
Data Protection in Albania
Data protection laws in Albania
On 19 December 2024, the Parliament of the Republic of Albania passed Law No. 124/2024, titled “On Personal Data Protection” (the “Data Protection Law”) (Official Gazette of the Republic of Albania No. 9, dated 17 January 2025). This legislation aims to align Albania’s legal framework with the European Union’s standards, particularly by incorporating Regulation (EU) 2016/679 (the General Data Protection Regulation, or GDPR) and Directive (EU) 2016/680, both of which address the protection of personal data in various contexts, including criminal law enforcement.
The adoption of this law marks the culmination of an extensive process, with the Office of the Information and Data Protection Commissioner pursuing the alignment of Albanian data protection laws with the GDPR since 2018.
The Data Protection Law establishes the rules for safeguarding individuals’ personal data and aims to protect fundamental human rights and freedoms, particularly the right to personal data protection.
Scope
The Data Protection Law applies when personal data are processed in whole or in part by automatic means, as well as to the processing of personal data which are part of a filing system or are intended to become part of a filing system where the processing is not carried out by automatic means; however, the law does not cover data processing by natural persons for purely personal or family purposes (Article 3).
Territorial Scope
The Data Protection Law shall apply:
- in the framework of the activities of a controller or processor established in the Republic of Albania, regardless of whether the processing takes place in the Republic of Albania or not;
- to the processing of personal data of data subjects who are located in the Republic of Albania by a controller who is not established in the Republic of Albania, where the processing operations relate to:
  - the offering of goods or services, whether for payment or not, to data subjects in the Republic of Albania; or
  - the monitoring of the behaviour of data subjects, as long as such behaviour takes place in the Republic of Albania;
- to processing by a controller or processor who is not established in the Republic of Albania, but in a territory where Albanian law applies on the basis of public international law (Article 4).
Definitions in Albania
Definition of Personal Data
The Data Protection Law defines personal data as any information relating to a data subject (Article 5(3)).
A “data subject” refers to any identified or identifiable natural person. A person is identifiable if he or she can be identified, directly or indirectly, by reference to one or more specific identifiers, such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity (Article 5(23)).
Definition of Sensitive Personal Data
The Data Protection Law defines sensitive data as special categories of personal data that reveal racial or ethnic origin, political opinions, religious beliefs or philosophical views, trade union membership, genetic data, biometric data, data concerning a person’s health, life or sexual orientation (Article 5(28)).
“Genetic data” means personal data relating to the inherited or acquired genetic characteristics of a person which provide unique information concerning his or her physiology or health and which are obtained, in particular, because of the analysis of a biological sample taken from that person (Article 5(25)).
“Biometric data” means personal data resulting from specific technical processing of the physical, physiological or behavioural characteristics of a person which enable or confirm the unique identification of that person, such as facial images or fingerprints (Article 5(24)).
“Data concerning health” means personal data relating to the physical or mental health of a person, including the provision of healthcare services, which indicates information relating to his or her state of health (Article 5(26)).
National data protection authority in Albania
The Commissioner for the Right to Information and Personal Data Protection (the “Commissioner”) is the Albanian authority in charge of overseeing and ensuring the implementation of the applicable legislation on data protection, with the primary goal of protecting the fundamental rights and freedoms of individuals in relation to the processing of personal data. The Commissioner is an independent authority, elected by a majority of the Parliament members, based on a proposal from the Council of Ministers, for a seven-year term, with the possibility of re-election.
In carrying out their duties and exercising their powers under the Data Protection Law, the Commissioner operates independently, free from any direct or indirect influence, and does not seek or accept instructions. During the Commissioner’s term, they are prohibited from engaging in any activities or professions that may conflict with their duties, whether paid or unpaid.
The Commissioner is supported by the Office of the Commissioner, which is provided with the necessary human, technical, financial, and infrastructural resources to effectively perform its functions. The staff operates under the exclusive direction of the Commissioner and reports to them regularly. To fulfil the mission and objectives of the office, the Commissioner may also consult with external advisors on specific matters. The Commissioner has the authority to approve the organizational structure of the Office of the Commissioner.
The Commissioner is seated at:
Rr. “Abdi Toptani”, Nd. 5
Postal Code 1001
Tirana
Albania
Registration in Albania
A data controller or processor must notify the Commissioner of the contact details of the Data Protection Officer.
If a data controller or processor is not established in the Republic of Albania but engages in processing activities related to data subjects in Albania, the controller or processor must appoint a representative and notify the Commissioner. This notification must include the identity of the representative appointed in the Republic of Albania. The notification must be provided in writing (Article 25).
This requirement applies when processing involves:
- the offering of goods or services, whether for payment or not, to data subjects in the Republic of Albania; or
- the monitoring of the behaviour of data subjects, as long as such behaviour takes place in the Republic of Albania.
This requirement shall not apply:
- to processing, which is incidental, does not involve the processing of sensitive data or criminal data on a large scale and is not likely to result in a risk to the fundamental rights and freedoms of natural persons, taking into account the nature, context, object and purposes of the processing; or
- to public authorities.
Data protection officers in Albania
Obligation to designate a Data Protection Officer (“DPO”) (Article 33)
The controller and the processor must designate a DPO if:
- The processing is carried out by a public authority or body, excluding courts, in the course of judicial activities;
- The core activities of the controller or processor involve processing operations that, due to their nature, scope, or purpose, require regular and systematic monitoring of data subjects on a large scale;
- The core activities of the controller or processor involve processing sensitive data or criminal data on a large scale.
A group of companies may appoint a single DPO, who should be easily accessible to each member of the group. In the case of a public authority, one DPO may be designated to cover multiple authorities, considering their organizational structure and size.
In situations not covered by the first paragraph above, the controller, processor, associations, or other bodies representing a category of controllers or processors may, or in some cases must, designate a DPO, as required by law.
Duties and position of the DPO (Article 34)
The DPO has the following duties:
- Provides advice, upon request, to the management bodies of the controller or processor on all matters related to data protection;
- Participates in data protection impact assessments;
- Informs and advises the staff of the controller or processor on data protection, including raising awareness and training staff involved in processing operations;
- Monitors compliance with the Data Protection Law, other applicable data protection provisions, and the policies of the controller or processor, including the assignment of responsibilities, awareness-raising, staff training, and relevant audits;
- Cooperates with and serves as a point of contact for the Commissioner;
- Gives due attention to the risks of infringing fundamental rights and freedoms that may arise from personal data processing, considering the nature, context, circumstances, and purposes of the processing.
The DPO must be appointed based on certified professional qualifications, particularly with sound knowledge of data protection law and practices, and the ability to perform the tasks outlined in the paragraph above.
The DPO may be an employee of the controller or processor, or someone under a service contract. The DPO may hold other responsibilities, but the controller or processor must ensure these duties do not conflict with the role of the DPO.
The controller and processor must ensure the DPO is involved in a timely manner in all matters related to data protection and has the necessary resources to carry out their duties. The DPO must also maintain confidentiality regarding their duties.
The controller and processor must ensure the DPO is not given instructions regarding the performance of their duties and cannot be dismissed or penalized for carrying out their responsibilities. The DPO reports directly to the highest level of management of the controller or processor.
Collection and processing in Albania
The Data Protection Law provides the following definitions:
A “controller” means the natural or legal person and any public authority which, alone or jointly with others, determines the purposes and means of the processing of personal data (Article 5(8)).
A “processor” means the natural or legal person and any public authority which processes personal data on behalf of the controller (Article 5(18)).
Principles for the lawful processing of personal data (Article 6)
Personal data shall be:
- processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the “purpose limitation principle”);
- adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);
- accurate and where necessary kept up to date (the “accuracy principle”);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the “storage limitation principle”); and
- processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the “integrity and confidentiality principle”).
The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”).
Lawfulness of processing of personal data (Article 7)
Processing shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Lawfulness of processing of sensitive data (Article 9)
Processing of sensitive data is prohibited.
The processing of sensitive data is permitted if appropriate measures are implemented to protect the fundamental rights and interests of data subjects and only in cases where:
- the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where the applicable legislation provides that the prohibition on processing sensitive data cannot be waived by consent from the data subject;
- processing is necessary for the fulfilment of a specific obligation or right of the controller or of the data subject in the field of employment, social security and social protection, including obligations and rights arising from a collective agreement, in accordance with the applicable legislation in these areas, provided that the fundamental rights and interests of the data subject are guaranteed;
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is incapable of giving consent due to his or her health condition or when his or her right to act has been removed or restricted;
- processing is carried out in the course of the lawful activity of a not-for-profit political, philosophical, religious or trade union organization, provided that the processing relates only to members or former members of the organization or to persons who have regular contact with it in the context of its activity, and that the personal data are not disseminated outside the organization without the consent of the data subjects;
- processing relates to personal data which are manifestly made public by the data subject and the processing is necessary for the pursuit of a legitimate interest;
- processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
- processing is necessary for archiving purposes in the public interest, for historical, research, scientific or statistical purposes, subject to legal provisions.
Lawfulness of processing of data related to criminal offences and convictions (Article 10)
Processing of personal data relating to criminal convictions and offences or security measures related thereto is carried out only under the control of competent authority or when the processing is authorised by law providing for appropriate safeguards for the rights and freedoms of data subjects. The judicial status register is maintained under the control and supervision of the Ministry of Justice, in accordance with the legislation in force.
Processing of data for specific purposes:
Processing of personal data and freedom of expression (Article 43)
To balance data protection with freedom of expression and information, exceptions to the Data Protection Law can be applied for journalistic, academic, artistic, and literary purposes, provided:
- The data is necessary for preparing journalistic, academic, literary or artistic materials for publication;
- The data is only used for the specified purpose;
- The publication serves the public interest;
- Applying the Data Protection Law would hinder the purpose;
- The processing does not harm the fundamental rights of data subjects.
If these exceptions are applied, personal data should only be retained for as long as needed for the publication and can be shared with those involved in its creation, other potential publishers, or for legal purposes.
Additionally, when publishing, the controller must ensure minors, crime victims, or individuals claiming harm are not identifiable without consent or court approval, except when the victim is a public figure and the publication relates to their role.
Exceptions do not apply to processing data about minors or certain other legal provisions.
Processing of personal data and access to information in the public sector (Article 44)
The right to personal data protection is balanced with the right of access to official documents and information, as outlined in the applicable legislation. Public access to information is not restricted by personal data protection laws for public authorities or individuals exercising state functions, unless other fundamental rights (such as the right to life or physical integrity) require specific protection of their data.
Processing of personal data for archiving, research, and statistical purposes (Article 45)
The processing of personal data, including sensitive and criminal data, for archiving in the public interest, or for historical, research, scientific, or statistical purposes, is considered a legitimate interest of the controller, unless the data subject’s interests or fundamental rights and freedoms, which require protection of their personal data, take precedence.
Personal data collected for any purpose may be further processed for archiving purposes, historical research, or scientific and statistical purposes.
This processing must be carried out with appropriate safeguards to protect the rights and freedoms of the data subject. These safeguards include, but are not limited to:
- Technical and organizational measures taken by the controller in compliance with Data Protection Law, especially principles of data minimization or pseudonymization, to achieve the processing purpose. If the purpose can be achieved by processing anonymized or pseudonymized data, that method should be used;
- Pseudonymization of data, and where possible, anonymization before transferring data for further processing;
- Specific safeguards to ensure that data is not used for decisions or actions concerning the data subject, unless the data subject has expressly given consent.
Exemptions from certain data subject rights may apply if exercising those rights would significantly hinder or prevent the achievement of the processing purpose. The controller bears the burden of proving that the exercise of these rights would cause such an obstacle to the purpose.
Processing of personal data and direct marketing (Article 46)
See Electronic marketing.
Transfer in Albania
General principles (Article 39)
Personal data that is being processed or will be processed after transfer may only be transferred to a foreign country or international organization or further transferred from one foreign country or international organization to another, if adequate protection for the data is guaranteed at the destination, or if specific safeguards are in place specifically for such transfer.
Transfers required by foreign court or administrative authority decisions will only be recognized or enforced if they are based on an international agreement, such as a mutual legal assistance treaty, in effect between the requesting third country and Albania, and without violating the other transfer criteria outlined in the Data Protection Law.
Transfer of data based on an adequacy decision (Article 40)
Personal data may be transferred to foreign countries or international organizations if the recipient is located in a country, territory, or sector within a foreign country, or belongs to an international organization that ensures an adequate level of data protection. The adequacy of the data protection level for a country, territory, sector, or international organization is determined by a decision of the Commissioner.
Pursuant to the Decision of the Commissioner No. 8, dated 31 October 2016 the following states have an adequate level of data protection:
- European Union member states;
- European Economic Area states;
- Parties to the Convention No. 108 of the Council of Europe “For the Protection of Individuals with regard to Automatic Processing of Personal Data”, as well as its 1981 Protocol, which have approved a special law and set up a supervisory authority that operates in complete independence, providing appropriate legal mechanisms, including handling complaints, investigating and ensuring the transparency of personal data processing;
- States where personal data may be transferred, pursuant to a decision of the European Commission.
Transfer of data in the absence of an adequacy decision (Article 41)
In the absence of an adequacy decision, a controller or processor may transfer personal data to a third country or international organization only if appropriate safeguards are in place, and if enforceable data subject rights and effective legal remedies are available for the data subjects.
If appropriate safeguards are not in place, the transfer may only occur if one of the following conditions is met:
- the data subject has explicitly consented to the proposed international transfer, after having been clearly informed of the possible risks of such transfer;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request, or the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party;
- the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically incapable of giving consent, or their right to act has been removed or restricted;
- the transfer is necessary for important reasons of public interest;
- the processing is necessary for the establishment, exercise or defence of a right, obligation or legitimate interest before a court or public authority;
- the transfer is made from a register that is open for consultation by law and provides information to the general public, provided that the transfer includes only certain information and not entire sections of the register.
Where a transfer could not be based on any of the above, a transfer may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the Commissioner and the data subject of the transfer and on the compelling legitimate interests pursued.
Security in Albania
General responsibility of the controller (Article 22)
The Data Protection Law requires controllers to implement appropriate technical and organizational measures, based on the nature, scope, context, and purposes of the processing, as well as the potential risks to individuals’ rights and freedoms. These measures must be regularly reviewed and updated as necessary.
Data protection by design and by default (Article 23)
Controllers should consider technological developments, implementation costs, and the specific circumstances of the processing when determining safeguards, such as pseudonymization, to protect data subjects’ rights.
Controllers must ensure that, in a predetermined manner, only the personal data necessary for each specific purpose is processed, including limiting the data collected, its accessibility, and storage period. Security measures must prevent unauthorized access to personal data and maintain the confidentiality, integrity, availability, and resilience of processing systems and services.
Measures to ensure the security of processing (Article 28)
The controller and the processor implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, inter alia, where applicable:
- Pseudonymization and encryption of personal data;
- The ability to ensure the confidentiality, integrity, availability, and resilience of the processing systems and services;
- The ability to restore the availability and access to personal data within a reasonable time in the event of a physical or technical incident;
- A process for regularly testing, reviewing, and assessing the effectiveness of the technical and organizational measures to ensure the security of the processing.
The level of security must be appropriate to the nature of the personal data processing. The Commissioner has established additional rules for personal data security by means of Decision No. 6, dated 05 August 2013 “On the Determination of Detailed Rules for the Security of Personal Data”.
