted to recipients and recipients thereof.
  9. Direct recipients of international transmission of personal information.
  10. Name and address of the public institution accepting applications for inquiry, amendment, and review of personal data.

The classification of personal information mentioned in Subparagraph 5 of the preceding paragraph shall be stipulated by the Ministry of Justice and the central government authorities in charge of concerned end enterprises.

ARTICLE 11

The following personal data files may not be subject to application of provisions in the preceding Article:

  1. Relating to national security, diplomatic and military secret, overall economic interest, or other grave interest of the country.
  2. Relating to cases under examination by Grand Justices of Judicial Yuan, cases under examination by Committee on the Discipline of Public Functionaries, and matters concerning court investigation, trial, judgment, execution, or processing of non-litigation affairs.
  3. Relating to crime prevention, criminal investigation, execution, corrective - protective measures of the offenders, or prisoner's after-jail protection.
  4. Relating to administrative punishment and compulsory execution thereof.
  5. Relating to administration of border entrance and exit, security examination or refugee examination.
  6. Relating to taxes and collection thereof.
  7. Relating to personnel, daily duties, salary, sanitation, welfare, or relevant affairs of government agencies.
  8. Specially provided for test of computerized processing.
  9. To be deleted before publication in official gazette.
  10. Relating only to the name, residence, money and article exchange relations of a concerned party for the need of official business contact.
  11. Made individually for internal use by government staff solely in carrying out its personal duties.
  12. Others specially provided in laws.

ARTICLE 12

A public institution shall, upon request by a concerned party, reply inquiries on, permit review of, and make duplicates of the personal data file maintained by it except for any one of the following circumstances:

  1. The personal data file may not be published under the preceding Article.
  2. Likely to cause interference with public functions.
  3. Likely to undermine the great interest of a third party.

ARTICLE 13

A public institution shall maintain personal information with accuracy and make timely amendments or supplements ex officio or upon request by a concerned party.

Where there is a dispute about accuracy of personal information, a public institution shall cease computerized processing and use of concerned personal information ex officio or upon request by the concerned party except that the said personal information is required for carrying out official duty and the dispute is noted or the consent of the concerned party has been obtained. When the specific purpose of computerized processing of personal information no longer exists or the time limit there of expires, a public institution may, ex officio or upon request by a concerned party, delete or cease computerized processing and use the said information except that the said information is required for carrying out official duties, change of purpose is made hereunder, or the written consent of the concerned party has been obtained.

ARTICLE 14

A public institution shall maintain books and records to register information published under Paragraph 1, Article 10 hereof for public consult.

ARTICLE 15

A public institution shall process request made by a concerned party hereunder within thirty (30) days upon receipt of such request or advise in writing the requester of reasons if process of the request can not be completed within said time limit.

ARTICLE 16

In respect of a request for inquiry on, review of or duplicates of personal information, a public institution may charge a proper amount of fees therefor.

ARTICLE 17

A public institution maintaining a personal data file shall designate a special staff to take exclusive charge of maintenance of safety in accordance with relevant laws and ordinances so as to prevent personal data from burglary, alteration, destruction, extinction, or disclosure.

CHAPTER 3 - DATA PROCESSING OF NON-PUBLIC INSTITUTIONS

ARTICLE 18

Unless for a specific purpose and satisfying any of the following requirements, a non-government organization should not collect or process by computer the personal data:

  1. Upon written consent from the party concerned;
  2. Having a contractual or quasi-contractual relationship with the party concerned and having no potential harm to be done to the party concerned;
  3. Such personal data is already in public domain and having no harm to the major interest of the party concerned;
  4. For purpose of academic research and having no harm to the major interest of the party concerned; or
  5. Specifically provided by the relevant laws in Article 3 (7) ii and other laws.

ARTICLE 19

A non-public institution not registered with the government authority in charge of concerned end enterprises and issued with a license shall not engage in collection, computerized processing, international transmission, and use of personal data.

A credit investigation business and any organization or individual whose principal business is to make collection or computerized processing of personal data shall obtain permission from the government authority in charge of concerned end enterprises and register therewith and issued with a license. Registration procedures, conditions precedent of permission, and criteria of charges in relation to the preceding two paragraphs shall be stipulated by the central government authorities in charge of concerned end enterprises.

ARTICLE 20

Application for registration prescribed in the preceding Article shall be made in writing with description of the following information:

  1. Applicant's name, place of residence or domicile. If the applicant is a juridical person or non-juridical organization, its names, principal office, branch office(s), or business operation office(s) and its representative's or administrator's name, place of residence or domicile.
  2. Name of the personal data file.
  3. Specific purposes of maintaining a personal data file.
  4. Classification of personal information.
  5. Scope of personal information.
  6. Period to maintain a personal data file.
  7. Collection method of personal data.
  8. Scope of use of personal data file.
  9. Direct recipients of international transmission of personal information.
  10. Name of person responsible for preserving personal data file.
  11. Safety maintenance plan of personal data file.

