|
Taiwan’s Legislative Yuan (“Congress”) approved on December 2, 2025, the amendment to Taiwan’s main labor safety legislation, the Occupational Safety and Health Act (“OSHA”). This amendment is the most extensive revision of OSHA since its last full amendment in 2013. Notably, it introduces a new dedicated chapter on workplace bullying prevention in response to recent workplace bullying incidents.
The version approved by the Congress is largely aligned with the amendment previously proposed by the Executive Yuan (“Cabinet”). For further details, please refer to our newsletter dated September 9, 2025: Taiwan Legal Update September 2025.
|
|
Following extensive discussions and several revisions to the draft amendments of the Personal Data Protection Act (“PDPA”) by Taiwan’s Legislative Yuan (the “Congress”), the new amendments to the PDPA (“the New Amendments”) were passed by Congress on 17 October and promulgated by Taiwan’s Presidential Office on 11 November.
Pursuant to the New Amendments, the sole and independent to-be-established supervisory body for personal data protection matters, the Personal Data Protection Committee (“PDPC”), will assume jurisdiction over the enforcement of the PDPA in both government agencies and the private sector (e.g., setting forth cross-border data transfer restrictions, conducting administrative inspections on personal data protection matters, and imposing penalties) once it is established. However, given the PDPC’s limited administrative resources to perform the foregoing functions, the New Amendments provide that jurisdiction over the enforcement of the PDPA (i.e., administrative inspections and penalty imposition) against non-governmental entities in specific industries/sectors designated by the Executive Yuan (the “Cabinet”) will remain with the government agencies that have the jurisdiction over such specific industries and sectors respectively, within the scope provided under the New Amendments, during a six-year transition period. The designated industries/sectors shall be reviewed and adjusted by the Cabinet every two years and will ultimately be transferred to the PDPC’s sole jurisdiction upon expiration of the six-year transition period.
The New Amendments also authorize the PDPC to set forth regulations governing personal data file protection measures and management mechanisms (the “PDPC Personal Data File Protection Regulations”) as minimum criteria for non-governmental entities to comply with. The government agencies that have the authority to enforce the PDPA for the respective specific industries or sectors as designated by the Cabinet during the transition period will also be entitled to set forth regulations governing the personal data file protection measures and management mechanisms for the industries or sectors within their respective jurisdictions, provided that the measures and mechanisms so set forth shall at least align with the standards set forth by the PDPC Personal Data File Protection Regulations.
In addition to introducing more comprehensive requirements applicable to government agencies, the New Amendments also introduce the following new requirements/obligations in the private sector:
- Non-governmental entities are required to promptly (i) notify the data subject of the data breach in the manner set forth by the PDPC and (ii) implement effective and immediate response measures, upon becoming aware of a data breach, to mitigate and prevent further harm. The details of the breach, its impact, and the response measures taken must be documented and retained for a minimum statutory period to facilitate inspection by the PDPC. The details of the above-mentioned reporting requirements, as well as record documentation and retention requirements, will be further set forth by the PDPC through regulations.
- Non-governmental entities are required to report data breaches that fall within the reportable scope set forth by the PDPC (“Reportable Data Breach”) to the PDPC. The details of the above-mentioned requirements, including the scope of the Reportable Data Breach, will be further set forth by the PDPC through regulations.
- Non-governmental entities are required to (i) establish their own personal data file protection measures and management mechanisms (“Personal Data File Protection Plan”) in accordance with the PDPC Personal Data File Protection Regulations, and (ii) implement the personal data file protection measures and management mechanisms set forth in their Personal Data File Protection Plan.
Failure to comply with the above-mentioned requirements and any remedial request will be subject to administrative fines.
Prior to the New Amendments, the PDPA provided that a non-governmental entity was entitled to refuse the personal data protection regulator’s administrative inspection if there was justification; however, the New Amendments have removed this exception.
The effective date of the New Amendments remains subject to determination by the Cabinet, but a decision has not yet been made. It is not clear when the New Amendments would become effective at this stage.
|