Breach notification in Albania
Controller’s notification to the Commissioner (Article 29)
In the event of a personal data breach, the controller must notify the Commissioner as soon as possible, and no later than 72 hours after becoming aware of the breach. Notification is not required if the breach is unlikely to result in a risk to the rights and freedoms of data subjects. If the notification is not made within the 72-hour timeframe, the controller must provide an explanation for the delay.
The notification to the Commissioner must include, at a minimum:
- A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected, as well as the categories and approximate number of personal data records involved;
- The name and contact details of the DPO or another relevant contact point;
- A description of the likely consequences of the personal data breach;
- A description of the measures taken or proposed to address the breach, including, where applicable, measures to mitigate its potential adverse effects.
If all of the required information is not available at once, it may be provided in stages, as soon as possible.
The controller must document all personal data breaches, including the details, impact, and corrective actions taken, to enable the Commissioner to verify compliance. The Commissioner shall respond to the notification in line with their authority. The Commissioner may also instruct the controller to notify the affected data subjects of the personal data breach if the breach is likely to pose a high risk to their rights and freedoms, and if the controller has not already done so, as outlined in the section below.
Controller’s notification to the data subjects (Article 29)
The controller must inform data subjects if the risks to their rights and freedoms resulting from the data breach are likely to be high, by providing the information as outlined in the notification to the Commissioner above. However, notification to data subjects is not required in the following cases:
- The controller has implemented appropriate technical and organizational protective measures, such as encryption, which were applied to the personal data affected by the breach;
- The controller has taken additional steps to reduce the risk of harm to the rights and freedoms of data subjects;
- The controller publishes the notice or takes other similar actions to notify data subjects of the breach in a uniform and effective manner, where notifying each individual data subject would impose a disproportionate burden on the controller.
Processor’s notification to the controller (Article 29)
The processor shall notify the controller immediately after becoming aware of any personal data breach.
Enforcement in Albania
The Commissioner is the competent authority for the supervision and enforcement of Data Protection Law. The Commissioner is responsible, inter alia, for:
- Ensuring that data subjects can exercise their rights, including providing them with information and advice on these rights;
- Investigating the compliance of personal data processing activities with the Data Protection Law, either proactively or in response to a complaint;
- Reviewing complaints filed by individuals or non-profit entities, organizations, or associations representing individuals, in cases of alleged violations of the Data Protection Law;
- Evaluating the responses provided by competent authorities to data subjects’ requests regarding their rights of access, rectification, or erasure;
- Imposing administrative sanctions and penalties, and overseeing their enforcement.
Administrative offenses related to the processing of personal data may result in a fine of up to ALL 2,000,000,000 (approximately EUR 20,300,000), or, in the case of a company, up to 4% of its total annual global turnover from the previous financial year, whichever amount is greater.
The Commissioner shall issue a directive outlining the rules regarding the imposition of administrative sanctions, which will be based on the guidelines established by the European Data Protection Board.
The sanctioned subject may appeal the fine in court within the deadlines and according to the procedures that regulate the administrative trials.
Electronic marketing in Albania
Electronic and direct marketing under the Data Protection Law
The Data Protection Law does not explicitly refer to electronic marketing; nevertheless, it will apply to most electronic marketing activities since they typically involve personal data, like an email address that includes the recipient’s name.
Personal data may be processed for direct marketing purposes as a means of communicating with identifiable individuals to promote goods or services. This includes advertising membership in organizations, soliciting donations, and any direct marketing activities, which also cover any preparatory actions taken by the advertiser or a third party to facilitate such communication (Article 46(1)).
The most common legal grounds for the processing of data for direct marketing are:
The legitimate interests of the controller
Processing for direct marketing purposes, whether carried out by the controller or by third parties, may be based on legitimate interests, provided that the interests of the protection of data subjects are not overridden. This also applies to the use of data obtained from publicly accessible sources for direct marketing purposes.
The consent of the data subject
When relying on consent, it is essential to adhere to the requirements set by Data Protection Law. Notably, when personal data is processed for direct marketing purposes, the data subject has the right to object at any time, without needing to provide a reason, to the processing of their personal data for such purposes, including profiling insofar as it relates to them (Article 19(2) and Article 46(4)).
Furthermore, the controller must be able to demonstrate that the data subject has given consent for the processing of their personal data. If consent is provided in the context of a written statement that includes other matters, the request for consent must be clearly distinguishable from the other information. It should be presented in an intelligible and easily accessible format, using clear and plain language (Article 8(2)). In the context of direct marketing, marketing consent forms should include clear opt-in mechanisms, such as checking an unchecked consent box or signing a statement, rather than just accepting terms and conditions or assuming consent based on actions like visiting a website.
The processing of a minor’s personal data based on consent, in the context of online goods or services directly offered to them, is lawful only if the minor is at least 16 years old. If the minor is under 16, the processing is lawful only if consent is given or authorised by the minor’s parent or legal guardian, and only to the extent that it is given or authorised by them (Article 8(6)).
The processing of sensitive data for direct marketing purposes is carried out with the explicit consent of the data subject (Article 46(3)).
The Commissioner has issued an Instruction no. 06, dated 28 May 2010 “On the correct use of SMSs for promotional purposes, advertising, information, direct sales, via mobile phone”. This instruction emphasizes the importance of the prior consent given by the data subject.
Electronic and direct marketing under the Electronic Communications Law
According to Law 54/2024 “On electronic communications in the Republic of Albania” (“Electronic Communications Law”), natural or legal persons who possess the email addresses of their customers for their products or services may use these addresses for direct marketing of similar products or services only if they have obtained the explicit consent of the customers to be contacted for marketing purposes. Additionally, they are required to provide customers with a simple and free way to opt out of the use of their email address for marketing purposes at any time. It is also prohibited to send SMS or email messages for direct marketing purposes if the sender’s identity is concealed or if a valid address is not provided, through which the recipient can request the cessation of such communications (Article 165 “Unsolicited communications”).
Online privacy in Albania
Online privacy under the Data Protection Law
The Data Protection Law does not include specific regulations for cookies or location data. However, location data and online identifiers (which include cookies) are considered identifying factors for data subjects. As such, the general data protection provisions outlined in the Data Protection Law also apply to online privacy.
Apart from the general data protection principles applied mutatis mutandis, the Data Protection Law contains few specific provisions regarding online privacy. These include:
Right to rectification and erasure (Article 15(2)(dh))
The data subject has the right to request the erasure of personal data relating to them from the controller. The controller is required to erase the personal data as soon as possible, and in any case, no later than 30 days from the receipt of the request, if the data was collected in the context of online provision of goods or services.
The right to be forgotten (Article 16)
When the controller has made personal data public and is required to erase it, they must take reasonable steps, including technical measures, to notify other controllers processing those data that the data subject has requested the removal of any link, copy, or reproduction of the personal data, considering the applicable technology and implementation costs. Additionally, at the data subject’s request, operators of internet search engines must remove outdated information from search results based on the data subject’s name if that information, although no longer current, significantly harms the data subject’s reputation.
In order to provide some clarification on the notion of cookies and their use, the Commissioner has defined cookies in an online dictionary as data stored on the computer which contain specific information. This rudimentary definition is complemented by a short explanation stating that cookies allow any server to know which pages have been visited recently, simply by reading them.
The Commissioner has also released an opinion (which is somewhat outdated and non-binding for data controllers) regarding the protection of personal data on the websites of both public and private entities. In this opinion, the Commissioner highlights the obligations of data controllers under the Data Protection Law, as well as the rights of data subjects, which must also be observed in the context of online personal data collection:
- The right to be fully informed and to give their approval if a website (or an application) processes their data;
- The right to keep their online communications secret (including email, the computer’s IP or modem No.);
- The right to be notified if their personal data are compromised (data has been lost or stolen, or if their online privacy is likely to be negatively affected);
- The right to request that their personal data be excluded from data processing for direct marketing if they have not given their consent.
Additionally, in this opinion, the Commissioner stresses the importance of public and private controllers drafting and publishing privacy policies on their websites, including, among other things:
- The identity of the controller;
- The information collected from the users, specifying the category of personal data;
- Specific policies regarding cookies and other technologies that allow data controllers to gather information on the users that use the website and to notify the latter about their use.
Online privacy under the Electronic Communications Law
The Electronic Communications Law defines “location data” as any data processed in an electronic communications network, indicating the geographical position of the terminal equipment of a user of the electronic communications network.
Location data may only be processed when they are made anonymous or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value added service.
The service provider must inform the users or subscribers, prior to obtaining their consent, of the type of location data which will be processed, of the purposes and duration of the processing and whether the data will be transmitted to a third party for the purpose of providing the value added service.
Users or subscribers shall be given the possibility to withdraw their consent for the processing of location data other than traffic data at any time. Users or subscribers must continue to have the possibility, using a simple means and free of charge, of temporarily refusing the processing of such data for each connection to the network or for each transmission of a communication.
Processing of location data must be restricted to persons acting under the authority of the provider of the public communications network or publicly available communications service or of the third party providing the value added service, and must be restricted to what is necessary for the purposes of providing the value added service (Article 163 of the Electronic Communications Law).
The Commissioner for the Right to Information and Personal Data Protection (the “Commissioner”) is the Albanian authority in charge of overseeing and ensuring the implementation of the applicable legislation on data protection, with the primary goal of protecting the fundamental rights and freedoms of individuals in relation to the processing of personal data. The Commissioner is an independent authority, elected by a majority of the Parliament members, based on a proposal from the Council of Ministers, for a seven-year term, with the possibility of re-election.
In carrying out their duties and exercising their powers under the Data Protection Law, the Commissioner operates independently, free from any direct or indirect influence, and does not seek or accept instructions. During the Commissioner’s term, they are prohibited from engaging in any activities or professions that may conflict with their duties, whether paid or unpaid.
The Commissioner is supported by the Office of the Commissioner, which is provided with the necessary human, technical, financial, and infrastructural resources to effectively perform its functions. The staff operates under the exclusive direction of the Commissioner and reports to them regularly. To fulfil the mission and objectives of the office, the Commissioner may also consult with external advisors on specific matters. The Commissioner has the authority to approve the organizational structure of the Office of the Commissioner.
The Commissioner is seated at:
Rr. “Abdi Toptani”, Nd. 5
Postal Code 1001
Tirana
Albania
Since August 2023, an independent administrative authority for the protection of personal data, known as the "National Data Protection Authority" (National Authority), has been established, with its headquarters in Algiers.
The National Authority is responsible for ensuring that the processing of personal data is carried out in accordance with the provisions of the law and that the use of information and communication technologies does not threaten the rights of individuals, public freedoms and privacy.
The National Authority's missions are as follows:
- Draw up rules of good conduct and ethics applicable to the processing of personal data;
- Advise individuals and entities on the use of personal data;
- Inform data subjects of their rights and data controllers of their obligations;
- Issue authorizations and receive declarations relating to the processing of personal data;
- Authorize cross-border transfers of personal data under the conditions laid down by the law;
- Publish the authorisations granted and the opinions issued in the national register referred to in Article 28 of Law No. 18-07;
- Receive claims, appeals and complaints relating to the processing of personal data and inform their authors of the action taken on them;
- Order any changes necessary to protect the personal data processed;
- Order the closure, removal or destruction of data; and
- Impose administrative sanctions under the conditions defined by Article 46 of Law No. 18-07.
According to the statistics published by the National Authority, as of 31 October 2023, only 3 months after it began operations, its results were as follows:
- 228 files relating to declarations, requests for authorisation and requests for opinions submitted by bodies processing personal data had been received; and
- 174 files are awaiting further information, 54 files have been examined, including 46 declarations, 07 requests for authorisation and 01 request for an opinion, and the authority's overall mission is continuing.
More recently (i.e. on 28 February 2024), the National Authority announced on its website that it will begin its first field inspections of companies in the private sector, in order to examine the various processing procedures before extending the operation to individuals and public companies.
The Data Protection Law establishes the Agência de Proteção de Dados (APD) as Angola’s data protection authority. The APD’s Organic Statute was established by Presidential Decree 214/2016 of October 10, and its board currently in office was nominated by Presidential Decree 277/2019 of September 6.
Pursuant to Decree 746 of 2017, it is the Agency for Access to Public Information (Agencia de Acceso a la Información Pública).
Based on Decision N 573-A of the RA Prime Minister as of July 3, 2015, the Personal Data Protection Agency of the RA Ministry of Justice was appointed as the authorized body for personal data protection.
In the second half of 2024, the Personal Data Protection Agency of the Republic of Armenia officially launched its website to assist citizens in safeguarding their personal data effectively. The platform offers a variety of resources, including training courses on personal data, its categories, and methods of protection. Additionally, it provides access to legislative acts on personal data protection, guidelines, templates, and other essential information.
- The website of the Personal Data Protection Agency is available at pdpa.am
- You can see the e-courses on personal data protection at the following link: (only Armenian version available) personaldataprotect.notion.site
- Guidelines on personal data protection are available at the following link: pdpa.am
- The privacy notice form is available at the following link: pdpa.am
National Ordinance Person Registration
Public prosecutor.
GDPR
An independent public authority established by a Member state pursuant to article 51 of the GDPR (Article 4(21), GDPR). The authority is responsible for monitoring the application of the GDPR in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the EU.
The Information Commissioner, under the Office of the Australian Information Commissioner ("OAIC"), is the national data protection regulator responsible for Privacy Act oversight.
175 Pitt Street
Sydney NSW 2000
T 1300 363 992
F +61 2 9284 9666
EU regulation
Enforcement of the GDPR is conducted by data protection regulators, known as supervisory authorities (for example, the Cnil in France or the ICO in the UK). The European Data Protection Board (successor of the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.
The GDPR establishes the concept of "lead supervisory authority". Where there is cross-border processing of personal data (ie, processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called "lead supervisory authority" (Article 56(1)).
However, the lead supervisory authority is required to cooperate with all other "concerned" authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).
The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.
Austria regulation
The Austrian Data Protection Authority (Österreichische Datenschutzbehörde) can be contacted as follows:
Österreichische Datenschutzbehörde
Barichgasse 40-42 1030 Vienna
Austria / Europe
Phone number: +43 1 52 152-0
E-Mail: [email protected]
If possible, the Austrian Data Protection Authority prefers to communicate via email.
The major regulator/enforcement authority (DPA) is the Ministry of Digital Development and Transport.
In addition, the other designated state authorities which are vested in powers to enforce applicable data protection/privacy laws, within the scope of their competences, include the Ministry of Internal Affairs, the Ministry of Justice, the State Security Service, and the Special State Protection Service.
Section 14 DPA establishes a Data Protection Commissioner (‘DPC’), a corporation sole, that is tasked with the enforcement of the provisions of the DPA. The DPC operates from the Office of the Data Protection Commissioner, which would be the Bahamian equivalent of a national data protection authority as seen in other jurisdictions.
Under the PDPL, the Authority will have power to investigate violations of the PDPL on its own, at the request of the responsible minister, or in response to a complaint.
The Authority can issue orders to stop violations, including issuing emergency orders and fines. Civil compensation is also allowed for any individual who has incurred damage arising from the processing of their personal data by the data controller, or violating the provisions of the PDPL by a business's data protection officer. Finally, the most concerning feature of the PDPL for businesses is that it carries criminal penalties for violations of certain provisions.
