Taiwan: Data Protection in the Financial Sector

1. Governing Texts

1.1. Legislation

The current Taiwanese general privacy and data protection law is the Personal Data Protection Act 2010 (as amended in 2015) ('PDPA'), which on 26 May 2010 replaced the Computer Processed Personal Data Protection Act ('CPDPA'), and has been effective since 1 October 2012. Its first amendment entered into force on 15 March 2016.

The Enforcement Rules of the Personal Data Protection Act ('the Enforcement Rules'), in force since 1 October 2012 and amended on 15 March 2016, were promulgated to set forth detailed rules on the implementation and enforcement of PDPA provisions.

The Financial Holding Company Act ('FHCA') provides specific regulations regarding financial communication data protection issues. Under the FHCA, a financial holding company and its subsidiaries must keep their customers' personal data and all other relevant transaction documents confidential. The FHCA also authorises the competent authority to require the financial holding company and its subsidiaries to establish relevant written confidentiality measures and to make such measures available to the public to inform customers on how they keep customer information confidential.

The Banking Act of the Republic of China ('the Banking Act') further specifies that banks shall keep all information related to deposits, loans, and remittances of its customers confidential, unless under any of the prescribed circumstances.

The Money Laundering Control Act ('MLCA') regulates money-laundering activities and aims to eradicate the serious crimes associated with them. To align with the Financial Action Task Force Recommendations, the MLCA was amended, with the amendments taking effect on 7 November 2018.

The Regulations Governing Anti-Money Laundering of Financial Institutions ('the AML Regulations'), promulgated on 28 June 2017 and amended on 14 November 2018, further set out the obligations of financial institutions regarding customer due diligence ('CDD') measures, record retention, reporting of cash transactions above a certain amount, and reporting of suspicious money laundering/terrorist financing ('ML/TF') transactions.

The Financial Technology Development and Innovative Experimentation Act ('FTDIE') implemented the Regulatory Sandbox regime on 31 January 2018. The Regulatory Sandbox is what the regulators describe as a safe space in which applicants can test innovative products, services, and business models in a real environment. The FTDIE specifies that applicants should comply with the PDPA and adopt appropriate information security measures commensurate with the business nature of the experimentation to ensure the security of information collection, processing, use, and transmission.

The Regulations Governing Financial Technology Innovative Experimentation ('the FTDIE Regulations'), promulgated on 27 April 2018, further prescribe the application procedure, review criteria, grounds for rejection, scale of experimentation, participant protection measures, and supervision and administration relating to innovative experimentation.

The Self-Regulation on Open API Framework for the Banking Sector and Third-Party Service Providers ('Open API Framework'), in force since 24 June 2020, was created by the Bankers Association of the Republic of China for all banks and Third-Party Service Providers ('TSPs') to follow. The Open API Framework provides a secure, controlled environment in which banks and TSPs can work together to develop innovative and integrated banking services that make use of product and service information, transaction information, and new product/service subscription applications.

Under Article 27(2) of the PDPA, a government authority in charge of supervising a particular industry may require a non-government agency to set up a security measures plan for its personal information files. In 2013, the Financial Supervisory Commission ('FSC'), the government authority in charge of the financial sector, formulated the Regulation Governing Security Measures of the Personal Information File for Non-government Agencies Designated by the Financial Supervisory Commission (only available in Chinese) and designated certain entities that retain personal information, including financial holding companies and operators within the banking, securities, and insurance markets, to establish a security and maintenance plan for the protection of personal data files and to adopt proper security measures to prevent personal information records from being stolen, altered, damaged, destroyed, or disclosed.

1.2. Supervisory authorities

The list of regulators and supervisory authorities includes:

  • the National Development Council, which is responsible for providing explanations of the law under the PDPA; and
  • the FSC, which is responsible for overseeing the financial sector and formulating financial policies. The FSC also has the authority to impose fines and to order institutions within its scope to take corrective measures when they are found to be in violation of the PDPA.

