Key takeaway: The partial amendment to the Personal Data Protection Act (PDPA) was promulgated by the President on November 11, 2025, with the effective date to be set by the Executive Yuan. The amendment accompanies the establishment of the Personal Data Protection Commission (PDPC): the PDPC will serve as the competent authority under the PDPA, government agencies must appoint Chief Data Protection Officers, and private organizations are given a transitional adjustment period. On January 22, 2026, the PDPC Preparatory Office pre-announced a draft amendment to the Enforcement Rules and three draft sub-regulations — businesses should use the transition period to complete their compliance inventory and system adjustments.
1. Why the Amendment: From Fragmented Supervision to Independent Oversight
The origin of this amendment is the Constitutional Court's requirement that Taiwan establish an independent oversight mechanism for personal data protection. In response, the Executive Yuan advanced both the organic legislation for the Personal Data Protection Commission and the PDPA amendment — the amended provisions promulgated by the President on November 11, 2025 exist precisely to accompany the PDPC's establishment and to comprehensively restructure the supervisory architecture of personal data protection in Taiwan.
Until now, enforcement of Taiwan's PDPA has long been divided among the various sector-specific competent authorities and local governments: financial businesses answer to the financial regulator, e-commerce to the economic affairs authorities — with no single dedicated supervisory agency, and with supervisory intensity and standards varying by industry. The PDPC is designed to change that landscape, giving personal data protection a single dedicated agency to coordinate it.
2. The Four Key Changes
| Key change | Details |
|---|---|
| PDPC becomes the competent authority | The Personal Data Protection Commission will serve as the competent authority under the Personal Data Protection Act, coordinating personal data protection policy and supervision. |
| Stronger oversight of government agencies | Supervision of government agencies is strengthened: agencies must appoint a Chief Data Protection Officer, deepening internal data governance and accountability. |
| Joint supervision of private organizations | New provisions establish joint supervision of private organizations by the PDPC together with the sector-specific competent authorities and local governments — moving from fragmented to coordinated oversight. |
| Transitional adjustment period | Private organizations are given a transitional adjustment period, allowing businesses time to adapt their internal systems to the new regime. |
※ The controlling requirements are those of the amended provisions as promulgated and of the sub-regulations to be announced.
3. Sub-regulations and Timeline: No Effective Date Yet, but Preparation Has Already Started
Although the amended provisions have been promulgated, the effective date is to be set by the Executive Yuan and is still pending announcement — this gives businesses a valuable preparation window, but it is no reason to sit and wait.
On January 22, 2026, the PDPC Preparatory Office pre-announced a draft amendment to the Enforcement Rules of the Personal Data Protection Act and three draft sub-regulations, entering the formal notice-and-comment stage. The sub-regulations will directly shape businesses' concrete compliance obligations and operational details, so companies should assign someone to track the drafts through finalization and gap-check them against current internal systems. Judging from the rhythm — amended provisions promulgated, sub-regulations pre-announced, effective date to come — the contours of the new regime are taking shape fast.
4. A Five-Item Preparation Checklist for Businesses
First, a personal data inventory: comprehensively map the personal data your company collects, processes and uses — the data items, sources, flows and retention periods — and build a data register; this is the foundation for all the compliance work that follows. Second, data subject rights processes: check that when data subjects exercise their rights of access, correction or deletion, your intake window, handling deadlines and response workflow are clear and workable. Third, outsourcing contract review: check that contracts for outsourced personal data processing contain appropriate supervision clauses, confidentiality obligations and allocation of liability — when a vendor fails, the commissioning company can rarely stand aside. Fourth, breach notification readiness: establish a personal data incident response plan and notification mechanism, rehearse in advance and keep records, so that an actual incident does not turn into a scramble. Fifth, keep tracking regulatory developments: watch for the Executive Yuan's announcement of the effective date and the finalized sub-regulations, and close your compliance gaps within the transitional adjustment period.
5. How LegalAI Can Help
Personal data compliance is not a one-off project but an ongoing system. LegalAI Law Firm provides cybersecurity and regulatory compliance advisory services: helping businesses run personal data inventories, build data subject rights and breach notification workflows, review personal data outsourcing contracts, and continuously track the PDPC's sub-regulations and implementation timeline — so your preparation is complete before the new regime arrives.
Frequently Asked Questions
When does the PDPA amendment take effect?
The amended provisions were promulgated by the President on November 11, 2025, but the effective date is to be set by the Executive Yuan and has not yet been announced; the amendment also gives private organizations a transitional adjustment period. Businesses should keep monitoring the Executive Yuan's announcement of the effective date and the progress of the related sub-regulations, and use the time to prepare early.
What is the PDPC, and how does it differ from the current competent authorities?
The Personal Data Protection Commission (PDPC) is a dedicated agency established to create an independent oversight mechanism for personal data protection. After the amendment takes effect, it will serve as the competent authority under the Personal Data Protection Act. Compared with the previous model of fragmented supervision mainly by the various sector-specific competent authorities, the PDPC will take the coordinating role and supervise private organizations jointly with the sector-specific competent authorities and local governments.
What is the biggest change for private businesses in this amendment?
The biggest change is the supervisory architecture: oversight of private organizations' personal data practices will move step by step from fragmented sector-specific competent authorities toward a model coordinated by the PDPC working jointly with the sector-specific competent authorities and local governments, which may bring more consistent and stronger enforcement. At the same time, the amendment gives private organizations a transitional adjustment period — businesses should use it to complete their compliance review and adjust their systems.
What should businesses prepare now?
We recommend starting with five things: conduct a personal data inventory, review the processes for data subjects exercising their rights, review personal data outsourcing contracts, prepare an incident response and breach notification plan, and keep tracking the effective date and the finalization of the sub-regulations so that system adjustments are completed within the transitional adjustment period.
References
- Lee and Li, Attorneys-at-Law: The President promulgates amendments to the Personal Data Protection Act
- Lee and Li, Attorneys-at-Law: The PDPC Preparatory Office pre-announces the draft amendment to the PDPA Enforcement Rules and three draft sub-regulations
- Personal Data Protection Commission Preparatory Office: Official website
This article was compiled by our lawyers with the assistance of LegalAI's AI legal assistants, based on the public sources listed above. It is for general reference only and does not constitute legal advice on any specific matter. For the application of specific obligations, please rely on the competent authorities' announcements and the official text of the laws, or consult our lawyers.