Chinese Taipei: Personal Data Protection Commission Preparatory Office closes consultation on Draft Personal Data Incident Notification, Reporting and Response Measures

Description

On 23 March 2026, the Personal Data Protection Commission Preparatory Office closed the public consultation, which had been open since 22 January 2026, on the Draft Personal Data Incident Notification, Reporting and Response Measures. The Draft Measures would establish obligations for public and non-public bodies upon becoming aware of a personal data incident involving theft, alteration, damage, loss, destruction, or leakage of personal data.

The Draft Measures would require notification to affected data subjects within 72 hours from the time the incident is known, using appropriate individual methods. In certain limited circumstances, such as when data subjects cannot be identified or where individual notifications would be excessive, notification through public means would be permitted, provided the relevant information is displayed for at least 30 consecutive days. The Draft Measures also specify mandatory notification content, including the time and facts of the incident, categories of personal data affected, response measures taken, and contact and remedy channels.

The Draft Measures also introduce obligations for entities to report incidents falling into certain categories to the competent authority within 72 hours, including incidents involving special categories of personal data, systems holding 10,000 or more records, or incidents affecting 100 or more data subjects. Where entities are unable to meet the reporting deadline due to natural disasters or emergencies, they would be permitted to submit supplementary reports within 48 hours after regaining the ability to make reports.

Entities would be required to take certain immediate response measures upon discovery of a personal data incident, including blocking measures, reviewing access permissions, and submitting takedown requests to search engines. Finally, the Draft Measures set out rules on knowledge attribution in entrusted processing relationships and requirements to create and retain investigation records for at least five years.

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: cross-cutting
Implementation Level: national
Government Branch: executive
Government Body: data protection authority

Complete timeline of this policy change

2026-01-22
in consultation

On 22 January 2026, the Personal Data Protection Commission Preparatory Office opened a public cons…

2026-03-23
processing consultation

On 23 March 2026, the Personal Data Protection Commission Preparatory Office closed the public cons…