2. Personal and Financial Data Management

2.1. Legal basis for processing

Under the PDPA, 'personal data' is defined as a living natural person's name, date of birth, ID card number, passport number, contact details, characteristics, and fingerprints, and information about a person's marital status, family, education, occupation, medical record, medical treatment, genetic profile, sexual life, health examination, criminal record, finances, social activities and any other information that may be used to directly or indirectly identify a natural person. As such, the PDPA applies to any data that is sufficient to directly or indirectly identify an individual.

It should also be noted that under Article 6(1) of the PDPA, data pertaining to a natural person's medical records, healthcare, genetic, sex life, physical examination, and criminal records shall not be collected, processed, or used unless under any of the following bases:

  • when expressly required by law;
  • where it is necessary for a government agency to perform its statutory duties or for a non-government agency to fulfil its statutory obligation, so long as appropriate security measures are in place beforehand;
  • when the party has disclosed such information by themselves, or when that information has been publicised lawfully;
  • where it is necessary for statistics gathering or academic research by a government agency or an academic institution for the purpose of healthcare, public health, or crime prevention, provided that such data, as processed by the data provider or as disclosed by the data collector, may not lead to the identification of a specific data subject;
  • where it is necessary to assist a government agency in performing its statutory duties or a non-government agency in fulfilling its statutory obligations, provided that proper security and maintenance measures are adopted prior or subsequent to such collection, processing, or use of personal data; or
  • where the data subject has consented to the collection, processing, and use of his/her personal data in writing, except where the collection, processing, or use exceeds the necessary scope of the specific purpose, or where the collection, processing, or use based solely on the consent of the data subject is otherwise prohibited by law, or where such consent is not given by the data subject out of his/her free will.

2.2. Privacy notices and policies

Under Article 10, Paragraph 2 of the Financial Consumer Protection Act ('FCPA'), a financial institution must fully explain the important aspects of the financial products, services, and contract before it enters into a contract with clients. If the provision of financial products or services engages in the collection, processing, and use of personal information, the financial institution must notify clients of their rights regarding the protection of personal information, and the potential negative consequences of any refusal to provide consent.

Under Article 8 of the PDPA, a government agency or non-government agency must notify a data subject of certain information when it directly collects their data. Information that must be notified to the data subject includes:

  • the name of the government or the non-government agency;
  • the purpose of the collection;
  • the categories of the personal data to be collected;
  • the time period, territory, recipients, and methods by which the personal data is used;
  • the data subject's rights under Article 3 of the PDPA, and the methods for exercising such rights; and
  • the data subject's rights and interests that will be affected if he/she elects not to provide his/her personal data.

Under Article 9 of the PDPA, a government or non-government agency must notify the data subject of the first five types of information listed above, along with the source of information, before processing or using personal data not provided by the data subject.

Furthermore, Article 12 of the PDPA requires a government or non-government agency, including a financial institution, to properly notify data subjects of any violations of the PDPA that result in the theft, disclosure, alteration, or other infringement of their personal data.

2.3. Data security and risk management

Under Article 27(1) of the PDPA, a non-government agency that keeps personal information records must implement proper security measures to prevent personal information records from being stolen, altered, damaged, destroyed, or disclosed.

The FSC announced the Regulation Governing Security Measures of the Personal Information File for Non-government Agencies Designated by the Financial Supervisory Commission (only available in Chinese) ('the Personal Information File Regulations') in 2013 and revised them in 2021. The non-government agencies subject to the Personal Information File Regulations include financial holding companies, operators in the banking, securities, insurance, and futures markets, electronic payment service providers, and other financial services providers.

Under Articles 3 to 15 of the Personal Information File Regulations, financial institutions within their scope must:

  • create a plan for data security measures, risk assessments and control, internal audits and internal control systems, and data disposal procedures for personal information records;
  • establish the relevant management procedures for the collection, processing, and use of personal information;
  • regularly provide employees with training regarding the policies and regulations of personal data protection;
  • adopt data security management measures for the protection of personal data, such as establishing rules for the use of various equipment or storage media to prevent data leaks, adopting proper encryption measures for the personal information records that need to be encrypted, and implementing proper protection of backup data;
  • adopt data security measures when providing electronic commerce services;
  • use appropriate equipment;
  • adopt security management measures to store personal information records such as implementing appropriate control, drawing up media safe-keeping methods, and establishing proper protective equipment or technology based on the characteristics of the means used and their environment;
  • set up appropriate access authorisation and controls for personnel that require access to personal data, and include relevant confidentiality clauses in agreements with such personnel;
  • preserve a record of personal data use; and
  • regularly produce related self-evaluation reports to improve the security of personal information records.

