Data Protection in Albania

Data protection laws

On 19 December 2024, the Parliament of the Republic of Albania passed Law No. 124/2024, titled “On Personal Data Protection” (the “Data Protection Law”) (Official Gazette of the Republic of Albania No. 9, dated 17 January 2025). This legislation aims to align Albania’s legal framework with the European Union’s standards, particularly by incorporating Regulation (EU) 2016/679 (the General Data Protection Regulation, or GDPR) and Directive (EU) 2016/680, both of which address the protection of personal data in various contexts, including criminal law enforcement.

The adoption of this law marks the culmination of an extensive process, with the Office of the Information and Data Protection Commissioner pursuing the alignment of Albanian data protection laws with the GDPR since 2018.

The Data Protection Law establishes the rules for safeguarding individuals’ personal data and aims to protect fundamental human rights and freedoms, particularly the right to personal data protection.

Scope

The Data Protection Law applies when personal data are processed in whole or in part by automatic means, as well as to the processing of personal data which are part of a filing system or are intended to become part of a filing system where the processing is not carried out by automatic means; however, the law does not cover data processing by natural persons for purely personal or family purposes (Article 3).

Territorial Scope

The Data Protection Law shall apply to the processing of personal data:

  • in the framework of the activities of a controller or processor established in the Republic of Albania, regardless of whether the processing takes place in the Republic of Albania or not;
  • of data subjects who are located in the Republic of Albania, by a controller who is not established in the Republic of Albania, where the processing operations relate to:
    1. the offering of goods or services, whether for payment or not, to data subjects in the Republic of Albania; or
    2. the monitoring of the behaviour of data subjects, as long as such behaviour takes place in the Republic of Albania;
  • by a controller or processor who is not established in the Republic of Albania, but in a territory where Albanian law applies on the basis of public international law (Article 4).
Last modified 28 January 2025

Data Protection in Algeria

Law No. 18-07 of 10 June 2018 on the protection of natural persons in the processing of personal data (“Law No. 18-07”).

Last modified 20 January 2025

Data Protection in Angola

Angola regulates data privacy and protection issues under the Data Protection Law (Law no. 22/11, 17 June 2011), the Electronic Communications and Information Society Services Law (Law no. 23/11, 20 June 2011) and the Protection of Information Systems and Networks Law (Law no. 7/17, 16 February 2017).

Last modified 30 December 2021

Data Protection in Argentina

Article 43 of the Federal Constitution, third paragraph, provides, in relevant part, that any person may file an action to have access to personal data about such person and to information about the purpose for which they are kept, whether in public data registries or banks or in private data registries or banks, and to request the suppression, correction, confidentiality or updating of the data where inaccurate or discriminatory.

These provisions do not create an express constitutional right to privacy or data protection, but do create the basic framework for the protection of such right, as well as the foundation for the legislation, subsequently enacted, which regulates the details of that protection.

Law 25,326 - the Personal Data Protection Law (PDPL) includes the basic personal data rules. It follows international standards, and has been considered as granting adequate protection by the European Commission. Decree 1558 of 2001 includes regulations issued under the PDPL. Further regulations have been issued by the relevant agencies.

In November 2022, Argentina ratified Decision 108 of the Council of Europe, as amended, by means of Law 27,699.

Last modified 28 January 2025

Data Protection in Armenia

Personal Data Protection Law of 18 May 2015, No. ՀՕ-49-Ն.

Last modified 20 January 2025
Data Protection in Aruba

  • National Ordinance Person Registration (Landsverordening persoonsregistratie, National Gazette 2011, Consolidated text no. 37) (“National Ordinance Person Registration”);
  • General Data Protection Regulation (the “GDPR”) – a regulation of the European Union which became effective on May 25, 2018 – may have implications for a data controller / data processor, as the extra-territorial reach of the GDPR is relevant not only to businesses established in the European Union but also to international businesses established in Aruba which offer goods or services to individuals in the European Union or monitor their behaviour in the European Union.
Last modified 10 February 2025

Data Protection in Australia

Australia regulates data privacy and protection through a mix of Federal, State and Territory laws. The federal Privacy Act 1988 (Cth) ("Privacy Act") and the Australian Privacy Principles ("APPs") contained in the Privacy Act apply to private sector entities (including body corporates, partnerships, trusts and unincorporated associations) with an annual turnover of at least AU$3 million, and to all Commonwealth Government and Australian Capital Territory Government agencies.

Under the Privacy Act, the Information Commissioner, who leads the Office of the Australian Information Commissioner ("OAIC"), has authority to conduct investigations, including own motion investigations, to enforce the Privacy Act and seek civil penalties for breaches of the APPs where an entity has failed to implement remedial efforts.

The Privacy and Other Legislation Amendment Act 2024 (Cth) (the "Privacy Act Amendment Act"), which amends the Privacy Act, was passed in late 2024. The majority of the amendments to the Privacy Act introduced by the Privacy Act Amendment Act will commence in 2025, with a few exceptions. Key amendments in the Privacy Act Amendment Act are discussed under the relevant topics in this Guide. Additional key amendments include the introduction of:

  • a statutory tort for serious invasions of privacy, applicable (amongst other criteria) where the conduct in question was intentional or reckless;
  • a framework for a Children's Online Privacy Code to be developed by the Information Commissioner; and
  • a criminal offence for doxing.

The Privacy Act Amendment Act was passed after the Attorney General’s Department released the Privacy Act Review Report 2022 setting out 116 proposed amendments to the Privacy Act. In the Government Response to the Privacy Act Review Report released in 2023, the Australian Government “agreed” to 38 of the 116 recommended changes, “agreed in principle” to another 68 and rejected 10. Notwithstanding the passing of the Privacy Act Amendment Act, many of the "agreed in principle" changes are still outstanding and, whilst the timing for the implementation of these changes is not yet clear, the Australian Government has indicated that further reform will occur in 2025. These additional revisions are expected to result in more prescriptive and onerous requirements being imposed on organisations handling personal information of Australian residents.

The Privacy Commissioner and Freedom of Information Commissioner were each appointed in 2024. These roles were previously performed by the Information Commissioner and the Information Commissioner retains overall responsibility for all matters within the OAIC's remit, notwithstanding these appointments.

Most States and Territories in Australia (except Western Australia and South Australia) have their own data protection legislation applicable to relevant State or Territory government agencies, and private businesses that interact with State and Territory government agencies. These Acts include:

  • Information Privacy Act 2014 (Australian Capital Territory);
  • Information Act 2002 (Northern Territory);
  • Privacy and Personal Information Protection Act 1998 (New South Wales);
  • Information Privacy Act 2009 (Queensland);
  • Personal Information Protection Act 2004 (Tasmania); and
  • Privacy and Data Protection Act 2014 (Victoria).

Additionally, there are other parts of State, Territory and federal legislation that relate to data protection. For example, the following all impact privacy and data protection for specific types of data or activities: the Telecommunications Act 1997 (Cth), the Criminal Code Act 1995 (Cth), the National Health Act 1953 (Cth), the Health Records and Information Privacy Act 2002 (NSW), the Health Records Act 2001 (Vic) and the Workplace Surveillance Act 2005 (NSW).

Specific regulators have also expressed an expectation that regulated entities should have specified data protection practices in place. For example, the Australian Prudential and Regulatory Authority ("APRA"), which regulates financial services institutions, requires regulated entities to comply with Prudential Standards, including Prudential Standard CPS 234 Information Security ("CPS 234"), and the Australian Securities and Investments Commission regulates corporations more generally.

Other important privacy and data protection laws

Assistance and Access Act

The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) ("AA Act") provides law enforcement agencies with access to encrypted data for serious crime investigation and imposes obligations on "Designated Communications Providers". However, the AA Act may inadvertently have a much broader remit with limited judicial oversight, and has been the subject of much criticism from local and global technology firms which have stated the legislation has the potential to significantly impact security / encryption solutions in Australia.

The AA Act allows various agencies to do any of the following:

  • Issue a "technical assistance notice", which requires a communications provider to give assistance that is reasonable, proportionate, practicable and technically feasible;
  • Issue a "technical capability notice", which requires a communications provider to build new capabilities to assist the agency. The Attorney-General must consult with the communications provider prior to issuing the notice, and must be satisfied that the notice is reasonable, proportionate, practicable and technically feasible; and
  • Make "technical assistance requests", to give foreign and domestic communications providers and device manufacturers a legal basis to provide voluntary assistance to various Australian intelligence organizations and interception agencies relating to issues of national interest, national security and law enforcement.

Organizations to which the AA Act applies will need to ensure customer terms and conditions and any commitments made to customers generally are consistent with the AA Act.

Security of Critical Infrastructure Act

The Security of Critical Infrastructure Act 2018 (Cth) ("SOCI Act") applies to organisations that own or operate (or hold a direct interest in) assets in a range of sectors including communications, energy, defence, financial services, transport, data processing or storage, supermarket / grocery supply chains, health and medical, education and space.

Amongst other obligations, organizations to which the SOCI Act applies must:

  • Provide “operational” and ownership information to the Cyber Infrastructure Security Centre for inclusion on the Register of Critical Infrastructure Assets, in accordance with the requirements in Part 2 of the SOCI Act;
  • Notify the Australian Signals Directorate ("ASD") of actual or imminent cyber security incidents with an actual or likely relevant impact within 72 hours of the organisation becoming aware, in accordance with the requirements set out in Part 2B of the SOCI Act; and
  • Implement and comply with a "risk management program", in accordance with the requirements in Part 2A of the SOCI Act and the Security of Critical Infrastructure (Critical infrastructure risk management program) Rules (LIN 23/006) 2023.

Generally, organisations to whom the SOCI Act applies or those that provide services to relevant organisations should ensure that any terms and conditions deal with compliance with the obligations under the SOCI Act.

Consumer Data Right

The Commonwealth Government is in the implementation phases of the Consumer Data Right (“CDR”) following a number of policy reviews including the Productivity Commission's "Data Availability and Use" report and the "Review into Open Banking in Australia".

The CDR allows a consumer to obtain certain data held about that consumer by a third party and require data to be given to accredited third parties for certain purposes. By requiring businesses to provide public access to information on specified products they have on offer, it is intended that consumers' ability to compare and switch between products and services will be improved, as well as encouraging competition between service providers, which could lead to better prices for customers and more innovative products and services. In this way, the CDR provides a mechanism for accessing a broader range of information within designated sectors than is provided for by APP 12 in the Privacy Act, given it applies not only to data about individual consumers but also to business consumers and related products.

The CDR rules have been implemented in respect of the banking and energy sector in Australia. The non-bank lending sector is the next to be added to the CDR. Other sectors across the economy will be added to the CDR over time.

The CDR regime addresses competition, consumer, privacy and confidentiality issues. As such, it is regulated by the Australian Competition and Consumer Commission as well as the OAIC.

Cyber Security Act

The Cyber Security Act 2024 (Cth) ("Cyber Security Act") establishes:

  • a mandatory reporting requirement for ransomware payments – see Breach Notification section below;
  • a framework for the introduction of mandatory security standards for smart devices;
  • a Cyber Review Board, which will conduct no-fault, post incident reviews of significant cyber security incidents; and
  • a limited use exception, which prevents information which is voluntarily provided to certain Government departments from being used for enforcement purposes, and is designed to encourage enhanced cooperation between industry and Government during cyber incidents.
Last modified 20 January 2025

Data Protection in Austria

EU regulation

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A 'Regulation' (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An 'establishment' may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within the EU.


Austria regulation

In Austria, the laws concerning the implementation of the GDPR have been adopted gradually. In summer 2017, the existing Data Protection Act 2000 (Datenschutzgesetz 2000) was amended by the Data Protection Amendment Act 2018 (Datenschutz-Anpassungsgesetz 2018) which constituted the first implementation of various regulations related to GDPR, and was intended to enter into force simultaneously with GDPR. The 'Data Protection Act' (Datenschutzgesetz, DSG) has considerably amended the Data Protection Act 2000. In addition to the GDPR, it is now the central piece of legislation in Austria regulating data privacy.

The Privacy Deregulation Act 2018 (Datenschutz-Deregulierungs-Gesetz 2018) further amended the DSG. The DSG, as amended by the Privacy Deregulation Act 2018, came into force on May 25, 2018 and is now the applicable regulation in Austria. The DSG also includes the implementation of the Directive (EU) 2016/680.

In addition to the DSG, further amendments to other statutory laws were adopted in order to implement the GDPR (mostly to adapt to the terminology of the GDPR). These amendments were included in the General Data Protection Adjustment Act (Materien-Datenschutz-Anpassungsgesetz 2018) and the research-sector specific Data Protection Adjustment Act – Science and Research (Datenschutz-Anpassungsgesetz 2018 – Wissenschaft und Forschung – WFDSAG 2018). Further amendments to other laws were made by the Second General Data Protection Adjustment Act, which was passed in June 2018 and applies retroactively. Finally, ordinances were also passed regulating, respectively, the cases in which a data privacy impact assessment is obligatory (the Obligatory DPIA Ordinance - DSFA-V) and the exemptions from the obligation to conduct a data privacy impact assessment (the DPIA Exemptions Ordinance - DSFA-AV).

Last modified 20 January 2025

Data Protection in Azerbaijan

Law on Personal Information dated 11 May 2010.

Last modified 15 February 2022

Data Protection in The Bahamas

Data Protection (Privacy of Personal Information) Act (“DPA”).

Note that in October 2023, the Governor General of The Bahamas, in the customary Speech from the Throne meant to present the Government of The Bahamas’ legislative and policy agenda, declared the government’s intention to enact new data protection legislation. As of January 2024, there has been no formal disclosure of specific details about the extent of reform that may be seen or a timeline for which a Bill may be laid before Parliament.

Last modified 28 January 2025

Data Protection in Bahrain

Bahrain enacted Law No. 30 of 2018 with respect to Personal Data Protection ("PDPL") on July 12, 2018. The PDPL is the main data protection regulation in Bahrain. The PDPL came into force on August 1, 2019, and supersedes any law with contradictory provisions. On March 17, 2022, the Personal Data Protection Authority ("Authority") issued 10 ministerial resolutions supplementing the PDPL ("Resolutions"). The Resolutions cover the following:

  1. duties of the Data Protection Officer and related fees;
  2. technical and organisational measures;
  3. notification procedures;
  4. rules regarding data processing;
  5. rules regarding processing of sensitive personal data;
  6. rules regarding data subject rights;
  7. rules regarding how public registers must treat personal data;
  8. rules regarding data relating to criminal proceedings;
  9. rules regarding making complaints to the Authority; and
  10. rules regarding the transfer of personal data outside Bahrain.
Last modified 20 January 2025

Data Protection in Bangladesh

Cyber Security Act 2023 (CA 2023).

Last modified 3 January 2024

Data Protection in Barbados

The Data Protection Act (the "Act") was passed on August 12, 2019, and came into force in March 2021. Some provisions of the Act are yet to be proclaimed. The purpose of the Act is to regulate the collection, keeping, processing, use and dissemination of personal data and to protect the privacy of individuals in relation to their personal data.

Last modified 28 January 2024

Data Protection in Belarus

The fundamental legal act regulating personal data protection in Belarus is the Law on Personal Data Protection of 7 May 2021 No. 99-Z, which entered into force on 15 November 2021 (Data Protection Law). It is the first Belarusian legal act intended specifically for the regulation of personal data protection issues.

It is also worth taking into consideration the acts implemented within the framework of the Eurasian Economic Union (EEU), e.g. the Protocol on Information and Communication Technologies and Informational Interaction within the Eurasian Economic Union, Annex 3 to the Treaty on the Eurasian Economic Union of 29 May 2014. Following the Decision of the Supreme Eurasian Economic Council of 11 October 2017, the member states of the EEU are planning to develop the initiative on the conclusion of the Agreement on Data Circulation within the Union (including on personal data protection). The initiative is one of the measures aimed at implementation of the Main Directions for Implementation of the Digital Agenda of the Eurasian Economic Union until 2025.

Last modified 20 January 2025

Data Protection in Belgium

The GDPR has been integrated in Belgium through a few laws. The 'Data Protection Act' of July 30, 2018 provides for the implementation of some of the GDPR provisions open to further definition, derogation or additional requirements. It also includes the transposition of Directive 2016/680 regarding the processing of personal data in the criminal justice chain and the establishment of a control body on police information (called 'COC'). Additionally, it regulates the authorities outside the scope of EU law (including intelligence and security services). The Data Protection Act was amended several times in 2024 to update the rules for the authorities outside the scope of EU law. [2]

The Belgian Data Protection Authority, the successor of the Belgian Privacy Commission, was established by the Belgian Federal Chamber of Representatives by the Act of December 3, 2017 ("DPA Act"). [3] Several other laws have also been adapted to align them with the GDPR (e.g. the Video Surveillance Act).

The DPA Act was amended by the Act of 7 September 2023 [4] and the Act of 25 December 2023 [5], in order to strengthen the functioning, the independence, the pragmatic approach and the sectoral expertise of the Belgian Data Protection Authority. The legislative reforms included changes with regard to the composition of the Data Protection Authority and the rules of procedure for cases before the Data Protection Authority. As a result, several provisions were transferred from the DPA Act to the Internal Rules of Procedure of the Data Protection Authority. [6]

The Belgian Constitutional Court ruled that the provisions regarding the language of the proceedings are unconstitutional. [7] Article 57 of the DPA Act allows the Belgian Data Protection Authority to decide on the language of the proceedings. However, Article 30 of the Belgian Constitution gives this right to the Belgian Parliament for acts of public authority and judicial matters. Therefore, a change to Article 57 of the DPA Act is expected.

Footnotes

1. See Data Protection Act.
2. See Act of 29 March 2024, Act of 29 March 2024, Act of 15 May 2024, Act of 16 May 2024 and Act of 2 June 2024.
3. See DPA Act.
4. Act of 7 September 2023.
5. Act of 25 December 2023.
6. Internal Rules of Procedure of the Data Protection Authority.
7. Belgian Constitutional Court, 28 November 2024, no. 144/2024.

Last modified 31 December 2024

Data Protection in Benin

The data protection regime in Benin is governed by two pieces of legislation, namely Law No. 2017-20 of April 20, 2018 on the digital code, as amended by Law No. 2020-35 of 06 January 2021, and Law No. 2009-09 of May 22, 2009 Dealing with the Protection of Personally Identifiable Information.

The Law on the digital code deals with the collection, treatment, transmission, storage, and use of personal data by a person, the state, local authorities, and legal persons, as well as automated processing and non-automated processing of personal data contained in files, or any processing of data for public security, defense, research, prosecution of criminal offenses, or the security and essential interests of the state.

By contrast, the Law on the Protection of Personally Identifiable Information relates to the digital processing of personally identifiable information in digital or manual files, as well as personal identification mechanisms based on nominative, personal and biometric information processed alongside a national ID number.

Last modified 20 January 2025

Data Protection in Bermuda

The Bermuda legislature passed a comprehensive legislative framework that specifically addresses issues of data protection in the form of the Personal Information Protection Act 2016 (PIPA). The principal provisions of PIPA came into force on 1 January 2025.

Apart from PIPA, Bermuda law recognizes a duty of confidentiality in certain circumstances under the common law.

Last modified 28 January 2024
Data Protection in Bolivia

  • The Political Constitution of the Plurinational State of Bolivia, Article Nº130

Any individual or collective person who believes they are unduly or illegally prevented from knowing, objecting to, or obtaining the deletion or rectification of data registered by any physical, electronic, magnetic or computer means, in public or private files or databases, or whose fundamental right to personal or family privacy, or to their own image, honour and reputation, is affected, may file a Private Protection Action.

  • Supreme Decree No. 1391

This Supreme Decree requires obtaining the express and written consent of users for any kind of use of their personal data.

Last modified 24 January 2022
Data Protection in Bonaire, Sint Eustatius and Saba

  • Personal Data Protection Act BES (Wet bescherming persoonsgegevens BES) (“Personal Data Protection Act BES”);
  • General Data Protection Regulation (the “GDPR”) – a regulation of the European Union which became effective on May 25, 2018.
Last modified 10 February 2025

Data Protection in Bosnia and Herzegovina

The Law on Protection of Personal Data ('Official Gazette of BIH', nos. 49/06, 76/11 and 89/11) (DP Law) is the governing law regulating data protection issues in Bosnia and Herzegovina (BiH). The DP Law came into force on July 4, 2006 and was amended on October 3, 2011.

Due to the deficiencies and non-alignment of the DP Law with the GDPR, in 2018 the competent authorities initiated the procedure for adoption of a new, GDPR-compliant data protection law in BiH. According to publicly available information, the draft of the new data protection law (Draft Data Protection Law) was forwarded to the BiH Ministry of Civil Affairs and the adoption procedure before the BiH Parliament should have been initiated. However, due to the complex political situation, the Draft Data Protection Law has not been adopted to date. Nevertheless, we expect the Draft Data Protection Law to be adopted in its current text within the following year.

Last modified 20 January 2025

Data Protection in Botswana

The Data Protection Act – Act No. 18 of 2024 (“the DPA”) is an Act which was assented to by Parliament on 19 August 2024 and came into effect on 29 October 2024.

The DPA regulates the protection of personal data and ensures that the privacy of individuals in relation to their personal data is maintained.

Last modified 20 January 2025

Data Protection in Brazil

In force since September 18, 2020, the Brazilian General Data Protection Law (LGPD) is Brazil’s first comprehensive data protection regulation, and it broadly aligns with the EU General Data Protection Regulation (GDPR).

The LGPD applies to any processing operation carried out by a natural person or a legal entity (of public or private law), irrespective of (1) the means used for the processing, (2) the country in which its headquarters are located, or (3) the country where the data are located, provided that:

  • The processing operation is carried out in Brazil;
  • The purpose of the processing activity is to offer or provide goods or services, or the processing of data of individuals located in Brazil; or
  • The personal data was collected in Brazil.

On the other hand, the law does not apply to the processing of personal data that is:

  • Carried out by a natural person exclusively for private and non-economic purposes;
  • Performed for journalistic, artistic, or academic purposes;
  • Carried out for purposes of public safety, national security, and defense or activities of investigation and prosecution of criminal offenses (which will be the subject of a specific law);
  • Originated outside the Brazilian territory and is not the object of communication; or
  • Shared use of data with Brazilian processing agents, or the object of an international transfer of data to a country other than the country of origin, provided that the country of origin offers a level of personal data protection adequate to that established in Brazilian law.

In addition, on October 20, 2021, the Brazilian Senate unanimously approved the Proposed Amendment to the Constitution (“PEC”) no. 17/2019, which includes in the Federal Constitution the protection of personal data, including in digital media, as a fundamental right, and reserves to the Union (federal government) the exclusive responsibility to legislate on this subject. As of February 10, 2022, data protection is encompassed by the Federal Constitution as a fundamental right.

Last modified 28 January 2024

Data Protection in the British Virgin Islands

The British Virgin Islands' Data Protection Act, 2021 (DPA) came into force on 9 July 2021.

The DPA is the primary legislation and the first legislative framework of its kind in the British Virgin Islands to govern how public and private bodies may process personal data. The law strives to promote transparency and accountability, bringing the British Virgin Islands in line with the UK and EU data protection standards.

Last modified 28 January 2025

Data Protection in Brunei

At present there are no statutory or common law obligations that protect the privacy of information from which an individual can be directly or indirectly identified, save in respect of the banker-customer relationship, where banks are under a legal duty to keep customer information confidential.

However, with the publication of the Public Consultation Paper on Personal Data Protection for the Private Sector in Brunei Darussalam by the Authority for Info-communications Technology Industry of Brunei Darussalam (AITI) on 20 May 2021 and the Response to Feedback on Public Consultation Paper on Personal Data Protection for the Private Sector published on 3 December 2021 (together, the Public Consultation Paper), it is anticipated that the Personal Data Protection Order (PDPO) will be enacted and come into force in the near future. Based on the Public Consultation Paper, which sets out in general terms the data protection framework under the PDPO, it is anticipated that the PDPO will introduce obligations on the part of private sector organizations with respect to the collection, use, disclosure or other processing of individuals' personal data, and rights of individuals in relation to the processing of their personal data.

Last modified 3 January 2024

Data Protection in Bulgaria

EU regulation

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A 'Regulation' (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An 'establishment' may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within the EU.


Bulgaria regulation

Bulgaria implemented the EU Data Protection Directive 95/46/EC with the Personal Data Protection Act (In Bulgarian: Закон за защита на личните данни), promulgated in the State Gazette No. 1 of January 4, 2002, as amended periodically (Act). The Act came into force on January 1, 2002.

In view of the entry into force of Regulation (EU) 2016/679 (General Data Protection Regulation – 'GDPR'), the Personal Data Protection Act was amended by a law for amendment and supplementation which was promulgated in the State Gazette No. 17 of February 26, 2019.

The Personal Data Protection Act as amended (hereinafter referred to as the 'Personal Data Protection Act') serves a twofold purpose – it effectively implements the GDPR into national legislation and also transposes Directive (EU) 2016/680 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.

The Personal Data Protection Act complements the GDPR by regulating matters in the field of personal data processing that have not been explicitly covered by the GDPR, or where the GDPR has left room for the exercise of legislative discretion. As the regulation has direct effect and is applicable in all EU Member States without the need to adopt a designated legislative act, the Bulgarian legislator has adopted the approach of directly referring to and implementing the GDPR without repeating the core provisions of the regulation in the Personal Data Protection Act.

Under the Personal Data Protection Act the role of supervisory authority is shared between the Commission for Personal Data Protection and the Inspectorate to the Supreme Judicial Council, the latter having competence only with regard to data processing by courts, prosecution offices and criminal investigative bodies in their capacity as judicial authorities. The Personal Data Protection Act further regulates the legal remedies in cases of violation of personal data law, the accreditation and certification in the field of personal data protection, the administrative liability and the administrative measures in cases of violations of its provisions.

Pursuant to an amendment in the Personal Data Protection Act which came into force in May 2023, the Commission for Personal Data Protection was also designated as the competent controlling body under the Bulgarian Whistleblower Protection Act.

Last modified 27 December 2024

The data protection regime in Burkina Faso is governed by the following laws and regulations:

  • Law No. 001-2021 of March 30, 2021 on the protection of persons with regard to the processing of personal data;
  • Law 010-2004/AN on the protection of personal data;
  • Decree No. 2007-283/PRES/PM/MPDH of 18 May 2007 regarding the organisation and functioning of the Commission de l'Informatique et des Libertés;
  • Decree No. 2007-757/PRES/PM/MPDH/MEF appointing the members of the Commission de l'Informatique et des Libertés; and
  • Order No. 2008/001/CIL fixing the internal regulations of the Commission de l'Informatique et des Libertés.

Burkina Faso also adopted, on 22 November 2013, the Marrakech resolution issued by the French-speaking association of data protection authorities relating to the procedure for the supervision of personal data transfers in the French-speaking world by means of binding corporate rules.

Last modified 20 January 2025

Burundi does not have a law that specifically regulates personal data protection. However, several laws and regulations currently in force contain data protection provisions or impose confidentiality obligations on specific types of personal information. For example, employment, banking, telecommunications and health sector laws impose some data protection requirements. Such provisions generally require covered entities to maintain the confidentiality of personal information.

  • Article 2, point 8 of Law No. 1/10 of March 16, 2022 on the Prevention and Repression of Cybercriminality in Burundi defines personal data as any information of any kind, regardless of medium, including sound and image, relating to an identified or identifiable natural person, directly or indirectly, by reference to an identification number or to one or more factors specific to his or her physical, physiological, genetic, mental, cultural, social or economic identity. This law provides for sanctions against individuals (Articles 61, 62, 63) and service providers or any network operator (Articles 14, 15);
  • Under Law No. 1/07 of March 12, 2020 amending Law No. 1/012 of May 30, 2018 on the Code of Health Care and Health Services Provision in Burundi, healthcare institutions are required to maintain the confidentiality of patient information, unless confidentiality is waived in cases provided for by law;
  • Law No. 1/17 of August 22, 2017 governing banking activities: Article 133 imposes confidentiality obligations on customer and account information. This article provides that any person who contributes to the operation, control or supervision of a banking institution is bound to professional secrecy. Violations are enforced under penal code provisions without prejudice to disciplinary proceedings;
  • Under Law No. 1/11 of November 24, 2020 revising Decree-Law No. 1/037 of 07/07/1993 revising the labor code of Burundi, labor and social security inspectors, their agents, as well as persons having participated in any capacity whatsoever in any controls, examinations or investigations in collaboration with the labor and social security inspector are bound by professional secrecy (Article 430);
  • Several Ministerial Orders applicable to the telecommunications sector have been adopted to protect the privacy of, and restrict access to and interception of, the contents of communications (Legislative Decree No. 100/153 of June 17, 2013 on the Regulation of the Control and Taxation System for International Telephone Communications entering Burundi; Decree-Law No. 100/112 of April 5, 2012 on the Reorganization and Operation of the Telecommunications Regulatory and Control Agency 'ARCT'; Ministerial Ordinance No. 730/1056 of November 7, 2007 on the interconnection of telecommunications networks and services opened to the public).

Last modified 17 January 2024

The Ministry of Post and Telecommunications (MPTC) announced on 19 February 2021 its intention to prepare a comprehensive personal data protection law after finalizing the draft cybersecurity law.

On 22 December 2021, the Royal Government of Cambodia issued Sub-Decree No. 252 on the Management, Use, and Protection of Personal Identification Data (only available in Khmer) (Sub-Decree 252) in order to promote broad policy objectives, such as:

  • ensuring the protection of peace and order;  
  • serving the public interest; and
  • promoting national development by improving the provision of services.

However, Sub-Decree 252 only applies to "personal identification data" owned by the Ministry of Interior (MOI) and does not apply to personal identification data used by other entities.

In September 2023, the MPTC made available to select private organizations and companies a Draft Law on Personal Data Protection for their review and comment. However, it had not been made available to the public at the time of writing. Therefore, the information provided regarding the data protection law should be used as a reference and not considered final, as the draft law has not been officially released to the public. The Draft Law on Personal Data Protection establishes rules, principles, and mechanisms to govern the collection, use, and disclosure of personal data. Its main objective is to safeguard the privacy rights of individuals and encourage the lawful and responsible use of personal data.

The E-Commerce Law contains provisions for the protection of consumer data that has been gathered over the course of electronic communications. The E-Commerce Law is thereby restricted in scope to virtual and/or digital data protection.

Other matters pertaining to data protection typically fall under the right to privacy, which is protected in broad terms under the Constitution of the Kingdom of Cambodia 2010, the Civil Code of the Kingdom of Cambodia 2007, the Criminal Code of the Kingdom of Cambodia 2009, the Code of Criminal Procedure of the Kingdom of Cambodia 2010, and other specific laws such as the Banking Law.

