Data Controller

According to Article 4(7) of the EU's General Data Protection Regulation (GDPR), a data controller is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Taiwanese companies are subject to GDPR if they offer goods/services to, or process the personal data of, EU residents. Fines can reach up to €20 million or 4% of global annual turnover, whichever is higher. Moreover, international clients, especially in the semiconductor and automotive supply chains, increasingly require suppliers to comply with data protection standards as a condition for business.

The primary related standard is ISO/IEC 27701 (Privacy Information Management System), which extends ISO/IEC 27001 to align with GDPR requirements for PII controllers and processors. It is also closely linked to its foundation, ISO/IEC 27001 (Information Security Management System), and the British standard BS 10012 (Personal Information Management System).

Winners Consulting is a pioneer in Taiwan, integrating ERM, technology law, industrial engineering, and data science. Led by a founder with a preventive law background, our interdisciplinary team of tech lawyers and ISO Lead Auditors helps companies like those in the semiconductor sector seamlessly integrate regulations like GDPR and standards like ISO 27701 into their existing governance and internal control frameworks, preventing redundant systems and effectively protecting trade secrets and client trust.