2.4. Data retention/record keeping

Under Article 3 of the Personal Information File Regulations, the designated non-government agencies shall establish a security and maintenance plan for the protection of personal data files and the disposal measures for personal information after termination of business.

Under Article 14 of the Personal Information File Regulations, the designated non-government agencies shall preserve the use records, log files, relevant evidence, and the records of deletion of, or discontinuation of the processing or use of, personal data pursuant to Article 11 of the PDPA for at least five years, unless otherwise stipulated by law or contract.

As for the data collected for complying with the AML Regulations, according to Article 7 and Article 8 of the MLCA, together with Article 12 of the AML Regulations, the financial institutions shall retain records obtained through CDD measures and all business relations and transactions with their customers for at least five years or a longer period as otherwise required by law.

3. Financial Reporting and Money Laundering

Article 9 of the MLCA and Article 2 of the AML Regulations provide that, for any currency transaction exceeding TWD 500,000 (approx. €15,900), financial institutions and specified non-financial institutions or persons must submit the financial transaction, the customer's identity, and the transaction records to the Investigation Bureau of the Ministry of Justice ('the Investigation Bureau').

Under Article 10 of the MLCA, financial institutions, specified non-financial institutions, and persons designated by the Ministry of Justice, including but not limited to lawyers and certified public accountants, must report to the Investigation Bureau any financial transaction that is suspected of money laundering, or that is made to an entity which accepts, possesses, or uses property or the benefits of property without a reasonable account of the origin of such assets and whose income is obviously disproportionate to the size of such assets, in relation to:

  • the opening of accounts at financial institutions in the name of other persons or under a false name;
  • obtaining accounts opened by others at financial institutions, via improper means; or
  • avoiding AML procedures described in the MLCA.

This reporting obligation applies even when the transaction has not been completed.

According to the AML Regulations, financial institutions, including banking businesses, securities and futures businesses, insurance enterprises, and other financial institutions designated by the FSC, must conduct the following measures to fulfill their obligations under the MLCA:

  • CDD measures: financial institutions shall undertake CDD measures when: (1) establishing business relations with any customer; (2) carrying out occasional transactions; (3) there is a suspicion of money laundering or terrorist financing; or (4) the financial institution has doubts about the veracity or adequacy of previously obtained customer identification data. A financial institution undertaking CDD measures shall use reliable, independent source documents, data, or information, and must retain copies of the customer's identity documents or record the relevant information;
  • Ongoing CDD: the CDD measures of financial institutions shall include ongoing CDD on the business relationship to scrutinise transactions undertaken throughout the course of that relationship, to ensure that the transactions being conducted are consistent with the institution's knowledge of the customer, its business, and its risk profile, including, where necessary, the source of funds;
  • Cash Transaction Reports ('CTR'): financial institutions are required to file reports on cash transactions above a certain threshold (i.e. TWD 500,000) to the Investigation Bureau, in a format prescribed by the Investigation Bureau, via electronic media within five business days after the completion of the transaction. Financial institutions are required to keep the data reported to the Investigation Bureau and the relevant transaction records; and
  • Suspicious Transaction Reports ('STR'): financial institutions are required to file reports on suspicious money laundering/terrorist financing transactions to the Investigation Bureau, in a format prescribed by the Investigation Bureau, after the report has been approved by the responsible chief compliance officer at the institution. The report shall be filed within two business days of that approval, and the data reported to the Investigation Bureau and the relevant transaction records shall be kept by the financial institution.

4. Banking Secrecy and Confidentiality

The PDPA is the general data protection law for all government and non-government agencies, including banks and financial institutions. It governs the collection, processing, and use of personal data.

