Personal Information Protection Act
個人資料保護法 2010.05.26 Amended
Chapter I General Provisions
第 一 章 總則
Article 1 Personal Information Protection Act(hereinafter “this Law”)is enacted to govern the collection, processing and use of personal information so as to prevent harm on personality rights, and to facilitate the proper use of personal information.
第 1 條
為規範個人資料之蒐集、處理及利用,以避免人格權受侵害,並促進個人資料之合理利用,特制定本法。
Article 2
The terms used herein denote the following meanings:
1. Personal information: the name, date of birth, I.D. Card number, passport number, characteristics, fingerprints, marital status, family, education, occupation, medical record, medical treatment, genetic information, sexual life, health examination, criminal record, contact information, financial conditions, social activities and other information which may be used to identify a natural person, both directly and indirectly;
2. Personal information file: A collection of personal information built to allow information retrieval and management by automatic or non-automatic measures;
3. Collection: To collect personal information in any form and way;
4. Processing: To record, input, store, compile, correct, duplicate, retrieve, delete, output, connect or internally transmit information for the purpose of establishing or using a personal information file;
5. Use: All methods of personal information use other than processing;
6. International transmission: The cross-border processing or use of personal information;
7. Government agency refers to a government agency or administrative juridical person at the central or local government level which is empowered to exercise sovereign power;
8. Non-government agency refers to the natural persons, juridical persons or groups other than those stated in the proceeding item;
9. The Party means an individual of whom the personal information has been collected, processed or used in accordance with this Law.
第 2 條
本法用詞,定義如下:
一、個人資料:指自然人之姓名、出生年月日、國民身分證統一編號、護照號碼、特徵、指紋、婚姻、家庭、教育、職業、病歷、醫療、基因、性生活、健康檢查、犯罪前科、聯絡方式、財務情況、社會活動及其他得以直接或間接方式識別該個人之資料。
二、個人資料檔案:指依系統建立而得以自動化機器或其他非自動化方式檢索、整理之個人資料之集合。
三、蒐集:指以任何方式取得個人資料。
四、處理:指為建立或利用個人資料檔案所為資料之記錄、輸入、儲存、編輯、更正、複製、檢索、刪除、輸出、連結或內部傳送。
五、利用:指將蒐集之個人資料為處理以外之使用。
六、國際傳輸:指將個人資料作跨國(境)之處理或利用。
七、公務機關:指依法行使公權力之中央或地方機關或行政法人。
八、非公務機關:指前款以外之自然人、法人或其他團體。
九、當事人:指個人資料之本人。
Article 3 The following rights should be exercised by the Party with regard to his personal information and should not be waived in advance or limited by a specific agreement:
1. any inquiry and request for a review of the personal information;
2. any request to make duplications of the personal information;
3. any request to supplement or correct the personal information;
4. any request to discontinue collection, processing or use of personal information; and
5. any request to delete the personal information.
第 3 條
當事人就其個人資料依本法規定行使之下列權利,不得預先拋棄或以特約限制之:
一、查詢或請求閱覽。
二、請求製給複製本。
三、請求補充或更正。
四、請求停止蒐集、處理或利用。
五、請求刪除。
Article 4
Whoever commissioned by a government agency or non-government agency to collect, process or use personal information should be considered the commissioning agency within the scope of this Law.
第 4 條 受公務機關或非公務機關委託蒐集、處理或利用個人資料者,於本法適用範圍內,視同委託機關。
Article 5
The rights and interests of the Party should be respected in collecting, processing or using personal information and the information should be handled in accordance with the principle of bona fide. It should not go beyond the purpose of collection and should be reasonable and fair.
第 5 條
個人資料之蒐集、處理或利用,應尊重當事人之權益,依誠實及信用方法為之,不得逾越特定目的之必要範圍,並應與蒐集之目的具有正當合理之關聯。
Article 6
Personal information of medical treatment, genetic information, sexual life, health examination and criminal record should not be collected, processed or used. However, the following situations are not subject to the limits set in the preceding sentence:
1. when in accordance with law;
2. when it is necessary for the government agency to perform its duties or for the non- government agency to fulfill the legal obligation, and when there are proper security measures.
3. when the Party has disclosed such information by himself, or when the information concerned has been publicized legally;
4. when the personal information is collected, processed or used under certain methods by a government agency or an academic research institution based on the purpose of medical treatment, personal hygiene or crime prevention statistics and/or study.
The rules of the range, procedure and any other items to be followed concerning Item 4 of the preceding Paragraph should be set by the government authority in charge of subject industry at the central government level in conjunction with the Ministry of Justice.
第 6 條 有關醫療、基因、性生活、健康檢查及犯罪前科之個人資料,不得蒐集、處理或利用。但有下列情形之一者,不在此限:
一、法律明文規定。
二、公務機關執行法定職務或非公務機關履行法定義務所必要,且有適當安全維護措施。
三、當事人自行公開或其他已合法公開之個人資料。
四、公務機關或學術研究機構基於醫療、衛生或犯罪預防之目的,為統計或學術研究而有必要,且經一定程序所為蒐集、處理或利用之個人資料。
前項第四款個人資料蒐集、處理或利用之範圍、程序及其他應遵行事項之辦法,由中央目的事業主管機關會同法務部定之。
Article 7
The written agreement mentioned in Item 2 of Article 15 and Item 5 of Article 19 means a written consent made by the Party after a notification given by the personal information collection based on this Law.
The written agreement mentioned in Item 7 of Article 16 and Item 6 of Paragraph 1 of Article 20 means a written consent made by the Party after having been notified by the collector of the influence to his rights there may be of other purpose of scope.
第 7 條
第15條第2款及第19條第5款所稱書面同意,指當事人經蒐集者告知本法所定應告知事項後,所為允許之書面意思表示。
第16條第7款、第20條第1項第6款所稱書面同意,指當事人經蒐集者明確告知特定目的外之其他利用目的、範圍及同意與否對其權益之影響後,單獨所為之書面意思表示。
Article 8
The following items should be told precisely to the Party by a government agency or non-government agency, in accordance with Article 15 or Article 19:
1. the name of the government agency or the non government agency;
2. purpose of collection;
3. classification of the personal information;
4. time period, area, target and way of the use of personal information;
5. rights of the Party and ways to exercise them as prescribed in Article 3;
6. the influence on his rights and interests while the Party chooses not to provide his personal information;
The following situations may be exempted from the notice prescribed in the preceding Paragraph:
1. when in accordance with law;
2. when the collection of personal information is necessary for the government agency to perform its official duties or the non government agency to fulfill the legal obligation;
3. when the notice will impair the government agency in performing its official duties;
4. when the notice will impair the interests of a third person;.
