Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Create an account
Join our community for free to access exclusive whitepapers, reports, and regulatory information.
Taiwan: Taipei Municipal Transportation Bureau fines iRent TWD 90,000 for data security failures
The Taipei Municipal Transportation Bureau ('the Bureau') announced, on 9 February 2023, that it had fined Heyun Mobile Service Co., Ltd. ('iRent') TWD 90,000 (approx. €2,660) for violations of Articles 9(1)(10) and 14 of the Taipei City Autonomous Regulations on the Business Management of Shared Vehicles 2017 ('the Regulations'), following a data breach.
Background to the case
Following the data breach on 31 January 2023, the Bureau sent a document requesting an explanation, the measures adopted following the data breach, and a notification that it would be conducting a visit on 4 February 2023. To this end, the Bureau reported that iRent explained that its temporary database did not properly block external connections, resulting in the database potentially being accessed by external parties using specific tools and techniques to access information of members in the previous three months, with 400,000 users potentially being affected.
Findings of the Bureau
Following the inspection, the Bureau determined that iRent had failed to take appropriate security measures to prevent the data leakage in violation of Articles 9(1)(10) and 14 of the Regulations. On this point, the Bureau recognised that iRent had failed to perform its duty of management, and the circumstances were serious.
Outcomes
In light of the above, the Bureau imposed a fine of TWD 90,000 (approx. €2,660) based on violation of the Regulations. Furthermore, the Bureau noted that if the public believes that they have suffered relevant damage due to the incident, they can contact iRent to understand the relevant situation, and claim in accordance with the provisions of Chapter 4 of the Personal Data Protection Act 2010 (as amended in 2015) ('PDPA') on compensation for damages and group litigation. In addition, where the damages arising from the leakage of personal data is due to consumer relations, the claim can be handled through consumer dispute appeals and mediation procedures prescribed by the Consumer Protection Law 2015.
You can read the press release, only available in Chinese, here.
Send us your Feedback!
Please let us know what you think of DataGuidance! It will only take 60 seconds and help us make the site better for you.