The specific provision on banking secrecy compliance is Article 48(2) of the Banking Act, which provides that all information related to deposits, loans, or remittances of a bank's customers shall be kept secret unless one of the exceptions specified in the Banking Act applies.

Under Article 48(2) of the Banking Act and Article 42(1) of the FHCA, customer information and transaction materials are financial data that must be kept confidential by bank employees and by a financial holding company and its subsidiaries.

Under Article 28(4) of the Banking Act, a bank's employees conducting trust or securities business shall keep customer information and transaction materials confidential. Such confidentiality obligations also apply to dealings between those employees and the employees of another department at the same bank; therefore, access to information, even among employees of the same bank, should be on a need-to-know basis.

Under Article 20(1) of the PDPA, the bank may only release or share information within the scope of the specific purpose(s) of the collection notified at the time of collection. Unless the bank has received the consent of the data subject, information may not be used outside the scope of the specific purpose(s) of the collection.

Please also note that under Article 18(1) of the Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation ('the FIO Regulations') which were issued in 2006 and revised in 2019, banks must first receive the approval from the FSC before they may transmit and outsource their operations related to customer information overseas.

5. Insurance

Article 177-1(1) of the Insurance Act (as amended in 2021) ('the Insurance Act') provides that insurance enterprises, insurance agents, brokers, and surveyors who operate or conduct business in accordance with the Insurance Act, or legal persons commissioned by insurance companies and insurance-related foundations may collect, process, or use personal information relating to medical records, medical treatment, or health examination of individuals, which is sensitive data that in principle cannot be collected under Article 6 of the PDPA, with the written consent of the data subject.

The FSC further stipulated the Regulations Governing Manner of Written Consent, Scope of Business and Other Matters of Compliance Prescribed by Paragraph 2, Article 177-1 of Insurance Act on 25 May 2016, requiring that the written consent, if included in the insurance application form, claim form, or other relevant documents, shall be a separate field in the form that clearly indicates, or uses an appropriate manner to fully inform the principal party of, the content of the written consent. If the personal information is to be used outside the specified scope of purpose, the written consent shall contain a separate signature field indicating that the principal party is aware of the related content and consents to such other purposes.

Also, under Article 177-1(3) of the Insurance Act, insurance companies may be exempted from the obligation to notify data subjects provided in Paragraph 1, Article 9 of the PDPA when they process and use lawfully collected information, such as the name, date of birth, ID card number, and contact details of beneficiaries under insurance contracts, to underwrite or process claims.

6. Payment Services

The PDPA is the general data protection law for all government and non-government agencies, including electronic payment institutions. Therefore, an electronic payment institution must comply with the rules on the collection, processing, and use of personal data under the PDPA.

Furthermore, the Act Governing Electronic Payment Institutions ('AGEPI'), promulgated in 2015 and revised in 2021, provides the general regulations governing electronic payment institutions. Under Article 31 of AGEPI, an electronic payment institution must keep transaction data and other related user information confidential.

The FSC issued its Regulations Governing the Standards for Information System and Security Management of Electronic Payment Institutions ('EPI Regulations') in 2015 and revised in 2017, which contain specific regulations regarding information system and security management operations of electronic payment institutions and their business. Under Article 13 of the EPI Regulations, an electronic payment institution must comply with the following provisions regarding personal data protection in e-payment operations:

  • adopt appropriate data security management measures to maintain the security of personal data held;
  • adopt appropriate equipment security management measures for personal information records which are stored in different kinds of media;
  • set up appropriate levels of access authorisation and controls for personnel, and include confidentiality clauses in agreements with such personnel;
  • map and make an inventory of the e-payment operating environment, including database, forms, statements, documents, File Transfer Protocol servers, and personal computers to check whether they contain personal data, and compile a list for, and carry out, risk assessments and controls;
  • generate and retain an audit record or identification mechanisms for personal data use to facilitate the tracking of personal data use when there is a personal data leak;
  • establish a data leak protection mechanism to control the transmission of personal data records, and retain relevant records;
  • retain certain records if the personal data in its possession is deleted, or its processing or use is being discontinued; and
  • regularly produce relevant self-evaluation reports to improve the security of personal information records.

