Key Amendments to the Personal Data Protection Act That Private Enterprises Should Be Aware Of

On 11 November 2025, the President promulgated the amendments to the Personal Data Protection Act (the "PDPA"); the effective date has yet to be set. The amendment responds to Constitutional Court Judgment Hsien Pan Tze No. 13 of 2022 (ROC year 111), which required the establishment of an independent supervisory mechanism for personal data protection, namely the Personal Data Protection Commission (the "PDPC"), so as to fully realise the constitutional guarantee of the people's right to informational privacy. Apart from provisions added and revised to regulate the use of personal data by public agencies, the amendment contains a number of changes that affect private-sector entities (non-public agencies, i.e., natural persons, legal persons or other organisations that are not government agencies). The key points concerning private enterprises are summarised below:


1. Obligations Regarding Notification and Reporting of Personal Data Incidents

(1) Obligation to notify data subjects: Under the pre-amendment PDPA, a private-sector entity was required to notify data subjects only once it had ascertained the facts of a personal data incident, which in practice often led to delayed notification for a variety of reasons. The amendment moves the trigger forward: the entity must now notify data subjects as soon as it becomes aware of the incident. The specific content of the notice to data subjects and other details remain to be prescribed.

(2) Obligation to report to the PDPC: For personal data incidents that fall within a reporting threshold to be specified, a private-sector entity must report the incident to the PDPC, which in turn must forward the report to the competent authority for the relevant industry.

In responding to a personal data incident, a private-sector entity must take prompt and effective measures to prevent the incident from escalating, record the relevant facts, the impact and the response measures taken, and retain the related records. The content, time limits and scope of notices to data subjects and reports to the PDPC, and related matters, are delegated to the PDPC to prescribe.

If a private-sector entity breaches its obligation to notify data subjects of a personal data incident, the PDPC will order it to rectify the breach within a specified period and impose a fine if it fails to do so. If, however, the entity breaches its obligation to report the incident to the PDPC, or its obligations regarding response measures or record retention, the PDPC may impose a fine directly and may fine it again for each further instance of non-compliance.


2. Amendments to the Administrative Inspection Provisions

The amendment refines the rules governing administrative inspections of private-sector entities. It provides inspection methods involving different degrees of intervention by the PDPC, and adds a joint-inspection mechanism under which the PDPC may conduct inspections together with the competent industry authority or other relevant agencies. It also authorises the PDPC to issue separate regulations on the planning and assessment methods for administrative inspections, the factors to be considered, and matters that require the cooperation of other agencies.


3. Transitional Regulatory Provisions

The PDPC will directly supervise businesses that currently have no clearly designated competent industry authority. For businesses that do have one, because the PDPC's supervisory resources are not yet fully in place, the PDPC may, within six years of its establishment, announce a defined range of private-sector entities whose personal data supervision will remain with the central competent industry authority or the local government.

For the private-sector entities that the PDPC announces as remaining under the jurisdiction of the central competent industry authority or local government, the central competent industry authority may designate those entities that must establish a "Personal Data File Security Maintenance Plan" or a "Method for Handling Personal Data After Business Termination". The regulations governing such plans and methods are to be issued by the central competent industry authority by reference to the PDPC's own regulations, and may impose stricter requirements. If a private-sector entity fails to establish the required plan or method, or breaches the provisions of the central competent industry authority's regulations on the required content, standards or manner of implementation of the plan or method, the PDPC may impose a fine and may fine it again for each further instance of non-compliance.



4. The PDPC is an independent agency that exercises its powers independently in accordance with the law and, unless otherwise provided by law, is not subject to the direction or supervision of any other agency. Accordingly, a party that objects to an administrative disposition issued by the PDPC should seek relief directly through administrative litigation proceedings.


The amendment makes clear that supervisory authority over personal data matters will gradually be transferred to and concentrated in the PDPC. Beyond the points above, private-sector entities should note in particular that the amendment expressly tasks the PDPC with issuing unified guiding rules on incident response measures and security control requirements. Internal personal data rules that entities currently maintain on the basis of the Regulations Governing the Security Maintenance and Management of Personal Data Files issued by their respective central competent industry authorities under Article 27, Paragraph 2 of the pre-amendment PDPA (a paragraph deleted by this amendment) are therefore likely to require corresponding adjustment. However, as the PDPC has not yet issued those guiding rules, and it is not yet clear how, during the transition period, the PDPC will delineate the range of private-sector entities left under the supervision of the central competent industry authorities, private-sector entities are advised to keep monitoring developments following the amendment so that they can adjust in good time.


Author: Lynn Hsu (徐瑋琳), Attorney-at-Law, 3 December 2025