5. when the Party should have known the content of the notification already.
第 8 條
公務機關或非公務機關依第15條或第19條規定向當事人蒐集個人資料時,應明確告知當事人下列事項:
一、公務機關或非公務機關名稱。
二、蒐集之目的。
三、個人資料之類別。
四、個人資料利用之期間、地區、對象及方式。
五、當事人依第三條規定得行使之權利及方式。
六、當事人得自由選擇提供個人資料時,不提供將對其權益之影響。
有下列情形之一者,得免為前項之告知:
一、依法律規定得免告知。
二、個人資料之蒐集係公務機關執行法定職務或非公務機關履行法定義務所必要。
三、告知將妨害公務機關執行法定職務。
四、告知將妨害第三人之重大利益。
五、當事人明知應告知之內容。
Article 9 A government agency or non-government agency should notify the Party of the source of information and Item 1 to 5 of Paragraph 1 of the preceding Article, before processing or using personal information collected in accordance with Article 15 or 19 which was not provided by the Party.
The notification mentioned in the preceding Paragraph may not be given for the followings:
1. Under one of the situations listed in Paragraph 2 of the preceding Article;
2. When the Party has disclosed such information by himself or when the information has been publicized legally;
3. When the notification may not be made to the Party or his legal representative;
4. When it is necessary for public interests on statistics or the purpose of academic research. The information may not be used to identify a certain person after a treatment of the provider or the disclosure of the collector;
5. Personal information collected by the mass media for the purpose of news reporting on the basis of public interests;
The notification mentioned in Paragraph 1 may be undertaken when the personal information is used against the Party for the first time.
第 9 條 公務機關或非公務機關依第十五條或第十九條規定蒐集非由當事人提供之個人資料,應於處理或利用前,向當事人告知個人資料來源及前條第一項第一款至第五款所列事項。
有下列情形之一者,得免為前項之告知:
一、有前條第二項所列各款情形之一。
二、當事人自行公開或其他已合法公開之個人資料。
三、不能向當事人或其法定代理人為告知。
四、基於公共利益為統計或學術研究之目的而有必要,且該資料須經提供者處理後或蒐集者依其揭露方式,無從識別特定當事人者為限。
五、大眾傳播業者基於新聞報導之公益目的而蒐集個人資料。
第一項之告知,得於首次對當事人為利用時併同為之。
Article 10
Upon the request of the Party, the government agency or non-government agency should reply to the inquiry, offer for a review or provide duplications on the personal information collected, except the followings:
1. when the national security, diplomatic and military secrets, the macro-economic interests or other major national interests may be harmed;
2. when the performance of official duties may be interfered with; and
3. when the major interests of the collecting agency or a third person may be affected.
第 10 條
公務機關或非公務機關應依當事人之請求,就其蒐集之個人資料,答覆查詢、提供閱覽或製給複製本。但有下列情形之一者,不在此限:
一、妨害國家安全、外交及軍事機密、整體經濟利益或其他國家重大利益。
二、妨害公務機關執行法定職務。
三、妨害該蒐集機關或第三人之重大利益。
Article 11
The government agency or the non government agency should ensure the accuracy of personal information, and correct or supplement it, ex officio or upon the request of the Party.
In the event of a dispute regarding the accuracy of personal information, the agency should discontinue processing or using the information, ex officio or upon the request of the Party. However, the preceding sentence may not be applicable when it is necessary for the performance of an official duty or fulfillment of a legal obligation and has been recorded, or when it is agreed by the Party in writing.
The information collected should be deleted, discontinued to process or use, ex officio or upon the request of the Party when the specific purpose no longer exists or time period expires. However, the preceding sentence may not be applicable when it is necessary for the performance of an official duty or fulfillment of a legal obligation and has been recorded, or when it is agreed by the Party in writing.
The information collected should be deleted, discontinued to process or use, ex officio or upon the request of the Party in the cases where a violation of this Law occurred during collecting, processing or using that information.
In the cases where the government agency or the non-government agency should be attributed to of not correcting or supplementing personal information, persons to whom the personal information was provided should be notified after correction or supplement.
第 11 條
公務機關或非公務機關應維護個人資料之正確,並應主動或依當事人之請求更正或補充之。
個人資料正確性有爭議者,應主動或依當事人之請求停止處理或利用。但因執行職務或業務所必須並註明其爭議或經當事人書面同意者,不在此限。
個人資料蒐集之特定目的消失或期限屆滿時,應主動或依當事人之請求,刪除、停止處理或利用該個人資料。但因執行職務或業務所必須或經當事人書面同意者,不在此限。
違反本法規定蒐集、處理或利用個人資料者,應主動或依當事人之請求,刪除、停止蒐集、處理或利用該個人資料。
因可歸責於公務機關或非公務機關之事由,未為更正或補充之個人資料,應於更正或補充後,通知曾提供利用之對象。
Article 12
When the personal information is stolen, disclosed, altered or infringed in other ways due to the violation of this Law, the government agency or non-government agency should notify the Party after an inspection.
第 12 條 公務機關或非公務機關違反本法規定,致個人資料被竊取、洩漏、竄改或 其他侵害者,應查明後以適當方式通知當事人。
Article 13
Where a request is made by the Party to the government agency or the non-government agency pursuant to Article 10, it should be determined within fifteen days. It may be extended to a time period of no longer than fifteen days when necessary and the Party should be notified of that in writing.
Where a request is made by the Party to the government agency or the non-government agency pursuant to Article 11, it should be determined within thirty days. It may be extended to a time period of no longer than thirty days when necessary and the Party should be notified of that in writing.