It should also be noted that electronic payment institutions must comply with the Personal Information File Regulations given that such institutions, as designated agencies, also fall within the regulatory scope of the FSC.

7. Data Transfers and Outsourcing

The FSC issued the FIO Regulations (see the section on banking secrecy and confidentiality above) in 2006 and revised them in 2019. Under the FIO Regulations, financial institutions within scope, including banking businesses, electronic payment institutions, and foreign migrant worker remittance companies, must comply with various provisions when outsourcing their operations to third parties.

Article 3 of the FIO Regulations lists the specific business items that financial institutions may outsource to third parties. In addition, under Article 7 of the FIO Regulations, financial institutions must implement outsourcing operations and procedures that ensure the protection of customer interests, including the obligation to notify customers, the scope and method of the transfer of information, and the methods for supervising the service provider's use of customer information. Under Article 10 of the FIO Regulations, financial institutions must specify consumer protection, including the confidentiality of customer data and the adoption of security measures, in their outsourcing agreements. However, according to Article 18(1) of the FIO Regulations and the FSC FAQ on the Regulations Governing Internal Operating Systems and Procedures for the Outsourcing of Financial Institution Operation, when banks in Taiwan intend to share customer information with an entity within their group that is located outside of Taiwan, the prior notification and approval of the relevant competent authority is required.

According to the AML Regulations, a financial institution shall establish a database that consolidates the basic information of all customers and all transactions for AML/CFT inquiries by the head office and other branches (Article 9(1) of the AML Regulations). The FSC also requires financial institutions to establish policies and procedures for sharing information within the group (Article 6(4)(1) of the Regulations Governing the Internal Audit and Internal Control System for AML/CTF by Banks and Other Financial Institutions Designated by the Financial Supervisory Commission). In order to fulfil their obligations under the MLCA, financial institutions may therefore transfer client personal data at the intra-group level. If the personal data is being shared neither for AML/CFT purposes nor to fulfil any other legal obligation, customer consent is required before the data may be shared.

8. Breach Notification

Article 12 of the PDPA and Article 22 of the Enforcement Rules require non-government agencies, including financial institutions, to properly notify data subjects of any violation of the PDPA that results in the theft, disclosure, alteration, or other infringement of their personal data. The notification shall include the facts pertaining to the data breach and the response measures already adopted to address it. The notification shall be given via "appropriate means", meaning promptly, either verbally or in writing, by phone, text message, email, fax, electronic document, or other means that can effectively make the information known or available to the data subjects. However, if such notification would entail disproportionate costs, a non-government agency may, taking into consideration technical feasibility and the privacy protection of the data subjects, notify the data subjects through the Internet, the media, or other proper and public means.

According to Article 6 of the Personal Information File Regulations, in the event of a major personal data incident, the financial institution shall notify the FSC within 72 hours using the notification and record sheet attached to the regulation. "Major personal data incidents" are situations in which personal data is stolen, altered, damaged, lost, or leaked in a way that would endanger the normal operations of the financial institution or the rights and interests of a large number of data subjects.

9. Fintech

Whether financial institutions apply for innovative experimentation alone or in cooperation with non-financial institutions, all applicants must comply with the FTDIE.

Article 23(3) of the FTDIE provides that applicants for innovative experimentation shall comply with the PDPA in the collection, processing, and use of participants' data. Further, under Article 18 of the FTDIE Regulations, an applicant shall ensure the security of information collection, processing, use, and transmission to prevent illegal intrusion into, and access to, tampering with, or destruction of, business records or personal information, and shall establish participant notification and damage compensation mechanisms to respond to third-party intrusions into its information systems.

Pursuant to Articles 14 to 15 of the FTDIE, when an applicant fails to comply with the FTDIE, the competent authority may order the applicant to take remedial action within a given time period. Moreover, if the innovative experimentation involves a situation that is materially adverse to the financial market or the interests of participants, the competent authority may revoke its approval of the innovative experimentation.