Decree No. 78 of 2019 (the "Decree") was enacted to determine the administrative authority that will assume the mandated functions and powers of the Authority. This Decree came into force on September 29, 2019.
Article I of the aforementioned Decree appoints the Ministry of Justice, Islamic Affairs and Endowments (the "Ministry") as the Authority for the protection of personal data in accordance with the provisions of the PDPL, on a temporary basis pending the financial allocation of the Authority in the general budget of Bahrain and the issuance of a decree forming the Board of Directors pursuant to Article 39 of the PDPL.
The Minister of the Ministry will assume the functions and powers prescribed to the Board of Directors of the Authority and the Chairman of the Board of Directors, in accordance with the provisions of the PDPL. The Undersecretary of the Ministry will assume the same functions and powers as the Executive Chairman.
Cyber Security Agency.
The Data Protection Commissioner (the "Commissioner") was appointed with effect from July 15, 2021 and is responsible for the general administration of the Act.
The National Personal Data Protection Centre ("NPDPC") is the competent authority for the protection of personal data subjects' rights. The main tasks of the NPDPC are taking measures to protect the rights of personal data subjects in the processing of their personal data and organising training on personal data protection issues.
In accordance with these tasks, the NPDPC performs the following functions:
- controls the processing of personal data by operators (authorised persons);
- considers complaints of personal data subjects regarding the processing of personal data;
- determines the list of foreign countries having an adequate level of protection of data subjects’ rights;
- issues permits for cross-border transfer of personal data, if the level of protection of personal data subjects' rights in a foreign country is not adequate, as well as establishes the procedure for issuing such permits;
- makes proposals on the improvement of the personal data legislation, participates in the drafting of legal acts on personal data;
- provides explanations on the application of personal data legislation, carries out other explanatory work on personal data legislation;
- determines the cases in which it is not necessary to notify NPDPC of the breach of personal data protection systems;
- establishes the classification of information resources (systems) containing personal data in order to determine the technical and cryptographic protection requirements for personal data;
- participates in the work of international organisations on personal data protection issues;
- cooperates with authorities (organisations) for protection of rights of personal data subjects in foreign countries;
- publishes annually by 15 March, the report in mass media on its activities;
- implements educational programs of additional education for adults in accordance with the legislation on education;
- exercises other authority established by the personal data legislation.
The NPDPC constantly develops legislation in the field of personal data protection. The data protection authority publishes its recommendations and clarifications on the application of Data Protection Law provisions and on the specifics of personal data protection in various matters (inter alia, the content of privacy policies, personal data processing in employment and pre-employment relations, processing in the educational sphere, and relations between operators and authorised persons in terms of personal data processing).
Contact information of NPDPC
Build. 24-3
K.Zetkin str.
Minsk, 220036
T: + 375 17 367 07 90
e-mail: [email protected]
EU regulation
Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the Cnil in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.
The GDPR creates the concept of "lead supervisory authority". Where there is cross-border processing of personal data (ie, processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called "lead supervisory authority" (Article 56(1)).
However, the lead supervisory authority is required to cooperate with all other "concerned" authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).
The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.
Belgium regulation
The DPA Act establishes the Data Protection Authority as the successor of the Privacy Commission which was established under the old data protection legislation. The Data Protection Authority has the competences as set out in the GDPR whenever that competence has not been explicitly assigned to another body.
The Data Protection Act appoints three more regulatory authorities at the federal level (COC [1], Committee I [2] and Committee P [3]) with varying data protection related competences next to the general Data Protection Authority. In addition, there are also regional supervisory authorities who have been entrusted mainly with the supervision of the public authorities of the regions.
The Data Protection Authority consists of 6 Committees: the Executive Committee, the General Affairs Secretariat, the First-line Service, the Authorisation and Opinion Service (formerly ‘Knowledge Centre’), the Inspection Service and the Litigation Chamber. In the past, the composition of the Data Protection Authority has proven controversial due to the involvement of some members in government bodies. In mid-2021 the European Commission warned Belgium that it would start an infringement procedure before the EU Court of Justice if the problems regarding the Data Protection Authority’s independence were not resolved.
Therefore, a legislative proposal was introduced before the Federal Parliament at the end of 2021 to amend the DPA Act by partially reforming the rules on the composition of the Data Protection Authority; it has in the meantime been adopted. Additionally, a revocation procedure was initiated by the Belgian federal parliament in March 2022 following an audit of the Belgian Court of Auditors. The Belgian Chamber of Representatives voted to revoke the mandate of two directors of the Data Protection Authority under the so-called Article 45 procedure of the DPA Act. As the Chamber’s decision is not public, the exact allegations and reasons for revocation of the mandates are unknown. In 2023, the two mandates were reinstated and two new directors were appointed at the Data Protection Authority.
The DPA Act was reformed by the Act of 7 September 2023 [4] and the Act of 25 December 2023 [5]. This resulted in a change in the composition of the Data Protection Authority, including the presidency of the Data Protection Authority. Currently, the presidency rotates every three years between the Head of the Authorisation and Opinion Service and the Head of the General Affairs Secretariat. In the future, this rotation will be abolished, and the Head of the General Affairs Secretariat will have a non-renewable mandate as president for six years. The Data Protection Authority can now also rely on external experts for their legal, ethical, societal, technical and economic expertise. [6] These experts will be appointed by the Data Protection Authority.
The reform of the DPA Act also affected the procedural rules before the Data Protection Authority. As a result of these reforms, several provisions were transferred from the DPA Act to the Internal Rules of Procedure of the Data Protection Authority. [7]
Footnotes
1. Art. 231 Data Protection Act.
2. Art. 72 para. 2 °7 Data Protection Act.
3. Art. 26 °7, c) Data Protection Act.
4. Act of 7 September 2023.
5. Act of 25 December 2023.
6. Art. 18/1 DPA Act.
7. Internal Rules of Procedure of the Data Protection Authority.
The APDP (the Beninese data protection authority) is the regulator for data in the Republic of Benin. It is an independent administrative body with legal personality that ensures the application of the provisions of the Digital Code and the right to privacy.
The APDP’s powers and responsibilities include:
- raising public awareness of the risks, rules, and rights surrounding the processing of personal data;
- authorising or denying requests for processing;
- receiving and investigating complaints about the misuse of personal data;
- conducting necessary inspections regarding personal data processing, and obtaining all information and documents needed;
- informing data controllers of alleged violations of the law and issuing mandatory measures for remedying these violations;
- imposing administrative sanctions on data controllers in the case of noncompliance;
- informing the public prosecutor of offenses committed under the law;
- keeping a public register of personal data processing operations;
- issuing public opinions on the state of data protection law;
- proposing amendments to simplify and improve data protection legislation, where necessary; and
- cooperating with international data protection authorities to share information and assistance, as well as participating in international negotiations.
Data controllers are required to file an annual report with the APDP concerning the compliance of their processing operations.
Alexander White, a US lawyer, has been the appointed Privacy Commissioner since 20 January 2020. He is responsible for setting up the Privacy Commissioner's Office, hiring and training staff, undertaking investigations, providing reports and developing public awareness of the rights of individuals and the obligations of organisations under PIPA.
There is no dedicated Data Protection Authority. However, certain agencies, such as telecommunications or financial regulators, touch on protection of personal data within their respective sectors.
Personal Data Protection Act BES
The Personal Data Protection Committee as referred to in article 44 of Personal Data Protection Act BES.
GDPR
An independent public authority established by a Member state pursuant to article 51 of the GDPR (Article 4(21), GDPR). The authority is responsible for monitoring the application of the GDPR in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the EU.
The Personal Data Protection Agency (DPA) is the national data protection authority in BiH. The DPA is seated in:
Dubrovačka 6
Sarajevo
www.azlp.ba
The DPA remains the national data protection authority under the Draft Data Protection Law.
A body known as the Information and Data Protection Commission (“the Commission”), established under the DPA, has been formed and is the designated body tasked with data protection and with ensuring the effective application of, and compliance with, the DPA, in particular the right to protection of personal data and the rights of access, rectification, objection and cancellation of such data.
The LGPD established the National Data Protection Authority (ANPD). On October 25, 2022, Law 14,460/2022 was published, altering ANPD’s role into a special and independent autarchic regime with administrative and budgetary autonomy as opposed to linking the ANPD to the Presidency of the Republic. The ANPD is also given technical and decision-making autonomy with jurisdiction over the Brazilian territory. In addition, the ANPD will have its own appointed public attorneys, which enables the National Authority to independently take judicial measures that it deems appropriate.
The ANPD is now in operation and it is headquartered in the Federal District. Its structuring process started on August 27, 2020, with the publication of Decree No. 10,474/2020, which approved and regulated the regulatory structure of the ANPD, and its board of commissioned positions and nominated trust functions. On November 6, 2020, this Decree entered into force with the appointment of the Director-President and the members of the Board of Directors of the ANPD, after having been approved by the plenary of the Federal Senate. On March 9, 2021, the ANPD’s Internal Regulations were published, establishing the competencies and organization of the National Authority.
The ANPD is composed of:
- A Board of Directors
- A national council for Personal Data and Privacy Protection (Council)
- Bodies of direct and immediate assistance to the Board of Directors (General Secretariat, General Coordination of Administration, General Coordination of Institutional and International Relations)
- An Internal Affairs Office (inspection body)
- An ombudsman
- The Prosecution
- Its own legal advisory body, and
- Administrative and specialized units for the enforcement of the LGPD (ie, General Coordination of Standardization; General Coordination of Supervision; and General Coordination of Technology and Research)
The ANPD has the authority to issue sanctions for violations of the LGPD. This sanctions authority came into force on August 1, 2021. On October 29, 2021, the ANPD issued Regulation CD/ANPD 01/2021 for the Regulation of the Inspection Process and the Sanctioning Administrative Process, establishing the procedures regarding the supervision and enforcement of the LGPD. However, the Regulation is still pending further instructions relating to the parameters of calculation of such penalties, which are expected to be regulated by the end of 2023.
In August 2021, the President of the Republic appointed representatives of the National Council for Personal Data and Privacy Protection (Council). The Council contributes to the performance of the ANPD and has the authority to, among other things:
- Oversee the protection of personal data
- Issue regulations and procedures related to personal data protection
- Deliberate, at an administrative level, upon the interpretation of the LGPD and matters omitted from its text
- Supervise and apply sanctions in the event of data processing performed in violation of the legislation
- Implement simplified mechanisms for recording complaints about the processing of personal data in violation of the LGPD
In addition, the ANPD Council is responsible for, among other functions:
- Proposing strategic guidelines and allowance for the creation of the National Policy for the Protection of Personal Data and the operation of ANPD
- Suggesting actions to be carried out by the ANPD
- Preparing studies and conducting public debates and hearings about the protection of personal data
Since the ANPD started its operations, several actions have already been implemented to protect personal data, including:
- Determining the procedures regarding the inspection and application of administrative sanctions
- Providing specific regulation regarding small-sized data processing agents
- Publishing guidelines regarding cookie policy and banner
- Opening public consultation regarding international transfers
- Publishing guidance on reporting a security incident with personal data and its assessment to the ANPD
- Explaining the availability of a claim by the data subject against the controller
- Providing educational materials on data protection, such as (1) guidelines for defining personal data processing agents and the DPO, (2) how consumers should protect their personal data, and (3) information security for small processing agents.
However, there are still several provisions of the LGPD requiring further regulation and interpretation by the ANPD, which stakeholders should monitor for future compliance.
The supervisory authority under the DPA is the Office of the Information Commissioner.
Given the recent enactment of the DPA, the Office of the Information Commissioner has not yet been staffed.
At present nil.
It is anticipated that the PDPO will establish a national data protection authority referred to as the Responsible Authority. It is anticipated that AITI will be designated as the Responsible Authority.
EU regulation
Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is composed of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.
The GDPR creates the concept of "lead supervisory authority". Where there is cross-border processing of personal data (i.e., processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called "lead supervisory authority" (Article 56(1)).
However, the lead supervisory authority is required to cooperate with all other "concerned" authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).
The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.
Bulgaria regulation
The Bulgarian data protection authority (DPA) is the Personal Data Protection Commission (in Bulgarian: Комисия за защита на личните данни, the 'Commission').
2 Professor Tsvetan Lazarov, Sofia 1592
Bulgaria
Burkina Faso's data protection authority is the Commission de l'Informatique et des Libertés ('CIL').
The CIL draws its membership from various segments of society. It is charged with:
- making individual or regulatory decisions in cases provided for under the law;
- assisting with data processing inspections and obtaining all information and documents needed for its mission;
- issuing model rules to ensure security; and where appropriate, prescribing safety measures including the destruction of information;
- issuing enforcement notices to data controllers and sharing with the prosecutor’s office the offenses of which the body is aware;
- ensuring that the implementation of the rights of access and rectification indicated in the acts and declarations does not impede the free exercise of this law;
- receiving complaints and petitions;
- staying informed of the latest technological developments, and keeping abreast of their effects on the right to the protection of privacy, the exercise of freedoms, and the functioning of democratic institutions;
- advising individuals and organisations that use automated processing, or who carry out tests or experiments likely to lead to such processing;
- responding to requests for public opinion; and
- proposing legislation or regulations to the Government to adapt the protection of freedoms to technological evolution.
There is no national data protection authority in Burundi.
Since Cambodia does not have any dedicated laws on data protection, there are no regulatory or enforcement authorities that are specifically tasked with handling, overseeing or implementing personal data protection matters in Cambodia.
That said, the following governmental bodies may have substantial powers over data protection matters:
- the Ministry of Commerce (“MOC”);
- the Ministry of Post and Telecommunications (“MPTC”); and
- the Ministry of Interior (“MOI”).
Cameroon's data protection authority is an independent public body responsible for, among other things:
- ensuring the application of the law, the texts adopted for its application and international conventions on the subject;
- issuing the authorisations provided for in the law, together with the relevant specifications;
- drawing up, publishing and updating the reference system of technical and organisational measures for personal data;
- approving the certification mechanisms for personal data processing processes and techniques;
- dealing with complaints, petitions and claims lodged by a data subject or by a body, organisation or association and, to the extent necessary, examining or investigating the subject of said complaints, petitions or claims, and informing the author of the complaint, petition or claim of the progress and outcome of the investigation within a reasonable period of time;
- drawing up and publishing a list of countries recognised as offering a level of protection of personal data equivalent to the requirements under Cameroonian law;
- cooperating with other authorities responsible for the protection of personal data, in liaison with the administrations and structures concerned.
- Office of the Privacy Commissioner of Canada ('PIPEDA')
- Office of the Information and Privacy Commissioner of Alberta ('PIPA Alberta')
- Office of the Information and Privacy Commissioner for British Columbia ('PIPA BC'), and
- Commission d'accès à l'information du Québec (the 'CAI') ('Quebec Private Sector Act')
Other jurisdictions have their own privacy regulators that oversee provincial public-sector privacy and access to information regimes.
The national data protection authority in Cape Verde is the Comissão Nacional de Proteção de Dados Pessoais ('data protection authority').
The supervisory authority under the DPA is the Office of the Ombudsman of the Cayman Islands (the Ombudsman), who periodically issues detailed guidance on the DPA, most recently in May 2023, accessible on the Ombudsman's website at https://ombudsman.ky/data-protection.