第 13 條 公務機關或非公務機關受理當事人依第十條規定之請求,應於十五日內,為准駁之決定;必要時,得予延長,延長之期間不得逾十五日,並應將其原因以書面通知請求人。
公務機關或非公務機關受理當事人依第十一條規定之請求,應於三十日內,為准駁之決定;必要時,得予延長,延長之期間不得逾三十日,並應將其原因以書面通知請求人。
Article 14
The government agency or the non government agency may charge a fee to those who make an inquiry or request to review, or make duplications of the personal information.
第 14 條 查詢或請求閱覽個人資料或製給複製本者,公務機關或非公務機關得酌收必要成本費用。
第 二 章 公務機關對個人資料之蒐集、處理及利用
Chapter II Information Collection, Processing and Use by a Government Agency
Article 15
Except the information stated in Paragraph 1 of Article 6, the government agency should not collect or process personal information unless there is a specific purpose and should comply with one of the following conditions:
1. it is within the scope of job functions provided by laws and regulations;
2. a written consent has been made by the Party; and
3. the rights and interests of the Party may not be harmed.
Article 16
Except the information stated in Paragraph 1 of Article 6, the government agency should use the personal information in accordance with the scope of its job functions provided by laws and regulations, and in compliance with the specific purpose of collection. However, the information may be used outside the scope upon the occurrence of one of the following conditions:
1. Where in accordance with law;
2. Where it is for national security or to promote public interests;
3. Where it is to prevent harm on the life, body, freedom or property of the Party;
4. Where it is to prevent harm on the rights and interests of other people;
5. Where it is necessary for public interests on statistics or the purpose of academic research conducted by a government agency or an academic research institution, respectively. The information may not lead to the identification of a certain person after the treatment of the provider or the disclosure of the collector;
6. Where such use may benefit the Party; and
7. A written consent of the Party has been obtained.
Article 17
The government agency may publicize the following items on the Internet or by other proper means for inquiries; the above provisions are applicable to amendment thereof:
1. name of personal information file;
2. name of the government agency keeping the personal information file and its contact information;
3. basis and purpose of keeping the file;
4. classification of personal information.
Article 18
The government agency which keeps personal information files should assign personnel(s) on security and maintenance of those files to prevent them from being stolen, altered, damaged, destroyed or disclosed.
第 15 條
公務機關對個人資料之蒐集或處理,除第六條第一項所規定資料外,應有特定目的,並符合下列情形之一者:
一、執行法定職務必要範圍內。
二、經當事人書面同意。
三、對當事人權益無侵害。
第 16 條 公務機關對個人資料之利用,除第六條第一項所規定資料外,應於執行法定職務必要範圍內為之,並與蒐集之特定目的相符。但有下列情形之一者,得為特定目的外之利用:
一、法律明文規定。
二、為維護國家安全或增進公共利益。
三、為免除當事人之生命、身體、自由或財產上之危險。
四、為防止他人權益之重大危害。
五、公務機關或學術研究機構基於公共利益為統計或學術研究而有必要,且資料經過提供者處理後或蒐集者依其揭露方式無從識別特定之當事人。
六、有利於當事人權益。
七、經當事人書面同意。
第 17 條 公務機關應將下列事項公開於電腦網站,或以其他適當方式供公眾查閱;其有變更者,亦同:
一、個人資料檔案名稱。
二、保有機關名稱及聯絡方式。
三、個人資料檔案保有之依據及特定目的。
四、個人資料之類別。
第 18 條 公務機關保有個人資料檔案者,應指定專人辦理安全維護事項,防止個人資料被竊取、竄改、毀損、滅失或洩漏。
--------------------------------------
Chapter III Information Collection, Processing and Use by a Non-government Agency
Article 19
Except the information stated in Paragraph 1 of Article 6, the non-government agency should not collect or process personal information unless there is a specific purpose and should comply with one of the following conditions:
1. Where in accordance with law;
2. Where there is a contract or quasi-contract between the Party and the agency;
3. Where the Party has disclosed such information by himself or when the information has been publicized legally;
4. Where it is necessary for public interests on statistics or the purpose of academic research conducted by a research institution. The information may not lead to the identification of a certain person after the treatment of the provider or the disclosure of the collector;
5. Where a written consent has been made by the Party;
6. Where the public interest is involved; and
7. Where the personal information is obtained from publicly available resources. However, it is exempted if the information is limited by the Party on the processing or use and the interests of the Party should be protected.
By the time when the collector or processor realizes or has been notified of the provision in Item 7 of the preceding Paragraph by the Party, he should delete, stop processing or using the personal information, ex officio or upon the request of the Party.
Article 20
Except the information stated in Paragraph 1 of Article 6, the non-government agency should use the personal information in accordance with the scope of the specific purpose of collection provided. However, the information may be used outside the scope upon the occurrence of one of the following conditions:
1. Where in accordance with law;
2. Where it is to promote public interests;
3. Where it is to prevent harm on the life, body, freedom or property of the Party;
4. Where it is to prevent harm on the rights and interests of other people;
5. Where it is necessary for public interests on statistics or the purpose of academic research conducted by a government agency or an academic research institution, respectively. The information may not lead to the identification of a certain person after the treatment of the provider or the disclosure of the collector;
6. Where a written consent of the Party has been obtained.
When the non-government agency uses the personal information for the purpose of marketing pursuant to the preceding Paragraph and has been turned down by the Party, the agency should stop its action.
The non-government agency should notify the Party the measures of refusal at the first marketing action and should pay for fees necessary.
Article 21
If one of the followings has occurred when the non-government agency transmits personal information internationally, the government authority in charge of subject industry may limit its action:
1. Where it involves major national interests;
2. Where national treaty or agreement specifies otherwise;
3. Where the country receiving personal information lacks of proper regulations towards the protection of personal information and it might harm the rights and interests of the Party:
4. Where international transmission of personal information is made through an indirect method in which the provisions of this Law may not be applicable.
Article 22
The government authority in charge of subject industry at the central government level, municipality directly under the central government, or county or city government may perform an inspection by its staff workers who carry badges, if it is necessary for the protection of personal information, the disposal after termination of business, the limitation of international transmission, other routine examinations, or if this Law may be violated. Those who perform the inspection should illustrate the action, take necessary measures and provide relating documents.
