law-gdpr-pdpa
Data Privacy Compliance (GDPR & Taiwan PDPA)
Overview
Data privacy law governs how organizations collect, process, store, and share personal data. GDPR (EU) is the most widely copied benchmark; Taiwan's PDPA (個人資料保護法) governs government and non-government agencies in Taiwan. Both rest on the same core principles (purpose limitation, notice, data subject rights, security obligations) but differ in scope, enforcement, and specific requirements.
Framework
IRON LAW: No Collection Without Legal Basis
You CANNOT collect or process personal data just because you want to.
Every data processing activity requires a legal basis:
- GDPR: one of the 6 legal bases in Article 6(1) (consent, contract, legal obligation, vital interests, public task, legitimate interests)
- Taiwan PDPA: a specific purpose, plus one of the statutory conditions (Article 15 for government agencies, Article 19 for non-government agencies); consent is the most common condition but not the only one
"We need this data for analytics" is NOT a legal basis. It is a purpose, and a purpose still has to be paired with a basis (or, under PDPA, a statutory condition) before any data is collected.
GDPR vs Taiwan PDPA Comparison
| Aspect | GDPR | Taiwan PDPA |
|---|---|---|
| Scope | Controllers and processors established in the EU, plus any organization anywhere that offers goods or services to, or monitors the behaviour of, people in the EU (Art. 3) | Government and non-government agencies in Taiwan; also Taiwanese agencies processing ROC nationals' data outside Taiwan (Art. 51) |
| Legal bases | 6 enumerated bases (Art. 6(1)) | Specific purpose plus one of the statutory conditions (Art. 15 government agencies, Art. 19 non-government agencies); consent is one condition among several |
| Consent standard | Freely given, specific, informed, unambiguous, affirmative opt-in (Art. 4(11), Art. 7) | Written consent required for special categories (medical records, medical treatment, genetic information, sex life, health examination, criminal records; Art. 6); for other data, consent may be presumed where the subject was properly notified (Art. 8) and did not object (Art. 7) |
| Data subject rights | Access, rectification, erasure, portability, restriction, objection (Arts. 15-21) | Inquiry/access and copies, supplement or correction, cessation of collection/processing/use, deletion (Art. 3) |
| Cross-border transfer | Adequacy decision, SCCs, BCRs, or a Chapter V derogation | Permitted by default; the central competent authority may restrict transfers (Art. 21), e.g. where the destination lacks adequate protection or the transfer circumvents the Act; the area of use must appear in the Art. 8 notice |
| Breach notification | 72 hours to the supervisory authority (Art. 33); affected individuals without undue delay when the risk to them is high (Art. 34) | Notify affected individuals in an appropriate manner once the facts are established (Art. 12); reporting to the competent authority and its deadlines come from sector-specific security regulations |
| Penalties | Up to €20M or 4% of worldwide annual turnover, whichever is higher (Art. 83) | Administrative fines per violation (up to NT$500K under Arts. 47-48 before the 2023 amendment, which raised fines for inadequate security measures to as much as NT$15M in serious cases); criminal liability up to 5 years' imprisonment for unlawful processing for gain or harm (Art. 41) |
| DPO required? | Yes for public authorities, large-scale regular monitoring, or large-scale special-category processing (Art. 37) | Not required by the Act; sector security regulations may require designated personnel |
Compliance Assessment Steps
- Data inventory: What personal data do you collect, process, and store?
- Legal basis audit: What legal basis justifies each processing activity?
- Purpose limitation: Is data used only for the stated purpose?
- Data minimization: Are you collecting only what's necessary?
- Storage limitation: How long is data retained? Is there a deletion policy?
- Security measures: Are appropriate technical and organizational measures in place?
- Rights fulfillment: Can you respond to data subject rights requests?
- Cross-border transfers: Does data leave the jurisdiction? Under what mechanism?
- Breach response: Is there a breach notification procedure?
Output Format
```markdown
Privacy Compliance Assessment: {Organization}

Data Inventory

| Data Category | Types | Legal Basis | Purpose | Retention |
|---|---|---|---|---|
| {category} | {specific fields} | {basis} | {why collected} | {period} |

Compliance Gaps

| Requirement | Status | Gap | Priority |
|---|---|---|---|
| Legal basis | ✓/✗ | {detail} | H/M/L |
| Consent mechanism | ✓/✗ | ... | ... |
| Data subject rights | ✓/✗ | ... | ... |
| Breach notification | ✓/✗ | ... | ... |
| Cross-border transfer | ✓/✗ | ... | ... |

Remediation Plan

- {action} — priority: {H/M/L} — timeline: {X weeks}
```
Examples
Correct Application
Scenario: Privacy assessment for a Taiwanese e-commerce site selling to EU customers
- Applies: Both PDPA (the site is a non-government agency in Taiwan, so all customer data is in scope) AND GDPR (it offers goods to people in the EU, Art. 3(2)(a)); with no EU establishment it will usually also need an EU representative under Art. 27
- Gap found: Cookie consent banner only says "By using this site you agree to cookies" → Fails GDPR/ePrivacy consent (not freely given, not specific, no affirmative act, no way to refuse non-essential cookies). Must implement granular cookie consent with opt-in for marketing and analytics cookies, with strictly necessary cookies exempt ✓
- Gap found: Customer data shared with a logistics partner in China without a transfer mechanism or notice → Fails GDPR (no adequacy decision for China, so SCCs plus a transfer impact assessment are needed) and is a PDPA gap (the Art. 8 notice must state the area and recipients of use, and the transfer must be checked against any Art. 21 restriction issued by the competent authority for the sector)
Incorrect Application
- "We're a Taiwan company, GDPR doesn't apply to us" → GDPR applies to any organization that offers goods or services to, or monitors the behaviour of, people in the EU, regardless of where the organization is located (Art. 3(2)). If you ship to EU customers, price in euros, or track EU visitors for ad targeting, GDPR applies.
Gotchas
- Consent is not always the best legal basis: Under GDPR, legitimate interests may be more appropriate than consent for some processing (e.g., fraud prevention, which Recital 47 names explicitly). Consent can be withdrawn at any time (Art. 7(3)) and processing must then stop, which is unworkable for security logging. Taiwan PDPA has no general legitimate-interests condition; the nearest Art. 19 items are contract, public interest, and the data subject's own interests.
- "Anonymous" data may not be anonymous: If data can be re-identified by combining it with other datasets, it is pseudonymous, not anonymous (GDPR Recital 26, Art. 4(5)), and still personal data. PDPA likewise defines personal data as anything that directly or indirectly identifies a person (Art. 2).
- Both laws cover the public and private sectors: GDPR binds public authorities as well as companies (law enforcement processing falls under the separate Directive 2016/680). PDPA splits them into separate chapters, Arts. 15-18 for government agencies and Arts. 19-27 for non-government agencies, with different collection conditions for each.
- Privacy by design, not afterthought: GDPR Art. 25 requires data protection by design and by default, and PDPA Art. 27 requires appropriate security measures; both are far cheaper to meet at the system design stage than to bolt on later.
- This is educational guidance, not legal advice: Privacy compliance requires a qualified data protection specialist familiar with the applicable jurisdictions.
References
- For GDPR article-by-article reference, see references/gdpr-articles.md
- For the Taiwan PDPA implementation guide, see references/taiwan-pdpa.md