The Ombudsman's contact details are as follows:
Office of the Ombudsman
PO Box 2252
Grand Cayman KY1-1107
Email: [email protected]
Telephone number: +1 345 946 6283
The National Data Protection Authority is the Agence Nationale de Sécurité Informatique et de Certification Électronique ("ANSICE").
ANSICE is responsible for ensuring compliance, on the national territory, with the provisions of the Act. As such, it has the power to sanction any violation of the Act.
ANSICE's main duties include:
- informing data holders and data controllers of their rights and obligations;
- receiving the formalities prior to the creation of personal data processing;
- receiving complaints, petitions and claims relating to the implementation of personal data processing and informing their authors of the follow-up given to them;
- informing the judicial authorities without delay of the offences of which it has knowledge;
- entrusting its members or agents with the task of carrying out verifications relating to any processing and, where appropriate, obtaining copies of any document or information medium useful for its mission;
- imposing sanctions on a data controller;
- keeping a directory of personal data processing at the disposal of the public;
- authorizing, under the conditions provided for in the Act, the transborder transfer of personal data.
(Article 6 of Act No. 006/PR/2015 on the creation of the National Agency for Computer Security and Electronic Certification)
In Chile, there is no specific authority dedicated to overseeing data protection matters concerning processing activities performed by private persons or entities. Law 20,285/2008 on access to public information provides that the Transparency Council (Consejo para la Transparencia, the control body that ensures compliance with that law, which grants the rights to transparency and access to information held by the state administration) shall ensure proper compliance with the data protection law by the organs of the state administration; however, the Transparency Council does not have the power to impose fines.
Since December 24, 2021, due to a provision in the newly adopted so-called Pro-Consumer Law (Law 21,398/2021), the consumer protection agency SERNAC has the competency to monitor compliance with the provisions of the data protection law in consumer matters. The SERNAC cannot impose fines but may initiate and participate in judicial proceedings and collective voluntary proceedings. This is the first time that private controllers’ processing of (consumer) personal data has been subject to regulatory control.
A special data protection authority is to be created by the above-mentioned legislative project (Bill that regulates the protection and processing of personal data and creates the Agency for the Protection of Personal Data (Bulletin 11,144-07, consolidated with Bulletin 11,092-07)). However, as noted, there is no clear timeline for when to expect this bill to pass.
The PIPL has now clarified that the Cyberspace Administration of China (CAC) is primarily responsible for the overall planning and coordination of personal information protection and related supervision. Prior to the PIPL coming into force, various other legislative and administrative authorities have also claimed jurisdiction over data protection matters, and may continue to play some form of role in the context of personal information protection, such as:
- National People's Congress Standing Committee;
- Ministry of Public Security;
- Ministry of Industry and Information Technology;
- State Administration for Market Regulation; and
- Ministry of Science and Technology.
It is also anticipated that the local Public Security Bureau branches and industry regulators will still have a role in both management and enforcement of data protection; and the TC260 technical committee will continue to have delegated responsibility to publish technical standards.
Notwithstanding the CAC's role, sector-specific regulators, such as the People's Bank of China or the China Banking and Insurance Regulatory Commission, may also monitor and enforce data protection issues of regulated institutions within their sector.
According to Law 1266, there are two different authorities on data protection and data privacy matters. The first of them, which acts as a general authority, is the Superintendent of Industry and Commerce (SIC). The second authority is the Superintendence of Finance (SOF), which acts as a supervisor of financial institutions, credit bureaus and other entities that manage financial data or credit records and verifies the enforcement of Law 1266.
Nevertheless, under Law 1581, the SIC is the highest authority regarding personal data protection and data privacy. It is empowered to investigate and impose penalties on companies for the inappropriate collection, storage, usage, transfer and elimination of personal data.
In Côte d'Ivoire, the Autorité de Régulation des Télécommunications/TIC de Côte d'Ivoire (ARTCI) is the body responsible for protecting personal data. Created by Ordinance no. 2012-293 of 21 March 2012, ARTCI performs the duties of a personal data protection authority in accordance with Law no. 2013-450 of 19 June 2013.
According to Article 47 of this law, the ARTCI's main missions in terms of personal data protection are as follows:
- Informing data subjects and data controllers of their rights and obligations
- Responding to any request for an opinion on the processing of personal data
- Drawing up internal rules specifying the rules relating to deliberations, investigation and presentation of files
- Receiving declarations and granting authorisations for the implementation of personal data processing, or withdrawing them in the cases provided for by law
- Receiving claims and complaints relating to the processing of personal data and informing the complainants of the action taken
- Informing the competent judicial authority without delay of any offences of which it becomes aware in the course of its duties
- Determining the essential guarantees and appropriate measures for the protection of personal data
- Carrying out checks on any processing of personal data by sworn officials
- Imposing administrative and financial penalties on data controllers who fail to comply with the provisions of the law
- Updating and making available to the public a directory of personal data processing operations
- Advising persons and bodies carrying out personal data processing or carrying out tests or experiments in this area
- Giving its opinion on any draft legal text relating to the protection of freedoms and privacy
- Drawing up rules of conduct relating to the processing and protection of personal data
- Participating in scientific research, training and study activities relating to the protection of personal data and, more generally, freedoms and privacy
- Authorising cross-border transfers of personal data, subject to certain conditions laid down by decree in the Council of Ministers
- Proposing legislative or regulatory measures to adapt the protection of freedoms to developments in IT processes and techniques
- Setting up cooperation mechanisms with the personal data protection authorities of other countries
- Participating in international negotiations on the protection of personal data
- Preparing and submitting an annual activity report to the President of the Republic and the President of the National Assembly
Pursuant to Law No. 8968, the Agency for the Protection of Individuals' Data (PRODHAB) is the entity charged with enforcing compliance with the Laws.
The Constitutional Court and local civil courts also have jurisdiction to hear claims alleging violations of the Laws.
EU regulation
Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is composed of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.
The GDPR creates the concept of "lead supervisory authority". Where there is cross-border processing of personal data (i.e., processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called "lead supervisory authority" (Article 56(1)).
However, the lead supervisory authority is required to cooperate with all other "concerned" authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).
The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.
Croatia regulation
The Croatian Personal Data Protection Agency (in Croatian: Agencija za zaštitu osobnih podataka).
Ministry of Communications.
National Ordinance Personal Data Protection
The Personal Data Protection Committee as referred to in article 42 of the National Ordinance Personal Data Protection.
GDPR
An independent public authority established by a Member State pursuant to Article 51 of the GDPR (Article 4(21), GDPR). The authority is responsible for monitoring the application of the GDPR in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the EU.
EU regulation
Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is composed of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.
The GDPR creates the concept of "lead supervisory authority". Where there is cross-border processing of personal data (i.e., processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called "lead supervisory authority" (Article 56(1)).
However, the lead supervisory authority is required to cooperate with all other "concerned" authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).
The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.
Cyprus regulation
The authority designated under the Law as being the local regulatory body for the purposes of the GDPR is the Commissioner for the Protection of Personal Data in Cyprus (the “Commissioner”).
The Law affords certain powers to and imposes obligations on the Commissioner which are in addition to the GDPR, including, inter alia, the following:
- Examination of complaints and providing information to the person making the complaint within 30 days of submission thereto.
- The obligation to inform the data subject, the data controller and the processor of the deadlines indicated under Articles 60-66 of the GDPR.
- The publication of a list of processing activities requiring the appointment of a data protection officer.
- To consult specialists or the police for exercising its regulatory powers under Article 58 of the GDPR.
- To enter, without giving any prior notice to the data controller or the processor or their representatives, any office, business premises or means of transport with the exception of housing premises, for inspections.
- To inform the Attorney General's Office and / or the police for breaches of the GDPR and the national law giving rise to criminal liability.
- To permit the combination of filing systems and to impose terms and conditions in relation thereto.
- To impose terms and conditions to the exemption from the obligation of the data controller to notify data subjects for breaches of personal data as provided for in Article 23 of the GDPR.
- To impose explicit restrictions on the transfer of special categories of personal data to third countries or international organizations.
Further, the Certification Body for the purposes of Article 43 of the GDPR is the Cyprus Organisation for the Promotion of Quality, which is the national accreditation organisation in Cyprus, operating under the Standardisation, Accreditation and Technical Notification Law (L156(I)/2002).
EU regulation
Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is composed of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.
The GDPR creates the concept of "lead supervisory authority". Where there is cross-border processing of personal data (i.e. processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called "lead supervisory authority" (Article 56(1)).
However, the lead supervisory authority is required to cooperate with all other "concerned" authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).
The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.
Czech Republic regulation
The Czech Republic is supervised by the Office for Personal Data Protection (UOOU).
The UOOU is the central administrative authority for the protection of personal data, which in the Czech Republic is governed by Regulation (EU) 2016/679 and Act No. 110/2019 Coll.
APD (Autorité de Protection des Données) or the authority in charge of data protection.
Article 262 of the Digital Code provides that a decree from the Prime Minister will have to establish the APD and determine its organisation, its functioning and its regulatory powers. To date, no such decree has been adopted.
A ministerial decree dated 17 August 2024, adopted by the Minister for Post, Telecommunications and Digital (PTN), has temporarily transferred the tasks of three of the regulatory bodies brought into existence by the Digital Code and to be created by Prime Minister's decree, including the APD, to the Autorité de Régulation des Postes, Télécommunications et Technologies de l'Information et de la Communication (ARPTIC). Many legal scholars and practitioners consider this transfer illegal, but it has not yet been challenged.
EU regulation
Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party), also known as the “EDPB”, is comprised of delegates from the national supervisory authorities and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.
The GDPR creates the concept of "lead supervisory authority". Where there is cross-border processing of personal data (i.e. processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called "lead supervisory authority" (Article 56(1)).
However, the lead supervisory authority is required to cooperate with all other "concerned" authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).
The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.
Denmark regulation
Datatilsynet
Carl Jacobsens Vej 35
2500 Valby
T +45 33 19 32 00
[email protected]
The Dominican Republic does not have a national data protection authority dedicated to overseeing matters related to data protection concerning processing activities performed by private persons or entities.
However, Section 29 of the DPL establishes that databases and registries, whether public or private, intended to provide credit reports (i.e. credit bureaus) are subject to the inspection and supervision of the Superintendent of Banks.
Additionally, the General Law for the Protection of Consumer or User Rights No. 358-05 determines that the National Institute for the Protection of Consumer Rights ("Pro Consumidor") is the competent authority for monitoring compliance with data protection rules in consumer matters. Pro Consumidor cannot impose fines or administrative sanctions, but users, consumers and suppliers can initiate conciliation and arbitration processes before it.
Pursuant to the provisions of Articles 76 and 77 of the Organic Law for the Protection of Personal Data, the Authority for the Protection of Personal Data will be the Superintendence of Data Protection, which once constituted will act as the control and surveillance body in charge of guaranteeing all citizens the protection of their personal data, and of carrying out all necessary actions to ensure that the principles, rights, guarantees and procedures provided for in the Law and its implementing regulations are respected.
Pursuant to Article (19) of the Law, the Personal Data Protection Centre (the "Centre") is a public economic authority that has a legal personality and is under the authority of the Minister of Communications and Information Technology. Such authority aims to protect personal data and regulate the activities of processing and granting access to such personal data. The Centre shall practice all the competences stipulated by the Law for achieving its objectives. Particularly, the Centre has the following competences:
- Setting and developing the policies, strategy plans and the programs necessary for protecting personal data and the execution thereof;
- Unifying the policies and plans for protecting and processing personal data within the Arab Republic of Egypt;
- Setting and applying the decisions, regulations, measures, procedures and criteria related to the protection of personal data;
- Setting a guidance framework for the codes of conduct related to the protection of personal data and approving the codes of conduct of different entities;
- Organizing and cooperating with all the entities, governmental and non-governmental bodies in guaranteeing personal data protection measures and connecting with all the related initiatives;
- Supporting the development of the competence of the personnel working in all governmental and non-governmental entities who are competent with the protection of personal data;
- Issuing licenses, permits, certifications and various measures related to the protection of personal data and the enforcement of the provisions of the Law;
- Accrediting the entities or individuals and granting them the required permits to provide consultation in relation to personal data protection measures;
- Receiving complaints and communications related to the provisions of the Law and issuing the necessary decisions in this regard;
- Advising on draft laws and international agreements which are related to, regulating, or affecting the personal data directly or indirectly;
- Monitoring and inspecting those subject to the provisions of the Law, and taking the necessary legal steps;
- Verifying the conditions of cross-border personal data transfer and issuing the decisions regulating the same;
- Organizing conferences, workshops, training and educational courses and issuing publications to raise awareness and to educate individuals and entities about their rights in relation to dealing with personal data;
- Providing all types of expertise and consultations related to the protection of personal data, in particular to the investigation and judicial authorities;
- Entering into agreements and memoranda of understanding, and coordination, cooperation and knowledge-exchange agreements, with international entities relevant to the Centre's work;
- Issuing circulars which update the personal data protection measures, in accordance with the activities of different sectors and with the Centre’s recommendations; and
- Preparing and issuing an annual report on the status of protection of personal data in the Arab Republic of Egypt.
The Personal Data Protection Act of April 22, 2021 created the National Authority for the Protection of Personal Data; however, that institution is not in operation, because the Act was ultimately not approved.
Some protection of data is handled by the Institute for Access to Public Information, but only with regard to data of persons who have had a direct relationship with the Government, such as current or former public employees, contractors, etc.
The Governing Data Protection Body.
EU regulation
Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is composed of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.
The GDPR creates the concept of "lead supervisory authority". Where there is cross-border processing of personal data (i.e., processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called "lead supervisory authority" (Article 56(1)).
However, the lead supervisory authority is required to cooperate with all other "concerned" authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).
The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.
Estonia regulation
The PDPA specifies that, within the meaning of Article 51(1) of the GDPR, the independent supervisory authority of Estonia shall be the Estonian Data Protection Inspectorate (DPI). The PDPA further specifies the requirements for, and the appointment of, the head of the DPI.
In addition to the tasks provided in Article 57 of the GDPR, the PDPA specifies that the DPI is competent to:
- raise awareness and understanding among the public, controllers and processors of the risks of processing personal data, the standards and safeguards applicable to processing, and the rights related to the processing of personal data; the DPI may provide indicative guidance for this task;
- provide information to the data subject, upon request, about the exercise of their rights under the PDPA and, if necessary, cooperate with the supervisory authorities of other European Union Member States for this purpose;
- initiate, where necessary, misdemeanor proceedings and impose sanctions in the event where it is not possible to achieve compliance with the requirements provided by law or GDPR with the application of other administrative measures;
- cooperate with international data protection supervisory organizations and other data protection supervisory authorities and other competent authorities and persons of foreign states;
- monitor relevant trends insofar as they affect the protection of personal data, in particular the development of information and communication technology;
- participate in the European Data Protection Board;
- apply administrative coercion to the extent and pursuant to the procedure prescribed by law;
- submit opinions to the Estonian parliament, the Government of the Republic, the Chancellor of Justice and other institutions and the public on its own initiative or upon request on issues related to the protection of personal data;
- on behalf of the Republic of Estonia, file a domestic collective representative action in a county court to protect the collective interests of data subjects, as well as a cross-border collective representative action in the court of another European Union Member State;
- perform other duties arising from law.
