Laws Information

法規資訊
Title: Personal Information Protection Act
Am Date: 2015-12-30

Chapter Article

Chapter  I General Provisions
Article 1
Personal Information Protection Act(hereinafter “this Law”)is enacted to govern the collection, processing and use of personal information so as to prevent harm on personality rights, and to facilitate the proper use of personal information.

Article 2
The terms used herein denote the following meanings:
1. Personal information: the name, date of birth, I.D. Card number, passport number, characteristics, fingerprints, marital status, family, education, occupation, medical record, medical treatment, genetic information, sexual life, health examination, criminal record, contact information, financial conditions, social activities and other information which may be used to identify a natural person, both directly and indirectly;
2. Personal information file: A collection of personal information built to allow information retrieval and management by automatic or non-automatic measures;
3. Collection: To collect personal information in any form and way;
4. Processing: To record, input, store, compile, correct, duplicate, retrieve, delete, output, connect or internally transmit information for the purpose of establishing or using a personal information file;
5. Use: All methods of personal information use other than processing;
6. International transmission: The cross-border processing or use of personal information;
7. Government agency refers to a government agency or administrative juridical person at the central or local government level which is empowered to exercise sovereign power;
8. Non-government agency refers to the natural persons, juridical persons or groups other than those stated in the proceeding item;
9. The Party means an individual of whom the personal information has been collected, processed or used in accordance with this Law.

Article 3
The following rights should be exercised by the Party with regard to his personal information and should not be waived in advance or limited by a specific agreement:
1. any inquiry and request for a review of the personal information;
2. any request to make duplications of the personal information;
3. any request to supplement or correct the personal information;
4. any request to discontinue collection, processing or use of personal information; and
5. any request to delete the personal information.

Article 4
Whoever commissioned by a government agency or non-government agency to collect, process or use personal information should be considered the commissioning agency within the scope of this Law.

Article 5
The rights and interests of the Party should be respected in collecting, processing or using personal information and the information should be handled in accordance with the principle of bona fide. It should not go beyond the purpose of collection and should be reasonable and fair.

Article 6
Personal information of medical records, medical treatment, genetic information, sexual life, health examination and criminal records should not be collected, processed or used. However, the following situations are not subject to the limits set in the preceding sentence:
1. when in accordance with law;
2. when it is necessary for a government agency to perform its legal duties or for a non-government agency to fulfill its legal obligation, and proper security measures are adopted prior or subsequent to such collection, processing or use;
3. when the Party has disclosed such information by himself, or when the information concerned has been publicized legally;
4. where it is necessary to perform statistical or other academic research, a government agency or an academic research institution collects, processes, or uses personal information for the purpose of medical treatment, public health, or crime prevention.The information may not lead to the identification of a certain person after its processing by the provider, or from the disclosure by the collector;
5. where it is necessary to assist a government agency in performing its legal duties or a non-government agency in fulfilling its legal obligations, and proper security measures are adopted prior or subsequent to such collection, processing, or use;
6. where the Party has consented in writing; unless such consent exceeds the necessary scope of the specific purpose; the collection, processing or use merely with the consent of the Party is prohibited by other statutes; or such consent is against the Party’s will.
Article 8 and Article 9 shall apply mutatis mutandis to the collection, processing, or use of personal information in accordance with the preceding Paragraph; Paragraphs 1, 2 and 4 of Article 7 shall apply mutatis mutandis to the written consent specified in Item 6 of the preceding Paragraph. The notification should be in written form.

Article 7
The consent mentioned in Item 2 of Article 15 and Item 5 of Paragraph 1 of Article 19 means a declaration of intention made by the Party to allow the collection or processing of personal information after notification is given by the collector in accordance with this Act.
The consent mentioned in Item 7 of Article 16 and Item 6 of Paragraph 1 of Article 20 means a separate declaration of intention made by the Party to allow the use of personal information after the collector has expressly notified the Party of the purpose other than the originally-specified purpose, and the scope of use, and also the impact of whether consent is given or not on the Party’s rights and interests.
The Party’s consent may be presumed given pursuant to Item 2 of Article 15 and Item 5 of Paragraph 1 of Article 19 if the Party does not indicate any refusal, and also provides his/her personal information, when a government or non-government agency gives express notice to the Party in accordance with Paragraph 1 of Article 8.
The collector shall have the burden of proving that the Party has given the consent under this Act.