Last modified 20 January 2025

The data protection regime in Cameroon is governed by the following laws and regulations:

  • Law No. 2024/017 of 23 December 2024 on the protection of personal data
  • Law N°2010/013 of 21 December 2010 governing electronic communications in Cameroon
  • Law No. 2010/012 of 21 December 2010 on cybersecurity and cybercrime in Cameroon
  • Law N°2016/007 of 12 July 2016 on the Criminal Code
  • Law No 2010/021 of 21 December 2010 on electronic commerce in Cameroon
  • Framework Law N° 2011/012 of 06 May 2011 on Consumer Protection in Cameroon
  • Decree N° 2011/1521/PM of 11 June 2011 laying down the implementing provisions of Law No 2010/021 of 21 December 2010 on electronic commerce in Cameroon
  • Decree No. 2019/150 of 22 March 2019 on the Organisation and Functioning of the National Information and Communication Technology Agency (ANTIC)
  • Regulation No. 03/16-CEMAC-UMAC-CMAC-CM of 21 December 2016 on Systems, Means and Incidents of Payment
  • Law No. 2023/009 of 25 July 2023 on the Charter for the Protection of Children Online in Cameroon
  • Draft Decree No. laying down the implementing provisions of the Data Protection Act in Cameroon

Last modified 6 January 2025

In Canada there are at least 29 federal, provincial and territorial privacy statutes (excluding statutory torts, privacy requirements under other legislation, federal anti-spam legislation, criminal code provisions etc.) that govern the protection of personal information in the private, public and health sectors. Although each statute varies in scope, substantive requirements, remedies and enforcement provisions, they all set out a comprehensive regime for the collection, use and disclosure of personal information.

The summary below focuses on Canada’s private sector privacy statutes:

  • Personal Information Protection and Electronic Documents Act ('PIPEDA')
  • Personal Information Protection Act (Alberta) ('PIPA Alberta')
  • Personal Information Protection Act (British Columbia) ('PIPA BC')
  • Act Respecting the Protection of Personal Information in the Private Sector ('Quebec Private Sector Act'), (collectively, 'Canadian Privacy Statutes')

On June 16, 2022, the federal Government introduced Bill C-27, a wide-reaching piece of legislation intended to modernize and strengthen privacy protection for Canadian consumers and provide clear rules for private-sector organizations. It was the second attempt to modernize federal private-sector privacy legislation, after a previous proposal died on the order paper in 2021. On January 6, 2025, Parliament was prorogued and, as a result, Bill C-27 died on the order paper. Bill C-27 would have replaced PIPEDA with legislation specific to consumer privacy rights and electronic documents. Bill C-27 would have also introduced the Artificial Intelligence and Data Act, which aimed to create rules around the deployment of AI technologies. This means that Canada’s federal privacy regime will remain as-is for the foreseeable future without the modernizations or improvements to PIPEDA that were anticipated in 2025 or the anticipated broad-based federal AI regulation. Parliament is now prorogued until March 24, 2025 and it is unclear what legislative agenda will be implemented when Parliament resumes.

PIPEDA applies to all of the following:

  • Consumer and employee personal information practices of organizations that are deemed to be a ‘federal work, undertaking or business’ (eg, banks, telecommunications companies, airlines, railways, and other interprovincial undertakings)
  • Organizations who collect, use and disclose personal information in the course of a commercial activity which takes place within a province, unless the province has enacted ‘substantially similar’ legislation (PIPA BC, PIPA Alberta and the Quebec Private Sector Act have been deemed ‘substantially similar’)
  • Interprovincial and international collection, use and disclosure of personal information in connection with commercial activity

PIPA BC, PIPA Alberta and the Quebec Private Sector Act apply to both consumer and employee personal information practices of organizations within BC, Alberta and Quebec, respectively, that are not otherwise governed by PIPEDA. In Ontario, amendments have been made to the Ontario Employment Standards Act, 2000 that impose notice obligations related to employee monitoring, although the full range of privacy rights and obligations available in the Canadian Privacy Statutes has not been imported into the Employment Standards Act.

Quebec recently enacted a major reform of its privacy legislation with the adoption of Bill 64 on September 22, 2021, which resulted in the coming into force of several key modifications over the course of several years, with the final amendments having come into effect on September 22, 2024. With Bill 64’s changes, Quebec now has in place a sophisticated legal framework for privacy and data protection that resembles the European GDPR in several key areas.

Last modified 26 January 2023

Data Protection Law (Law 133/V/2001, as amended by Law 41/VIII/2013 and Law 121/IX/2021 of 17 March 2021) and Law 132/V/2001 of 22 January 2001.

Last modified 16 January 2025

The Data Protection Act (2021 revision) (DPA) is a Cayman Islands law, which first came into force on 30 September 2019. The DPA introduced the first legislative framework on data protection in the Cayman Islands.

Application

The application of the DPA turns on whether an organization is established in the Cayman Islands or has personal data processed in the Cayman Islands. Specifically, the DPA applies to a data controller in respect of personal data only if:

  • the data controller is established in the Cayman Islands and the personal data are processed in the context of that establishment; or
  • the data controller is not established in the Cayman Islands, but the personal data are processed in the Cayman Islands other than for the purposes of transit of the data through the Cayman Islands.

For these purposes, 'established in the Cayman Islands' means:

  • a body incorporated, or a partnership or other unincorporated association formed, under the laws of the Cayman Islands;
  • a body registered as a foreign company under the laws of the Cayman Islands;
  • an individual who is ordinarily resident in the Cayman Islands; or
  • any other person who maintains (i) an office, branch or agency in the Cayman Islands through which the person carries on any activity; or (ii) a regular practice in the Cayman Islands.

A data controller not established in the Cayman Islands that processes personal data in the Cayman Islands is required to appoint a local representative established in the Cayman Islands who, for all purposes within the Cayman Islands, is the data controller and bears all obligations under the DPA as if it were the data controller.

Last modified 28 January 2025

The data protection regime in Chad is mainly governed by the following laws and regulations: 

  • Act No. 007/PR/2015 of February 10, 2015, on Personal Data protection (‘The Act’);
  • Decree No. 075/PR/2019 of January 21, 2019 implementing the provisions of application of the Act N°007/PR/2015 of February 10, 2015 on the protection of personal data;
  • Act No. 006/PR/2015 on the creation of the National Agency for Computer Security and Electronic Certification;
  • Act No. 008/PR/2015 on electronic transactions;
  • Act No. 001/PR/2017 on the Criminal Code; and
  • Decree N°1619/PR/2019 rectifying the provisions of article 5 of decree N°075/PR/2019 of 21 January 2019 on the protection of personal data.

Last modified 6 January 2025

Protection of Personal Data is regulated under various laws in Chile.

Constitution of the Republic of Chile, Art. 19 N° 4

The Chilean constitution establishes the individual’s right to (i) respect and protection of private life, (ii) honor of the person and his/her family, and (iii) protection of his/her personal data. Any individual who, as a result of an arbitrary or illegal act or omission, suffers a “privation, disturbance or threat” to these rights may file a Constitutional Protective Action (“Recurso de protección”).

Law 19,628/1999 'On the protection of private life', commonly referred to as 'Personal Data Protection Law' (hereinafter, the 'PDPL')

The PDPL generally defines and regulates the processing of personal data in public and private databases and is thus the primary body of rules on the processing of personal data not governed by sectoral provisions (for example contained in the laws mentioned below).

Generally, the PDPL stipulates that personal data may only be processed if the processing is (i) permitted by law (eg, labor law, health care law, etc.) or (ii) based on the data subject’s prior informed, written consent. There are only a few narrow exceptions to this principle (eg, certain publicly accessible data, or purely internal data processing for certain purposes). In addition, the PDPL contains special regulations on the processing of personal data relating to economic, banking, and financial obligations.

The PDPL also grants data subjects the right to access, rectify, delete, block and object to the processing of their personal data in certain cases.

Decree with Force of Law N° 3/1997, 'General Law of Banks'

Article 154 of this law establishes the confidentiality of an individual’s transactions with and through banks. The law distinguishes transactions covered by secrecy, which in principle are subject to an absolute prohibition of disclosure, and transactions covered by reserve, which may only be disclosed where a legitimate interest exists and if it cannot be foreseen that the knowledge of the disclosed data may cause financial damage to the customer.

Law 20,575/2012 establishing the 'purpose principle' for the processing of personal data of an economic, financial, banking or commercial nature

This law establishes several rules that apply to the processing of personal data referring to financial, economic, banking or commercial information, such as:

  • Limited disclosures: Such data shall only be communicated to established commercial entities for the purpose of a commercial risk assessment in a credit granting process, and to entities that take part in this evaluation.
  • Prohibition on requesting such type of data in the context of processes for personnel selection, pre-school, school or higher education admission, emergency medical care or application for public office.
  • Providers of economic, financial, banking or commercial databases must have a system for recording the name of any person requesting database information, the reason, date and time of the request and the person responsible for delivering or transferring the information. Data subjects have the right to request access to their commercial information every four months and free of charge.
  • Providers of the database must implement the principles of legitimacy, access and objection, data quality, purpose, proportionality, transparency, non-discrimination, use limitation and security in personal data processing, and designate a contact person for data subjects.

Law 19,223/1993 regulating certain computer crimes

This law establishes criminal sanctions for certain specific conduct related to the theft, destruction, obstruction, modification and illegal access and disclosure of information contained in data processing systems. It does not, however, refer specifically to personal data. 

Law 20,584/2012 regulating the rights and duties of individuals in the context of healthcare

This law sets forth that all information contained in patient files or documentation of medical treatment is sensitive data, and establishes the obligation of healthcare professionals to keep patient data confidential and to comply with the principle of purpose limitation. This law also specifies certain cases in which such data can be provided, partially or totally, to the data subject and to other individuals or entities.

Law 21,521/2023 promoting competition and financial inclusion through innovation and technology in the provision of financial services, the 'FinTech Law' (takes effect on February 3, 2023)

The law’s objective is to establish a broad framework to facilitate the provision of financial services using technological means. The law delegates regulatory authority to the Financial Market Commission ("CMF").

The following principles will guide the law: financial inclusion and innovation; competition promotion; financial client protection; adequate data protection; integrity and financial stability preservation; and prevention of money laundering and funding of drug trafficking and terrorism.

Bill to Create a Consolidated Debt Registry (Bulletin 14743-03)

The draft bill establishes the right to be forgotten in financial concerns where there are no valid grounds to keep people's personal financial data after its purpose has been completed.  

The bill is in the first constitutional stage in the chamber of deputies, and we will be monitoring its progress over the coming year.

Bill regulating the protection and processing of personal data and creating the Agency for the Protection of Personal Data (Bulletin 11,144-07, consolidated with Bulletin 11,092-07)

This draft law aims to modernize the PDPL and adapt it to international standards. The most important stipulations are:

  • the introduction of further legal bases for the processing of personal data in addition to consent (such as performance of a contract and legitimate interest), and additional requirements for processing sensitive data, depending on the category of data concerned.
  • various basic principles, such as lawfulness, purpose limitation, proportionality, data quality, accountability, security, transparency and information, and confidentiality.
  • regulations on international data transfers.
  • information requirements.
  • special obligations when using data processors.
  • provisions on data protection by design and default and security measures.
  • reporting obligations in the event of data breaches.
  • introduction of the right to portability.
  • the creation of a data protection authority with the competence to impose administrative fines.

The bill is under debate at the second constitutional stage in the chamber of deputies and conclusion of the legislative procedure is expected for this year.

Bill creating a Cybersecurity and Critical Information Infrastructure Framework Law (Bulletin 14847-06)

This law aims to create a harmonized regulatory framework for the strengthening of cybersecurity, both operational and regulatory, and addresses essential service providers. It creates a governing body, which is in charge of deciding who the declared essential service providers will be. Declared essential service providers must implement certain technological, organizational, and informational security measures to prevent, report, and resolve cybersecurity events, manage risks, and contain and reduce the impact on operational continuity, confidentiality, and service integrity.

The bill is at the second constitutional stage in the senate.

Last modified 28 January 2023

There is not a single comprehensive data protection law in the People's Republic of China (PRC). Instead, rules relating to personal information protection and data security are part of a complex framework and are found across various laws and regulations. That said, the three main pillars of the personal information protection framework in the PRC are the Personal Information Protection Law (PIPL), the Cybersecurity Law (CSL), and the Data Security Law (DSL).

On June 1, 2017, the CSL came into effect and became the first national-level law to address cybersecurity and data privacy protection. Draft Amendments to the CSL were issued on September 12, 2022, proposing enhanced liabilities for violating obligations of general network operation security, security protection of critical information infrastructure, network information security and personal information protection, etc.

The DSL came into force on September 1, 2021, and focuses on data security across a broad category of data (not just personal information).

Most significantly, the PIPL came into effect on November 1, 2021. The PIPL is the first comprehensive, national-level personal information protection law in the PRC. The PIPL does not replace earlier personal information laws and regulations, but instead enhances and clarifies them.

In addition to the PIPL, CSL and DSL, the following form the backbone of the general personal information protection framework currently in the PRC:

  • The Decision on Strengthening Online Information Protection, effective from December 28, 2012 (Decision); 
  • The Draft Regulation of Network Data Security Management, published for consultation on November 14, 2021; 
  • The Measures for the Security Assessment of Outbound Data Transfers, effective from September 1, 2022; 
  • The Measures for the Standard Contract for the Outbound Transfer of Personal Information, effective from 1 June 2023;
  • The Regulations on Facilitating and Regulating the Cross-border Data Transfers, effective from 22 March 2024; and
  • The Network Data Security Management Regulation (Network Data Regulation), effective from 1 January 2025.

In the past five years, there has also been an abundance of implementing regulations and guidelines (herein referred to as Guidelines) proposed, issued or revised to flesh out the essentials and concepts introduced under the personal information protection framework. These include, non-exhaustively:

  • National Standard of Information Security Technology — Personal Information Security Specification (PIS Specification), as amended and effective from October 1, 2020;
  • Guidelines on Internet Personal Information Security Protection, effective from April 19, 2019;
  • National Standard of Information Security Technology — Guidelines on Personal Information Security Impact Assessment, effective from June 1, 2021;
  • Draft National Standard of Information Security Technology — Requirements for Classification and Grading of Network Data, published for consultation on September 14, 2022; 
  • Practicing Guidelines for Network Security Standards — Technical Specification for Certification of Personal Information Cross-border Processing Activities (V2.0), effective from December 16, 2022; 
  • Standard Contract for Cross-boundary Flow of Personal Information Within the Guangdong–Hong Kong–Macao Greater Bay Area (Mainland, Hong Kong), effective from 10 December 2023;
  • Guidelines on the Filing of Standard Contracts for the Outbound Transfer of Personal Information (Second Edition), effective from 22 March 2024;
  • Guidelines on Application of Security Assessment of Cross-border Data Transfers (Second Edition), effective from 22 March 2024;
  • National Standard of Data Security Technology – Rules for Data Classification and Grading, effective from March 21, 2024;
  • Draft National Standard of Data Security Technology – Personal Information Protection Compliance Audit Requirements, published for consultation on July 12, 2024; and
  • Guide for Sensitive Personal Information Identification, effective from September 18, 2024.

The Decision has the same legal effect as law, and its purpose is to protect online information security, safeguard the lawful rights and interests of citizens, legal entities or other organizations, and ensure national security and public interests. While the PIS Specification and other Guidelines are only technical guides (covering in detail key issues such as data transfers, sensitive personal information and data subject rights), and thus not legally binding, they have historically been highly persuasive. Although the PIPL takes precedence over the PIS Specification and other Guidelines, the PIS Specification and the Guidelines are still useful for the purposes of supplementing legislation, especially on any part that has not been addressed by the PIPL, CSL or DSL.

In addition to all of the above:

  • provisions found in laws such as the Tort Liability Law have generally been used to interpret data protection rights as a right of reputation or right of privacy. However, such interpretation is not explicit. The PRC Civil Code, effective on January 1, 2021 further reinforces the statutory right of privacy for individuals and establishes data protection principles; and 
  • provisions contained in other laws and regulations may also apply depending on the industry or type of information involved (for example, personal information obtained by financial institutions and e-commerce businesses, personal information collected by telecom or Internet service / content providers, healthcare and genetic information, etc.). Applicability of other laws or regulations (including provincial level laws), such as the PRC Criminal Law, PRC E-Commerce Law, PRC Consumer Rights Protection Law, PRC Anti-Money Laundering Law and the new local data laws at a provincial level will invariably depend on the factual context of each case and further independent analysis is recommended.

Given the personal information protection framework is still evolving, and further regulations accompanying the new PIPL and DSL are anticipated to be published in the coming months, it is recommended that organizations continue to monitor the developments of the PRC data protection regulatory framework.

Extra-territorial scope

The PIPL has extra-territorial effect, and applies both to:

  • data processing activities within the PRC; and
  • processing of PRC residents' data outside of the PRC where the processing is carried out:
    • for the purposes of providing products or services to PRC residents;
    • for analytics or evaluation of behavior of PRC residents; or
    • for any other reasons as required by law or regulations.

The PIPL applies to both the public and private sectors.

Last modified 20 January 2025

Colombia recognizes two fundamental personal data rights under Articles 15 and 20 of its Constitution: (1) the right to privacy and (2) the right to data rectification. Personal data processing is further regulated by two statutory laws and several decrees that set out data protection obligations.

Statutory Law 1266 of 2008 (Law 1266) regulates the processing of financial data, credit records and commercial information collected in Colombia or abroad. Law 1266 defines general terms on habeas data and establishes basic data processing principles, data subject rights, data controller obligations and specific rules for financial data.

Law 1266 defines the terms Data Subject, Data Source, User of Data and Data Operator, as follows:

  • ‘Data Subject’ means the owner of the information;
  • ‘Data Source’ means a person or entity who receives or collects the information in the context of a commercial relationship with the Data Subject and shares this information with the Data Operator;
  • ‘User of Data’ means a person or entity who accesses databases and uses the information gathered by the Data Operator;
  • ‘Data Operator’ means a person who manages a database with information provided by the Data Sources and shares it with Users of Data, under the rules provided by Law 1266. The most common example of a Data Operator is a Credit Bureau.

Law 1266 provides the applicable rules and conditions for Data Sources to share information with Data Operators and for such Data Operators to manage and share the information with Users of Data. Notwithstanding this, the Law privileges processing for the purposes of managing financial, credit, commercial and services information, considering that this benefits financial and credit activity as a public interest activity.

Law 1266 was amended by Law 2157 of 2021. The main modifications introduced by Law 2157 are the following:

  • Data whose content refers to the time of default of an individual or a company, or data that refers to a lack of compliance with monetary obligations, shall be erased immediately or as promptly as possible. This erasure requirement applies mainly to small companies, small farmers, armed conflict victims, young people, women from rural areas, and other debtors who are in special situations, with the specificities foreseen in the Law.
  • The obligation to update credit scores was created, provided that any negative data is erased.
  • The Law established that the frequent consultation of a person’s credit history should not be a factor for lowering their credit rating.
  • Claims and requests concerning the processing of financial data must be resolved within fifteen (15) working days from the date of receipt of the communication. If a prompt resolution is not given within this timeframe, the request is presumed accepted for all legal purposes.
  • Financial data, credit records, and commercial information may not be used in making employment decisions.
  • The Law introduced the principle of accountability for the processing of financial information. This update implies that the Data Source and the Data Operator should adopt internal policies to guarantee the safety and confidentiality of the information.

Furthermore, Statutory Law 1581 of 2012 (Law 1581) regulates all personal data processing, as well as databases. Law 1581 defines special categories of personal data, including sensitive data and data collected from minors. Under the law a ‘Data Controller’ is a legal or natural person responsible for data treatment, or processing, and a ‘Data Processor’ is a legal or natural person in charge of personal data processing. The Data Controller creates databases on its own or in association with others, while the Data Processor processes personal data on behalf of the Data Controller. Nevertheless, an entity may be regarded as both Controller and Processor of personal data.

The law further regulates how authorization to process personal data is obtained and the procedures for data processing. Moreover, the law creates the National Register of Data Bases (NRDB).

Law 1581 is applicable to all data collection and processing in Colombia, except data regulated under Law 1266 and certain other types of data or regulated industries. The law is further applicable in any case where a data processor or controller is required to apply Colombian law under international treaties.

Law 1581 does not regulate:

  • Databases regulated under Law 1266;
  • Personal or domestic databases;
  • Databases aimed to protect and guarantee national security, prevent money laundering and terrorism financing;
  • Intelligence and counter-intelligence agency databases;
  • Databases with journalistic information and editorial content; and
  • Databases regulated under Law 79 of 1993 (on population census).

Law 1581 further requires Data Controllers and Data Processors to guarantee that personal data: is maintained pursuant to strict security measures and confidentiality standards, will not be modified or disclosed without the data subject’s consent, and will only be used for purposes identified in a privacy policy or notice.

Decree 1377 of 2013 (Decree 1377) is a piece of secondary regulation related to Law 1581 which outlines requirements for personal and domestic databases regarding authorization of personal data usage and collection, limitations on data processing, cross-border transfer of databases and privacy notices, among others. This Decree also requires controllers and processors to adopt a privacy policy and privacy notice.

Decree 886 of 2014 (Decree 886) and Decree 090 of 2018 (Decree 090), issued by the Ministry of Commerce, Industry and Tourism, regulate the National Register of Data Bases and set deadlines for the registration of existing databases in Colombia.

Lastly, Title V of the Sole Circular issued by the Superintendence of Industry and Commerce provides additional guidelines regarding the following matters: (i) the processing of financial data, credit records and commercial information; (ii) the National Register of Data Bases and (iii) International Data Transfers.

Last modified 28 January 2024

The data protection regime in Côte d’Ivoire is governed by the following laws and regulations:

  • Law No. 2024-532 of June 6, 2024, on Electronic Communications
  • Law no. 2013-546 of 30 July 2013 on electronic transactions
  • Law no. 2013-451 of 19 June 2013 on the fight against cybercrime
  • Law no. 2013-450 of 19 June 2013 on the protection of personal data
  • Order no. 2012-293 of 21 March 2012 relating to telecommunications and information and communication technologies
  • Decree No. 2015 -79 of 04 February 2015, laying down the procedures for filing declarations, submitting applications, granting and withdrawing authorizations for the processing of personal data
  • Order No. 511/MPTIC/cab of 11 November 2014, defining the profile and setting the conditions of employment of the personal data protection correspondent
  • Ratification of the African Union Convention on Cybersecurity and Protection of Personal Data

Last modified 6 January 2025

Data privacy regulation in Costa Rica is contained in two laws, the "Laws": Law No. 7975, the Undisclosed Information Law, which makes it a crime to disclose confidential and/or personal information without authorization; and Law No. 8968, Protection in the Handling of the Personal Data of Individuals together with its by-laws, which were enacted to regulate the activities of companies that administer databases containing personal information. Therefore, the scope of the second law is limited.

The Costa Rican Congress is currently discussing a bill which would fully amend the Laws currently in effect. Such bill was presented to local Congress in January 2021 and is still under discussion.

The proposed bill aims to update the Laws and align its provisions to the principles contained in the EU General Data Protection Regulation (GDPR). It is still unclear when and if the proposed bill will be enacted.

Last modified 28 January 2025

EU regulation

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A 'Regulation' (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An 'establishment' may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within the EU.


Croatia regulation

The Act on the Implementation of the General Data Protection Regulation (in Croatian: Zakon o provedbi Opće uredbe o zaštiti podataka) was enacted by the Croatian Parliament on April 27, 2018 and came into force on May 25, 2018 (the ‘Act’).

Also, the Act on Healthcare Data and Information, which came into force on 15 February 2019, regulates rights, obligations and responsibilities of legal and natural persons within the Croatian healthcare system with respect to healthcare data and information and, inter alia, sets out fundamental principles and standards of their collection, processing and protection.

Finally, the Electronic Communications Act and the Cybersecurity Act provide an important framework for the protection of people’s rights in the online environment, including specific rules relating to the use of cookies and to the processing of personal data by public electronic networks and public electronic service providers.

Last modified 16 January 2025

Cuba does not have its own data protection law. 

Cuba regulates data privacy and protection issues, in general, under the following norms:

  • Constitution of the Republic of Cuba (2019), Article 97
  • Decree-Law 35/2021 “On Telecommunications, Information and Communication Technologies and the use of the Radioelectric Spectrum”.
  • Decree-Law No. 370/2018 “On the Computerization of the Society in Cuba”.
  • Decree 360/2019 "On the Security of Information and Communication Technologies and the Defence of National Cyberspace".
  • Resolution No. 99/2019 "Regulation for private data networks".
  • Other rules:
    • Regulation for the production of computer programs and applications and the evaluation of their quality (2019).
    • System for registration of computer programs and applications (2019).
    • Regulation with the control measures and the types of security tools that are implemented in private data networks (2019).
    • Regulation of the provider of public accommodation and hosting services in the internet environment (2019).
    • Information and communication technology security regulation (2019).
    • Methodology for Information Security Management (2019).

Last modified 16 February 2022
  • National ordinance personal data protection (Landsverordening bescherming persoonsgegevens, National Gazette 2010, Consolidated text no. 84) (“National Ordinance Personal Data Protection”);
  • General Data Protection Regulation (the “GDPR”) – a regulation of the European Union which became effective on May 25, 2018 – may have implications for a data controller / data processor as the extra-territorial reach of the GDPR is not only relevant to businesses established in the European Union but also to international businesses established in Curaçao which offer goods or services to individuals in the European Union or monitor their behaviour in the European Union.

Last modified 10 February 2025

EU regulation

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A 'Regulation' (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An 'establishment' may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within the EU.


Cyprus regulation

The Protection of Physical Persons Against the Processing of Personal Data and Free Movement of such Data Law 125(I)/2018, which implements certain provisions of the GDPR into local law, entered into force on July 31, 2018 (the “Law”).

Last modified 21 February 2022

EU regulation

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A 'Regulation' (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An 'establishment' may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within the EU.


Czech Republic regulation

The new Czech Act No. 110/2019 Coll., on Personal Data Processing, being the Czech GDPR implementation law, came into effect on 24 April 2019. This statute fully replaced the older Personal Data Protection Law (Act No. 101/2000 Coll., as amended) and regulates personal data processing within the scope of Regulation (EU) 2016/679, as well as the processing of such data by competent authorities for the purposes of preventing, investigating and detecting criminal activity, ensuring safety and public order, etc.

It also regulates the jurisdiction of the Office for Personal Data Protection and the processing of personal data in the course of ensuring the defence and security of the Czech Republic.

Last modified 16 January 2024

The protection of personal data is included in the law establishing the digital code N°23-010 of 13 March 2023 and published in the official journal on 11 April 2023 (the “Digital Code Law” or “Digital Code”). The Digital Code Law entered into force on the date of its approval (13 March 2023). Several implementing decrees referred to in the Digital Code Law have not yet been issued, except for a Ministerial Decree dated 17 August 2024 adopted by the Minister for Post, Telecommunications and Digital (PTN).

Last modified 6 January 2025

EU regulation

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A 'Regulation' (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An 'establishment' may take a wide variety of forms and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within the EU.


Denmark regulation

To implement the GDPR, the Danish Parliament enacted the Danish Act on Data Protection (the 'Danish Data Protection Act’) on May 17, 2018, enforceable on May 25, 2018 and replacing the previous Danish Act on Processing of Personal Data (Act no. 429 of 31/05/2000). Hence, data protection and processing in Denmark is now regulated by the GDPR as supplemented by the Danish Data Protection Act.

The Danish Data Protection Act does not apply to Greenland and the Faroe Islands.

Last modified 16 January 2025

Section 44 of the Dominican Constitution recognizes citizens’ right to access their personal data stored in public or private databases, as well as their right to information concerning the purpose and use of the same.

The Constitution also establishes that the processing of personal data must be carried out in accordance with the principles of:

  • Reliability
  • Legality
  • Integrity
  • Security, and
  • Purpose of the information

The collection, storage and safekeeping of personal data, as well as usage and access rights concerning such personal data, are governed by the provisions of Law No. 172-13 on the Protection of Personal Data enacted December 13, 2013 (DPL).

In addition to setting forth the legal regime for the protection of personal data, the DPL establishes regulations governing the constitution and operation of credit bureaus.

For the purposes of the DPL, the term 'credit bureau' refers to companies dedicated to collecting, organizing, storing, conserving, providing, transferring or transmitting data regarding consumers (including goods and services related to the same), as well as any other information provided by the Superintendent of Banks.

Law No. 53-07 on High Technology Crimes and Offenses does not specifically refer to personal data but ensures the protection of information systems and their components, as well as the information or data that are stored or transmitted through them, and it also establishes the penalties for crimes committed against them or any of their components or those committed using such technologies to the detriment of individuals or legal entities.

Last modified 28 January 2025

Constitution 

Article 66 of the Constitution of Ecuador, on the personal freedom rights of individuals in Ecuadorian territory, provides in section 19 that the State recognizes and guarantees: "The right to the protection of personal data, which includes the access and decision on information and data of this nature, as well as its corresponding protection. The collection, filing, processing, distribution or dissemination of such data or information shall require the authorization of the owner or the mandate of the law."

Article 92 gives every person the right to be informed of and have access to information, documents, genetic data, personal data banks or files and reports on himself or herself and his or her assets, contained in files and/or databases of public or private entities, in physical and/or electronic form. The interested individual has the right to be informed of the use, purpose, origin and destination of his or her personal data and of how long the file containing them will be kept.

The parties responsible for personal data banks or files may disseminate the information filed only with the authorization of its owner; the owner of the personal data may request from the responsible party access to the file free of charge, as well as the updating, rectification, deletion or cancellation of his or her personal data.

In the case of sensitive data, the collection and storage must be authorized by law or by the owner, and the necessary security measures must be adopted. If the request is not complied with, the affected individual may appeal to the judge and may sue for the damages caused.

Personal Data Protection Organic Law 

On May 26, 2021, Ecuador adopted the Personal Data Protection Organic Law, whose main purpose is to guarantee the right to the protection of personal data, which includes the access and decision on information and personal data, as well as its corresponding protection. The law mainly sets out the conditions that must be met for the lawful processing of personal data. It also sets out the ways in which the owner of the personal data may express his or her consent to the processing of his or her data.

Regulation to the Personal Data Protection Organic Law 

On November 13, 2021, the President of Ecuador issued the Regulation to the Personal Data Protection Organic Law, whose main purpose is to develop aspects already provided for in the law. Among the most important aspects of the Regulation are the specifications for requests related to the exercise of data protection rights, the notification of security breaches, data processing agreements, the data protection officer, and international data transfers.

Last modified 28 January 2025

Personal Data Protection Law No.151 of 2020 (the "Law").

Last modified 19 January 2024

N/A. 

El Salvador’s Congress approved a Personal Data Protection Act on Apr. 22, 2021. As part of the process of creation of a Law in El Salvador, all Acts approved by Congress are later referred to the President of the Republic for his review/veto/approval. In this case, the Act was vetoed and sent back to Congress for review but no further action has been taken in order to review the causes for the veto and/or make any amendments for its further approval. 

Hence, data protection regulation in El Salvador remains disseminated in many other Acts that briefly regulate the confidentiality of a person’s information but no specific regulation is in place.

Last modified 28 January 2024

The applicable law is the Personal Data Protection Law Num. 1/2016 dated 22 July.