In addition to the rights and powers under the GDPR the PDPA specifies that the DPI has the right to:
- warn the controller and the processor that the data processing activities are likely to violate the PDPA;
- demand the rectification of personal data;
- demand the deletion of personal data;
- demand restriction of processing of personal data;
- demand the termination of the processing of personal data, including destruction or archiving;
- implement organizational, physical and informational security measures for the protection of personal data without delay, where necessary in accordance with the procedure provided for by the Substitutional Performance and Non-Compliance Levies Act, in order to prevent damage to the rights and freedoms of a person, unless personal data are processed by a public authority;
- impose a temporary or permanent restriction on the processing of personal data, including a prohibition on the processing of personal data;
- initiate state supervisory proceedings on the basis of a complaint or on its own initiative.
There is no data protection authority.
None.
None.
EU regulation
Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.
The GDPR creates the concept of "lead supervisory authority". Where there is cross-border processing of personal data (i.e. processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called "lead supervisory authority" (Article 56(1)).
However, the lead supervisory authority is required to cooperate with all other "concerned" authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).
The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.
Finland regulation
In Finland, the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) is the local supervisory authority. The Office of the Data Protection Ombudsman comprises the Data Protection Ombudsman himself, two Assistant Data Protection Ombudsmen, and various data protection experts and secretaries employed as public servants.
Post address: P.O. Box 800, 00531 Helsinki Finland
Visiting address: Lintulahdenkuja 4, 00530 Helsinki Finland
T +358 29 56 66700
The Data Protection Act specifies the Data Protection Ombudsman’s duties and rights under the GDPR regarding, for example, audits, the right to receive information and the right to impose sanctions on entities.
EU regulation
Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.
The GDPR creates the concept of "lead supervisory authority". Where there is cross-border processing of personal data (i.e. processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called "lead supervisory authority" (Article 56(1)).
However, the lead supervisory authority is required to cooperate with all other "concerned" authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).
The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.
France regulation
The « Commission Nationale de l’Informatique et des Libertés » or « CNIL » is the French supervisory authority.
Address
3 place de Fontenoy
TSA 80175
75334 Paris Cedex 07
Telephone
01 53 73 22 22
The CNIL has different missions and powers, which mainly include:
- informing data subjects and data controllers / processors (whether public or private) about their rights and obligations;
- ensuring compliance of all personal data processing with French and EU data protection rules as well as data protection rules resulting from international commitments of France;
- anticipating new challenges and issues arising from innovation and the use of new technologies, including privacy in general and ethics;
- controlling and sanctioning.
In addition, the Law provides for mutual assistance and joint operations with other EU Supervisory Authorities, as well as cooperation with non-EU supervisory authorities.
The CNIL has a range of tools to complete its missions, including, for example, the publication of reference frameworks created after consultations with the relevant stakeholders or sectors, among which are standard regulations (which are mandatory in respect of the processing of biometric, genetic, health or criminal convictions and offences data), reference methodologies in the health sector, guidelines, recommendations and standards, the approval of codes of conduct and certifications, and a broad range of on-site and off-site investigation powers and sanctions. The Law provides further detail on the functioning of the CNIL and its specific tasks and powers, notably the extent of on-site investigations and procedural requirements, in connection with the missions described above.
The Gabonese National Authority for Data Protection is the APDPVP (Authority for the Protection of Personal Data and Privacy), in accordance with Article 7 of the Personal Data Act 2023.
According to article 8 of the 2023 law on personal data, the main tasks of the Personal Data Protection and Privacy Authority (APDPVP) are to inform the persons concerned and the data controllers of their rights and obligations in terms of personal data. It is also responsible for monitoring the implementation of personal data processing and the protection of privacy.
The APDPVP's remit includes in particular:
- authorising the processing operations specified in article 80, giving an opinion on those mentioned in articles 81 and 82, and receiving declarations concerning other processing operations;
- drawing up and publishing standards and issuing model regulations to guarantee the security of systems;
- receiving claims, petitions and complaints relating to the implementation of personal data processing, and informing their authors of the action taken;
- responding to requests for advice from public authorities and the courts, while advising individuals and organisations involved in the automated processing of personal data;
- informing the Public Prosecutor of offences found to have been committed and submitting observations relating to criminal law;
- instructing its members or agents to carry out checks on personal data processing and, if necessary, obtain copies of relevant documents;
- pronouncing measures and sanctions against a controller in accordance with Articles 199 to 204;
- responding to requests for access from data subjects to the processing of their personal data;
- issuing opinions on the compliance of draft professional rules, products and procedures for the protection of personal data with the law in force;
- issuing opinions on the guarantees offered by professional rules previously recognised as complying with the law, taking into account the fundamental rights of individuals;
- issuing labels to products or procedures that comply with the law after evaluation;
- issuing opinions on draft laws or decrees relating to the protection of individuals with regard to automated processing;
- proposing legislative or regulatory measures to adapt the protection of freedoms to developments in computer processes and techniques;
- providing assistance in matters of personal data protection at the request of other bodies and administrations;
- participating, at the request of the Government, in the preparation and definition of the Gabonese position in international negotiations relating to the protection of personal data and privacy;
- being part of the Gabonese delegation to the work of the competent Community and international organisations in the field of the protection of personal data and privacy, at the request of the Government.
The national data protection authority is the Personal Data Protection Service, which is an independent state body established and operating on the basis of law. The Personal Data Protection Service is guided by the Constitution of Georgia, the international treaties of Georgia, generally recognized principles and norms of international law, the Data Protection Law and other relevant legal acts.
The principles of activities the Personal Data Protection Service adheres to are:
- legality;
- the protection of human rights and freedoms;
- independence and political neutrality;
- objectivity and impartiality;
- professionalism;
- the ensuring of secrecy and confidentiality.
The structure, the rules for activities and the distribution of powers among employees of the Personal Data Protection Service are established by the regulations of the Personal Data Protection Service, which are approved by the head of the Personal Data Protection Service. An employee of the Personal Data Protection Service (except for the head, first deputy head and the head of the Personal Data Protection Service) is regarded as a public servant. The activities of the Personal Data Protection Service are financed from the State Budget of Georgia.
The Personal Data Protection Service is independent in exercising its powers and is not subject to any body or official. Any influence on the head of the Personal Data Protection Service or the employees of the Personal Data Protection Service, and any unlawful interference in their activities, is not allowed and is punishable by law. In order to ensure the independence of the Personal Data Protection Service, the State creates appropriate conditions for its activities.
Once a year, not later than 31 March, the head of the Personal Data Protection Service submits to the Parliament of Georgia a report on the status of data protection in Georgia, the monitoring of the conduct of covert investigative actions, and the activities carried out in the electronic data identification central bank. The annual report of the Personal Data Protection Service contains information on the activities carried out by the Personal Data Protection Service in the field of data protection during the reporting period, general assessments related to the status of data protection in Georgia, conclusions and recommendations, information on significant violations identified during the year and measures taken, and general statistical information on the activities carried out in the field of monitoring the conduct of covert investigative actions. Information on the activities carried out by the Personal Data Protection Service will be made public through the website of the Personal Data Protection Service. The Personal Data Protection Service is also authorized to publish a special report at any time on its own initiative on issues related to its activities and which it considers important.
The official website of the Personal Data Protection Service can be found here.
EU regulation
Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France or the Garante in Italy). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.
The GDPR creates the concept of "lead supervisory authority". Where there is cross-border processing of personal data (i.e. processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called "lead supervisory authority" (Article 56(1)).
However, the lead supervisory authority is required to cooperate with all other "concerned" authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).
The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.
Germany regulation
Germany does not have one central supervisory authority for data protection law but authorities in each of the sixteen German federal states (Länder) that are competent for the public and the private sector in the respective state. In addition, there are different supervisory authorities for private broadcasters as well as for public broadcasters and several supervisory authorities for religious communities.
The German Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für Datenschutz und Informationsfreiheit – "BfDI") is the supervisory authority for all federal public bodies as well as for certain social security institutions; it also supervises telecommunications and postal service providers, insofar as they provide telecommunications or postal services. The BfDI represents Germany in the European Data Protection Board. To ensure that all the supervisory authorities have the same approach, a committee consisting of members of all authorities for the public and the private sector has been established – the 'Data Protection Conference' (Datenschutzkonferenz "DSK"); however, decisions of the DSK are not binding for the different authorities due to constitutional principles. The coordination mechanism between the German supervisory authorities for data protection law mirrors the consistency mechanism under the GDPR.
A list with the contact details and websites of most of the supervisory authorities can be found here.
Data Protection Commission ('Commission')
Pawpaw Street
East Legon
Accra
Ghana
GPS: GA-414-1469
P.O. Box CT7195
Accra
Ghana
Tel: +233-(0)30 2222 929
Email: [email protected]
Gibraltar’s Information Commissioner (whose functions are discharged through the Gibraltar Regulatory Authority ("GRA")) is the supervisory authority for Gibraltar for the purposes of Article 51 of the Gibraltar GDPR. Following Brexit the GRA will no longer be a competent supervisory authority for the purposes of the EU GDPR. The Gibraltar GDPR also omits Chapter 7 (Cooperation and Consistency) of the EU GDPR, on the basis that Gibraltar will not be part of the EU’s cooperation and consistency mechanisms.
The GRA's contact details are:
Information Commissioner
Gibraltar Regulatory Authority
Suite 603 Europort
Gibraltar
T 200 74636
F 200 72166
EU regulation
Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.
The GDPR creates the concept of "lead supervisory authority". Where there is cross-border processing of personal data (i.e. processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called "lead supervisory authority" (Article 56(1)).
However, the lead supervisory authority is required to cooperate with all other "concerned" authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).
The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.
Greece regulation
Hellenic Data Protection Authority (HDPA)
Kifissias 1-3
115 23 Athens
Greece
T: +30-210 6475600
F: +30-210 6475628
Email: [email protected]
The HDPA is responsible for supervising the implementation and enforcement of data protection Law in Greece.
According to Art. 46 of the Law on Access to Public Information, the competent National Data Protection Authority is the Ombudsman (Procurador de los Derechos Humanos).
Overall oversight of the implementation of the DPL 2017 is vested in the Data Protection Authority ("Authority"). The Authority delegates many of the day-to-day regulatory functions and provides governance to an independent operational body known as the Office of the Data Protection Authority ("ODPA") (formerly, the Office of the Data Protection Commissioner).
The Authority and the ODPA are also required, pursuant to The Data Protection (International Cooperation and Assistance) (Bailiwick of Guernsey) Regulations, 2018 to have regard to Articles 60 – 62 GDPR by providing mutual cooperation with other supervisory authorities relating to both the GDPR and the DPL 2017.
The Office of the Data Protection Authority
St Martin’s House
Le Bordage
St. Peter Port
Guernsey
GY1 1BR
Telephone: +44 (0) 1481 742074
E-mail: [email protected]
Article 47 of the Law on Cybersecurity and Personal Data Protection in the Republic of Guinea provides that the authority in charge of personal data protection shall be established by regulatory means. This authority has not yet been established.
Such entity does not exist yet in Haiti.
Two entities are responsible for enforcing personal data protection:
- National Civil Registry: http://www.rnp.hn
- Institute for the Access to Public Information: http://www.iaip.gob.hn
The Office of the Privacy Commissioner for Personal Data (PCPD)
Unit 1303, 13/F, Dah Sing Financial Centre
248 Queen's Road East
Wanchai
Hong Kong
Telephone: +852 2827 2827
Fax: +852 2877 7026
Email: [email protected]
Website: pcpd.org.hk
The PCPD is responsible for overseeing compliance with the Ordinance.
EU regulation
Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.
The GDPR creates the concept of "lead supervisory authority". Where there is cross-border processing of personal data (i.e. processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called "lead supervisory authority" (Article 56(1)).
However, the lead supervisory authority is required to cooperate with all other "concerned" authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).
The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.
Hungary regulation
The Hungarian Supervisory Authority is the Hungarian National Authority for Data Protection and Freedom of Information (in Hungarian: Nemzeti Adatvédelmi és Információszabadság Hatóság).
EU regulation
Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.
The GDPR creates the concept of "lead supervisory authority". Where there is cross-border processing of personal data (i.e. processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called "lead supervisory authority" (Article 56(1)).
However, the lead supervisory authority is required to cooperate with all other "concerned" authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).
The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.
Iceland regulation
The Data Protection Authority (Icelandic: ‘Persónuvernd’) is the supervisory authority in Iceland for the purposes of Article 51 of the GDPR.
Contact details:
Persónuvernd – The Icelandic Data Protection Authority
Laugarvegur 166 (4th. floor), 105 Reykjavík, Iceland.
Tel. +354 510-9600
[email protected]
www.personuvernd.is
The Board of Directors and employees of the Data Protection Authority have an obligation of confidentiality in accordance with Chapter X of the Icelandic Administrative Procedures Act no. 37/1993. The same applies to others who work on behalf of the Authority.
Data Protection Board of India
The DPDP Act provides for the establishment of a Data Protection Board of India (Board), an independent body tasked with overseeing the implementation and enforcement of the DPDP Act. The Government of India is yet to establish the Board. The Board has been envisaged as an online complaint resolution mechanism, with all its proceedings being conducted online. Once established, the Board will conduct inquiries based on complaints, address personal data breaches, and issue directions and impose penalties for non-compliance. The Board is required to scrutinize the contravention, conduct an inquiry, and communicate its decision in writing. The Draft Rules prescribe that any inquiry of the Board is required to be completed within six months of the receipt of the complaint (which may be extended by up to three months at a time by recording reasons in writing).
An appeal against any order of the Board will lie with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). Other civil courts are restricted from entertaining any suit or proceeding in respect of any matter for which the Board is empowered under the DPDP Act. Thereafter, a final appeal may be made to the Supreme Court of India. Hence, a three-tier appeal mechanism has been established under this regime.
Under the PDP Law, a separate institution / agency (the PDP Agency mentioned earlier) will be formed to specifically handle and undertake the organization of the protection of privacy / personal data. It will be tasked, among other things, with formulating policies / strategies, supervising / monitoring the implementation of the PDP Law, enforcing administrative sanctions for non-compliance with the PDP Law, and facilitating non-court dispute settlements. A presidential regulation is to be issued in respect of the PDP Agency, while the procedures for exercising the PDP Agency's authority will be set out in a government regulation; as of writing, neither has been issued.
Until a PDP Agency is formed and operating, the Ministry of Communications and Informatics of the Republic of Indonesia (MOCI) (now known as the Ministry of Communications and Digital, commonly referred to as "KOMDIGI") will largely retain authority over data privacy matters processed through electronic systems, in accordance with the General Data Protection Regulations.
However, this does not rule out possible enforcement by:
- the regulatory authority of another relevant sector (where the data controller / processor is subject to a regulated sector), which may also impose certain other administrative sanctions; for example, the FSA has the authority to act as the regulator of data privacy in the capital market sector (since 31 December 2012) and with regard to banks’ customer data privacy issues (since 31 December 2013); or
- the law enforcement agency (prosecutor) if non-compliance involves a criminal offense, which may subject the accused to imprisonment and / or fines.
There is no national data protection authority in Iran.
EU regulation
Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.
The GDPR creates the concept of "lead supervisory authority". Where there is cross-border processing of personal data (i.e. processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called "lead supervisory authority" (Article 56(1)).
However, the lead supervisory authority is required to cooperate with all other "concerned" authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).