When the government authority in charge of subject industry at the central government level, municipality directly under the central government, or county or city government conducts such an inspection as stipulated in the preceding Paragraph, may detain or duplicate the personal information or its files which may be confiscated or may be served as evidence. The owner, holder or keeper of those objects should offer them upon request. A compulsory enforcement that might harm the rights of the non-government agency the least may be applied to refusals without proper reasons.
When the government authority in charge of subject industry at the central government level, municipality directly under the central government, or county or city government conducts the inspection stipulated in Paragraph 1 of this Article, the professional of information technology, telecommunications or law may be accompanied.
The non-government agency and its personnel should not evade, obstruct or refuse the entering, inspection or measures adopted which are stipulated in Paragraph 1 and 2 of this Article.
All the personnel who take part in the inspection should fulfill the obligation of confidentiality for the information obtained during the job-undertaking.
Article 23
The objects detained or duplicated in accordance with Paragraph 2 of the preceding Article should be sealed or tagged, and properly located. Those may not be carried or kept may be guarded by a designated personnel, or be kept by the owner or suitable persons. If it is no more necessary to keep the detained or duplicated objects, or when a punishment is not applied or a confiscation is not applied, those objects should be returned. However, it does not apply to objects that should be confiscated or kept for other cases.
Article 24
The non-government agency, owner, holder, keeper or interested persons of those detained or duplicated objects may raise an objection to the government authority in charge of subject industry at the central government level, municipality directly under the central government, or county or city government for the demand, compulsory enforcement, detention, or duplication mentioned in the preceding two Articles.
For the objection mentioned in the preceding Paragraph, the government authority in charge of subject industry at the central government level, municipality directly under the central government or county or city government should stop or alter such acts immediately, when it is considered reasonable. Otherwise, it may continue such acts. Upon the request of the person who raises the objection, the competent government authority should issue a record of reasons towards the objection.
The objection against the decision of the government authority in charge of subject industry at the central government level, municipality directly under the central government, or county or city government in the preceding Paragraph may only be raised jointly with the objection against the decision of the case. However, people who may not raise an objection against the decision of the case as regulated in Paragraph 1 of this Article may bring an administrative litigation against the action mentioned in the same Paragraph.
Article 25
For the non-government agency that violates the provisions of this Law, one of the following actions may be ordered jointly with a fine as regulated by the government authority in charge of subject industry at the central government level, municipality directly under the central government, or county or city government:
1. to forbid the collecting, processing or use of the personal information;
2. to demand the deletion of the personal information files already processed;
3. to confiscate or to destroy the personal information illegally collected;
4. to publicize the violation case, the name of the non-government agency, and the name of the person in charge.
The decisions mentioned in the preceding Paragraph should be done by the measures that may harm the non-government agency the least and should be within the range set in this Law.
Article 26
After performing the inspection mentioned in Article 22, the government authority in charge of subject industry at the central government level, municipality directly under the central government, or county or city government may publicize the result of that after the consent of the non-government agency, if there is no violation found.
Article 27
The non-government agency which keeps personal information files should adopt proper security measures to prevent them from being stolen, altered, damaged, destroyed or disclosed.
The government authority in charge of subject industry at the central government level may designate a non-government agency for setting up the plan of security measures for the personal information file or the disposal measures for the personal information after termination of business.
The rules of the fore-mentioned plan and processing methods should be set up by the government authority in charge of subject industry at the central government level.
第 三 章 非公務機關對個人資料之蒐集、處理及利用
第 19 條 非公務機關對個人資料之蒐集或處理,除第六條第一項所規定資料外,應 有特定目的,並符合下列情形之一者:
一、法律明文規定。
二、與當事人有契約或類似契約之關係。
三、當事人自行公開或其他已合法公開之個人資料。
四、學術研究機構基於公共利益為統計或學術研究而有必要,且資料經過提供者處理後或蒐集者依其揭露方式無從識別特定之當事人。
五、經當事人書面同意。
六、與公共利益有關。
七、個人資料取自於一般可得之來源。但當事人對該資料之禁止處理或利用,顯有更值得保護之重大利益者,不在此限。
蒐集或處理者知悉或經當事人通知依前項第七款但書規定禁止對該資料之處理或利用時,應主動或依當事人之請求,刪除、停止處理或利用該個人資料。
第 20 條 非公務機關對個人資料之利用,除第六條第一項所規定資料外,應於蒐集之特定目的必要範圍內為之。但有下列情形之一者,得為特定目的外之利用:
一、法律明文規定。
二、為增進公共利益。
三、為免除當事人之生命、身體、自由或財產上之危險。
四、為防止他人權益之重大危害。
五、公務機關或學術研究機構基於公共利益為統計或學術研究而有必要,且資料經過提供者處理後或蒐集者依其揭露方式無從識別特定之當事人。
六、經當事人書面同意。
非公務機關依前項規定利用個人資料行銷者,當事人表示拒絕接受行銷時,應即停止利用其個人資料行銷。
非公務機關於首次行銷時,應提供當事人表示拒絕接受行銷之方式,並支付所需費用。
第 21 條 非公務機關為國際傳輸個人資料,而有下列情形之一者,中央目的事業主管機關得限制之:
一、涉及國家重大利益。
二、國際條約或協定有特別規定。
三、接受國對於個人資料之保護未有完善之法規,致有損當事人權益之虞 。
四、以迂迴方法向第三國(地區)傳輸個人資料規避本法。
第 22 條
中央目的事業主管機關或直轄市、縣(市)政府為執行資料檔案安全維護、業務終止資料處理方法、國際傳輸限制或其他例行性業務檢查而認有必 要或有違反本法規定之虞時,得派員攜帶執行職務證明文件,進入檢查,並得命相關人員為必要之說明、配合措施或提供相關證明資料。
中央目的事業主管機關或直轄市、縣(市)政府為前項檢查時,對於得沒入或可為證據之個人資料或其檔案,得扣留或複製之。對於應扣留或複製之物,得要求其所有人、持有人或保管人提出或交付;無正當理由拒絕提出、交付或抗拒扣留或複製者,得採取對該非公務機關權益損害最少之方法強制為之。
中央目的事業主管機關或直轄市、縣(市)政府為第一項檢查時,得率同資訊、電信或法律等專業人員共同為之。