Change of registration shall be applied for within fifteen (15) days after any change of the above said information. Termination of registration shall be applied for within one (1) month from occurrence of cause of business termination.

When termination of registration is applied for under the preceding paragraph, method of disposal of the personal data maintained by the applicant shall be reported to the government authorities in charge of concerned end enterprises for approval.

The specific purposes and classification of information mentioned in Sub-paragraph 3, Paragraph 1 above shall be stipulated by the Ministry of Justice and the central government authorities in charge of concerned end enterprise. Criteria of safety maintenance plan of personal data file mentioned in Subparagraph 11, paragraph 1 and the method of disposal mentioned in paragraph 3 above shall be stipulated by government authorities in charge of concerned end enterprises.

ARTICLE 21

When registration is approved, information prescribed in Subparagraphs through 10, Paragraph 1 of the preceding Article shall be published in an official gazette and local newspapers.

ARTICLE 22

A non-public institution shall maintain books and records to register information prescribed in Subparagraphs 1 through 10, Paragraph 1, Article 20 for public consultation.

ARTICLE 23

Use of personal information by a non-public institution shall be within the scope of necessity for the specific purpose of collection; however, use beyond the specific purpose may be made under any one of the following circumstances:

  1. To enhance public interest;
  2. To avoid emergent danger to the life, body, freedom, or property of a concerned party;
  3. Where it is necessary for preventing grave damages to rights and interests of others; or
  4. With written consent of a concerned party.

ARTICLE 24

Under any one of the following circumstances, the government authorities in charge of concerned end enterprises may restrict international transmission and use of personal information by non-public institutions hereunder:

  1. Involving great interest of this country.
  2. Specially provided in an international treaty or agreement.
  3. Where the receiving country lacks proper laws and/or ordinances to adequately protect personal data and where are apprehensions of injury to the rights and interests of a concerned party.
  4. To indirectly transmit to and use from a third country personal information so as to evade control of this Law.

ARTICLE 25

A government authority in charge of concerned end enterprises may, if necessary, dispatch officials with identification documents to order a non-public institution under its control in respect of permission or registration to provide relevant data or give other necessary cooperation in relation to matters provided herein and visit the said non-public institution to conduct inspections. If any data violating this Law is found, the data may be seized. The non-public institution shall not evade, hinder or refuse any order, inspection, or seizure under the above paragraph.

ARTICLE 26

Articles 12, 13, 15, Paragraph 1, Article 16, and Article 17 shall apply mutatis mutandis to non-public institution. The charge criteria of a non-public institution applying mutatis mutandis Paragraph 1, Article 16 shall be stipulated by the central government authorities in charge of concerned end enterprises.

Chapter 4: Compensation for Damages and Other Remedies

ARTICLE 27

A public institution violating provisions herein thus causing damages to the rights and interests of a concerned party shall be liable for compensation for damages except that the damage is due to acts of God, accidents, or other causes of force majeure.

The aggrieved party though having suffered non-pecuniary damage still may claim for monetary compensation in a proper amount and, if having suffered any damage in reputation, for proper measures to rehabilitate his/her reputation.

The total amount of compensation for damages prescribed in the preceding two paragraphs shall be not less than NT$20,000 and not more than NT$ 100,000 for each event to each person unless there is evidence to prove a higher amount of damages.

In case of compensation for damages in favor of a number of injured parties due to one single cause, the aggregated sum of compensation amount shall be limited to NT$20,000,000.

The claim for compensation as prescribed in Paragraph 2 above shall not be transferred or inherited, except in case of a claim for monetary compensation which has been acknowledged by contract or upon which an action has been commenced.

ARTICLE 28

A non-public institution violating provisions herein thus causing damages to the interests of a concerned party shall be liable for compensation for damages except that it can prove that it has no intention or fault. Provisions in Paragraphs 2 through 5 of the preceding Article shall be applicable to request except that it can prove that it has no intention or fault. Provisions in Paragraphs 2 through 5 of the preceding Article shall be applicable to request for compensation set forth in the above paragraph.

ARTICLE 29

The claim for compensation for damages shall extinguish after two (2) years from the time when the injured party becomes aware of the damage and the obliger to make compensation or after five (5) years from the time of occurrence of the damage.

ARTICLE 30

In respect of compensation for damages, in addition to application of this Law, the National Liability Law shall apply to government agencies and the Civil Code to non-public institution.

ARTICLE 31

Where a concerned party is refused or a request is not attended within the time limit prescribed in Article 4 by a public institution, the concerned party may, within twenty (20) days after the refusal or expiry of the time limit, request in writing the supervising authority to take proper action.

ARTICLE 32

Where a concerned party is refused the exercised rights of those prescribed in Article 4 by a non-public institution or after the expiry of the fixed period for reply, the concerned party may, within twenty (20) days after the refusal, request in writing the government authorities in charge of concerned end enterprises to take proper action.

The government authorities in charge of concerned end enterprises mentioned above shall inform, within two (2) months after the receipt of the request, the requesting party of the result of its action. If the request is found with merits, a demand on the non-public institution to correct within a limited time period shall be made.