The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.
Ireland regulation
The DP Act established the Data Protection Commission (“DPC") to act as the supervisory authority for data protection law in Ireland.
As well as supervising many domestic Irish businesses and organisations, the DPC also regulates many international and multi-national companies under the GDPR’s main establishment (or “one-stop shop”) regulatory mechanism.
The DP Act provides that the DPC can consist of up to three members. In July 2022, the Government approved the commencement of the process to appoint two additional Commissioners. In February 2024, Helen Dixon, who had served two five-year terms, was replaced by Dr. Des Hogan and Mr. Dale Sunderland as Commissioners for Data Protection. Where there is more than one Commissioner, a Chairperson is appointed. Dr. Des Hogan is the current Chairperson of the Irish Data Protection Commission.
The contact details of the DPC (or An Coimisiún um Chosaint Sonraí) are as follows:
Dublin office
21 Fitzwilliam Square South
Dublin 2, D02 RD28
Ireland
Regional office
Canal House
Station Road
Portarlington
R32 AP23 Co. Laois
Ireland
The Israel Privacy Authority ("IPA") was established in September 2006, as determined by Israel's Government decision no. 4660, dated 19.01.2006.
EU regulation
Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.
The GDPR creates the concept of "lead supervisory authority". Where there is cross-border processing of personal data (i.e. processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called "lead supervisory authority" (Article 56(1)).
However, the lead supervisory authority is required to cooperate with all other "concerned" authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).
The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.
Italy regulation
The Privacy Code provides that the supervisory authority in Italy is the Garante per la protezione dei dati personali (the “Garante”). The Garante is composed of a Council and an Office. The Council is made up of four members, two elected by the Chamber of Deputies and two by the Senate of the Republic. The members are elected amongst those who apply for this position in a selection procedure whose details are published on the websites of the Chamber of the Deputies, the Senate of the Republic and the Garante. The members elect a Chairman, in the event of parity of votes. Law Decree 139/2021 (so-called “Decreto Capienze”) introduced an important change to the number of Garante’s members, which, starting from January 1st, 2022, increases from 162 to 200 members, recruited by way of a public competition.
The PPC has been tasked with providing many of the details necessary to interpret and enforce the APPI. The PPC issues guidelines for general rules for handling Personal Information, offshore transfer, confirmation and record requirements upon provision of Personal Information to third parties and creation and handling Anonymously or Pseudonymously Processed Information. The PPC is neutral and independent, and it has the power to enforce the APPI. However, it will only have the right to perform audits and issue cease and desist orders; it will not have the power to impose administrative fines and criminal penalties.
Personal Information Protection Commission
Kasumigaseki Common Gate West Tower
32nd Floor
3-2-1 Kasumigaseki
Chiyoda-ku Tokyo 100-0013
Japan
Telephone
+81-(0)3-6457-9680
The DPAJL created a Data Protection Authority (the Authority) to oversee the DPJL. Save in respect of certain matters (in particular the issuing of a formal public statement in relation to data protection issues or the issuing of an administrative fine), its functions are delegated to the Information Commissioner.
Not applicable.
The main state authority in the field of personal data protection is the Ministry of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan (the ‘Ministry’). The Ministry:
- shapes and implements the state policy on personal data and its protection;
- develops the procedure for implementation of personal data protection measures by the owner and / or operator of a personal data database and a third party related to the owner and / or operator of a personal data database;
- develops the rules to be followed by the personal data database owner and (or) operator when determining the scope of personal data necessary and sufficient for the performance of their tasks;
- develops the procedure for determining the list of personal data necessary and sufficient for the performance of tasks by the owner and (or) operator of a personal data database;
- determines the procedure for implementation of personal data protection measures by the owner and (or) operator of a personal data database, as well as by a third party;
- reviews requests of a personal data subject or his / her legal representative on compliance of the content of personal data and methods of its processing with the purpose of its processing and makes a respective decision;
- takes measures on bringing persons who have violated personal data laws of Kazakhstan to liability in accordance with the laws of Kazakhstan;
- requests the owner and / or operator of a personal data database and a third party related to the owner and / or operator of a personal data database to clarify, block or destroy inaccurate or illegally obtained personal data;
- takes measures on improving protection of rights of personal data subjects;
- creates an advisory council on issues of personal data and its protection as well as determines the procedure for its formation and activities;
- approves the rules for collection and processing of personal data;
- approves the rules for conducting a survey in order to assess the security level when storing, processing and distributing limited access personal data contained in electronic information resources and such rules should be agreed with the National Security Committee of the Republic of Kazakhstan;
- approves the rules for the functioning of the state service for control of access to personal data;
- coordinates the integration of non-state informatization entities with the state informatization entities and (or) state legal entities, which involves personal data transfer and (or) provision of access to personal data;
- approves the rules for integration with the state service for control of access to personal data;
- exercises other powers provided by Kazakh law.
The Government of Kazakhstan develops the main directions of state policy on personal data and its protection.
In relation to personal data and its protection, state authorities (each within its competence):
- develop and / or approve regulatory acts;
- consider appeals of individuals and / or legal entities regarding personal data and protection of personal data issues;
- take measures for bringing persons who have violated personal data legislation of Kazakhstan to liability;
- exercise other powers provided for by Kazakh law.
Supervision over observance of Kazakh law in respect of personal data and its protection is carried out by the prosecution authorities of Kazakhstan.
Part II of the Act
The Act established the ODPC whose mandate includes overseeing the implementation and enforcement of the provisions of the Act. The ODPC is also tasked with the maintenance of the register of data controllers and processors, receiving and investigation of complaints under the Act and carrying out inspections of public and private entities to evaluate the processing of personal data.
The competent national data protection authority in Kosovo is the Information and Privacy Agency (“IPA”) which is established as an independent agency, responsible for the supervision of implementation of the legislation on personal data protection, as well as access to public documents, in order to protect the rights and fundamental freedoms of natural persons in relation to the personal data processing and ensuring the guarantee of access to public documents.
IPA is divided into two organisational structures, namely (Article 58 (4)):
- access to public documents;
- protection of personal data.
IPA is charged with the following tasks (Article 64 (1)):
- supervision of the implementation of the LPPD;
- advising of public and private bodies on issues related to data protection;
- informing the public on issues and developments in the area of personal data protection;
- promotion and support of fundamental rights;
- deciding on complaints submitted by the data subjects;
- advising the Assembly, the Government and other institutions and bodies on legislative and administrative measures with regards to the protection of fundamental rights and freedoms of natural persons in terms of data processing;
- carrying out inspections with regards to the implementation of the LPPD;
- on its own initiative or upon request, providing opinions for public and private bodies, as well as publishing on any issues related to personal data protection.
There is no national data protection authority in Kuwait.
The President of the Kyrgyz Republic, by Decree No. 391 dated 14 September 2021, announced the creation of the State Agency for Protection of Personal Data.
The Regulation on the Agency was adopted by Resolution No. 325 of the Cabinet of Ministers of the Kyrgyz Republic "On the State Agency for Personal Data Protection under the Cabinet of Ministers of the Kyrgyz Republic" dated December 22, 2021.
On January 10, 2022, the Agency was registered with the justice authorities.
The Agency consists of two departments:
- Department of legislative expertise of personal data;
- Department of ensuring protection and control of personal data processing.
Expert Council
In order to improve the personal data protection system within the Agency, an Expert Council was created, composed of independent experts and representatives of civil society in the field of cybersecurity and digital law.
The Regulation "On the Expert Council of the State Agency for Personal Data Protection under the Cabinet of Ministers of the Kyrgyz Republic" was approved by the Agency's Order No. 4-A dated April 22, 2022.
The purpose of the Expert Council is to make recommendations on amending the existing legislation and making proposals for the development of new normative legal acts and acts of the Agency.
The Law on Electronic Data Protection (2017) originally delegated the Ministry of Post and Telecommunications (MPT) to handle matters related to the protection of electronic data. The MPT has now been renamed Ministry of Technology and Communication (MTC) and is the main administration in charge of issues pertaining to electronic data privacy across the country. The MTC is assisted by its departments located in each of the 17 provinces that compose Laos.
In its tasks to analyze and respond to digital issues and threats, the MPT was originally assisted by the Lao Computer Emergency Response Team (LaoCERT), which was established in 2012. LaoCERT is now a Division under direct supervision of the Department of Cyber Security in the MTC and is the agency on the front lines that receives reporting of security breaches from individuals or legal entities operating in Laos and / or complaints of offenses committed online.
EU regulation
Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the Cnil in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.
The GDPR creates the concept of lead supervisory authority. Where there is cross-border processing of personal data (ie, processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called lead supervisory authority (Article 56(1)).
However, the lead supervisory authority is required to cooperate with all other concerned authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).
The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.
Latvia regulation
Under the Personal Data Processing Law, the Data State Inspectorate (DSI) has become an independent institution, although it remains supervised by the government.
In addition to the tasks provided for by the GDPR, the Personal Data Processing Law requires the DSI to perform the following tasks:
- Verifying the compliance of the processing of personal data with the requirements of regulatory enactments when the controller is prohibited by law from providing information to the data subject, after receiving a relevant application from the data subject
- Investigating administrative offenses
- Participating, in accordance with its competence, in the drafting of laws and policies, and giving an opinion on draft laws and policy planning documents prepared by other institutions
- Providing opinions on the compliance of the personal data processing systems created by state and local government institutions with the requirements of regulatory enactments
- Monitoring the circulation of information society services in relation to the personal data protection
- Monitoring the operation of credit information offices
- Issuing a license to credit information offices
- Cooperating with the supervisory authorities of foreign personal data protection, information disclosure and access control, and the prohibition of sending commercial communications
- Forwarding a data subject's request for information concerning themselves to Eurojust and Europol
- Representing Latvia in international organizations and activities in the field of data protection
- Carrying out studies, analyzing situations, making recommendations, opinions and informing the public about current issues in the areas of its competence
- Performing other tasks prescribed by regulatory enactments
There is no National Data Protection Authority in Lebanon.
The Ministry of Economy and Trade is responsible for issuing permits and licenses for the processing of personal data when required under the Law.
The Data Protection Commission (Commission).
Part 2 of the DP Act provides for the establishment of a Data Protection Commission, an independent and administrative authority established to have oversight and control over the DP Act and the respective rights of information privacy.
The powers and duties of the Commission are set out in section 8 of the DP Act.
No specific national data protection agency or authority exists in Liberia, and besides a broad statement in the Liberian Constitution that “no person shall be subjected to interference with his privacy of person, family, home or correspondence except by order of a court of competent jurisdiction”, there is no dedicated privacy law whether of person or in respect of data, not to mention any dedicated data protection authority.
Admittedly, Liberia is a signatory to the ECOWAS Supplementary Act, which requires member States, including Liberia, to establish a National Data Authority within their jurisdiction. However, Liberia has not yet established such an authority.
There is no data protection authority under Libyan law. However, through an inclusive approach involving the government, private sector, academia, and civil society organizations, the National Information Security & Safety Authority (NISSA) was established to safeguard the confidentiality, integrity, availability, and resilience of information and communication technologies (ICT) infrastructure, resources, services, and data by providing high-quality information security and safety services. It is also positioned as an authoritative source of trusted information security expertise in Libya.
Although NISSA's policies on personal data protection apply only to Libyan state entities, private entities may consider them indicators of the government's approach to data protection.
Lithuania regulation
There are two supervisory authorities in Lithuania: the State Data Protection Inspectorate and the Inspector of Journalist Ethics. The State Data Protection Inspectorate is responsible for monitoring the application of the GDPR and the Data Protection Law as well as ensuring these acts are applied, except where it is within the competence of the Journalist Ethics Officer. The Journalist Ethics Officer performs the same functions where the personal data is processed for journalistic purposes and for academic, artistic or literary expression, except for tasks and powers listed in Article 57(1) (j) to (l) and (n) to (t), Article 58(1) (b) to (c), Article 58(2) (e), (g), (h) and (j), and Article 58(3) (a), (c) and (e) to (j) of the GDPR.
In addition to the tasks established in the GDPR, the Data Protection Law authorizes the State Data Protection Inspectorate to perform the following tasks:
- To provide advice to data subjects, data controllers and processors on the protection of personal data and privacy protection, and also to develop methodological recommendations for the protection of personal data and to publish them publicly on their website
- To cooperate with personal data protection supervisory authorities of other countries, European Union institutions and international organizations and to take part in their activities
- To participate in the formation of state policy in the field of personal data protection and to implement it
- To implement the provisions of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) and its Protocols
- To perform other functions specified in the Data Protection Law and other legal acts
In addition to the powers established in the GDPR, the Data Protection Law authorizes the State Data Protection Inspectorate to:
- Receive all necessary information, copies of documents and duplicates, and copies of the data from the data controllers and data processors, state and municipal institutions and bodies, other legal and natural persons; as well as access to all data and documents which are necessary for the execution of tasks and functions of the State Data Protection Inspectorate
- During the investigation of infringements, enter the premises of the person or entity subject to the inspection and exercise similar actions with respect to related persons or entities
- Participate in meetings of the Parliament, the Government, and other state institutions when issues related to the protection of personal data or privacy are being considered
- Invite experts and consultants, form working groups on the examination of the processing or protection of personal data and the preparation of personal data protection documents, and deal with other issues which fall under the competence of the State Data Protection Inspectorate
- Provide recommendations and instructions to data controllers, data processors and other legal or natural persons regarding the processing of personal data or the protection of privacy
- Exchange information with other countries' personal data protection supervisory authorities and international organizations to the extent necessary for their functions
- Participate in court hearings when infringements of international, European Union or national law provisions on personal data protection issues are being considered
- Use technical measures during the investigation of infringements
- Receive oral and written explanations from legal entities and natural persons during infringement proceedings and demand that they attend the premises of the State Data Protection Inspectorate to provide explanations
- Use the information held by the State Data Protection Inspectorate, including personal data obtained during the investigation of infringements or received by the State Data Protection Inspectorate for other functions
- Involve police officers where violence is possible and in order to maintain public order
- Perform other functions specified in the law
More information and contact details of supervisory authorities are available at:
Luxembourg regulation
Commission Nationale pour la Protection des Données (CNPD)
15, Boulevard du Jazz, L-4370 Belvaux
T +352 26 10 60 1
F +352 26 10 60 29
The CNPD is in charge of monitoring and checking that the data are processed in accordance with the GDPR, as well as the Law of August 1, 2018 on the organization of the National Data Protection Commission, the Law of August 1, 2018 on the protection of individuals with regard to the processing of personal data in criminal matters and in matters of national security, and any applicable legislation that may include specific personal data protection provisions.
The Office for Personal Data Protection (OPDP) is the Macau regulatory authority responsible for supervising and coordinating the implementation of the Law.
The Data Protection Law provides for the creation of the Commission Malagasy sur l'Informatique et des Libertés (“CMIL”).
The CMIL was established by the adoption of Decree no. 2023-1541 dated 06 December 2023, which sets out the CMIL's mission and organisation. The representative of the National Assembly was appointed to the CMIL towards the end of 2024. However, the CMIL will not be fully operational until all its members have been appointed, namely:
- a Member of the National Assembly elected at a plenary session;
- a senator elected by the Permanent Bureau of the Senate;
- a judge from the Court of Cassation elected by his peers;
- one administrative judge from the Conseil d'Etat elected by his peers;
- a financial judge from the Cour des Comptes elected by his peers;
- a representative of the private sector, with experience in the field of information and communication technologies, appointed by the Fédération des Chambres du Commerce et de l’Industrie;
- two leading figures with expertise in information and communication technologies, appointed by the Fédération Nationale de l'ordre des ingénieurs;
- one person with particular expertise in human rights, appointed by the Commission Nationale Indépendante des Droits de l'Homme.