對於第一項及第二項之進入、檢查或處分,非公務機關及其相關人員不得規避、妨礙或拒絕。
參與檢查之人員,因檢查而知悉他人資料者,負保密義務。
第 23 條
對於前條第二項扣留物或複製物,應加封緘或其他標識,並為適當之處置 ;其不便搬運或保管者,得命人看守或交由所有人或其他適當之人保管。
扣留物或複製物已無留存之必要,或決定不予處罰或未為沒入之裁處者, 應發還之。但應沒入或為調查他案應留存者,不在此限。
第 24 條
非公務機關、物之所有人、持有人、保管人或利害關係人對前二條之要求、強制、扣留或複製行為不服者,得向中央目的事業主管機關或直轄市、 縣(市)政府聲明異議。
前項聲明異議,中央目的事業主管機關或直轄市、縣(市)政府認為有理 由者,應立即停止或變更其行為;認為無理由者,得繼續執行。經該聲明 異議之人請求時,應將聲明異議之理由製作紀錄交付之。
對於中央目的事業主管機關或直轄市、縣(市)政府前項決定不服者,僅得於對該案件之實體決定聲明不服時一併聲明之。但第一項之人依法不得對該案件之實體決定聲明不服時,得單獨對第一項之行為逕行提起行政訴訟。
第 25 條 非公務機關有違反本法規定之情事者,中央目的事業主管機關或直轄市、 縣(市)政府除依本法規定裁處罰鍰外,並得為下列處分:
一、禁止蒐集、處理或利用個人資料。
二、命令刪除經處理之個人資料檔案。
三、沒入或命銷燬違法蒐集之個人資料。
四、公布非公務機關之違法情形,及其姓名或名稱與負責人。
中央目的事業主管機關或直轄市、縣(市)政府為前項處分時,應於防制 違反本法規定情事之必要範圍內,採取對該非公務機關權益損害最少之方法為之。
第 26 條 中央目的事業主管機關或直轄市、縣(市)政府依第二十二條規定檢查後,未發現有違反本法規定之情事者,經該非公務機關同意後,得公布檢查結果。
第 27 條
非公務機關保有個人資料檔案者,應採行適當之安全措施,防止個人資料被竊取、竄改、毀損、滅失或洩漏。
中央目的事業主管機關得指定非公務機關訂定個人資料檔案安全維護計畫或業務終止後個人資料處理方法。
前項計畫及處理方法之標準等相關事項之辦法,由中央目的事業主管機關定之。
----------------------------------
Chapter IV Damages and Class Litigation
Article 28
A government agency should be liable for damages and compensation caused by illegal collection, processing and using of personal information, or other ways of infringement on the rights of the Party due to violation of this Law. However, it does not apply to damages caused by natural disaster, incident or other force majeure.
A proper amount of monetary compensation may be requested for damage not to properties. A proper rehabilitation action may be requested upon infringement to reputation.
The total amount of compensation for the damages referred to in the two preceding Paragraphs shall be no less than NT$500 but no more than NT$20,000 for each case of damages per person in the cases where the victims in the two preceding Paragraphs may not or cannot provide evidence for actual damage amount.
With regard to damages caused to multi parties by the same cause and fact, the total amount of compensation should not exceed NT$200 million. However, if the interests involved are over the amount in the preceding sentence, the amount of interests should be set as the limit.
If the total amount of damage caused by the same cause and fact exceeds the amount mentioned in the preceding Paragraph, the compensation amount to the victim should not be limited by the baseline(NT$500)set in Paragraph 3 of this Article.
The right of claim referred to in the second Paragraph above should not be transferred or inherited. However, it does not apply to the situation where the monetary compensation has been undertaken according to an agreement or the case has been brought to the court.
Article 29
A non-government agency should be liable for damages and compensation caused by illegal collection, processing and using of personal information, or other ways of infringement on the rights of the Party due to violation of this Law. However, it does not apply to the situation where the non-government agency can be proved to be unintentional or non-negligent.
The provisions of Paragraphs 2 to 6 of the preceding Article are applicable to claims for damages made in accordance with the provisions of the preceding Paragraph.
Article 30
The right to claim for damage compensation will be terminated two years since the claimant has been aware of the damages and the person(s) who is liable for the compensation, or five years since the date the damage actually occurred.
Article 31
Aside from the provisions of this Law, the provisions of the State Compensation Law may be applied to a government agency, while the Civil Code may be applied to a non-government agency.
Article 32
A business juridical person or a charitable juridical person that brings a case to the court in accordance with this Chapter should fulfill the following conditions:
1. The total registered assets of a business juridical person should reach NT$10 million or more, or the total number of members of a charitable juridical person should be 100 or more;
2. The protection of personal information is set in its charter;
3. It has been established for more than 3 years after its approval.
Article 33
The litigation brought to the court against a government agency in accordance with this Law should be subject to the exclusive jurisdiction of the district court where the agency is located. The litigation against a non-government agency is subject to the exclusive jurisdiction of the district court where its headquarters, main office of operation or domicile is located.
If the non-government agency in the preceding Paragraph is natural person and has no place of domicile in the Republic of China, or where it is unknown, his place of residence in the Republic of China shall be deemed to be the place of domicile. Where he has no place of residence in the Republic of China or where it is unknown, his last place of domicile in the Republic of China shall be deemed to be the place of domicile. Where he has no last place of domicile, the district court where the central government is located shall have exclusive jurisdiction.
If the non-government agency mentioned in the first Paragraph is a juridical person or a group and has no headquarters, main office of operation, or unknown for both, the district court where the central government is located shall have exclusive jurisdiction.
Article 34
For cases caused by the same cause and fact and there are multi Parties infringed, the business juridical person or charitable juridical person may bring a lawsuit to the court by its own name, after obtaining a written authorization of litigation rights of 20 or more Parties. The Parties may withdraw their authorization by writing before the closure of the oral debate and the court should be notified of it.
For the litigation in accordance with the preceding Paragraph, the court may publicize it to other parties that may have been infringed, upon request of ex officio that those Parties may authorize their litigation rights to the business juridical person or charitable juridical person in the preceding Paragraph within a specified period. The business juridical person or charitable juridical person may expand its claim before the closure of the oral debate.