Last modified 10 January 2022

EU regulation

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A 'Regulation' (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An 'establishment' may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within the EU.


Estonia regulation

In Estonia, all derogations / additional requirements to the GDPR are provided in the Personal Data Protection Act (PDPA) and the Personal Data Protection Implementation Act (Implementation Act).

The PDPA was adopted by the Estonian parliament on December 12, 2018 and entered into force on January 15, 2019. The Implementation Act was adopted on February 20, 2019 and entered into force on March 15, 2019.

Last modified 16 January 2025

Ethiopia has several laws that relate to privacy and data security, including:

  • The 1995 Constitution of the Federal Democratic Republic of Ethiopia;
  • The 2005 Criminal Code of the Federal Democratic Republic of Ethiopia;
  • The 1960 Civil Code;
  • The Computer Crime Proclamation No. 958/2016;
  • Freedom of the Mass Media and Access to Information Proclamation No. 590/2008 (as amended by the Media Proclamation No. 1238/2021);
  • Federal Advocacy Service Licensing and Administration Proclamation No.1249/2021;
  • Telecom Fraud Offence Proclamation No. 761/2012;
  • Registration of Vital Events and National Identification Cards Proclamation No. 760/2012 (as amended);
  • Federal Tax Administration Proclamation No.983/2016;
  • Authentication and Registration of Documents' Proclamation No.922/2015;
  • Electronic Signature Proclamation No.1072/2018;
  • Communications Service Proclamation No.1148/2019;
  • Electronic Transaction Proclamation No.1205/2020;
  • National Bank of Ethiopia (NBE) Licensing and Authorization of Payment Instrument Issuers Directive No. ONPS/01/2020;
  • NBE Financial Consumer Protection Directive No. FCP/01/202

Last modified 12 January 2023

There are no data protection laws or statutes outside of the telecommunications context. The relevant text is the Federated States of Micronesia Code (“FSM Code”).

Last modified 31 January 2023

There is no specific legislation for personal data protection in Fiji. Clause 24 of the Constitution (2013) provides the right to personal privacy, which includes the right to confidentiality of personal information.

Some sector-specific laws criminalise (or expose to other serious action) the unauthorised disclosure by others of personal / client information as follows:

  • Banking Act 1995 – by central bank personnel (s.27) and licensed financial institution personnel (s.71);
  • Fiji Revenue and Customs Service Act 1998 – by tax officials (s.52 (2));
  • Medical and Dental Practitioner Act 2010 – by statutory administrators of any data obtained in the course of their duties (s.126);
  • Under the Rules of Professional Conduct and Practice (para 1.4) of the Legal Practitioners Act 2009 - information received by legal practitioners from or on behalf of clients;
  • Cybercrime Act 2021 defines "computer data" which is broad enough to capture personal data if it is stored in a computer system.

These laws, however, do not directly protect personal information.

Last modified 3 January 2024

EU regulation

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A 'Regulation' (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An 'establishment' may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within the EU.


Finland regulation

Finland has passed a supplementary implementation act of the GDPR, the Data Protection Act of Finland (Tietosuojalaki), which entered into force on January 1, 2019.

Other key Finnish laws concerning data privacy and protection are: the Act on Electronic Communication Services 917/2014 (Laki sähköisen viestinnän palveluista) of January 1, 2015, which aims, inter alia, to ensure the confidentiality of electronic communication and the protection of privacy; the Act on the Protection of Privacy in Working Life 759/2004 (‘Working Life Act’) (Laki yksityisyyden suojasta työelämässä), which aims to promote the protection of privacy and other rights safeguarding privacy in working life; and the Act on the Processing of Personal Data in Criminal Cases and in connection with Maintaining National Security 1054/2018 (Laki henkilötietojen käsittelystä rikosasioissa ja kansallisen turvallisuuden ylläpitämisen yhteydessä), which entered into force on January 1, 2019 along with the Data Protection Act.

The Working Life Act includes some specific provisions on privacy issues relating to employment and work environments, such as the right to monitor employees’ email communication. The protection of employees’ privacy has traditionally been strict in Finland; Finland uses the national leeway provided in the GDPR with regard to the processing of personal data in the context of employment and maintains the specific law concerning privacy in working life.

Last modified 4 January 2023

EU regulation

The General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR” or ”Regulation”) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A 'Regulation' (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. This is the “establishment criterion”. An 'establishment' may take a wide variety of forms and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or "the monitoring of their behavior" (Article 3(2)(b)) as far as their behavior takes place within the EU. This is the “targeting criterion”.


France regulation

France updated Law No. 78-17 of January 6, 1978 on information technology, data files and civil liberties (the “Law”) to the GDPR with the enactment of (i) Law No. 2018-493 of June 20, 2018 on the protection of personal data, and (ii) Order No. 2018-1125 of December 12, 2018, adopted pursuant to Article 32 of Law No. 2018-493, which updates the Law and other French laws relating to personal data protection in order to “simplify the implementation and make the necessary formal corrections to ensure consistency with EU data protection law”. France's domestic data protection legislation was further completed with the adoption of Decree No. 2019-536 of May 29, 2019, adopted for the application of the Law (the “Decree”). The Decree clarifies the procedural rules of the French data protection authority, including its control and sanction procedures, and further specifies data subject rights.

The Law and the Decree have been updated:

  • In 2021, (i) Law No. 2021-988 of July 30, 2021, on the prevention of acts of terrorism and intelligence amended articles 48 and 49 of the Law to create exceptions to the rights of individuals when processing is justified by national security and (ii) Law No. 2021-1017 of August 2, 2021, relating to bioethics which modified article 75 of the Law relating to processing in the health field;
  • In 2022, (i) Law No. 2022-52 of January 24, 2022, on criminal liability and homeland security amended articles 10, 20 and 125 of the Law and created article 22-1 to introduce the simplified sanction procedure of the French data protection authority and (ii) Decree No. 2022-517 of April 8, 2022, amended the Decree to define the modalities of this simplified sanction procedure as introduced by Law No. 2022-52 of January 24, 2022. The objective of these new texts is to introduce more flexibility in the use of formal notices or sanctions; and
  • In 2024, Law No. 2024-449 of May 21, 2024 aiming to secure and regulate the digital space, which (i) extends the territorial scope of the Law, (ii) extends the powers and missions of the French supervisory authority, mainly in light of the new EU Digital Decade Regulation and (iii) introduces new obligations upon organizations processing personal data (e.g. in relation to the implementation of age verification systems or the hosting of health data).

Territorial Scope

Initially, Article 3 of the Law provided that it applied only when (i) the data controller or data processor is established in France (whether the processing takes place in France or not) or (ii) the data subjects reside in France (with respect to the legal variations permitted from time to time under the GDPR). Further to Law No. 2024-449 of May 21, 2024, the territorial scope of the Law has been extended and it now also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the monitoring of their behaviour within the EU, in particular through the collection of their personal data with a view to reconciling it with data relating to their online activity.

Last modified 5 January 2025

The data protection regime in Gabon is governed by the following laws and regulations:

  • Act no. 025/2023 of 09/07/2023 amending Act no. 001/2011 of 25 September 2011 on the protection of personal data;
  • Law No. 26/2018 of 22 October 2018 regarding Electronic Communications in Gabon;
  • Law No. 02/2004 of 30 March 2005 ratifying the International Convention for the Suppression of the Financing of Terrorism;
  • Regulation No. 01/CEMAC/UMAC/CM of 11 April 2016 on the prevention and suppression of money laundering, terrorist financing and proliferation in Central Africa;
  • Law No. 025/2021 of 28/12/2021 regulating electronic transactions in the Gabonese Republic;
  • Law No. 027/2023 of 11/07/2023 regulating cybersecurity and the fight against cybercrime in the Gabonese Republic; and
  • Ratification of the African Union Convention on Cybersecurity and Personal Data Protection on 17 October 2024.

Last modified 6 January 2025

As of March 1st, 2024, the new Law of Georgia on Personal Data Protection (“Data Protection Law” or “Law”) has come into effect. This law establishes rights for data subjects and imposes obligations on data controllers and processors, closely mirroring the GDPR framework. Key provisions include the introduction of the Data Protection Officer role, enhanced internal accountability for controllers through internal registration of data processing activities and impact assessments, stricter data security obligations, and a redefined framework for international data transfers.

While the GDPR does not apply in Georgia, the Data Protection Law serves as the cornerstone of the country’s data protection framework. Its similarity to the GDPR stems from Georgia's commitment to aligning with EU standards as part of its path toward EU membership.

Georgia does not have extensive sector-specific data privacy regulations. Instead, sectoral laws typically refer to the Data Protection Law for guidance. This approach is evident in the regulations governing the telecom sector (via the Electronic Communications Law), the e-commerce sector (via the E-Commerce Law), the media sector (via the Broadcasting Law), and the banking sector (via the Commercial Bank Activities Law).

Furthermore, the Georgian Civil Code grants individuals the right to access their personal data and records concerning their financial or private matters and to obtain copies of such data, except where restricted by Georgian law. Access to information containing personal data cannot be denied, and entities must provide such data to third parties upon receiving a written request and the explicit consent of the individual concerned, ensuring confidentiality is maintained. These rights are further elaborated and regulated in Chapter III of the Data Protection Law, particularly in Articles 13 and 14.

Material and Territorial Scope

The Data Protection Law applies: 

  • to the processing of data wholly or partly by automated means within the territory of Georgia; 
  • to the processing other than by automated means of data which form part of a filing system or are processed to form part of a filing system within the territory of Georgia;
  • to the processing of data by a controller not established in Georgia, using technical means available in Georgia, except where the technical means are used solely for the transit of data (the Law therefore has extra-territorial effect in this respect).

The law does not apply to: 

  1. the processing of data by a natural person in the course of purely personal and / or household activities, which has no connection to his / her entrepreneurial and / or economic and professional activities or the performance of official duties. The processing of data in the course of purely personal and / or household activities can include correspondence and the holding of addresses, or online activity (including social networking) undertaken within the context of such activities; 
  2. the processing of data for the purposes of national security (including economic security), defense, intelligence and counter-intelligence activities; 
  3. semi-automated processing and non-automated processing of data deemed to be a state secret, for the purposes of the prevention, investigation and prosecution of crime, and the conduct of operative and investigative activities or the protection of the rule of law; 
  4. the processing of data for the purposes of court proceedings; 
  5. the processing of data by mass media for public information (except for particularly stipulated cases); 
  6. the processing of data for academic, artistic or literary purposes. 

Also, at the outset, the Data Protection Law establishes an important principle, stating that anyone who unintentionally comes into possession of another person’s data, not intended for them, must respect the rights of the data subject and refrain from engaging in any unlawful processing of such data.

Last modified 6 January 2025

At a glance

  • Germany adjusted its legal framework to align with the GDPR through the new German Federal Data Protection Act (BDSG), which came into force on May 25, 2018. The BDSG leverages GDPR's opening clauses, allowing Member States to tailor or restrict certain data processing requirements.
  • Part 3 of the BDSG implements the EU's Law Enforcement Directive (EU) 2016/680, which governs data processing for law enforcement purposes.
  • Germany also has data protection rules embedded in area-specific laws, such as those regulating financial trade and the energy sector.

EU regulation

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A 'Regulation' (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An 'establishment' may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within the EU.


Germany regulation

Germany has adjusted the German legal framework to the GDPR by passing the new German Federal Data Protection Act (Bundesdatenschutzgesetz – "BDSG"). The BDSG came into force together with the GDPR on May 25, 2018. The purpose of the BDSG is especially to make use of the numerous opening clauses under the GDPR which enable Member States to specify or even restrict the data processing requirements under the GDPR. Part 3 of the BDSG implements the Law Enforcement Directive (EU) 2016/680.


In addition to the BDSG, there exist a number of data protection rules in area-specific laws, for example those regulating financial trade or the energy sector. As of 1 December 2021, the Telecommunications-Telemedia-Data Protection Act, renamed Telecommunications-Digital-Services-Data Protection Act as of 14 May 2024 (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz – "TDDDG"), provides data protection regulations for telecommunication and digital services providers, which are intended to eliminate a long-standing legal uncertainty about the applicability of the data protection regulations of the German Telecommunications Act (Telekommunikationsgesetz – "TKG") and the German Digital Services Act (Digitale-Dienste-Gesetz – "DDG") in interaction with the GDPR. The TDDDG also transposes the “cookie consent” requirement under Article 5 (3) ePrivacy Directive into German law.

Last modified 16 January 2025

The primary legislation governing privacy / data protection in Ghana is the Data Protection Act, 2012 (Act 843).

Other laws, examples of which are set out below, contain some privacy/data protection provisions:

1992 Constitution

Article 18(2) provides citizens with a fundamental right to privacy. The Article provides that “no person shall be subjected to interference with the privacy of his home, property, correspondence or communication except in accordance with law and as may be necessary in a free and democratic society for public safety or the economic well-being of the country, for the protection of health or morals, for the prevention of disorder or crime or for the protection of the rights or freedoms of others.”

Electronic Communications Act, 2008 (Act 775)

A network operator or a service provider who is a holder of a Class Licence shall not use or permit another person to use or disclose confidential, personal or proprietary information of a user, another network operator or service provider without lawful authority unless the use or disclosure is necessary for the operation of the network or service, the billing and collection of charges, the protection of the rights or property of the operator or provider, or the protection of the users or other network operators or service providers from the fraudulent use of the network or service.

A person who intentionally uses or discloses personal information in contravention of the Act commits an offence and is liable on summary conviction to a fine of not more than one thousand five hundred penalty units or to a term of imprisonment of not more than four years or both.

Act 775 defines a Class Licence as “a licence, other than an individual licence, granted on the same terms to each applicant in respect to a class of electronic communications networks or services or radio-communication services.”

Electronic Communications Regulations, 2011 (L.I. 1991)

The principle of privacy and secrecy in electronic communications applies to the National Communications Authority, operators of electronic communications networks and providers of electronic communications services.

The operator is required to comply with international best practices in the industry to promote privacy, secrecy and security of communications carried or transmitted by the operator or through the communications system of the operator, and the personal and accounts data related to subscribers.

Credit Reporting Act, 2007 (Act 726)

The Bank of Ghana has the overall supervisory and regulatory authority under the Act to: (a) register, license and regulate bureaus, data providers and credit information recipients and their agents; and (b) control and supervise activities of the credit bureaus, data providers, credit information recipients and their agents.

The Act requires the recipient of a credit report to keep such report confidential while ensuring that the information contained in it is used solely for its specified purpose. A credit bureau, data provider or credit information recipient is required to observe the principles of: (a) equality of credit information subjects; (b) confidentiality of information; (c) non-interference in the private life of citizens; (d) respect for the rights, liberties and lawful interests of persons and legal entities; (e) accuracy and transparency of information; and (f) privacy and secrecy of communication.

Credit Reporting Regulations, 2020 (L.I. 2394) 

These regulations, made pursuant to the Credit Reporting Act, 2007 (Act 726), set standards for the safety and security of credit information, standards for data submission by data providers, as well as standards for privacy and data security which are to be observed by credit bureaus. These include:

  • Confidentiality of credit information;
  • Controls and security measures to be taken by credit bureaus; and
  • Standards to be observed in the processing of data submitted. 

*A penalty unit is equivalent to GHS12 (approximately USD11.6 as at 22 December 2023).

Public Health Act, 2012 (Act 851)

Article 45 of the International Health Regulations (2005) of the World Health Organisation, which are annexed to Act 851 as the Seventh Schedule, provides that “health information collected or received by a State Party pursuant to these Regulations from another State Party or from WHO which refers to an identified or identifiable person shall be kept confidential and processed anonymously as required by national law.”

Children’s Act, 1998 (Act 560)

The purpose of this Act is to reform and consolidate the law relating to children, to provide for the rights of the child, maintenance and adoption, regulate child labour and apprenticeship, and provide for ancillary matters concerning children generally.

Act 560 provides that “a child’s right to privacy must be respected throughout the proceedings at a Family Tribunal”. In furtherance of this, the Act restricts participants to the sittings of the Family Tribunal to persons with an interest in the matter including parents of the child and officers of the Tribunal.

Act 560 further provides that it is an offence for any person to “publish any information that may lead to the identification of a child in any matter before a Family Tribunal except with the permission of the Family Tribunal.”


Cybersecurity Act, 2020 (Act 1038)

The purpose of this Act is to regulate cybersecurity activities in Ghana, promote the development of cybersecurity and to provide for other related matters. This Act permits interception of data under limited circumstances.

Act 1038 makes provision for certain authorized persons to apply to the courts for a production order to collect subscriber information or for an interception warrant to collect or record traffic data or content data stored in real time.

Applications made in this regard must indicate the measures to be taken to ensure that the data will be procured:

  • whilst maintaining the privacy of other users, customers and third parties; and
  • without the disclosure of the traffic data of any party not part of the investigation.

Last modified 19 January 2024

Following the UK’s exit from the European Union, Gibraltar ceased to be a territory within the European Union as of midnight 31st December 2020. As a consequence, the Gibraltar Government transposed the General Data Protection Regulation (Regulation (EU) 2016/679) into Gibraltar national law (thereby creating the “Gibraltar GDPR”). In so doing, Gibraltar made a number of technical changes to the GDPR to account for its status as a national law of Gibraltar. The Gibraltar GDPR replaces EU terminology with domestic equivalents (e.g. references to “Member State law” become references to “Gibraltar law” and references to “a third country” become references to “a country or territory outside of Gibraltar”). These changes were made under Gibraltar’s Data Protection, Privacy and Electronic Communications (Amendments Etc) (EU) Exit Regulations 2019.

All material GDPR obligations on controllers and processors remain the same under the Gibraltar GDPR.

Additionally, Gibraltar’s Data Protection Act 2004 (“DPA04”) remains in place as a national data protection law, and supplements the Gibraltar GDPR. It deals with matters that were previously permitted derogations and exemptions from the EU GDPR (for example substantial public interest bases for the processing of special category data, and context-specific exemptions from parts of the GDPR such as subject rights).

In addition:

  • Part III of the DPA04 transposes the Law Enforcement Directive ((EU) 2016/680) into Gibraltar law, creating a data protection regime specifically for law enforcement personal data processing; and
  • Parts V and VI set out the scope of the Information Commissioner's mandate and his enforcement powers, and create a number of criminal offences relating to personal data processing.

Territorial Scope

Primarily, the application of the Gibraltar GDPR turns on whether an organization is established in Gibraltar. An 'establishment' may take a wide variety of forms, and is not necessarily a legal entity registered in Gibraltar.

However, the Gibraltar GDPR also has extra-territorial effect. An organization that is not established within Gibraltar will still be subject to the Gibraltar GDPR if it processes personal data of data subjects who are in Gibraltar where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in Gibraltar or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within Gibraltar.

Last modified 19 January 2024

EU regulation

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A 'Regulation' (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An 'establishment' may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within the EU.


Greece regulation

The Greek Law 4624/2019 “on the Hellenic Data Protection Authority, the implementation of Regulation 2016/679 and the transposition of Directive 2016/680” (hereinafter the “Greek Data Protection Law”) (Government Gazette A/137/29.08.2019) was enacted and entered into force on August 28, 2019. The Greek Data Protection Law regulates the operation of the Hellenic Data Protection Authority, introduces rules supplementing the GDPR and transposes the Law Enforcement Directive into Greek law.

Last modified 16 January 2025

Guatemala does not have a personal data protection law; however, the Law on Access to Public Information (Ley de Acceso a la Información Pública – Decree 57-2008 of the Congress of the Republic), even though it pertains to information in public files and records, does address the matter in certain provisions which can be applicable to private parties.

Last modified 21 December 2021

The Data Protection (Bailiwick of Guernsey) Law, 2017 ("DPL 2017") came into force on 25 May 2018 to coincide with the enforcement of the EU's General Data Protection Regulation (EU) 2016/679 ("GDPR").

Adequacy

The DPL 2017 replaced Guernsey's first set of data protection legislation that was introduced in 2001 in the form of the Data Protection (Bailiwick of Guernsey) Law, 2001, as amended ("DPL 2001"). The DPL 2001 had been implemented in response to the EU Directive 95/46/EC. Whereas the DPL 2001 was modelled on a UK enactment, the DPL 2017 is stated to be 'equivalent' to the GDPR.

In 2003 Guernsey was recognised by the European Commission as providing an adequate level of protection for the free flow of personal data to the Bailiwick (see Opinion 02072/07/EN WP 141 and Opinion 10595/03/EN WP 79). Following the enforcement of the GDPR from 25 May 2018, the adequacy decision remains valid and effective in respect of Guernsey's revised data protection regime under the DPL 2017. The adequacy decision continued to apply pending reassessment by the European Commission (as per Article 45(9) GDPR), which has now taken place.  The European Commission's report (COM/2024/7 final) concluded that Guernsey continues to provide an adequate level of protection for personal data. 

The UK has also recognised Guernsey as providing an adequate level of protection for personal data for the purposes of transfers under the UK GDPR (see The Data Protection (Law Enforcement) (Adequacy) (Bailiwick of Guernsey) Regulations 2023 (SI 2023/744)).

Scope and applicability

The DPL 2017 applies in relation to the processing of personal data where:

  • the processing is by automated means (whether wholly or partly) OR, if the processing is not by automated means, it is intended to form part of a filing system; and
  • the processing is conducted by a controller or processor established in the Bailiwick of Guernsey ("Bailiwick") OR the personal data is that of a Bailiwick resident and is processed in the context of the offering of goods or services (whether or not for payment) to the resident or the monitoring of the resident's behaviour in the Bailiwick. The term "established in the Bailiwick" is defined under the DPL 2017.

In practice, this means that there may be instances where controllers and processors established in the Bailiwick are subject to both the DPL 2017 and, where they process personal data of data subjects who are in the EU, the GDPR.

A domestic exception is available where the processing is for the purpose of an individual's personal, family or household affairs.

As from 25 May 2019, the initial period of transitional relief granted to controllers and processors in Guernsey came to an end.  All controllers and processors must therefore comply with all aspects of the DPL 2017 (including the duty to notify pre-collected data, carry out privacy impact assessments, comply with statutory obligations in relation to processor and joint controller-led duties and renew consents collected prior to 25 May 2018). 

There is also a requirement (in certain instances) for controllers not 'established in the Bailiwick' to designate and authorise a representative in the Bailiwick.


The Prevention of Discrimination (Guernsey) Ordinance, 2022 has been in effect since 1st October 2023 and legislates against discriminating against people on the grounds of religion, belief, sexuality, race, disability or carer status. Additional provisions will be coming into effect in 2028. While not directly impacting data protection considerations, it is likely to impact the way in which employers are required to collect and use personal data about potential, new and existing employees. It is also likely to involve the processing of special category data. As the impact becomes clear, this will be updated.

Last modified 16 January 2025

Law n° L/2016/037/AN dated July 28, 2016, on Cybersecurity and Personal Data Protection in the Republic of Guinea regulates personal data.

Last modified 20 December 2021

Arrêté fixant les règles relatives à la protection des données à caractère personnel, published in the official gazette, Le Moniteur, #87 of May 15, 2018.

Code Pénal, published in the official gazette, Le Moniteur, Special #10, June 24, 2020.

Last modified 16 January 2025

Personal data protection is regulated mainly in:

National Constitution: Article 182 provides the constitutional protection of habeas data, giving individuals the right 'to access any file or record, private or public, electronic or hand written, that contains information which may produce damage to personal honour and family privacy. It is also a method to prevent the transmission or disclosure of such data, rectify inaccurate or misleading data, update data, require confidentiality and to eliminate false information. This guarantee does not affect the secrecy of journalistic sources.'

Law of the Civil Registry (Article 109, Decree 62-2004). This law refers only to public personal information that is contained in the archives of the Civil Registry.

Law for Transparency and for Access to Public Information (Article 3.5, Decree 170-2006). This law enables the access of any person to all the information contained in public entities, except that which is classified as 'Confidential.' It also extends the constitutional protection of habeas data and forbids the transmission of personal information that may cause any kind of discrimination or any moral or economic damage to people.

Rulings on the Law for Transparency and for Access to Public Information (Article 42, Accord 001-2008). These provide a definition of databases containing personal confidential information, and require data subject consent prior to the use of such data by any third party.

In addition, the Law for the Protection of Confidential Personal Data (the “Law”) is currently in discussion in the Honduran Congress. Congress has approved the first chapters of the Law. The complete approval of the Law and the date for when the Law will enter into force is expected in the first half of 2019.

Last modified 10 February 2025

The Personal Data (Privacy) Ordinance (Cap. 486) (Ordinance) regulates the collection and handling of personal data. The Ordinance has been in force since 1996, but in 2012/2013 was significantly amended (notably with regard to direct marketing). The Personal Data (Privacy) (Amendment) Ordinance (Amendment Ordinance) came into force in October 2021 and introduced new offences of doxxing and corresponding penalties.

At Bill stage, the Amendment Ordinance had originally included a number of other proposed amendments to the Ordinance (as per the January 2020 Consultation Paper), e.g. introducing a mandatory data breach notification mechanism, requiring data users to formulate a data retention policy, empowering the Office of the Privacy Commissioner for Personal Data (PCPD) to impose administrative fines linked to annual turnover and regulating data processors directly (Proposed Amendments). According to its report to the Legislative Council in February 2023 (PCPD’s Report), the PCPD is studying the Proposed Amendments with the Government to strengthen personal data protection and to address challenges including those posed by internet technology developments. The summary of the Panel on Constitutional Affairs Meeting held in February 2024 (Panel Meeting Summary) further reinforced that the PCPD has plans to implement the Proposed Amendments and is in the process of formulating a concrete proposal, but media reports in Autumn 2024 suggested that some or all of the Proposed Amendments have been put on hold.

In addition, the Government released the Protection of Critical Infrastructures (Computer Systems) Bill in December 2024 (Bill). The Bill aims to protect critical infrastructure (CI), which includes (inter alia) infrastructure which substantially affects the maintenance of critical societal or economic activities in Hong Kong in the event of a data breach. Under the Bill, CI operators would be required (inter alia) to implement a cybersecurity management plan and conduct security risk assessments. The Bill is currently passing through the Legislative Council.

Last modified 20 January 2025

EU regulation

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A 'Regulation' (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An 'establishment' may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within the EU.


Hungary regulation

The Hungarian Parliament implemented the GDPR into Hungarian law by amending Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information. As of 26 April 2019 all the relevant sectoral laws were also amended in Hungary in order to comply with the provisions of the GDPR.

Last modified 11 January 2024

Iceland regulation

The GDPR was incorporated in the EEA Agreement by a Joint Committee Decision dated July 6, 2018. The Act No. 90/2018 on Data Protection and the Processing of Personal Data (the ‘DPA’) implements the GDPR in Iceland. The law contains derogations and exemptions from the position under the GDPR in certain permitted areas.

Last modified 16 January 2025

Until 2023, India did not have a standalone law or framework to govern data protection. The Information Technology Act, 2000 (IT Act) and rules notified thereunder formed the basis around which the data protection framework revolved. This included the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Privacy Rules).

In 2017, a constitutional bench of nine judges of the Supreme Court of India in Justice K. S. Puttaswamy (Retd.) v. Union of India [Writ Petition No. 494/ 2012] upheld that privacy is a fundamental right, which is entrenched in Article 21 [Right to Life & Liberty] of the Constitution of India. This led to the process of formulation of a comprehensive data protection framework for India. After releasing different draft versions of a data protection legislation and considering the recommendations from different stakeholders, the Ministry of Electronics and Information Technology (MeitY), Government of India, released the draft of the Digital Personal Data Protection Bill in 2022 (DPDP Bill).

The version of the DPDP Bill which was eventually passed by both houses of the Indian Parliament marked a few significant changes to the original draft of the DPDP Bill. On August 11, 2023, the Government of India published that version as the Digital Personal Data Protection Act, 2023 (DPDP Act), which will form the personal data protection and regulatory regime in India. The DPDP Act introduces several compliance obligations with respect to the collection, processing, storage and transfer of digital personal data. However, further actions on behalf of the Government are required to make the DPDP Act effective, including notifying the sections of the DPDP Act itself, repealing the Privacy Rules and notifying the rules and regulations required for effective implementation and enforcement of the DPDP Act. The DPDP Act is applicable only to personal data in digital form and does not regulate non-personal and non-digital data. Consequently, the collection and handling of non-personal data is currently unregulated in India.

To clarify, the current privacy regime is contained within the IT Act and the Privacy Rules. While the Government of India (see below) has released a draft of the rules under the DPDP Act, the provisions of the Act itself have not yet come into force. 

Rules

On January 3, 2025, MeitY released a draft of the Digital Personal Data Protection Rules, 2025 (Draft Rules), inviting comments from the public and stakeholders until February 18, 2025. The feedback received by the government will be taken into consideration after this date.

Rules related to the establishment and functioning of the Data Protection Board of India are likely to come into effect immediately upon the publication of the rules in the Official Gazette (after the DPDP Act is implemented). For the remaining rules, an extended period may be provided for entities to comply with after which these rules will come into effect. The timeline has not been specified in the Draft Rules. 

Note

The DPDP Act has been drafted on the following principles:

  • usage of personal data by an organization is to be done in a manner that is lawful, fair and transparent to the individuals concerned;
  • usage of personal data is to be limited to the purpose for which it was collected;
  • only those items of personal data that are required for attaining a specific purpose are to be collected;
  • reasonable efforts should be made to ensure that the personal data of the individual is accurate and kept up to date;
  • storage of data is required to be limited to such duration as is necessary for the stated purpose for which personal data was collected;
  • reasonable safeguards are to be undertaken to ensure that there is no unauthorised collection or processing of personal data. This is intended to prevent personal data breach; and
  • the person who decides the purpose and means of processing of personal data i.e. Data Fiduciary is accountable for such processing.

Scope and Applicability

The DPDP Act pertains to the processing of digital personal data within India, encompassing situations where the personal data is either (i) collected in a digital form or (ii) collected in a non-digitized form and subsequently converted into digital form. Consequently, the DPDP Act does not apply to the processing of personal data in its non-digitized state. The DPDP Act defines ‘personal data’ broadly to include any data about an individual who is identifiable by or in relation to such data. It also defines ‘digital personal data’ as personal data in digital form.

While the DPDP Act is applicable to Indian entities which engage in the processing of personal data, it also has extra-territorial applicability, applying to foreign entities who offer goods and services to Data Principals (as defined below) located within the territory of India and process personal data in connection to such activities. The DPDP Act does not apply to (i) personal data utilized by an individual for personal or domestic purposes or (ii) personal data deliberately made publicly accessible by either the Data Principal to whom the personal data relates or any other individual or entity mandated by law to disclose personal data to the public.

Last modified 6 January 2025

Specific regulations

Indonesia has adopted an overarching framework for personal data protection through the enactment of Law No. 27 of 2022 concerning Personal Data Protection ("PDP Law") on 17 October 2022. Data controllers, data processors and relevant parties that process personal data were given a two (2) year transition period following the enactment of the PDP Law, i.e. until 17 October 2024, to conform with the PDP Law. As the transition period ended on 17 October 2024, all such parties are now required to fully comply with all the provisions of the PDP Law and any non-compliance may be enforced.