Pursuant to the PDPA, a Personal Data Protection Commissioner (Commissioner) has been appointed to implement the PDPA's provisions. The Commissioner will be advised by a Personal Data Protection Advisory Committee who will be appointed by the Minister, and will consist of one Chairman, three members from the public sector, and at least seven, but no more than eleven other members. The appointment of the Personal Data Protection Advisory Committee will not exceed a term of three years; however, members can be appointed for two successive terms.
The Commissioner's decisions can be appealed through the Personal Data Protection Appeal Tribunal. The following are examples of appealable decisions:
- Decisions relating to the registration of data controller under Part II Division 2 of the PDPA;
- The refusal of the Commissioner to register a code of practice under Section 23(5) of the PDPA;
- The service of an enforcement notice under Section 108 of the PDPA;
- The refusal of the Commissioner to vary or cancel an enforcement notice under Section 109 of the PDPA; or
- The refusal of the Commissioner to conduct or continue an investigation that is based on a complaint under Part VIII of the PDPA.
If a data controller is not satisfied with a decision of the Personal Data Protection Advisory Committee, the data controller may proceed to file a judicial review of the decision in the Malaysian High Courts.
Malta regulation
The Information and Data Protection Commissioner (Commissioner). Informally, the Office of the Information and Data Protection Commissioner (OIDPC).
Level 2, Airways House
Second Floor
High Street
Sliema SLM 1549
Malta
T: +356 2328 7100
F: +356 23287198
The Commissioner has the function (among others) of generally protecting individuals' data protection rights against privacy violations in personal data processing.
Under DPA 2017, the Data Protection Office (DPO) is responsible for data protection oversight. The DPO is an independent and impartial public office that is not subject to the control or direction of any person or authority. The DPO is headed by the Data Protection Commissioner (Commissioner), with the assistance of public officers as may be necessary. The contact details of the DPO are:
Data Protection Office
5th Floor, SICOM Tower
Wall Street, Ebene
Republic of Mauritius
Telephone
+230 460 0251
Fax
+230 489 7341
The National Institute of Transparency for Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) (INAI) and the Ministry of Economy (Secretaría de Economía) serve as Mexico’s data protection authorities.
The National Centre for Personal Data Protection (“NCPDP”) is the national data protection authority. The permanent headquarters of the Centre are located in Chisinau, 48, Serghei Lazo str., MD-2004, T: +37322820801, F: +37322820807, www.datepersonale.md.
The Monegasque regulator is the Commission for Control of Personal Data (Commission de Contrôle des Informations Nominatives or “CCIN”), whose composition was recently amended by Sovereign Ordinance n°8.575.
The CCIN has different missions and powers, which mainly include (i) a mission of registration and examination of cases (e.g. it receives declarations of processing, expresses advice and opinions, and issues authorizations when needed), (ii) an advisory and proposal mission (e.g. it makes proposals and recommendations to the competent authorities, informs data subjects of their rights and obligations, and publishes reports) and (iii) a mission of control and investigation.
The National Human Rights Commission, the Ministry of Digital Development, Innovation and Communications, and other relevant state authorities have various degrees of oversight of data protection under Chapter 6 of the Data Protection Law.
The Human Rights Commission is entitled to exercise the following with respect to data protection:
- Monitor the implementation of the legislation on protection of Personal Data, organise public awareness and advocacy activities and submit requirements and recommendations to relevant organisations and provide comment on the relevant regulations;
- Receive complaints and information for investigation or initiate an investigation in its sole discretion if it is considered that human rights and freedoms protected under the Data Protection Law have been infringed or potentially infringed in the course of collecting, processing, using and protecting Personal Data and submit requirements and recommendations to the relevant organisations;
- Provide requirements and recommendations to the relevant entities in the context of collecting, processing, using and protecting Sensitive Personal Data;
- Receive and review records submitted by Data Controllers regarding the violations detected during the collection, processing and use of Personal Data and the measures taken to eliminate its negative consequences, and make recommendations on further issues to be considered; and
- Make recommendations for the prevention of violations of human rights and freedoms in the collection, processing and use of information through technology without human intervention.
The Ministry of Digital Development, Innovation and Communications is entitled to exercise the following with respect to data protection:
- Maintain the implementation of legislation on protection of Personal Data, organise public awareness and advocacy activities, provide professional advice and cooperate with the relevant organisations;
- Adopt the technological safety requirement and regulations to be followed in the processing of personal sensitive, genetics and biometric data; and
- Receive and register information about security breaches and cyber-attacks on information systems intended for data collection, processing and use, and take necessary measures immediately.
In addition, other state authorities are entitled to monitor the collection, processing and use of Personal Data by Data Controllers within the scope of their functions specified under relevant laws.
The Agency for Protection of Personal Data and Free Access to Information (DPA) is the local data protection authority. The DPA is currently located at:
Bulevar revolucije 11
Podgorica
The relevant authority is the Data Protection National Commission (Commission Nationale de Protection des Données Personnelles).
There is no data protection authority in Mozambique but the National Institute of Information and Communications Technology (Instituto Nacional de Tecnologia de Informação e Comunicação – “INTIC”) has some competencies in this regard.
The Cybersecurity Bill will establish INTIC as the national cybersecurity authority, insofar as it relates to electronic communications.
None.
There is no national data protection authority in Namibia.
Not applicable.
EU regulation
Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the Cnil in France or the DPC in Ireland). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.
The GDPR creates the concept of lead supervisory authority. Where there is cross-border processing of personal data (i.e. processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called lead supervisory authority (Article 56(1)).
However, the lead supervisory authority is required to cooperate with all other concerned authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).
The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.
Netherlands regulation
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has been appointed by law as the supervisory data protection authority and supervises compliance with the GDPR and the Implementation Act.
The Dutch Data Protection Authority's contact details are as follows:
Autoriteit Persoonsgegevens
Postbus 93374
2509 AJ DEN HAAG
Telephone number
(+31) - (0)70 - 888 85 00
The Privacy Commissioner’s Office
Level 11
Grant Thornton House
215 Lambton Quay
Wellington 6011
New Zealand
Telephone
+64 9 302 8680
0800 803 909
Personal Data Protection Directorate (it has not been formally incorporated).
High Authority for the Protection of Personal Data (known by its French Acronym “HAPDP”).
Under the new Article 7 of the 2023 Act amending the 2022 Act on personal data, the HAPDP is composed of eleven members chosen for their legal and / or technical competence.
In accordance with the new Article 6 of the aforementioned law, the HAPDP is attached to the Presidency of the Republic. The HAPDP is an independent administrative authority. The HAPDP's role is to ensure that any processing of personal data is in accordance with the Law. In addition, the HAPDP's responsibilities include informing data controllers and data subjects of their rights and obligations, handling complaints, conducting audits, and sanctioning data controllers who are in breach of the Law.
Nigeria Data Protection Commission
The Nigeria Data Protection Commission (the Commission) was established under the Nigeria Data Protection Act 2023 (the Act) as the supervisory and regulatory authority for data protection in Nigeria, a function previously undertaken by the Nigeria Data Protection Bureau (NDPB). Essentially, the Commission is the successor-in-title to the duties, power and functions of the NDPB.
The Personal Data Protection Agency (“DPA”) was established in 2005 under the Law on Protection of Personal Data of 2005 as North Macedonia’s data protection authority (it was then called the Directorate for Personal Data Protection of the Republic of Macedonia; with the adoption of the DP Law it became an agency). The DPA is an independent state agency with competence to oversee the implementation of the DP Law, with its registered seat located at:
Boulevard Goce Delcev 18
1000 Skopje, Republic of North Macedonia
EU regulation
Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.
The GDPR creates the concept of "lead supervisory authority". Where there is cross-border processing of personal data (ie, processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called "lead supervisory authority" (Article 56(1)).
However, the lead supervisory authority is required to cooperate with all other "concerned" authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).
The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.
Norway regulation
The Norwegian Data Protection Authority is:
Datatilsynet
Together with the other EEA countries (Iceland and Liechtenstein), the Norwegian Data Protection Authority is a member of the EDPB for GDPR-related matters, but without voting rights and without the right to be elected as chair or vice-chair.
There is currently no authority specific to data protection in Pakistan. However, section 16(2) of PECA 2016 authorizes the Federal Investigation Agency (“FIA”) established under the Federal Investigation Agency Act, 1974, along with Pakistan Telecommunication Authority (“PTA”) established under the Pakistan Telecommunication (Re-organization) Act, 1996, to enforce PECA and to take action against unauthorized access and use of identity information. PECA 2016 also grants other powers to PTA to regulate the access, use, processing and retention of data through promulgating various rules under PECA 2016.
The PDPB provides for the creation of a National Commission for Personal Data Protection (“Commission”) within six months of the coming into force of the PDPB as law.
The Data Protection Regulations are enforced and overseen by:
Panama’s National Authority of Transparency and Access to Information (‘ANTAI’) through the Directorate for the Protection of Personal Data
(Autoridad Nacional de Transparencia y Acceso a la Información)
Del Prado Avenue, Building 713, Balboa, Ancon, Panama
T (507) 527-9270 to 74
[email protected]
The National Authority for Government Innovation
(Autoridad Nacional para la Innovación Gubernamental) in matters related to Information and Communications Technology (ICT) supporting ANTAI
61st Street and Ricardo Arango Avenue, Sucre, Arias y Reyes Building, Floor 3
Obarrio, Panama
T (507) 520-7400
[email protected]
There is no National Data Protection Authority in Paraguay.
For activities that are considered to be “electronic commerce” as provided by the Electronic Commerce Law, the national authority is the General Direction of Digital Signature and Electronic Commerce – Ministry of Industry and Commerce (“Electronic Commerce Direction”).
The Directorate for the Protection of Personal Data, which is part of the General Directorate of Transparency, Access to Public Information and Protection of Personal Data (NDPA), is the primary agency in charge of enforcing data protection matters.
The NDPA’s current address is:
Scipion Llona 350
Miraflores, L-18
Lima
Peru
The National Privacy Commission (“NPC” or Commission) is an independent body mandated to administer and implement the Act, and to monitor and ensure compliance of the country with international standards set for personal data protection. The NPC was created in 2016 and the implementing rules and regulations of the Act took effect in the same year.
EU regulation
Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.
The GDPR creates the concept of lead supervisory authority. Where there is cross-border processing of personal data (i.e. processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called lead supervisory authority (Article 56(1)).
However, the lead supervisory authority is required to cooperate with all other concerned authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).
The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.
Poland regulation
The President of the Office for Personal Data Protection.
Office of the President for Personal Data Protection
Urzad Ochrony Danych Osobowych
Stawki 2
00-193 Warsaw
Poland
Tel. +48 22 531 03 00
Fax +48 22 243 05 69
[email protected]
Helpline (in Polish only): phone no. +48 606-950-000 is open from Monday to Friday from 10 am to 2 pm.
The Office of the President is open from Monday to Friday from 8 am to 4 pm.
EU regulation
Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.
The GDPR creates the concept of lead supervisory authority. Where there is cross-border processing of personal data (ie, processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called lead supervisory authority (Article 56(1)).
However, the lead supervisory authority is required to cooperate with all other concerned authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).
The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.
Portugal regulation
Comissão Nacional de Proteção de Dados (‘National Commission for the Protection of Data’, also known as ‘CNPD’).
Av. D. Carlos I, 134 - 1.º
1200-651 Lisboa
T +351 21 392 84 00
F +351 21 397 68 32
National Cyber Governance and Assurance Affairs (NCGAA) of the National Cyber Security Agency
The Data Protection Office at the QFC Authority is the administrator of the DPL and DPR in the QFC ("DPO").
The Law provides for the creation of a national data protection Commission by a separate law. This Commission plays an important role in the Law and its application. However, we are not aware that this Commission has been established.
EU regulation
Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (similar to the CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the GDPR.
The GDPR creates the concept of "lead supervisory authority." Where there is cross-border processing of personal data (ie, processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by, and answer to, the supervisory authority for their main or single establishment, the so-called "lead supervisory authority."
However, the lead supervisory authority is required to cooperate with all other concerned authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory. The concept of lead supervisory authority is therefore of somewhat limited use to multinationals.
Romania regulation
The National Supervisory Authority For Personal Data Processing
(in Romanian 'Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal' or 'ANSPDCP')
28-30 Magheru Blvd
District 1, Bucharest
T +40 318 059 211
F +40 318 059 602
www.dataprotection.ro
Federal Service for Supervision of Communications, Information Technologies and Mass Media or, in short, Roskomnadzor (‘Agency’)
Build. 2, 7, Kitaigorodskiy proezd
Moscow, 109074
Telephone
+7 495 987 6800
Fax
+7 495 987 6801
The supervisory authority regarding Data protection is the National Cyber Security Authority (“NCSA”) (article 3, 23°).
The Saudi Authority for Data and Artificial Intelligence ("SDAIA") will be the data regulator for at least two years. During this time, consideration will be given to transferring the competence to supervise the application of the PDPL (and its Implementing Regulations) to the National Data Management Office.
The Saudi Central Bank and the CST both appear to maintain their jurisdiction to regulate data protection within their remit.
The authority responsible for data protection is the Senegalese Data Protection Authority established by Law No. 2008-12 of 25 January 2008.
The Commission for the Protection of Personal Data of Senegal (CDP) is located at 34 Sicap Mermoz VDN Lot B. 25528 Dakar, Fann.
The CDP is composed of eleven (11) members chosen for their legal and / or technical competence. They:
- Ensure that the processing of personal data is carried out in accordance with the legal provisions;
- Inform data subjects and controllers of their rights and obligations;
- Ensure that information and communication technologies (ICTs) do not threaten the freedoms and privacy of Senegalese citizens;
- Advise persons and organizations that use personal data processing or that carry out tests or experiments likely to lead to such processing;
- Publish the authorizations granted and the declarations received in the register of personal data processing, and draw up an annual activity report submitted to the President of the Republic and the President of the National Assembly.
The CDP also formulates recommendations, cooperates with the personal data protection authorities of third countries and participates in negotiations on the protection of personal data.
The Serbian data protection authority is the Commissioner for Information of Public Importance and Protection of Personal Data (Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti) (“DPA”).
It is seated at Bulevar kralja Aleksandra 15 Belgrade and its website is www.poverenik.rs.
The creation of the Office of the Data Protection Commissioner is envisaged by the Act but has not yet taken place.
Personal Data Protection Commission
Address
10 Pasir Panjang Road #03-01
Mapletree Business City
Singapore 117438
Telephone
+65 6377 3131
Fax
+65 6577 3888
National Ordinance Personal Data Protection
The Personal Data Protection Committee as referred to in article 42 of the National Ordinance Personal Data Protection.
GDPR
An independent public authority established by a Member State pursuant to Article 51 of the GDPR (Article 4(21), GDPR). The authority is responsible for monitoring the application of the GDPR in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the EU.
EU regulation
Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (similar to the CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the GDPR.
