PDPA Compliance
REQUIRED
TW Personal Data Protection Act requires data collection consent, breach notification, and privacy policy. Relatively straightforward to comply with for standard SaaS.
Regional Deep Dive/APAC
Tax & Regulatory // Taiwan
Entity type: Limited Company (有限公司) or Corporation (股份有限公司)
Core Compliance
Corporate Tax
20%
Flat rate. Undistributed earnings face additional 5% surtax.
VAT (营业税)
5%
Lowest VAT in the region. Uniform application to most products and services.
Foreign Ownership
Generally permitted
Most tech sectors allow 100% foreign ownership via investment approval.
Regulatory Vectors
watch
Foreign Investment Approval
REQUIRED
Foreign investment requires Investment Commission (MOEAIC) approval. Generally approves within 30 days for technology businesses not in restricted sectors.
Data Residency
NOT MANDATED
No mandatory data localisation. TW government agencies have practical preferences for TW hosting but no legal requirement.
NCC Licensing (telecoms/broadcast)
CONDITIONAL
National Communications Commission licence required for telecom, broadcasting, or internet services above certain thresholds.
Key Legislation
Personal Data Protection Act (PDPA)
Governs collection, processing, and use of personal information.
Act Governing Relations between the People of the Taiwan Area and the Mainland Area
Governs commercial relations with mainland China — relevant for cross-strait data flows.
Company Act (公司法)
Governs company formation and corporate governance in TW.
Entry Recommendation
TW has moderate regulatory complexity and is very accessible for foreign investment. Incorporate a local entity, obtain PDPA documentation, and get Investment Commission approval. Straightforward process with a local TW law firm.
Regulatory Flashpoints — Evidence Base
Primary regulatory flashpoint
confidence 40Personal Data Protection Act controls on collection and use.
Needs human review