EU - Taiwan: GDPR v. PDPA

In this report, OneTrust DataGuidance provides a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and the Personal Data Protection Act 2010 (as amended in 2015) (PDPA) and the Enforcement Rules of the Personal Data Protection Act (the Enforcement Rules).

The report examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of the PDPA and the Enforcement Rules with the GDPR.

You can access the latest version of the report here.

What are the PDPA and the Enforcement Rules?

The PDPA, which took effect on March 15, 2016, and the Enforcement Rules are the primary legislation governing the collection, processing, or use of personal data in Taiwan.

Key highlights

The PDPA and the GDPR are broadly similar and share certain fundamental concepts and approaches within the realm of data protection. Both laws:

  • have comparable definitions for 'personal data;'
  • address matters such as data subject rights;
  • provide lawful bases for data processing; and
  • set out restrictions on international data transfers.

However, despite their similarities, the PDPA and the GDPR sometimes differ in their approach. For example:

  • the PDPA does not explicitly define special categories of personal data, nor does it define 'online identifiers;'
  • the obligations imposed on government and non-government agencies in the PDPA are less extensive than those provided in the GDPR;
  • the PDPA omits obligations, including those relating to conducting Data Protection Impact Assessments (DPIA), data breach notifications, and record-keeping;
  • regarding the notification of data breaches, the PDPA does not require government and non-government agencies to notify central government authorities; and
  • the two laws take different approaches to the appointment of a DPO.