With the establishment of the Ministry of Digital Affairs (“MODA”), the central competent authority in charge of information services, AI, information security, application software, content software, and relevant matters has been changed to the MODA and its subordinate agencies. To strengthen the protection of personal data, under the authorization of Paragraph 3, Article 27 of the Personal Data Protection Act (“PDPA”), the MODA announced the draft Regulations Governing the Personal Data Files Security Maintenance Plan and Disposal Methods for Digital Economy Related Industries (“Draft Regulations”) on November 15, 2022. The Draft Regulations require the following industries to establish a personal data protection policy and a personal data files security maintenance plan (“Security Maintenance Plan”):
A. Non-Store Retailing (excluding TV Shopping Channel Providers and Multi-Level Marketing Enterprises);
C. Computer System Design Services;
D. Web Portals, Data Processing, Web Hosting, and Relevant Services (excluding industries governed by other central competent authorities); and
E. Other Information Supply Services (collectively, “Applicable Businesses”).
According to the Draft Regulations, an Applicable Business’s Security Maintenance Plan shall specify the following items:
1. Allocation of personnel and sufficient resources to enforce relevant measures;
2. Identification of the scope of personal data;
3. Data risk assessment and the management mechanism thereof;
4. Mechanism for prevention, notification, and handling of incidents;
5. Internal management procedures for collection, processing, and use of personal data;
6. Restrictions, notification, and supervision of cross-border transfer;
7. Data, personnel, and equipment security management measures;
8. Awareness programs and training;
9. Data security auditing mechanism;
10. Maintenance of access records, log files, and relevant evidence; and
11. Continuous improvement of security maintenance measures.
The Draft Regulations also require Applicable Businesses to report to the MODA (or local governments and carbon copy to the MODA) within 72 hours after becoming aware of a data breach. If Applicable Businesses provide e-commerce services or information system services, additional data security management measures shall be adopted. In addition, the Draft Regulations further require Applicable Businesses with a paid-in capital of NT$10 million or more to implement certain data security maintenance matters on an annual basis, including maintaining personal data inventory, conducting data risk assessment, offering awareness programs and training, conducting data security audits, etc.
If an Applicable Business is commissioned to collect, process, or use personal data (i.e., acting as a data processor), pursuant to Article 4 of the PDPA and Article 7 of the Enforcement Rules of the PDPA, said Applicable Business shall comply with those regulations applicable to the commissioning agency (i.e., the data controller). Therefore, the Draft Regulations also remind Applicable Businesses to confirm the industries to which the commissioning agencies belong and comply with the relevant data protection regulations stipulated by the corresponding competent authorities.