The GDPR creates the concept of "lead supervisory authority." Where there is cross-border processing of personal data (i.e. processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by, and answer to, the supervisory authority for their main or single establishment, the so-called "lead supervisory authority."
However, the lead supervisory authority is required to cooperate with all other concerned authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory. The concept of lead supervisory authority is therefore of somewhat limited use to multinationals.
Slovak Republic regulation
The Data Protection Office of the Slovak Republic (the ‘Slovak Office’) is:
Úrad na ochranu osobných údajov Slovenskej republiky (Official Slovak Name)
Hraničná 12
820 07, Bratislava 27
Slovak Republic
The Slovak Office is the supervisory authority and is responsible for overseeing the Slovak Data Protection Act and the GDPR in Slovakia.
The Slovenian Data Protection Authority (Informacijski pooblaščenec) can be contacted as follows:
Informacijski pooblaščenec
Dunajska cesta 22, 1000 Ljubljana
Slovenia / Europe
Phone number: +386 1 230 97 30
Email: [email protected]
The Information Regulator has established an Enforcement Committee and initiates investigations into various possible violations of POPIA. There is scrutiny by the Information Regulator into security compromises including the establishment of a security compromise register. These activities are in line with the powers, duties and functions of the office of the Information Regulator which include providing education regarding the protection and processing of personal information; monitoring and enforcing compliance with the provisions of POPIA; consulting with interested parties and acting as mediator; receiving, investigating and attempting to resolve complaints; issuing enforcement notices and codes of conduct; and facilitating cross-border cooperation.
The PIPC is in charge of the enforcement of the PIPA.
The PIPC shall perform the following work:
- Matters concerning the improvement of law relating to personal information protection;
- Matters concerning the establishment or execution of policies, systems or plans relating to personal information protection;
- Matters concerning investigation into infringement upon the rights of data subjects and the ensuing dispositions;
- Handling of complaints or remedial procedures relating to personal information processing and mediation of disputes over personal information;
- Exchange and cooperation with international organizations and foreign personal information protection agencies to protect personal information;
- Matters concerning the investigation and study, education and promotion of law, policies, systems and status relating to personal information protection;
- Matters concerning the support of technological development and dissemination relating to personal information protection and nurturing of experts; and
- Matters specified as the work of the PIPC by the PIPA or other statutes.
EU regulation
Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities. The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.
The GDPR creates the concept of "lead supervisory authority". Where there is cross-border processing of personal data (i.e. processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called "lead supervisory authority" (Article 56(1)).
However, the lead supervisory authority is required to cooperate with all other "concerned" authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).
The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.
Spain regulation
The Spanish competent national supervisory authority is the Agencia Española de Protección de Datos (“AEPD”), which also represents Spain on the European Data Protection Board. Regional Data Protection Commissioners do exist to supervise personal data processing by regional public authorities and other entities controlled by regional public authorities.
Contact details of the AEPD
Address
C/Jorge Juan, 6
28001 Madrid
Spain
Telephone
+34 901 100 099 /
+34 91 266 35 17
The Data Protection Authority of Sri Lanka ("Authority") is recognized as the regulator of personal data governed by the PDPA. The law provides for comprehensive objects and powers of the Authority as the regulator, which include making rules, issuing guidelines, receiving complaints, conducting inquiries, examining persons under oath, issuing directives and imposing fines in the event of non-compliance with the law.
EU regulation
Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.
The GDPR creates the concept of "lead supervisory authority". Where there is cross-border processing of personal data (i.e. processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called "lead supervisory authority" (Article 56(1)).
However, the lead supervisory authority is required to cooperate with all other "concerned" authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).
The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.
Sweden regulation
In Sweden, the Swedish Authority for Privacy Protection (Sw: Integritetsskyddsmyndigheten) is the supervisory authority.
Postal address
Box 8114
104 20 Stockholm
Sweden
Visiting address
Fleminggatan 14, 7th Floor
112 26 Stockholm
Sweden
Phone number
+46 8 657 61 00
Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1
CH - 3003 Berne Switzerland
T +41 (0)58 462 43 95
F +41 (0)58 465 99 96
Website and contact forms: https://www.edoeb.admin.ch/
The FDPIC supervises and advises federal and private bodies, comments on federal legislative projects and informs the public about its findings and rulings in cases of general interest.
Currently, the regulatory body with overall responsibility for data protection is the National Development Council ("NDC”). However, according to the May 31, 2023 amendment of the PDPA, the NDC is expected to be replaced by an independent data protection authority (i.e. the Personal Data Protection Commission). This amendment has not yet taken effect and its effective date remains uncertain as of the date of writing.
In addition, the authority with jurisdiction over the relevant data collector has primary enforcement responsibility (e.g. the Financial Supervisory Commission has primary enforcement responsibility vis-à-vis financial institutions).
The regulator is the Communication Service under the Government of the Republic of Tajikistan (hereafter 'Regulator').
Address:
57 Rudaki avenue
Dushanbe, Tajikistan
734001
Tel: +992 37 223 11 53
[email protected]
Website: khadamotialoqa.tj
The PDPA provides for establishment of the Commission which will be responsible for monitoring and implementation of the provisions of PDPA in Tanzania. The Commission is yet to be established, but its functions are currently handled under the Ministry of Information, Communication, and Information Technology.
The Personal Data Protection Committee ("Regulator") has been established to supervise compliance with the PDPA, under the supervision of the Minister of Digital Economy and Society.
None.
The Office of the Information Commissioner is responsible for the oversight, interpretation and enforcement of the DPA. It has broad authority, including to authorize the collection of personal information about an individual from third parties and to publish guidelines regarding compliance with the Act.
The National Authority for Protection of Personal Data (the Instance, or INPDP) was created by Decree No. 2007-3003 of November 27, 2007. It has several prerogatives and carries out several control operations, which are organized by Decision No. 6 of the Instance dated July 2, 2019.
Any person may file a complaint with the INPDP regarding the violation of personal data committed by any entity.
The decisions of the Instance can be appealed before the Court of Appeal of Tunis and before the Court of Cassation.
The national data protection authority is the Kisisel Verileri Koruma Kurumu (Personal Data Protection Authority). The Personal Data Protection Authority’s decision-making body is Kisisel Verileri Koruma Kurulu (Personal Data Protection Board). The organizational structure of the Authority and the duties and powers of its bodies are regulated under the Regulation on the Organization of Personal Data Protection Authority and the Regulation on the Working Procedures and Principles of Personal Data Protection Board.
Kisisel Verileri Koruma Kurumu
Nasuh Akar Mah. Ziyabey Cad. 1407. Sok. No: 4
06520 Balgat-Çankaya / Ankara
T +90 312 216 5050
There is no special national authority in the field of data protection policy.
The Commissioner of Data Protection performs his functions with the support of the Office of Data Protection. Those functions include the following:
- exercising investigative powers, where necessary;
- monitoring and enforcing the application of the DPR;
- promoting public awareness and understanding of the risks, rules, safeguards and rights in relation to Processing;
- advising and issuing opinions to the ADGM Board of Directors, Registration Authority, Financial Services Regulatory Authority, ADGM Courts, and other institutions and bodies on legislative and administrative measures relating to the protection of individuals' rights with regard to the Processing of Personal Data;
- promoting the awareness of Controllers and Processors of their obligations under the DPR. The Commissioner may also engage in outreach programmes to raise awareness and increase understanding of the DPR;
- providing the public with opportunities to provide views on the activities of the Office of Data Protection;
- handling complaints lodged by individuals, and investigating, to the extent appropriate, the complaint and informing the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation is necessary;
- cooperating with, including sharing information with and providing mutual assistance to, other data protection authorities with a view to facilitating the effective enforcement of legislation for the protection of Personal Data worldwide;
- monitoring relevant developments insofar as they have an impact on the protection of Personal Data, in particular the development of information and communication technologies and business practices;
- adopting standard contractual clauses (as per Sections 26(6) and 42(2) DPR);
- publishing and maintaining a list as to the types of Processing operations which typically require a DPIA (as per Section 34(4) DPR);
- approving codes of conduct and certification criteria (as per Sections 38(1) and 39(1) DPR);
- authorising contractual clauses and provisions referred to in Section 42(4) DPR;
- approving binding corporate rules pursuant to Section 43 DPR;
- issuing guidance and publishing standard forms (e.g. The August 2021 Guidance and the template DPIA);
- keeping records of non-compliance by those entities caught by the DPR, as well as any measures taken as a result of such non-compliance; and
- collecting data protection fees and renewal fees.
The contact details for the Office of Data Protection are as follows:
The Office of Data Protection
Authorities Building
ADGM Square
Al Maryah Island
Abu Dhabi
UAE
There is also a “Make An Enquiry” form available on the Office for Data Protection’s website.
The Commissioner of Data Protection (“Commissioner”) is essentially the regulating body in the DIFC from a data protection standpoint.
The Commissioner of Data Protection
Dubai International Financial Centre Authority
Level 14, The Gate
P.O. Box 74777
Dubai
United Arab Emirates
Tel: +971 4 362 2222
The DHCC Board of Directors and the Executive Body of the Dubai Healthcare City Authority ("DHCA") are responsible for ensuring proper administration of the HDPR and any Rules, Standards and Policies made under the HDPR.
The Centre for Healthcare Planning and Quality ("CPQ") is responsible for compliance with and enforcement of the HDPR.
Dubai Healthcare City Authority - Regulatory
Tel: +971-4-3838300
Fax: +971-4-3838300
[email protected]
At the date of writing this update the Data Office responsible for administering and enforcing the PDPL has not yet been established.
The UAE Central Bank is responsible for its Consumer Protection Regulation and Standards, the SVF Regulation and the Retail Services Regulation.
The Ministry of Health and Prevention is responsible for the ICT in Health Fields Law.
The Telecommunications and Digital Government Regulatory Authority (“TDRA”) is responsible for the regulation of its Consumer Protection Regulations.
The Personal Data Protection Office established by Section 4 of the Data Protection and Privacy Act and Regulation 3 of the Data Protection and Privacy Regulations is responsible for personal data protection. The Office operates under the National Information Technology Authority-Uganda (NITA-U) and was operationalized in August 2021.
Starting from January 1, 2014, the Ukrainian Parliament's Commissioner for Human Rights (Ombudsman) has been the state authority in charge of monitoring compliance with data protection legislation.
The Information Commissioner (whose functions are discharged through the Information Commissioner's Office ("ICO")) is the supervisory authority for the UK for the purposes of Article 51 of the UK GDPR. Following Brexit, the ICO no longer has influence or membership in the European Data Protection Board and can no longer be nominated as a lead supervisory authority under the EU GDPR regime. This is reflected in the UK GDPR which omits Chapter 7 (Cooperation and Consistency) of the EU GDPR, on the basis that the UK will not be part of the EU’s cooperation and consistency mechanisms.
The ICO's contact details are:
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
T +0303 123 1113 (or +44 1625 545745 if calling from overseas)
F 01625 524510
There is no single national authority.
With some exceptions (such as for banks, credit unions and insurance companies), the FTC has jurisdiction over most commercial entities and has authority to issue and enforce federal privacy regulations (including telemarketing, email marketing, and children's privacy) and to take enforcement action to protect consumers against unfair or deceptive trade practices, including materially unfair privacy and data security practices.
Many state attorneys general have similar enforcement authority over unfair and deceptive business practices, including failure to implement reasonable security measures and violations of consumer privacy rights that harm consumers in their states.
California
The California Attorney General and the California Privacy Protection Agency (the Agency) share authority to enforce the CCPA.
California consumers also have a private right of action under the CCPA for certain data breaches, and the CCPA provides for statutory damages.
Other State Comprehensive Privacy Laws
State Attorneys General in all the other states with comprehensive state privacy laws have authority to enforce their state comprehensive privacy laws. Additionally, in some states such as Colorado, district attorneys can enforce the law.
None of these states currently provide for a private right of action.
Washington
The Washington Attorney General has the authority to enforce the MHMD Act.
Washington residents also have a private right of action under the Act, but unlike the CCPA the MHMD Act does not provide for statutory damages, meaning plaintiffs must prove actual damages to succeed.
Sector-Specific Enforcement
In addition, a wide range of sector-specific regulators, particularly those in the healthcare, financial services, telecommunications and insurance sectors, have authority to issue and enforce privacy and security regulations, with respect to entities under their jurisdiction.
Unidad Reguladora de Control y Actos Personales (“URCDP”) (the “Data Protection Authority”).
The Law on Personal Data designates the Cabinet of Ministers of the Republic of Uzbekistan (the "Cabinet of Ministers") and State Personalization Centre under the Cabinet of Ministers (the "State Personalization Centre") as the main regulatory authorities in respect of the protection of personal data. That said, following administrative reforms, effective January 1, 2023, the State Personalization Centre was reorganised into the Personalization Agency under the Ministry of Justice of the Republic of Uzbekistan (the "Personalization Agency").
Additionally, following the latest amendments to Resolution of the Cabinet of Ministers of the Republic of Uzbekistan No. 707 “On Measures for Further Improvement of Information Security in Internet” dated September 5, 2018 (“Resolution No. 707”) adopted in pursuance of the recently introduced localization requirement, the State Inspection of the Republic of Uzbekistan on Informatization and Telecommunication was designated as a state authority empowered, inter alia, to:
- implement the state control over the activity of personal database owners and operators by monitoring their activities;
- issue notifications, instructions, as well as orders that are to be fulfilled by public authorities, individuals and / or legal entities, in order to ensure compliance with the data protection laws;
- maintain the Register of Infringers of the Rights of Personal Data Subjects.
There is no National Data Protection Authority in Venezuela.
Vietnam does not have a single national data protection authority. Instead, State management of various aspects of information and / or data protection has been assigned to a number of competent State authorities. The key State authorities in charge of information and / or data protection are the MPS, the Ministry of Information and Communications ("MIC") and the Vietnam Cybersecurity Emergency Response Teams / Coordination Center ("VNCERT/CC"), which is directly managed by the Authority of Information Security ("AIS") under the MIC. Their key roles are as follows:
- The MPS, particularly the Department for Cybersecurity and High-tech Crime Prevention and Fighting ("A05"), is responsible for supervising the processing of personal data and national cybersecurity, e.g. requesting cyberspace service providers to (i) store data and establish branches or representative offices in Vietnam (if applicable), and (ii) provide users' information to serve investigations into cybersecurity crimes. The MPS has established, and manages and operates, the National Portal on personal data protection, and is tasked with assessing the sufficiency of personal data protection by relevant agencies, organizations and individuals;
- The MIC, particularly the AIS, is responsible for management of the provision of cyberspace services (e.g. social networks, online gaming, e-commerce, etc.), such as requesting cyberspace service providers to delete illegal data uploaded on their system / network; and
- VNCERT/CC acts as the National Coordination Center for response to cybersecurity incidents and information security testing.
In addition to the above, depending on the specific industry (e.g. banking and finance; education; healthcare; natural resources and environment; culture, sports and tourism; etc.), the State management authority in charge of that industry and its IT center shall be involved in the protection of the relevant information systems.
The Office of the Data Protection Commissioner.
The Data Protection Authority (the “Authority”) is the Postal and Telecommunications Regulatory Authority of Zimbabwe. It was established by the Postal and Telecommunications Act [Chapter 12:05] and designated as the Data Protection Authority by the Act.