CHAPTER 5 - PENALTY

ARTICLE 33

A person, with an intention to seek profits, who violates Articles 7, 8, 18 and 19, Paragraphs 1, and 2, Article 23, or a restriction order issued under Article 24 of this Law and thereby causing damages to others, shall be punished with imprisonment for not more than two years, detention, or, or in addition thereto a fine of not more than NT$40,000.

ARTICLE 34

A person, with an intention to acquire illegal interests for its personal or third party's benefit, or damage other's interests, who makes illegal output, interference, alteration, and deletion of a personal data file or impedes the accuracy

of a personal data file causing damages to others shall be punished with imprisonment for not more than three (3) years, detention, or a fine of not more than NT$50,000.

ARTICLE 35

A public official who takes advantage of his authority, opportunity or means afforded by his official position to commit an offence provided by the preceding two Articles shall be subject up to one and a half times punishment prescribed for such offense as provided in the preceding two Articles.

ARTICLE 36

Prosecution for any offence specified in this Chapter may be instituted only upon complaint.

ARTICLE 37

Any more severe punishment stipulated in any other laws against any offence specified in this Chapter shall be applicable.

ARTICLE 38

Where a concerned institution meets any one of the following circumstances, the responsible person of the said institution shall be punished by the government authorities in charge of the concerned end enterprise with a fine of not less than NT$20,000 and not more than NT$100,000, a time limit for correction shall also be prescribed. In case no correction is made within the given time limit, the preceding fine will be imposed on the responsible person of a concerned institution for each violation until correction is made. 1. Violation of Article 18 of this Law 2. Violation of Paragraphs 1 or 2, Article 19 of this Law. 3. Violation of Article 23 of this Law 4. Violation of restriction order issued under Article 24 of this Law.

In case of a serious violation of Subparagraphs 1, 3, or 4 of the preceding paragraph, the permission granted or registration made hereunder may be revoked or canceled.

ARTICLE 39

Where a concerned institution meets any one of the following circumstances, it shall be prescribed by the government authorities in charge of concerned end enterprises a time limit for correction. In case no correction is made within the given time limit, the responsible person of the said concerned organization shall be punished with a fine of not less than NT$10,000 and not more than NT$50,000 for each violation until correction is made.

  1. Violation of Paragraph 2, Article 20 of this Law.
  2. Violation of Article 21 of this Law regarding publication in local newspapers.
  3. Violation of Article 22 of this Law.
  4. Violation of Paragraph 1, Article 26 for which Articles 12, 13, 15 and 17 are applicable mutatis mutandis.
  5. Violation of charge criteria of Paragraph 2, Article 26 of this Law.

In case of a serious violation of Subparagraphs 1, 2, 3 or 4 of preceding paragraph, the permission granted or registration made hereunder may be revoked or canceled.

ARTICLE 40

Where a concerned organization institution, the responsible person of the said institution meets one of the following circumstances shall be punished by the government authorities in charge of concerned end enterprises with a fine of not less than NT$10,000 and not more than NT$50,000 for each violation until correction is made.

  1. Failure to comply with the method of disposal approved by the government authorities in charge of concerned end enterprises under Paragraph 3, Article 20 of this Law.
  2. Violation of Paragraph 2, Article 25 of this Law.
  3. Violation of the official order for correction within a time limit under Paragraph 2, Article 32 of this Law.

In case of a serious violation of Subparagraphs 2 or 3 of the preceding Paragraph, the permission granted or registration made hereunder may be revoked or canceled.

ARTICLE 41

Where a fine imposed under this Law which has not been paid within the time limit given in a notice, shall be transferred to the court for compulsory execution.

CHAPTER 6 - ANCILLARY PROVISIONS

ARTICLE 42

The Ministry of Justice shall be responsible for coordination and contact of matters relating to execution of this Law and rules governing such coordination and contact shall be enacted by the said Ministry.

In case there is no government authority in charge of a certain end enterprise, matters to be handled by a government authority in charge of concerned end enterprises as provided herein shall be handled by the Ministry of Justice. The Ministry of Justice and government authorities in charge of concerned end enterprises may, if necessary, entrust any public welfare body with the administration of registration, publication, or other matters relating to collection, computerized processing, and use of personal data by non-public institutions.

ARTICLE 43

For operations of collection or computerized processing of personal data already occurred before promulgation of this Law, registration or permission thereof, if required hereunder, shall be supplementarily applied for within one (1) year from the date of promulgation of this Law.

Enterprises, organizations, or individuals designated by the Ministry of Justice and the central government authorities in charge of concerned end enterprises under Item 3, Subparagraph 8, Article 3 of this Law, shall apply for registration or permission within six (6) months from the date of designation.

Failure to file an application within the time limit prescribed in the preceding two paragraphs or rejection of an application shall be deemed that no approval of registration or permission is given.

ARTICLE 44

The Enforcement Rules of this Law shall be enacted by the Ministry of Justice.

ARTICLE 45

This Law shall come into force on the date of promulgation.