The PDP Law is closely aligned with international data privacy standards, and is largely modelled on the European Union’s General Data Protection Regulation ("GDPR").

Before the enactment of the PDP Law, there was no comprehensive law on privacy / personal data protection in Indonesia. Instead, reliance was placed on separate provisions embedded in and / or spread across a number of sector specific (e.g. financial sector), matter specific (e.g. e-commerce), and / or nature specific (e.g. personal data processed in / through electronic systems) regulations, which regulated the general aspects of the protection of privacy / personal data. Examples include Law No. 11 of 2008 regarding Electronic Information and Transactions ("EIT Law") as amended by Law No. 19 of 2016 regarding the Amendment of EIT Law and Law No. 1 of 2024 regarding the Second Amendment of EIT Law, Government Regulation No. 71 of 2019 regarding the Operation of Electronic Systems and Transactions ("Reg. 71") and its implementing regulations such as the Minister of Communications and Informatics Regulation No. 5 of 2020 regarding the Private Sector Electronic System Operator, as lastly amended by Minister of Communications and Informatics Regulation No. 10 of 2021 ("MOCI Reg. 5/2020"), and Minister of Communication & Informatics Regulation No. 20 of 2016 regarding the Protection of Personal Data in an Electronic System ("MOCI Reg. 20/2016"). These existing rules on privacy / personal data protection in the framework of processing personal data through electronic systems will be referred to as “General Data Protection Regulations”.

Other than provisions relating to data protection under General Data Protection Regulations, examples of sector specific regulations which also include provisions relating to data protection include the following:

Telecommunications sector

Article 40 of Law No. 36 of 1999 regarding Telecommunications ("Telecommunications Law") as partially amended by Law No. 11 of 2020 on Job Creation which was later revoked and replaced by Law No. 6 of 2023 on the Enactment into Law of Government Regulation in Lieu of Law No. 2 of 2022 on Job Creation (generally referred to as the "Omnibus Law")  provides that any person is prohibited from any kind of tapping of information transmitted through any kind of telecommunications network. Article 42 paragraph (1) of the Telecommunications Law stipulates that any telecommunications services operator has to keep confidential any information transmitted or received by a telecommunications service subscriber through telecommunications networks or telecommunications services provided by the relevant operator.1

Public information sector

Article 6 paragraph (3) point c of Law No. 14 of 2008 regarding Disclosure of Public Information ("Public Information Law")2 provides that information relating to personal rights may not be disclosed by public bodies. Furthermore, Article 17 point (h) of the Public Information Law, together with other laws, prohibits the disclosure of private information of any person, particularly that which concerns family history; medical and psychological history; financial information (including assets, earnings and bank records), evaluation records concerning a person's capability / recommendation / intellectual, and / or formal and informal education records.

Banking and capital market sectors

Data privacy in the banking sector is regulated under Law No. 7 of 1992 as amended by Law No. 10 of 1998 on Banking ("Banking Law") and as partially amended by the Omnibus Law and Law No. 4 of 2023 on the Development and Strengthening of the Financial Sector, including the implementing regulations. As regards the capital market sector, it is generally regulated under Law No. 8 of 1995 on Capital Market ("Capital Market Law”) which was partially revoked by Government Regulation In Lieu of Law No. 1 of 2017 on Access to Financial Information for Tax Purposes and amended by Law No. 4 of 2023 on the Development and Strengthening of the Financial Sector, including the implementing regulations3. The regulations mentioned above apply to both individuals and corporate data4.

Principally, commercial banks' customer data transfer (by way of establishing a data center or a data processing outside Indonesia territory) necessitates prior approval being obtained from the Indonesian Financial Services Authority ("FSA")5.

Generally, those separate sector specific legislations will principally still be valid so long as they do not contradict the PDP Law. It is anticipated that further implementing regulations will be drawn up and issued (which may or may not revoke existing legislation on the protection of privacy / personal data), and a separate institution / agency will be formed to specifically handle and undertake the organization of the protection of privacy / personal data in accordance with the PDP Law ("PDP Agency"), which is targeted to be formed and operating by 2026 based on the latest news.

In the meantime, the first draft of Government Regulation on the Implementation of the PDP Law ("Draft Implementing Regulation to PDP Law") was circulated for public comments from August 31st, 2023 until September 25th, 2023 and has been discussed with relevant stakeholders during 2024. The said Draft Implementing Regulation to PDP Law is currently in the "harmonization stage", after which it would proceed to the finalisation stage before finally being enacted. The status can be monitored through a dedicated website that is accessible at pdp.id.

Footnotes

1. Please note that the Omnibus Law only partially amended the Telecommunications Law, thus Articles 40 and 42 of the Telecommunications Law are still valid and fully enforced.

2. Please note that Law No. 14 of 2008 regarding Disclosure of Public Information has been partially amended with Constitutional Court Judgement Number 77 / PUU-XIV / 2016, however Articles 6 and 17 of Law No. 14 of 2008 regarding Disclosure of Public Information have not been amended.

3. Please note that Law No.4 of 2023 regarding The Development and Strengthening of The Financial Sector has been partially amended by the judgments of the Constitutional Court Number 59/PUU-XXI/2023 and Number 85/PUU-XXII/2024. However, these amendments do not relate to provisions on data protection.

4. Please note that the Omnibus Law does not amend the Articles that govern data protection in the Banking Law.

5. Please note that Article 35 paragraph (3) of the Financial Services Authority Regulation No. 11/POJK.03/2022 on the Organization of Information Technology by Commercial Banks necessitates commercial banks to obtain prior approval from the FSA in the event such commercial banks intend to establish a data center or a data processing outside Indonesia territory.

Last modified 20 January 2025

Iran has not enacted comprehensive data protection legislation. However, several laws and regulations incorporate data protection provisions. 

These include: 

  • Sharia law principles
  • The Constitution of the Islamic Republic of Iran
  • Draft of the Bill on Protection of Data and Privacy in the Cyber Space 2018
  • Charter of Citizen’s Rights 2016
  • Cyber Crime Act 2011
  • The Law Concerning Protection of Consumers Rights 2010
  • The Law on Publishing and Access to Data 2010
  • Stock Market Law 2006
  • Electronic Commerce Law (ECL 2004)
  • The Law on Facilitation of Competition and Prevention of Monopoly 2004
  • The Law on respect for Legitimate Rights and Citizen Rights 2004
  • The Law on Establishment of the Ministry of Justice Official Experts 2003
  • Press Law 2001
  • Criminal Code 1997
  • Bylaw Concerning Official Translators 1996
  • Criminal Procedures Code 1994
  • Direct Taxation Act as amended 1988
  • The Law on Statistic Centre of Iran 1976
  • Civil Liability Code 1960
  • The Law on Establishment of Notary Public Offices 1937
  • Iranian Bar Association Law 1936

Last modified 23 May 2019

Ireland regulation

The Irish Data Protection Act 2018 (“DP Act”) came into force on 25 May 2018 in order to give further effect to the GDPR in Ireland. The DP Act includes certain derogations, provides for the establishment of a new Data Protection Commission, implements the Law Enforcement Directive and otherwise addresses procedural aspects of the enforcement of data protection in Ireland.

The previous data protection legislation in Ireland, the Data Protection Acts 1988 to 2003, was largely repealed by the DP Act; however, those Acts continue to apply in relation to certain limited purposes including national security and defence. Additionally, the previous legislation continues to apply in relation to complaints or infringements which occurred prior to 25 May 2018 as well as to investigations commenced (but not completed) prior to that date.

Last modified 17 January 2025

The laws that govern the right to privacy in Israel are the Basic Law: Human Dignity and Liberty, 5752 -1992; the Protection of Privacy Law, 5741-1981 and the regulations promulgated thereunder (the 'PPL') and the guidelines of the Israel Privacy Authority (as defined below). On August 5, 2024, the Israel Knesset approved PPL (Amendment No. 13), 5774-2024 ("Amendment 13") which shall come into effect on August 14, 2025.

Last modified 25 December 2024

Italy regulation

The Italian data protection law framework has been harmonized with the GDPR by means of the Legislative Decree 101/2018, that entered into force on 19 September 2018, and amended a number of provisions of the Legislative Decree 196/2003 (the "Privacy Code"), as well as introduced some transitional provisions regulating the migration to the new regime.

Last modified 16 January 2025

The Act on the Protection of Personal Information ("APPI") regulates privacy protection issues in Japan, and the Personal Information Protection Commission ("PPC"), a central agency, acts as the supervisory governmental organization on issues of privacy protection.

The APPI was originally enacted in 2003 but was amended, and the amendments came into force on 30 May 2017. On 5 June 2020, the Japanese Diet approved a bill to further amend the APPI ("Amended APPI"). The Amended APPI came into force on April 1, 2022. There was also a separate data protection law for the public sector. However, the data protection law for the public sector was integrated into the APPI and became effective on April 1, 2022 (the data protection law for local governments became effective after April 1, 2023).

Currently, discussions are underway regarding amendments to the APPI from 2025 onward. Key topics include the introduction of an administrative monetary penalty system in addition to the current fines, as well as the establishment of systems for injunction claims and remedies for damages initiated by organizations like qualified consumer organizations. However, the specific timing for the enactment and implementation of the APPI amended provisions remains unclear at this time.

Last modified 20 January 2025

The Data Protection (Jersey) Law, 2018 (DPJL) and the Data Protection Authority (Jersey) Law, 2018 (DPAJL) came into force on May 25, 2018. These laws superseded the Data Protection (Jersey) Law 2005, which had been held to be adequate by the European Commission for the purposes of the European Data Protection Directive (Directive 95/46/EC) (see Commission Decision 2008/393/EC). This decision continued to apply pending a review of Jersey's adequacy (to be conducted under Article 45 of the European General Data Protection Regulation (GDPR)) which has now taken place. The European Commission's report (COM/2024/7 final) concluded that Jersey continues to provide an adequate level of protection for personal data. 

The DPJL and DPAJL provide a broadly equivalent regime to that under the GDPR.

The UK has also recognised Jersey as providing an adequate level of protection for personal data for the purposes of transfers under the UK GDPR (see The Data Protection (Law Enforcement) (Adequacy) (Bailiwick of Jersey) Regulations 2023 (SI 2023/1221)).

Last modified 16 January 2025

Personal data protection is regulated in Jordan under the Law of Personal Data Protection No. (24) of the Year 2023 (the “Law”). Jordan took serious steps to enact this legislation aimed at the protection of personal data. The Data Protection Law was published in the Official Gazette no. 5881 page 4338 on 17 September 2023.

Details on the law

Within this Law, numerous restrictions are placed on the processing of personal data, the most important and notable one being the requirement for prior consent being “explicit and documented in writing or electronically, it should also be specific in terms of duration and purpose.” The Law also stipulates that citizens should be informed in advance of their data’s date and reasons for collection. It also criminalizes the processing of data for reasons other than the purpose intended. 

As for now, all communications that may contain personal information are protected and private under Article 18 of the Jordanian Constitution, which states that “All postal and telegraphic correspondence, telephonic communications, and other communications means shall be regarded as secret and shall not be subject to censorship, viewing, suspension or confiscation except by a judicial order in accordance with the provisions of the law”. Additionally, Article (7) states that personal freedom shall be protected, and that any infringement of the rights and public freedoms or sanctity of private life of Jordanians is a crime punishable by law.  

Personal information protection in the public sector is regulated in Jordan under a specific law. Article 18 of the Jordanian Constitution in addition to the Data Protection law are applicable to both private and public sector. 

The right of privacy is protected under the Jordanian Constitution and the Law of Personal Data Protection. In accordance with the Data Protection Law, a public authority may process personal data without prior consent or notifying the person if the processing is carried out directly by a competent public authority to the extent required to carry out the tasks entrusted to it by law, or through other contracted parties, provided that the contract adheres to the provisions of the Data Protection Law (i.e. where a governmental entity assigns its duties to another party to provide it services by signing a contract, that contract must adhere to the provisions of the Data Protection Law). This includes observance of all obligations and conditions stipulated in this law and the regulations and instructions issued pursuant thereto.

Article (6) of the same provides for exceptions to the requirement of prior consent, as follows:  

  1. Processing carried out directly by a competent Public entity to the extent required to carry out the tasks entrusted to it in accordance with the provisions of the legislation in force or through other contracting parties provided that the contract includes compliance with all obligations and conditions stipulated in this Law and the regulations and instructions issued pursuant thereto.
  2. If necessary for preventive medical purposes, medical diagnosis or the provision of health care by a licensee licensed to practice any of the medical professions.
  3. If necessary to protect the life of the concerned person or his vital interests.
  4. If necessary for the prevention of a crime or for its detection by a competent authority for the prosecution of crimes committed in violation of the provisions of the Law.
  5. If required or authorized by virtue of any legislation or in implementation thereof or by virtue of a decision of the competent court.
  6. If required for the purposes of the entities subject to the control and supervision of the Central Bank of Jordan to carry out their activities as determined by the Central Bank of Jordan including the transfer and exchange of data inside or outside the Kingdom.
  7. The treatment carried out in accordance with the provisions of the Regulations issued pursuant to the provisions of this Law.
  8. If necessary for the purposes of scientific or historical research if they are not intended to take any decision or action with respect to a specific person.  
  9. If necessary for statistical purposes or national security requirements or achieve the public interest.
  10. If the subject of the processing is publicly available data from the Person concerned.

Article (15) of the law, relating to the cross-border transfer of personal data outside of the Hashemite Kingdom of Jordan, states that:  

  1. Regional or international judicial cooperation under international conventions or treaties in force in the Kingdom.
  2. Regional or international cooperation between the Kingdom and international or regional bodies, organizations or agencies working in the field of combating crime of all kinds or prosecuting the perpetrators.
  3. Exchange of personal medical data of the person concerned with processing when necessary for processing and exchange of data related to epidemics or health disasters or what affects public health in the Kingdom.
  4. Exchange of data related to epidemics or health disasters or what affects public health in the Kingdom.
  5. Transfer may occur if the concerned individual provides explicit consent after being informed that an adequate level of protection is unavailable.
  6. Transactions involving banking operations and money transfers outside the Kingdom.

Before initiating the Data transfer, the Official is obligated to verify the level of protection guaranteed by the Recipient outside the Kingdom, ensuring the safety and security of the Data.

Article (7) of the Law goes on to specify the special conditions for the processing (which includes transferring or sharing) of personal data. It is prohibited to process personal data without consent (the standard of consent is set out above).

It is impermissible to conduct processing of personal data for anyone who is incapacitated without the prior written or electronic consent of one of his parents; in the absence of a parent for any reason, the consent of the legally appointed guardian responsible for his affairs is taken instead.

As for the processing of sensitive personal data, the following conditions apply: as per Article (6) of the Law, it is prohibited to process sensitive personal data without the prior approval of the concerned person, except in the following cases:

  1. Processing carried out directly by a competent Public entity to the extent required to carry out the tasks entrusted to it in accordance with the provisions of the legislation in force or through other contracting parties provided that the contract includes compliance with all obligations and conditions stipulated in this Law and the regulations and instructions issued pursuant thereto.
  2. If necessary for preventive medical purposes, medical diagnosis or the provision of health care by a licensee licensed to practice any of the medical professions.
  3. If necessary to protect the life of the concerned person or his vital interests.
  4. If necessary for the prevention of a crime or for its detection by a competent authority for the prosecution of crimes committed in violation of the provisions of the Law.
  5. If required or authorized by virtue of any legislation or in implementation thereof or by virtue of a decision of the competent court.
  6. If required for the purposes of the entities subject to the control and supervision of the Central Bank of Jordan to carry out their activities as determined by the Central Bank of Jordan including the transfer and exchange of data inside or outside the Kingdom.
  7. The treatment carried out in accordance with the provisions of the Regulations issued pursuant to the provisions of this Law.
  8. If necessary for the purposes of scientific or historical research if they are not intended to take any decision or action with respect to a specific person. 
  9. If necessary for statistical purposes or national security requirements or achieve the public interest.
  10. If the subject of the processing is publicly available data from the Person concerned.

The protection officer, the personal data processor and the recipient of personal data are required to ensure the integrity and security of personal data and to track cases of abuse of personal data security. Personal data must be handled and processed in a way that ensures its confidentiality, security and protection against unauthorised modification.

Last modified 11 January 2024

The main legal act regulating personal data in Kazakhstan is the law of the Republic of Kazakhstan No. 94-V dated May 21, 2013 'On Personal Data and Its Protection' (the 'Law').

There are also a number of other laws providing for personal data protection requirements, including:

  • The Law on Informatisation;
  • The Law on Communication;
  • The Labour Code of Kazakhstan;
  • The Law on Online Platforms and Online Advertising.

Last modified 4 February 2025

The Data Protection Act, 2019 (the “Act”) came into force on 25 November 2019 and is now the primary statute on data protection in Kenya. It gives effect to Article 31(c) and (d) of the Constitution of Kenya, 2010 (the right to privacy).

In October 2020, by virtue of the powers conferred to him under the Act, the Cabinet Secretary for Information, Communication, Technology, Innovation and Youth Affairs gazetted the Data Protection (Civil Registration) Regulations, 2020 (the “Regulations”). The Regulations apply to civil registries involved in processing personal data for registrations such as births, deaths, adoptions, persons, passports and marriages.

Since the Data Protection Commissioner’s (DPC) appointment on 16 November 2020, significant efforts have been made in developing regulations for the implementation of the Act. These include:

  • Data Protection (Complaints Handling Procedure & Enforcement) Regulations, 2021 (the “Complaints Handling Regulations”) – sets out the complaints handling procedures and enforcement mechanisms in the event of non-compliance with the provisions of the Act;
  • Data Protection (Registration of Data Controllers & Data Processors) Regulations, 2021 (the “Registration Regulations”) – provides for the registration of data controllers and data processors with the Office of the Data Protection Commissioner (ODPC). The threshold for mandatory registration is also set out under these regulations; and
  • Data Protection (General) Regulations, 2021 (the “General Regulations”) – elaborates in more detail the rights of data subjects, restrictions on commercial use of personal data, duties and obligations of data controllers and data processors, elements of implementing data protection by design or by default, notification of personal data breaches, transfer of personal data outside Kenya, conduct of data protection impact assessments and other general provisions.

The above regulations were gazetted in January and came into effect on 14 February 2022 with the exception of the Registration Regulations, 2021 which came into force on 14 July 2022.

The ODPC has also issued a number of guidelines, these include:

  • Guidance Note on Registration of Data Controllers and Data Processors - developed to assist entities in ascertaining if they are data controllers or data processors, and to understand their obligations with respect to mandatory registration;
  • Guidance Note on Processing Personal Data for Electoral Purposes - developed to assist data controllers and data processors dealing with voters’ personal data and members of political parties’ personal data to understand their obligations under the Act;
  • Guidance Note on Data Protection Impact Assessment - to assist data controllers and data processors to understand their obligations under the Act and the need to undertake a Data Protection Impact Assessment;
  • Guidance Note on Consent - developed to assist data controllers and data processors to understand their duties under the Act and their obligations as far as obtaining consent is concerned;
  • Guidance Note for the Communications Sector – applies to communication service providers processing personal data in either the public or private sector and sets out the considerations that must be taken into account when processing subscribers’ personal data, network traffic, location or geographical data and financial data, and in mobile operators’ privacy policies;
  • Guidance Note for the Education Sector – developed to assist educational institutions to understand their obligations under the DPA and remain compliant. The guidance note also covers institutions offering remote e-learning solutions and services;
  • Guidance Note on the Processing of Health Data – developed to provide healthcare institutions with a clear understanding of their obligations under the DPA; it applies to all healthcare institutions operating in Kenya, including hospitals and clinics, laboratories, pharmaceutical services, health insurance providers, health research and training institutions, and professional health bodies. The guidance note also extends to digital health platforms such as Health Management Information Systems (HMIS), eHealth and mHealth applications; and
  • Guidance Note for Digital Credit Providers – sets out the compliance requirements that digital credit providers (DCPs) must implement while processing personal data in line with the administration of digital credit and in compliance with the DPA.

The ODPC has also published a Complaints Management Manual which sets out the complaints management handling procedure by the ODPC; and the Alternative Disputes Resolution Framework which provides guidance to stakeholders who wish to engage in Alternative Dispute Resolution (ADR) to resolve their disputes arising under the Act.

The ODPC is also in the process of developing the following regulations, which are currently undergoing public participation:

  • Data Protection (Conduct of Compliance Audit) Regulations, 2024 – sets out the procedure for the conduct of audits by the ODPC as well as the procedure for entities that want to be accredited by the ODPC to carry out data protection audits; and
  • Data Sharing Code – outlines the requirements that data controllers and processors are required to observe prior to sharing personal data, as well as the measures to put in place to ensure the protection of the data subject.

Last modified 6 February 2025

The Law on Protection of Personal Data No. 06/L-082 (“LPPD”) is the Kosovan law which entered into force and became applicable on 13 February 2019. The LPPD transposes Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”).

Scope of application 

The LPPD has a wide scope of application. Namely, the LPPD applies to (Article 2):

  • processing activities by private as well as public bodies;
  • processing of personal data in diplomatic and consular offices, including any representative office of Kosovo abroad. 

The LPPD has extraterritorial scope in that it applies to data controllers not established in Kosovo, which for the purposes of processing personal data make use of automatic or other equipment in Kosovo; nevertheless, the LPPD will not apply if such equipment is used only for transit purposes through the territory of Kosovo (Article 2(2)).

In addition to the LPPD, in 2023 Kosovo adopted Regulation No. 02/2023 on Processing of Personal Data Obtained from Drone Use (“Regulation 02/2023”), which aims to define and establish specific responsibilities and measures relating to the processing of personal data by the drone owner or operator.

Last modified 4 February 2025

To date, Kuwait does not have a dedicated personal data protection law applying to all juristic or natural persons. However, legislation such as Kuwait Law No. 20 of 2014 on Electronic Transactions (the “E-Commerce Law”) includes provisions related to data privacy and the data protection of private and public electronic records, documents and information relating to civil, commercial or administrative transactions conducted in whole or in part through electronic means, and applies to private companies, government authorities, public institutions and non-governmental organizations, and their employees. Furthermore, Kuwait Law No. 63 of 2015 on Combating Cyber Crimes (the “Cybercrime Law”) imposes heavy penalties for illegal tampering with, or acquisition of, personal or governmental data or information.

Additionally, Kuwait Administrative Decision No. 26 of 2024 Concerning the Issuance of the Data Privacy Protection Regulation (“Data Protection Regulation”) by the Communications and Telecommunications Regulatory Authority (“CITRA”), imposes obligations in relation to data protection on Telecommunication Services Providers and related industry sectors who collect, process, or store personal data, in whole or in part. The Data Protection Regulation applies exclusively to individuals and entities operating as service providers within the telecommunications sector and holding licenses issued by CITRA, and describes the conditions for collecting and possessing personal data and the obligation of a service provider during the provision of the service or after the end thereof, in relation to the collection and processing of such data. The Data Protection Regulation provides a wider ambit of the definition of “service provider” which ranges from traditional telecommunications service providers to anyone who operates a website, smart application or cloud computing service, collects or processes personal data or directs another party to do so on its behalf through information centers owned or used by them directly or indirectly. Furthermore, the Data Protection Regulation indicates that users have a right to withdraw their consent and, consequently, the service provider must delete / destroy the information provided by the user. However, the provisions of the Data Protection Regulation do not apply to natural persons who collect and process personal and family data; or security authorities for the purposes of controlling crimes and the prevention of threats related to public security.

Last modified 4 February 2025

The Constitution of the Kyrgyz Republic prohibits the collection, storage, use and dissemination of confidential information and of information about a person's private life without the consent of the person to whom that information relates.

More detailed regulation of personal data may be found in the Law of the Kyrgyz Republic on Personal Data No. 58 dated 14 April 2008 (the 'Law on Personal Data'), which entered into force on 18 April 2008. The most recent amendments were made to the Law on Personal Data on 29 November 2021. These amendments provide that the rules for processing personal data for the purpose of protecting the rights of participants in criminal proceedings are determined by the Cabinet of Ministers of the Kyrgyz Republic.

The Law on Personal Data is directed at the legal regulation of work with personal data on the basis of generally accepted international norms and principles, in accordance with the Constitution and laws of the Kyrgyz Republic, and is necessary first of all to ensure individuals' rights and freedoms in relation to the gathering, processing and use of personal data.

The Law on Personal Data regulates relations arising from work with personal data, irrespective of the information processing means used, except for work with personal data that involves its further transfer to third persons.

Additional requirements to collection, use and transfer of personal data can be found in the following normative-legal acts:

  • Procedure for Obtaining Consent of a Personal Data Subject to the Collection and Processing of their Personal Data, and the Procedure and Form of Notification of a Personal Data Subject of the Transfer of their Personal Data to a Third Party, approved by Regulation of the Government of the Kyrgyz Republic dated 21 November 2017 No. 759;
  • Requirements for Ensuring the Security and Protection of Personal Data During their Processing in Personal Data Information Systems, the Implementation of Which Ensures the Established Levels of Protection of Personal Data, approved by Regulation of the Government of the Kyrgyz Republic dated 21 November 2017 No. 760; and
  • Procedure for Registration of Holders (Owners) of Arrays of Personal Data, Arrays of Personal Data and Lists of Personal Data in the Register of Holders (Owners) of Arrays of Personal Data, approved by Regulation of the Cabinet of Ministers of the Kyrgyz Republic dated 18 November 2022 No. 638.

According to Article 30 of the Law on Personal Data, arrays of personal data and the holders (owners) of these arrays are subject to mandatory registration with the State Agency for Personal Data Protection under the Cabinet of Ministers of the Kyrgyz Republic.

However, the Law does not specify whether only local entities may be considered holders of a personal data array or whether this concept includes foreign entities as well. It should be noted that the current registration procedure allows registration only for local entities, as the electronic registration system requires the submission of local registration data.

Given that there is no practical possibility of being registered as a holder of a personal data array, we believe that this requirement does not apply to foreign legal entities.

The most recent amendments were made to the Law on Personal Data on 12 July 2022. These amendments restate parts 5 and 6 of Article 6 as follows:

  • At the request of the subject of personal data, the mode of public access to information (bibliographic directories, telephone and address books, private announcements, etc.) can be established. Exceptions are cases when information must be public in cases of administration of justice and execution of a judicial act, as well as in cases provided for by the laws of the Kyrgyz Republic in the field of electronic governance, national security, countering terrorism and corruption, operational-search activities and other cases determined by laws of the Kyrgyz Republic.
  • From the moment of state registration of the death of the subject of personal data, the person is assigned the status of "deceased". The personal data of the deceased subject are subject to archiving and storage.1

Footnotes

1. Law of the Kyrgyz Republic on Amendments to the Law of the Kyrgyz Republic on Personal Data dated July 12, 2022 No. 61

Last modified 4 February 2025

In Laos, the comprehensive regulatory framework on data privacy focuses on data in its digital form – electronic data – and none other.

From 2012, Laos has introduced this framework by circulating relevant information only. This trend has accelerated since 2015 with the publication of the Law on Cyber Crime. Issues pertaining specifically to the protection of electronic data are regulated by the Law on Electronic Data Protection and the subsequent Instructions on the Implementation of the Law on Electronic Data Protection, as follows:

  • Law on Electronic Transactions (2022);
  • Law on Cyber Crime (2015);
  • Decision on the Penalties of the Law on Cyber Crime (2017);
  • Law on Electronic Data Protection (2017);
  • Penal Code (2017);
  • Instructions on the Implementation of the Law on Cyber Crime (2018);
  • Instructions on the Implementation of the Law on Electronic Data Protection (2018).

In addition, for both professionals and non-professionals, the authorities have provided a series of best-practice guidelines on the use of software and hardware, on social media platforms, and on the better protection of electronic data.

The two main pieces of regulation relating to data privacy are the Law on Electronic Data Protection and the Instructions on the Implementation of the Law on Electronic Data Protection.

Last modified 8 January 2025

EU regulation

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A Regulation (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An 'establishment' may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within the EU.

Latvia regulation

The Personal Data Processing Law was approved by the parliament and came into force on July 5, 2018. This law provides the legal prerequisites for the implementation of the GDPR in Latvia and replaced the previous Personal Data Protection Law.

Last modified 4 February 2025

Law No. 81/2018 relating to Electronic Transactions and Personal Data (the “Law”).

Last modified 21 December 2022

The right to privacy is recognized and protected under the Constitution of the Kingdom of Lesotho.

Lesotho has established a Data Protection Act, 2013 (the DP Act). The DP Act provides principles for the regulation of the processing of any personal information in order to protect and reconcile the fundamental and competing values of personal information privacy.

Last modified 20 December 2021

Data Privacy Protection Laws.

Last modified 23 February 2024

Currently, there is no specific data protection law in Libya. However, in recent years Libya has witnessed a significant transformation in its legal framework with the introduction of pivotal legislation addressing data protection, cybercrime and electronic transactions.

Law No. 5/2022 regarding Combating Cybercrime and Law No. 6/2022 concerning Electronic Transactions not only mark a significant step in adapting to the evolving digital landscape but also strengthen the overall data protection framework within the country. Articles 12 and 13 of the Constitution 2011 guarantee, respectively, the right to a private life for citizens and the confidentiality of correspondence, telephone conversations and other forms of communication, except where required by a judicial warrant.

Nonetheless, there is no detailed privacy regime in Libya that protects individuals when their data is processed. With regard to privacy protection, there are some provisions in the Libyan Penal Code (1953) that provide general protection for private correspondence and homes from interference by others. These articles provide that public servants who commit an offence against private correspondence face imprisonment of no less than six months.

Also, there are some articles in Act No. 4 (1990) on the National System for Information and Documentation, which governs the government’s collection of personal data for conducting research for social and economic purposes. This Act contains provisions which require government entities to take certain steps to protect the collected data, such as prohibiting the government from forcing individuals to give their data in order to conduct its research. However, these articles do not protect personal data when individuals process their data.

Also, the Central Bank of Libya has issued general criteria for protecting personal data, which are available online. However, these apply only to Libyan banks.

Last modified 18 January 2024

Lithuania regulation

The implementation of the GDPR has been achieved in the Republic of Lithuania. The Law on Legal Protection of Personal Data (hereinafter ‘Data Protection Law’) has been in force since July 16, 2018.

The Data Protection Law replaced the previous Law on Legal Protection of Personal Data which implemented the EU Data Protection Directive (Directive 95/46/EC).

Last modified 3 February 2025

Luxembourg regulation

In addition to the GDPR, the legal regime of data protection in Luxembourg is completed by the following laws:

  • The Law of August 1, 2018 on the organization of the National Data Protection Commission (CNPD) and the general data protection framework. It has repealed the previous Law on Data Protection (amended Law of August 2, 2002) and completes the GDPR at the national level. Most of all it gives the framework for the CNPD's organization, composition and powers under the GDPR and the applicable national law;
  • The Law of August 1, 2018 on the protection of individuals with regard to the processing of personal data in criminal matters as well as in matters of national security, implementing Directive (EU) 2016/680; and
  • The amended Law of May 30, 2005 on data protection and electronic communications governs the protection of personal data in the field of telecommunications and electronic communications, implementing the Directive 2002/58/EC.