Other parties that haven been infringed by the same cause and fact that choose not to follow the rule in the preceding Paragraph may bring the case to the court with the specified period for the court to combine the cases.
Other Parties that have been infringed by the same cause and fact may apply to the court the announcement of the preceding Paragraph.
The announcement of the two preceding Paragraph may be publicized on the bulletin of the court, on the Internet or other proper location. Should the court considers it necessary, it may be posted on the communiques or newspaper and the fees should be paid by the National Treasury.
For the business juridical person or charitable juridical association that brings a case to the court in accordance with Paragraph 1 and the target amount exceeds NT$600,000, the exceeding portion should be waived of court fees.
Article 35
The court proceedings should be discontinued partly if the Party withdraws his authorization of litigation right according to the first Paragraph of the preceding Article. The Party should resume the proceeding or the court may request the Party to do so, ex officio.
For the case where more than one Party withdraws his litigation right after the business juridical person or charitable juridical person has brought the case to the court in accordance with the preceding Article, the remaining part of court proceedings may be continued, even when there are fewer than 20 Parties remained.
Article 36
The extinctive prescription for the right to claim for damage compensation for each Party in accordance with Paragraph 1 and 2 of Article 34 should be calculated separately.
Article 37
The business juridical person or charitable juridical person should act as the representative of litigation right authorized by the Party. However, the Party may set a limit on abandonment, withdrawal or reconciliation.
The limit set by one of the Parties in the preceding Paragraph should not be applicable to other Parties.
The limit mentioned in Paragraph 1 of this Article should be illustrated in the documents mentioned in the first Paragraph of Article 34 or should be brought to the court in writing.
Article 38
In the event the Party is object to the decision pursuant to Article 34, he may withdraw the authorization given to the business juridical person or charitable juridical person before the expiration of the period of an appeal and then file an appeal himself.
After receiving the decision document, the business juridical person or charitable juridical person should notify the Party of the outcome and also notify the Party in writing within 7 days as to whether or not an appeal should be file.
Article 39
The business juridical person or charitable juridical person should deduct necessary litigation fees from the compensation received in accordance with the result of the case in Article 34 and deliver the remaining amount to the authorizing Parties.
The business juridical person or charitable juridical person should not ask for remuneration for the lawsuit which brought out in accordance with Paragraph 1 of Article 34.
Article 40
The business juridical person or charitable juridical person should authorize its litigation right to an attorney while bringing out a lawsuit to the court in accordance with the provisions of this Chapter.
第 四 章 損害賠償及團體訴訟
第 28 條 公務機關違反本法規定,致個人資料遭不法蒐集、處理、利用或其他侵害
當事人權利者,負損害賠償責任。但損害因天災、事變或其他不可抗力所
致者,不在此限。
被害人雖非財產上之損害,亦得請求賠償相當之金額;其名譽被侵害者,
並得請求為回復名譽之適當處分。
依前二項情形,如被害人不易或不能證明其實際損害額時,得請求法院依
侵害情節,以每人每一事件新臺幣五百元以上二萬元以下計算。
對於同一原因事實造成多數當事人權利受侵害之事件,經當事人請求損害
賠償者,其合計最高總額以新臺幣二億元為限。但因該原因事實所涉利益
超過新臺幣二億元者,以該所涉利益為限。
同一原因事實造成之損害總額逾前項金額時,被害人所受賠償金額,不受
第三項所定每人每一事件最低賠償金額新臺幣五百元之限制。
第二項請求權,不得讓與或繼承。但以金額賠償之請求權已依契約承諾或
已起訴者,不在此限。
第 29 條 非公務機關違反本法規定,致個人資料遭不法蒐集、處理、利用或其他侵
害當事人權利者,負損害賠償責任。但能證明其無故意或過失者,不在此
限。
依前項規定請求賠償者,適用前條第二項至第六項規定。
第 30 條 損害賠償請求權,自請求權人知有損害及賠償義務人時起,因二年間不行
使而消滅;自損害發生時起,逾五年者,亦同。
第 31 條 損害賠償,除依本法規定外,公務機關適用國家賠償法之規定,非公務機
關適用民法之規定。
第 32 條 依本章規定提起訴訟之財團法人或公益社團法人,應符合下列要件:
一、財團法人之登記財產總額達新臺幣一千萬元或社團法人之社員人數達
一百人。
二、保護個人資料事項於其章程所定目的範圍內。
三、許可設立三年以上。
第 33 條 依本法規定對於公務機關提起損害賠償訴訟者,專屬該機關所在地之地方
法院管轄。對於非公務機關提起者,專屬其主事務所、主營業所或住所地
之地方法院管轄。
前項非公務機關為自然人,而其在中華民國現無住所或住所不明者,以其
在中華民國之居所,視為其住所;無居所或居所不明者,以其在中華民國
最後之住所,視為其住所;無最後住所者,專屬中央政府所在地之地方法
院管轄。
第一項非公務機關為自然人以外之法人或其他團體,而其在中華民國現無
主事務所、主營業所或主事務所、主營業所不明者,專屬中央政府所在地
之地方法院管轄。
第 34 條 對於同一原因事實造成多數當事人權利受侵害之事件,財團法人或公益社
團法人經受有損害之當事人二十人以上以書面授與訴訟實施權者,得以自
己之名義,提起損害賠償訴訟。當事人得於言詞辯論終結前以書面撤回訴
訟實施權之授與,並通知法院。
前項訴訟,法院得依聲請或依職權公告曉示其他因同一原因事實受有損害
之當事人,得於一定期間內向前項起訴之財團法人或公益社團法人授與訴
訟實施權,由該財團法人或公益社團法人於第一審言詞辯論終結前,擴張
應受判決事項之聲明。
其他因同一原因事實受有損害之當事人未依前項規定授與訴訟實施權者,
亦得於法院公告曉示之一定期間內起訴,由法院併案審理。
其他因同一原因事實受有損害之當事人,亦得聲請法院為前項之公告。
前二項公告,應揭示於法院公告處、資訊網路及其他適當處所;法院認為
必要時,並得命登載於公報或新聞紙,或用其他方法公告之,其費用由國
庫墊付。
依第一項規定提起訴訟之財團法人或公益社團法人,其標的價額超過新臺
幣六十萬元者,超過部分暫免徵裁判費。
第 35 條 當事人依前條第一項規定撤回訴訟實施權之授與者,該部分訴訟程序當然
停止,該當事人應即聲明承受訴訟,法院亦得依職權命該當事人承受訴訟
。
財團法人或公益社團法人依前條規定起訴後,因部分當事人撤回訴訟實施
權之授與,致其餘部分不足二十人者,仍得就其餘部分繼續進行訴訟。
第 36 條 各當事人於第三十四條第一項及第二項之損害賠償請求權,其時效應分別
計算。
第 37 條 財團法人或公益社團法人就當事人授與訴訟實施權之事件,有為一切訴訟
行為之權。但當事人得限制其為捨棄、撤回或和解。
前項當事人中一人所為之限制,其效力不及於其他當事人。
第一項之限制,應於第三十四條第一項之文書內表明,或以書狀提出於法