Article 8
The following items should be told precisely to the Party by a government agency or non-government agency, in accordance with Article 15 or Article 19:
1. the name of the government agency or the non-government agency;
2. purpose of collection;
3. classification of the personal information;
4. time period, area, target and way of the use of personal information;
5. rights of the Party and ways to exercise them as prescribed in Article 3;
6. the influence on his rights and interests while the Party chooses not to provide his personal information;
The following situations may be exempted from the notice prescribed in the preceding Paragraph:
1. when in accordance with law;
2. when the collection of personal information is necessary for the government agency to perform its official duties or the non government agency to fulfill the legal obligation;
3. when the notice will impair the government agency in performing its official duties;
4. when the notice will impair public interests.
5. when the Party should have known the content of the notification already;
6. when the collection of personal information is for non-profit purposes and clearly does not cause any detriment to the Party.

Article 9
A government agency or non-government agency should notify the Party of the source of information and Item 1 to 5 of Paragraph 1 of the preceding Article, before processing or using personal information collected in accordance with Article 15 or 19 which was not provided by the Party.
The notification mentioned in the preceding Paragraph may not be given for the followings:
1. Under one of the situations listed in Paragraph 2 of the preceding Article;
2. When the Party has disclosed such information by himself or when the information has been publicized legally;
3. When the notification may not be made to the Party or his legal representative;
4. When it is necessary for public interests on statistics or the purpose of academic research. The information may not be used to identify a certain person after a treatment of the provider or the disclosure of the collector;
5. Personal information collected by the mass media for the purpose of news reporting on the basis of public interests;
The notification mentioned in Paragraph 1 may be undertaken when the personal information is used against the Party for the first time.

Article 10
Upon the request of the Party, the government agency or non-government agency should reply to the inquiry, offer for a review or provide duplications on the personal information collected, except the followings:
1. when the national security, diplomatic and military secrets, the macro-economic interests or other major national interests may be harmed;
2. when the performance of official duties may be interfered with; and
3. when the major interests of the collecting agency or a third person may be affected.

Article 11
The government agency or the non-government agency should ensure the accuracy of personal information, and correct or supplement it, ex officio or upon the request of the Party.
In the event of a dispute regarding the accuracy of personal information, its processing or use shall be ceased voluntarily or upon the request of the Party,unless the processing or use is either necessary for the performance of an official duty or fulfillment of a legal obligation,or agreed to by the Party in writing, and the dispute has been recorded.
The information collected should be deleted, discontinued to process or use, ex officio or upon the request of the Party when the specific purpose no longer exists or time period expires. However, the preceding sentence may not be applicable when it is necessary for the performance of an official duty or fulfillment of a legal obligation and has been recorded, or when it is agreed by the Party in writing.
The information collected should be deleted, discontinued to process or use, ex officio or upon the request of the Party in the cases where a violation of this Law occurred during collecting, processing or using that information.
In the cases where the government agency or the non-government agency should be attributed to of not correcting or supplementing personal information, persons to whom the personal information was provided should be notified after correction or supplement.

Article 12
When the personal information is stolen, disclosed, altered or infringed in other ways due to the violation of this Law, the government agency or non-government agency should notify the Party after an inspection.

Article 13
Where a request is made by the Party to the government agency or the non-government agency pursuant to Article 10, it should be determined within fifteen days. It may be extended to a time period of no longer than fifteen days when necessary and the Party should be notified of that in writing.
Where a request is made by the Party to the government agency or the non-government agency pursuant to Article 11, it should be determined within thirty days. It may be extended to a time period of no longer than thirty days when necessary and the Party should be notified of that in writing.

Article 14
The government agency or the non government agency may charge a fee to those who make an inquiry or request to review, or make duplications of the personal information.