It is also to be noted that Article L. 261-1(1) of the Labour Code provides specific regulations concerning employer workplace surveillance.

Along with several CNPD recommendations, the Law of July 17, 2020 introducing a series of measures to combat the Covid-19 pandemic, as amended, provides a legal framework for the processing of personal data in the context of the COVID-19 crisis.

Furthermore, two draft bills are currently being discussed in Luxembourg's data protection landscape:

  • Draft bill 8148 on the retention of personal data and amending the amended Law of May 30, 2005 on data protection and electronic communications; and
  • Draft bill 8395 on the use of data in a trusted environment.

Last modified 4 February 2025

Macau Personal Data Protection Law no. 8/2005 of August 22nd (Law).

Last modified 19 December 2023

Law No. 2014-038 relating to protection of personal data is the main regulatory framework in Madagascar (the “Data Protection Law”).

After discussion at the National Assembly of Madagascar, the Data Protection Law was adopted on 16 December 2014. The Law was promulgated by the President of Republic of Madagascar on 9 January 2015 and published in the Official Gazette of the Republic of Madagascar on 09 June 2015.

The Data Protection Law has been in force for nine (09) years, but its application is not yet effective, as no implementing decree has been published.

Law No. 2024-004 ratifying the African Union Convention on Cyber Security and Personal Data Protection (the “Malabo Convention”) was adopted by the Senate and the National Assembly on 21 June 2024. The law was also subject to a constitutionality review in accordance with High Constitutional Court Decision No. 01-HCC/D1 dated 10 July 2024, which confirmed the constitutionality of the ratification law and of the Malabo Convention itself. Publication in the Official Gazette of the Republic of Madagascar is still pending.

Generally, the provisions of the Data Protection Law are in line with the provisions of the Malabo Convention on Data Protection. In addition, no amendments to the Data Protection law are currently planned.

Last modified 4 February 2025

Malaysia's first comprehensive personal data protection legislation, the Personal Data Protection Act 2010 (PDPA), was passed by the Malaysian Parliament on June 2, 2010 and came into force on November 15, 2013.

As part of an ongoing review of the PDPA, the Personal Data Protection Commissioner of the Ministry of Communications and Multimedia Malaysia has issued Public Consultation Paper No. 01/2020 – Review of Personal Data Protection Act 2010 (PC01/2020) dated February 14, 2020 to seek the views and comments of the public on 22 issues set out in PC01/2020, some of which are set out below.

The Personal Data Protection Department (PDP Department) has indicated that, out of the 22 issues, 5 issues have been shortlisted as the key proposed amendments to the PDPA. The amendments to the PDPA, namely the Personal Data Protection (Amendment) Act 2024 (“Amending Act”), were first tabled as a bill in the Malaysian Parliament in July 2024 and subsequently passed by both the Dewan Rakyat (House of Representatives) and the Dewan Negara (Senate) of the Malaysian Parliament on July 16 and 31, 2024 respectively. Such bill has received the Royal Assent and was gazetted as law on October 17, 2024.

On December 19, 2024, the Minister of Digital appointed three dates on which the provisions of the Amending Act would come into force. While the provisions which do not introduce any new obligations on data users / data controllers (i.e. Sections 7, 11, 13 and 14 of the Amending Act) came into force on January 01, 2025, the provisions introducing new requirements such as the appointment of a data protection officer, data breach notification and the right of data portability (i.e. Sections 6 and 9 of the Amending Act) will come into force on June 01, 2025. The remaining amendments under the Amending Act will come into force on April 01, 2025.

Additionally, the Digital Minister, Gobind Singh Deo, announced that seven (7) guidelines are planned to be issued and / or developed under the PDPA, which are:

  1. Notification of Data Breach Guidelines;
  2. Data Protection Officers Guidelines;
  3. Data Portability Guidelines;
  4. Cross Border Data Transfer Guidelines;
  5. Data Protection Impact Assessment Guidelines;
  6. Privacy by Design Guidelines; and
  7. Automated Decision-Making Guidelines. 

To date, the PDP Department has issued five (5) Public Consultation Papers to gather public opinion and feedback: four (4) pertain to the guidelines listed as items 1 to 4 above, while one addresses the revision of the Personal Data Protection Standard 2015 (the “Standards”), which was published and came into force on December 23, 2015. Notably, the Commissioner of the PDP Department has announced that these four guidelines and the revised Standards are expected to be released by early 2025, with the remaining three guidelines anticipated to be released in the third quarter of 2025.

Last modified 20 January 2025

Malta regulation

The relevant law is the Data Protection Act 2018 (Act) (Chapter 586 of the Laws of Malta) and the Regulations (at present 9 in number) issued under it. The Act repealed and replaced the previous Data Protection Act (Chapter 440 of the Laws of Malta).

In 2020, Subsidiary Legislation 586.10 (‘Processing Of Data Concerning Health for Insurance Purposes Regulations’) was significantly amended. Pursuant to Article 9 of the GDPR, it was made explicit that processing of data concerning health shall be deemed to be in the substantial public interest when such processing is necessary for the purpose of the business of insurance or insurance distribution activities. However, this is made subject to suitable and specific measures designed to safeguard the fundamental rights and freedoms of data subjects.

The main legislative amendments that came into effect in 2021 were those to Subsidiary Legislation 586.07 (Processing of Personal Data (Education Sector) Regulations). The main purpose of these amendments was to bring the terminology used in these regulations in line with the wording of the GDPR rather than the previous local law. The full text, in English, is available here.

In 2021, certain procedural amendments were also made to the Act. The amending act (having the aim of providing for the amendment of various laws for the purpose of reforming the procedure for the making of various appointments) can be read here.

In 2023, a new Subsidiary Legislation was introduced: the Enforcement of the Rights of Data Subjects in Relation to Transfers of Personal Data to a Third Country or an International Organisation Regulations (S.L. 586.12). The scope and purpose of this law is to establish rights in Maltese law for third party beneficiaries with respect to transfers of personal data to a third country or an international organisation. This law provides a clear mechanism in Malta for data subjects to enforce their rights (including those granted under GDPR) when their personal data is transferred to a third country, even though they would not be parties to the instrument (either the Standard Contractual Clauses or any other appropriate safeguard), by virtue of which the third country transfer is being made. As a general principle of Maltese law, a contract is not normally deemed to have the power to confer rights to third parties, rendering S.L. 586.12 an exception to the rule, albeit, a necessary one. The full text of the law can be read here.


Last modified 18 January 2024

Mauritius regulates data protection under the Data Protection Act 2017 (DPA 2017 or Act), proclaimed through Proclamation No. 3 of 2018 and effective on January 15, 2018. The Act repeals and replaces the Data Protection Act 2004, so as to align with the European Union General Data Protection Regulation 2016/679 (GDPR).

Last modified 6 January 2025

The Federal Law on the Protection of Personal Data held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) ("the Law") entered into force on July 6, 2010.

Subsequently, the Executive Branch has also issued the following (collectively, with the Law, referred to herein as "Mexican Privacy Laws"):

  • The Regulations to the Federal Law on the Protection of Personal Data held by Private Parties (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares) (the Regulations), which entered into force on December 22, 2011
  • The Privacy Notice Guidelines (the Guidelines), which entered into force on April 18, 2013
  • The Recommendations on Personal Data Security, on November 30, 2013
  • The Parameters for Self-Regulation regarding personal data, which entered into force on May 30, 2014
  • The General Law for the Protection of Personal Data in Possession of Obligated Subjects (Ley General de Protección de Datos Personales en Posesión de Sujetos Obligados), which entered into force on January 27, 2017

On June 12, 2018, a decree was published in the Official Gazette of the Federation approving two important documents:

  • Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data dated January 28, 1981, and its
  • Additional Protocol regarding supervisory authorities and trans-border data flows dated November 8, 2001.

Mexican Privacy Laws apply to all personal data processing under any of the following circumstances:

  • Processing carried out by a data controller established in Mexican territory
  • Processing carried out by a data processor, regardless of its location, if the processing is performed on behalf of a data controller established in Mexico
  • Processing by or on behalf of a data controller not located in Mexico, where Mexican legislation is applicable pursuant to the execution of an agreement or Mexico’s adherence to an international convention or
  • Processing carried out within Mexican territory, on behalf of a data controller not established in Mexican territory, unless such processing is only for transit purposes

The Law only applies to private individuals or legal entities that process personal data, and not to the government, credit reporting companies governed by the Law Regulating Credit Reporting Companies, or persons carrying out the collection and storage of personal data exclusively for personal use where it is not disclosed for commercial use. Further, the Mexican Privacy Laws also do not generally apply to business-to-business data, including:

  • Data of legal entities.
  • Data of individuals acting as merchants or professionals.
  • Data of natural persons acting on behalf of a business (e.g., their employer), where the personal data processed is (a) limited to first and last names, title, position and functions performed, and business contact data, such as mailing or physical address, email address, telephone number and fax number, and (b) the personal data is processed solely for the purpose of representing the business or administering the business relationship (i.e., fulfilling orders, providing services, carrying out transactions between the business entities)

Additionally, the INAI has issued several documents and guidelines for the private sector regarding the processing of personal data, including the following:

  • The Privacy Notice Guidelines (the Guidelines), which entered into force on April 18, 2013
  • The Recommendations on Personal Data Security, on November 30, 2013
  • The Parameters for Self-Regulation regarding personal data, which entered into force on May 30, 2014
  • Recommendations for the Designation of the Data Protection Officer or the Data Protection Department
  • Guideline to Implement Compensatory Measures
  • Guideline for the orientation of the due processing of personal data in the activity of extrajudicial collection
  • Guideline for the Secure Deletion of Personal Data
  • Suggested minimum criteria for contracting cloud computing services that involve the processing of personal data
  • Guideline for the Processing of Biometric Data.

Last modified 28 January 2024

The main national legal acts regulating personal data protection in Moldova are:

  • the Constitution of the Republic of Moldova (Article 28);
  • the Law No. 133 of 08 July 2011 on Personal Data Protection;
  • the Law No. 182 of 10 July 2008 regarding the approval of the National Centre for Personal Data Protection regulation, structure, staff-limit and its financial arrangements;
  • the Government Decision No. 296 of 15 May 2012 on the approval of the Regulation regarding the Register of evidence of the personal data controllers;
  • the Governmental Decision No. 1123 of 14 December 2010 on the approval of the requirements for the assurance of personal data security and their processing within the information systems of personal data.

The Law on Personal Data Protection is the core legal act establishing the legal framework of personal data protection in Moldova. It was adopted to harmonize the national regulations with the provisions of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

In addition to Law No 133 of 8 July 2011 on Personal Data Protection, a new data protection law has been enacted. Specifically, on 25 July 2024, Law No 195 on Personal Data Protection was adopted and is scheduled to come into effect on 23 August 2026 (the "New Data Protection Law”). This new legislation partially incorporates the provisions of the European General Data Protection Regulation (GDPR) into national law, while introducing certain specific provisions that deviate from the GDPR framework.

Please note that Moldova is not an EU country and European provisions on personal data protection are not directly applicable in Moldova.

Last modified 16 January 2025

Within the Principality of Monaco (Monaco), data protection law has recently been updated by Data Protection Law n° 1.565 of December 3, 2024 (the “DPL”). Article 22 of the Monegasque Constitution still protects the right to privacy and the secrecy of correspondence of every citizen.

Monaco is not part of the EU and did not adopt Data Protection Directive 95/46/EC (hereinafter referred to as the “European Directive”) or its successor, the General Data Protection Regulation (Regulation (EU) 2016/679) of April 27, 2016 (hereinafter referred to as the “GDPR”). However, the recently adopted DPL offers a strong level of protection similar to the GDPR. The aim of the new law was to obtain an adequacy decision from the EU.

Monaco is also a member of the Council of Europe and entered into Council of Europe Convention n° 108 of January 28, 1981 for the protection of individuals with regard to automatic processing of personal data, and into its additional protocol regarding supervisory authorities and cross-border flows of data, both effective from April 1, 2009 (through Sovereign Ordinances 2.118 and 2.119 of March 23, 2009).

It is however important to note that, pursuant to Article 3.2 of the GDPR, and pending this adequacy decision, the GDPR remains applicable to companies established in Monaco that process personal data of persons (or “data subjects”) residing in the EU where such processing is related to:

  1. the supply of goods or services to such persons (irrespective of a payment for such supply); and
  2. the monitoring of their behavior taking place within the Union.

It shall be noted that in such a case, the company established in Monaco may be required to designate in writing a representative in the European Union (article 27 of GDPR) and that both GDPR and Monaco DPL will be applicable to these companies.

Last modified 6 February 2025

On 17 December 2021, the Parliament of Mongolia (the “Parliament”) adopted the Law of Mongolia on Personal Data Protection (the “Data Protection Law”), which came into full force and effect on 1 May 2022. The Data Protection Law applies to matters related to personal privacy and to relations in connection with the collecting, processing, using and security of an individual’s Personal Data (as defined below), as well as the collection, processing and use of an individual’s Personal Data with the help of technology and software. The Data Protection Law regulates the handling of Personal Data and Sensitive Personal Data by Data Controllers (as defined below).

The Data Protection Law defines specific components of Personal Data and persons that are subject to regulations of the Data Protection Law. For instance, “data owner” means any individual (or his / her legal representative) who can be determined by his / her Personal Data defined under the Data Protection Law (“Data Owner”) and “data controller” means a natural or legal person, who collects, processes and uses Personal Data based on the permission of the Data Owner or in accordance with the law (“Data Controller”).

The Data Protection Law mainly divides human data (information) into two categories:

  • Personal Data; and
  • Sensitive Personal Data.

Last modified 16 January 2025

The Law on Protection of Personal Data, Official Journal of Montenegro, nos. 79/2008, 70/2009, 44/2012, 22/2017 and 77/2024 (DP Law), is the governing data protection law. It was first enacted in December 2008 and last amended on 31 July 2024.

The Montenegrin Parliament is expected to adopt a new Data Protection Law to harmonize its data protection law with the EU General Data Protection Regulation (GDPR). However, there is no certainty when exactly, i.e. within which timeframe such adoption (and further implementation) should occur.

Last modified 16 January 2025

Morocco’s law governing privacy and data protection is Law No 09-08, dated February 18, 2009, relating to the protection of individuals with regard to the processing of personal data, and its implementing Decree n° 2-09-165 of May 21, 2009 (together, the DP Law).

Last modified 18 January 2024

In Mozambique there is no specific legislation on data protection or privacy. However, there are other sources of law that impose some privacy obligations, including:

  • The Constitution of the Republic of Mozambique, as approved by the Parliament on 16 November 2004 (“CRM”);
  • The Civil Code (Decree-Law no. 47344, of November 25, 1966, in force in Mozambique through Edict no. 22869, dated September 4, 1967);
  • The Penal Code (Law no. 24/2019, of December 24, as amended by Law no. 17/2020 of 23 December);
  • The new Labour Law (Law no. 13/2023, of 25 August), which enters into force on 22 February 2023;
  • The Credit Institutions and Financial Companies Law (Law n.º 20/2020, of 31 December) (“LCIFC”);
  • The Electronic Transactions Law (Law no. 3/2017, of January 9);
  • The Consumer Law (Law n.º 22/2009, of 28 September);
  • The Consumer Law Regulations (Decree n.º 27/2016, of 18 July);
  • The Publicity Code (Decree No. 38/2016, of 31 August 2016);
  • The Regulation on Licensing of Telecommunication and Scarce Resources (Decree no. 26/2017, of 30 June);
  • The Regulations on Registration and Licensing of Intermediary Electronic Service Providers and Operators of Digital Platforms (Decree no. 59/2023, of 27 October);
  • Resolution no. 5/2019, of 20 June, which ratifies the African Union Convention on Cybersecurity and Personal Data Protection (“AU Convention”); and
  • The Proposal of Cybersecurity Law, available on the National Institute for Technologies and Communication (“INTIC”) website, identified as version 6 of 15 September 2023 (“Cybersecurity Law”).

Last modified 16 January 2025

There is no general data protection law in Myanmar. Relevant provisions on data protection and privacy can be found in various pieces of legislation, including:

  • Financial Institutions Law (2016);
  • Telecommunications Law (2013);
  • Competition Law (2015);
  • Law Protecting the Privacy and Security of Citizens (2017);
  • Notification 116/97 of the Ministry of Finance and Revenue;
  • Law Relating to Private Health Care Services (2007); and
  • Electronic Transactions Law (2004) and its 2021 amendment.

Last modified 18 December 2024

Namibia recognises the right to privacy as a fundamental human right under Article 13 of the Namibian Constitution. Accordingly, all persons have a right to privacy in their homes and communications. The right to privacy is limited as required by law and in the interest of protecting: 

  • national security and public safety;
  • the nation’s economy;
  • health and morals;
  • against disorder and crime;
  • the rights and freedoms of others.

Save for the constitutional right to privacy, Namibia has not enacted comprehensive data privacy legislation. However, various sector-specific laws are in place to protect client information, including in the legal and banking sectors. 

The Namibian Government has published the Draft Data Protection Bill, 2021. The objectives of this draft Bill are to:

  • establish a Data Protection Supervisory Authority and to provide for its powers, duties and functions;
  • establish obligations of data controllers and processors;
  • make provision for the regulation of the processing of information relating to individuals in order to protect the fundamental rights and freedoms of individuals, and in particular, their right to privacy concerning the processing of such information;
  • provide for the rights of individuals about whom information is processed;
  • provide for restrictions and exceptions under the provisions of this Act; and
  • provide for codes of conduct of controllers and processors and for matters connected therewith.

Last modified 18 January 2024

  1. Individual Privacy Act, 2018 (2075) (“Privacy Act”)
  2. Individual Privacy Regulation, 2020 (2077) (“Privacy Regulation”)
  3. National Penal Code, 2017 (2074) (“Penal Code”)
  4. Advertisement Act, 2019 (2076) (“Advertisement Act”)
  5. Advertisement Regulation, 2020 (2076) (“Advertisement Regulation”)
  6. National Broadcasting Regulation 1995 (2052) (“National Broadcasting Regulation”)

Last modified 20 January 2025

Netherlands regulation

The Dutch GDPR Implementation Act (Uitvoeringswet AVG, the Implementation Act) constitutes the local implementation of the GDPR in the Netherlands. The Implementation Act follows a policy-neutral approach, meaning that the requirements of the previous Dutch Data Protection Act (Wet bescherming persoonsgegevens) are maintained insofar as possible under the GDPR. The Implementation Act provides for, among other things, national rules where this is necessary for the implementation of GDPR provisions on the position of the regulatory authority or the fulfilment of discretionary powers provided by the GDPR. There is a pending legislative proposal, the Data Protection Collection Act (Verzamelwet gegevensbescherming), that will affect the Implementation Act on a few specific topics. For example, adjustments will be made to the definition of criminal data and the existing derogations under the Implementation Act for the processing of biometric data will be further conditioned.

Last modified 18 January 2024

The Privacy Act 2020 (Act) and its Information Privacy Principles (IPPs) govern how agencies collect, use, disclose, store, retain and give access to personal information. The Act gives the Privacy Commissioner the power to issue codes of practice that modify the operation of the Act in relation to specific industries, agencies, activities or types of personal information. The following codes are currently in place:

  • Credit Reporting Privacy Code;
  • Health Information Privacy Code;
  • Justice Sector Unique Identifier Code;
  • Superannuation Schemes Unique Identifier Code;
  • Telecommunications Information Privacy Code; and
  • Civil Defence National Emergencies (Information Sharing) Code.

The Privacy Commissioner is well into the process of introducing a new code to regulate the collection of biometric information which is expected to come into force in 2025. The exposure draft of the Biometrics Processing Privacy Code (Code) was issued in April 2024 followed by an updated draft Code and draft guidance in December 2024. The draft Code sets out rules governing the purpose, sourcing, collection, storage, accessibility, retention, disclosure and limitations on the use of biometric information.

Enforcement is through the Privacy Commissioner who has the power to investigate any action which appears to interfere with the privacy of an individual and can do so either on a complaint made to the Privacy Commissioner or on the Privacy Commissioner’s own initiative. The Privacy Commissioner can also issue compliance notices requiring agencies to do or refrain from doing something in order to comply with the Act.

Under the Act, an agency can be any person or body of persons, whether corporate or unincorporated, and whether in the public sector or in the private sector.

The Act has an extraterritorial scope — it applies to any actions taken by an overseas organisation in the course of carrying on business in New Zealand, regardless of where the information is or was collected or held and where the person to whom the information relates is located. An organisation may still be treated as carrying on business in New Zealand regardless of whether or not it has a physical place of business in New Zealand, charges any monetary payment for goods or services within New Zealand, or makes a profit from its business in New Zealand. For organisations subject to the Act (whether New Zealand agencies or overseas agencies), it is irrelevant where the personal information was collected, where it is held, or where the individual is or was located (i.e. the Act can extend to personal information collected overseas about foreign data subjects).


In September 2024, the Statutes Amendment Bill (SA Bill) was introduced into Parliament and proposes a variety of minor and technical amendments to the Act, including clarifications around a principal agency's liability, more discretion for the Privacy Commissioner to decide whether to investigate a complaint, and the limited application of the Act to domestic affairs. The SA Bill passed its first reading in October 2024 and the Select Committee is due to report back in April 2025.

In September 2023, the New Zealand government released the Privacy Amendment Bill (PA Bill), which, if passed, will amend the Privacy Act. The PA Bill looks set to proceed following the release of the Select Committee report in late 2024. The main amendments to the Act will be the introduction of a new IPP 3A, requiring organisations that collect personal information 'indirectly' (i.e. not directly from the relevant individual) to provide the individual with information about the processing of their data. Currently, under IPP 3, the Act requires organisations who collect personal information directly from the individual to ensure the individual is aware of certain details, such as the fact of collection, the purposes for which the information will be used, the intended recipients and the individual's right to request access to and correction of their personal information.

IPP 3A will require agencies collecting personal information from a source other than from the individual concerned to take reasonable steps to ensure that the individual is aware of the same information.

The PA Bill includes certain exceptions to complying with IPP 3A including where the individual has previously been made aware of the organisation's collection of their personal information, or compliance with IPP 3A is not reasonably practicable in the circumstances.

The PA Bill is set to come into force on 1 June 2025 and the PA Bill clarifies that IPP 3A will not have retrospective effect.

In September 2023, the Privacy Commissioner issued (non-binding) guidance on the application of the Act's IPPs to the use of AI tools in New Zealand (the Guidance). The Guidance is consistent with key themes from developing international regulations (e.g. the importance of transparency and explainability; accuracy; robustness and security; accountability; and human values and fairness). The Privacy Commissioner has recommended, among other things, that while not mandatory under the Act, it is generally best practice to undertake a Privacy Impact Assessment at the outset of an AI project. The Guidance also recognises an important element which is unique to New Zealand: the need to consider te ao Māori perspectives on privacy (broadly, te ao Māori is the Māori worldview, including tikanga Māori, i.e. Māori customs and protocols). Specific concerns identified in the Guidance include:

  • bias from systems developed overseas that do not work accurately for Māori;
  • collection of Māori information without work to build relationships of trust, leading to inaccurate representation of Māori taonga that fail to uphold tapu and tikanga; and
  • exclusion from processes and decisions of building and adopting AI tools that affect Māori whānau, hapū, and iwi, including use of these tools by the public sector.

Last modified 24 January 2025

Ley No. 787 Ley de Protección de Datos Personales (Law No. 787, Personal Data Protection Law) has been effective since 29 March 2012 and was published in the Official Gazette No. 61 on the same day.

Last modified 28 January 2024

The data protection regime in Niger is governed by the following laws and regulations:

  • Law n° 2023-31 of 04 July 2023 amending law n°2022-59 of 16 December 2022 on the protection of personal data;
  • Law n°2022-59 of December 16, 2022 relating to the protection of personal data;
  • Law No.2018-45 of July 12, 2018 on the regulation of electronic communications in Niger;
  • Cybercrime Amendment Act 2022 (2019);
  • Order No. 000045 of October 5, 2020 determining the profile and setting the conditions of remuneration of the personal data protection correspondent; 
  • Decree No. 2020-309/PRN/MJ of April 30, 2020 setting the terms of application of Law No. 2017-28 of May 3, 2017 on the protection of personal data as amended and supplemented by Law No. 2019-71 of December 24, 2019; 
  • Ratification of the African Union Convention on Cyber Security and Personal Data Protection.

Last modified 6 January 2025

Principal regulation

Nigeria Data Protection Act 2023 (Act)

The Act has been enacted to safeguard the fundamental rights and freedoms, and the interests, of data subjects, as guaranteed under the Constitution of the Federal Republic of Nigeria. Among other things, the objectives of the Act include: the protection of personal information; the establishment of the Nigeria Data Protection Commission for the regulation of the processing of personal information; the promotion of data processing practices that safeguard the security of personal data and the privacy of data subjects; the protection of data subjects' rights, and the provision of means of recourse and remedies in the event of a breach of data subjects' rights; and the strengthening of the legal foundations of the national digital economy and the guarantee of Nigeria's participation in the regional and global economies through the beneficial and trusted use of personal data. The Act received Presidential assent on 13 June 2023.

Subsidiary legislation

There are several pieces of subsidiary legislation that provide guidance, rules and procedures to implement and enforce the provisions of the Act. Some of these had already been made before the enactment of the Act. With the coming into force of the Act, the provisions of the subsidiary legislation that do not conflict with the Act remain applicable. The subsidiary legislation is as follows:

Nigeria Data Protection Regulation 2019 (NDPR)

The personal and territorial scope of the NDPR is defined by citizenship and physical presence. It applies to residents of Nigeria, as well as Nigerian citizens abroad. The NDPR provides legal safeguards for the processing of personal data. Under the NDPR, Personal Data must be processed in accordance with a specific, legitimate and lawful purpose disclosed to the Data Subject.

Nigeria Data Protection Regulation: Implementation Framework 2020 (Framework)

The Framework builds on the NDPR to ensure a tailored implementation of the data protection regime in Nigeria. It serves as a guide to data controllers and administrators / processors to understand the standards required for compliance within their organisations. The Framework is to be read in conjunction with the NDPR and does not supersede the NDPR.

Guidelines for the Management of Personal Data by Public Institutions in Nigeria 2020 (Guidelines)

The Guidelines apply to all public institutions (PIs) in Nigeria, including ministries, departments, agencies, institutions, public corporations, publicly funded ventures, and incorporated entities with government shareholding, whether at the Federal, State or Local level, that process the personal data of a data subject. The Guidelines mandate all PIs to protect personal data in any instance of processing of such data. Processing in this context retains the same meaning it has under the NDPR. All forms of personal data of a Nigerian citizen, resident or non-Nigerian individual who interacts with PIs, or whose personal data PIs have access to in furtherance of a statutory or administrative purpose, are to be protected in accordance with the NDPR or any other law or regulation in force in Nigeria.

General Application and Implementation Directive 2024 (GAID) 

Although currently a draft, the GAID provides guidelines for implementing the Act, addressing topics such as the scope and applicability of the Act, legal bases for processing, cross-border data transfers, data breach notifications, and the exercise of data subjects’ rights. Once adopted, the GAID is expected to replace certain existing subsidiary legislation.

Sectoral laws

In addition to the principal and subsidiary legislation mentioned, the Constitution of the Federal Republic of Nigeria and various sector-specific laws make different provisions for privacy and data protection matters. Key provisions in the mentioned laws are outlined hereunder:

The laws

Constitution of the Federal Republic of Nigeria 1999 (As Amended) (Constitution)

The Constitution provides Nigerian citizens with a fundamental right to privacy. Section 37 of the Constitution guarantees privacy protections to citizens in their homes, correspondence, telephone conversations and telegraphic communications. The Constitution neither defines the scope of privacy nor contains detailed privacy provisions.

Child Rights Act 2003 (Act)

The Act reiterates the constitutional right to privacy as it relates to children. Section 8 of the Act guarantees a child's right to privacy, subject to the parent's or guardian's right to exercise supervision and control over their child's conduct. Some Nigerian states have also enacted Child Rights Laws. Under the Act / Laws, a child is any person under the age of 18.

Consumer Code of Practice Regulations 2007 (NCC Regulations)

The Nigerian Communications Commission (NCC) issued the NCC Regulations, which require all licensees to take reasonable steps to protect customer information against improper or accidental disclosure, and to ensure that such information is securely stored and not kept longer than necessary. The NCC Regulations further prohibit the transfer of customer information to any party except to the extent agreed with the customer, or as permitted or required by the NCC or other applicable laws or regulations.

Consumer Protection Framework 2016 (Framework)

The Framework was enacted pursuant to the Central Bank of Nigeria Act 2007. The Framework includes provisions that prohibit financial institutions from disclosing customers' personal information. The Framework further requires that financial institutions have appropriate data protection measures and staff training programs in place to prevent unauthorized access, alteration, disclosure, accidental loss or destruction of customer data. Financial services providers must obtain written consent from consumers before personal data is shared with a third party or used for promotional offers.

Credit Reporting Act 2017 (CRA)

The CRA establishes a legal and regulatory framework for credit reporting by Credit Bureaus. Section 5 of the CRA requires Credit Bureaus to maintain credit information for at least 6 years from the date that such information is obtained, after which the information must be archived for a 10-year period prior to its destruction. Section 9 of the CRA provides the rights of data subjects (i.e. persons whose credit data are held by a Credit Bureau) to privacy, confidentiality and protection of their credit information. Section 9 further prescribes conditions under which the credit information of the data subject may be disclosed.

Cybercrimes (Prohibition, Prevention Etc) Act 2015 (Cybercrimes Act)

The Cybercrimes Act provides a legal and regulatory framework that prohibits, prevents, detects, prosecutes and punishes cybercrimes in Nigeria. The Cybercrimes Act requires financial institutions to retain and protect data and criminalizes the interception of electronic communications.

Freedom of Information Act, 2011 (FOI Act)

The FOI Act seeks to protect personal privacy. Section 14 of the FOI Act provides that a public institution is obliged to deny an application for information that contains personal information unless the individual involved consents to the disclosure, or where such information is publicly available. Section 16 of the FOI Act provides that a public institution may deny an application for disclosure of information that is subject to various forms of professional privilege conferred by law (such as lawyer-client privilege, health workers-client privilege, etc.).

National Identity Management Commission Act 2007 (NIMC Act)

The NIMC Act creates the National Identity Management Commission (NIMC) to establish and manage a National Identity Management System (NIMS). The NIMC is responsible for enrolling citizens and legal residents, creating and operating a National Identity Database and issuing Unique National Identification Numbers to qualified citizens and legal residents. Section 26 of the NIMC Act provides that no person or corporate body shall have access to data or information in the Database with respect to a registered individual without authorization from the NIMC. The NIMC is empowered to provide a third party with information recorded in an individual's Database entry without the individual's consent, provided it is in the interest of National Security.