院。
第 38 條 當事人對於第三十四條訴訟之判決不服者,得於財團法人或公益社團法人
上訴期間屆滿前,撤回訴訟實施權之授與,依法提起上訴。
財團法人或公益社團法人於收受判決書正本後,應即將其結果通知當事人
,並應於七日內將是否提起上訴之意旨以書面通知當事人。
第 39 條
財團法人或公益社團法人應將第三十四條訴訟結果所得之賠償,扣除訴訟 必要費用後,分別交付授與訴訟實施權之當事人。
提起第三十四條第一項訴訟之財團法人或公益社團法人,均不得請求報酬。
第 40 條 依本章規定提起訴訟之財團法人或公益社團法人,應委任律師代理訴訟。
----------------------------------------------------
chapter V Penalties
Article 41
A violation to Paragraph 1 of Article 6, Articles 15, 16, 17, 19 and Paragraph 1 of Article 20, or an order or disciplinary action of the limitation on international transmission made by the government authority in charge of subject industry at the central government level in accordance with Article 21 which may harm other people’s rights should be imposed of a sentence or custody of no more than 2 years, or a fine of no more than NT$200,000, or both.
A person who intends to commit the crime in the preceding Paragraph should be imposed of a sentence of no more than 5 years and a fine of no more than NT$1,000,000.
Article 42
A person who intends to make unlawful profits for himself or for a third party, or intends to infringe upon the interests of others by illegally changing or deleting personal information files, or by other illegal means and has impeded the accuracy of other people’s personal information files and caused damages to others should be imposed of an imprisonment or custody of no more than 5 years, or a fine of no more than NT$1,000,000, or both.
Article 43
The above two Articles may be applicable to a citizen of the Republic of China who commits those crimes to citizens of the Republic of China outside the territory of the Country.
Article 44
A government official who takes advantage of his position, or opportunity or means available to him to commit the offenses prescribed in this Chapter should be subject to punishments half as severe as those enumerated above.
Article 45
The offenses referred to in this Chapter should be instituted only upon a complaint. However, the commission of the crime provided for pursuant to Paragraph 2 of Article 41, or the crime against the government agency pursuant to Article 42 is excluded from that.
Article 46
In the event where a more severe punishment is provided for in other laws with respect to the offenses outlined in this Chapter, the more severe one should be applied.
Article 47
Upon occurrence of any of the followings, the government authority in charge of subject industry at the central government level, municipality directly under the central government, or county or city government should impose an administrative fine of no less than NT$50,000 but no more than NT$500,000 on the non-government agency and should order the said agency to take corrective measures within a specified time period. In the event when the agency fails to do so, a fine should be imposed each time the violation occurs:
1. a violation of the provisions of Paragraph 1 of Article 6;
2. a violation of the provisions of Article 19;
3. a violation of the provisions of Paragraph 1 of Article 20; and
4. a violation of the order of the limitation on international transmission imposed by the government authority in charge of subject industry at the central government level concerning the restriction of international transmission of personal information in accordance with the provisions of Article 21.
Article 48
Upon occurrence of any of the following, the government authority in charge of subject industry at the central government level, municipality directly under the central government, or county or city government should order the non-government agency to take corrective measures within a specified time period. If they are not taken within that period, an administrative fine of no less than NT$20,000 but no more than NT$200,000 should be imposed upon the agency each time a violation of any of the followings occurs:
1. A violation of the provisions of Article 8 or Article 9;
2. A violation of the provisions of Article 10, Article 11, Article 12 or Article 13 hereinabove;
3. A violation of the provisions of Paragraph 2 or Paragraph 3 of Article 20 hereinabove;
4. A violation of the provisions of Paragraph 1 of Article 27 or a failure to set up a security and maintenance plan for personal information file or a disposal measure for the personal information after termination of business in accordance with Paragraph 2 of Article 27.
Article 49
A non-government agency violates the provisions of Paragraph 4 of Article 22 without proper reasons should be imposed of an administrative fine of no less than NT$20,000 by the government authority in charge of subject industry at the central government level, municipality directly under the central government, or county or city government.
Article 50
The main representative, manager or other representative of a non-government agency who should be imposed of an administrative fine due to the violation of the preceding three Articles of the agency should be subject to the same amount of the fine, unless the obligation of the representative has been proved to be fulfilled.