The Open API Framework applies only to the banking sector. Under Articles 4 to 6 of the Open API Framework, banks must not only consider the data protection capability of TSPs before cooperating with them, but must also require TSPs to comply with the PDPA, the Open API Framework, and other regulations. Pursuant to Article 7 of the Open API Framework, banks may not provide customer information to TSPs unless they have obtained the prior consent of the customers.

It should also be noted that the Open API Framework is a self-regulatory framework within the banking industry. Thus, there are no penalties for violating the Open API Framework.

10. Enforcement

Banking Secrecy

Under Article 129 of the Banking Act, an administrative fine of not less than TWD 2 million (approx. €63,930) and not more than TWD 50 million (approx. €1.6 million) may be imposed on banks when they violate the provision of banking secrecy and confidentiality.

Under Article 135 of the Banking Act, if a bank fails to pay an administrative fine within the prescribed period of time, the government authority may suspend the business of the relevant bank or bank branch.

Under Article 136 of the Banking Act, the bank may be ordered to replace its representative or may have its licence revoked if it repeatedly violates the provisions of the Banking Act.

AML Legislation

Under Articles 6 to 10 of the MLCA, a financial institution shall be subject to an administrative fine of not less than TWD 500,000 (approx. €50,980) and not more than TWD 10 million (approx. €319,550) if it violates the AML provisions of the MLCA.

Under Article 61-1 of the Banking Act, if a bank violates the relevant laws and regulations including the MLCA, the competent authority may take any of the following actions by way of an order:

  • revoke resolutions of statutory meetings;
  • suspend part of the bank's business;
  • restrict its investments;
  • order or prohibit the bank from disposing or transferring specific assets;
  • order the bank to close a branch or department within a prescribed period;
  • order the bank to discharge managers or staff members;
  • discharge directors and supervisors or suspend them from the performance of their duties for a specified period of time;
  • order the bank to set aside a certain amount of monetary reserve; or
  • impose other necessary measures.

Penalties for violating data protection rules

The PDPA is the general personal data protection law for all government and non-government agencies including financial institutions.

Under Articles 47 to 49 of the PDPA, an administrative fine may be imposed on any non-government agency for violating the provisions of the PDPA. In addition, under Article 50 of the PDPA, the representative or main manager of a non-government agency may incur an administrative fine due to a violation of Articles 47 to 49 of the PDPA by the agency unless he/she proves that his/her obligations as a representative had been fulfilled.

Pursuant to Article 25 of the PDPA, if a non-government agency violates the provisions of the PDPA, the authority may take any of the following actions by way of an order:

  • forbid the collection, processing, or use of personal information;
  • demand the deletion of personal information records already processed;
  • demand the confiscation or disposal of the personal information unlawfully collected; or
  • make public the violation, the name of the non-government agency, and the name of the person in charge.

It should also be noted that the PDPA and the MLCA contain the general personal data protection rules and AML rules for financial and non-financial institutions. However, different types of financial institution must also comply with the specific regulations governing these two matters that apply to them, and may be subject to the additional penalties set out in those regulations.

11. Additional Areas of Interest

The Employment Services Act (amended in 2018) ('Employment Services Act') and its enforcement rules provide specific regulation with respect to employment information.

Pursuant to the Employment Services Act, when recruiting or employing new employees, an employer may not withhold any identification card, work certificate, or any other certifying document belonging to an employee or job applicant, nor request that a job applicant or employee surrender any other personal data unrelated to his/her employment against his/her free will. Such personal data may include the following:

  • physiologic information obtained from genetic, medication, medical treatment, HIV, or IQ tests, and fingerprints;
  • psychological information obtained from psychiatric, loyalty, or polygraph tests, etc.; and
  • personal lifestyle information such as financial records, criminal records, family plans, and background checks.

When employers, such as financial institutions, request job applicants or employees to present their personal data, they must respect the rights and interests of the individuals concerned. They may not process beyond the scope of necessity when considering the intended purposes of data collection, such as economic needs or public interest. In addition, there must be an appropriate and reasonable connection between the personal data requested and the purposes for which personal data is collected.

Jaime Cheng, Senior Of Counsel
Hannah Kuo, Associate
Lee, Tsai & Partners, Taipei