National Health Act 2014 (NH Act)

The NH Act provides rights and obligations for health users and healthcare personnel. Under the NH Act, health establishments are required to maintain health records for every user of health services and maintain the confidentiality of such records. The NH Act further imposes restrictions on the disclosure of user information, and requires persons in charge of health establishments to set up control measures for preventing unauthorized access to information. The NH Act applies to all information relating to patient health status, treatment, and admittance into a health establishment, and further applies to DNA samples collected by a health establishment.

Nigerian Communications Commission (registration of telephone subscribers) Regulation 2011 (Regulation)

Sections 9 and 10 of the Regulation provide for the confidentiality of telephone subscribers' records maintained in the NCC's central database. The Regulation further provides telephone subscribers with a right to view and update, in camera, personal information held in the NCC's central database of a telecommunication company.

Last modified 18 January 2025

The Republic of North Macedonia regulates personal data protection issues with the Law on Personal Data Protection (Official Gazette of the Republic of North Macedonia, no. 42/20 and 294/21, “DP Law”), effective 24 February 2020. Data controllers and data processors had an 18-month period from the DP Law’s entry into force (i.e. until 24 August 2021) to harmonize their operations with the DP Law. This period was informally prolonged for an additional six months, during which time the data protection authority assisted companies in implementing the new rules through education and corrective measures, as opposed to directly issuing fines for non-compliance.

The DP Law is largely harmonized with the General Data Protection Regulation (GDPR) of the European Union (EU).

Last modified 17 January 2024

EU regulation

The General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A 'Regulation' (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An 'establishment' may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within the EU.


Norway regulation

The GDPR was incorporated in the EEA Agreement by a Joint Committee Decision dated July 6, 2018. The new Norwegian Personal Data Act (LOV-2018-06-15-38) ("PDA") implements GDPR and became effective as of July 20, 2018.

In addition to implementing the GDPR, the PDA includes the specific regulations described below. In connection with the implementation of the GDPR, several sector-specific regulations, e.g. in the healthcare sector, have been updated to ensure compliance with the GDPR.

The PDA has a similar geographical scope as GDPR article 3 in that it applies to:

  1. data controllers and processors established in Norway, regardless of whether the processing activities take place in Norway / the EEA or not; and
  2. processing activities by a data controller or data processor which is not established in the EEA to the extent the processing activity relates to:
    1. offering of goods and services to data subjects in Norway, irrespective of whether a payment of the data subject is required; or
    2. the monitoring of their behavior, to the extent that such behavior takes place within Norway.

The PDA also applies to the processing of personal data by a controller who is not established in Norway, but in a place where Norwegian law applies by virtue of public international law.

Last modified 16 January 2025

Pakistan has not yet enacted data protection legislation per se, comparable to the data protection legislation enacted in other countries; however, the Prevention of Electronic Crimes Act, 2016 (“PECA 2016”) at present serves the same purpose to a certain extent.

Moreover, a draft of the Personal Data Protection Bill 2023 (“PDPB”) has been introduced by the Ministry of Information Technology and Telecommunications, with a view to its being promulgated into law after public consultation, approval by both Houses of Parliament and receipt of the assent of the President of Pakistan.

Last modified 4 January 2024

Panama has taken significant legislative steps in regulating data protection. Law No. 81 of March 26, 2019, supplemented by Executive Decree No. 285 of May 28th, 2021 (together the Ley sobre Protección de Datos Personales; the ‘Data Protection Law’), regulates data protection in the Republic of Panama. The Data Protection Law governs the following:

  • The principles, rights, obligations, and procedures applicable to the protection of personal data in Panama
  • The individuals or legal entities, whether private or public, who are subject to the Data Protection Law, as well as those entities that are classified as “regulated subjects” (ie, banks, insurance companies, telecommunication providers, etc.)
  • The data subject’s right to access, rectification, cancellation, opposition, and portability
  • The fines and penalties applicable to those who violate an individual’s right to data protection

As mandated by the Data Protection Law, several sectoral laws are expected to be modified to include specific data protection terms. Examples include Rule No. 1-2022, dated February 24th, 2022, issued by the Superintendency of Banks, which sets out special guidelines for the protection of data processed by banks, and Resolution AN N° 1267-ADM, dated June 14th, 2023, which pertains to the protection of data in public utilities and services.

In addition to the Data Protection Law, the following general rules govern data protection:

  • The Constitution
  • The Criminal Code
Last modified 28 January 2024
  • National Constitution, art. 135, Habeas Data: Any person may file an action to have access to (i) personal data about such person or its property; and (ii) information about the use of such data and purpose for which it is kept, whether it is stored in public or private data registries. Additionally, any person may request the suppression, correction, confidentiality or updating of the data where inaccurate or discriminatory;
  • Criminal Code, art. 174 (Unlawful access to computer systems) and art. 175 (Sabotage of computer systems): individuals or entities that unlawfully access or alter personal data contained in databases (computer systems) are criminally liable;
  • Law No. 6534/2020 “of protection of personal credit data” (“Personal Credit Data Protection Law” or “Law”). The previous data protection regulatory regime, led by Law No. 1682/2001 “which regulates the use of private information” as amended by laws No. 1969/2002 and 5543/2015, is no longer in force and was replaced in full by the Personal Credit Data Protection Law (Art. 30 of the Law); and
  • Law No. 4868/2013 “Electronic Commerce” (“Electronic Commerce Law”) and its regulatory decree No. 1165/2014 (“Regulatory Decree of the Electronic Commerce Law”).
Last modified 28 January 2025

Article 2 of the Political Constitution of Peru sets forth certain fundamental rights that every person has, including a right to privacy regarding information that affects personal and family privacy, which was the basis for the creation of a law that specifically protects the use of personal data of any natural person and applies to both private and state entities.

The Personal Data Protection Law N° 29733 ('PDPL') was enacted in June 2011. In March 2013, Supreme Decree N° 003-2013-JUS, the Regulation of the PDPL ('Regulation'), was published in order to develop, clarify and expand on the requirements of the PDPL and to set forth specific rules, terms and provisions regarding data protection.

However, it should be noted that a new Regulation to the PDPL was enacted through Supreme Decree 016-2024-JUS, dated November 30, 2024 ('New Regulation'). The New Regulation aims to enhance the protection of personal data under the PDPL, introducing improvements that take account of the rapid development of e-commerce, artificial intelligence and similar digital technologies. The New Regulation will formally enter into force on March 30, 2025, except for some provisions that will enter into force subsequently, and will replace the current Regulation. This New Regulation also introduces new obligations (eg, the designation of a data protection officer and the notification of security incidents).

Together, the PDPL and its Regulation are the primary data protection laws in Peru.

Further, Law Nº 27489, enacted in 2001 and amended several times since then, regulates private risk centers and the protection of the data owner's personal information. Law Nº 27489 regulates activities related to risk centers and companies that handle:

  • Information posing higher risks to individuals (eg, related to financial, commercial, tax, employment or insurance obligations or background of a natural or legal person that allows evaluating its economic solvency), and
  • Sensitive personal data (according to the PDPL)
Last modified 26 January 2023

The Data Privacy Act of 2012 (“Act” or “DPA”) or Republic Act No. 10173, which took effect on 8 September 2012, is the governing law on data privacy matters in the Philippines.

In 2022, two bills (House Bill No. 892 and House Bill No. 898) were filed in the House of Representatives of the Philippines, seeking to amend the DPA. The proposed amendments under House Bill No. 892 broadly include:

  • Increasing the penalties (both the period of imprisonment and monetary fines) for violations of the DPA; and
  • Providing for perpetual absolute disqualification as a penalty for a public official or employee who violates provisions of the DPA.

On the other hand, the proposed amendments under House Bill No. 898 broadly include:

  • Defining biometric and genetic data.
  • Expanding the exclusions on the applicability of the DPA.
  • Redefining “sensitive personal information” to include biometric and genetic data, and labor affiliation.
  • Clarifying the extraterritorial application of the DPA by specifying clear instances when the processing of personal data of Philippine citizens and / or residents is concerned.
  • Defining the digital age of consent to process personal information as more than fifteen (15) years, applicable where information society services are provided and offered directly to a child.
  • Including the performance of a contract as a new criterion of the lawful basis for processing of sensitive personal information.
  • Allowing Personal Information Controllers (“PIC”) outside of the Philippines to authorize Personal Information Processors (“PIP”) or any other third party in the country, in writing, to report data breaches to the National Privacy Commission (“NPC”) on behalf of the PIC.
  • Modifying criminal penalties under the DPA, giving the proper courts the option to impose either imprisonment or fine upon its sound judgment.

The said bill remains pending before the Philippine House of Representatives.

A further bill was filed in 2022 and is pending before the Philippine Senate (Senate No. 1367) likewise seeking to amend the DPA. Specifically, the bill seeks to exclude the applicability of the DPA to personal information and sensitive personal information that are necessary to address a health crisis during a period of a declared national emergency or pandemic.

In 2021, the Philippine House of Representatives approved a bill (House Bill No. 9651) proposing amendments to the DPA similar to those of House Bill No. 898. The said bill was transmitted to the Philippine Senate for concurrence in the same year but remains pending to date.

Given the rigorous process of passing a law in the Philippines, there are no indications that any of these pending bills will be passed into law within the next 12 months.

Last modified 20 January 2025

EU regulation

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable in all Member States of the European Union on 25 May 2018, without requiring implementation by the EU Member States through national law.

The Regulation (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by the GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretations and enforcement practices among Member States.

Territorial Scope

Primarily, the application of the GDPR depends on whether an organisation is established in the EU. An 'establishment' may take a wide variety of forms and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organisation that is not established in the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the EU where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to those data subjects or "the monitoring of their behaviour" (Article 3(2)(b)) to the extent their behaviour takes place in the EU.


Poland regulation

As a member of the European Union, Poland implemented the EU Data Protection Directive 95/46/EC in the Personal Data Protection Act of 29 August 1997 (consolidated text: Journal of Laws of 2016, item 922, hereinafter: “previous PDPA”).

In relation to the GDPR, on 12 September 2017, two bills on personal data protection were published in Poland. The first one was passed into law on 25 May 2018 as the new Personal Data Protection Act of 10 May 2018 (Journal of Laws of 2019, item 1781; hereinafter: the “PDPA”), while the second one was passed into law on 4 May 2019 as the Act on amendments to sectorial acts accompanying the GDPR of 21 February 2019, containing amendments to over 160 sectorial regulations, including banking, insurance and labour law (Journal of Laws of 2019, item 730; hereinafter: the “Implementing Act”).

The two new pieces of legislation are aimed at implementing the GDPR into the Polish legal order, as well as regulating matters in which the GDPR leaves a certain amount of freedom for EU Member States. The new PDPA establishes a new supervisory body – the President of the Office for Personal Data Protection (hereinafter: the “Polish DPA”), which has a much wider range of powers than the previous DPA (the Inspector General for the Protection of Personal Data – hereinafter: the “Inspector General”).

A number of provisions of the Electronic Communication Act of 12 July 2024 (hereinafter: "Electronic Communication Act") are applicable to the processing of personal data by the electronic communications service provider, the electronic communications undertaking and the telecommunications undertaking and a number of sector-specific statutes relating to, among other things, employment and banking matters also contain specific regulations on the processing of personal data.

Several provisions of the law on clinical trials of medicinal products for human use of 9 March 2023 (Journal of Laws 2023, item 605) are also applicable to the processing of personal data. When carrying out clinical trials that are scientific research, it is allowed to limit the application of the provisions of articles 15, 16, 18 and 21 of the GDPR. Those restrictions may be imposed if it is likely that the rights set out in the aforementioned provisions will prevent or seriously hinder the achievement of the objectives of the clinical trial which is a scientific study, and if those restrictions are necessary to achieve those objectives. 

According to the Polish Labour Code, the employer may introduce sobriety tests on employees if necessary to ensure the protection of life and health of employees or other persons or the protection of property. The employer processes information about the date and exact time of the sobriety test and its result only if this is necessary to ensure the protection of property, and stores this information in the employee's personal file for a period not exceeding one year from the date of its collection.

Last modified 16 January 2025

EU regulation

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A Regulation (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An 'establishment' may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within the EU.


Portugal regulation

Currently, the processing of personal data in Portugal is governed by the GDPR and by Law no 58/2019 of 8 August, which ensures the execution of the GDPR in Portugal. However, the local supervisory authority (CNPD) issued Decision 494/2019, deciding not to apply certain provisions of that law because it considered them to be in contradiction with the GDPR:

  • article 2(1) and (2): scope of the Law;
  • article 20(1): duty of secrecy;
  • article 23: processing of personal data by public entities for different purposes;
  • article 28(3)(a): consent of employee in an employment context;
  • article 37(1)(a)(h)(k) and (2): misdemeanors and applicable sanctions;
  • article 38(1)(b) and (2): misdemeanors and applicable sanctions;
  • article 39(1) and (3): misdemeanors and applicable sanctions;
  • article 61(2): connection between the expiry of consent and termination of the agreement (for existing agreements);
  • article 62(2): revocation of provisions requiring prior authorization or notification to CNPD with effect from the date of entry into force of the GDPR.

Furthermore, Law no 59/2019 of 8 August contains provisions relating to the processing of personal data for the purposes of the prevention, detection, investigation and repression of criminal offenses and for the purposes of the execution of criminal sanctions, transposing EU Directive 2016/680 of the European Parliament and the Council of 27 April 2016.

Relevant data protection provisions in the context of electronic communications may also be found in Law 41/2004, of 18 August (Law on the processing of personal data and the protection of privacy in the electronic communications, as amended by Law 46/2012, of 29 August and enacted pursuant to Directive 2002/58/EC) (with subsequent amendments arising from Article 2 of Directive 2009/136/EC).

Last modified 17 January 2024

Note: Please also see Qatar Financial Center (a business center located on-shore in Qatar with its own regulations separate from those of the State of Qatar, including separate data protection regulations).

This overview is based on an unofficial English translation of the Law No. (13) of 2016 Concerning Personal Data Protection. The Qatar government does not issue official English translations of the laws of the State of Qatar.

Qatar has implemented Law No. (13) of 2016 Concerning Personal Data Protection ("the Data Protection Law"). 

With its Data Protection Law – adopted in 2016 – Qatar became the first Gulf Cooperation Council (GCC) member state to issue a generally applicable data protection law.

The Data Protection Law is supplemented by a set of regulatory guidelines issued by the National Cyber Governance and Assurance Affairs (NCGAA) of the National Cyber Security Agency. The guidelines incorporate concepts from EU privacy regulatory frameworks and seek to clarify obligations under, and address matters that are not dealt with in, the Data Protection Law. The introduction of these guidelines provides a mechanism by which those subject to the Data Protection Law can better understand their obligations under it and comply with its provisions more fully.

The Data Protection Law applies to personal data when this data is any of the following:

  • Processed electronically;
  • Obtained, collected or extracted in any other way in preparation for electronic processing; and
  • Processed by combining electronic processing and traditional processing.

The Data Protection Law provides that each individual shall have the right to privacy of their personal data. Such data may only be processed within a framework of transparency, honesty, respect for human dignity and in accordance with the provisions of the Data Protection Law.

Last modified 17 January 2024

Note: Please also see Qatar.

The Qatar Financial Centre ("QFC"), a business center located on-shore in Qatar with its own regulations that are separate and distinct from those of the State of Qatar, implemented QFC Regulation No. 6 of 2005 on QFC Data Protection Regulations ("DPL").

Additionally, under the powers granted to the QFC Authority under Article 32(6) of the DPL, the QFC Authority has issued the Data Protection Rules 2005 (DPR).

The QFC updated the DPL and DPR on 6 December 2023. This note reflects the position under the DPL and DPR as amended. As a general comment, the changes provide increased clarity around the DPL and DPR, create certain new obligations and bring the QFC more closely in line with the position under the GDPR and other similar laws, which should assist international businesses in taking a relatively uniform approach to their data compliance activities.

The DPL and DPR apply to the processing of personal data of living natural persons. Such processing may be by automated or non-automated means. The DPL and DPR apply to data controllers and processors incorporated or registered in the QFC, and also to those that are not if, as part of ongoing arrangements, the data controller or processor processes personal data through a data controller or processor that is incorporated or registered in the QFC, unless it does so only on an occasional basis.

Last modified 17 January 2024

The protection of personal data is governed by Law N° 29-2019 of 10 October 2019 on the protection of data with a personal character, which was published in the official journal on 7 November 2019 (the "Law"). The Law entered into force on the date of its approval (25 November 2020).

Besides the Law, there are several sectoral laws or decrees that contain data protection aspects (on cybersecurity, mobile telecommunications, etc.).

Last modified 23 February 2024

EU regulation

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A regulation (unlike the directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An establishment may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extraterritorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related "to the offering of goods or services" (no payment is required) to such data subjects in the EU or "the monitoring of their behaviour" as far as their behaviour takes place within the EU.


Romania regulation

Law no. 190/2018 on the measures for the application of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("Law no. 190/2018") was published in the Official Gazette no. 651/26.07.2018 and became applicable on July 31, 2018. 

Law no. 190/2018 regulates, among others, the following activities, in addition to providing certain derogations and a framework related to the sanctions applicable to public authorities and public bodies:

  • Processing of genetic data, biometric data or health data
  • Processing of a national identification number
  • Processing of personal data in the context of employment relationships
  • Processing of personal data and of special categories of personal data within the performance of a task carried out in the public interest
Last modified 17 January 2024

Fundamental provisions of data protection law in Russia can be found in the Russian Constitution, international treaties and specific laws.

Key legislation includes (but is not limited to):

  • Federal law No. 152-FZ of 27 July 2006, “On Personal Data” (the Data Protection Act or DPA);
  • Federal law No. 149-FZ of 14 July 2006, “On Information, Information Technologies and Protection of Information” (the Information Law);
  • The Labor Code of the Russian Federation; and
  • The Constitution of the Russian Federation.

The DPA is the most comprehensive source of Russian data protection rules and contains most of the provisions discussed herein. The Information Law sets forth rules relating to information in a broader context, and the Constitution provides for even broader rights to privacy (Articles 23 and 24). The Labor Code contains specific provisions on data protection in employment relationships.

Russia is a member of the Strasbourg Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (the Convention) (ratified by Russia in 2006).

Last modified 17 January 2024

The law governing data protection in Rwanda is the Law n°058/2021 of 13/10/2021 relating to the protection of personal data and privacy (the “Data Protection Law”). 

The Data Protection Law came into effect on 15 October 2021. Data controllers and processors that were already in operation have a period of two (2) years from the Data Protection Law's commencement date to conform to its provisions.

The Law n° 24/2016 of 18/06/2016 governing Information and Communication Technologies in Rwanda (the “ICT Law”). 

The Law nº 60/2018 of 22/8/2018 on prevention and punishment of cyber-crimes (the “Cyber Crime Law”).

Last modified 17 January 2024

The Personal Data Protection Law (issued pursuant to Royal Decree No. M/19 of 9/2/1443 H (corresponding to 16 September 2021), as amended by Royal Decree No. M/148 dated 5/9/1444H (corresponding to 27 March 2023)) ("PDPL") came into effect on 14 September 2023, but data controllers have a further year in which to comply (although that period may be further extended for certain entities). Accordingly, businesses within the scope of the PDPL will have until 14 September 2024 to adjust their status to become compliant with the PDPL.

The Implementing Regulations are also now in force and provide further detail and guidance on various requirements of the PDPL. They comprise two connected regulations: the 'Implementing Regulations to the PDPL' and the 'Regulations on Personal Data Transfers outside the Kingdom' ("Transfer Regulations").

The PDPL is a law that applies on a national level and will apply to all sectors, with certain limited exceptions. For this reason, the PDPL will need to be considered in the broader legal and regulatory framework of the Kingdom of Saudi Arabia ("KSA"), with other sector specific frameworks such as those issued by the Saudi Central Bank, National Cybersecurity Authority or Communication, Space and Technology Commission ("CST").

Last modified 23 February 2024

The data protection regime in Senegal is mainly governed by the following laws and regulations: 

  • Act No. 2008-12 of 25 January 2008 Concerning Personal Data Protection ("the Act");
  • Decree No. 2008-721 of 30 June 2008 on electronic certification in application of Act No. 2008-08 of 25 January 2008 on electronic transactions;
  • Act No. 2008-08 of 25 January 2008 on electronic transactions; and
  • Act No. 2016-29 of 8 November 2016 amending Law No. 65-60 of 21 July 1965 on the Penal Code of Senegal.

As regards international conventions, Senegal is a party to the African Union Convention on Cyber Security and Personal Data Protection, known as the Malabo Convention, adopted by the Assembly of the African Union on 27 June 2014.

The Malabo Convention aims to create a comprehensive legal framework for e-commerce, data protection, cybercrime and cybersecurity on the continent.

Last modified 23 February 2024

In late 2018, Serbia updated its data protection law to better align with the EU General Data Protection Regulation. Serbia enacted a new Data Protection Law on 9 November 2018 (published in the Official Gazette of the Republic of Serbia, no. 87/2018) (“DP Law”). Although the DP Law entered into force 21 November 2018, its effective date was postponed until 21 August 2019 (except for the maintenance of the Central Register of Personal Databases which has already been terminated).

The DP Law was long awaited, as it had been ten years since the previous data protection law was passed. Its content is largely harmonized with the GDPR, and it has been fully effective since 21 August 2019.

Last modified 17 January 2024

The Data Protection Act 2023 (the Act) enacted in 2023 replaces the Data Protection Act 2003, which was never brought into force.

The Act itself has not yet been brought into force. Pending its coming into force, data protection in Seychelles continues to be governed by the general principles of privacy and confidentiality in the Civil Code of Seychelles and by provisions of various other legislation, e.g. the Financial Institutions Act and the Revenue Administration Act.

The principal object of the Act is to provide for the protection of individuals with regard to the processing of personal data and to recognise the right to privacy. The Act seeks to strengthen the control and personal autonomy of data subjects over their personal data in compliance with current relevant international standards and best practice. The Act also seeks to promote and facilitate the responsible and transparent flow of information by private and public entities while ensuring respect for individuals’ privacy.

Last modified 17 January 2024

Singapore enacted the Personal Data Protection Act of 2012 (No. 26 of 2012) on October 15, 2012, and it was subsequently amended / enhanced via the Personal Data Protection (Amendment) Act 2020 (together, the “Act”).

The Act has extraterritorial effect, meaning it applies to organizations collecting, using or disclosing personal data in Singapore whether or not the organization itself has a physical presence or is registered as a company in Singapore.

In addition to the Act, the Singapore data protection regime consists of various general or sector / industry-specific guidelines issued by the Personal Data Protection Commission (“Commission”). While these guidelines are advisory in nature and not legally binding, they indicate the manner in which the Commission will interpret the Act. Therefore, it is best practice to carefully observe and follow these guidelines.

The data protection obligations under the Act do not apply to the public sector, to which separate rules under the Government Instruction Manual 8 (“IM8”) and the Public Sector (Governance) Act apply. Collectively, these rules provide standards of data protection comparable to those under the Act, including similar investigations and enforcement actions in response to data security breaches. The Public Sector Data Security Review Committee was convened on March 31, 2019 to conduct a comprehensive review of data security policies and practices across the public sector. The Government implemented its recommendations and adopted changes to its data security measures. Examples include:

  • Requiring officers to password-protect files containing sensitive data when sending out; and
  • Enhancing the data incident management framework with standardized process to notify affected individuals in data incidents and conduct post-incident inquiry.
Last modified 23 January 2025
  • National Ordinance Personal Data Protection (Landsverordening bescherming persoonsgegevens, National Gazette 2010, Consolidated text no. 2) (the “National Ordinance Personal Data Protection”);
  • General Data Protection Regulation (the “GDPR”) – a regulation of the European Union which became effective on May 25, 2018 – may have implications for a data controller / data processor as the extra-territorial reach of the GDPR is not only relevant to businesses established in the European Union but also to international businesses established in Sint Maarten which offer goods or services to individuals in the European Union or monitor their behaviour in the European Union.
Last modified 10 February 2025

EU regulation

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two year transition period, became directly applicable law in all Member States of the European Union on 25 May 2018, without requiring implementation by the EU Member States through national law.

A 'Regulation' (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An 'establishment' may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within the EU.


Slovak Republic regulation

As a member of the European Union, Slovakia is bound by the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the "GDPR").

Furthermore, Slovakia adopted Act No. 18/2018 Coll. on the protection of personal data and on amending and supplementing certain acts (the "Slovak Data Protection Act") implementing the GDPR, which became effective as of 25 May 2018.

Last modified 17 January 2024

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable in all Member States of the European Union on 25 May 2018, without requiring implementation by the EU Member States through national law.

A 'Regulation' (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by the GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

The new Slovenian Data Protection Act (ZVOP-2), which implements certain aspects of the GDPR, was adopted in December 2022 and entered into force on 26 January 2023. Since then, data protection has been regulated by three main legal acts: (i) ZVOP-2; (ii) the GDPR; and (iii) the Slovenian Act on the Protection of Personal Data in the Area of Treatment of Criminal Offences (Zakon o varstvu osebnih podatkov na področju obravnavanja kaznivih dejanj, Official Gazette no. 177/20; ZVOPOKD), which entered into force on 31 December 2020 and implements Directive 2016/680. In relation to ZVOP-2, ZVOPOKD is considered lex specialis; the provisions of ZVOP-2 therefore do not apply to questions specifically provided for and regulated by ZVOPOKD.

ZVOP-2 also regulates certain areas of data processing, not regulated by GDPR, namely:

  • processing of personal data of deceased persons;
  • processing of personal data in relation to carrying out activities outside of EU-law scope; and
  • processing of personal data by the authorities of Slovenia when acting in areas of security and defence policy and carrying out intelligence and security activities.

Certain other Slovenian acts also regulate personal data processing in areas not covered by the GDPR, namely:

  • Defence Act (Zakon o obrambi, Official Gazette no. 103/04 as amended from time to time and in force);
  • Slovenian Intelligence and Security Agency Act (Zakon o Slovenski obveščevalno-varnostni agenciji; Official Gazette no. 81/06 as in force);
  • Attorneys Act (Zakon o odvetništvu, Official Gazette no. 18/93 as amended from time to time and in force);
  • Classified Information Act (Zakon o tajnih podatkih; Official Gazette no. 50/06 as amended from time to time and in force);
  • Electronic Communications Act (Zakon o elektronskih komunikacijah, Official Gazette no. 130/22 as in force);
  • Minor Offences Act (Zakon o prekrških; Official Gazette no. 29/11 as amended from time to time and in force);
  • Patients’ Rights Act (Zakon o pacientovih pravicah; Official Gazette no. 15/08 as amended from time to time and in force);
  • Mass Media Act (Zakon o medijih; Official Gazette no. 110/06 as amended from time to time and in force);
  • Banking Act (Zakon o bančništvu; Official Gazette no. 92/21 and 123/21 as in force);
  • Public Procurement Act (Zakon o javnem naročanju; Official Gazette no. 91/15 as amended from time to time and in force);
  • Employment Relationship Act (Zakon o delovnih razmerjih; Official Gazette no. 21/13 as amended from time to time and in force).

In accordance with Article 3(3) ZVOP-2, the above-listed acts are considered lex specialis in relation to ZVOP-2, meaning that provisions of ZVOP-2 will be applicable subsidiarily, when certain questions are not covered by the above-mentioned acts. Despite that, provisions of Articles 4-7 and 9-23 of GDPR would still apply mutatis mutandis, when such applicability is possible and appropriate (for instance in matters of threat to national security national legal provisions would prevail over the provisions of GDPR).

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An 'establishment' may take a wide variety of forms and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within the EU.

In addition to the above, provisions of ZVOP-2 (together with GDPR) will apply when:

  • processing of personal data is carried out within the public sector of Slovenia (Article 4(1) ZVOP-2); or
  • processing of personal data is carried out within the private sector when one of the following conditions is met:
    • the processor and / or controller is established in Slovenia, even if the processing of personal data does not take place on Slovenian territory (Article 4(1) ZVOP-2); or
    • the processor and / or controller is established outside the EU but offers goods or services to persons domiciled in Slovenia (irrespective of whether payment by the data subject is required) or monitors the behaviour of data subjects in Slovenia (Article 4(2) ZVOP-2).
Last modified 17 January 2024

The right to privacy is recognized as a fundamental human right in the Bill of Rights of the Constitution of the Republic of South Africa and is protected in terms of the Constitution and the common law. This right to privacy is not absolute and may be limited where it is reasonable and justifiable to do so.

The Protection of Personal Information Act 4 of 2013 (POPIA) came into effect on 1 July 2020 but was subject to a one year grace period which ended on 30 June 2021. POPIA specifically regulates the processing of personal information that is entered into a record pertaining to natural living persons as well as existing legal persons.

Last modified 17 January 2024

The main laws that apply to the handling of data about individuals are the Personal Information Protection Act (“PIPA”), the Act on the Use and Protection of Credit Information (“CIA”) and the Act on the Protection and Use of Location Information (“LIA”).

In 2023, the PIPA was amended in line with the principle of “same conduct – same regulation” for all personal data controllers, repealing special provisions that previously applied only to Online Service Providers (OSPs). The amended PIPA became effective on 15 September 2023, with certain exceptions such as the right to data portability, for which the effective date is yet to be determined. On 30 April 2024, the Personal Information Protection Commission (“PIPC”), which is tasked with enforcing the PIPA, proposed an amendment to the Enforcement Decree of the PIPA to provide the subordinate details of the PIPA amendments.

Last modified 20 January 2025

EU regulation

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two year transition period, became directly applicable law in all Member States of the European Union on 25 May 2018, without requiring implementation by the EU Member States through national law.

A 'Regulation' (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An 'establishment' may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within the EU.


Spain regulation

After a long delay, in December 2018 the Spanish Parliament approved the new Spanish Fundamental Law on Data Protection and Guarantee of Digital Rights (“NLOPD”), which develops and refines the GDPR. It has been in force since 7 December 2018.

Last modified 22 January 2024

Until recently, Sri Lanka had no legislation specifically on the protection of personal data and privacy, although sector-specific laws such as the Computer Crimes Act No. 24 of 2007, the Banking Act No. 30 of 1988, the Electronic Transactions Act No. 19 of 2006, the Right to Information Act No. 12 of 2016 and the Telecommunications Act No. 25 of 1991 recognize the need for privacy and confidentiality. To address this lacuna, the Personal Data Protection Bill was first published as a draft bill in 2019. After several rounds of revision, it was passed by the Parliament of Sri Lanka on 19 March 2022 as the Personal Data Protection Act No. 9 of 2022 (“PDPA”).

Although certified by the Speaker of Parliament, the PDPA is not yet operative, except for Part V, which deals with the regulator under the law, i.e. the Data Protection Authority. The PDPA provides for different periods within which its various parts come into force, allowing controllers and processors a much-needed grace period. The majority of the law will come into operation within 18 to 36 months from 19 March 2022, while the part governing the sending of marketing messages using personal data will become operative within 24 to 48 months from 19 March 2022. As regards Part V, by order of the Minister of Technology it was brought into operation on 17 July 2023. Accordingly, the Data Protection Authority is now in the process of being established, after which the other parts of the PDPA are expected to follow.