第 五 章 罰則
第 41 條 違反第六條第一項、第十五條、第十六條、第十九條、第二十條第一項規
定,或中央目的事業主管機關依第二十一條限制國際傳輸之命令或處分,
足生損害於他人者,處二年以下有期徒刑、拘役或科或併科新臺幣二十萬
元以下罰金。
意圖營利犯前項之罪者,處五年以下有期徒刑,得併科新臺幣一百萬元以
下罰金。
第 42 條 意圖為自己或第三人不法之利益或損害他人之利益,而對於個人資料檔案
為非法變更、刪除或以其他非法方法,致妨害個人資料檔案之正確而足生
損害於他人者,處五年以下有期徒刑、拘役或科或併科新臺幣一百萬元以
下罰金。
第 43 條 中華民國人民在中華民國領域外對中華民國人民犯前二條之罪者,亦適用
之。
第 44 條 公務員假借職務上之權力、機會或方法,犯本章之罪者,加重其刑至二分
之一。
第 45 條 本章之罪,須告訴乃論。但犯第四十一條第二項之罪者,或對公務機關犯
第四十二條之罪者,不在此限。
第 46 條 犯本章之罪,其他法律有較重處罰規定者,從其規定。
第 47 條 非公務機關有下列情事之一者,由中央目的事業主管機關或直轄市、縣(
市)政府處新臺幣五萬元以上五十萬元以下罰鍰,並令限期改正,屆期未
改正者,按次處罰之:
一、違反第六條第一項規定。
二、違反第十九條規定。
三、違反第二十條第一項規定。
四、違反中央目的事業主管機關依第二十一條規定限制國際傳輸之命令或
處分。
第 48 條 非公務機關有下列情事之一者,由中央目的事業主管機關或直轄市、縣(
市)政府限期改正,屆期未改正者,按次處新臺幣二萬元以上二十萬元以
下罰鍰:
一、違反第八條或第九條規定。
二、違反第十條、第十一條、第十二條或第十三條規定。
三、違反第二十條第二項或第三項規定。
四、違反第二十七條第一項或未依第二項訂定個人資料檔案安全維護計畫
或業務終止後個人資料處理方法。
第 49 條 非公務機關無正當理由違反第二十二條第四項規定者,由中央目的事業主
管機關或直轄市、縣(市)政府處新臺幣二萬元以上二十萬元以下罰鍰。
第 50 條 非公務機關之代表人、管理人或其他有代表權人,因該非公務機關依前三
條規定受罰鍰處罰時,除能證明已盡防止義務者外,應並受同一額度罰鍰
之處罰。
--------------------------------------
Chapter VI Supplementary Provisions
Article 51 The provisions of this Law are not applicable to the following situations:
1. When an individual who collects, processes or uses personal information in the course of personal activity of a domestic nature; and
2. if the audio-visual information is collected, processed or used in public places or public activities and not associated with the other personal information.
The provisions of this Law are applicable to the government agency and the non-government agency, when they collect, process or use the personal information of the citizens of the Republic of China outside the territory of the Republic of China.
Article 52 The competencies prescribed to the government authority in charge of subject industry at the central government level, municipality directly under the central government, or county or city government may be appointed to the subordinate agencies, other agencies or charitable groups. The personnel of such agencies should fulfill the obligation of confidentiality for all the information obtained during the job-undertaking.
The charitable groups prescribed in the preceding Paragraph should not be authorized by the Party in accordance with Paragraph 1 of Article 34 for litigation rights and should proceed to the action for damages in its own name.
Article 53 The specific purpose and the classification of personal information stipulated in this Law should be prescribed by the Ministry of Justice in conjunction with the government authority in charge of subject industry at the central government level.
Article 54 For the personal information which is not provided by the Party before the amendment of this Law and is subject to a notice to the Party prior to processing or use in accordance with Article 9, the personal information controller should fulfill its notice duty within one year after the effective date of this Law Amendment. Any processing or use of the personal information without notification in the overdue period of time is regarded as violation of Article 9.
Article 55 The Enforcement Rule of this Act shall be prescribed by the Ministry of Justice.
Article 56 The date for enforcement of this Act shall be set by the Executive Yuan.
The deletion of Articles 19 to 22 and Article 43 in the old Act becomes effective since the date of promulgation.
Until the date of promulgation in the preceding Paragraph, the enterprises, groups or individuals designated in Paragraph 2 of Article 43 in the old Act who are required to process registration or special permit within six months after the designated date, may apply for termination of process; the government authority in charge of subject industry shall refund the fees that have already been paid upon termination of process. Those who have completed the process may also apply for the refund of fees that have already been paid.
For the fees that have already been paid, it shall be refunded together with the total daily interest from the date of payment by the obligor to the date of termination of process set by the government authority in charge of subject industry based on the fixed annual interest rate for a one-year time deposit announced by the Directorate General of the Postal Remittances and Savings Bank on the beginning date of payment. The same is applicable to the fee refund situation of the above-mentioned completion of process, thereto the fees shall be refunded from the date of payment by the obligor to the date when the government authority in charge of subject industry approves such application.
第 六 章 附則
第 51 條 有下列情形之一者,不適用本法規定:
一、自然人為單純個人或家庭活動之目的,而蒐集、處理或利用個人資料
。
二、於公開場所或公開活動中所蒐集、處理或利用之未與其他個人資料結
合之影音資料。
公務機關及非公務機關,在中華民國領域外對中華民國人民個人資料蒐集
、處理或利用者,亦適用本法。
第 52 條 第二十二條至第二十六條規定由中央目的事業主管機關或直轄市、縣(市
)政府執行之權限,得委任所屬機關、委託其他機關或公益團體辦理;其
成員因執行委任或委託事務所知悉之資訊,負保密義務。
前項之公益團體,不得依第三十四條第一項規定接受當事人授與訴訟實施
權,以自己之名義提起損害賠償訴訟。
第 53 條 本法所定特定目的及個人資料類別,由法務部會同中央目的事業主管機關
指定之。
第 54 條 本法修正施行前非由當事人提供之個人資料,依第九條規定應於處理或利
用前向當事人為告知者,應自本法修正施行之日起一年內完成告知,逾期
未告知而處理或利用者,以違反第九條規定論處。
第 55 條 本法施行細則,由法務部定之。
第 56 條 本法施行日期,由行政院定之。
現行條文第十九條至第二十二條及第四十三條之刪除,自公布日施行。
前項公布日於現行條文第四十三條第二項指定之事業、團體或個人應於指
定之日起六個月內辦理登記或許可之期間內者,該指定之事業、團體或個
人得申請終止辦理,目的事業主管機關於終止辦理時,應退還已繳規費。
已辦理完成者,亦得申請退費。
前項退費,應自繳費義務人繳納之日起,至目的事業主管機關終止辦理之
日止,按退費額,依繳費之日郵政儲金之一年期定期存款利率,按日加計
利息,一併退還。已辦理完成者,其退費,應自繳費義務人繳納之日起,
至目的事業主管機關核准申請之日止,亦同。
-------------------------------------------
reference:
http://law.moj.gov.tw/Eng/LawClass/LawAll.aspx?PCode=I0050021
2011.1.16
at Mosa