On November 11, 2025, the President officially promulgated the latest amendments to the Personal Data Protection Act (PDPA). While the formal effective date is yet to be announced by the Executive Yuan, private enterprises should take note of the following four critical updates:
1. Establishment of a Centralized Regulatory Authority
In the future, the Personal Data Protection Commission (PDPC) will serve as the sole specialized oversight body for all PDPA-related matters. This marks a significant shift from the current fragmented regulatory landscape, where supervision was dispersed among various ministries. This centralization will lead to more consistent standards for administrative inspections and penalties.
2. Universal Statutory Obligation for “Security Maintenance Plans”
Previously, only specific industries meeting certain criteria were required to implement industry-specific security maintenance plans. The amended law now empowers the PDPC to establish a universal baseline version of these plans applicable to all private-sector entities.
- Note on Article 51-1: For specific industries currently regulated by their respective central competent authorities, the original industry-specific plans will remain prioritized during a six-year transition period.
3. Substantial Reduction in Breach Notification Timelines
The trigger for reporting personal data incidents (theft, tampering, damage, loss or leakage) has been moved earlier, from “upon verification” to “upon awareness.” Enterprises can no longer delay notification by citing an ongoing internal investigation. Upon becoming aware of a breach, entities must immediately notify the affected data subjects. Furthermore, if the breach meets a certain threshold, the PDPC must also be notified.
- Draft Regulations: A draft for the “Measures for Notice, Notification, and Response to Personal Data Incidents” has been released for public comment, covering specific requirements for content, methods, timelines, reporting scope, and record-keeping.
4. Normalization of Administrative Inspections
The PDPC’s authority has been expanded to allow for discretionary administrative inspections. This means that a company’s implementation of data protection measures will face more frequent and rigorous external oversight.
💡 Legal Compliance Note for Enterprises
Personal data protection has become a core pillar of regulatory compliance. It is highly recommended that enterprises commence a comprehensive audit of existing data processing workflows as soon as possible to ensure they can withstand future administrative scrutiny.