The PDPA is primarily inspired by the European Union's General Data Protection Regulation (“GDPR”) and, therefore, shares many similarities with the GDPR.

The PDPA applies both territorially to the processing of personal data where such processing takes place wholly or partly within Sri Lanka, or by a person or entity within Sri Lanka; and extraterritorially, in so far as a person or entity outside Sri Lanka provides goods or services to individuals within Sri Lanka or monitors the behaviour of individuals within Sri Lanka.

Whilst the PDPA is the primary law governing the protection of personal data in Sri Lanka, the following regulations / directions, promulgated under the relevant sector-specific laws, also contain detailed provisions on data protection:

  1. The Financial Consumer Protection Regulations No. 1 of 2023 (the “FCPR”), published on 9 August 2023 and promulgated under the Monetary Law Act, No. 58 of 1949 (now replaced by the Central Bank of Sri Lanka Act, No. 16 of 2023), impose obligations substantially similar to those of the PDPA in relation to the protection of personal information of financial consumers. The FCPR apply to licensed commercial banks, licensed specialised banks, licensed finance companies, specialised leasing companies, authorised primary dealers, authorised money brokers, licensed microfinance companies, participants in the payment and settlement systems and any other financial institutions approved by the Central Bank of Sri Lanka. The FCPR protect not only personally identifiable information but all information pertaining to financial consumers, which include corporate entities and other legal bodies. The FCPR also provide for grace periods before they become operational, with the majority of the regulations becoming operational six months after the date of publication. Additionally, the requirements of the FCPR on the security of personal information are buttressed by the Regulatory Framework on Technology Risk Management and Resilience for Licensed Banks, Directions No. 16 of 2021, dated 9 December 2021, promulgated under the Banking Act No. 30 of 1988 (as amended). This framework applies only to licensed commercial banks and licensed specialised banks in Sri Lanka, and it concentrates on the information security requirements of such organisations.
  2. Special Direction No. 91, published by the Consumer Affairs Authority on 17 May 2023 under the Consumer Affairs Authority Act No. 09 of 2003 (as amended), sets out provisions governing e-commerce entities and platform operators for the purpose of protecting consumers. These directions, although not extensive in detail, enumerate the principles set out in the PDPA with the aim of protecting the personal data of consumers. It should be noted that, unlike the PDPA, these directions are currently in operation.
Last modified 3 January 2024

EU regulation

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two year transition period, became directly applicable law in all Member States of the European Union on 25 May 2018, without requiring implementation by the EU Member States through national law.

A 'Regulation' (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organisation is established in the EU. An 'establishment' may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organisation that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within the EU.


Sweden regulation

In addition to the GDPR, the Data Protection Act (2018:218) (the "Data Protection Act") and the Data Protection Ordinance (2018:219) apply. The Data Protection Act regulates general aspects of data protection where the GDPR allows, e.g. processing of personal identity numbers and processing of data relating to criminal convictions and offences. The Data Protection Act applies from 25 May 2018 (i.e. the same date as the GDPR).

In addition to the Data Protection Act and the Data Protection Ordinance, there are sector and processing specific regulations.

The Camera Surveillance Act (2018:1200) contains provisions regarding camera surveillance. The Camera Surveillance Act applies inter alia where camera surveillance is carried out with equipment located in Sweden and where the one carrying out the surveillance is established in Sweden or in a third country. The Camera Surveillance Act applies from 25 May 2018 (i.e. the same date as the GDPR).

The Whistleblowing Act (2021:890) entered into force on 17 December 2021 and implements EU Directive 2019/1937 (the Whistleblowing Directive). Chapter 7 of the Whistleblowing Act contains inter alia provisions on the permitted purposes of processing personal data, internal access to personal data and retention periods.

Moreover, a vast number of sector specific acts apply in Sweden, for example relating to the healthcare, ethical review of research, finance, education, referendums / elections, enterprise, communication, certain aspects of the labor market, etc.

For example, the Credit Information Act (1973:1173) applies to credit reference agencies and contains specific provisions regarding the processing of personal data.

The Patient Data Act (2008:355) and the Patient Data Ordinance (2008:360) regulate healthcare providers' processing of personal data. As of 1 January 2023, the new Act (2022:913) on shared health and care documentation also applies and contains further provisions on the processing of personal data.

Furthermore, the Electronic Communications Act (2022:482) (the "Electronic Communications Act") and the Electronic Communications Ordinance (2022:511) apply inter alia to electronic communications networks, electronic communications services, associated facilities and services, and other radio use. The Electronic Communications Act implements Directive (EU) 2018/1972 (the European Electronic Communications Code) and Directive 2002/58/EC (the so-called ePrivacy Directive). It governs the processing of personal data by providers of public electronic communications networks and publicly available electronic communications services, and regulates the use of so-called cookies.

Last modified 22 January 2024

The processing of personal data is mainly regulated by the Federal Act on Data Protection of 25 September 2020 (FADP) and its ordinances, i.e., the Ordinance on Data Protection (ODP) and the Ordinance on Data Protection Certification. The FADP (including its ordinances) entered into force on 1 September 2023 and became effective without any transition period.

The FADP has recently been revised with the aim to strengthen data protection in general and to align it with the requirements of the EU General Data Protection Regulation (GDPR) in order to facilitate compliance of Swiss companies with those aspects of the GDPR that are applicable to controllers or processors outside of the EU, and to ensure that the EU will continue to consider Switzerland as providing an adequate level of data protection. However, the FADP continues to provide for certain deviations from the GDPR, thus requiring certain “Swiss Add-Ons” in a number of areas.

The processing of personal data is further restricted by provisions in other laws, mainly with regard to the public sector and regulated markets.

Key differences between the former and the new FADP

  • Scope of “personal data”: The former FADP was applicable to personal data pertaining to both natural persons and legal persons. In contrast, the new FADP only protects personal data of natural persons.
  • Data processing principles: While the data processing principles have essentially remained the same, the new FADP, in addition, explicitly provides for the principles of “privacy by design” and “privacy by default”.
  • Information obligation: With the new FADP, an extended duty to inform data subjects has been introduced.
  • Additional obligations: The new FADP imposes a number of additional obligations. In particular, the controller and/or processor must, under certain circumstances, maintain records of processing activities, perform data protection impact assessments and notify data security breaches.
  • Data subject rights: With the new FADP, certain data subject rights have been extended and a new right to data portability has been introduced.
  • Supervisory authority: The new FADP grants the supervisory authority expanded powers, in particular to issue administrative measures in the event that data protection provisions have been violated.
  • Sanctions: While the new FADP continues to provide for criminal sanctions that are (primarily) directed against the responsible individual, the catalogue of punishable offences has been extended and the fines have been significantly increased.

Territorial scope

The FADP, like the GDPR, has an extraterritorial scope and is applicable to circumstances that have an effect in Switzerland, even if they were initiated abroad. This includes, for instance, international companies with group entities in Switzerland or, under certain circumstances, international companies even without such subsidiary in Switzerland based on their doing business in Switzerland. For civil claims, the Swiss conflict of law rules apply.

In addition, the FADP provides that private controllers domiciled abroad must designate a representative in Switzerland if they process personal data of data subjects in Switzerland and if the data processing fulfils all of the following requirements:

  • the processing is connected to offering goods or services in Switzerland or to monitoring the behaviour of data subjects in Switzerland;
  • the processing is extensive;
  • the processing is carried out regularly; and
  • the processing involves a high risk for the personality of the data subjects.
Last modified 22 August 2023

The principal laws are the Taiwan Personal Data Protection Act (“PDPA”), as most recently amended on May 31, 2023, and the Enforcement Rules of the Personal Data Protection Act (“Enforcement Rules”), as most recently amended on March 2, 2016.

Last modified 18 December 2023
  • Personal Data Protection Law, No.1537 of 3 August 2018
  • Protection Data Law, No.631 of 15 May 2002
  • Informatization Law, No. 40 of 6 August 2001 – Legislation has passed (April 04, 2019, No 1595) that amends and supplements the Informatization Law but the amendments are only of a terminological nature.
  • Information Law, No.609 of 10 May, 2002
  • Regulation on Certification of Information Security Facilities, Attestation of Information Objects and the Procedure for Their State Registration, No.404 of 1 October 2004
  • The List of Information Security Facilities Subject to State Certification, No.424 of 24 February 2008
  • The decree of the Communication Service under the Government of the Republic of Tajikistan “On the Procedure of implementation by the owner, operator and third party of measures for personal data protection” dated 02.07.2021, #2.21-11
Last modified 27 January 2025

On 1 May 2023, the Personal Data Protection Act, 2022 (“PDPA”) came into force. The PDPA provides for matters relating to the protection of personal data and establishes the principles guiding, and the conditions for, the collection and processing of personal data. The principles guiding the protection of personal data are set out in section 5 of the PDPA and include the following:

  1. personal data must be processed lawfully, fairly, in a transparent manner ensuring its security and in accordance with the right to privacy of the data subject;
  2. personal data must be collected for explicit, specified, and legitimate purposes and not further processed contrary to those purposes;
  3. personal data must be accurate and kept up to date and corrected or deleted without delay when inaccurate;
  4. personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
  5. personal data must not be kept in a form which identifies the data subjects for longer than is necessary for the purposes for which it was processed; and
  6. personal data must not be transferred outside Tanzania contrary to the provisions of the PDPA.

In addition, the PDPA provides for the following, among other things:

  • Part 2 establishes the Personal Data Protection Commission (“Commission”), which is responsible for ensuring the implementation of the provisions of the Act. The Commission is also responsible for the registration of data processors and data collectors in Tanzania;
  • Part 3 provides for registration of the controllers and processors of personal data;
  • Part 4 provides for principles relating to collection, use, disclosure and storage of personal data;
  • Part 5 provides for transfer of personal data outside Tanzania; and
  • Part 6 provides for rights of the data subjects.

The Personal Data Protection (Personal Data Collection and Processing) Regulations, 2023 (“PDPA Regulations”) made under the PDPA also came into effect on 4 July 2023 and make provisions for matters connected with the PDPA.

The PDPA and its Regulations are the principal data protection laws, supplementing other laws providing for data protection in Tanzania, including the Constitution of the United Republic of Tanzania, 1977 (“Constitution”) and other sector-specific legislation, for instance the Electronic and Postal Communications Act, 2010 (“EPOCA”) and its regulations, applicable to the electronic and postal communications sector, and the National Payment System Act, 2015 (“NPS Act”) and the Bank of Tanzania (Financial Consumer Protection) Regulations, 2019, applicable to the financial services sector.

Last modified 25 January 2024

At a glance

  • Thailand's Personal Data Protection Act ("PDPA") became law on May 28, 2019. Following multiple extensions, it came into full force on June 1, 2022, after the formation of the Personal Data Protection Committee and the issuance of subordinate regulations.
  • Since the PDPA's full enforcement, several regulations have been issued, including guidelines on data collection for research, security measures for collecting and protecting criminal record data, and criteria for handling data subjects' requests for deletion, destruction, or anonymization of personal data.
  • In April 2024, a master plan was launched to enhance Thailand's data protection framework. It focuses on enforceability, raising public awareness, and promoting collaboration to align with global data protection standards.

On 28 May 2019, the Personal Data Protection Act ("PDPA") became law in Thailand. There was an original one-year grace period for the formation of the Personal Data Protection Committee and the issuance of subordinate regulations, as well as for organisations to become compliant with the PDPA. However, on 21 May 2020, the Royal Decree Establishing Organisations and Businesses that the Personal Data Controllers are Exempted from the Applicability of the PDPA B.E. 2563 (2020) ("Royal Decree") was published in the Royal Gazette, which effectively extended the implementation of the key provisions of the PDPA until 31 May 2021. On 8 May 2021, an amendment to the Royal Decree was published in the Royal Gazette (Royal Decree No. 2), which postponed the full enforcement of the PDPA for another year. The PDPA then came into full force on 1 June 2022.

In January 2022, the Personal Data Protection Committee was established. Various public hearings on the subordinate regulations have been held. Many of these subordinate regulations have been published, including three recent subordinate regulations released in 2024, which provide clarification on the following issues:

  • Measures that data controllers must comply with and implement for the collection of personal data for the purposes of (i) research or statistics under Section 24 (1) of the PDPA, and (ii) scientific, historical, or statistical research, or other public interests under Section 26 (5) (d) of the PDPA;
  • Permitted purposes for the collection of criminal record data and the required security measures for the protection of criminal record data, which include organizational measures, technical measures, and physical measures; and
  • Criteria for data controllers in handling data subjects' requests for deletion, destruction, or anonymization of personal data.

In addition, in April 2024, the Personal Data Protection Committee outlined a master plan for the enhancement and protection of personal data in Thailand for 2024-2027. This plan aims to strengthen enforceability, raise public awareness, and foster domestic and international collaboration to elevate Thailand’s data protection standards to align with global levels.

Given that the PDPA only came into full effect in June 2022, the law is still in its developmental stages, with many subordinate regulations anticipated to be promulgated in the future.

The key principles of the PDPA are highly influenced by the EU General Data Protection Regulation (often referred to as the GDPR), but with some key local differences. The PDPA acknowledges individual data subjects' right to control how their personal data is collected, stored, processed, and disseminated by data controllers, provides lawful bases for the processing of personal data, and prescribes the duties and responsibilities of data controllers and data processors. Whilst Thailand has adapted several concepts from the GDPR, there are still some unique national perspectives in the provisions on privacy notices and data subject rights, notably as regards consent. The data protection obligations under the PDPA generally apply to all organisations that collect, use, or disclose personal data in Thailand or of Thai residents, regardless of whether they are formed or recognised under Thai law, and whether they are residents or have a business presence in Thailand. This extraterritorial scope of the PDPA represents a significant expansion of Thailand's data protection obligations to cover all processing activities relating to Thailand-based data subjects.

Data controllers are permitted to continue to process personal data collected before 1 June 2022 if the purpose for which the personal data was collected remains the same. However, data controllers must publicise a consent withdrawal method and notify the data subjects of it, so that data subjects have the option to withdraw their consent / opt out. If a data controller uses or discloses personal data beyond the original purpose for which the data subjects had previously given consent, further specific consent is required for each separate purpose.

Last modified 6 January 2025

Based on English common law where not addressed by statute.

Last modified 15 February 2022

The Data Protection Act, 2011 (DPA) provides for the protection of personal privacy and information processed and collected by public bodies and private organizations.

The DPA was partially enacted on January 6, 2012 by Legal Notice 2 of 2012, and only Part I, sections 7 to 18, 22, 23, 25(1), 26 and 28 of Part II, and section 42(a) and (b) of Part III have come into operation, including the provisions on the processing of personal information under the control of a public body.

No timetable has been set for enacting the remainder of the DPA, and it is possible that there may be changes to the remainder of the legislation before it is proclaimed.

Last modified 26 January 2023

Tunisia has established itself as a regional pioneer in the protection of personal data, initiating efforts in this field as early as 2002. These initiatives were consolidated by the adoption of Law no. 2004-63 of July 27, 2004, which established a legal framework regulating personal data, reinforced by its implementing decrees, in particular:

  • Decree no. 2007-3003 of November 27, 2007, setting out the operating procedures of the National Authority for Personal Data Protection; and
  • Decree no. 2007-3004 of November 27, 2007, establishing the conditions and procedures for the declaration and authorization of personal data processing.

This legislative framework was subsequently ratified and strengthened in 2022 by a constitutional consecration of privacy protection. This major step forward elevated this right to a priority among the fundamental freedoms to be guaranteed in the new Tunisian Republic, thus affirming the country's commitment to data protection and privacy as a pillar of human rights.

Tunisia has also modernized its legal arsenal in response to digital challenges. Decree-Law no. 2022-54 of September 13, 2022 introduced strict sanctions against cybercrime, while Decree-Law no. 2023-17 of March 11, 2023 regulated cybersecurity and introduced the notion of “cloud” into Tunisian law for the first time. In particular, the decree imposes mandatory periodic audits on companies carrying out automated data processing.

To accompany these reforms, several ministerial orders published in September 2023 specified the terms of application:

  • Order of the Minister of Communication Technologies of September 12, 2023, setting out the procedures and mechanisms for classifying organizations subject to a mandatory periodic audit of their information systems;
  • Order of the Minister of Communication Technologies of September 12, 2023, establishing the technical audit criteria and the methods for following up the recommendations contained in the audit report;
  • Order of the Minister of Communication Technologies of September 12, 2023, defining the procedures and conditions for granting and withdrawing the “secure” label; and
  • Order of the Minister of Communication Technologies of September 13, 2023, specifying the procedures and conditions for granting, renewing and withdrawing the “Government Cloud Service Provider (G-cloud)” and “National Cloud Service Provider (N-cloud)” labels.

Additionally, articles 56, 61 and 75 of Organic Law n° 2015-26 of August 7, 2015 on the Fight Against Terrorism and the Prohibition of Money Laundering address the subject of personal data and when the use of personal data is permitted.

On November 1, 2017, Tunisia became the 51st Member State of Council of Europe Convention 108 and of its Additional Protocol No. 181 on supervisory authorities and transborder data flows.

In March 2018, it introduced in Parliament a new draft law on the protection of personal data in line with the European GDPR; however, the law has not yet been passed.

In Tunisia, there is a whole legal arsenal relating to the processing of personal data.

In addition to the above-mentioned texts, there are also decisions rendered by the National Authority for the Protection of Personal Data (the “Instance”), such as:

  • Decision n° 2 of October 6, 2017 on the processing of personal data in the political field;
  • Decision n° 3 of September 5, 2018 establishing the countries that represent an adequate level of protection of personal data;
  • Decision n° 4 of September 5, 2018 organizing personal health data;
  • Decision n° 5 of September 5, 2018 establishing the conditions and procedures for the installation of cameras and video surveillance; and
  • Decision n° 6 of July 2, 2019 concerning control activities carried out by the National Authority for the Protection of Personal Data.
Last modified 27 January 2025

The main piece of legislation covering data protection in Turkey is the Law on the Protection of Personal Data No. 6698 dated April 7, 2016 (LPPD). The LPPD is primarily based on EU Directive 95/46/EC.

To date, the legislature has enacted several regulations to implement various aspects of the LPPD. The notable ones are mentioned below:

  • Regulation on the Erasure, Destruction and Anonymizing of Personal Data (published in the Official Gazette dated October 28, 2017, numbered 30224);
  • Regulation on the Working Procedures and Principles of Personal Data Protection Board (published in the Official Gazette dated November 16, 2017, numbered 30242);
  • Regulation on the Registry of Data Controllers (published in the Official Gazette dated December 30, 2017, numbered 30286);
  • Regulation on the Organization of Personal Data Protection Authority (published in the Official Gazette dated April 26, 2018, numbered 30403);
  • The Communiqué on Procedures and Principles for Compliance with the Obligation to Inform (published in the Official Gazette dated March 10, 2018, numbered 30356);
  • The Communiqué on the Principles and Procedures for Requests to Data Controllers (published in the Official Gazette dated March 10, 2018, numbered 30356);
  • The Decision of Data Protection Board, dated January 31, 2018, numbered 2018/10 on Adequate Measures to be taken by Data Controllers in Processing the Special Categories of Personal Data;
  • Regulation on the Procedures and Principles on Cross-Border Personal Data Transfers (published in the Official Gazette dated July 10, 2024, numbered 32598).

Certain general laws such as the Turkish Criminal Code no. 5237 and sector specific laws such as Electronic Communications Law No. 5809 also touch upon data protection and are mentioned below when relevant.

Last modified 27 January 2025

The Law of Turkmenistan No. 519-V ‘On Information about Private Life and its Protection’ (the ‘Data Protection Law’) is the main and only law governing matters relating to the collection and processing of personal data in Turkmenistan.

The Data Protection Law was enacted on 20 March 2017, i.e. after the adoption of the General Data Protection Regulation (the ‘GDPR’), and entered into force on 1 July 2017. The Data Protection Law partly reflects the rules and principles enshrined in the GDPR. However, the similarities between the Data Protection Law and the GDPR are few, and in most cases the Data Protection Law implements a simplified version of the approach taken by the GDPR.

Last modified 23 December 2022

Note: Please also see UAE – General, UAE – DIFC, UAE – DHCC.

The Abu Dhabi Global Market ("ADGM") is a financial freezone in Abu Dhabi emirate. The ADGM has powers to issue laws regarding its governance. On 14 February 2021 the ADGM issued the ADGM Data Protection Regulations 2021 ("DPR").

An important feature of the new framework is the establishment of an independent Office of Data Protection, headed by a Commissioner of Data Protection.

In order to assist businesses in understanding the requirements of the DPR, and how those should be applied to their activities, in August 2021 the Office of Data Protection issued a suite of eight guidance documents which cover the following topics:

  1. General overview;
  2. Data subject rights;
  3. Data protection by design and default, fees, record of Processing activities (“ROPA”), data protection officers (“DPOs”) and Processor obligations;
  4. Data protection impact assessments (“DPIAs”);
  5. Security of Processing and data breaches;
  6. International transfers;
  7. Codes of conduct and the role of the Commissioner of Data Protection and the Office of Data Protection; and
  8. Individual Rights and Remedies.
Last modified 9 January 2024

Note: Please also see UAE – General, UAE – ADGM, UAE – DHCC.

The Dubai International Financial Centre (“DIFC”) is a financial freezone in Dubai emirate. The DIFC has powers to issue laws regarding its governance. The DIFC Law No. 5 of 2020 on Data Protection Law (“DPL”) came into effect in July 2020.

In addition, alongside the DPL, a new set of accompanying Data Protection Regulations (“DPRs”) was introduced. These were updated in 2023 to include regulations on processing via artificial intelligence systems.

Last modified 27 January 2025

Note: Please also see UAE – General, UAE – DIFC, UAE – ADGM.

The Dubai Healthcare City ("DHCC"), a healthcare free zone in Dubai, implemented the DHCC Health Data Protection Regulation No. 7 of 2013 (which repealed and replaced the DHCC Data Protection Regulation No. 7 of 2008) ("HDPR").

The HDPR regulates the protection of Patient Health Information, as opposed to 'personal data'.

Note that as opposed to the ICT Health Law, which applies to entities across the UAE, including within freezones such as the DHCC (please see UAE – General), the DHCC HDPR only applies to those entities licensed within the DHCC and to patient information generated and stored therein.

In addition to the HDPR, the DHCC has also issued certain guidelines and standards, some of which have implications from a personal data protection standpoint, such as the DHCR Telehealth Standard (2017).

While the DHCC continues to make the HDPR available on its website, the DHCC website also notes that “All healthcare regulations in the Dubai Healthcare City free zone are managed by Dubai Health Authority. Please click here for more information on all healthcare regulations related-matters”.

Therefore, the actual application of the DHCC HDPR may still be subject to the interpretation and application of the Dubai Health Authority (“DHA”), including the application of the DHA’s own Policy for Health Data Protection and Confidentiality 2022.

Last modified 27 January 2025

Generally

As part of the 50th anniversary of its founding, the United Arab Emirates (“UAE”) issued a set of sweeping legal reforms, including the much anticipated Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (“PDPL”), which was issued on 26 September 2021.

The executive regulations to the PDPL (“Executive Regulations”) were due to be published within six months of the issuance of the PDPL. However, as of 6 January 2025, they have not yet been published. Once the Executive Regulations are issued, organisations have a further six months from the date of their issuance in which to bring their operations into compliance with the PDPL.

Reassuringly, the PDPL does not contain any major divergences from other well-known data protection regimes, including the GDPR. In this regard we expect it will be welcomed by local, regional and international businesses, in particular those that rely heavily upon personal data and international personal data flows. International businesses with global privacy compliance programs should seek to expand those to cover the UAE and achieve some synergies. However, businesses that are not used to compliance with laws like the GDPR may find some of the new obligations challenging; for example, the PDPL introduces rights for individuals to access, rectify, correct, delete, restrict processing, request cessation of processing or transfer of data, and object to automated processing. There are also new requirements around transfers of data outside of the UAE, requirements to keep data secure, and requirements to notify the new data protection regulator, and in some circumstances Data Subjects, of data breaches. The requirements regarding keeping data secure, and the new data breach obligations, will definitely up the ante for businesses in the UAE to take cyber security seriously.

Territorial scope

The PDPL applies to:

  • processing of personal data of people residing in the UAE, or people having a business within the UAE;
  • each Controller or Processor inside the UAE, irrespective of whether the personal data they process is of individuals inside or outside the UAE; and
  • each Controller or Processor located outside the UAE who carries out processing activities of Data Subjects that are inside the UAE.

Other data protection and privacy laws in the UAE

The PDPL keeps intact existing data protection and privacy laws within the UAE’s financial free zones, the DIFC and ADGM, as well as the rules of the Dubai Healthcare City (links to our summaries are above) and the applicable onshore laws regulating health data and banking and credit data. For this reason the data protection landscape in the UAE (and the wider GCC region) remains complex to navigate and somewhat fragmented, meaning that the application of the PDPL will need to be considered carefully.

There are several UAE federal level laws that contain various provisions in relation to privacy and the protection of personal data:

  • United Arab Emirates Constitution of 1971;
  • Federal Law 31 of 2021, on the Issuance of the Crimes and Penalties Law (“UAE Criminal Law”);
  • Federal Decree Law No. 34 of 2021 on Combatting Rumors and Cybercrimes (“UAE Cyber Crime Law”);
  • Federal Law by Decree No. 3 of 2003 (as amended) On Organising the Telecommunications Sector (“UAE Telecommunications Law”), including several implementing regulations / policies enacted by the Telecommunications and Digital Government Regulatory Authority ('TDRA') in respect of the data protection of telecoms consumers in the UAE.

There are also some federal level sectoral regulations in banking and finance, and in health, which should be considered.

The Central Bank Law (Federal Law No. 14 of 2018); Central Bank’s Consumer Protection Regulation issued under Central Bank Notice No. 444 of 2021, and related Central Bank Consumer Protection Standards issued under Notice No. 1158 of 2021 on Consumer Protection Standards

Article 120 of the Central Bank Law requires that all data and information related to customers should be considered confidential in nature.

On 31 December 2020 the UAE Central Bank published its Consumer Protection Regulation. It applies to all Central Bank Licensed Financial Institutions, which had one year in which to ensure their compliance.

Article 6 of the Consumer Protection Regulation requires that Licensed Financial Institutions must collect the minimal amount of Consumer Data and information needed in respect of their licensed activities and remain in compliance with all other related laws and treat Consumers' information relationships and business affairs as private and confidential.

The Central Bank Consumer Protection Standards outline detailed requirements with which Licensed Financial Institutions must comply. These standards include Licensed Financial Institutions:

  • having a proper Data Management Control Framework;
  • using secure digital transaction processing and controls;
  • designating responsibility and accountability for the data management and protection function to a senior position in management who reports directly to senior management;
  • ensuring personal data is:
    • collected for a lawful purpose directly related to the Licensed Financial Activities of the Licensed Financial Institution;
    • adequate and not excessive in relation to the stated purpose; and
    • collected with appropriate security and protection measures against unauthorized or unlawful processing and accidental loss, destruction, or damage;
  • notifying consumers prior to requesting consent to share consumer personal data;
  • obtaining express consent of consumers prior to use or sharing of their data;
  • retaining all personal data, documents, records and files securely for a minimum of 5 years;
  • notifying the Central Bank of any material data breaches, losses, destruction or alteration when they occur.

Central Bank’s Stored Value Facilities Regulation

On 30 September 2020 the UAE Central Bank issued a new Stored Value Facilities Regulation (“SVF Regulation”), repealing and replacing the Regulatory Framework for Stored Values and Electronic Payment Systems it had issued in September 2016. While the SVF Regulation makes amendments to the licensing and enforcement regime for SVF (in onshore UAE only; it does not apply in, or affect, the DIFC and ADGM free zones), from a data protection perspective little has changed. The SVF Regulation applies to those providing Stored Value Facilities, which is now defined as:

 A facility (other than cash) for or in relation to which a Customer, or another person on the Customer's behalf, pays a sum of money (including Money's Worth such as values, reward points, Crypto-Assets or Virtual Assets) to the issuer, whether directly or indirectly, in exchange for: (a) the storage of the value of that money (including Money's Worth such as values, reward points, Crypto-Assets or Virtual Assets), whether in whole or in part, on the facility; and (b) the “Relevant Undertaking”. SVF includes Device-based Stored Value Facility and Non-device based Stored Value Facility.

Article 10 of the SVF Regulation requires that licensees providing SVF services (“SVF Licensee”) must have in place adequate policies, measures and procedures to protect their information and accounting systems, databases, books and accounts, and other records and documents from unauthorized access, unauthorized retrieval, tampering and misuse.

An SVF Licensee must also adequately protect customer data (including customer identification and transaction records) which are required to be stored and maintained in the UAE. Such data can only be made available to the corresponding customer, the Central Bank, other regulatory authorities following prior approval of the Central Bank, or by a UAE court order. An SVF Licensee must store and retain all customer and transaction data for a period of five years from the date of the creation of the customer data, or longer if required by other laws.

Article 8 of the SVF Regulation requires that outsourcing arrangements must also contain adequate data protection and data handling controls.

Central Bank’s Retail Payment Services and Card Schemes Regulation

On 6 June 2021, the UAE Central Bank issued the Retail Payment Services and Card Schemes[1] Regulation (“Retail Services Regulation”). The Retail Services Regulation outlines obligations and controls for the provision of Retail Payment Services and Card Schemes.

A Retail Payment Service includes any of the following: Payment Account Issuance Services; Payment Instrument Issuance Services; Merchant Acquiring Services; Payment Aggregation Services; Domestic Fund Transfer Services; Cross-border Fund Transfer Services; Payment Token Services; Payment Initiation Services; and Payment Account Information Services. The Retail Services Regulation does not apply to Stored Value Facilities.

Article 10 of the Retail Services Regulation requires that Payment Service Providers must have in place adequate policies, measures and procedures in relation to corporate governance, risk management, accounting and audit, record keeping, notification requirements and professional indemnity insurance. Amongst other things, article 10 requires the maintenance of confidential information, and that Payment Service Providers keep all necessary records on Personal and Payment Data for a period of 5 years.

Payment Service Providers must also put in place measures to ensure all business records can be restored in case they are lost, and that Retail Payment Service Users can access their own records in a timely manner. Payment Service Providers are also obligated to notify users of any loss in their records, and make reasonable effort to ensure that personal records are not wrongfully used.

Article 14 covers obligations towards Retail Payment Service Users, including the protection of payment and personal data. It requires Payment Service Providers to put in place policies and procedures to protect payment data and personal data, and to disclose Payment and Personal Data only under the conditions outlined in the article.

The Retail Services Regulation further requires that Payment Service Providers store and maintain personal and payment data within the UAE, and must establish a safe and secure backup of all Personal and Payment Data in a separate location for the required period of 5 years.

Article 18 of the Retail Services Regulation concerns Card Schemes, and places an obligation on Card Schemes to notify the Central Bank in the case of a Data Breach no later than 72 hours after having become aware of such Data Breach.

ICT in Health Fields Law and Regulations, and Federal Ministerial Decision No 51 of 2021 Cases Allowing the Storage and Transfer of Medical Data and Information Out of the State

On 6 February 2019 Federal Law No. 2 of 2019 on the Use of the Information and Communication Technology (“ICT”) in Health Fields (“ICT in Health Fields Law”) was issued. The primary purpose of the ICT in Health Fields Law is to establish a central electronic system of medical records for use within the health industry in the UAE.

Article 13 of the ICT in Health Fields Law states that the Health Information and data related to the health services provided in the UAE may not be stored, processed, generated or transferred outside the UAE, unless in the cases defined by virtue of a decision issued by the Health Authority of the relevant emirate in coordination with the Federal Ministry of Health.

The Minister of Health issued a decision on 28 April 2021 outlining the circumstances when Health Information can be transferred outside of the UAE.

The UAE ICT in Health Fields Law applies to all Competent Entities.

“Competent Entity” is defined as:

Any entity in the State providing medical services, health insurance or national health insurance services, brokerage services, claims management services or electronic services in the medical field of any entity related, whether directly or indirectly, to the implementation of the provisions hereof.

“Health Information” is defined as:

The health information that were processed and were given a visual, audible or readable indication, and that may be attributed to the health sector, whether related to the health or insurance facilities or entities or to the health services beneficiaries.

On 22 April 2020 the Federal Cabinet issued Cabinet Resolution No. 32 of 2020 concerning the Regulations Concerning the Use of the Information and Communications Technology in the Areas of Health (“ICT in Health Fields Regulations”). The regulations provide further details, including on permission controls to access and use the central system, and on the storage and exchange of information on the central system.

Dubai Data Law

In December 2015 the Dubai Government published Dubai Law No. 26 of 2015 on the Regulation of Data Dissemination and Exchange in the Emirate of Dubai ("Dubai Data Law"). The purpose of the Dubai Data Law is to collate and manage data that relates to the emirate of Dubai and, where appropriate, to publish it as “Open Data” or at least ensure that it is shared between authorised persons. This law is considered unique as it is the only one in the world we are aware of that gives a government the power to require designated private sector entities to provide the government with information held by the company in relation to a city, for the purposes of making that information Open Data.

Footnotes

1. The Retail Services Regulation defines Card Schemes as “a single set of rules, practices and standards that enable a holder of a Payment Instrument to effect the execution of Card-based Payment Transactions within the State which is separated from any infrastructure of payment system that supports its operation, and includes the Card Scheme Governing Body. For the avoidance of doubt, a Card Scheme may be operated by a private or Public Sector Entity”.

Last modified 27 January 2025

Generally, a person’s right to informational privacy is protected under Article 27 of the Constitution of the Republic of Uganda. The protection under the Constitution is supplemented by the Data Protection and Privacy Act, 2019 and the Data Protection and Privacy Regulations, 2021, which regulate the collection, processing, use, storage, and disclosure of personal data. The Act and Regulations apply to any person, entity or public body:

  • collecting, processing, holding or using personal data within Uganda; or
  • outside Uganda who is collecting, processing, holding or using personal data of Ugandan citizens.

The Data Protection and Privacy Act commenced on 3 May 2019 while the Regulations took effect on 12 March 2021.

There are also other sector specific laws that incorporate data protection provisions applicable to the activities governed under those laws. These laws include, but are not limited to:

  • The Access to Information Act, 2005;
  • The Regulation of Interception of Communications Act, 2010 and Regulations, 2023;
  • The Computer Misuse Act, 2011 (as amended); and
  • The Registration of Persons Act, 2015.
Last modified 27 January 2025

The Law of Ukraine No. 2297-VI "On Personal Data Protection" of June 1, 2010 (Data Protection Law) is the main legislative act regulating personal data protection in Ukraine. On December 20, 2012, the Data Protection Law was substantially amended by the Law of Ukraine "On Introducing Amendments to the Law of Ukraine 'On Personal Data Protection'" dated November 20, 2012, No. 5491-VI. Additional significant changes to the Data Protection Law were introduced by the Law of Ukraine "On Amendments to Certain Laws of Ukraine regarding Improvement of Personal Data Protection System" dated July 3, 2013, No. 383-VII, which came into force on January 1, 2014.

In addition to the Data Protection Law, certain data protection issues are regulated by subordinate legislation specifically developed to implement the Data Protection Law, in particular:

  • Procedure of notification of the Ukrainian Parliament's Commissioner for Human Rights on the processing of personal data, which is of particular risk to the rights and freedoms of personal data subjects, on the structural unit or responsible person that organizes the work related to protection of personal data during processing thereof (Notification Procedure);
  • Model Procedure of processing of personal data (Model Procedure);
  • Procedure of control by the Ukrainian Parliament's Commissioner for Human Rights over the adherence of personal data protection legislation.

The Data Protection Law essentially complies with EU Data Protection Directive 95/46/EC.

The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, executed in Strasbourg on January 28, 1981 and the Additional Protocol to the Convention regarding supervisory authorities and trans-border data flows, executed in Strasbourg on November 8, 2001 were ratified by the Ukrainian Parliament on July 6, 2010 (Convention on Automatic Processing of Personal Data) and have become fully effective in Ukraine.

In addition, data protection is regulated by:

  • The Constitution of Ukraine dated June 28, 1996;
  • The Civil Code of Ukraine dated January 16, 2003, No. 435-IV;
  • Law of Ukraine "On Information" No. 2657-XII, dated October 2, 1992;
  • Law of Ukraine "On Protection of Information in the Information and Telecommunication Systems" dated July 5, 1994, No. 80/94-VR;
  • Law of Ukraine "On Electronic Commerce" dated September 3, 2015, No. 675-VIII; and
  • Some other legislative acts.

Furthermore, on October 25, 2022, the new Draft Law “On Personal Data Protection” No. 8153 was submitted to the Ukrainian Parliament. The draft law is aimed at harmonizing Ukrainian data protection legislation with the standards enshrined in the GDPR and Convention 108+. The draft law was adopted as a basis on November 20, 2024 and is currently being prepared for consideration in the second reading by the Ukrainian Parliament.

Last modified 27 January 2025

Following the UK’s exit from the European Union, the UK Government transposed the General Data Protection Regulation (Regulation (EU) 2016/679) into UK national law (thereby creating the “UK GDPR”). In so doing, the UK made a number of technical changes to the GDPR in order to account for its status as a national law of the United Kingdom (e.g. to change references to “Member State” to “the United Kingdom”). These changes were made under the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

At this time, all material obligations on controllers and processors essentially remain the same under the UK GDPR as under the ‘EU GDPR’.

The Data Protection Act 2018 (DPA) remains in place as a national data protection law, and supplements the UK GDPR regime. It deals with matters that were previously permitted derogations and exemptions from the EU GDPR (for example, substantial public interest bases for the processing of special category data, and context-specific exemptions from parts of the GDPR such as data subject rights).

In addition,

  • Part 3 of the DPA transposes the Law Enforcement Directive ((EU) 2016/680) into UK law, creating a data protection regime specifically for law enforcement personal data processing;
  • Part 4 of the DPA updates the data protection regime for national security processing; and
  • Parts 5 and 6 set out the scope of the Information Commissioner's mandate and her enforcement powers, and create a number of criminal offences relating to personal data processing.

In October 2024, the government proposed reforms to data protection and e-privacy laws through the new Data (Use and Access) Bill (DUAB). The DUAB follows the previous government’s unsuccessful attempts to reform these laws post-Brexit, which led to the abandonment of the Data Protection and Digital Information (No.2) Bill (DPDI Bill) in the run-up to the general election.

The Bill proposes very limited changes to the UK data protection regime. These are targeted and incremental and unlikely to have a material impact on day-to-day compliance for most businesses operating in the UK. Data protection is no longer the main focus of the Bill, with large sections of the Bill set aside to deal with wider digital policy matters, including smart data schemes and certification for digital identity service providers.

The Bill will be debated in the first months of 2025, and will likely be enacted through the course of the year.

Territorial Scope

The application of the UK GDPR turns principally on whether an organisation is established in the United Kingdom. As under the EU GDPR, an 'establishment' may take a wide variety of forms, and is not limited to a company registered in the United Kingdom.

The UK GDPR also has extra-territorial effect, following the same principles as set out in the EU GDPR. As a result, an organisation that is not established within the United Kingdom will be subject to the UK GDPR if it processes personal data of data subjects who are in the United Kingdom where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) to such data subjects in the United Kingdom or "the monitoring of their behaviour" (Article 3(2)(b)) as far as their behaviour takes place within the United Kingdom.

Last modified 6 February 2025

United States privacy law is a complex patchwork of national, state and local privacy laws and regulations. There is no comprehensive national privacy law in the United States. However, the US does have a number of largely sector-specific privacy and data security laws at the federal level, as well as many more at the state (and local) level. In recent years, beginning with California in 2018, states have begun to introduce and enact their own comprehensive privacy laws. Although bipartisan draft bills (e.g., the American Privacy Rights Act of 2024) have been introduced since then, changes in the political climate, industry influence, and the increasing complexity of privacy concerns have stifled efforts to pass an omnibus law. Thus, a comprehensive privacy law at the federal level is not expected to pass any time soon.

Federal and State Privacy Laws and Regulations

Federal laws and regulations include those that apply to financial institutions, telecommunications companies, credit reporting agencies and healthcare providers, as well as driving records, children’s online privacy, telemarketing, email marketing, biometrics, and communications privacy laws. 

There are also a number of state privacy and data security laws that can overlap with federal law(s)—some of these state privacy laws are preempted in part by federal laws, while others are not. Some US states also have privacy and data security laws and regulations that apply across sectors and go beyond requirements imposed by federal laws—such as data security laws, secure destruction, Social Security number privacy, online privacy, biometric information privacy, and data breach notification laws. Generally, these state laws apply to personal information about residents of, or activities that occur within, each of these states, respectively. Thus, many businesses operating in the United States must comply not only with applicable federal law, but also with numerous state privacy and security laws and regulations.

For example, California alone has more than 25 state privacy and data security laws, including the comprehensive CCPA, which provides definitions and broad individual rights and imposes requirements and restrictions on the collection, use, disclosure, and processing of personal information of CA residents. The CCPA is unique among the existing state comprehensive privacy laws in that it applies not only to personal information related to consumers but also in the HR and B2B context. Enforcement of the updated CCPA regulations, which were finalized March 29, 2023, commenced on March 29, 2024, by the newly established California Privacy Protection Agency, referred to as the ‘CPPA’ or ‘Agency.’ On November 8, 2024, the Agency Board voted to commence supplementary CCPA rulemaking on certain additional regulatory subjects: CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Companies. Specifically, the proposed regulations seek to (1) update existing CCPA regulations; (2) implement requirements for certain businesses to conduct privacy risk assessments and complete annual cybersecurity audits; (3) implement the right to access and opt out of being subject to ADMT; and (4) clarify when insurance companies must comply with the CCPA. The public comment period for these proposed regulations closes on February 19, 2025.

The CPPA also enforces the "Delete Act," effective January 1, 2024, which imposes deletion obligations on data brokers, thereby allowing consumers to more easily delete their personal information held by data brokers in California. Under the Delete Act, the CPPA must establish an accessible deletion mechanism by January 1, 2026. This mechanism is intended to allow consumers to make a single verifiable deletion request to have their data deleted by data brokers and their associated service providers or contractors.

In August 2022, the California legislature passed the California Age-Appropriate Design Code (CAADC), which was slated to take effect July 1, 2024, and would apply to companies that meet the definition of “business” under the CCPA and that provide online services that are likely to be accessed by individuals under 18 years of age. However, on September 18, 2023, a California District Court issued an injunction blocking the law from coming into effect on First Amendment grounds. Following an appeal to the Ninth Circuit by the California Attorney General's office, the fate of the law is currently uncertain. More information on the California Age-Appropriate Design Code is available online.

Similarly, Maryland has enacted the “Kids Code” and Connecticut amended its Consumer Data Protection Act to include similar protections for children’s personal information. Moreover, in January 2025, the Federal Trade Commission (FTC) finalized significant changes to the federal Children’s Online Privacy Protection Act (COPPA). While the FTC periodically reviews the COPPA rule, these rule changes are the first amendment to COPPA since 2013. According to the FTC, the final amended rule reflects technological advancements since COPPA was last amended and is intended to enhance online safety for children. More information on the amended rule is available online. The combined efforts of federal and state regulators are intended to pave the way for a safer digital landscape and ensure that children's privacy is prioritized in an increasingly connected world.

Beyond California’s CCPA, additional comprehensive state privacy laws have also taken effect, including the

  • Colorado Privacy Act, Connecticut Data Privacy Act (including amendments regulating consumer health data, children’s data, and social media platforms),
  • Delaware Personal Data Privacy Act,
  • Florida Data Privacy and Security Act,
  • Iowa Consumer Data Protection Act,
  • Montana Consumer Data Privacy Act,
  • Nebraska Data Privacy Act,
  • New Hampshire Consumer Expectation of Privacy Act,
  • New Jersey Personal Data Privacy Act,
  • Oregon Consumer Privacy Act,
  • Texas Data Privacy and Security Act,
  • Utah Consumer Privacy Act, and
  • Virginia Consumer Data Protection Act.

While not identical, these comprehensive state privacy laws are, with the exception of the CCPA, substantially similar to each other in most respects, but may differ in certain regards, for example, scope, privacy notice disclosures, privacy rights, and certain key definitions. These state laws are also generally inapplicable to personal information collected about, and processed in the context of, employee and business relationships. While the CCPA has some practical similarities with these state laws, it adopts more granular definitions, requirements, and restrictions that vary considerably from these laws, and, notably, also applies to personal information collected from California residents in employment and B2B contexts.

There have also been significant developments in the health data space, beginning in 2023 with Washington passing the landmark My Health My Data Act (MHMD). The law ostensibly applies only to consumer health data, but its exceptionally broad definitions and scope, combined with its private right of action, may mean its enforcement touches on data many companies may not typically consider “health” data. More information on the MHMD Act is available online. Since MHMD, other states have followed suit—Nevada passed the Nevada Consumer Health Data Privacy Law through Senate Bill 370, effective March 31, 2024, and Connecticut amended the Consumer Data Privacy Act to include similar provisions for protecting consumer health data, effective October 1, 2023.

Finally, the pace of state privacy legislation has continued to accelerate overall, with the following states also passing their own comprehensive privacy laws or variations thereof, and even more states introducing similar legislation:

  • Tennessee (effective July 1, 2025)
  • Minnesota (effective July 21, 2025)
  • Maryland (effective November 1, 2025)
  • Indiana (effective January 1, 2026)
  • Kentucky (effective January 1, 2026)
  • Rhode Island (effective January 1, 2026)

Enforcement of Unfair and Deceptive Trade Practices

In the United States, consumer protection laws, which prohibit unfair and deceptive business practices, provide another avenue for enforcement against businesses for their privacy and security practices.

At the federal level, the US Federal Trade Commission (FTC) uses its authority to protect consumers against unfair or deceptive trade practices, to take enforcement actions against businesses for materially unfair privacy and data security practices. The FTC uses this authority to, among other things, take enforcement actions and investigate companies for:

  • Failing to implement reasonable data security measures
  • Making materially inaccurate or misleading privacy and security statements, including in privacy policies
  • Failing to abide by applicable industry self-regulatory principles
  • Transferring or attempting to transfer personal information to an acquiring entity in a bankruptcy or M&A transaction, in a manner not expressly disclosed on the applicable consumer privacy policy
  • Violating consumer privacy rights by collecting, using, sharing or failing to adequately protect consumer information, in violation of standards established in their prior enforcement precedents

Many state attorneys general have similar enforcement authority over unfair and deceptive business practices, including failure to implement reasonable security measures and violations of consumer privacy rights that harm consumers in their states. State attorneys general also sometimes work together on enforcement actions against companies for actions that broadly affect the consumers of multiple states (such as data breaches).

Key Areas of Privacy Class Action

Privacy class actions continue to be a significant risk area in the United States, including in the context of biometric privacy (under the Illinois Biometric Privacy Act), text messaging (under the federal Telephone Consumer Privacy Act) and call recording, wiretapping and related claims under the California Invasion of Privacy Act, the Video Privacy Protection Act (VPPA) and other state laws. Online monitoring and targeting activities—including via cookies, pixels, chat bots, and so-called “session replay” tools—are an area of particular focus in the eyes of both regulators and plaintiffs’ attorneys. Under the CCPA, data breaches due to inadequate security measures allow for a private right of action. These trends highlight the evolving landscape of privacy litigation, emphasizing the need for businesses to comply with stringent data protection regulations to avoid legal repercussions.

Last modified 6 February 2025

Data Protection Act Law No. 18.331 (11 August 2008); Decree No. 414/009 (31 August 2009), Arts 47 to 40; Act Law No. 19.670 (15 October 2018); Decree No. 64/2020 (17 February 2020); and Arts 62 and 63, Act No. 20.075 (20 October 2022).

Last modified 28 January 2024

The main legal act governing processing and protection of personal data in Uzbekistan is the Law of the Republic of Uzbekistan No. ZRU-547 "On Personal Data" ("Law on Personal Data"), adopted on 2 July 2019 and effective from 1 October 2019.

The scope of application of the Law on Personal Data is rather broad, as it applies to relations arising from processing and protection of personal data, regardless of the applied means of processing, including information technologies.

Apart from the Law on Personal Data, there are certain legal acts that establish fundamental principles of data protection and processing and / or set liability for violation of data protection rules. They include:

  • Constitution of the Republic of Uzbekistan (in the new edition), effective from 1 May 2023;
  • Civil Code of the Republic of Uzbekistan, effective from 1 March 1997;
  • Labour Code of the Republic of Uzbekistan (in the new edition), effective from 30 April 2023;
  • Code of the Republic of Uzbekistan on Administrative Liability, effective from 1 April 1995 (‘Code on Administrative Liability’);
  • Criminal Code of the Republic of Uzbekistan, effective from 1 April 1995 (‘Criminal Code’);
  • Law No. 439-II 'On Principles and Guarantees of Freedom of Information' dated December 12, 2002; and
  • Law No. 560-II 'On Informatization' dated December 11, 2003.

Lastly, there are also sector-specific laws applicable depending on the type of industry. Data protection regulation exists mainly in financial, telecommunication, health and insurance sectors and consists of the following legal acts:

  • Law No. 530-II 'On Bank Secrecy' dated August 30, 2003, under which a bank is prohibited from disclosing bank secrets and must guarantee their protection;
  • Law No. 265-I 'On Protection of Citizens’ Health' dated August 29, 1996, under which medical secrecy is protected;
  • Law No. ZRU-730 'On Insurance Activities' (in the new edition) dated November 23, 2021, under which insurance companies must guarantee the confidentiality of information which became available in the course of provision of insurance services; and
  • Law No. ZRU-1015 'On Telecommunications' dated December 28, 2024, under which all operators and service providers are obliged to ensure the secrecy of communications.

Last modified 27 January 2025

There is no specific legislation about data privacy or data protection in Venezuela; however, there are isolated provisions in some existing laws that regulate certain aspects related to data protection (e.g., the Law on Privacy Protection of Communications, the Special Law against Computer Crimes, the Organic Law on Prevention, Conditions, and the Working Environment, the Civil Code, and Communications from the National Superintendency of Banks).

Likewise, the Constitution of the Bolivarian Republic of Venezuela (the "Constitution") establishes general principles that serve as a framework for the protection of information. These principles were developed by decision No. 1318 of the Supreme Court of Justice ("TSJ" for its Spanish acronym) of August 2011, guarding the honour, privacy, intimacy, self-image, confidentiality, and reputation of individuals. The principles are:

  • Principle of free will, which implies the need for a prior, free, informed, unequivocal and revocable consent for the use and collection of personal data.
  • Principle of legality, according to which the collection of personal data entails that the limitation to informational self-determination is the result of a legal provision.
  • Principle of purpose and quality, which means that the collection of personal data must respond to predetermined purposes, motives, or causes that are not contrary to constitutional and legal provisions, also a prerequisite to obtain valid consent. Data can only be extracted and treated for the fulfilment of specific, explicit, and legitimate purposes related to the activity of those who obtain them. This principle entails the necessary proportionality in the collection of data, which must be adequate, relevant, and not excessive.
  • Principle of temporality or conservation, under which the data should be preserved only until the purposes or objectives of its collection are achieved.
  • Principle of accuracy and self-determination, which means that the data must be complete, accurate and up to date, reflecting the real situation of the person, as the data may be subject to control by the individuals whose data is collected. The interested party must have clear and expeditious procedures to obtain from the person responsible for the use or receipt of the information: the confirmation of the use of data; the purposes of such registers and its recipients; the rectification or cancellation of inaccurate, inadequate, or excessive data; and the knowledge of such modifications by those to whom wrong information has been communicated.
  • Principle of foreseeability and integrity: although the rights relating to the collection of information should be initially aimed at protecting the rights of the individuals whose information is collected, the analysis of the impact that the collection of data has on such rights cannot be isolated and without reference to data that may be collected in other registries.
  • Principle of security and confidentiality, which implies the guarantee of confidentiality, of no alteration of data by third parties, and of access to such data by the competent authorities in accordance with the law. The data must be protected from alteration, loss, accidental destruction, unauthorised access, or fraudulent use. This protection goes as far as preventing international data transfers to States whose legislation does not guarantee a level of protection similar to the one described.
  • Principle of guardianship, which means that in addition to having judicial protection to enforce the right to access the information and obtain knowledge of the use of the personal data, there should be public entities that ensure the right to the protection of personal data, with powers to create or implement simplified models based on technical standards to measure the level of efficiency of the structures and procedures in place and the level of protection of the personal data.
  • Principle of liability, under which a violation of the right to the protection of personal data gives rise to liability and the imposition of civil, criminal, and administrative penalties, as the case may be.

Also, Article 28 CRBV sets out the right of individuals to access their personal information stored in public or private records, to know for what use such information will be recorded, and to rectify or destroy it when incorrect or when it unlawfully affects their rights. Although there is no legal regulation in this regard, the TSJ has accepted the possibility of maintaining this information and personal data in systems or records, stored in a way that a profile of the individuals can be built with the purpose of using the information for personal gain or for third parties, as long as the rights set out in Article 28 CRBV are respected. According to this Article, a double right is guaranteed: (i) to collect information about people and their goods, and (ii) to access such information once it has been collected and is reflected in the records. However, whoever collects the information or data of individuals or their goods shall respect the right of the people to protect their honour, privacy, intimacy, self-image, confidentiality, and reputation, all of this provided in Article 60 CRBV.

Additionally, the decision also stipulates that the particular data that someone keeps for study purposes, for personal use or to fulfil professional objectives, which do not form a system capable of producing a total or partial profile of individuals, are not subject to these principles, since they lack a general projection. However, records that, when cross-referenced with others, make it possible to outline a profile of the private life of individuals, or of their economic situation, political tendencies, etc., could be part of the records protected by the Constitution. The mere potential of intersecting and complementing the data of a registry with the information stored in others that complete it makes the set of records subject to the rights referred to in Article 28 of the Constitution.

Last modified 12 December 2022

In 2023, Vietnam passed its first comprehensive data protection law, namely Decree No. 13/2023/ND-CP of the Government dated 17 April 2023 on Personal Data Protection (“PDPD”). However, the PDPD does not supersede data protection rights and obligations set out under other legislation in Vietnam. In particular, the right of privacy and the right of reputation, dignity and honour, and the fundamental principles of such rights, are provided for in the Constitution 2013 ("Constitution") and Civil Code 2015 ("Civil Code") as inviolable and protected by law.

Regarding personal information, the key principles on collection, storage, use, process, disclosure or transfer of personal information are specified in the following main laws and guiding documents, among others:

  • Criminal Code No. 100/2015/QH13, passed by the National Assembly on 27 November 2015; as amended from time to time ("Criminal Code");
  • Law No. 24/2018/QH14 on Cybersecurity, passed by the National Assembly on 12 June 2018 ("Cybersecurity Law");
  • Law No. 86/2015/QH13 on Network Information Security, passed by the National Assembly on 19 November 2015; as amended by Law No. 35/2018/QH14 dated 20 November 2018, on amendments to some articles concerning planning of 37 Laws ("Network Information Security Law");
  • Law No. 60/2024/QH15 on Data, passed by the National Assembly on 30 November 2024 (“Data Law”);
  • Law No. 19/2023/QH15 on Protection of Consumers' Rights, passed by the National Assembly on 20 June 2023 ("CRPL");
  • Law No. 67/2006/QH11 on Information Technology, passed by the National Assembly on 29 June 2006; as amended by Law No. 21/2017/QH14 dated 14 November 2017 on planning ("IT Law");
  • Law No. 20/2023/QH11 on E-transactions, passed by the National Assembly on 22 June 2023 ("E-transactions Law");
  • Decree No. 13/2023/ND-CP of the Government dated 17 April 2023 on Personal Data Protection (“PDPD”);
  • Decree No. 53/2022/ND-CP of the Government dated 15 August 2022 elaborating a number of articles of the Law on Cybersecurity of Vietnam ("Decree 53");
  • Decree No. 85/2016/ND-CP dated 1 July 2016, on the security of information systems by classification ("Decree 85");
  • Decree No. 147/2024/ND-CP dated 9 November 2024 of the Government, on management, provision and use of Internet services and online information ("Decree 147");
  • Decree No. 52/2013/ND-CP dated 16 May 2013 of the Government; as amended by Decree No. 08/2018/ND-CP dated 15 January 2018, on amendments to certain Decrees related to business conditions under state management of the Ministry of Industry and Trade and Decree No. 85/2021/ND-CP dated 25 September 2021 ("Decree 52");
  • Decree No. 91/2020/ND-CP of the Government dated 14 August 2020 on anti-spam messages, emails and calls ("Decree 91");
  • Decree No. 15/2020/ND-CP of the Government dated 3 February 2020 on penalties for administrative violations against regulations on postal services, telecommunications, radio frequencies, information technology and electronic transactions; as amended by Decree 14/2022/ND-CP of the Government dated 27 January 2022 ("Decree 15");
  • Decree No. 98/2020/ND-CP of the Government dated 26 August 2020 prescribing penalties for administrative violations against regulations on commerce, production and trade in counterfeit and prohibited goods, and protection of consumer rights; as amended by Decree No. 17/2022/ND-CP of the Government dated 31 January 2022 ("Decree 98");
  • Circular No. 12/2022/TT-BTTTT of the Ministry of Information and Communications dated 12 August 2022 on guidelines for Decree 85 ("Circular 12");
  • Circular No. 20/2017/TT-BTTTT dated 12 September 2017 of the Ministry of Information and Communications, providing for Regulations on coordinating and responding to information security incidents nationwide ("Circular 20");
  • Circular No. 24/2015/TT-BTTTT dated 18 August 2015 of the Ministry of Information and Communications, providing for the management and use of Internet resources, as latest amended and supplemented by Circular No. 21/2021/TT-BTTTT dated 8 December 2021 ("Circular 24");
  • Decision No. 05/2017/QD-TTg of the Prime Minister dated 16 March 2017 on emergency response plans to ensure national cyber-information security ("Decision 05");
  • Decision No. 724/QD-BTTTT of the Minister of Information and Communications dated 7 May 2024 on issuance of Criteria for basic network information security requirements applicable to surveillance cameras (“Decision 724”); and
  • Resolution No. 27/NQ-CP of the Government dated 7 March 2022 approving the Draft Personal Data Protection Decree ("Resolution 27").

Each aspect and each industry may have their respective regulating documents. In other words, the applicability of legal documents will depend on the factual context of each case, e.g. businesses in the banking and finance, education and healthcare sectors may be subject to specialized data protection regulations, not to mention regulations on employees’ personal information as provided in the Labour Code 2019 (“Labour Code”).

The most important Vietnamese legal documents regulating data protection are the PDPD, the Cybersecurity Law and the Network Information Security Law. However, it is worth noting that, unlike cybersecurity laws in other jurisdictions that were inspired by the GDPR of the EU, the Cybersecurity Law of Vietnam shares similarities with China's Cybersecurity Law enacted in 2017. Such law focuses on providing the government with the ability to control the flow of information; meanwhile, the Network Information Security Law enforces data privacy rights for individual data subjects.

The PDPD took effect on 1 July 2023 without any transitional period (save in limited cases), and has affected all local and foreign enterprises which directly participate in or relate to personal data processing activities in Vietnam. The PDPD is the most comprehensive regulation governing the field of personal data protection. It sets out for the first time the key definitions of “personal data”, “sensitive personal data”, “data controller”, “data processor”, “personal data processing”, etc., which should be carefully examined in order to duly comply with the PDPD.

The PDPD is designed to have extraterritorial effect. The scope of the PDPD extends to foreign agencies, organizations and individuals directly involved in or related to the processing of personal data in Vietnam. Therefore, regardless of whether foreign entities have a local presence in Vietnam or not, to the extent that such entities are involved in the collection and processing of personal data of Vietnamese citizens, they are subject to the requirements of the PDPD.

In 2024, the Ministry of Public Security (“MPS”) worked actively on a new Personal Data Protection Law. On 24 September 2024, the Vietnamese government released the first draft of this law, known as the Draft Personal Data Protection Law (“Draft PDPL”), for public consultation. Although the Draft PDPL includes many elements from the existing PDPD, it remains uncertain whether it will replace the PDPD or exist alongside it. The Draft PDPL covers a wide range of areas, including marketing services, behavioral advertising, big data processing, AI, cloud computing, employee monitoring and recruitment, financial banking and credit information, healthcare, insurance, social network and communication services through cyberspace, and more. The National Assembly will provide its initial feedback on this draft law during its 9th session (May 2025) and is expected to pass it in the final session of 2025 (November).

Decree 53 took effect on 1 October 2022 and notably sets out the requirements relating to data localization and the establishment of branches / representative offices of foreign service providers, which will be discussed further below.

A Draft Decree on Sanctioning of Administrative Violations in the field of Cybersecurity ("Draft Decree on Sanctioning") was released by the MPS for public consultation on 21 September 2021 and has been subject to many rounds of review since. The latest draft was released in 2024 and notably included sanctions for violations of the PDPD.

The Data Law regulates data processing in general (not limited to personal data) and introduces key terms such as “digital data,” “important data,” and “core data.” Scheduled to take effect on 1 July 2025, the Data Law aims at establishing a national database and a national data center. It also creates new market opportunities for local businesses by acknowledging data-related products and services, although these have yet to be defined.

Last modified 20 January 2025

Data Protection Act No. 3 of 2021 (the “DPA") and the Data Protection (Registration and Licensing) Regulations, 2021.

Last modified 27 January 2025

  • Cyber and Data Protection Act [Chapter 12:07] (the “Act”); and
  • Cyber and Data Protection (Licensing of Data Controllers and Appointment of Data Protection Officers) Regulations, 2024 (the “Regulations”).

Last modified 27 January 2025
