Posted: February 27th, 2023

Digital Ethics – 5

Topic: Global laws & litigation, BCI (Brain-Computer Interface) technology

1) Select a country or a region from the privacy laws around the world: Indicate which laws are present in this area and the level of maturity of these laws insofar as they pertain to privacy and the protection of people

2) Imagine that you are a lawyer working for the consumer protection organization in the selected country or region. BCI technology is being rolled out extensively in this country or region and you are trying to use the existing laws to protect people from the risks associated with it. What arguments do you use?

3) Where are the gaps between existing regulation and this innovation?

APA Format, 600 words, Due Feb 20th

NOVEMBER 2021

PRIVACY AND THE CONNECTED MIND
Understanding the Data Flows and Privacy Risks of Brain-Computer Interfaces

Authors

Jeremy Greenberg, Policy Counsel, Future of Privacy Forum
Katelyn Ringrose, Policy Fellow, Future of Privacy Forum
Sara Berger, Research Staff Member and Neuroscientist, IBM Research
Jamie VanDodick, AI Ethics Leader, Chief Privacy Office, IBM
Francesca Rossi, AI Ethics Global Leader, IBM
Joshua New, Technology Policy Executive and Senior Fellow, IBM Policy Lab

Acknowledgments

The Future of Privacy Forum would like to thank the following individuals for their advice and expertise: Dr. Tamara Bonaci, Assistant Teaching Professor at the Khoury College of Computer Sciences at Northeastern University; Dr. Laura Y. Cabrera, Dorothy Foehr and J. Lloyd Huck Chair in Neuroethics, Associate Professor, Center for Neural Engineering, The University of Pennsylvania State University; and Dr. Peter Reiner, Professor of Neuroethics at the University of British Columbia.

Thank you to FPF Policy Interns: Samuel Adams, Noah Katz, and Hannah Schaller for their contributions to this paper. An additional thank you to IBM legal counsel, Ron Leviner, and IBM Racial and Social Justice Scholar, Alex Baria, for their contributions to the paper, and to Guillermo Cecchi and Jeff Rogers from IBM for their suggestions.

FUTURE OF PRIVACY FORUM | IBM | PRIVACY AND THE CONNECTED MIND | NOVEMBER 2021 1

TABLE OF CONTENTS

Executive Summary ... 2
Introduction ... 4
Part I: BCIs are Devices That Can Both Record and Modulate an Individual’s Brain Signals Through the Collection and Processing of Neurodata ... 5
Part II: BCIs Provide Benefits and Present Risks in a Number of Sectors Including Health, Gaming, Employment, Education, Smart Cities, Neuromarketing, and the Military ... 11
Part III: A Mix of Technical and Policy Solutions Can Mitigate Risks ... 26
Conclusion ... 32
Endnotes ... 33

EXECUTIVE SUMMARY

This report provides an overview of the technology, benefits, privacy and ethical risks, and proposed recommendations for promoting privacy and mitigating risks associated with brain-computer interfaces (BCIs). BCIs are computer-based systems that directly record, process, or analyze brain-specific neurodata and translate these data into outputs that can be used as visualizations or aggregates for interpretation and reporting purposes and/or as commands to control external interfaces, influence behaviors, or modulate neural activity. While neurodata can take many forms, this report discusses “neurodata” as data generated by the nervous system, which consists of electrical activity between neurons or proxies of this activity. Personal neurodata refers to neurodata that is reasonably linkable to an individual.

BCI devices can be either invasive or non-invasive. Invasive BCIs are installed directly into—or on top of—the wearer’s brain through a surgical procedure. Today, invasive BCIs are typically used in the health context. Non-invasive BCIs rely on external electrodes and other sensors or equipment connected to or monitoring the body for collecting and modulating neural signals. Consumer-facing BCIs use various non-invasive methods, including headbands.

Some BCI implementations raise few, if any, privacy issues. For example, individuals using BCIs to control computer cursors might not reveal any more personal information than typical mouse users, provided BCI systems promptly discard cursor data. However, some uses of BCI technologies raise important questions about how laws, policies, and technical controls can safeguard inferences about individuals’ brain functions, intentions, moods, or identity. These questions are increasingly urgent in light of the many potential applications of expanded use of BCIs in:
› Healthcare – where BCIs could monitor fatigue, diagnose medical conditions, stimulate or modulate brain activity, and control prosthetics and external devices.

› Gaming – where BCIs could augment existing gaming platforms and offer players new ways to play using devices that record and interpret their neural signals.

› Employment and Industry – where BCIs could monitor workers’ engagement to improve safety during high-risk tasks, alert workers or supervisors to dangerous situations, modulate workers’ brain activity to improve performance, and provide tools to more efficiently complete tasks.

› Education – where BCIs could track student attention, identify students’ unique needs, and alert teachers and parents of student progress.

› Smart Cities – where BCIs could provide new avenues of communication for construction teams and safety workers and enable potential new methods for connected vehicle control.

› Neuromarketing – where marketers could incorporate the use of BCIs to intuit consumers’ moods and to gauge product and service interest.

› Military – where governments are researching the potential of BCIs to help rehabilitate soldiers’ injuries and enhance communication.

This report focuses on the current privacy impacts of BCIs, as well as the data protection questions raised by realistic, near-future use of BCIs. While the potential uses of BCIs are numerous, BCIs cannot at present or in the near future “read a person’s complete thoughts,” serve as an accurate lie detector, or pump information directly into the brain. It is important for stakeholders in this space to delineate between the current and likely future uses and far-off notions depicted by science fiction creators, so that we can identify urgent concerns and prioritize meaningful policy initiatives. We take seriously the concerns raised by futuristic potential developments and keep them in mind as we make recommendations, but in this paper we focus on the immediately pressing need to address issues already faced and likely to be faced in the upcoming decade.

Although the report primarily focuses on the privacy concerns—including questions about the transparency, control, security, and accuracy of data—involving existing and emerging BCI capabilities, these technologies also raise important technical considerations and ethical implications, related to, for example, fairness, justice, human rights, and personal dignity.1 These concerns are equally critical and complex, so this report highlights where additional ethical and technical concerns emerge in various use cases and applications of BCIs. Greater in-depth discussion of areas beyond privacy warrants additional research and careful consideration, and we hope to turn to those issues in future efforts.

To promote privacy and responsible use of BCIs, stakeholders should adopt technical guardrails including:

› Providing on/off controls when possible—including hardware switches if practical;

› Providing users with granular controls on devices and in companion apps for managing the collection, use, and sharing of personal neurodata;

› Providing heightened transparency and control for BCIs that specifically send signals to the brain, rather than merely receive neurodata;

› Designing, documenting, and disclosing clear and accurate descriptions regarding the accuracy of BCI-derived inferences;

› Operationalizing industry or research-based best practices for security and privacy when storing, sharing, and processing neurodata;

› Employing appropriate privacy enhancing technologies;

› Encrypting personal neurodata in transit and at rest; and

› Embracing appropriate protective and defensive security measures to combat bad actors.

Stakeholders should also adopt policy safeguards including:

› Ensuring that BCI-derived inferences are not allowed for uses to influence decisions about individuals that have legal effects, livelihood effects, or similar significant impacts—e.g. assessing the truthfulness of statements in legal proceedings, inferring thoughts, emotions or psychological state, or personality attributes as part of hiring or school admissions decisions, or assessing individuals’ eligibility for legal benefits;

› Employing sufficient transparency, notice, terms of use, and consent frameworks to empower users with a baseline of BCI literacy around the collection, use, sharing, and retention of their neurodata;

› Engaging IRBs and other independent review mechanisms to identify and mitigate risks;

› Facilitating participatory and inclusive community input prior to and during BCI system design, development and rollout;

› Creating dynamic technical, policy, and employee training standards to account for the gaps in current regulation;

› Promoting an open and inclusive research ecosystem by encouraging the adoption, where possible, of open standards for neurodata and the sharing of research data under open licenses and with appropriate safeguards in place. A similar open-skills approach could also be considered for a subset of direct-to-consumer BCIs; and

› Evaluating the adequacy of existing policy frameworks for governing the unique risks of neurotechnologies and identifying potential gaps prior to new regulation.

Key Terminology and Definitions

› Neurodata – Data generated by the nervous system,2 which consists of the electrical activities between neurons or proxies of this activity.

› Personal Neurodata – Neurodata that is reasonably linkable to an individual.

› Neurotech/Neurotechnology – Technology that collects, interprets, infers or modifies neurodata.

› Brain-Computer Interface (BCI) – Computer-based systems that directly record, process, or analyze brain-specific neurodata and translate these data into outputs that can be used as visualizations or aggregates for interpretation and reporting purposes and/or as commands to control external interfaces, influence behaviors, or modulate neural activity.

INTRODUCTION

Brain-computer interfaces (BCIs) are a prime example of an emerging technology that is advancing new areas of human-machine interaction. Today, BCIs are primarily used in the healthcare context for purposes including: rehabilitation, diagnosis, symptom management, and accessibility. While BCI technologies are not yet widely adopted in the consumer space, there is a recent interest in and proliferation of new direct-to-consumer neurotechnologies. The emergence of such technologies across various sectors offers numerous benefits and raises significant questions about user privacy.

When connected to the Internet,3 BCIs can be classified as a type of wearable or implanted instrument within the Internet of Bodies, a network of devices connected to, and generating information from, the human body.4 Such communication has long been supported by various interfaces, from the keyboard and mouse to touchscreens, voice commands, and gesture interactions. As computers become more integrated into daily human experience, new ways of commanding computer systems and experiencing digital realities have gained in popularity, with novel uses ranging from gaming to education.

While BCIs offer benefits from improving patient health outcomes to providing more immersive and customizable education, training, and entertainment, the technologies raise many of the same risks posed by digital home assistants, medical devices, and wearables. New and heightened risks associated with privacy of thought also emerge, resulting from recording, using, and sharing of a variety of neural signals.5 According to a recent report, consumers list privacy and security as major concerns regarding neural interfaces, second only to product safety.6 Sometimes, BCIs must always be on in order to function properly—particularly in the health and medical context. Always-on tech can collect more information than users expect, particularly when individuals are not provided sufficiently clear and detailed notice prior to consent. This report explores how BCIs fit into the broader scheme of next-generation interfaces, and suggests safeguards to mitigate potential privacy and security risks.

Because of the emerging nature of BCIs, it is important to consider both current and future-facing privacy and ethical risks based on technical capabilities, use cases, and the current understanding of neurodata. Along with identifying what neurodata and personal neurodata are collected by BCIs and what conclusions or inferences are drawn based on this data, it is equally important to specify what BCIs cannot achieve, especially given the current hype cycle surrounding technologies that can easily veer into unrealistic, sci-fi territory. At the moment, BCIs cannot read an individual’s precise thoughts, accurately determine whether someone is telling the truth or lying, or directly pump knowledge or skills into an individual’s brain or make someone “smarter.” While these capabilities could exist in the future and warrant discussion and debate, they are far attenuated from current realities. This report appreciates the importance of such discussions, but seeks to focus on the current—and likely, near-term—capabilities of BCIs discussed in this report.7

Part I: BCIs are Devices that Can Both Record and Modulate an Individual’s Brain Signals Through the Collection and Processing of Neurodata

A. BCIs are Computer-Based Systems that Record, Modulate—or Both Record and Modulate—Electrical Brain Signals, Which Can Be Translated Into Outputs

BCIs are computer-based systems that directly record, process, or analyze brain-specific neurodata and translate these data into outputs that can be used as visualizations or aggregates for interpretation and reporting purposes and/or as commands to control external interfaces, influence behaviors, or modulate neural activity. BCIs can be broadly divided into three categories: 1) those that record brain activity; 2) those that modulate brain activity; and 3) those that do both, also called bi-directional BCIs (BBCIs).8 BCIs that record brain activity are more commonly used in the healthcare, gaming, and military contexts. Modulating BCIs are typically found in the healthcare context. For example, modulating BCIs are used to treat Parkinson’s disease and other movement disorders by using deep brain stimulation to treat the rigidity, slowness, and resting tremors common in Parkinson’s patients.9 While BCIs technically refer to devices that directly record or modulate the brain, other related neurotechnologies indirectly record and modulate. One of the most successful examples of indirect stimulation is cochlear implants, which help restore hearing and suppress tinnitus by modifying the information that is provided to a compromised auditory system.10 BBCIs, which both record and modulate, can be an especially useful rehabilitation tool for spinal injuries or strokes.11

B. BCIs Can be Invasive or Non-Invasive and Employ a Number of Techniques for Collecting Neurodata and Modulating Neural Signals

BCIs can be invasive or non-invasive.12 Invasive BCIs are installed directly into—or on top of—the wearer’s brain through a surgical procedure. Today, invasive BCIs are used in the health context. For example, invasive clinical BCI implants have been used to improve patients’ motor skills.13 Invasive BCI implants can involve a number of different types of implants. An electrode array called a Utah array is installed into the brain and relies on a series of small metal spikes set within a small square implant to collect or modulate brain signals. New innovations like neural lace and neural dust are meant to drape over or be inserted into multiple areas within the brain.14

Utah array. Image courtesy Wikipedia.

Other prominent examples of invasive BCIs rely on electrocorticography (ECoG), in which electrodes are attached to the exposed surface of the brain to measure electrical activity of the cerebral cortex. ECoG is most widely used for helping medical providers locate the area that is the center of epileptic seizures. This detection helps facilitate more targeted medical treatment but does not constitute medical treatment itself.15

In April 2021, Neuralink—Elon Musk’s startup centered around creating a minimally invasive BCI—released a video of a macaque monkey playing a videogame using an invasive BCI.16 Explaining Neuralink’s invasive BCI prototype, “in a lot of ways,” Musk said, “it’s kind of like a Fitbit in your skull, with tiny wires.”17 While the Neuralink device is still in the prototype stage, the technology points to a possible future where invasive BCIs are used for commercial purposes, such as gaming, entertainment, education, and wellness. Today it seems unlikely that consumers would be willing to surgically implant a device into their brain for commercial enjoyment, cognitive monitoring, education, and other direct-to-consumer uses, but only time will tell whether invasive BCIs for commercial purposes will eventually become mainstream.

Unlike invasive BCIs, non-invasive BCIs do not require surgery. Instead, non-invasive uses of BCI technology rely on external electrodes and other sensors for collecting and modulating neural signals.

One of the most prominent examples of a non-invasive BCI technology is an electroencephalogram (EEG)—a method for recording electrical activity in the brain, with electrodes placed on the surface of the scalp to measure the activity of neurons in the brain.18 EEG-based BCIs are common in the gaming space, in which collected brain signals are used to control in-game characters and select in-game items. Another noteworthy non-invasive method is functional near-infrared spectroscopy (fNIRS), which measures proxies of brain activity via changes in blood flow to certain regions, specifically changes in oxygenated and deoxygenated hemoglobin concentrations, using near-infrared light.19 fNIRS is especially prominent in wellness and medical BCIs, such as those used to control prosthetic limbs.20

Other non-invasive techniques go beyond simply recording neurodata by also modulating the brain, which is one reason the term “non-invasive” is fairly contentious, with researchers and scientists finding the line between invasive and non-invasive uses of BCIs difficult to draw. For example, can a device that modulates a brain in a closed-loop fashion—meaning that neurodata recorded by the BCI serves as an input in how the BCI stimulates the user’s neural signals—ever truly be non-invasive? What about a device that is not implanted surgically, but still carries the potential for stimulation? For instance, transcranial direct current stimulation (tDCS)21 and transcranial magnetic stimulation (TMS)22 are both used to modulate neuroactivity in various areas, including the frontal lobes. Researchers have proposed that these forms of stimulation may increase memory and learning abilities; however, such claims are still under review.23 Non-invasive neurotechnologies should not be equated to non-harmful technologies—just because a device is not directly implanted to sit on or within the human brain does not mean that device does not pose unique health and other privacy and data use risks.24

An example of a non-invasive EEG-fitted BCI device.

BCIs are generally characterized by four components:25

› Signal Acquisition and Digitization: involves sensors (e.g. EEG, fMRI, etc.) measuring neural signals. The device amplifies signals to levels that enable processing and sometimes filters collected signals to remove unwanted data elements, such as noise and artifacts. These signals are digitized and transferred to a computer.

› Feature Extraction: As part of signal processing, applicable signals are separated from extraneous data elements, including artifacts and other undesirable elements.

› Feature Translation: Signals are transformed into usable outputs.

› Device Output: Translated signals can be used as visualizations for research or care, or they can be used as directed instructions, including feedforward commands utilized to operate external BCI components (e.g. external software or hardware like a robotic arm) or feedback commands which may provide afferent (conducted inward) information to the user or may directly modulate on-going neural signals.

An example of these components can be found in the following figure.

Figure: the four BCI components as a signal chain. Brain Signals → Signal Acquisition (EEG, ECoG, Single Unit) → Digitized Signal Processing (Feature Extraction, Translation Algorithm) → Control Signals → Device Command, with Feedback returning to the user.

While the focus of this report is technologies that record or influence neurodata from the brain, neurodata is also found throughout the nervous system (including from the spinal cord and peripheral nervous system) and thus similar but non-BCI neurotechnologies are being developed that capitalize on these downstream signals. Other invasive and non-invasive techniques include indirectly collecting neurosignals sent from the brain with sensors placed on other parts of the human body. For instance, an electromyography (EMG) sensor is a neurotechnology that can be worn non-invasively as a wristband26 or inserted into the human body to indirectly record motor neurons and their electrical activity in muscles.27 Today this method is typically used to diagnose neuromuscular abnormalities, but future use cases point to using EMG for detecting an individual’s intent to move fingers and other appendages for operating virtual keyboards and other devices.28

A Timeline of Interfaces29

Figure: a timeline of interface milestones. Entries shown: 1924, First Human EEG Recorded; 1952, First Voice Interface; First Virtual Reality Headset; First Successful Cochlear Implant; The Term “Brain-Computer Interface” is Coined; First Computer Mouse is Commercially Available; First Multi-Touch Touchscreen; First Invasive BCI That Produces High-Quality Signals; First Person to Control an Artificial Hand Using BCI; Paralysis Patients Control Robotic Arms Using BCI; First BCI to Restore Sensation to a Paralyzed Person; Signals from an Invasive BCI are Accurately Decoded Into Text with an Error Rate as Low as 3% When Tested On Vocabularies Up to 300 Words; BCI Provides Rudimentary Vision to a Low-Vision Patient; 2021, A Paralyzed Man Uses a BCI to Type with His Thoughts. Other years marked on the figure: 1968, 1969, 1973, 1982, 1998, 2005, 2012, 2016, 2018, 2019.

C. Recorded Neurodata Becomes Personal Neurodata When It is Reasonably Linkable to an Individual

Neurodata is data generated by the nervous system, which consists of the electrical activities between neurons or proxies of this activity. These neurons help carry out tasks, such as comprehension, movement, and communication. Neurodata can be either directly collected from the brain, or indirectly collected from an individual’s spinal cord, muscles, or peripheral nerves in the form of a downstream signal from brain activity or a preparatory signal prior to brain activity.

At times, neurodata can be personally identifiable when reasonably linkable to an individual or when combined with other identifying data associated with an individual, such as when part of a user profile. Personal neurodata is neurodata that could be reasonably linkable to a particular individual.30 The collection and processing of personal neurodata can produce information related to an individual’s biology and cognitive state. Additionally, the processing of personal neurodata can lead to inferences about an individual’s moods, intentions, and various physiological characteristics, such as arousal. Machine learning (ML) sometimes plays a role as a tool for helping determine if a neurodata pattern matches a general identifier or particular class or physiological state.

Although identifying individuals based solely on their collected personal neurodata is likely a difficult proposition, such identification has been shown to be possible with relatively little data (less than 30 seconds’ worth) within a lab setting,31 and some experts believe that such identification is feasible if not today, then in the near term.32 This possibility has implications for definitions pertaining to biometric data, as well as its permitted use. Personal neurodata can vary in levels of sensitivity, as certain personal neurodata can reveal seemingly innocuous data leading to few, if any, inferences about an individual; health information associated with an individual; or provide insight into an individual’s private feelings or intentions. For example, a BCI might reveal what object a gamer intends to select in a video game,33 which may or may not be innocuous; infer that a truck driver is becoming less alert while driving,34 which could reveal an individual’s sleeping habits; or it could reveal whether a patient is depressed, information pertaining to their health.35

In the future, BCIs could progress into new arenas, recording increasingly sensitive personal neurodata, leading to intimate inferences about individuals. Those arenas include transcribing a wide range of a wearer’s thoughts into text, serving as an accurate lie detector, and even implanting information directly into the brain. These uses are still in the early research phases and could be decades from fruition, or perhaps never emerge.36
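The distinction this section draws between neurodata and personal neurodata turns on linkability, and linkability is a property of who holds a record as much as of the record itself. The following added example (written for this page; not code from the report, its authors, or any BCI vendor) models that for a constructed gaming-session record carrying a user id, e-mail, device serial and raw samples: a check for whether the record is reasonably linkable to an individual, and a minimization step that drops raw samples, strips direct identifiers and replaces the account link with a keyed pseudonym (HMAC-SHA256). All field names, identifiers, sample values and the key are invented placeholders.

```python
import hashlib
import hmac
from typing import Any, Dict

# Constructed session record, as a consumer-BCI backend might receive it from a
# gaming headset. Every value is an invented placeholder, not data from the report.
RAW_SESSION: Dict[str, Any] = {
    "session_id": "sess-0001",
    "user_id": "user-42",                 # links the record to an account profile
    "email": "player@example.com",
    "device_serial": "HB-000123",         # a serial is normally registered to a buyer
    "raw_samples": [0.12, -0.08, 0.31, 0.05, -0.22],   # constructed EEG-like values
    "derived": {"alertness": 0.81, "intended_target": "door"},
}

# Fields that on their own tie a record to a person.
DIRECT_IDENTIFIERS = ("user_id", "email", "device_serial")


def has_neurodata(record: Dict[str, Any]) -> bool:
    """Raw samples and BCI-derived inferences both count as neurodata here."""
    return bool(record.get("raw_samples")) or bool(record.get("derived"))


def is_personal_neurodata(record: Dict[str, Any], holder_has_key: bool = False) -> bool:
    """Neurodata is personal when it is reasonably linkable to an individual: a direct
    identifier is present, or the record carries a keyed pseudonym and the party
    holding the record also holds the key (so it can re-link the pseudonym)."""
    if not has_neurodata(record):
        return False
    if any(record.get(k) for k in DIRECT_IDENTIFIERS):
        return True
    return bool(record.get("subject")) and holder_has_key


def pseudonym(user_id: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the user id, truncated to 16 hex characters.
    Without the key the value cannot be mapped back to the id or matched across
    data holders that use different keys."""
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimize(record: Dict[str, Any], key: bytes, keep_raw: bool = False) -> Dict[str, Any]:
    """Data minimization before storage or sharing: keep the derived output the service
    uses, drop raw samples unless a stated purpose needs them, strip direct
    identifiers, and replace the account link with a keyed pseudonym."""
    out: Dict[str, Any] = {
        "session_id": record["session_id"],
        "subject": pseudonym(record["user_id"], key),
        "derived": dict(record["derived"]),
    }
    if keep_raw:
        out["raw_samples"] = list(record["raw_samples"])
    return out


def prepare_for_recipient(record: Dict[str, Any], key: bytes,
                          recipient_has_key: bool) -> Dict[str, Any]:
    """Minimized record plus the linkability classification the recipient should apply,
    recorded alongside the data so the decision travels with it."""
    out = minimize(record, key)
    out["personal_for_recipient"] = is_personal_neurodata(out, holder_has_key=recipient_has_key)
    return out


if __name__ == "__main__":
    key = b"vendor-pseudonym-key"   # placeholder; a real key would live in a secrets store
    print(is_personal_neurodata(RAW_SESSION))                        # True
    print(prepare_for_recipient(RAW_SESSION, key, recipient_has_key=False))
```

The same minimized record is personal neurodata for the vendor, which holds the key and can re-link the pseudonym to the account, and not reasonably linkable for a research partner that receives the record without the key. Whether `keep_raw` is ever set should follow from a documented purpose, since the section notes that raw recordings of under 30 seconds have sufficed for identification in a lab setting.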


D. Both Invasive and Non-invasive BCIs Pose Technical Challenges for Effectively Recording Neurodata and Modulating Neural Signals

Regardless of the technique used, recording and processing brain signals to derive usable neurodata is a technologically challenging process. Wired BCIs—typically associated with the clinical and medical context—include complex wiring that involves a prolonged preparation time before use, while the wires limit user movements.37

Wireless BCIs avoid some of the hardware challenges of wired BCIs, but present new challenges associated with battery life—especially in the case of health-related BCIs that are intended to be on and active for extended sessions—and device weight, comfort, and practicality.38 Other hardware challenges include the need for commercial non-invasive headsets to record small neural signals through a physical barrier of hair, skin, flesh, and bone, all of which can interfere with the signals and add noise to the data. Meanwhile, invasive BCIs require expensive, high-risk surgery.39

Once signals are collected, the device must process and separate actionable nerve impulses from those that are created by passive activities, including artifacts derived from the wearer’s muscle movements, eye blinking, and electrical activity from the heart. Sometimes this extra data is used in conjunction with BCIs for various purposes, but these artifacts often have to be removed for neurodata to be usable. Most neurodata derived via BCIs is noisy (especially in the case of non-invasive applications) and creating computer systems that can classify and remove noise is a complex and cumbersome undertaking.

After actionable signals are gathered and sorted, ML40 algorithmic models can be applied for classifying neurodata. This typically involves a calibration and training process in which a user performs a number of operations so that the algorithm can learn the user’s unique neural data that represent their patterns when performing various actions. Using ML systems presents its own set of preliminary challenges, such as: whether these ML systems can classify data better than chance, whether a particular system is appropriate to achieve a desired outcome, or whether the system does in fact accurately conform to a user’s neural signature, in addition to any ethical and legal risks. This process of identifying and processing an accurate and meaningful neural signature is something that researchers are still attempting to master.
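The four-component chain listed in Part I (signal acquisition and digitization, feature extraction, feature translation, device output) and the artifact-removal and calibration problems described in this section, carried through as one added example. This is illustrative code written for this page, not code from the report, its authors, or any BCI product: the sampling rate, the 10 Hz "alpha" component, the noise level, the blink artifact, the alpha/beta band-power ratio rule and every threshold are constructed assumptions, and the DFT is a naive pure-Python one so the block runs without numpy.

```python
import math
import random
from typing import Dict, List, Optional, Tuple

# Constructed parameters for a stand-in non-invasive EEG channel (assumptions, not
# values from the report): 128 samples/s, two-second analysis windows.
FS = 128
N = 256
ALPHA_BAND = (8.0, 12.0)   # Hz, the rhythm used as the feature of interest
BETA_BAND = (20.0, 30.0)   # Hz, used as the reference band
ARTIFACT_LIMIT = 3.0       # amplitude beyond which a sample is treated as an artifact
BLINK_LEN = 8              # samples; length of the constructed eye-blink deflection


def acquire(alpha_amp: float, seed: int = 1, blink_at: Optional[int] = None) -> List[float]:
    """Stage 1, signal acquisition and digitization: constructed digitized samples.
    A 10 Hz sinusoid of amplitude alpha_amp plus Gaussian noise, optionally with an
    eye-blink artifact (a large, slow deflection) starting at sample blink_at."""
    rng = random.Random(seed)
    x = [alpha_amp * math.sin(2 * math.pi * 10.0 * t / FS) + rng.gauss(0.0, 0.2)
         for t in range(N)]
    if blink_at is not None:
        for t in range(blink_at, min(blink_at + BLINK_LEN, N)):
            x[t] += 25.0
    return x


def reject_artifacts(x: List[float]) -> Tuple[List[float], int]:
    """Stage 2a, artifact removal by amplitude threshold: samples beyond ARTIFACT_LIMIT
    are zeroed, and the count of zeroed samples is returned so the caller can tell
    how much of the window was unusable."""
    cleaned: List[float] = []
    dropped = 0
    for v in x:
        if abs(v) > ARTIFACT_LIMIT:
            cleaned.append(0.0)
            dropped += 1
        else:
            cleaned.append(v)
    return cleaned, dropped


def band_power(x: List[float], lo_hz: float, hi_hz: float) -> float:
    """Mean power per DFT bin within [lo_hz, hi_hz]. Naive O(n * bins) DFT so the
    block needs no numpy; adequate for 256 samples."""
    n = len(x)
    k_lo = math.ceil(lo_hz * n / FS)
    k_hi = math.floor(hi_hz * n / FS)
    total = 0.0
    for k in range(k_lo, k_hi + 1):
        re = sum(x[t] * math.cos(2 * math.pi * k * t / n) for t in range(n))
        im = sum(x[t] * math.sin(2 * math.pi * k * t / n) for t in range(n))
        total += re * re + im * im
    return total / (k_hi - k_lo + 1)


def extract_features(x: List[float]) -> Dict[str, float]:
    """Stage 2b, feature extraction: reduce 256 samples to two band powers."""
    return {"alpha": band_power(x, *ALPHA_BAND), "beta": band_power(x, *BETA_BAND)}


def alpha_beta_ratio(features: Dict[str, float]) -> float:
    return features["alpha"] / max(features["beta"], 1e-12)


def calibrate(idle_seeds=(11, 12, 13), select_seeds=(21, 22, 23),
              select_amp: float = 1.0) -> float:
    """Calibration: the user produces labeled windows ("idle" and "select") and the
    decision threshold is placed between the two groups (geometric mean of the
    highest idle ratio and the lowest select ratio). Stands in for training a classifier."""
    idle = [alpha_beta_ratio(extract_features(reject_artifacts(acquire(0.0, seed=s))[0]))
            for s in idle_seeds]
    select = [alpha_beta_ratio(extract_features(reject_artifacts(acquire(select_amp, seed=s))[0]))
              for s in select_seeds]
    return math.sqrt(max(idle) * min(select))


def translate(features: Dict[str, float], threshold: float = 10.0) -> str:
    """Stage 3, feature translation: a threshold rule mapping the feature to a command."""
    return "SELECT" if alpha_beta_ratio(features) > threshold else "IDLE"


def run_pipeline(alpha_amp: float, blink_at: Optional[int] = None,
                 threshold: float = 10.0) -> Tuple[str, int]:
    """Stage 4, device output: the command an external component would receive, plus
    the number of samples rejected as artifacts in this window."""
    raw = acquire(alpha_amp, blink_at=blink_at)
    cleaned, dropped = reject_artifacts(raw)
    return translate(extract_features(cleaned), threshold), dropped


if __name__ == "__main__":
    print(run_pipeline(1.0, blink_at=100))   # ('SELECT', 8)
    print(run_pipeline(0.0))                 # ('IDLE', 0)
```

The point for a privacy or security engineer is where the raw samples live: only `acquire` and `reject_artifacts` touch them, and everything downstream works on two band-power numbers and a one-word command, which is the smallest thing a device needs to retain or transmit. A threshold set in `calibrate` is per user, which is the section's point about neural signatures, and the `dropped` count is the kind of accuracy signal the Executive Summary asks vendors to document rather than hide.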


Part II: BCIs Provide Benefits and Present Risks in a Number of Sectors Including Health, Gaming, Employment, Education, Smart Cities, Neuromarketing, and the Military

This section surveys BCI adoption across seven key sectors: health and wellness; gaming; education; employment; smart cities; neuromarketing; and the military. These sectors represent areas where consumer BCI technologies are quickly evolving, and where unique privacy concerns are most salient.41 However, if the past is prologue, individuals and societies will find new and unexpected uses of technologies as they evolve and adapt inside and outside of these sectors.

Each sectoral use of BCI technologies examined below is accompanied by specific benefits and risks and an analysis of some of the existing laws, policies, and best practices currently in place that might safeguard neurodata within a particular sector. It is worth noting, however, that many of the benefits, risks, and challenges discussed overlap across a variety of uses and sectors outside BCIs and neurotechnologies, such as genetics, biometrics, and AI. While neurodata and BCIs may not be explicitly mentioned in current law, existing regulations may still be held to apply, even if policymakers did not contemplate the novel privacy issues associated with neurotechnologies. Conversely, new law may be motivated by the failure of existing law to contemplate novel privacy issues, such as the Genetic Information Nondiscrimination Act (GINA) arising out of a sense that contemporaneous health law—such as HIPAA—did not sufficiently contemplate or protect against issues prompted by genomic technologies.42 Similar regulations have since been created at state and local levels in response to increasing usage of biometric data and associated risks.43

Regulators might recognize a similar need in connection with neurodata, leading to new laws and standards. But in the absence of amended and new regulations, developers must consider current regulations, standards, and frameworks that might apply to this evolving field or serve as a foundation for future regulation, guidance, or decision-making around BCIs. Neurotechnology-specific frameworks include: the OECD Recommendation on Responsible Innovation in Neurotechnology44 and the FDA’s recent guidance on BCIs for Patients with Paralysis or Amputation.45 Legal frameworks of note include constitutional and fundamental rights protection of the right to respect for private life and confidentiality in some jurisdictions around the world,46 the protection of personality rights in Civil Codes in jurisdictions as varied as Germany, Quebec and, most recently, China,47 the EU’s draft legal framework on AI,48 as well as comprehensive data protection laws, such as the California Privacy Rights Act (CPRA)49 and the European General Data Protection Regulation (GDPR),50 to name a few.

Although these legal frameworks do not pertain to
neurotechnology specifically, given BCI’s integra-
tion with AI and neurodata’s overlap with biometric
data conceptualization, some of this guidance may
be relevant or transferable in the future.

Additionally, there are numerous international
brain initiatives that are working together to not
only better understand the ethical issues and risks
associated with BCI technologies and other neu-
roscience applications, but also publish general
guidance, best practices, and key research ques-
tions regarding these topics.51

A. Health BCIs Diagnose Medical
Conditions, Modulate Brain Activity for
Cognitive Disorder Management, and
Promote Accessibility

Today, health BCIs can improve health diagnosis,
rehabilitation, and accessibility. Current break-
throughs in diagnosis include quantifying fatigue,
identifying depression, and measuring stress.52 Di-
agnostic BCIs can also be especially helpful when
patient responses are unavailable, such as when
patients experience disorders of consciousness,
including locked-in syndrome, whereby individuals
are fully conscious but unable to move, speak, or
explain how they are feeling.53 Current research
efforts focus on BCIs that diagnose condition pro-
gression, such as glaucoma.54

While diagnosis typically involves recording brain
activity, health BCIs are also used to modulate pa-
tients’ brains and nervous systems. Brain modula-
tion is used in numerous ways, including stimulation
for modulating and disrupting seizures for epilepsy
patients.55 Recent advances in health BCI modula-
tion include a vision restoration study to bypass the
eye and the optic nerve to feed images directly to
the brain, resulting in low-resolution vision.56

Other than diagnosis and stimulation, BCIs can provide
increased accessibility. A new generation of
prosthetic limbs relies on BCIs. These neuroprosthetics,
or artificial limbs, move in response to thought,
and the same approach has produced BCI-powered
automatic wheelchairs.57 A non-invasive mind-controlled
wheelchair, developed by researchers at
Switzerland's Federal Institute of Technology in
Lausanne (EPFL), can follow simple directions derived
from a BCI and can assess the area around the
wheelchair to navigate its surroundings safely.58 Users
of neurotech wheelchairs think of moving their left
or right arm to direct their wheelchair in their chosen
direction. Recent advancements mean users no longer
need to think of specific words like "table" in order to
direct their chair to a nearby object; instead, they
can think of associated activities like eating.59 Another
noteworthy example occurred in 2019 when
scientists implanted a BCI into the brain of a patient
who was left with minimal movement of his arms
and hands after a surfing accident.60 The invasive
electrodes allowed the patient to control both
left and right robot appendages to perform daily
tasks, such as eating.61 Similarly, BCIs provide haptic
feedback or haptic sensory replacement within
prosthetics and exoskeletons, supporting patient
rehabilitation, the regaining of sensation, and an
increased ability to perform previously inaccessible
tasks.62

There are also efforts to connect BCIs with smart
devices and IoT (internet of things), which could aid
individuals with neurological disorders or motor
impairments in doing activities of daily living or
interacting with various appliances and devices,
enabling improved or sustained quality of life
through increased accessibility within their home
environment.63

As mentioned previously, BCIs are also starting
to emerge in the commercial wellness space as
a method of personal tracking and of improving
cognitive abilities (such as attention or meditation)
and mental and physical health (such as sleep quality
or fatigue). This is a developing space, and the
efficacy of BCIs as wellness devices remains open
to debate.64 Many of these wellness BCIs overlap
with the gaming and toy space. The NeuroSky
Mindwave Mobile 2: Brainwave Starter Kit provides
the user with information about their brain's electrical
impulses when relaxing and when listening to music.65
The product includes an EEG-fitted headband and
connects to companion apps via Bluetooth.66 The
device also provides training games purported to help
improve meditation and attention and enhance the
user's learning effectiveness.67 Further, the device
includes tools for players to create their own
brain-training games.68

1. Health BCI Risks Include: Security Breaches,
Infringement on Mental Privacy, and
Accuracy Concerns

Security breaches represent some of the most
prominent risks in the health and wellness BCI
space. Some of these security risks are presaged
by earlier breaches of medical implantable devices.
In 2017, half a million pacemakers69 were recalled
because they were vulnerable to hacking.70
Just as pacemakers could be breached, BCIs are
vulnerable to cyber risks, including breaches,71
with potentially severe physical harm to the
patient. BCIs also run the risk of interference, whether
by bad actors or by error, that could cause failed
communication around high-stakes medical decisions.
Recently, researchers showed that an attacker who
adds imperceptibly small perturbations to an EEG
signal could force a BCI speller to output words
that do not align with what the wearer is thinking.72
The consequences of such a vulnerability range
from user frustration to severe misdiagnosis. Moreover,
a breach of a BCI threatens the confidentiality of
the sensitive health information that could be
captured in a hack.
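
The speller attack described above, as an added example that is not part of the original report and not the cited researchers' code: a toy nearest-centroid (linear) decoder is trained on constructed EEG epochs, and the smallest-norm perturbation that flips its output is computed in closed form. The two-class "target / non-target" speller, the epoch length, the response shape and amplitude, the noise level and the confidence-margin policy are all assumptions made for the illustration; the cited work attacked different, non-linear models. The example also shows the check a practitioner would reach for first, a confidence margin that forces the decoder to abstain near the boundary, and why it only raises the attacker's cost rather than removing the attack.

```python
"""Minimum-norm adversarial perturbation against a toy linear EEG decoder.

Constructed example, not from the cited research. All signal shapes,
amplitudes, noise levels and the margin policy below are assumptions.
"""
import math
import random

N_SAMPLES = 32          # samples per epoch (assumed)
BUMP = range(12, 20)    # sample indices carrying the assumed "target" response
BUMP_AMPLITUDE = 8.0    # microvolts (assumed)
NOISE_SIGMA = 2.0       # microvolts of background activity (assumed)


def make_epoch(rng, target):
    """Constructed EEG epoch: Gaussian noise, plus a bump when it is a target."""
    epoch = [rng.gauss(0.0, NOISE_SIGMA) for _ in range(N_SAMPLES)]
    if target:
        for i in BUMP:
            epoch[i] += BUMP_AMPLITUDE
    return epoch


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def l2(v):
    return math.sqrt(dot(v, v))


def train_centroid_decoder(targets, nontargets):
    """Nearest-centroid decoder: w = m1 - m0, boundary at the midpoint of the centroids."""
    m1 = [sum(c) / len(targets) for c in zip(*targets)]
    m0 = [sum(c) / len(nontargets) for c in zip(*nontargets)]
    w = [a - c for a, c in zip(m1, m0)]
    mid = [(a + c) / 2.0 for a, c in zip(m1, m0)]
    return w, -dot(w, mid)


def score(w, b, x):
    return dot(w, x) + b


def decode(w, b, x, margin=0.0):
    """'target' / 'nontarget', or 'abstain' when |score| lies inside the margin."""
    s = score(w, b, x)
    if abs(s) <= margin:
        return "abstain"
    return "target" if s > 0 else "nontarget"


def minimal_flip(w, b, x, wanted_score):
    """Smallest-L2 delta such that score(x + delta) == wanted_score.

    For a linear decoder the nearest point with a given score lies along w,
    so delta = (wanted_score - score(x)) * w / ||w||^2.
    """
    gap = wanted_score - score(w, b, x)
    ww = dot(w, w)
    return [gap * wi / ww for wi in w]


def perturb(x, delta):
    return [a + d for a, d in zip(x, delta)]


def demonstrate(seed=7):
    rng = random.Random(seed)
    targets = [make_epoch(rng, True) for _ in range(40)]
    nontargets = [make_epoch(rng, False) for _ in range(40)]
    w, b = train_centroid_decoder(targets, nontargets)

    # Hypothetical confidence policy: abstain (and re-ask the wearer) unless
    # |score| exceeds a quarter of the mean score seen on training targets.
    margin = 0.25 * sum(score(w, b, t) for t in targets) / len(targets)

    clean = make_epoch(rng, True)  # fresh epoch in which the wearer attends the target

    # Attack 1: push the score just below zero; enough to flip a plain sign decoder.
    delta_plain = minimal_flip(w, b, clean, -0.5)
    # Attack 2: against the margin policy the attacker needs a *confident* wrong
    # answer, i.e. a score below -margin, which costs more perturbation.
    delta_margin = minimal_flip(w, b, clean, -margin - 0.5)

    return {
        "clean": decode(w, b, clean),
        "adv_plain": decode(w, b, perturb(clean, delta_plain)),
        "adv_plain_under_margin": decode(w, b, perturb(clean, delta_plain), margin),
        "adv_margin_under_margin": decode(w, b, perturb(clean, delta_margin), margin),
        "adv_plain_max_abs_uv": max(abs(d) for d in delta_plain),
        "adv_plain_l2": l2(delta_plain),
        "adv_margin_l2": l2(delta_margin),
        "clean_l2": l2(clean),
        "bump_amplitude_uv": BUMP_AMPLITUDE,
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

Running `demonstrate()` shows the clean epoch decoded as a target, the same epoch decoded as a non-target after a perturbation whose per-sample amplitude is smaller than the response it cancels and whose overall norm is smaller than the epoch's own, and the margin policy turning that first attack into an abstention while a larger perturbation still gets through. The design point is that a linear decoder's boundary is reachable along a single direction, so the attacker's cost is governed by the margin, not by the noise floor; real decoders are non-linear, but the same closed-form reasoning is what gradient-based attacks approximate.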

An equally important risk for health-related BCIs
is insufficient or unverifiable accuracy in recording
and interpreting brain signals. High reliability of
medical BCIs is especially important because
inaccurate interpretation or modulation of a
patient's brain could result in serious consequences,
or even death. Patients relying on modulating
BCIs to help mitigate cognitive disorders, such as
epilepsy, could suffer grave health consequences
should the BCI fail to work as intended. Additionally,
patients experiencing locked-in syndrome, who
might be minimally conscious, require BCIs
to accurately convey their wishes; concerns
are particularly acute when patients rely on BCIs
to communicate crucial information, such as their
choices regarding treatment or even end-of-life
decisions.73 Accuracy is also crucial in the accessibility
context, as prosthetic limbs, wheelchairs, and
other devices controlled via BCIs must operate
correctly and safely according to users' intentions.

Privacy risks regarding BCI accessibility devices
come from the inferences drawn from conscious
or unconscious intentions of an individual. The
capacity of neural networks that underpin many
of these devices to associate certain thoughts
with directives means that subconscious or caus-
ally-connected intentions may be defined and in-
terpreted by BCIs on a wider scale, leading to new
mental privacy risks. For example, a BCI controlled
wheelchair and its underlying neural network might
not only deduce that the user is thinking about
food, therefore directing the chair to move toward
the table, but also draw other conclusions about
the individual’s biology and preferences, such as
whether or not an individual is hungry or thirsty
and at what times. These additional inferences
capture new information about an individual’s
thoughts, intentions, or interests, many of which
are related to an individual’s specific biology and
unique preferences.

Privacy risks are magnified when these new
inferences are combined with other personal
information about an individual to make decisions
that impact their lives and could interfere with the
autonomy afforded to individuals through the use
of these accessibility BCIs. Organizations collect-
ing and processing these brain signals, leading
to granular inferences tied to an individual, could
have incentive to repurpose this data for adver-
tising or other non-medical purposes, exposing
potentially sensitive biological information to third
parties while running counter to individual notions
of privacy. Additionally, the sharing of patient data
associated with BCI use could potentially disclose
an individual’s previously unknown medical con-
dition to employers, private companies, public
entities, or governments.

2. Some Health BCIs are Subject to Common
Rule Requirements, FCC Oversight, or
International Frameworks

Some of the advancements in health BCIs involve
human subject research, which in certain cases is
governed by a complex regulatory framework. U.S.
researchers whose projects are federally funded
are typically required to obtain subjects’ informed
consent for data collection based on approval from
a Common Rule-based Institutional Review Board
(IRB) prior to undertaking studies.74 In other instanc-
es, such as some research involving open fMRI or
other open neurodata, studies might not require
IRB approval when the data in question involves
secondary data use of de-identified samples.

In addition, wireless IoT BCI devices are likely
subject to Federal Communications Commission
(FCC) oversight because of their designation as
connected wearables.75 However, given the lack
of regulations around consumer wellness technol-
ogies, devices marketed outside of the physician
regulated context—such as brain training games
and meditation-aiding devices like Muse76—may
lack strict oversight. For example, the Health Insurance
Portability and Accountability Act (HIPAA)
regulates covered entities—such as physicians
and health insurers—that collect, use, process,
and share health information, but does not usually
apply to wellness device companies.

In Europe, the GDPR is the applicable framework
to any processing of personal data for the pur-
poses of scientific research, including where the
research relies on special categories of personal
data, such as data related to health and biometric
data processed for identification. There are several
lawful grounds for processing under Article
6(1) that would allow the necessary processing
of personal data for BCI research, as well as sev-
eral permissions under Article 9(2) for the use of
sensitive personal data. In some situations, this
could allow data controllers to conduct this type
of research even without individual consent for the
processing of the data,77 specifically when sensi-
tive data is necessary for public health purposes
or for research in the public interest;78 however,
there are many complexities surrounding this sort
of processing, with the European Data Protection
Board (EDPB) expected to adopt Guidelines on
processing of personal data for scientific research
purposes in the following months. Given the com-
plexities surrounding human subject research and
privacy, health researchers and other stakeholders
seeking to develop or adopt BCIs will need to
understand and verify how the product fits into the
shifting regulatory landscape.

The EU’s recent proposed draft AI regulation79
covers all AI systems, including those relying on
biometric data—and is likely to be relevant for fu-
ture regulation of personal neurodata, significantly
altering the regulatory landscape around BCIs and
neurotech. It specifically focuses on AI systems
that pose high risks to the “health, safety and fun-
damental rights” of individuals. BCIs that might be
considered “high risk” AI systems under the pro-
posed regulation, could trigger requirements prior
to entering the market such as going through a
conformity assessment, adoption of adequate risk
assessment, security guarantees, and adequate
notice to the user, among others.80 If a BCI instead
falls into a lower-risk category, organizations would
at most have to fulfil transparency requirements.81 The full scope
and impact of the EU’s AI regulation on the de-
velopment and use of BCIs remains subject to the
ongoing legislative process.

B. Gaming BCIs Often Augment Existing
Platforms and Controls and Offer
Players New Ways to Play Through
Recording Neurodata

Gaming is one of the most prominent consumer
applications of BCI technology. In turn, advances
in gaming may serve as a dry run for innovations
in other sectors with a more immediate impact on
human wellbeing.

Today, most BCI gaming experiences involve
outfitting existing devices and platforms with neu-
rotechnology. Gaming and entertainment-focused
BCIs were originally created for people with motor
disabilities—and still offer accessible experiences
for that community today—but are now increasing-
ly targeted to the broader population.82 The most
common integration of BCI technology in gaming
involves the player wearing an external device—
often a headband, cap, or plastic arm touching
the player’s forehead—fitted with a non-invasive
neurotechnology, such as EEG. These devices
attempt to record the player’s electrical impulses,
collecting and interpreting the player’s brain sig-
nals during play.

[Figure: An example of an EEG recording.83]

One of the earliest examples of EEGs in gaming is
NeuroSky’s 2007 game The Adventures of NeuroBoy.84
Using a Bluetooth-connected, EEG-fitted headset
called MindSet, the game claims to measure
the player’s concentration and stress during
play and provide this information to the player.
Through concentration of thought, the player is
able to move objects in the game, but NeuroBoy
still relies on mouse and keyboard commands for
much of the gameplay.85

Since the advent of games like The Adventures of
NeuroBoy, BCIs in gaming have evolved to where
recording neural signals is now a primary driver for
gameplay, rather than working in tandem with tradi-
tional controls. However, the immersive experienc-
es offered by most of the current applications of
BCI gaming remain limited. Generally, players can
only complete a discrete set of actions with their
thought patterns. Star Wars Force Trainer II comes
with a non-invasive EEG wearable, and the game
claims that players can use their thoughts, or “the
force,” to control a levitating holographic image of
an x-wing.86 EEG wearable games like Star Wars
Force Trainer II cannot actually detect when the
player is thinking about specific directions such
as “up” or “down”; rather, they assign these movements
to an arbitrary set of brain-signal patterns,
which together form the player’s neural signature.

Games involving BCIs are not limited to single-play-
er experiences, but have applications pointing to
a future of multiplayer and social games. Researchers at
the University of Washington and Carnegie Mellon
University developed BrainNet, the first multi-person
non-invasive brain-to-brain interface (BBI).87 In BrainNet,
three participants, outfitted with external EEG and TMS
caps, play a game similar to Tetris.88 Two of the players
can see the entire game screen, while the third can only
see the block at the top of the screen. The two players
who can see the entire screen “send” neurodata, read by
EEG, to the third player about how they should rotate
the block to complete a row. The third player “receives”
that information as stimulation delivered through the
TMS cap and then sends a command to the game through
their own EEG signal, indicating whether or not to
rotate the block. While not yet widely available,
this type of collaborative gameplay increases the
potential for a more interactive BCI gaming experi-
ence. Moreover, BBI interfaces could unlock a new
method for completing collaborative tasks and
communicating outside the realm of gaming.

Other innovations in BCI gaming involve augment-
ing platforms with BCI technology. This form of aug-
mentation is most common today in the extended
reality (XR) gaming space. Extended reality is the
umbrella term used to describe augmented real-
ity (AR), virtual reality (VR), and mixed reality (MR)
technology.89 Today, when BCIs are integrated into
XR technology, it is typically through the use of a
headset called a head-mounted display (HMD). In
the BCI context, HMDs are fitted with electrodes
which non-invasively collect neurodata needed for
gameplay without the use of cumbersome technology
or dozens of EEG electrodes.90 Companies like
Neurable are developing their own HMDs outfitted
with EEG electrodes, as well as software compatible
with other manufacturers’ EEG-equipped HMDs.91 In
Neurable’s first demo, Awakening, the player as-
sumes the role of a psychokinetically-gifted child
who must escape from a government prison.92
Through recording the player’s electrical brain
impulses, the BCI HMD lets the player choose be-
tween a host of objects to escape from prison and
advance through the game.93

The future of BCI gaming may provide fully-immer-
sive experiences where the player can initiate a
diverse set of in-game actions with their conscious
thoughts. Here, the player’s neurodata would be
collected and combined with other biometric or
physiological information derived from their ges-
tures,94 eye movements,95 facial expressions,96
breathing,97 and heartbeat.98 OpenBCI99 is cur-
rently developing Galea, a software and hardware
platform that uses existing HMDs, most notably the
Valve Index. The device collects neurodata along
with data from the wearer’s heart, skin, muscles, and
eyes through a number of sensors with the initial
goal of providing developers the tools to explore
further integrating this data into future projects.100

Other future advances in BCI gaming will prioritize
social interaction with other players. Immersive
games will continuously record and process neu-
rodata and other physiological data to respond and
adjust in real time—or after the fact during a later
experience—to a player’s expressed mood and skill
level.101 Some game developers predict that immer-
sive gaming BCIs will be able to modulate players’
brains to alter moods during gameplay as well as
providing “better than real visuals” in games.102

1. Gaming BCI Risks Include the Involuntary
Collection of Neurodata, Which Could Lead
to Granular User Profiles that Result in
Decisions Potentially Impacting and Limiting
the User Experience

Key privacy risks associated with BCI gaming are
less about identifying the user than about the
inferences drawn about a user’s psychology and
preferences, and how organizations might make
decisions based on these inferences. These risks
are especially prevalent when augmenting existing
gaming platforms, particularly VR, with BCI and
neurotechnology sensors. In VR, data is collected
about the immersive digital world with which a user
is interacting. When combining a user’s real-time
neurodata with the content a user is currently ex-
periencing in VR, a profile can be built about an
individual in which inferences can be drawn about
a user’s responses to the virtual content they are
being served.

Brittan Heller has coined the term “biometric psy-
chography,” which describes the notion of com-
bining collected biometric or biological data with
information about the virtual stimuli encountered
by the user to produce inferences about the user’s
psychology.103 For instance, changes in recorded
neurodata throughout a user’s play session could
lead to conclusions about whether particular
content excites, arouses, induces fear, or psycho-
logically impacts a user. Further, when neurodata
can be combined with other biological data which
produces inferences about a user’s psychology,
including changes in pupil size, timing and direc-
tion of eye gaze, changes in skin temperature,
and changes in heartbeat, increasingly detailed
profiles reflecting a user’s psychological response
to content can be inferred.

Unlike other biological indicators, neurodata could
provide more sensitive details about an individual’s
psychology, collected directly from the brain in real
time, giving insight into a user’s intent or neurological
reactions. In turn, AI and machine learning models
can be trained on a user’s brain signals, in combination
with other biological changes in response to content,
allowing organizations to associate user-specific
changes in neural signals with certain physiological
states, such as arousal. Moreover, changes in brain
signals are even more involuntary than eye gaze: a
user can choose to control where they look, but
cannot control their electrical neurosignals.

Risks are magnified when decisions that impact
the user are influenced by inferences that a company
or third party deduces from neurodata. Decisions could
include: which content to serve to a user, which
ads a user might view during BCI gaming, and oth-
er activities across the Internet based on a user’s
involuntary brain signal responses. Beyond ads,
there are genuine concerns that one’s neurodata
could be used to expose vulnerabilities that could
be exploited by nefarious actors who purposefully
target digital spaces that cater to children (e.g.,
human trafficking).104

Today, content recommendations are seen across
gaming, streaming, and other online services.
Currently, the service of content is based on a
voluntary action by the user, such as listening to
a particular song or viewing a particular video,
visiting a certain website, or “liking” a post on
social media. In the case of BCI gaming, content
may one day be served based on involuntary
neurological responses of the user. Therefore, the
types of content—including ads—served to users
can be determined not only by their voluntary en-
tertainment consumption, but further determined
by involuntary inferences resulting in increasingly
granular profiles about individuals. Additionally,
content served to users based on increasingly
granular profiles including their brain signals could
be shared with third parties for advertising or other
purposes, further tailoring the experience users
have across the Internet—sometimes without user
knowledge or consideration of user wishes.

Another concern about inferences resulting from
the collection of neurodata is whether or not these
inferences are accurate, especially given the na-
scent and limited utility of non-invasive BCIs today.
When the inferences about a user’s psychology
are especially accurate, providers run the risk of
serving content so reflective of a user’s interests
that it could promote severely addictive gameplay
or desensitization to various forms of entertain-
ment or interaction, and other potentially unhealthy
habits. When these inferences are inaccurate, providers
run the risk of alienating certain users and
serving them content and ads that do not comport
with, or at times offend,
their interests. Whether these inferences are accu-
rate or not, increasingly granular profiles dictating
which content to serve, or not serve, a user could
result in enhancing the division and filter bubbles
found online today. Moreover, if these inaccurate
inferences are sold to third parties for non-adver-
tising or non-gaming purposes, there could be op-
portunities for impermissible discrimination across
a wide variety of other domains.

2. Some BCI Gaming Applications are Regulated
by Children’s Privacy Regulations or General
Biometrics Laws

A regulation that could uniquely impact BCI gaming
in the United States is the Children’s Online Privacy
Protection Act (COPPA). Many games, including
some of the games described above, are directed
to children under the age of 13, and as such the
personal information they collect is covered by
COPPA.105 COPPA applies to “operators” of online
services directed to children under 13, or those who
have actual knowledge that they are collecting, using,
or disclosing personal information from children
under 13. COPPA provides parents and guardians
with a number of rights over their children’s personal
information, including access to the child’s
information and deletion rights over the data. The
law places a number of requirements on organizations,
such as posting a clear privacy policy on their
website, providing direct notice to parents, obtaining
parental consent before collecting information
from children under 13, and enacting reasonable
security to protect the child’s information.

While biometric information, including neurodata,
is not explicitly covered under COPPA, children’s
neurodata, if used to identify a particular child,
could be swept into the law as a “persistent identi-
fier,” which is covered under COPPA. Additionally,
the Federal Trade Commission (FTC) is currently
considering amending COPPA to include biometric
data.106 It is yet to be seen whether biometric data
will be swept into a new iteration of COPPA, and
whether the definition of biometrics would cover
neurodata. Regardless of whether neurodata will
be specifically covered under COPPA, developers
should be aware that BCI games and other toys
that connect to the Internet that collect children’s
other personal information, such as name, ad-
dress, image, or audio recording could potentially
fall under COPPA.

Other potentially applicable laws in this space
are certain state biometric laws, which provide
a number of rights to individuals over their data
and place requirements on companies collecting
biometric data, including but not limited to: prohi-
bitions on collecting, processing, using, or sharing
biometric information without prior opt-in consent;
data security requirements that meet industry stan-
dards; and (in the case of the Illinois law) the ability
for individuals to bring private rights of action for
violation of the law. However, none of these laws
explicitly cover neurodata. Some state biometric
laws define biometrics narrowly and are less likely
to be interpreted to cover neurodata as written to-
day. For instance, the Illinois Biometric Information
Privacy Act (BIPA) defines a biometric identifier as
being limited to: “a retina or iris scan, fingerprint,
voiceprint, or scan of hand or face geometry.”107
Other state biometric laws such as the Washington
law (WASH. REV. CODE § 19.35.010) define biomet-
ric identifiers more broadly as “data generated by
automatic measurements of an individual’s biologi-
cal characteristics, such as a fingerprint, voiceprint,
eye retinas, irises, or other unique biological
patterns or characteristics that are used to identify
a specific individual.”108 State biometric laws with
broader definitions of biometric identifiers, like that
in Washington state, could cover personal neuro-
data if it is used as an identifier.

Additionally, comprehensive privacy laws, such as
the EU’s General Data Protection Regulation (GD-
PR)109 and the California Privacy Rights Act (CPRA)110
could cover personal neurodata with their broader
definitions of biometric data. However, current laws
that could cover personal neurodata are framed in
terms of the ability to identify an individual based
on biometric data. Concepts such as “biometric
psychography” and accompanying inferences may
not be interpreted as covered under these laws.

C. Employment and Training BCIs Can
Monitor Employee Engagement During
High-Risk Tasks, Report Employee
Cognitive Data to Employers, Modulate
Employees’ Neural Signals to Improve
Their Abilities, and Provide New Tools to
Efficiently Complete Tasks

One of the most prominent uses of BCIs in the
employment and industry context is measuring
engagement during high-risk tasks. Engage-
ment-measuring technology is marketed for jobs
where attention is crucial for performance and pre-
vention of physical harms, such as those in sports or
transportation. One noteworthy engagement-measuring
BCI is Life, developed by Smartcap,111 which
features an EEG headband that fits inside hardhats,
trucker caps, and other headgear and notifies
drivers and their employers when the wearer is drowsy
or inattentive while driving.112 Life and similar
technologies are intended to combat the estimated 70%
of trucking accidents caused by fatigue.113

Other engagement-measuring BCIs combine
neurodata with other biometrics to measure and
encourage employee engagement. AttentivU is
a pair of glasses fitted with both EEG electrodes
measuring neurodata and sensors for tracking eye
movements.114 The technology combines these
data streams to draw conclusions about the wear-
er’s fatigue, engagement, and cognitive load. The
device indicates to the wearer when their attention
level changes through audio feedback and a con-
nected vibrating scarf.

Other BCIs in the employment context are used
to collect information related to workers’ moods.115
In some Chinese factories, state-owned compa-
nies, and various transport contexts, workers are
required to wear BCI headsets that collect neuro-
data to measure not only their attention, but also
sudden negative mood changes like acute anxiety,
rage, or pronounced distress.116 Similarly, one
could imagine a sort of “HR dashboard”117 in which
employee engagement or moods are accessed by
management, who could use this data for purposes
such as gauging efficiency, managing workloads, or
tracking worker happiness, or to make employee
hiring, firing, or promotion decisions.
Additional research efforts are underway for the
development of BCIs as lie detectors.118 While
much of this research is occurring in the law en-
forcement, government, and military space, these
technologies may have implications in the private
sector, especially for employees who work on con-
fidential projects.

Modulating BCIs in the employment space are tout-
ed as a tool for improving workers’ performance
and ability to multitask in fast-paced environments
through the use of transcranial direct current stim-
ulation (tDCS), developed by companies such as
Caputron.119 tDCS involves a headset fitted with
electrodes inside sponge inserts that pass a weak
electrical current through the wearer’s scalp.120 While the use
of tDCS is not yet widespread in the employment
context, some early tests show that the technology
could enhance multi-tasking efficiency by approx-
imately 30%.121

Some forecasts suggest BCIs will be used for job
training by requiring invasive BCI technologies,
which are directly installed into the user’s brain.122
Elon Musk’s Neuralink company promotes the
aspirational goal of installing “neural lace,” con-
sisting of many tiny electrodes, into the brain.123
A tissue-like lace overlay that drapes over parts
of an individual’s brain would have numerous ad-
vantages over devices that only pick up signals in
certain regions. Such an overlay could yield a more
fulsome representation of the wearer’s thoughts.
Further, a flexible lace could avoid some of the
safety pitfalls of rigid implanted electrodes, which
can break blood vessels or injure tissue.
However, invasive implants necessarily involve
surgery, which comes with its own set of risks.
One of Musk’s goals is to make Neuralink users,
whether they use the neural lace technologies
or another variety of BCI, “smarter” by improving
memory and aiding decision-making, crucial during
a high-pressure or time-sensitive task. While these innovations appear far from fruition, Neuralink was, as of this writing, testing neural lace technology on animals and planning its first human tests for 2021.124 Additionally, early work has shown
that certain BCIs might enhance episodic memo-
ry—the ability to recall and reexperience memories
from the past.125

Other non-invasive neurotechnologies show promise in enhancing employee abilities. Companies like Facebook are looking to integrate non-invasive EMG wristbands into emerging technologies, such as virtual or augmented reality; these wristbands pick up the electrical signals that motor neurons send to the muscles of the wrist and hand, capturing a user’s intent to move their fingers or other appendages.126

Additionally, researchers developed an invasive
BCI that allows users to type by thinking about
writing specific letters.127 While this technology is
far from mass market—and given its invasive na-
ture might be best suited to provide accessibility to
patients with paralysis—such technological break-
throughs could have widespread impact on the
employment landscape. This could result in users
performing tasks such as typing with their minds
at a faster rate than the dexterity of their hands
would typically allow. Such devices might one day
change how workers send emails, code programs,
or communicate with colleagues.

1. Employment BCI Risks Include: Eroding Worker
Privacy While Chilling Behavior, Making
Impactful Decisions About an Employee Based
on Inaccurate Science, A Lack of Employee
Control Over Their Neurodata, Workers
Questioning Their Identity, and More

BCIs that monitor employee engagement during
high-risk activities might effectively promote safety
and save lives. However, such technologies could

FUTURE OF PRIVACY FORUM | IBM | PRIVACY AND THE CONNECTED MIND | NOVEMBER 2021 19

compromise employee privacy and autonomy.
An employee who is knowingly being monitored
might increasingly distrust their employer, lose
morale, or chill their behavior—including union
organizing.128 On the other hand, some might view
the collection of a limited neurodata set for safety
purposes as less privacy-invasive129 than other
technologies like in-vehicle cameras.130 However,
even if the collection and analysis of neurodata
is less privacy-intrusive (a claim very much up for
debate), employees might have equal or greater
feelings of being surveilled given the nascence,
opacity, and complexity of a technology recording
data from their brain.

Privacy questions also emerge around whether
the employee, employer, both, or neither ultimately
should have control over employee neurodata. This
is further complicated when an employer institutes
a bring your own device (BYOD) policy, in which
case the employee might own their own device,
but the employer might have control—in full or in
part—of the employee’s associated neurodata.

Comprehensive privacy laws, such as the CPRA,
provide a number of rights to individuals as con-
sumers over their personal data—such as the right
to access, correct, delete, or export their personal
information—but do not currently extend these
same rights to employees. However, the CPRA will
be extending its protections to employees begin-
ning in 2023. A lack of employee control over their
data could further erode employee trust, reduce
autonomy, and open the door for recorded neu-
rodata to be used for purposes unrelated to their
employment, such as building advertising profiles.
Their data might also be used for purposes that could inadvertently violate worker privacy involving health data (e.g., influencing insurance coverage) or litigation (e.g., workers’ compensation claims).

Relatedly, many risks stem from the ability—or lack
thereof—of employees to consent, or not, to being
monitored or having their brains modulated. Even
in situations where employers will only monitor or
modulate employees’ neurodata upon obtaining
express consent, inherent power imbalances be-
tween employers and employees create a dynamic
where employees could be less willing to refuse
to consent, or opt out, of monitoring for fear of
retaliation, losing out on a promotion, or reducing
chances for a raise. There is also a fairness concern between employees based on their choice to use the technology or not, since a disparity in information and engagement between employees who opt in and those who opt out could make it more difficult to judge performance equitably between workers.

Risks around employee monitoring are further
heightened when employers make decisions
about employees based on this data. Decisions
based on the collection of employee neurodata
could include disciplinary measures, hiring and
firing decisions, and other potentially adverse
actions. Concerns are exacerbated as experts
have questioned the accuracy of some emotion
detection131 technology using neurodata or other
biometric inputs,132 meaning that employees could
be unjustly punished or inappropriately rewarded,
based on inaccurate and unproven science. Ad-
ditionally, emotion detection is gaining traction in
the US in contexts such as job recruitment,133 which
could include the collection and analysis of neuro-
data in the near future.

Employees who use stimulating BCIs to enhance
cognitive and work performance might question
their own identity and psychology.134 Studies have shown that emotional or behavioral changes in patients might cause them to question whether their psychological state is attributable to the BCI or to themselves.135 Workers questioning their identity
could reduce or confuse their sense of agency, their
capacity to make decisions, and their identity as hu-
man beings both in and outside of the workplace.136

2. Workplace Monitoring, Collective Bargaining,
and Employee Privacy Laws Apply to BCI Use
in Some Employment Contexts

Workplace monitoring laws place limitations on some types of BCI-based employee monitoring. The Electronic Communications Privacy Act (ECPA) generally bars employers from monitoring employees’ personal phone calls but allows them to monitor workplace communications, especially when those communications take place on company-owned devices such as computers and telephones.137 Existing anti-discrimination measures, including the Americans with Disabilities Act (ADA),138 may restrain employers who would use the results of a BCI that reveals a disability in hiring or firing decisions.

U.S. law grants employers broad leeway in defining workplace privacy policies for at-will employees. By contrast, unionized employees, who comprise roughly 11% of the total American workforce, often stipulate enhanced workplace privacy protections as part of collective bargaining agreements.139 The types of protections vary depending on the circumstances, but they typically limit “management by algorithm”: new forms of monitoring and surveillance driven by data generated by workers, potentially including neurodata, that could exacerbate discrimination and systemic inequality.140 The GDPR recognizes the inherent power imbalance between employee and employer for activities such as employee monitoring by noting that consent can serve as a lawful basis for processing employee personal data only under exceptional circumstances.141

The use of BCIs as lie detectors in the employment space remains limited, but some federal laws protect employee privacy in this narrow area. The Employee Polygraph Protection Act prohibits most private employers (subject to some exceptions) from requiring or requesting lie detector tests and from making hiring, firing, or disciplinary decisions on the basis of a lie detector result.142

Other regulations of note include state microchip
laws, which generally prohibit employers or organi-
zations from requiring employees to be implanted
with microchips.143 Today employers are not requir-
ing or offering that employees install invasive BCIs
or other neurotech into their brains, but there are
non-neurotech examples of employees who have
the option of being “chipped” by employers.144 Or-
ganizations engaged in employee tracking should
be cognizant of these microchip laws and should
consider how a future, invasive BCI would be cov-
ered under these legal regimes.

D. BCIs in Education Record Neurodata
to Help Inform Individualized Learning
Models and Provide Real-Time Feedback
to Students and Teachers on Student
Engagement and Progress

Proponents of BCIs in education argue that BCIs
can help students in both K-12 and higher education
learn, retain information, pay attention, increase
empathy, and improve academic achievement.145
Recent developments in educational BCIs are cited as helping optimize students’ workload and curriculum difficulty in response to individual needs.146 It is widely recognized that learning is optimized when educational materials map to a student’s cognitive strengths.147 Digital learning environments implementing BCI technology would gather neurodata from students using EEG and estimate the difficulty of workload based on a student’s brainwaves.148
The tools can then adapt the difficulty of assign-
ments in real time to maximize learning. One of the
celebrated elements of customized learning occurs
when the material meets the “Goldilocks test,”
which measures task achievement as neither too
easy nor too difficult, but just right.149

Addressing a different aspect of learning, some
education technology companies are developing
BCIs that measure students’ classroom attention
levels. For example, BrainCo, Inc. is developing
BCI technology that involves students wearing
EEG-fitted headbands in class.150 The students’
neurodata is gathered and displayed on a teach-
er’s dashboard which is said to provide insight into
student attention levels. Student metrics may also
be shared with students’ parents, keeping them up-
to-date on their children’s performance in class.151

1. Educational BCI Risks Include: Making
Decisions About Students’ Cognitive Abilities
Based on Inaccurate Inferences, Chilling
Student Speech, and Perpetuating Injustice

A major risk in the education field arises from in-
accurate or incomplete neurodata used to make
inferences about students’ cognitive abilities.152
In many ways these concerns mirror those found
in the employment space. Measuring a student’s
brain signals to gauge attention levels or ability
to grasp certain material using inaccurate and
not well-understood data, and then using this
information for making important decisions about
a student’s engagement, achievement level, or
academic potential could result in miscategorizing
a student as either a strong or struggling student.

Neurodata can be unreliable or inaccurate for a number of reasons: poorly fitting devices; devices with too few sensors; motion artifacts from facial or body movements contaminating the recording; or underlying science that is faulty, not well understood, or not well tested. This could put students
at risk for incorrect penalties for inattentiveness
or other perceived behaviors. Further, requiring
students to wear EEG headsets might “chill” a
student’s speech (or thoughts) if they feel they
are being surveilled, as previous studies on the effects of being monitored have shown. Moreover, feelings of being surveilled could reduce student and parent trust in the school and the educational system as a whole.

This chilling of speech could be doubly true for
students with a perceived history of acting out in
school, students who are particularly vulnerable,
have learning differences such as ADHD,153 strug-
gle with mental health, or come from communities
heavily surveilled by law enforcement or others.
This could be especially true when BCIs are used
exclusively or disproportionately among certain
subgroups of students or in disciplinary settings,
such as detention.154 The proposed Health Advanced Research Projects Agency (HARPA)155 has been discussed as a vehicle for monitoring students’ social media activity. Such a school safety measure, combined with neurodata, could further limit students’ ability to appropriately “vent” online, or lead to inaccurate conclusions being drawn from the content students post online. While educational BCIs are sometimes touted as leveling the playing field for students, disproportionate use of BCIs, or BCIs used only among certain groups of students, could increase rather than relieve injustice. Moreover, tracking students’ cognitive processes and taking action based on this tracking could lead to further stigmatization of learning differences or mental health concerns.156

2. Federal, State, and Local Student Data Laws
Typically Place Requirements on Schools and
Neurotech Companies Collecting, Using, and
Sharing Personal Neurodata, While Granting
Rights to Students and Parents

While BCIs may introduce unprecedented collec-
tion and sharing of neurodata in the education
context, there are dozens of privacy regulations
that touch on education privacy at the local, federal,
and international level. Currently, all 50 states and
Washington, DC have introduced student privacy
legislation, each with its own requirements.157 Not all of this legislation would have bearing on BCIs; however, schools, teachers, and BCI companies should be cognizant of the applicable laws and provisions in each state where the technology is used. In ad-
dition, stakeholders should be aware of school and
district-specific policies and best practices govern-
ing student data as well as the concerns of parents
and school boards. Developers and purveyors of
BCI technologies should proactively and transpar-
ently communicate their practices to engage and
empower parents and community leaders.

At the federal level, there are a variety of privacy
regulations that specifically impact education. One
of the most relevant is the Family Educational Rights and Privacy Act (FERPA),158 which protects education records at schools that receive funds under programs administered by the U.S. Department of Education.159
Education records contain information directly relat-
ed to an individual student and are maintained by
an educational agency or institution or by a party
acting for the agency or institution. In certain con-
texts, a student’s personal neurodata could be part
of an education record falling under the protection
of FERPA—which includes biometric records.160
Parents and guardians hold a number of rights over their children’s data (these rights transfer to the student at age 18 or upon enrollment in a postsecondary institution), while restrictions are placed on school officials maintaining education records.161 For example, school officials generally may not disclose personal neurodata collected from students to third parties without written consent from parents and guardians, subject to FERPA’s enumerated exceptions.

E. Research Efforts are Underway for
Integrating BCIs Into Smart Cities
and Communities for Enhanced
Communication for Construction and
Public Safety and for New Methods of
Control for Connected Vehicles

One of the more future-facing sectors for BCIs is the
smart cities and smart communities162 space where
researchers look to integrate BCIs into smart vehi-
cles and urban planning and construction design.
In the US today, technological mapping of public
and private spaces is becoming ubiquitous, and
a number of emerging technologies have already
entered the smart city arena.163 For example, sen-
sors and other technologies are increasingly inte-
grated in: transportation including smart cars and
bike share services; utilities including smart power
grids and smart water meters; telecommunications
including public broadband; government services
including gunshot detectors and parking monitor-
ing; and environmental monitoring including smart
trash cans and environmental sensors.164 In the
future, neurotechnologies could serve as another
set of sensors—in this case collecting neurodata—
for aiding city and transportation efficiency, public
safety, and energy monitoring.

BCI research is increasingly focused on integration
into smart cities and communities for enhanced
communication promoting efficiency and safety.
For example, Neurable165 and Trimble166 recently announced that they are utilizing BCIs alongside technologies like GPS to provide training and safety services for the transportation, architecture, engineering, and construction industries.167 Such
technologies could provide voice-free and hands-
free communication interaction between construc-
tion workers and engineers, while also providing
analytics for tracking training efficiency and worker
and citizen safety.168 Firefighters, paramedics, and
other public protection workers could benefit from
this technology, and could operate as members of
an integrated team if able to directly collaborate
with one another via BCI.169 One could imagine fire-
fighters operating in conjunction, and with greater
safety, if they could communicate in real time with-
out the need for a voice interface, or in the case
of voice and other communication outages. Similar
research into BCIs as communication devices is
prevalent in the military context with projects such
as Silent Talk, allowing soldiers to communicate via
neural signals without the need for verbal speech.170

Other BCI research focuses on transportation. As
early as 2014, researchers proposed a prototype
for a Bluetooth-enabled BCI that could control
a smart car.171 Research and prototypes involving
BCIs for connected vehicles is still in the early
phases.172 But as the connected vehicle landscape
expands, BCIs and other neurotechnology could
be increasingly integrated into connected vehicles
for purposes such as vehicle control or monitoring
drivers’ attention levels behind the wheel. Recent innovations include Hyundai Mobis’s M.Brain project, which is designed to measure a driver’s attention by collecting brainwaves with an earpiece sensor.173 The device can be connected to a companion smartphone app that alerts the driver when their concentration is slipping.174

Moreover, research into BCI-controlled drones is
currently underway.175 The ability to control smart
cars, drones, or other vehicles could promote ac-
cessibility to those who lack the motor functions to
control vehicles today and could promote safety
by monitoring driver fatigue levels and warning
drivers when they are drowsy behind the wheel.

1. Privacy Risks of BCIs in the Smart Cities
and Communities Space Include Increased
Surveillance, Public Safety Concerns, and
Exacerbating the Digital Divide

Near-term BCI innovations in smart cities will likely augment existing sensors, potentially heightening existing privacy concerns in the smart cities context. A major flashpoint in the privacy debate today relates to both public and private surveillance of communities, especially those that have been historically surveilled and over-policed. Advocates have pinpointed technologies such as facial recognition, license plate readers, cell site simulators, and drones as more privacy-invasive than traditional surveillance technologies such as cameras or wiretaps, because they can locate a vehicle, device, or person among a crowd of many and can gather associated metadata, personal information, or content of communications. Privacy
risks are magnified when these technologies are
deployed in historically surveilled communities by
reducing individual privacy rights, chilling speech,
eroding public trust, and perpetuating systemic
inequalities related to race, social status, gender,
national origin, and other sensitive attributes.
Integrating neurotechnology sensors into commu-
nity architecture, vehicles, and the public square
could lead to the collection, storage, and sharing
of neurodata by law enforcement for surveillance
purposes. Combining neurodata with other person-
al information could lead to even more invasive sur-
veillance than individuals are currently experiencing.

Other concerns emerge around public safety. Early prototypes of vehicles controlled fully or in part by an individual’s brain signals cannot be operated with the same precision as vehicles controlled with steering wheels, controllers, or other physical inputs. It is unlikely that vehicles controlled solely by the mind will enter the market in the near future, but new public safety questions will emerge around vehicles controlled by BCIs.

Concerns related to the exacerbated digital inequi-
ty could also be prevalent in the smart cities space.
Communities that are already more connected and
have adopted smart city technology will be more
likely to have the infrastructure in place and re-
sources available to implement BCIs in public. On
the other hand, communities that lack these same
technological investments are less likely to be
early adopters and could fall further behind, only
increasing the digital divide at national (wealthy vs.
low-income neighborhoods and communities) and
international (global north vs. global south) levels.

2. BCIs in Smart Cities Are Starting to be
Governed176 by a Mix of Legal Frameworks

While companies developing smart cities technol-
ogy are responsible for complying with privacy,
security, and other related regulations, ultimately it
is often up to local governments to regulate emerg-
ing technology integrated into modern, connected
communities. Local laws, ordinances, and frame-
works contain their own idiosyncrasies, often vary
between localities, cities, and states, and sometimes
are written to align with the particular values of their
communities. However, it is important to recognize
that local ordinances and regulations are sometimes
subject to preemption by state or federal regulation.
On the international level, laws governing smart cit-
ies technology could contain vast differences, often
highly dependent on differing cultures and gov-
ernment systems. For example, cultures that place
a greater emphasis on individual freedom might
codify individual rights and obligations on emerging
technologies differently than communities that place
a greater emphasis on collective wellbeing. Smart
city infrastructure and associated emerging gover-
nance are already complicated at the baseline, and
the potential integration of BCIs into this space will
only make technical and regulatory considerations
more complex. As such, it remains to be seen how
the BCI smart city landscape will unfold and what the
ultimate privacy implications will be.

F. Neuromarketing Involves Recording
Neurodata to Gain Insight Into
Individuals’ Reactions, Preferences,
and Motivations When Encountering
a Product or Service

Neuromarketing generally refers to collecting physi-
ological and neural signals for the purposes of learn-
ing about individuals’ reactions, mood, preferences,
and motivations when purchasing or using a product
or service.177 Neuromarketers typically use two brain
scanning methods—functional magnetic resonance
imaging (fMRI) and EEG.178 fMRI offers researchers
deeper and potentially more accurate insights into
how consumers make decisions based on various
stimuli than the more accessible and less expensive
EEG methods.179 In one well-publicized study using
fMRI scanning, participants were asked to drink unlabeled soft drinks.180 Absent brand cues, participants displayed little preference for either Coca-Cola or Pepsi; however, when told which beverage they were drinking, participants displayed heightened activity in brain areas correlated with recall and memory.181 These tests revealed positive associations such as nostalgia with the participant’s preferred brand.182 Understanding why
individuals choose the products and services that
they do poses untold benefits for advertisers.183
Where fMRI is too inaccessible or expensive, neuro-
marketers turn to less accurate, but more accessible,
portable, and less expensive EEG methods.184

Often in tandem with fMRI or EEG technology, neu-
romarketing researchers gather information from
sources other than direct neural signals. Alterna-
tive tracking methods include: eye tracking, pupil
dilation, skin conductivity, and facial expression
coding as a way to quantify attention, arousal, and
psychology. When neurodata is combined with
these other inputs, the advertising profiles tied to
individuals will become increasingly granular and
more attractive to advertisers, third parties, and
other stakeholders in the advertising technology
ecosystem looking to share, sell, and place more
impactful behavioral ads to these individuals
across the Internet.

1. Neuromarketing Risks Include the Repurposing
of Personal Neurodata for Advertising, Promoting
Addicting or Unhealthy Behaviors, and
Inadequate Consent When Collecting or Sharing
Involuntary Neurodata Due to Poor Transparency

The adoption of BCIs across numerous sectors
could pose unprecedented privacy risks within the
ad tech ecosystem. While granular user profiles for
advertising purposes exist today, adding neuroda-
ta would further animate already detailed profiles,
revealing more details about a particular individual
and inferences about their preferences. Many BCIs
across various sectors, by their very nature, collect
personal neurodata. Organizations collecting and
retaining personal neurodata—and other related
information—for various purposes could be incen-
tivized by advertiser dollars to share or sell this
data for advertising.

Further, the use of neurotechnologies in marketing
could provide stakeholders insight into new and
sensitive inferences about an individual’s sexual
preferences, arousal, health, and other especially
sensitive details. Not only could this offend individ-
uals’ notions of privacy, and erode user trust, but
could incentivize the further collection of especially
sensitive information encouraging the creation of
increasingly granular, and sensitive, profiles sought after by advertisers for delivering more impactful behavioral ads. If taken too far, granular and accurate profiles could lead to serving advertising content that encourages addictive activities related to content consumption, gameplay, or gambling, or that promotes unhealthy habits. Granular profiles built from inaccurate biometric data can also lead to inaccurate conclusions about individuals and falsely target advertising content to them.

Additionally, the privacy risks and associated con-
sequences could extend well beyond frustration or
annoyance when advertising profiles are shared
or sold to third parties for purposes other than
advertising. One could imagine a scenario in which impactful decisions are made about individuals based on advertising profiles, such as health care premiums determined in part by a user’s inferred preference for a “healthy” or “unhealthy” diet, based on both buying decisions and how their brain responds to certain foods.

Moreover, mood and eye tracking software—as it
exists today—can collect involuntary responses of
a user in reaction to stimuli. Involuntary responses
could be especially valuable to advertisers because
they could reveal unfiltered user preferences ripe
for impactful behavioral advertising. The tracking
of involuntary responses makes user transparency
and control especially difficult because it is often
happening without user awareness. The current
widespread model of companies’ terms of service
and privacy policies stating information such as:
“we will be collecting data from this device and
software to understand more about you,” would
well miss the mark of providing transparency to us-
ers. Organizations engaged in tracking involuntary
brain signals and other biometric or physiological
measurements from users might rethink current
consent protocols, as well as transparency and ex-
plainability models, for providing both an accurate
and clearly understood snapshot of what data is
being collected from users and for what purposes.

2. Neuromarketing is Potentially Governed
by Comprehensive Privacy Laws, FTC
Enforcement Authority, and Neuromarketing-
Specific Codes of Ethics

State laws such as the CPRA provide a number of rights to consumers, including rights of access, information, deletion, and portability, and a right to opt out of the “selling” of personal information, while placing new obligations on businesses. Personal neurodata is not specifically mentioned in the law, but such information could be classified as “biometric information,” which is covered and broadly defined under the CPRA. The CPRA also offers a specific opt-out of “cross-context behavioral advertising” (advertising targeted to an individual based on their activity across other businesses’ websites, apps, or services).

In addition to comprehensive privacy laws, the Federal Trade Commission (FTC) has authority to investigate under Section 6 of the FTC Act and authority to bring enforcement actions against unfair or deceptive acts or practices, including those related to advertising, under Section 5 of the Act.185

Other than laws and agency enforcement, volun-
tary self-regulatory initiatives could also inform this
space. The Neuromarketing Science & Business
Association’s (NMSBA’s) Code of Ethics enshrines
commitments around integrity; consent (including
requiring informed consent from parents when
studies involve children); transparency; and pri-
vacy.186 These ethics codes could act as tools to
educate and guide organizations wading into this
emerging and unique sector of advertising. Additionally, the UN Committee on the Rights of the Child, in its General Comment No. 25 on children’s rights in relation to the digital environment, has called on states to prohibit certain forms of advertising to children, including neuromarketing, signaling that some policymakers view neuromarketing as creating heightened risks for vulnerable populations such as children.187

G. Military BCIs include Restorative
Devices, Communications Tools,
Vehicle and Weapon Control,
Deception Detection, and More

Today, military use of BCIs is largely non-invasive
and focused on the creation of restorative devices
for injured service members.188 However, the U.S.
and China have explored the viability of BCIs as
next-generation weaponry. In the U.S., Defense
Advanced Research Projects Agency (DARPA) re-
cently announced $104 million in funding to support
its Next-Generation Nonsurgical Neurotechnology
(N3) program, which provides funding for research-
ers to develop high-performance brain-computer
interfaces for military service members.189 These
devices are intended to be non-invasive, allowing
“super-warriors” to control drones and other vehi-
cles with their brain signals during complex military
operations.190 Other military research includes BCIs
for communication between military personnel, such as Silent Talk, in which personnel communicate via neural signals without the need for verbal speech or gestures.191

Much of the research in the military space is in-
formed by breakthroughs from other sectors. No-
tably, DARPA recently awarded a number of grants
to BCI researchers,192 including a project from the
University at Buffalo in which neurodata is collect-
ed from videogamers during gameplay in hopes of
using this data to train future advanced AI robots
for military use.193 The military has expanded its re-
search into deception detection using BCIs, taking
a page from law enforcement and other defense
offices’ use of polygraph research.194

Innovations in invasive BCIs in the civilian arena adopted for military use could lead to massive breakthroughs with implications for both modern warfare and society at large. For instance, DARPA’s Restoring Active Memory (RAM) program aims to help with memory recall and formation for service members suffering brain injury through the use of an invasive BCI.195 RAM involves similar technology and methods as invasive BCIs that have proved effective for stroke, Alzheimer’s, and head injury patients.196

1. Risks Associated with Military BCIs Include Hacking, Reduction in Battlefield Teamwork, and Physical and Mental Harm

Use of BCIs on the battlefield leads to risks such as disruption of service or interception of signals by adversaries.197 Like other technologies deployed by the government and military, BCIs could become the latest system to be compromised by hackers. BCIs that collect and record brain signals could open the door for enemies to gain access to communications, strategy, and secrets. More troubling is the possibility of hackers gaining control over modulating BCIs and physically and mentally harming military personnel.

Additional risks relate to an erosion of teamwork and camaraderie between soldiers on the battlefield and in training when using BCIs for communication.198 While it is possible that communication between soldiers using BCIs could increase bonding and trust, encouraging soldiers to connect to one another through a new and currently limited technology could also erode cohesion, camaraderie, and a group dynamic important for encouraging cooperation between military personnel.

Other concerns are more future-facing. While BCIs are not currently being deployed for torture or pacification, developers in this space would be wise to consider the ethical implications of using BCIs for these purposes. Controversy and ethical concerns around the military’s use of torture have existed for decades, and BCIs could offer another avenue for a military organization to engage in these activities. Additionally, weapons that target neurodata and nervous systems may proliferate, such as uncharacterized directional phenomena in the form of vibration, pressure, and sound such as those experienced by U.S. military personnel in Havana, Cuba.199 Time will tell whether BCIs are used for these purposes and whether they will be more or less humane than current methods.

2. Some Military Use of BCIs is Governed by Military Ethics, International Treaties, and U.S. Constitutional Law

While BCIs in the military are still nascent, there are existing military ethics guidelines200—and international treaties such as the Geneva Convention201—that could prohibit future use of invasive BCIs on subjects without consent.202 However, it is important to note that to our knowledge, today there are no military regulations limiting the use of non-invasive transcranial stimulation in particular for torture, pacification, or interrogation.203

Military BCIs might also be governed by U.S. constitutional law depending on their use. BCIs used for purposes such as deception detection could violate the Fifth Amendment’s “guarantee against self-incrimination” because collecting a soldier’s thoughts might not constitute a permissible physical piece of evidence.204 Moreover, BCIs used for this purpose could run up against the Fourth Amendment as an unreasonable search and seizure.205 However, others argue that Fourth and Fifth Amendment protections might not apply to neurodata collected by BCIs because of a history of real-time collection of medical data being admissible as evidence in a court of law and the third-party doctrine resulting in users forfeiting their expectation of privacy over data shared with a company.206 Various international treaties might also govern BCIs used for interrogation. If it is determined that a BCI is used in conjunction with a “toxic chemical”—defined as a chemical that can cause “temporary incapacitation”—this could be in violation of the Chemical Weapons Convention (CWC).207

Part III: A Mix of Technical and Policy Solutions Can Mitigate Risks

Responsible use of BCIs and associated neurodata is paramount in the health and wellness area, as well as the consumer and military contexts. A diverse and inclusive list of international stakeholders spanning end-users, directly and indirectly impacted communities, interested or invested industries and marketplaces, academia, governments, and others must commit to articulating a vision for how technology, law, and policy can shape these services in a way that is beneficial to all with sufficient privacy protections. The challenges in meeting this goal are significant.

While BCIs have shown demonstrable benefits for healthcare for a number of years, the technology—especially in the consumer market—is in its infancy. With a scant number of exceptions—most notably BBI technology—breakthroughs in health services have informed BCI use in the consumer market. Open questions emerge around how moving this technology into the consumer space evolves the privacy and ethical risks seen today in the health context. Moreover, because the uses of this technology are often especially future-facing—even as compared to other emerging technologies—there is no way to comprehensively and accurately predict the specific risks that will emerge in the decades to come. Allowing these technologies to evolve absent strong accountability and enforcement frameworks will result in substantial risks. The guidelines, frameworks, and regulations cited throughout this work—including GDPR, CPRA, OECD Guidelines, and the proposed EU AI framework—could serve as a foundation for future rules governing BCIs. But regulation must be cognizant of the need to provide a structure for future technological advances and uses, as well as new risks. Moreover, in addition to laws, the proposition that existing human rights conceptualizations need to be updated to reflect these concerns is gaining momentum in some neuroscience spaces—this is an idea around which further discussion is warranted (see the call-out box below on neurorights). The grand challenge of promoting strong privacy protections for BCIs will require a mix of technical and non-technical solutions. While not comprehensive or definitive, the following suggestions provide a starting point.

Case Study: Neurorights in Chile

On October 25, 2021, the Chilean government approved a constitutional reform208 to protect “the mental integrity of neurotechnologies.”209

Chile is also considering a neuroprotection bill,210 based on five fundamental human rights-based principles: the right to personal identity, free will, mental privacy, equitable access to technologies that augment human capacities, and the right to protection against bias and discrimination.211 The bill would likely limit the use of neurotechnologies and associated neurodata to clinical and health research and therapy, meaning that many of the consumer-focused use cases described in this report would likely be prohibited. The bill also provides a number of noteworthy rights and requirements, including: obtaining express, opt-in consent from the user when engaging with neurotechnology; providing notice of possible physical, cognitive, or emotional effects of the treatment; retaining neurodata for only the time necessary to carry out the purpose for which the neurodata was collected; and requiring the state to promote equitable access to neurotechnologies in the public interest.

Perhaps most noteworthy, the bill calls for the collection, storage, treatment, and dissemination of neurodata to be treated as an organ under Chilean organ transplant law.212 This treatment of data as an organ could create practical consequences, while significantly limiting both medical and non-medical use of neurotechnologies and neurodata, including: prohibiting the selling of personal neurodata to neuromarketers and researchers; prohibiting the collection of neurodata from patients 18 years old and younger; and prohibiting patients who do not have full use of their mental faculties and do not have a positive physical fitness report from receiving neurotechnology-related treatment.

Philosopher Abel Wajnerman Paz argues that analogizing neurodata with organ transplants is not a logical fit because neurodata, unlike an organ, contains no organic material, is produced by others outside human bodies, and requires “elaborate construction by clinicians and researchers.”213 Dr. Paz provides an alternative avenue for regulating neurotechnologies, suggesting instead regulating neurodata as intellectual property. Dr. Paz argues that this could enable the data subject to financially benefit from sharing their neurodata and may lead to creating the large data repositories needed for Parkinson’s and Alzheimer’s research.214

A. Technical Solutions Include: Providing On/Off and App Controls to Users; End-to-End Encryption of Neurodata, Privacy Enhancing Technologies, and More

1. Developers Should Provide On/Off Controls Where Possible and Provide Granular Controls on BCI Devices and Companion Apps

The notion of on/off controls for tracking technologies as a form of privacy protection is not new; however, the need for some BCIs to be “always on,” or on for extended periods, especially in the health context, complicates the debate around such devices. In the consumer context, an “always on” default is typically not essential for the device to function properly. In these cases users should have a clear and definite way to control when BCIs are on or off, with a hard on/off switch on the device or through on/off controls readily accessible through a companion app. As with other devices, there are considerable privacy risks when a BCI is always gathering data or when it can be turned on unintentionally, collecting data without the user’s knowledge.215 These risks are magnified when BCIs record personal neurodata that could be combined with other information over time to draw vast and sensitive inferences about the personal lives of users.


In addition to on/off controls, BCI companies developing and deploying BCIs should provide granular controls to users for managing their neurodata and other associated personal information. Many consumer BCI devices rely on companion mobile apps, which should provide user controls. While companies and device manufacturers ultimately have the best understanding and expertise regarding what data is necessary to operate BCIs, user controls are crucial safeguards to ensure that individuals can manage data collection, deletion, use, and sharing.

2. Developers Should Utilize Best Practices for Privacy and Security to Store and Process Neurodata and Use Privacy Enhancing Technologies Where Appropriate

Regardless of whether neurodata is stored and processed on a BCI device, by a companion app, or on a server operated by the BCI provider, developers should seek to maximize privacy and security. Developers should rely on storage and computing services that can meet appropriate security standards commensurate with the sensitivity of the neurodata. Developers should also look to privacy enhancing technologies as a way of maximizing the utility of neurodata while minimizing privacy risks. Techniques could include differential privacy, in accordance with principles of data minimization and privacy by design. When appropriate, they should use de-identification methods like Privacy Preserving Data Mining (PPDM) and Privacy Preserving Data Publishing (PPDP) for stored and shared data.216 Additionally, developers should ensure sensitive personal neurodata is encrypted when in transit and at rest. These techniques could be especially useful in the BCI space, as the neurodata collected by BCIs could be ripe for data-driven research in the medical field. These techniques are often promoted as a way to maximize the utility of data for research while minimizing user identifiability.
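As an added illustration, not taken from this report, the following Python shows how the differential privacy technique named above could be applied to an aggregate derived from neurodata: a bounded-mean query over constructed per-participant EEG alpha-band power values, with Laplace noise calibrated to the query’s sensitivity and a simple privacy-budget ledger so that repeated releases from the same dataset cannot silently exhaust the guarantee. The sample values, the clipping bounds, and the budget figure are assumptions chosen for the example.

```python
import random
from typing import Optional, Sequence

# Constructed sample: per-participant mean alpha-band power (microvolts squared)
# from a hypothetical consumer EEG headband study. Not real measurements.
ALPHA_POWER_UV2 = [12.4, 9.8, 15.1, 11.0, 30.2, 8.7, 13.9, 10.5, 12.2, 14.8]


def make_rng(seed: int) -> random.Random:
    """Seeded generator so a reader can reproduce a run; use os.urandom-backed
    randomness (random.SystemRandom) for a real release."""
    return random.Random(seed)


def clip(value: float, lo: float, hi: float) -> float:
    """Bound one participant's contribution so a single outlier cannot dominate."""
    return max(lo, min(hi, value))


def bounded_mean_sensitivity(lo: float, hi: float, n: int) -> float:
    """L1 sensitivity of the mean of n values clipped to [lo, hi].

    Replacing one participant's record moves the mean by at most (hi - lo) / n;
    the Laplace noise must be scaled to this quantity, which is why clipping
    (rather than the raw, unbounded range) is needed in the first place.
    """
    if hi <= lo or n <= 0:
        raise ValueError("need hi > lo and n > 0")
    return (hi - lo) / n


def laplace_noise(rng: random.Random, scale: float) -> float:
    """Laplace(0, scale) sample, drawn as the difference of two exponentials."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def dp_mean(values: Sequence[float], lo: float, hi: float,
            epsilon: float, rng: random.Random) -> float:
    """epsilon-differentially-private release of the clipped mean."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    clipped = [clip(v, lo, hi) for v in values]
    true_mean = sum(clipped) / len(clipped)
    scale = bounded_mean_sensitivity(lo, hi, len(clipped)) / epsilon
    return true_mean + laplace_noise(rng, scale)


class PrivacyBudget:
    """Tracks cumulative epsilon spent against one dataset.

    Under sequential composition the epsilons of every release add up, so a
    provider answering many queries must refuse once the total is reached.
    """

    def __init__(self, total_epsilon: float) -> None:
        self.total = total_epsilon
        self.spent = 0.0

    @property
    def remaining(self) -> float:
        return self.total - self.spent

    def try_spend(self, epsilon: float) -> bool:
        if epsilon <= 0 or epsilon > self.remaining + 1e-12:
            return False
        self.spent += epsilon
        return True


def release_mean(values: Sequence[float], lo: float, hi: float, epsilon: float,
                 budget: PrivacyBudget, rng: random.Random) -> Optional[float]:
    """Release a DP mean only if the budget allows; None means the query was refused."""
    if not budget.try_spend(epsilon):
        return None
    return dp_mean(values, lo, hi, epsilon, rng)


if __name__ == "__main__":
    rng = make_rng(2021)
    budget = PrivacyBudget(total_epsilon=1.0)  # assumed total for this dataset
    for query in range(3):
        out = release_mean(ALPHA_POWER_UV2, 0.0, 20.0, 0.5, budget, rng)
        print(f"query {query}: {out if out is not None else 'refused (budget exhausted)'}")
```

The third query in the stand-alone run is refused: two releases at epsilon 0.5 consume the whole budget of 1.0, which is the accounting a provider has to do before treating noised aggregates as safe to share.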

Researchers should also stay abreast of and implement appropriate security safeguards. Poor cybersecurity can leave systems vulnerable to hacking, data breaches, and other malicious activities, endangering user safety. Device hacking is especially dangerous as many BCIs are used for critical health management regimens. Not only could a bad actor access personal neurodata and other collected personal information, but more alarmingly control how a device modulates, or fails to modulate, a patient’s brain, resulting in physical or psychological harm. Given how quickly the technology, capabilities, and threats in this space are evolving, cybersecurity professionals should take time to consider appropriate, practical, and tailored solutions. A good starting place could be the National Institute of Standards and Technology (NIST) Cybersecurity Framework—a dynamic resource consisting of standards, guidelines, and best practices built to adapt to a particular technology, use case, and context.217

B. Policy Solutions Include: Rethinking Transparency and Control; IRBs and Ethical Review Boards; Multi-Stakeholder Engagement; and Standards Setting and Other Agreements.

1. Given the Novelty of BCIs, Along with the Complexity of Recording and Modulating Neurodata, Organizations Should Rethink Traditional Transparency and Control Models

The novelty and complexity of BCIs warrants an emphasis on transparency and control beyond most other emerging technologies. Transparency and control frameworks might have to be rethought in the neurotechnology field. Consumer, government, and health-focused BCIs can vary significantly in their technological capabilities, sophistication, machine learning techniques, purposes, and user bases, often presenting differing privacy risks. These differences often warrant different levels and methods of transparency necessary for consumers, patients, and lawmakers to understand device capabilities, data flows, data storage, and who controls and has access to the data, while encouraging informed consent. For example, a non-invasive EEG-based device that only records neurodata along with an individual’s eye movements, muscle movements, and heartbeat does not have the same risks as a health device that records and modulates a patient’s brain using an invasive BCI. Despite these significant differences, BCIs as a whole are often incorrectly framed and lumped together by the popular media as “mind reading technologies from the future” that can capture and understand the innermost thoughts and workings of the human mind.

Developers and regulators should think creatively about how to promote the transparency necessary for meaningful user control. Privacy policies, terms of service, and other similar documents, while required by law, are often not effective means of providing transparency on their own. Even when these privacy policies are accurate in describing consumer rights and data governance, they might still lack transparency in that they are difficult to understand, vague, and fail to show the complete picture of what is happening with consumer data. In the absence of strong enforcement and without a commitment to trust, transparency, and explainability, privacy policies are likely neither agile enough to keep pace with quickly evolving technology nor adequately accessible to end-users.

Furthermore, although there are attempts to make user controls more flexible, more research is needed on how to best enable user control in ways that are more fluid, nuanced, and longitudinal. BCIs that operate in conjunction with companion apps could provide pop-up notice with the option for users to access more detailed information in a layered approach before consenting to device recording or modulating or other terms. BCI developers might also want to consider using audio and visual cues understandable to users, indicating when a device is recording or modulating. In the future, developers might take advantage of this particular technology by sending a particular signal to a user’s brain indicating some sort of activity. In this scenario, the user can respond to this signal with a particular thought pattern providing or denying consent.

2. When Appropriate, BCI Providers Should Engage IRBs or Independent Review Boards, as well as Multi-Stakeholder Engagement, Before and During Roll Out of New BCI Products or Services

In some circumstances, BCI providers might be required to complete IRB review before gathering primary research data from human subjects or pre-registering clinical trials. Organizations may need to obtain proper approval from bodies like the FDA prior to rolling out new BCI products and services. However, BCIs in the consumer market are not typically subject to these same requirements. One option for consumer-focused BCI organizations seeking to promote strong privacy protections would be committing to an independent review board to consider questions around neurodata collection, use, sharing, storage, and other related concerns. A number of prominent AI researchers and developers have crafted principles and approaches to AI and ML.218 Because BCIs often involve the use of AI and ML, many of these AI principles will inform BCI development. However, AI frameworks do not contemplate all of the major challenges around recording or modulating a user’s brain. As BCIs become more widespread, providers should consider creating internal BCI-specific principles for informing their internal design, policy, and technical decisions. Review boards could also determine whether BCI-related data should be used for research where obtaining prior user consent is impractical.

Organizations should also facilitate multi-stakeholder engagement throughout the development and deployment lifecycle of BCIs. Stakeholder outreach should include researchers, policy professionals, early adopters of the technology, and those who either have yet to adopt the technology but might do so in the future or may be impacted due to the use of the technology by others. The latter group should include those who are often not given a seat at the table when developers make ethical decisions about emerging technology. This should include individuals from vulnerable populations, such as the disability community, individuals from historically surveilled communities, and individuals from geolocations most exposed to digital inequity, among others. The conversation with all stakeholders, and perhaps most crucially with vulnerable populations, should be co-participatory and co-created from the start, meaning that providers should not only inform these populations about the technology, but absorb community feedback and integrate this feedback into internal decision making. Providers should be sure to present these changes and their internal design and decision-making process back to these stakeholders to help continue facilitating an ongoing and collaborative conversation. Further, providers should be engaging these stakeholders from the start of product development, research, and rollout. Providers should avoid premature decisions prior to community engagement, and should be willing to change course, heavily alter, or altogether scrap a project if it runs counter to a particular community’s preferences or could foreseeably cause harm.


3. Companies, Research Institutions, and Policymakers Should Set Policy and Technical Standards for BCI Research, Development, and Use that are Capable of Adapting as the Technology, User Base, and Uses Evolve

Because of the fast-moving nature of this technology, industry, research institutions, and policymakers should draft and subscribe to standards, best practices, and pragmatic regulations. As indicated in this report, a number of laws, best practices, and enforcement bodies can serve as foundations for neurotechnology-specific standards and frameworks. If and where possible, technical and governance communities should leverage existing policies, practices, and bodies pertaining to related technologies to govern BCIs, as well as identify places where existing frameworks or processes do not sufficiently address novel risks.

The latter point is particularly pertinent, since a number of notable privacy challenges are not addressed by current rules. Many of the existing comprehensive and sectoral privacy laws, including GDPR, BIPA, and CPRA, carve out de-identified data. Yet there is still no legal consensus on which types of neurodata can or will be interpreted as biometric data, and in the event that it is, research has shown that biometric data is more difficult to effectively de-identify.219 Another major gap in current regulation relates to what immersive technology expert Brittan Heller refers to as “biometric psychography,” which describes combining collected biometric data with information about stimuli encountered by the user to produce inferences about the user’s likes, dislikes, sexual attraction, fears, and other psychology.220 It might be necessary to rethink and broaden concepts and associated definitions of biometrics to be more inclusive—and therefore more predictive of—downstream emerging properties of neurodata, including psychographical characteristics.

To protect against privacy and responsible governance risks related to these and other BCI-related challenges, stakeholders should develop technical and policy standards for responsible development and use of BCIs capable of adapting as the technology, user base, and uses evolve. Technical standards should promote privacy protective techniques, including privacy enhancing technologies; data quality thresholds; and testing standards to ensure that AI and ML techniques are accurate, interpretable, and explainable; among several other elements. Policy standards should include standards related to privacy by design, user profiling, purpose limitations, data minimization, and contractual agreements between BCI manufacturers and third parties related to de-identification, data sharing, and retention, among other concerns.

Alongside technical and policy standards, industry and regulators should promote up-to-date training for developers around processes such as data handling and de-identification learned from academia. For example, depending on the magnet strength, some fMRI images are capable of reconstructing an individual’s face.221 It is common practice in the academic neuroimaging sector to remove the first few slices or images of a file before uploading to a database to prevent identification through 3D reconstruction of a participant’s face. But this is not common practice across all organizations that collect or share these kinds of images, particularly in open-source communities. In addition, stakeholders should consider a policy-driven call to action for the development of tech-driven safeguards to test for these kinds of errors and flag them, remove them, or fix them.

4. BCI Stakeholders Should Encourage the Adoption of Open Standards for Neurodata and Share De-Identified Research Data Under Open Licenses to Promote an Open and Inclusive Research Ecosystem

The development of neurotechnologies presents significant barriers to entry, as BCIs often require significant capital investment and highly specialized skill sets that would likely be inaccessible to all but a select few companies and organizations. This creates an environment in which leading neurotechnology organizations could create proprietary standards, fragmenting the neurotechnology research ecosystem. This would prevent many in industry and academia from accessing the best and most cost-effective tools available, sharing their knowledge, and incorporating diverse perspectives to advance innovation in the field. To minimize such barriers to an open and inclusive research ecosystem, companies and other stakeholders should support the development and widespread adoption of open standards for neurodata. Stakeholders may also consider whether open licensing of properly de-identified and consented neurotechnology and neurodata research datasets is feasible and appropriate, as this has the potential to maximize data accessibility by trusted researchers.

5. Policymakers Should Review the Adequacy of Existing Policy Frameworks for Governing the Unique Risks of Neurotechnologies

As established by this report, neurotechnologies can pose both familiar and novel risks. For familiar risks, such as vulnerability to hacking, the need to protect sensitive data, or the collection of data from minors, existing policy frameworks likely apply just as effectively to neurotechnologies as they do to consumer and medical technologies available today. However, the unique risks posed by neurotechnologies, such as the potential erosion of mental privacy or even more challenging concerns such as the implications for free will and human agency, highlight the possibility that existing policy frameworks may be insufficient to adequately protect people from harm. Furthermore, as neurotechnologies mature and become more commonplace, new applications unimaginable today will pose a host of new, unforeseen risks and benefits that today’s policy frameworks were not designed to address.

Policymakers and other BCI stakeholders should carefully evaluate how existing policy frameworks apply to neurotechnologies and identify potential areas where existing laws and regulations may be insufficient for the unique risks of neurotechnologies. Importantly, policymakers should prioritize a focus on well-defined risks, while tracking developments that can raise future concerns. Future advances may create unexpected problems, but may also be mitigated by other factors in the future such as yet-to-be-developed technological safeguards or changing societal norms. Potential decisions to ban particular high-risk uses of neurotechnology should similarly be discussed and considered in depth among experts prior to such decisions. Regardless, it is critical that policymakers are well educated about the risks neurotechnologies can pose and potential solutions to these risks so that they can swiftly and effectively implement these solutions when appropriate.


CONCLUSION

As BCIs evolve and are more commercially available across numerous sectors, it is paramount to understand the unique risks such technologies pose. It is just as important to understand how these technologies work and what data is necessary for them to function. Privacy and data governance risks can be minimized through broad adoption of both technical and policy recommendations that can make BCI data less identifiable, less potentially harmful, and more secure. Because the field of neurotechnology is especially future-facing, developers, researchers, and policymakers will have to create best practices and policies that consider existing risks and strategically prioritize future risks in ways that balance the need for proactive solutions while mitigating misinformation and hype; deciding which of the technical, social, or policy issues outlined in this report to prioritize first remains an open but vitally important area for discussion and concrete action. BCIs will also likely augment and be combined with many existing technologies that are currently on the market. This means that new technical and ethical issues are likely to arise and existing issues could be compounded with one another. In the near future, BCI providers, neuroscience and neuroethics experts, policymakers, and societal stakeholders will need to come together to consider what constitutes high-risk use in the field and make informed decisions around whether certain BCI applications should be prohibited, a position around which more robust and critical discussion is needed. Finally, and perhaps more fundamentally, it is also possible that the future of privacy itself and our notions of what it means to have or obtain privacy at basic human or societal levels could be challenged in ways that we cannot currently comprehend or anticipate. We hope this report and our ongoing work helps support the technical, legal, and policy developments that will be required to ensure the advances in this sector are implemented in ways that benefit society.


ENDNOTES
1. Concepts such as mental privacy, human agency, and fairness are complicated, contextually-dependent, and culturally-influenced. Likewise, terms used throughout this report—such as conscious, unconscious, subconscious, or intentional—have diverging meanings for neuro-scholars, legal experts, and the general public. We do not have the space in this report to dive deeper into these notions; however, it is important to acknowledge their nuance up-front, and we believe that conversations around these topics and efforts at better standardizing the language used in this space are warranted and should be prioritized.

2. Although the definition of neurodata is the same for humans and animals, the focus of this report is neurodata coming from human nervous systems. There are also two points worth mentioning for the sake of clarity. First, while the majority of neurodata is currently related to neurons (their electrical, hemodynamic, and chemical activity, their anatomical components, their connections, etc.), there already exists neurotechnology which targets glia—helper cells of the nervous system—to change perception and health. While this report is focused on neuronal neurodata, it is widely believed that these sorts of non-neuronal applications will continue to grow in the future, and thus what is included in the concept of neurodata is likely to expand and change in parallel. Second and related, it is a scientific fact that any human behavior can be traced back to neurodata; for the purposes of this report, we constrain the focus to primary neurodata and first order proxies of neurodata, but it is important to acknowledge that second-order or downstream behaviors and associated analyses of these behavioral data may also be seen as extensions of neurodata by some neuroscientists, neurotechnicians, and neuroethicists in the field.

3. While often connected to the Internet, some BCIs, including those that rely on implantable pulse generator technology (IPG) use
radiofrequency, rather than internet technologies such as WiFi or Bluetooth for communication and control.

4. See Andrea M. Matwyshyn, The Internet of Bodies, 61 Wm. & Mary L. Rev. 77 (2019), available at https://scholarship.law.wm.edu/wmlr/vol61/iss1/3/.
5. See Marcello Ienca & Gianclaudio Malgieri, Mental Data Protection and the GDPR, 4 (May 5, 2021), available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3840403, coining the term “digital mind” to describe the “moment-by-moment quantification of the individual-level human mind using data from neural interfaces and other digital technology—and a more intimate connection between minds and machines.”

6. The Institute of Electrical and Electronics Engineers, Inc., Standards Roadmap: Neurotechnologies for Machine Interfacing, (2020), https://
standards.ieee.org/content/dam/ieee-standards/standards/web/documents/presentations/ieee-neurotech-for-bmi-standards-roadmap .

7. There is no currently agreed-upon definition of technological maturity within the neurotech community or a mappable timeline to reasonably expect
translation of neuroscience research into direct-to-consumer products. Therefore, concepts such as “near-term” or “far-term” are not well delineated
and may change depending on the marketplace. Moreover, given that there are multiple technologies emerging or evolving simultaneously, it is
unknown what (if anything) will change and propel the field forward faster than imaging. This is particularly true where technologies intersect (e.g.
artificial intelligence + neurotech or quantum computing + neurotech). While it is necessary to dampen hype and misinformation around the field
as this can create unrealistic expectations or unwarranted fears, it would be unwise to not plan for more advanced capabilities whenever, or if ever,
they arise. Research on predicting the trajectory of BCIs and other neurotechnological capabilities would be particularly useful for aiding in planning
and prioritizing issues while still remaining vigilant towards potential future or unknown downstream consequences.

8. Bidirectional BCIs are systems that translate neural signals recorded from various areas of the brain into certain actions or sensations and
perceptions (for example, using motor cortex signals to create motor commands). In addition to bi-directional BCIs, BCIs can also be closed
loop—meaning that the device senses the effect of the modulation and then alters this modulation based on the observed effect. Closed
loop BCIs are often used to treat movement disorders like Parkinson’s Disease or sensorimotor impairments caused by spinal cord injury. See
Patrick D. Ganzer et al., Restoring the Sense of Touch Using a Sensorimotor Demultiplexing Neural Interface, Cell (Apr. 23, 2020), available
at https://www.cell.com/cell/fulltext/S0092-8674(20)30347-0.

9. Simon Little et al., Adaptive Deep Brain Stimulation in Advanced Parkinson Disease, Annals of Neurology (Jul. 12, 2013), available at https://
onlinelibrary.wiley.com/doi/full/10.1002/ana.23951; S. Andrew Josephson, A Novel Brain-Computer Interface Approach to Deep Brain
Stimulation for Parkinson’s Disease (2013), https://www.medscape.com/viewarticle/814726.

10. See SLUCare, After Sudden Hearing Loss, Cochlear Implant Returns Patient’s Quality of Life, (Sept. 24, 2019), https://www.youtube.com/
watch?v=Mb0wlYsq_UM; see also Ann Perreau, et al., Programming a Cochlear Implant for Tinnitus Suppression, Journal of the American
Academy of Audiology (Apr. 31, 2020), available at https://www.thieme-connect.de/products/ejournals/abstract/10.3766/jaaa.18086.

11. James Wu & Rajesh P. N. Rao, Melding Mind and Machine: How Close Are We?, Smithsonian Magazine (Apr. 11, 2017), https://www.
smithsonianmag.com/innovation/melding-mind-and-machine-how-close-are-we-180962857/.

12. Intro to Brain Computer Interface, NeurotechEDU, (last accessed Jun. 17, 2021), http://learn.neurotechedu.com/introtobci/. There is no widely
accepted definition of an invasive procedure, but researchers recently proposed a new definition, which defines an “invasive procedure” as one
where purposeful/deliberate access to the body is gained via an incision, percutaneous puncture, where instrumentation is used in addition to
the puncture needle, or instrumentation via a natural orifice. See Sian Cousins et al., What Is an Invasive Procedure? A Definition to Inform Study
Design, Evidence Synthesis, and Research Tracking, BMJ Open (Jul. 9, 2019), https://bmjopen.bmj.com/content/bmjopen/9/7/e028576.full.

13. Jeremiah D. Wander & Rajesh P. N. Rao, Brain-Computer Interfaces: A Powerful Tool for Scientific Inquiry, Current Opinion in Neurobiology
(2014) 25: 70–75.

14. See Angela Chen, Elon Musk’s Dreams of Merging AI and Brains Are Likely to Remain Just That–for at Least a Decade, The Verge (Apr. 21,
2017), https://www.theverge.com/2017/4/21/15370376/elon-musk-neuralink-brain-computer-ai-implant-neuroscience.

15. Intro to Brain Computer Interface, supra note 12.
16. Jane Wakefield, Elon Musk’s Neuralink ‘Shows Monkey Playing Pong with Mind’, BBC (Apr. 9, 2021), https://www.bbc.com/news/technology-56688812; see Neuralink, Monkey MindPong, YouTube (Apr. 8, 2021), https://www.youtube.com/watch?v=rsCul1sp4hQ.
17. John Koetsier, Elon Musk Wants to Put a ‘Fitbit In Your Skull’ to Summon Your Tesla, Forbes (Aug. 28, 2020), https://www.forbes.com/sites/johnkoetsier/2020/08/28/elon-musk-wants-to-put-a-fitbit-in-your-skull-to-summon-your-tesla/?sh=6b74efb3586a; in addition to Neuralink,
several other companies are active in BCI development. See Cathy Hackl, Meet the 10 Companies Working On Reading Your Thoughts (And
Even Those of Your Pets), Forbes (Jun. 21, 2020), https://www.forbes.com/sites/cathyhackl/2020/06/21/meet-10-companies-working-on-reading-your-thoughts-and-even-those-of-your-pets/?sh=23ed1f26427c.

18. Bryn Farnsworth, What is EEG (Electroencephalography) and How Does it Work?, iMotions Blog (Jul. 15, 2019), https://imotions.com/blog/what-is-eeg/.
19. See Murta Kulich, et al., Neurosensory Disorders in Mild Traumatic Brain Injury, 23-47, (Michael E. Hoffer & Carey D. Balaban ed., 2019).


FUTURE OF PRIVACY FORUM | IBM | PRIVACY AND THE CONNECTED MIND | NOVEMBER 2021 34

20. See Noman Naseer & Keum-Shik Hong, fNIRS-Based Brain-Computer Interfaces: A Review, 9:3 (Front Hum Neurosci) (2015), available at
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4309034/.

21. What is Transcranial Direct Current Stimulation?, Neuromodec, (last accessed May 16, 2021), https://neuromodec.com/what-is-transcranial-
direct-current-stimulation-tdcs/.

22. What is Transcranial Magnetic Stimulation (TMS)?, Neuromodec, (last accessed May 16, 2021), https://neuromodec.com/what-is-transcranial-
magnetic-stimulation-tms/.

23. See Nicola Riccardo Polizzotto et al., Is It Possible to Improve Working Memory with Prefrontal tDCS? Bridging Currents to Working
Memory Models, Front. Psychol. (May 26, 2020), available at https://www.frontiersin.org/articles/10.3389/fpsyg.2020.00939/full; Can Brain
Stimulation Aid Memory and Brain Health?, Harvard Health Publishing (Aug. 6, 2015), https://www.health.harvard.edu/mind-and-mood/can-
brain-stimulation-aid-memory-and-brain-health, recognizing that more research is needed on the efficacy of brain stimulation for memory
retention and learning improvement.

24. Other non-invasive techniques used to study the brain include positron emission tomography (PET), functional magnetic
resonance imaging (fMRI), magnetic resonance tomography (MRT), and magnetoencephalography (MEG), among many others.

25. Jerry J. Shih et al., Brain-Computer Interfaces in Medicine, 87(3) Mayo Clin Proc. 268-279 (Dec. 8, 2011), available at https://www.ncbi.nlm.nih.
gov/pmc/articles/PMC3497935/.

26. See Adi Robertson, I Tried the Wristband that Lets You Control Computers with Your Brain, The Verge (Jun. 6, 2018), https://www.theverge.
com/2018/6/6/17433516/ctrl-labs-brain-computer-interface-armband-hands-on-preview.

27. Electromyography (EMG), Brigham Health (last accessed May 16, 2021), https://www.brighamandwomens.org/neurology/neuromuscular-
diseases/electromyography.

28. Inside Facebook Reality Labs: The Next Era of Human-Computer Interaction, Tech@Facebook (Mar. 9, 2021), https://tech.fb.com/inside-
facebook-reality-labs-the-next-era-of-human-computer-interaction/.

29. This timeline is not intended to be a comprehensive list of neurotechnology breakthroughs, but rather a chronology of some foundational
moments in communication interfaces, BCIs, and related technology. While the BCI field is still emerging and innovating, this timeline shows that
research related to BCIs is part of a tradition of research related to electronic communication techniques and has been in the works for decades.

30. For more information about identifying individuals based on neurodata, see Russell A. Poldrack et al., Long-Term Neural and Physiological
Phenotyping of a Single Human, Nature Communications (Dec. 9, 2015), https://www.nature.com/articles/ncomms9885; Elise Hu, Move
Objects with Your Mind? We’re Getting There, With the Help of an Armband, NPR (Jul. 16, 2019), https://www.npr.org/transcripts/717487081.

31. See Jason da Silva Castanheira et al., Brief Segments of Neurophysiological Activity Enable Individual Differentiation, Nature
Communications 12: 5713 (2021), available at https://www.nature.com/articles/s41467-021-25895-8.

32. See e.g. Voices of VR, Podcast: #987: The Neuroscience of Neuromotor Interfaces + Privacy Implications with Facebook Reality Labs’
Thomas Reardon (Mar. 30, 2021), available at https://voicesofvr.com/987-the-neuroscience-of-neuromotor-interfaces-privacy-implications-
with-facebook-reality-labs-thomas-reardon-2/, suggesting that while identification based solely on an individual’s motor map is not being
done today, it is feasible given the uniqueness of motor maps.

33. Emily Gera, The Neuroscience of Mind-Control Gaming, Variety (Nov. 26, 2018), https://variety.com/2018/gaming/features/brain-computer-
interface-neurable-1203036143/.

34. Road Transport, SmartCap (last accessed May 16, 2021), http://www.smartcaptech.com/industries/transport/.
35. Brent J. Lance et al., Brain-Computer Interface Technologies in the Coming Decades, 100 Proceedings of the IEEE 1585-1599 (Mar. 1, 2012),
available at https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6162941.
36. A brain implant has been developed that uses AI to recognize brain activity related to speech and translate the activity into sentences.
See Jason Arunn Murugesu, Mind-Reading AI Turns Thoughts Into Words Using Brain Implant, New Scientist (Mar. 30, 2020), https://www.newscientist.com/article/2238946-mind-reading-ai-turns-thoughts-into-words-using-a-brain-implant/; Facebook hopes to someday incorporate
similar technology into VR headsets, which, unlike brain implants, are non-invasive. See Daphne Leprince-Ringuet, Facebook’s Mind-Reading
Plans Just Took Another Step Forward, ZDNet (Apr. 1, 2020), https://www.zdnet.com/article/facebooks-mind-reading-plans-just-took-another-step-forward/.

37. Alexandre Gonfalonieri, Consumer Brain-Computer Interface: Challenges & Opportunities, Medium (May 18, 2021), https://
alexandregonfalonieri.medium.com/consumer-brain-computer-interface-challenges-opportunities-e8204190d828.

38. Id., citing Mariam Hassib & Stefan Schneegass, Brain Computer Interfaces for Mobile Interaction: Opportunities and Challenges, MobileHCI’15,
August 24-27, available at https://www.medien.ifi.lmu.de/pubdb/publications/pub/hassib2015mobilehci/hassib2015mobilehci.

39. Intro to Brain Computer Interface, supra note 12.
40. IBM defines machine learning as “a branch of artificial intelligence and computer science which uses data and algorithms to imitate the way humans
learn, gradually improving its accuracy,” IBM Cloud Education, Machine Learning (Jul. 15, 2020), https://www.ibm.com/cloud/learn/machine-learning.
41. We recognize that the neuroscience research sector is already and will continue to be greatly impacted by these kinds of neurotechnologies,
as more accessible BCIs will change who can perform what research and at what scale. For example, the company Kernel is making EEGs
more affordable and offering neuroscience studies as a service; see Ashlee Vance, Can a $110 Million Helmet Unlock the Secrets of the
Mind?, Bloomberg Businessweek (Jun. 16, 2021), https://www.bloomberg.com/news/features/2021-06-16/braintree-founder-s-helmet-size-hospital-aims-to-mine-mind-data. However, the focus in this report is primarily commercial or private sectors, and thus we have excluded
basic research as a section in this report.

42. See Ellen Wright Clayton et al., The Law of Genetic Privacy: Applications, Implications, and Limitations, Journal of Law and the Biosciences,
(Oct. 2019) 6(1), available at https://academic.oup.com/jlb/article/6/1/1/5489401.

43. See Biometric Information Privacy Act (BIPA), 740 ILCS 14/1 (2008), available at https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57; see also California Privacy Rights Act (CPRA) of 2020 (2020), available at https://www.caprivacy.org/annotated-cpra-text-with-ccpa-changes/.

44. OECD Recommendation on Responsible Innovation in Neurotechnology (Dec. 11, 2019), available at https://www.oecd.org/science/
recommendation-on-responsible-innovation-in-neurotechnology.htm.

45. Implanted Brain-Computer Interface (BCI) Devices for Patients with Paralysis or Amputation – Non-Clinical Testing and Clinical Considerations,
FDA (May 2021), available at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/implanted-brain-computer-
interface-bci-devices-patients-paralysis-or-amputation-non-clinical-testing.



46. Notably, Article 8 of the European Convention on Human Rights; Articles 7 and 8 of the EU Charter of Fundamental Rights. Many Constitutions
in Latin American countries also recognize the right to respect for private life and confidentiality, and sometimes an individual, separate right to
protection of personal data. See also below our Case Study on Chile and specific neurorights elevated recently at constitutional level.

47. The concept of “personality rights” is generally used to denote the bundle of rights aimed at the protection of the integrity and inviolability of
the individual, and it usually encompasses the right to private life, to one’s own image, to respect of a person’s name, to the inviolability of a
person’s body, to reputation etc. See Giorgio Resta, The New Frontier of Personality Rights and the Problem of Commodification: European and
Comparative Perspectives, Tulane European and Civil Law Forum, Vol. 26, p. 33–65 (2011).

48. Proposal for a Regulation Laying Down Harmonised Rules on Artificial Intelligence, European Commission (Apr. 2021), available at https://
digital-strategy.ec.europa.eu/en/library/proposal-regulation-laying-down-harmonised-rules-artificial-intelligence.

49. CPRA, supra note 43.
50. General Data Protection Regulation (EU) 2016/679, (2016), available at https://gdpr-info.eu/.
51. See e.g. Karen S. Rommelfanger et al., Neuroethics Questions to Guide Ethical Research in the International Brain Initiatives, 100: 19-36
Neuron (Oct. 2018), available at https://www.sciencedirect.com/science/article/pii/S0896627318308237.
52. See Xiaotong Fu, et al., EEG-Based Brain-Computer Interfaces (BCIs): A Survey of Recent Studies on Signal Sensing Technologies and
Computational Intelligence Approaches and Their Applications, IEEE/ACM Transactions on Computational Biology and Bioinformatics (Dec.
2020), available at https://www.researchgate.net/publication/347966443_EEG-based_Brain-Computer_Interfaces_BCIs_A_Survey_of_Recent_Studies_on_Signal_Sensing_Technologies_and_Computational_Intelligence_Approaches_and_their_Applications.

53. Emilia Mikołajewski & Dariusz Mikołajewski, Non-invasive EEG-based Brain-computer Interfaces in Patients With Disorders of Consciousness,
Military Medical Research (2014) 1(14), available at https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4459059/.

54. Masaki Nakanishi et al., Detecting Glaucoma with a Portable Brain-Computer Interface for Objective Assessment of Visual Function Loss,
JAMA Ophthalmology (2017), 135(6): 550-557, available at https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5772598/.

55. L. Huang & G. van Luijtelaar, Brain Computer Interface for Epilepsy Treatment, IntechOpen (Jun. 5, 2013), available at https://www.
semanticscholar.org/paper/Brain-Computer-Interface-for-Epilepsy-Treatment-Huang-Luijtelaar/8bdb7cc1897ce0b109d14b61567635b567f681cf.

56. Russ Juskalian, A New Implant for Blind People Jacks Directly Into the Brain, MIT Technology Review (Feb. 6, 2020), https://www.
technologyreview.com/s/615148/a-new-implant-for-blind-people-jacks-directly-into-the-brain/.

57. See e.g., Frost & Sullivan, Brain-Computer Interface Hold a Promising Future, Alliance of Advanced Biomedical Engineering (2017), https://
aabme.asme.org/posts/brain-computer-interface-the-most-investigated-areas-in-health-care-hold-a-promising-future.

58. Duncan Graham-Rowe, Wheelchair Makes the Most of Brain Control, MIT Technology Review (Sept. 13, 2010), https://www.technologyreview.
com/s/420756/wheelchair-makes-the-most-of-brain-control/.

59. The Brain Powered Wheelchair, Enabled.in (2014), https://enabled.in/wp/brain-powered-wheelchair/.
60. Brain Implants Enable Man to Simultaneously Control Two Prosthetic Limbs with ‘Thoughts’, Neuroscience News (Dec. 12, 2020), https://neurosciencenews.com/bci-prosthetic-limb-movement-17423/.
61. Id.
62. See Mathis Fleury et al., A Survey on the Use of Haptic Feedback for Brain-Computer Interfaces and Neurofeedback, Front. in Neurosci.
(Jun. 23, 2020), available at https://www.frontiersin.org/articles/10.3389/fnins.2020.00528/full.
63. See Xiang Zhang et al., Internet of Things Meets Brain-Computer Interface: A Unified Deep Learning Framework for Enabling Human-Thing
Cognitive Interactivity, IEEE Internet of Things Journal, 6:2, 2084-2092 (Oct 2018), available at https://ieeexplore.ieee.org/document/8506382;
see e.g. Neal Ungerleider, This Life-Changing Philips Hue Hack Makes the Internet of Everything Mean Something, Fast Company (Aug. 6, 2014),
https://www.fastcompany.com/3034044/this-life-changing-philips-hue-hack-makes-the-internet-of-everything-mean-something.

64. See Iris Coates McCall et al., Owning Ethical Innovation: Claims about Commercial Wearable Brain Technologies, Neuron (Mar. 2019), 102(4)
728-731, available at https://www.cell.com/neuron/fulltext/S0896-6273(19)30289-2.

65. Neurosky Store (last accessed May 16, 2021), https://store.neurosky.com/.
66. Id.
67. Id.
68. Id.
69. Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott’s (formerly St. Jude Medical’s) Implantable Cardiac
Pacemakers: FDA Safety Communication, iData Research (Jan. 9, 2017), https://idataresearch.com/firmware-update-address-cybersecurity-vulnerabilities-identified-abbotts-formerly-st-jude-medicals-implantable-cardiac-pacemakers-fda-safety-communication/.

70. Ms. Smith, Hacking Pacemakers, Insulin Pumps and Patients’ Vital Signs in Real Time, CSO (Aug. 12, 2018), https://www.csoonline.com/
article/3296633/hacking-pacemakers-insulin-pumps-and-patients-vital-signs-in-real-time.html.

71. Jeffrey Tully et al., Connected Medical Technology and Cybersecurity Informed Consent: A New Paradigm, 22(3) J Med Internet Res (2020),
available at https://www.jmir.org/2020/3/e17612/.

72. Xiao Zhang et al., Tiny Noise Can Make an EEG-Based Brain-Computer Interface Speller Output Anything, arXiv (Jul. 16, 2020), available at
https://arxiv.org/abs/2001.11569.

73. Walter Glannon, Ethical Issues With Brain-Computer Interfaces, Front. Syst. Neurosci., (Jul. 30, 2014), https://www.frontiersin.org/
articles/10.3389/fnsys.2014.00136/full.

74. 45 C.F.R. part 46 (2018), https://www.ecfr.gov/cgi-bin/
retrieveECFR?gp=&SID=83cd09e1c0f5c6937cd9d7513160fc3f&pitd=20180719&n=pt45.1.46&r=PART&ty=HTML.

75. Connect2HealthFCC – Wireless Health and Medical Devices Background, FCC.gov (last accessed May. 16 2021), https://www.fcc.gov/general/
connect2healthfcc-wireless-health-and-medical-devices-background.

76. See Muse (last accessed, Oct. 31, 2021), https://choosemuse.com/.
77. The consent usually required for participation in a research project is different and separate from the consent for processing of personal data
for the purposes of the research project under the GDPR – see EDPB Q&A Document on processing of personal data for scientific health
research – https://edpb.europa.eu/sites/…reresearch_final (February 2021).



78. GDPR, supra note 50, arts. 6(1) and 9(2)(i) and 9(2)(j) (2016), available at https://gdpr-info.eu/art-6-gdpr/.
79. European Commission, supra note 48.
80. See Valeria Marcia & Kevin C. Desouza, The EU Path Towards Regulation on Artificial Intelligence, Brookings (Apr. 26, 2021), https://www.brookings.edu/blog/techtank/2021/04/26/the-eu-path-towards-regulation-on-artificial-intelligence/.
81. Id.
82. Melody Moore Jackson & Rudolph Mappus, “Applications for Brain-Computer Interfaces,” in Brain-Computer Interfaces: Applying our Minds
to Human-Computer Interaction, ed. Desney S. Tan and Anton Nijholt, (2010), London: Springer, 89–104.
83. Raw EEG recordings contain noise and require significant post-processing to provide even rudimentary interpretations. This runs counter to
common myths that raw EEG recordings alone can provide deep insight into the inner workings of the human mind and detailed explanations
of what the wearer is thinking.

84. Priya Singh, 10 Real Life Examples of BCI Devices That You Can Control With Your Thoughts, Analytics India Magazine (Nov. 20, 2017), https://
analyticsindiamag.com/10-times-companies-made-inexpensive-consumer-based-bci-devices-using-eeg/.

85. Diamond Feit, Hands On: NeuroBoy, a Game You Play With Your Brain, Wired (Oct. 1, 2009), https://www.wired.com/2009/10/adventures-of-neuroboy/.
86. Star Wars Science Force Trainer II Brain-Sensing Hologram Electronic Game, Amazon.com (last accessed Mar. 16, 2020), https://www.amazon.com/Science-Trainer-Brain-Sensing-Hologram-Electronic/dp/B00X5CCDYQ.
87. Linxing Jiang et al., BrainNet: A Multi-Person Brain-to-Brain Interface for Direct Collaboration Between Brains, Scientific Reports (2019), 9:
6115, available at https://www.nature.com/articles/s41598-019-41895-7.
88. Sarah McQuate, How You and Your Friends Can Play a Video Game Together Using Only Your Minds, UW News (Jul. 1, 2019), https://www.washington.edu/news/2019/07/01/play-a-video-game-using-only-your-mind/.
89. Lauren Goode, Get Ready to Hear a Lot More about ‘XR’, Wired (Jan. 5, 2019), https://www.wired.com/story/what-is-xr/.
90. Victor Tangermann, Expert: VR Headsets Should Have Brain Interfaces, Futurism (Mar. 26, 2019), https://futurism.com/brain-computer-interface-vr-headsets.
91. See Neurable (last accessed Mar. 17, 2020), https://www.neurable.com/; other than EEG electrodes, companies are experimenting with other
non-invasive methods, such as fNIRS, integrated into HMDs.
92. Gera, supra note 33.
93. Id.
94. See e.g. Ryota Horie et al., A Hands-On Game by using a Brain-Computer Interface, and Immersive Head Mounted Display, and a Wearable
Gesture Interface, IEEE Global Conference on Consumer Electronics (GCCE) (2017), https://ieeexplore.ieee.org/document/8229324.
95. See e.g. Nataliya Kos’myna, Project AttentivU, MIT Media Lab (last updated Feb. 4, 2020), https://www.media.mit.edu/projects/attentivu/overview/.
96. See e.g. Seongah Chin & Chung-Yeon Lee, Personality Trait and Facial Expression Filter-Based Brain-Computer Interface, International
Journal of Advanced Robotic Systems (May 15, 2017), https://journals.sagepub.com/doi/full/10.5772/55665.
97. See e.g. Kyle Melnick, Sundance: Breathe is a Multi-Person Mixed Reality Experience Powered By Breathing, VRScout (Jan. 24, 2020),
https://vrscout.com/news/sundance-breath-multi-person-vr-breathing/.
98. See e.g. Neurowear (last accessed Sept. 24, 2021), https://neurowear.com/.
99. See OpenBCI (last accessed Feb. 16, 2021), https://openbci.com/.
100. Antony Vitillo, OpenBCI: Games Using Brain-Interfaces Coming in 3 Years, The Ghost Howls (Feb. 12, 2021), https://skarredghost.com/2021/02/12/openbci-galea-valve-index-bci/amp/?__twitter_impression=true&s=0.
101. Tangermann, supra note 90; another prominent example of BCI technology combined with a VR HMD is the hardware developed by
NextMind; see NextMind (last accessed Jun. 11, 2021), https://www.next-mind.com/.
102. Luke Appleby, Gabe Newell Says Brain-Computer Interface Tech Will Allow Video Games Far Beyond What Human ‘Meat Peripherals’ Can
Comprehend, 1 News (Jan. 24, 2021), https://www.tvnz.co.nz/one-news/new-zealand/gabe-newell-says-brain-computer-interface-tech-allow-video-games-far-beyond-human-meat-peripherals-can-comprehend.

103. Brittan Heller, Reimagining Reality: Human Rights and Immersive Technology, Carr Center for Human Rights Policy (Jun. 12, 2020), available
at https://carrcenter.hks.harvard.edu/files/cchr/files/ccdp_2020-008_brittanheller.

104. See Courtney Friedman, Traffickers Targeting People Online More Than Ever Before, Experts Warning Parents, KSAT.com (Jan. 17, 2021),
https://www.ksat.com/news/local/2021/01/18/traffickers-targeting-people-online-more-than-ever-before-experts-warning-parents/.

105. 16 C.F.R. § 312 (1998, updated 2013).
106. Request for Public Comment on the Federal Trade Commission’s Implementation of the Children’s Online Privacy Protection Rule, 84 FR
35842 (proposed Jul. 25, 2019), https://www.federalregister.gov/documents/2019/07/25/2019-15754/request-for-public-comment-on-the-federal-trade-commissions-implementation-of-the-childrens-online.

107. BIPA, supra note 43, 96. 740 ILL. COMP. STAT. ANN. 14/10.
108. WASH. REV. CODE § 19.35.010.
109. GDPR, supra note 50, art. 14(4) (2016), available at https://gdpr-info.eu/art-14-gdpr/.
110. CPRA, supra note 43.
111. See SmartCap (last accessed May 17, 2021), http://www.smartcaptech.com/.
112. Julie Weed, Wearable Tech That Tells Drowsy Truckers It’s Time to Pull Over, New York Times (Feb. 11, 2020), https://www.nytimes.com/2020/02/06/business/drowsy-driving-truckers.html.
113. Id.
114. Kos’myna, supra note 95.
115. Erin Winick, With Brain-Scanning Hats, China Signals It Has No Interest in Workers’ Privacy, MIT Technology Review (Apr. 30, 2018), https://www.technologyreview.com/f/611052/with-brain-scanning-hats-china-signals-it-has-no-interest-in-workers-privacy/.
116. Stephen Chen, ‘Forget The Facebook Leak’: China is Mining Data Directly From Workers’ Brains On an Industrial Scale, South China Morning
Post (Apr. 29, 2018), https://www.scmp.com/news/china/society/article/2143899/forget-facebook-leak-china-mining-data-directly-workers-brains.


FUTURE OF PRIVACY FORUM | IBM | PRIVACY AND THE CONNECTED MIND | NOVEMBER 2021 37

117. Alexandre Gonfalonieri, What Brain-Computer Interfaces Could Mean for the Future of Work, Harvard Business Review (Oct. 6, 2020), https://
hbr.org/2020/10/what-brain-computer-interfaces-could-mean-for-the-future-of-work#.

118. See e.g. Sujatha K et al., Brain Computer Interface Technology in Polygraphy, 117 International Journal of Pure and Applied Mathematics 235
(2017), available at https://acadpubl.eu/jsi/2017-117-20-22/articles/22/44.

119. See Caputron (last accessed Jun. 17, 2021), https://caputron.com; see also Best tDCS Device of 2021, tDCS.com (Jan. 20, 2021), https://www.
tdcs.com/best-tdcs-devices.

120. Royal Society, iHuman: Blurring Lines Between Mind and Machine, 42 (Sept. 2019), https://royalsociety.org/-/media/policy/projects/ihuman/
report-neural-interfaces.

121. Justin M. Nelson et al., The Effects of Transcranial Direct Current Stimulation (tDCS) on Multitasking Performance and Oculometrics, Military
Psychology (2019) 31(3): 212–226, available at https://www.tandfonline.com/doi/abs/10.1080/08995605.2019.1598217?journalCode=hmlp20.

122. Gonfalonieri, supra note 117.
123. Sarah Marsh, Neurotechnology, Elon Musk and the Goal of Human Advancement, The Guardian (Jan. 1, 2018), https://www.theguardian.com/
technology/2018/jan/01/elon-musk-neurotechnology-human-enhancement-brain-computer-interfaces.
124. Evelyn Arevalo, Neuralink Could Start The First Human Trials Later This Year, Tesmanian Blog (Feb. 8, 2021), https://www.tesmanian.com/
blogs/tesmanian-blog/neuralink.
125. John F. Burke et al., Brain Computer Interface to Enhance Episodic Memory in Human Participants, Front. Hum. Neurosci. (2014) 8: 1055,
https://www.frontiersin.org/articles/10.3389/fnhum.2014.01055/full.
126. Tech@Facebook, supra note 28.
127. Francis R. Willett et al., High-Performance Brain-To-Text Communication Via Handwriting, 593 Nature, 249-254 (May 12, 2021), https://www.
nature.com/articles/s41586-021-03506-2; Pavithra Rajeswaran & Amy L. Osborn, Neural Interface Translates Thoughts into Type, Nature (May
12, 2021), https://www.nature.com/articles/d41586-021-00776-8.

128. See Gabrielle Rejouis, Data, Camera, Busted: How Surveillance Interferes with the Right to Organize at Work, Center on Privacy &
Technology at Georgetown Law (May 6, 2020), https://medium.com/center-on-privacy-technology/data-camera-busted-how-surveillance-
interferes-with-the-right-to-organize-at-work-ea974763f328, discussing the chilling effects of worker surveillance.

129. Commercial, Smart Cap (last accessed Apr. 11, 2021), http://www.smartcaptech.com/industries/commercial/, arguing that drivers’ privacy is
protected because the technology does not use privacy-invasive in-cab cameras.

130. See e.g. Annie Palmer, Amazon is Using AI-Equipped Cameras in Delivery Vans and Some Drivers are Concerned About Privacy, CNBC
(Feb. 3, 2021), https://www.cnbc.com/2021/02/03/amazon-using-ai-equipped-cameras-in-delivery-vans.html.

131. See Jingxin Liu et al., Emotion Detection From EEG Recordings, 12th International Conference on Natural Computation, Fuzzy Systems and
Knowledge Discovery (ICNC-FSKD) (Aug. 13-15, 2016), https://ieeexplore.ieee.org/document/7603437.

132. See Hannah Devlin, AI Systems Claiming to ‘Read’ Emotions Pose Discriminatory Risks, The Guardian (Feb. 16, 2020), https://www.
theguardian.com/technology/2020/feb/16/ai-systems-claiming-to-read-emotions-pose-discrimination-risks.

133. Patricia Nilsson, How AI Helps Recruiters Track Jobseekers’ Emotions, Financial Times (Mar. 2, 2018), https://medium.com/financial-times/
how-ai-helps-recruiters-track-jobseekers-emotions-3dbd85ffeca0.

134. See Fabrice Jotterand & James Giordano, Transcranial Magnetic Stimulation, Deep Brain Stimulation and Personal Identity: Ethical
Questions, and Neurological Approaches for Medical Practice, 23:5 International Review of Psychiatry 476-485 (2011), available at https://
www.tandfonline.com/doi/full/10.3109/09540261.2011.616189, specifically discussing identity concerns in the medical context, but these
challenges could similarly impact employees using neurotechnology.

135. See Eran Klein et al., Brain-Computer Interface-Based Control of Closed-Loop Brain Stimulation: Attitudes and Ethical Considerations, 3:3
Brain Computer Interfaces 140-148 (2016), available at https://www.tandfonline.com/doi/full/10.1080/2326263X.2016.1207497.

136. Roberto Portillo-Lara et al., Mind the Gap: State-of-the-Art Technologies and Applications for EEG-Based Brain-Computer Interfaces, 5:3 APL
Bioengineering (2021), available at https://aip.scitation.org/doi/10.1063/5.0047237.

137. Electronic Communications Privacy Act (ECPA), Public Law 99-508, available at https://www.govinfo.gov/content/pkg/STATUTE-100/pdf/
STATUTE-100-Pg1848.

138. Americans With Disabilities Act of 1990, Pub. L. No. 101-336, 104 Stat. 328 (1990), available at https://www.ada.gov/pubs/ada.htm.
139. U.S. Department of Labor, Bureau of Labor Statistics, Union Members – 2020 (Jan. 22, 2021), https://www.bls.gov/news.release/pdf/union2.
140. AFL-CIO, AFL-CIO Commission on the Future of Work and Unions (Sept. 13, 2019), https://aflcio.org/reports/afl-cio-commission-future-work-and-unions.
141. GDPR, supra note 50, art. 7(4)(i).
142. 29 U.S.C. §§ 2001 – 2009 (2002), available at https://www.law.cornell.edu/uscode/text/29/chapter-22, for example EPPA exempts employer
use of polygraph exams for certain government employees, defense contract employees, certain employer investigations of employee theft
and drug-related conduct, and employees hired to perform security services.

143. See Katherine F. Mendez & Christina Jaremus, Future Employer: Are Humans with Microchips in Their Brains the Future of Work, Seyfarth
(May 19, 2021), https://www.seyfarth.com/news-insights/future-employer-are-humans-with-microchips-in-their-brains-the-future-of-work.
html#page=1, citing microchip laws in California, Oklahoma, and Missouri.

144. See e.g. Roy Cellan-Jones, Office Puts Chips Under Staff’s Skin, BBC (Jan. 29, 2015), https://www.bbc.com/news/technology-31042477.
145. See Christopher Wegemer, Brain-Computer Interfaces and Education: the State of Technology and Imperatives for the Future, International
Journal of Learning Technology 14(2): 141 (Jan. 2019), available at https://www.researchgate.net/publication/335486095_Brain-computer_
interfaces_and_education_the_state_of_technology_and_imperatives_for_the_future.

146. Martin Spüler et al., “Brain-Computer Interfaces for Educational Applications,” in Informational Environments: Effects of Use, Effective Designs, ed.
Jürgen Buder et al., (Oct. 2017), https://www.researchgate.net/publication/320378280_Brain-Computer_Interfaces_for_Educational_Applications.

147. Peter Gerjets & Friedrich Hesse, When Are Powerful Learning Environments Effective? The Role of Learner Activities and of Students’
Conceptions Of Educational Technology, International Journal of Educational Research (2004) 41(6): 445-465, https://www.sciencedirect.com/
science/article/abs/pii/S0883035505000595.

148. Spüler, supra note 146.

149. John Sweller et al., Cognitive Architecture and Instructional Design, Educational Psychology Review (1998) 10(3): 251–296, https://www.
researchgate.net/publication/200772805_Cognitive_Architecture_and_Instructional_Design.

150. Sydney Johnson, This Company Wants to Gather Student Brainwave Data to Measure ‘Engagement’, EdSurge (Oct. 26, 2017), https://www.
edsurge.com/news/2017-10-26-this-company-wants-to-gather-student-brainwave-data-to-measure-engagement.

151. These headbands have since faced backlash for this application: see Jane Li, A “Brain-Reading” Headband for Students is Too Much Even
for Chinese Parents, Quartz (Nov. 5, 2019), https://qz.com/1742279/a-mind-reading-headband-is-facing-backlash-in-china/.

152. Nicole Kobie, Why Computers Won’t Be Reading Your Mind Anytime Soon, Wired UK (Mar. 12, 2020), https://www.wired.co.uk/article/brain-computer-interfaces.
153. Siobhan Ball, Glasses Act as a Shock Collar For Students Who Don’t Pay Attention, Daily Dot (Aug. 31, 2019), https://www.dailydot.com/
unclick/shock-student-glasses/.
154. Sydney Johnson, Brainwave Headsets Are Making Their Way Into Classrooms—For Meditation and Discipline, EdSurge (Nov. 17, 2017), https://
www.edsurge.com/news/2017-11-14-brainwave-headsets-are-making-their-way-into-classrooms-for-meditation-and-discipline.
155. See HARPA (last accessed May 17, 2021), https://www.harpa.org/.
156. See Jacqueline Alemany, White House Considers New Project Seeking Links Between Mental Health and Violent Behavior, Washington Post
(Aug. 22, 2019), https://www.washingtonpost.com/politics/2019/08/22/white-house-considers-new-project-seeking-links-between-mental-
health-violent-behavior/.

157. State Student Privacy Laws, Student Privacy Compass (last accessed May 16, 2021), https://studentprivacycompass.org/state-laws/.
158. 20 U.S.C. § 1232(g) (2001), available at https://www.law.cornell.edu/uscode/text/20/1232g.
159. U.S. Department of Education, Family Educational Rights and Privacy Act (FERPA) (last accessed Sept. 25, 2021), https://www2.ed.gov/policy/
gen/guid/fpco/ferpa/index.html.
160. U.S. Department of Education, Biometric Record (last accessed May 16, 2021), https://studentprivacy.ed.gov/content/biometric-record.
161. A Parent’s Guide to Student Data Privacy, ConnectSafely et al. 3 (2015), https://www.connectsafely.org/wp-content/uploads/2015/04/
StudentDataPrivacy.
162. This report uses the terms “smart cities and smart communities” to refer to communities of all shapes and sizes with digital infrastructure.
163. See e.g. Smarter Cities, IBM (last accessed Jun. 17, 2021), https://www.ibm.com/smarterplanet/us/en/smarter_cities/solutions/planning_mgt_solutions/.
164. See Shedding Light on Smart City Privacy, FPF (last accessed Jun. 17, 2021), https://fpf.org/uncategorized/smart-cities/.
165. See Neurable, supra note 91.
166. See Trimble (last accessed May 17, 2021), https://www.trimble.com/.
167. Neurable and Trimble Partner to Explore the Use of Brain-Computer Interfaces For the Transportation and AEC Industries, Financial Release,
Trimble (Jan. 3, 2019), https://investor.trimble.com/news-releases/news-release-details/neurable-and-trimble-partner-explore-use-brain-computer.
168. Id.
169. Jiang, supra note 87.
170. For more information about Silent Talk, see 2010 Defense Department Budget, https://www.darpa.mil/attachments/(2G7)%20Global%20
Nav%20-%20About%20Us%20-%20Budget%20-%20Budget%20Entries%20-%20FY2010%20(Approved); see also Patrick Tucker,
It’s Now Possible to Telepathically Communicate with a Drone Swarm, Defense One (Sept. 6, 2018), https://www.defenseone.com/
technology/2018/09/its-now-possible-telepathically-communicate-drone-swarm/151068/.

171. Sung-Ja Choi & Byeong-Gwon Kang, Prototype Design and Implementation of an Automatic Control System Based on a BCI, Wireless
Personal Communications (2014) 79(4): 2551–2563, https://www.researchgate.net/publication/271659937_Prototype_Design_and_
Implementation_of_an_Automatic_Control_System_Based_on_a_BCI.

172. See e.g. Autonomos Labs (last accessed May 17, 2021), https://autonomos.inf.fu-berlin.de/.
173. Paul Myles, Hyundai Claims Brainwave in Driver Health Monitoring, Automotive (Jul. 21, 2021), https://www.tu-auto.com/hyundai-claims-
brainwave-in-driver-health-monitoring/.
174. Id.
175. See Andrew London, I Flew a Drone with My Brain – But That’s Only the Beginning, Techradar (Mar. 24, 2018), https://www.techradar.com/
news/i-flew-a-drone-with-my-brain-but-thats-only-the-beginning.
176. For an overview of some of the emerging governance in this area, see Jeff Merritt et al., Governing Smart Cities: Policy Benchmarks for
Ethical and Responsible Smart City Development, World Economic Forum (Jul. 2021), available at https://www3.weforum.org/docs/WEF_
Governing_Smart_Cities_2021.

177. Eben Harrell, Neuromarketing: What You Need to Know, Harvard Business Review (Jan. 23, 2019), https://hbr.org/2019/01/neuromarketing-
what-you-need-to-know#:~:text=%E2%80%9CNeuromarketing%E2%80%9D%20loosely%20refers%20to%20the,pricing%2C%20and%20
other%20marketing%20areas.

178. Sharad Agarwal & Tanusree Dutta, Neuromarketing and Consumer Neuroscience: Current Understanding and the Way Forward, 42(4)
DECISION, 457-462 (Nov. 2015), available at https://www.researchgate.net/publication/284234343_Neuromarketing_and_consumer_
neuroscience_current_understanding_and_the_way_forward.

179. Id.
180. Samuel M. McClure et al., Neural Correlates of Behavioral Preference for Culturally Familiar Drinks, Neuron (2004) 44(2): 379–387, available
at https://pubmed.ncbi.nlm.nih.gov/15473974/.
181. Id.
182. Id.
183. The Advertising Research Foundation encouraged its members to use neuromarketing technology in 2017. Introduction to Neuroscience and
Biometric Marketing Research Methods, The Advertising Research Foundation (Aug. 2017), http://thearf.org/wp-content/uploads/2018/02/
KAH-Neuroscience-FINAL-web.

184. For more information about the differences between fMRI and EEG, see Christoph Mulert, Simultaneous EEG and fMRI: Towards the Characterization of
Structure and Dynamics of Brain Networks, Dialogues Clin Neurosci. (Sept. 2013), available at https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3811108/.

185. See A Brief Overview of the Federal Trade Commission’s Investigative, Law Enforcement, and Rulemaking Authority, FTC (Oct. 2019), https://
www.ftc.gov/about-ftc/what-we-do/enforcement-authority.

186. NMSBA Code of Ethics, NMSBA (last accessed Jun. 17, 2021), https://www.nmsba.com/neuromarketing-companies/code-of-ethics.
187. See United Nations Convention on the Rights of the Child, General Comment on Children’s Rights in Relation to the Digital Environment
¶ 42 (2021), available at https://docstore.ohchr.org/SelfServices/FilesHandler.ashx?enc=6QkG1d%2fPPRiCAqhKb7yhsqIkirKQZLK2M-
58RF%2f5F0vEG%2bcAAx34gC78FwvnmZXGFUl9nJBDpKR1dfKekJxW2w9nNryRsgArkTJgKelqeZwK9WXzMkZRZd37nLN1bFc2t.

188. Charles N. Munyon, Neuroethics of Non-primary Brain Computer Interface: Focus on Potential Military Applications, Front. Neurosci. (Oct. 23,
2018), https://www.frontiersin.org/articles/10.3389/fnins.2018.00696/full.

189. Al Emondi, Next-Generation Nonsurgical Neurotechnology, DARPA (last accessed May 21, 2021), https://www.darpa.mil/program/next-
generation-nonsurgical-neurotechnology.

190. Paul Tullis, The US Military Is Trying to Read Minds, MIT Technology Review (Oct. 16, 2019), https://www.technologyreview.com/s/614495/us-
military-super-soldiers-control-drones-brain-computer-interfaces/.

191. See 2010 Defense Department Budget, supra note 170.
192. DARPA Public Affairs, Six Paths to the Nonsurgical Future of Brain-Machine Interfaces, DARPA (May 20, 2019), https://www.darpa.mil/news-
events/2019-05-20.
193. Kristin Houser, DARPA Is Using Gamers’ Brain Waves To Train Robot Swarms, Futurism (Feb. 8, 2020), https://futurism.com/the-byte/darpa-
gamers-brain-waves-train-robots-swarms.
194. Michael N. Tennison & Jonathan D. Moreno, Neuroscience, Ethics, and National Security: The State of the Art, PLoS Biology (Mar. 20, 2012),
https://journals.plos.org/plosbiology/article?id=10.1371/journal.pbio.1001289#s4.
195. Matthew Pava, Restoring Active Memory (RAM), DARPA (last accessed Sept. 25, 2021), https://www.darpa.mil/program/restoring-active-memory.
196. Anika Binnendijk, et al., Brain-Computer Interfaces: U.S. Military Applications and Implications, RAND Corporation (2020) 9, https://www.rand.
org/content/dam/rand/pubs/research_reports/RR2900/RR2996/RAND_RR2996.
197. Id. at 22.
198. Id. at 23-23.
199. See Ragini Verma et al., Neuroimaging Findings in US Government Personnel with Possible Exposure to Directional Phenomena in Havana, Cuba, 322(4):
336-347 JAMA (Jul. 2019), available at https://jamanetwork.com/journals/jama/fullarticle/2738552?guestAccessKey=47486c47-c01c-47fa-8b6e-
41fc69f29cf4&utm_source=For_The_Media&utm_medium=referral&utm_campaign=ftm_links&utm_content=tfl&utm_term=072319.

200. George J. Annas, Military Medical Ethics—Physician First, Last, Always, New England Journal of Medicine (Sept. 11, 2008), 359(11): 1087-1090,
available at https://www.nejm.org/doi/full/10.1056/NEJMp0805975.

201. Munyon, supra note 188.
202. Annas, supra note 200.
203. Munyon, supra note 188.
204. Tennison, supra note 194.
205. Id.
206. Lucille Nalbach Tournas, If Police Have Devices That Can Read Your Mind, How Does the Fifth Amendment Fit In?, Slate (May 28, 2021),
https://slate.com/technology/2021/05/brain-computer-interface-mind-reading-fifth-amendment.html.
207. Tennison, supra note 194.
208. Constitutional reform text and procedural documents available at https://www.senado.cl/appsenado/templates/tramitacion/index.
php?boletin_ini=13827-19.
209. En histórica Votación, Aprueban Proyecto Del Ley Que Regulará Los Neuroderechos en Chile [In Historic Vote, Bill That Will Regulate Neurorights in Chile Is Approved], La Tercera (Apr. 13, 2021), https://www.
latercera.com/que-pasa/noticia/en-historica-votacion-aprueban-proyecto-del-ley-que-regulara-los-neuroderechos-en-chile/4IAQJIVHM5F75G
RLAR2GQ27V24/.

210. Bill of Law Establishing Neuroprotection, available at https://www.senado.cl/appsenado/templates/tramitacion/index.php?boletin_ini=13828-19.
211. Nayef Al-Rodhan, The Rise of Neurotechnology Calls for a Parallel Focus on Neurorights, Scientific American (May 27, 2021), https://www.
scientificamerican.com/article/the-rise-of-neurotechnology-calls-for-a-parallel-focus-on-neurorights/.
212. Law No. 19.451, available at https://www.bcn.cl/leychile/navegar?idNorma=30818.
213. Abel Wajnerman Paz, Are Neural Data Protected by Bodily Integrity? A Discussion of the ‘Organic’ View on Neural Data Rights, Neuroethics
Blog (May 12, 2021), http://www.theneuroethicsblog.com/2020/05/are-neural-data-protected-by-bodily.html.
214. Id.
215. See Stacey Gray, Always On: Privacy Implications of Microphone-Enabled Devices, FPF (Apr. 2016), https://fpf.org/wp-content/
uploads/2016/04/FPF_Always_On_WP.
216. See Jules Polonetsky & Jeremy Greenberg, NSF Convergence Accelerator: The Future of Privacy Technology (C-Accel 1939288), FPF
(2020), https://fpf.org/wp-content/uploads/2020/03/NSF_FPF-REPORT_C-Accel1939288_Public.
217. See NIST, Cybersecurity Framework (Apr. 2018), available at https://www.nist.gov/cyberframework.
218. See e.g. IBM’s Multidisciplinary, Multidimensional Approach to AI Ethics (last accessed May 15, 2021), https://www.ibm.com/artificial-
intelligence/ethics; Artificial Intelligence and Ethics, Microsoft EU Policy Blog (last accessed Nov. 1, 2021), https://blogs.microsoft.com/
eupolicy/artificial-intelligence-ethics/; Sundar Pichai, AI at Google: Our Principles, The Keyword (Jun. 7, 2018), https://www.blog.google/
technology/ai/ai-principles/; Jerome Pesenti, AI at F8 2018: Open Frameworks and Responsible Development, Facebook Engineering (May
2, 2018), https://engineering.fb.com/2018/05/02/mlapplications/ai-at-f8-2018-open-frameworks-and-responsible-development/.

219. See e.g. Mark Roman Miller et al., Personal Identifiability of User Tracking Data During Observation of 360-Degree VR Video, 10 Scientific
Reports (Oct. 15, 2020), available at https://www.nature.com/articles/s41598-020-74486-y, showing that a pool of 511 de-identified
participants experiencing less than 5 minutes of VR could be identified, based on biometric tracking, by a random forest with 95% accuracy.

220. Heller, supra note 103.
221. See e.g. Rufin VanRullen & Leila Reddy, Reconstructing Faces from fMRI Patterns Using Deep Generative Neural Networks, 2
Communications Biology (2019), available at https://www.nature.com/articles/s42003-019-0438-y.

1400 EYE STREET NW | SUITE 450 | WASHINGTON, DC 20005 INFO@FPF.ORG | 202-768-8950

The Future of Privacy Forum (FPF) is a catalyst for privacy leadership and scholarship,
advancing responsible data practices in support of emerging technologies. FPF is based
in Washington, DC, and includes an advisory board comprising leading figures from
industry, academia, law, and advocacy groups. Learn more at fpf.org.

DATA PROTECTION
LAWS OF THE WORLD
Full Handbook

Downloaded: 20 June 2022

TABLE OF CONTENTS

Albania . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Algeria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Angola . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Argentina . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Armenia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Aruba . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Australia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Austria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Azerbaijan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Bahamas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Bahrain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Bangladesh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Barbados . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Belarus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Belgium . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Benin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Bermuda . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Bolivia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

Bonaire, Sint Eustatius and Saba . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

Bosnia and Herzegovina . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

Botswana . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Brazil . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

British Virgin Islands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

Brunei . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Bulgaria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

Burkina Faso . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

Burundi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185

Cambodia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

Canada ... 192
Cape Verde ... 200
Cayman Islands ... 204
Chad ... 211
Chile ... 217
China ... 222
Colombia ... 232
Costa Rica ... 240
Croatia ... 244
Cuba ... 256
Curaçao ... 259
Cyprus ... 264
Czech Republic ... 277
Democratic Republic of Congo ... 288
Denmark ... 291
Dominican Republic ... 309
Ecuador ... 313
Egypt ... 319
El Salvador ... 325
Equatorial Guinea ... 328
Estonia ... 331
Ethiopia ... 345
Fiji ... 348
Finland ... 351
France ... 365
Gabon ... 381
Georgia ... 387
Germany ... 391
Ghana ... 406
Gibraltar ... 412
Greece ... 425
Guatemala ... 442
Guernsey ... 445
Guinea ... 460
Haiti ... 464
Honduras ... 467
Hong Kong, SAR ... 471
Hungary ... 477
Iceland ... 488
India ... 501
Indonesia ... 507
Iran ... 515
Ireland ... 518
Israel ... 534
Italy ... 540
Japan ... 552
Jersey ... 559
Jordan ... 570
Kazakhstan ... 574
Kenya ... 579
Kosovo ... 585
Kuwait ... 594
Kyrgyzstan ... 597
Laos ... 601
Latvia ... 606
Lebanon ... 618
Lesotho ... 621
Liberia ... 627
Libya ... 630
Lithuania ... 633
Luxembourg ... 647
Macau ... 661
Madagascar ... 664
Malaysia ... 668
Malta ... 674
Mauritius ... 689
Mexico ... 696
Moldova ... 704
Monaco ... 709
Mongolia ... 715
Montenegro ... 721
Morocco ... 726
Mozambique ... 731
Myanmar ... 734
Namibia ... 736
Nepal ... 738
Netherlands ... 741
New Zealand ... 754
Nicaragua ... 762
Niger ... 765
Nigeria ... 770
North Macedonia ... 778
Norway ... 785
Pakistan ... 798
Panama ... 802
Paraguay ... 807
Peru ... 812
Philippines ... 819
Poland ... 827
Portugal ... 843
Qatar ... 857
Qatar – Financial Centre ... 862
Republic of Congo ... 867
Romania ... 870
Russia ... 885
Rwanda ... 890
Saudi Arabia ... 896
Senegal ... 901
Serbia ... 907
Seychelles ... 913
Singapore ... 918
Sint Maarten ... 926
Slovak Republic ... 931
Slovenia ... 945
South Africa ... 956
South Korea ... 963
Spain ... 971
Sri Lanka ... 984
Sweden ... 993
Switzerland ... 1004
Taiwan ... 1013
Tajikistan ... 1017
Tanzania ... 1020
Thailand ... 1024
Tonga ... 1029
Trinidad and Tobago ... 1031
Tunisia ... 1035
Turkey ... 1039
Turkmenistan ... 1047
UAE – Abu Dhabi Global Market Free Zone ... 1050
UAE – Dubai (DIFC) ... 1059
UAE – Dubai Health Care City Free Zone ... 1068
UAE – General ... 1072
Uganda ... 1083
Ukraine ... 1087
United Kingdom ... 1093
United States ... 1105
Uruguay ... 1114
Uzbekistan ... 1118
Venezuela ... 1124
Vietnam ... 1128
Zambia ... 1136
Zimbabwe ... 1141

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World 6 | | www.dlapiperdataprotection.com

I. INTRODUCTION

EU data protection legislation is facing huge changes. Data protection laws are built on fundamental rights enshrined in the Charter of Fundamental Rights of the European Union, which are the core building blocks of the EU’s legal regime. Privacy issues arising from an exponential growth in consumer and mobile technologies, an increasingly connected planet and mass cross-border data flows have pushed the EU to entirely rethink its data protection legislation to ensure that these fundamental rights are fully protected in today’s digital economy.

In 2012, the European Commission published a draft regulation (the General Data Protection Regulation, ‘GDPR’). Just over four years later, the final text of GDPR was published in the Official Journal of the European Union on April 27, 2016. Regulation 2016/679 heralds some of the most stringent data protection laws in the world and has been in force since May 25, 2018.

The previous EU Data Protection Directive (95/46/EC) was adopted in 1995. It was implemented differently by EU Member States into their respective national jurisdictions, resulting in the fragmentation of national data protection laws within the EU. As it is a Regulation, GDPR came into effect immediately on May 25, 2018 without any need for additional domestic legislation in EU Member States. However, with more than 30 areas where Member States are permitted to legislate (differently) in their domestic laws, there will continue to be significant variation in both substantive and procedural data protection laws among the EU’s different Member States.

With fines of up to 4% of total worldwide annual turnover for failing to comply with the requirements of GDPR, organizations have had a great deal to do to comply with the new regime.

II. CURRENT SITUATION

After almost four years of often fractious negotiations, GDPR was published in the Official Journal of the European Union as Regulation 2016/679 on April 27, 2016.

There was a two-year transition period to allow organizations and governments to adjust to the new requirements and procedures. Following the end of this transitional period, the Regulation became directly applicable throughout the EU from May 25, 2018, without requiring implementation by the EU Member States through national law.

The goal of European legislators was to harmonize the previous legal framework, which was fragmented across Member States. A ‘Regulation’ (unlike a Directive) is directly applicable and has consistent effect in all Member States, and GDPR was intended to increase legal certainty, reduce the administrative burden and cost of compliance for organizations that are active in multiple EU Member States, and enhance consumer confidence in the single digital marketplace. However, in order to reach political agreement on the final text, there are more than 30 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws. There continues to be room for different interpretation and enforcement practices among the Member States. There are therefore likely to continue to be significant differences in both substantive and procedural data protection laws and enforcement practice among EU Member States with GDPR in force.

We have summarized the key changes introduced by the GDPR in the following sections. Key changes to the previous data protection framework include:

A. WIDER TERRITORIAL SCOPE

Where organizations are established within the EU

GDPR applies to processing of personal data “in the context of the activities of an establishment” (Article 3(1)) of any organization within the EU. For these purposes “establishment” implies the “effective and real exercise of activity through stable arrangements” (Recital 22) and “the legal form of such arrangements…is not the determining factor” (Recital 22), so there is a wide spectrum of what might be caught, from fully functioning subsidiary undertakings on the one hand to potentially a single individual sales representative, depending on the circumstances.

Europe’s highest court, the Court of Justice of the European Union (the CJEU), has been developing jurisprudence on this concept, recently finding (Google Spain SL, Google Inc. v AEPD, Mario Costeja Gonzalez (C-131/12)) that Google Inc., with EU-based sales and advertising operations (in that particular case, a Spanish subsidiary), was established within the EU. More recently, the same court concluded (Weltimmo v NAIH (C-230/14)) that a Slovakian property website was also established in Hungary and therefore subject to Hungarian data protection laws.

Where organizations are not established within the EU

Even if an organization is able to prove that it is not established within the EU, it will still be caught by GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related “to the offering of goods or services” (Art 3(2)(a)) (no payment is required) to such data subjects in the EU or “the monitoring of their behavior” (Art 3(2)(b)) as far as their behavior takes place within the EU. Internet use profiling (Recital 24) is expressly referred to as an example of monitoring.

Practical implications

1. Compared to the previous Directive, GDPR captures many more overseas organizations. US tech should particularly take note, as the provisions of GDPR have clearly been designed to capture them.

2. Overseas organizations not established within the EU who are nevertheless caught by one or both of the offering goods or services or monitoring tests must designate a representative within the EU (Article 27).

B. TOUGHER SANCTIONS

Revenue-based fines

GDPR joins anti-bribery and anti-trust laws as having some of the very highest sanctions for non-compliance, including revenue-based fines of up to 4% of annual worldwide turnover.

To compound the risk for multinational businesses, fines are imposed by reference to the revenues of an undertaking rather than the revenues of the relevant controller or processor. Recital 150 of GDPR states that ‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty doesn’t define the term either, and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many cases group companies have been regarded as part of the same undertaking. This is bad news for multinational businesses, as it means that in many cases group revenues will be taken into account when calculating fines, even where some of those group companies have nothing to do with the processing of data to which the fine relates, provided they are deemed to be part of the same undertaking. The assessment will turn on the facts of each case.

Fines are split into two broad categories. 

The highest fines (Article 83(5)) of up to 20,000,000 Euros or in the case of an undertaking up to 4% of total worldwide turnover

of the preceding year, whichever is higher apply to breach of:

the basic principles for processing including conditions for consent

data subjects’ rights

international transfer restrictions

any obligations imposed by Member State law for special cases such as processing employee data

certain orders of a supervisory authority

The lower category of fines (Article 83(4)) of up to 10,000,000 Euros or in the case of an undertaking up to 2% of total worldwide

turnover of the preceding year, whichever is the higher apply to breach of:

obligations of controllers and processors, including security and data breach notification obligations

obligations of certification bodies

obligations of a monitoring body

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World 8 | | www.dlapiperdataprotection.com

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective,

proportionate and dissuasive (Article 83(1)). 

Fines can be imposed in combination with other sanctions.

Broad investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site

data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

GDPR makes it considerably easier for individuals to bring private claims against data controllers and processors. In particular:

any person who has suffered “material or non-material damage” as a result of a breach of GDPR has the right to receive

compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that

individuals will be able to claim compensation for distress and hurt feelings even where they are not able to prove financial

loss.

data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf

(Article 80). Although this falls some way short of a US style class action right, it certainly increases the risk of group

privacy claims against consumer businesses. Employee group actions are also more likely under GDPR.

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77). 

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against

a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

Practical implications

1. The scale of fines and risk of follow-on private claims under GDPR means that actual compliance is a must. GDPR is not a legal

and compliance challenge – it is much broader than that, requiring organizations to completely transform the way that they collect,

process, securely store, share and securely wipe personal data. Engagement of senior management and forming the right team is

key to successful GDPR readiness. 

2. Organizations caught by GDPR need to map current data collection and use, carry out a gap analysis of their current

compliance against GDPR and then create and implement a remediation plan, prioritizing high risk areas.

3. GDPR requires suppliers and customers to review supply chains and current contracts. Contracts will need to be renegotiated

to ensure GDPR compliance and commercial terms will inevitably have to be revisited in many cases given the increased costs of

compliance and higher risks of non-compliance.

4. The very broad concept of ‘undertaking’ is likely to put group revenues at risk when fines are calculated, whether or not all

group companies are caught by GDPR or were responsible for the infringement of its requirements. Multinationals even with quite

limited operations caught by GDPR will therefore need to carefully consider their exposure and ensure compliance.

5. Insurance arrangements need to be reviewed and cyber and data protection exposure added to existing policies or purchased as

stand-alone policies where possible. The terms of policies require careful review as there is wide variation among wordings and

many policies may not be suitable for the types of losses which are likely to occur under GDPR. 

C. MORE DATA CAUGHT

Personal data is defined as “any information relating to an identified or identifiable natural person.” (Article 4) A low bar is set for

“identifiable” – if anyone can identify a natural person using “all means reasonably likely to be used” (Recital 26) the information is


personal data, so data may be personal data even if the organization holding the data cannot itself identify a natural person. A

name is not necessary either – any identifier will do such as an identification number, location data, an online identifier or other

factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30 with IP addresses, cookies and RFID tags all listed as examples.

Although the definition and recitals are broader than the equivalent definitions in the current Directive, for the most part they are

simply codifying current guidance and case law on the meaning of ‘personal data’.

GDPR also includes a broader definition of “special categories” (Article 9) of personal data which are more commonly known as

sensitive personal data. The concept has been expanded to expressly include the processing of genetic data and biometric data.

The processing of these data is subject to a much more restrictive regime.

A new concept of ‘pseudonymisation’ (Article 4) is defined as the processing of personal data in such a manner that the personal

data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional

information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not

attributed to an identified or identifiable natural person. Organizations which implement pseudonymization techniques enjoy

various benefits under GDPR.

Practical implications

1. If in any doubt, it is prudent to work on the assumption that data is personal data given the extremely wide definition of

personal data in GDPR.

2. GDPR imposes such a high bar for compliance, with sanctions to match, that often the most effective approach to minimize

exposure is not to process personal data in the first place and to securely wipe legacy personal data or render it fully anonymous,

reducing the amount of data subject to the requirements of GDPR.

3. Where a degree of identification is required for a specific purpose, the next best option is only to collect and use

pseudonymous data. Although this falls within the regulated perimeter, it enjoys a number of benefits for organizations in

particular that in the event of a data breach it is much less likely that pseudonymous data will cause harm to the affected

individuals, thereby also reducing the risk of sanctions and claims for the relevant organization.

4. Organizations should only use identifiable personal data as a last resort where anonymous or pseudonymous data is not

sufficient for the specific purpose.
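As an added illustration (not part of the DLA Piper text), the following Python sketch applies the Article 4 definition of pseudonymisation quoted above: the dataset that leaves the secure environment carries only a keyed pseudonym, while the HMAC key and the re-identification table are the "additional information" held separately, which is what makes a breach of the dataset alone far less harmful. The sample records, the key store class and the key values are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample records for the example; the people and addresses are fictitious.
RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "name": "Alice Example", "plan": "pro", "country": "HU"},
    {"email": "bob@example.com", "name": "Bob Example", "plan": "free", "country": "SK"},
]

# Fields that identify a natural person directly and must not leave with the dataset.
DIRECT_IDENTIFIERS = ("email", "name")


class PseudonymisationKeyStore:
    """Holds the 'additional information' that Article 4 requires to be kept separately.

    Here it is an HMAC key; in a real deployment it would sit in a KMS or HSM under
    the control of a different team from the one that uses the pseudonymised data.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)

    def pseudonym(self, identifier: str) -> str:
        # Keyed hash: the same identifier always maps to the same pseudonym (so the
        # dataset stays linkable for analytics), but without the key nobody can
        # confirm a guessed identifier by recomputing the hash.
        canonical = identifier.strip().lower().encode("utf-8")
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()


def pseudonymise(
    records: List[Dict[str, str]], keystore: PseudonymisationKeyStore
) -> Tuple[List[Dict[str, str]], Dict[str, Dict[str, str]]]:
    """Split each record into an analytics row and a separately stored lookup entry.

    The first return value can be shared with analysts or processors; the second
    stays with the key store and is only consulted when re-identification is authorised.
    """
    dataset: List[Dict[str, str]] = []
    lookup: Dict[str, Dict[str, str]] = {}
    for record in records:
        subject_id = keystore.pseudonym(record["email"])
        row = {"subject_id": subject_id}
        row.update({k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS})
        dataset.append(row)
        lookup[subject_id] = {k: record[k] for k in DIRECT_IDENTIFIERS}
    return dataset, lookup


def reidentify(subject_id: str, lookup: Dict[str, Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Controlled re-identification: works only for whoever holds the separate table."""
    return lookup.get(subject_id)


def contains_direct_identifier(dataset: List[Dict[str, str]]) -> bool:
    """Release check to run before the dataset leaves the secure environment."""
    return any(field in DIRECT_IDENTIFIERS for row in dataset for field in row)


if __name__ == "__main__":
    store = PseudonymisationKeyStore()
    data, table = pseudonymise(RECORDS, store)
    print("direct identifiers present:", contains_direct_identifier(data))
    print("first analytics row:", data[0])
    print("re-identified:", reidentify(data[0]["subject_id"], table))
```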

D. SUPPLIERS (PROCESSORS) CAUGHT TOO

GDPR directly regulates data processors for the first time. The current Directive generally regulates controllers (i.e., those

responsible for determining the purposes and means of the processing of personal data) rather than ‘data processors’ –

organizations who may be engaged by a controller to process personal data on their behalf (e.g., as an agent or supplier). 

Under GDPR, processors are required to comply with a number of specific obligations, including to maintain adequate

documentation (Article 30), implement appropriate security standards (Article 32), carry out routine data protection impact

assessments (Article 32), appoint a data protection officer (Article 37), comply with rules on international data transfers (Chapter

V) and cooperate with national supervisory authorities (Article 31). These are in addition to the requirement for controllers to

ensure that when appointing a processor, a written data processing agreement is put in place meeting the requirements of GDPR

(Article 28). Again, these requirements have been enhanced and gold-plated compared to the equivalent requirements in the

Directive. 

Processors are directly liable to sanctions (Article 83) if they fail to meet these criteria and may also face private claims by

individuals for compensation (Article 79).

Practical implications

1. GDPR completely changes the risk profile for suppliers processing personal data on behalf of their customers. Suppliers now


face the threat of revenue-based fines and private claims by individuals for failing to comply with GDPR. Telling an investigating

supervisory authority that you are just a processor won’t work; they can fine you too. Suppliers need to take responsibility for

compliance and assess their own compliance with GDPR. In many cases, this requires the review and overhaul of current

contracting arrangements to ensure better compliance. The increased compliance burden and risk requires a careful review of

business cases.

2. Suppliers need to decide for each type of processing undertaken whether they are acting solely as a processor or if their

processing crosses the line and renders them a data controller or joint controller, attracting the full burden of GDPR.

3. Customers (as controllers) face similar challenges. Supply chains need to be reviewed and assessed to determine current

compliance with GDPR. Privacy impact assessments need to be carried out. Supervisory authorities may need to be consulted. In

many cases contracts are likely to need to be overhauled to meet the new requirements of GDPR. These negotiations will not be

straightforward given the increased risk and compliance burden for suppliers. They will also be time consuming and it would be

sensible to start the renegotiation exercise sooner rather than later, particularly as suppliers are likely to take a more inflexible

view over time as standard positions are developed. 

4. There are opportunities for suppliers to offer GDPR “compliance as a service” solutions, such as secure cloud solutions, though

customers will need to review these carefully to ensure they dovetail to their own compliance strategy.

E. DATA PROTECTION PRINCIPLES

The core themes of the data protection principles in GDPR remain largely as they were in the Directive, though there has been a

significant raising of the bar for lawful processing (see Higher Bar for Lawful Processing, https://www.dlapiper.com/focus/eu-data-protection-regulation/key-changes) and a new principle of accountability has

been added.

Personal data must be (Article 5):

processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”)

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with

those purposes (the “purpose limitation principle”)

adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”)

accurate and where necessary kept up-to-date (the “accuracy principle”)

kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which

the data are processed (the “storage limitation principle”)

processed in a manner that ensures appropriate security of the personal data, using appropriate technical and

organizational measures (the “integrity and confidentiality principle”)

The controller is responsible for and must be able to demonstrate compliance with the above principles (the accountability

principle).

Practical implications

1. Controllers need to assess and ensure compliance of data collection and use across their organizations with each of the above

principles as any failure to do so attracts the maximum category of fines of up to 20 million Euros / 4% of worldwide annual turnover. Data mapping, gap analysis and remediation action plans need to be undertaken and implemented.

2. The enhanced focus on accountability will require a great deal more papering of process flows, privacy controls and decisions

made to allow controllers to be able to demonstrate compliance. See Accountability and Governance (https://www.dlapiper.com/focus/eu-data-protection-regulation/key-changes/#accountability).

F. HIGHER BAR FOR LAWFUL PROCESSING

The lawfulness, fairness and transparency principle among other things requires processing to fall within one or more of the

permitted legal justifications for processing. Where special categories of personal data are concerned, additional much more

restrictive legal justifications must also be met. 

Although this structure is present in the Directive, the changes introduced by GDPR will make it much harder for organizations to


fall within the legal justifications for processing. Failure to comply with this principle is subject to the very highest fines of up to 20

million Euros or in the case of an undertaking up to 4% of annual worldwide turnover, whichever is the greater.

In particular:

The bar for valid consents has been raised much higher under GDPR. Consents must be fully unbundled from other terms

and conditions and will not be valid unless freely given, specific, informed and unambiguous (Articles 4(11) and 6(1)(a)).

Consent also attracts additional baggage for controllers in the form of extra rights for data subjects (the right to be

forgotten and the right to data portability) relative to some of the other legal justifications. It must be as easy to withdraw consent as it is to give – data subjects have the right to withdraw consent at any time – and unless the

controller has another legal justification for processing any processing based on consent alone would need to cease once

consent is withdrawn.

To compound the challenge for controllers, in addition to a hardening of the requirements for valid consent, GDPR has

also narrowed the legal justification allowing data controllers to process in their legitimate interests. This justification also

appears in the Directive though the interpretation of the concept in the current regime has varied significantly among the

different Member States with some such as the UK and Ireland taking a very broad view of the justification and others

such as Germany taking a much more restrictive interpretation. GDPR has followed a more Germanic approach,

narrowing the circumstances in which processing will be considered to be necessary for the purposes of the legitimate

interests of the controller or a third party. In particular, the ground can no longer be relied upon by public authorities.

Where it is relied upon, controllers will need to specify what the legitimate interests are in information notices and will

need to consider and document why they consider that their legitimate interests are not overridden by the interests or

fundamental rights and freedoms of the data subjects, in particular where children’s data is concerned.

The good news is that the justification allowing processing necessary for the performance of a contract to which the data subject

is party or in order to take steps at the request of the data subject to enter into a contract is preserved in GDPR, though

continues to be narrowly drafted. Processing which is not necessary to the performance of a contract will not be covered. The

less good news for controllers relying on this justification is that it comes with additional burdens under GDPR, including the right

to data portability and the right to be forgotten (unless the controller is able to rely on another justification).

Other justifications include where processing is necessary for compliance with a legal obligation; where processing is necessary to

protect the vital interests of a data subject or another person where the data subject is incapable of giving consent; where

processing is necessary for performance of a task carried out in the public interest or in the exercise of official authority vested in the

controller. These broadly mirror justifications in the previous Directive.

Processing for new purposes

It is often the case that organizations will want to process data collected for one purpose for a new purpose which was not

disclosed to the data subject at the time the data was first collected. This is potentially in conflict with the core principle of

purpose limitation and to ensure that the rights of data subjects are protected, GDPR sets out a series of considerations that the

controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were

initially collected (Article 6(4)). These include:

any link between the original purpose and the new purpose

the context in which the data have been collected

the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are

processed (with the inference being that if they are it will be much harder to form the view that a new purpose is

compatible)

the possible consequences of the new processing for the data subjects

the existence of appropriate safeguards, which may include encryption or pseudonymization.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new

purpose are a fresh consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and

proportionate measure in a democratic society).

Processing of special categories of personal data


As is the case in the Directive, GDPR sets a higher bar to justify the processing of special categories of personal data. These are

defined to include “data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union

membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data

concerning health or data concerning a natural person’s sex life or sexual orientation.” (Article 9(1)) Processing of these data is

prohibited unless one or more specified grounds are met which are broadly similar to the grounds set out in the Directive.

Processing of special categories of personal data is only permitted (Article 9(2)):

with the explicit consent of the data subject

where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and

social protection law or a collective agreement

where necessary to protect the vital interests of the data subject or another natural person who is physically or legally

incapable of giving consent

in limited circumstances by certain not-for-profit bodies

where processing relates to the personal data which are manifestly made public by the data subject

where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in their

legal capacity

where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to

the aim pursued and with appropriate safeguards

where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical

diagnosis, provision of health or social care or treatment or the management of health or social care systems and services

where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border

threats to health or ensuring high standards of health care and of medical products and devices

where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical

purposes in accordance with restrictions set out in Article 89(1)

The justifications and conditions for processing special categories of data are one area where Member States are permitted to

introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data,

biometric data and health data.

Processing of personal data relating to criminal convictions and offenses

GDPR largely mirrors the requirements of the Directive in relation to criminal conviction and offences data. This data may only be

processed under official authority or when authorized by Union or Member State law (Article 10) which means this is another

area where legal requirements and practice are likely to diverge among the different Member States.

Practical Implications

1. Controllers need to ensure that they have one or more legal justifications to process personal data for each purpose. Practically

this will require comprehensive data mapping to ensure that all personal data within the extended enterprise (i.e. including data

processed by third parties as well as data within the organization) has a legal justification to be processed.

2. Consideration needs to be given as to which are the most appropriate justifications for different purposes and personal data,

given that some justifications attract additional regulatory burdens.

3. The common practice of justifying processing with generic consents needs to cease with GDPR in force. Consent comes with

many additional requirements under GDPR and as such is likely to be a justification of last resort where no other justifications are

available.

4. Where controllers propose to process legacy data for new purposes, they need to be able to demonstrate compliance with the

purpose limitation principle. To do that, controllers should document decisions made concerning new processing, taking into

account the criteria set out in GDPR and bearing in mind that technical measures such as encryption or pseudonymisation of data

will generally make it easier to prove that new purposes are compatible with the purposes for which personal data were originally

collected.


G. TRANSFERS

International transfers and particularly those to the US have regularly made front page headline news over the last 12 months with

the successful torpedoing of the EU/US Safe Harbor regime by Europe’s highest court. Organizations will be relieved to hear that

for the most part GDPR does not make any material changes to the previous rules for transfers of personal data cross-border,

largely reflecting the regime under the Directive. That said, in contrast to the previous regime where sanctions for breaching

transfer restrictions are limited, failure to comply with GDPR’s transfer requirements attract the highest category of fines of up to

20 million Euros or in the case of undertakings up to 4% of annual worldwide turnover.

Transfers of personal data to third countries outside the EU are only permitted where the conditions laid down in GDPR are met

(Article 44).

Transfers to third countries, territories or specified sectors or an international organization which the Commission has decided

ensures an adequate level of protection do not require any specific authorization (Article 45(1)). The adequacy decisions made

under the current Directive shall remain in force under GDPR until amended or repealed (Article 45(9)); so for the time being

transfers to any of the following countries are permitted: Andorra, Argentina, Canada (with some exceptions), Switzerland, Faeroe

Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand.

The well-publicized gap for transfers from the EU to US following the ruling that Safe Harbor is invalid will, it is hoped, be filled

with the new EU/US Privacy Shield. 

Transfers are also permitted where appropriate safeguards have been provided by the controller or processor and on condition

that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards

include among other things binding corporate rules which now enjoy their own Article 47 under GDPR and standard contractual

clauses. Again, decisions on adequacy made under the Directive will generally be valid under GDPR until amended, replaced or

repealed.

Two new mechanics are introduced by GDPR to justify international transfers (Article 46(2)(e) and (f)): controllers or processors

may also rely on an approved code of conduct pursuant to Article 40 or an approved certification mechanism pursuant to Article

42 together in each case with binding and enforceable commitments in the third country to apply these safeguards including as

regards data subjects’ rights. GDPR also removes the need to notify and in some Member States seek prior approval of model

clauses from supervisory authorities.

GDPR includes a list of derogations similar to those included in the Directive permitting transfers where: 

(a) explicit informed consent has been obtained

(b) the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures

(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject

between the controller and another natural or legal person

(d) the transfer is necessary for important reasons of public interest

(e) the transfer is necessary for the establishment, exercise or defense of legal claims

(f) the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained

(g) the transfer is made from a register which according to EU or Member State law is intended to provide information to the

public, subject to certain conditions. 

There is also a very limited derogation to transfer where no other mechanic is available and the transfer is necessary for the

purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data

subject; notification to the supervisory authority is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized

or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in

force between the requesting third country and the EU or Member State; otherwise transfer in response to such requests where

there is no other legal basis for transfer will breach GDPR’s restrictions.

Practical Implications


1. Given the continued focus of the media and regulators on international transfer and the increased sanctions to be introduced by

GDPR, all controllers and processors need to carefully diligence current data flows to establish what types of data are being shared

with which organizations in which jurisdictions.

2. Current transfer mechanics need to be reviewed to assess compliance with GDPR and, where necessary, remedial steps

implemented before GDPR comes into force.

3. For intra-group transfers, consider binding corporate rules which not only provide a good basis for transfers but also help

demonstrate broader compliance with GDPR helping to comply with the principle of accountability.  

H. DATA BREACH NOTIFICATION

One of the most profound changes to be introduced by GDPR is a European wide requirement to notify data breaches to

supervisory authorities and affected individuals.

In the US, data breach notification laws are now in force in all 50 States (http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx) and the hefty penalties for failing to notify have

fundamentally changed the way US organizations investigate and respond to data incidents. Not notifying has become a high risk

option. 

In contrast, Europe previously had no universally applicable law requiring notification of breaches. In the majority of Member

States there was either no general obligation to notify or minimal sanctions for failing to do so; for many organizations not

notifying and thereby avoiding the often damaging media fall-out is still common practice in Europe. That fundamentally changes

with GDPR in force.

GDPR requires “the controller without undue delay, and where feasible, not later than 72 hours after having become aware of it,

[to] notify the … breach to the supervisory authority” (Article 33(1)). When the personal data breach is likely to result in a high

risk to the rights and freedoms of individuals the controller is also required to notify the affected individuals “without undue delay”

(Article 34). Processors are required to notify the controller without undue delay having become aware of the breach (Article

33(2)).

The notification to the regulator must include where possible the categories and approximate numbers of individuals and records

concerned, the name of the organization’s DPO or other contact, the likely consequences of the breach and the measures taken

to mitigate harm (Article 33(3)).

Although the obligation to notify is conditional on awareness, burying your head in the sand is not an option as controllers are

required to implement appropriate technical and organizational measures together with a process for regularly testing, assessing

and evaluating the effectiveness of those measures to ensure the security of processing (Article 32). Controllers are also required

to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory authority) and permit audits by

the supervisory authority.

Failing to comply with the articles relating to security and data breach notification attract fines of up to 10 million Euros or 2% of

annual worldwide turnover, potentially for both the controller and the processor. As data breach often leads to investigations by

supervisory authorities and often uncovers other areas of non-compliance, it is quite possible that fines of up to 20 million Euros

or 4% of annual worldwide turnover will also be triggered. 
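As an added example (not from the original text), a minimal Python breach register modelled on the Article 33 and 34 duties described above: every incident is recorded whether or not it is notified, the 72-hour clock runs from the moment of awareness, and breaches flagged as high risk are listed for notifying individuals. The two sample incidents and the BreachRecord field names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Article 33(1): notify the supervisory authority without undue delay and, where
# feasible, no later than 72 hours after becoming aware of the breach.
AUTHORITY_DEADLINE = timedelta(hours=72)


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp (the register refuses naive ones)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass
class BreachRecord:
    """One entry in the Article 33(5) register. The content fields follow Article 33(3)."""

    ref: str
    aware_at: datetime            # when the controller became aware (timezone-aware)
    high_risk: bool               # Article 34: likely high risk to rights and freedoms?
    subject_categories: List[str]
    approx_subjects: int
    approx_records: int
    dpo_contact: str
    likely_consequences: str
    mitigation: str
    authority_notified_at: Optional[datetime] = None
    individuals_notified_at: Optional[datetime] = None

    def authority_deadline(self) -> datetime:
        return self.aware_at + AUTHORITY_DEADLINE

    def authority_notice_late(self, now: datetime) -> bool:
        """True if the authority was (or, if still unsent, would now be) notified late."""
        sent = self.authority_notified_at if self.authority_notified_at else now
        return sent > self.authority_deadline()

    def individuals_notice_required(self) -> bool:
        return self.high_risk


class BreachRegister:
    """Keeps every breach, notified or not, so the record can be audited (Article 33(5))."""

    def __init__(self) -> None:
        self.entries: List[BreachRecord] = []

    def log(self, record: BreachRecord) -> BreachRecord:
        if record.aware_at.tzinfo is None:
            # A naive timestamp makes the 72-hour computation ambiguous across time zones.
            raise ValueError("aware_at must be timezone-aware")
        self.entries.append(record)
        return record

    def overdue_authority_notices(self, now: datetime) -> List[BreachRecord]:
        """Breaches not yet notified to the authority whose 72-hour window has closed."""
        return [r for r in self.entries
                if r.authority_notified_at is None and now > r.authority_deadline()]

    def open_individual_notices(self) -> List[BreachRecord]:
        return [r for r in self.entries
                if r.individuals_notice_required() and r.individuals_notified_at is None]


def make_sample_register() -> BreachRegister:
    """Two constructed incidents, not real events."""
    reg = BreachRegister()
    aware = utc(2023, 2, 16, 9)
    reg.log(BreachRecord(
        ref="BR-1", aware_at=aware, high_risk=False,
        subject_categories=["customers"], approx_subjects=40, approx_records=40,
        dpo_contact="dpo@example.com",
        likely_consequences="invoices sent to the wrong recipient; names and addresses exposed",
        mitigation="recipient confirmed deletion; mail-merge check added",
        authority_notified_at=aware + timedelta(hours=49),   # inside the window
    ))
    reg.log(BreachRecord(
        ref="BR-2", aware_at=aware, high_risk=True,
        subject_categories=["employees"], approx_subjects=1200, approx_records=5000,
        dpo_contact="dpo@example.com",
        likely_consequences="payroll and health data on a lost unencrypted laptop",
        mitigation="remote wipe attempted; credentials rotated",
    ))
    return reg


if __name__ == "__main__":
    register = make_sample_register()
    now = utc(2023, 2, 20, 12)
    print("overdue authority notices:", [r.ref for r in register.overdue_authority_notices(now)])
    print("individuals still to notify:", [r.ref for r in register.open_individual_notices()])
```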

Practical implications

1. Notification will become the norm: Sweeping breaches under the carpet has become a very high risk option under GDPR. Organizations that are found to have deliberately not notified can expect the highest fines and lasting damage to corporate and individual reputations. Notifying, and building data breach infrastructure to enable prompt, compliant notification, will be a necessity under GDPR.

2. A coordinated approach, including technology, breach response policy and training, and wider staff training. Data breaches are increasingly a business as usual event. Lost or stolen devices, emails sent to incorrect addresses in error and the continuing rise of cybercrime mean that for many organizations, data breaches are a daily occurrence. To deal with the volume of breaches,


organizations need a combination of technology, breach response procedures and staff training.

a. Technology requirements: these will vary for each organization but will typically include a combination of firewalls, log recording, data loss prevention, malware detection and similar applications. There is an increasingly sophisticated array of applications that learn what “normal” looks like for a particular corporate network in order to spot unusual events more effectively. The state of the art continues to change rapidly as organizations try to keep pace with sophisticated hackers. Regular privacy impact assessments and upgrades of technology are required.

b. Breach response procedures: to gain the greatest protection from technology, investment is required in dealing with red flags when they are raised by internal detection systems or notified from external sources. Effective breach response requires a combination of skill sets including IT, PR and legal. Develop a plan and test it regularly.

c. Staff training: the weak link in security is frequently people rather than technology. Regular staff training is essential to raise awareness of the importance of good security practices, current threats and who to call if a breach is suspected. It is also important to avoid a blame culture that may deter staff from reporting breaches.

3. Consider privilege and confidentiality as part of your plan. Make sure that forensic reports are protected by privilege wherever possible to avoid compounding the losses arising from a breach. Avoid the temptation to fire off emails when a breach is suspected; pick up the phone. Don’t speculate on what might have happened; stick to the facts. Bear in mind that you may be dealing with an insider threat, such as a rogue employee, so keep any investigation on a strictly need-to-know basis and always consider using external investigators if there is any possibility of an inside attack.

4. Appoint your external advisors today if you haven’t done so already. When a major incident occurs, precious time can be wasted identifying and then retaining external support teams when you are up against a 72 hour notification deadline. Lawyers, forensics and PR advisors should ideally be contracted well before they are needed for a live incident. Find out more about DLA Piper’s breach response credentials and team at https://www.dlapiper.com/services/intellectual-property-and-technology/cybersecurity/.

5. Insurance: many insurers are now offering cyber insurance. However, there is a lack of standardization in the coverage offered. Limits are often too small for the likely exposure. Conditions are often inappropriate, such as a requirement for the insured to have fully complied with all applicable laws and its own internal policies, which will rarely be the case. That said, it is usually possible to negotiate better coverage with carriers in what continues to be a soft insurance market. Now is a good time to check the terms of policies and work with your legal team and brokers to ensure that you have the best possible coverage. You should clarify with brokers and underwriters what amounts to a notifiable incident to insurers under your policies, as again there is no common standard and failing to notify when required may invalidate cover. You should also ensure that your insurance policies will cover the costs of your preferred external advisors, as many policies will only cover advice from panel advisors.

6. Develop standard notification procedures: Perhaps the greatest challenge facing organizations and regulators is the sheer volume of data breaches and the lack of standards or guidance as to how breaches should be notified and at what point they become notifiable. In the absence of guidance, organizations will need to make an informed decision as to how to develop internal operations for the detection, categorization, investigation, containment and reporting of data breaches. Similarly, supervisory authorities will need to develop standard approaches and standard categorizations of incidents to ensure that limited resources are focused on the most serious incidents first.

I. MORE RIGHTS FOR INDIVIDUALS

GDPR builds on the rights enjoyed by individuals under the previous Directive, enhancing those rights and introducing a new right to data portability. These rights are backed up with provisions making it easier to claim damages for compensation and for consumer groups to enforce rights on behalf of consumers.

Transparency

One of the core building blocks of GDPR’s enhanced rights for individuals is the requirement for greater transparency. Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data is obtained:


the identity and contact details of the controller

the Data Protection Officer’s contact details (if there is one)

both the purpose for which data will be processed and the legal basis for processing, including if relevant the legitimate interests for processing

the recipients or categories of recipients of the personal data

details of international transfers

the period for which personal data will be stored or, if that is not possible, the criteria used to determine this

the existence of rights of the data subject including the right to access, rectify, require erasure (the “right to be forgotten”), restrict processing, object to processing and data portability; where applicable the right to withdraw consent, and the right to complain to supervisory authorities

the consequences of failing to provide data necessary to enter into a contract

the existence of any automated decision making and profiling and the consequences for the data subject.

In addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Slightly different transparency requirements apply (Article 14) where the information has not been obtained from the data subject.

Subject access rights (Article 15)

These broadly follow the existing regime set out in the Directive, though some additional information must be disclosed and there is no longer a right for controllers to charge a fee, with some narrow exceptions. Information requested by data subjects must be provided within one month as a default, with a limited right for the controller to extend this period for up to three months.

Right to rectify (Article 16)

Data subjects continue to enjoy a right to require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (right to be forgotten) (Article 17)

The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12, http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt, on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right to be forgotten now has its own Article in GDPR. However, the right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller has no legal ground for processing the information. As demonstrated in the Google Spain decision itself, requiring a search engine to remove search results does not mean the underlying content controlled by third party websites will necessarily be removed. In many cases the controllers of those third party websites may have entirely legitimate grounds to continue to process that information, albeit that the information is less likely to be found if links are removed from search engine results.

The practical impact of this decision has been a huge number of requests made to search engines for search results to be removed, raising concerns that the right is being used to remove information that it is in the public interest to be accessible.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data is no longer needed save for legal claims of the data subject; or where the legitimate grounds for processing by the controller, and whether these override those of the data subject, are contested.

Right to data portability (Article 20)

This is an entirely new right in GDPR and has no equivalent in the previous Directive. Where the processing of personal data is justified either on the basis that the data subject has given their consent to processing or where processing is necessary for the performance of a contract, and where the processing is carried out by automated means, then the data subject has the right to


receive or have transmitted to another controller all personal data concerning them in a structured, commonly used and machine-readable format.

The right is a good example of the regulatory downsides of relying on consent or performance of a contract to justify processing: they come with various baggage under GDPR relative to other justifications for processing.

Where the right is likely to arise, controllers need to develop procedures to facilitate the collection and transfer of personal data when requested to do so by data subjects.

Right to object (Article 21)

The Directive’s right to object to the processing of personal data for direct marketing purposes at any time is retained.

In addition, data subjects have the right to object to processing which is legitimized on the grounds either of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject, or that the processing is for the establishment, exercise or defense of legal claims.

The right not to be subject to automated decision making, including profiling (Article 22)

This right expands the Directive right not to be subject to automated decision making. GDPR expressly refers to profiling as an example of automated decision making. Automated decision making and profiling “which produces legal effects concerning [the data subject] … or similarly significantly affects him or her” are only permitted where:

(a) necessary for entering into or performing a contract

(b) authorized by EU or Member State law, or

(c) the data subject has given their explicit (i.e. opt-in) consent.

The scope of this right is potentially extremely broad and may throw into question legitimate profiling, for example to detect fraud and cybercrime. It also presents challenges for the online advertising industry and website operators, who will need to revisit consent mechanics to justify online profiling for behavioral advertising. This is an area where further guidance is needed on how Article 22 will be applied to specific types of profiling.

Practical implications

1. Controllers need to review and update current fair collection notices to ensure compliance with the expanded information requirements. Much more granular notices are required, using plain and concise language.

2. Consideration should be given to which legal justifications for processing are most appropriate for different purposes, given that some, such as consent and processing for performance of a contract, come with additional regulatory burden in the form of enhanced rights for individuals.

3. For some controllers with extensive personal data held on consumers, it is likely that significant investment in customer preference centers is required, on the one hand to address enhanced transparency and choice requirements and on the other hand to automate compliance with data subject rights.

4. Existing data subject access procedures should be reviewed to ensure compliance with the additional requirements of GDPR.

5. Policies and procedures need to be written and tested to ensure that controllers are able to comply with data subjects’ rights within the time limits set by GDPR. In some cases, such as where data portability engages, significant investments may be required.

J. DATA PROTECTION OFFICERS

GDPR introduces a significant new governance burden for those organizations which are caught by the new requirement to appoint a DPO. Although this was already a requirement for most controllers in Germany under previous data protection laws, it is an entirely new requirement (and cost) for many organizations.


The following organizations must appoint a data protection officer (DPO) (Article 37):

public authorities

controllers or processors whose core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale

controllers or processors whose core activities consist of processing sensitive personal data on a large scale.

DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though, perhaps in recognition of the current shortage of experienced data protection professionals, it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)). The role is therefore a sizeable responsibility for larger controllers and processors.

The DPO must report directly to the highest management level, must not be told what to do in the exercise of their tasks and must not be dismissed or penalized for performing their tasks (Article 38(3)).

The specific tasks of the DPO are set out in GDPR (Article 39), including:

to inform and advise on compliance with GDPR and other Union and Member State data protection laws

to monitor compliance with law and with the internal policies of the organization, including assigning responsibilities, awareness raising and training staff

to advise on and monitor data protection impact assessments

to cooperate and act as point of contact with the supervisory authority

Practical implications

1. Organizations need to assess whether or not they fall within one or more of the categories where a DPO is mandated. Public authorities will be caught (with some narrow exceptions), as will many social media, search and other tech firms who monitor online consumer behavior to serve targeted advertising. Many b2c businesses which regularly monitor the online activity of their customers and website visitors will also be caught.

2. There is currently a shortage of expert data protection officers, as outside of Germany this is a new requirement for most organizations. Organizations will therefore need to decide whether to appoint an internal DPO with a view to training them up over the next couple of years, or to use one of the external DPO service providers, several of which have been established to fill this gap in the market. Organizations might consider a combination of internal and external DPO resources, as given the size of the task it may not be realistic for just one person to do it.

K. ACCOUNTABILITY AND GOVERNANCE

Accountability is a recurring theme of GDPR. Data governance is no longer just a case of doing the right thing; organizations need to be able to prove that they have done the right thing to regulators, to data subjects and potentially to shareholders and the media, often years after a decision was taken.

GDPR requires each controller to demonstrate compliance with the data protection principles (Article 5(2)). This general principle manifests itself in specific enhanced governance obligations which include:

Keeping a detailed record of processing operations (Article 30)

The requirement in previous data protection laws to notify the national data protection authority about data processing operations was abolished and replaced by a more general obligation on the controller to keep extensive internal records of their data protection activities. The level of detail required is far more granular compared to many previous Member State notification requirements. There is some relief granted to organizations employing fewer than 250 people, though the exemption is very narrowly drafted.

Performing a data protection impact assessment for high risk processing (Article 35)

A data protection impact assessment is a mandatory prerequisite before undertaking any processing of personal data which is


likely to result in a high risk to the rights and freedoms of individuals. Specific examples are set out of high risk processing requiring impact assessments, including: automated processing, including profiling, that produces legal effects or similarly significantly affects individuals; processing of sensitive personal data; and systematic monitoring of publicly accessible areas on a large scale. DPOs, where in place, have to be consulted. Where the impact assessment indicates high risks in the absence of measures to be taken by the controller to mitigate the risk, the supervisory authority must also be consulted (Article 36) and may second guess the measures proposed by the controller, and has the power to require the controller to impose different or additional measures (Article 58).

Designating a data protection officer (Article 37) (see Data Protection Officers above)

Notifying and keeping a comprehensive record of data breaches (Articles 33 and 34) (see Data Breach Notification above)

Implementing data protection by design and by default (Article 25)

GDPR introduces the concepts of “data protection by design and by default.” “Data protection by design” requires taking data protection risks into account throughout the process of designing a new process, product or service, rather than treating it as an afterthought. This means carefully assessing and implementing appropriate technical and organizational measures and procedures from the outset to ensure that processing complies with GDPR and protects the rights of the data subjects.

“Data protection by default” requires ensuring mechanisms are in place within the organization to ensure that, by default, only personal data which are necessary for each specific purpose are processed. This obligation includes ensuring that only the minimum amount of personal data is collected and processed for a specific purpose; the extent of processing is limited to that necessary for each purpose; the data is stored no longer than necessary; and access is restricted to that necessary for each purpose.

Practical implications

1. Data mapping: every controller and processor needs to carry out an extensive data audit across the organization and supply chains, record this information in accordance with the requirements of Article 30 and have governance in place to ensure that the information is kept up-to-date. The data mapping exercise is also crucial to being able to determine compliance with GDPR’s other obligations, so this exercise should be commenced as soon as possible.

2. Gap analysis: Once the data mapping exercise is complete, each organization needs to assess its current level of compliance with the requirements of GDPR. Gaps need to be identified and remedial actions prioritized and implemented.

3. Governance and policy for data protection impact assessments: the data mapping exercise should identify high risk processing. Data protection impact assessments need to be completed and documented for each of these (frequently these will include third party suppliers) and any remedial actions identified implemented. Supervisory authorities may need to be consulted. A procedure needs to be put in place to standardize future data protection impact assessments and to keep existing impact assessments regularly updated where there is a change in the risk of processing.

4. Data protection by design and by default: in part these obligations will be addressed through implementing remedial steps identified by the gap analysis and in data protection impact assessments. However, to ensure that data protection by design and by default is delivered, extensive staff and supplier engagement and training will also be required to raise awareness of the importance of data protection and to change behaviors.

L. DEROGATIONS

European data protection laws today are in many cases substantively very different among Member States. This is partly due to the ambiguities in the Directive being interpreted and implemented differently, and partly due to the Directive permitting Member States to implement different or additional rules in some areas. As GDPR will become law without the need for any secondary implementing laws, there will be a greater degree of harmonization relative to the current regime. However, GDPR preserves the right for Member States to introduce different laws in many important areas and as a result we are likely to continue to see a patchwork of different data protection laws among Member States, for certain types of processing.

Each Member State is permitted to restrict the rights of individuals and transparency obligations (Article 23) by legislation when the restriction “respects the essence of fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society” to safeguard one of the following:


(a) national security

(b) defense

(c) public security

(d) the prevention, investigation, detection or prosecution of breaches of ethics for regulated professions, or crime, or the execution of criminal penalties

(e) other important objectives of general public interest of the EU or a Member State, in particular economic or financial interests

(f) the protection of judicial independence and judicial proceedings

(g) a monitoring, inspection or regulatory function connected with national security, defense, public security, crime prevention, other public interest or breach of ethics

(h) the protection of the data subject or the rights and freedoms of others

(i) the enforcement of civil law claims

To be a valid restriction for the purposes of GDPR, any legislative restriction must contain specific provisions setting out:

(a) the purposes of processing

(b) the categories of personal data

(c) the scope of the restrictions

(d) the safeguards to prevent abuse or unlawful access or transfer

(e) the controllers who may rely on the restriction

(f) the permitted retention periods

(g) the risks to the rights and freedoms of data subjects

(h) the right of data subjects to be informed about the restriction, unless prejudicial to the purpose of the restriction

In addition to these permitted restrictions, Chapter IX of GDPR sets out various specific processing activities which include additional derogations, exemptions and powers for Member States to impose additional requirements. These include:

processing and freedom of expression and information (Article 85)

processing and public access to official documents (Article 86)

processing of national identification numbers (Article 87)

processing in the context of employment (Article 88)

safeguards and derogations to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Article 89)

obligations of secrecy (Article 90)

existing data protection rules of churches and religious associations (Article 91)

These special cases also appeared in the Directive, though in some cases they have been amended or varied in GDPR.

Practical implications

1. Controllers and processors first need to determine which Member States’ laws apply to their processing activities and whether processing will be undertaken within any specific processing activities which may be subject to additional restrictions.

2. These Member State laws then need to be checked to determine what additional requirements engage. Changes in law need to be monitored and any implications for processing activities addressed.

3. Derogations pose a challenge to multi-national organizations seeking to implement standard European-wide solutions to address compliance with GDPR; these need to be sufficiently flexible to allow for exceptions where different rules engage in one or more Member States.

M. CROSS-BORDER ENFORCEMENT

The ideal of a one-stop-shop ensuring that controllers present in multiple Member States would only have to answer to their lead home regulator failed to make it into the final draft. GDPR includes a complex, bureaucratic procedure allowing multiple


‘concerned’ authorities to input into the decision making process.

The starting point for enforcement of GDPR is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called “lead supervisory authority” (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and there are powers for a supervisory authority in another Member State to enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).

In situations where multiple supervisory authorities are involved in an investigation or enforcement process there is a cooperation procedure (Article 60) involving a lengthy decision making process and a right to refer to the consistency mechanism (Articles 63 to 65) if a decision cannot be reached, ultimately with the European Data Protection Board having the power to take a binding decision.

There is an urgency procedure (Article 66) for exceptional circumstances which permits a supervisory authority to adopt provisional measures on an interim basis where necessary to protect the rights and freedoms of data subjects.

Practical implications

1. Controllers and processors need to determine which Member States’ supervisory authorities have jurisdiction over their processing activities: which is the lead authority and which other supervisory authorities may have jurisdiction.

2. An important aspect of managing compliance risk is to try to stay on the right side of your regulator by engaging positively with any guidance published and taking up opportunities such as training and attending seminars.


DATA PROTECTION AND PRIVACY GROUP KEY CONTACTS

Americas

Jennifer Kashatus, Partner. T +1 202 799 4448, jennifer.kashatus@dlapiper.com

Kate Lucente, Partner and Co-Editor, Data Protection Laws of the World. T +1 813 222 5927, kate.lucente@dlapiper.com

Andrew Serwin, Partner, Global Co-Chair Data Protection, Privacy and Security Group. T +1 858 677 1418, andrew.serwin@dlapiper.com

Europe, Middle East and Africa

Andrew Dyson, Partner, Global Co-Chair Data Protection, Privacy and Security Group. T +44 (0)113 369 2403, andrew.dyson@dlapiper.com

Ewa Kurowska-Tober, Partner, Global Co-Chair Data Protection, Privacy and Security Group. T +48 22 540 74 1502, ewa.kurowska-tober@dlapiper.com

Denise Lebeau-Marianna, Partner. T + 33 (0)1 40 15 24 98, denise.lebeau-marianna@dlapiper.com

Diego Ramos, Partner. T +349 17901658, diego.ramos@dlapiper.com

Richard van Schaik, Partner. T +31 20 541 9828, richard.vanschaik@dlapiper.com

Asia Pacific

Carolyn Bigg, Partner, Global Co-Chair of Data Protection, Privacy and Security Group. T +852 2103 0576, carolyn.bigg@dlapiper.com

Nicholas Boyle, Partner. T +61 2 9286 8479, nicholas.boyle@dlapiper.com

EDITORS

James Clark, Senior Associate and Co-Editor, Data Protection Laws of the World. T +44 113 369 2461, james.clark@dlapiper.com

Kate Lucente, Partner and Co-Editor, Data Protection Laws of the World. T +1 813 222 5927, kate.lucente@dlapiper.com

Lea Lurquin, Associate and Contributing Editor, Data Protection Laws of the World. T +1 415 615 6024, lea.lurquin@dlapiper.com


ALBANIA

Last modified 22 December 2021

LAW

The Republic of Albania regulates personal data protection pursuant to Law No. 9887, dated 10 March 2008 “On Protection of

Personal Data”, as amended (” “) (Official Gazette of the Republic of Albania No. 44, dated 1 April 2008).Data Protection Law

The Data Protection Law was last amended in 2014, thus it is yet to be harmonized with the Regulation (EU) 2016/679 of the

European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of

personal data and on the free movement of such data (” “). GDPR

The complete harmonization of the current Albanian legislation in force on data protection with the GDPR has been one of the

main objectives of the Office of Information and Data Protection Commissioner since 2018, however this objective has yet to be

achieved (due in part to the Covid-19 pandemic).

DEFINITIONS

Definition of Personal Data

Data Protection Law defines personal data as any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

Definition of Sensitive Personal Data

Data Protection Law defines sensitive data as any information related to a natural person referring to his racial or ethnic origin, political opinions, trade union membership, religious or philosophical beliefs, criminal prosecution, as well as data concerning his health and sexual life.

NATIONAL DATA PROTECTION AUTHORITY

The Right to Information and Data Protection Commissioner (the “Commissioner”) is the Albanian independent authority in charge of supervising and monitoring the protection of personal data and the right to information, by respecting and guaranteeing the fundamental human rights and freedoms in compliance with the legal framework.

The Commissioner is a public legal person, elected by the Parliament upon a proposal of the Council of Ministers for a 5-year term, eligible for re-election. The Parliament also designates the organizational structure of the Commissioner’s Office.

The information obtained by the Commissioner while exercising his duties shall be used only for supervisory purposes in compliance with the legislation on the protection of personal data. The Commissioner shall remain under the obligation of confidentiality even after the termination of his functions.

The Commissioner is seated at Rr. “Abdi Toptani”, Nd. 5, 1001, Tirana, Albania.


REGISTRATION

Data Protection Law provides for the legal obligation of every controller to notify the Commissioner of the processing of personal data for which it is responsible. The notification shall be made before the controller processes the data for the first time, or when a change of the processing notification status is required.

The notification shall contain the name and address of the controller, the purpose of personal data processing, the categories of data subjects and personal data, the recipients and categories of the recipients of personal data, the proposal on the international transfers that the controller aims to carry out and a general description of the measures for the security of personal data. The notification is done either online, on the website of the Commissioner, or manually, by submitting the completed notification form to the Commissioner’s Office.

The information submitted by the data controller through the notification, except for the general description of the measures for the security of personal data, shall be published by the Commissioner’s Office on the Electronic Register of Controllers, which is accessible by the public on the official website (https://www.idp.al/).

The notification process and the publication of the information it contains is fundamental to ensure transparency for the public and consequently to protect personal data. Through access to the Electronic Register of Controllers, the public has the means of understanding how personal data are processed by the controlling entities.

The failure of the controlling entities to comply with the obligation to notify the Commissioner constitutes an administrative offence and is punishable by a fine.

However, the controllers are exempted from the notification obligation in the following cases:

- The processing of personal data is performed in order to keep a register which, in accordance with the law or sub-legal acts, provides information for the public;
- The processing of personal data is performed in order to protect the constitutional institutions, national security interests, foreign policies, economic or financial interests of the state, or for the prevention or prosecution of criminal offences;
- The processing of data is done pursuant to Decision of the Commissioner No. 4 “On the Determination of the Cases Exempted from the Notification Obligation of the Personal Data which are Processed”, dated 27 December 2012.

DATA PROTECTION OFFICERS

In compliance with the responsibility to issue instructions on measures to be undertaken for the activity of specific sectors, the Commissioner has issued two instructions:

- Instruction No. 22 “On the Determination of Rules for Maintaining the Security of Personal Data Processed by Small Processing Entities”, dated 24 September 2012, as amended. Small processing entities shall mean the controllers or processors that process personal data by way of electronic or manual means, by fewer than six processing persons, either directly or through processors.
- Instruction No. 47 “On the Determination of Rules for Maintaining the Security of Personal Data Processed by Large Processing Entities”, dated 14 September 2018. Large processing entities shall mean the controllers or processors that process personal data by way of electronic or manual means, by six or more processing persons, either directly or through processors.

Personal data processing entities are responsible for the internal supervision of the protection of the processed personal data. Each entity that is subject to Instruction No. 47, dated 14 September 2018 (i.e., large processing entities), shall authorize in writing at least one Data Protection Officer (“DPO”; Albanian terminology: Contact Person) who shall be charged to carry out the internal supervision. Small processors contracted by large processors are also advised to appoint a DPO.

Instruction No. 47, dated 14 September 2018 determines the criteria that a person must fulfil in order to be appointed as a DPO, as well as the duties and responsibilities of a DPO, which include, among others:

- the internal supervision of the fulfilment of the obligations for the protection of personal data by the personal data processing entity;
- the implementation of technical, organizational and staff related measures;
- the necessary cooperation with the Commissioner.

COLLECTION & PROCESSING

Data Protection Law states that fair and lawful processing is one of the core principles for the protection of personal data. Personal data shall be collected and/or processed for specific, clearly defined and legitimate purposes.

Personal data protection is based on data adequacy (data which are relevant to the purpose of their processing and not excessive in relation to such purpose), as well as data accuracy (data which are updated and complete).

Additionally, the data are to be kept in a form that allows the identification of data subjects for no longer than is necessary for the purpose for which they were collected or further processed.

Data Protection Law provides for the legal criteria for personal data processing, sensitive data processing and special processing of data.

Personal data may be processed only:

- with the consent of the personal data subject;
- if necessary for the performance of a contract to which the data subject is a party, or in order to negotiate or amend a draft/contract at the request of the data subject;
- to protect the vital interests of the data subject;
- to comply with a legal obligation of the controller;
- for the performance of a legal task of public interest or in exercise of powers of the controller or of a third party to whom the data are disclosed;
- if the processing is necessary for the protection of the legitimate rights and interests of the controller, the recipient or any other interested party. However, in any case, the processing of personal data cannot be in clear contradiction with the data subject’s right to protection of personal life and privacy.

The processing of personal data in the field of national security, criminal law and crime prevention shall be performed by official authorities as stipulated in the law.

The controller or processor that processes personal data for the purpose of offering business opportunities or services may use personal data obtained from a public data list. The controller or processor cannot process these data further if the data subject has expressed his disagreement or has objected to their further processing.

It should be noted that additional personal data cannot be added to the data obtained from the public data list without the consent of the data subject. However, the controller is allowed to keep these personal data in its filing system even after the data subject has objected to the processing. Such data can be used only if the data subject gives his consent.

Collection of personal data related to a data subject solely for reasons of direct marketing is allowed only if the data subject has given his explicit consent.

Sensitive data may be processed only if:

- the data subject has given his consent, which may be revoked at any given moment, making any further processing of data illegal;
- it is in the vital interest of the data subject or another person and the data subject is physically or mentally incapable of giving his consent;
- it is authorized by the responsible authority for an important public interest, under adequate safeguards;
- it is related to data which are widely made known by the data subject or it is necessary for exercising/protecting a legal right;
- the data are processed for historic, scientific or statistical purposes, under adequate safeguards;
- the data are required for the purposes of preventive medicine, medical diagnosis, the provision of health care, treatment or management of health care services and the data are used by the medical personnel or other persons with the obligation to preserve confidentiality;
- the data are processed by non-profit political, philosophical or religious organizations and trade unions for purposes of their legitimate activity, only for members, sponsors, or other persons related to their activity. These data shall not be disclosed to a third party without the consent of the data subject unless otherwise stipulated by law;
- the data processing is necessary for the purpose of fulfilling the legal obligations and specific rights of the controller in the field of employment in compliance with the Labour Code.

Special processing of data:

Processing for historical, scientific and statistical purposes:

Personal data collected for any purpose may be further processed for historic, scientific or statistical purposes, provided that the data is not processed in order to take measures or decisions related to an individual.

The transmission of sensitive data for scientific research shall take place only in case of an important public interest. Personal data shall be used exclusively by individuals who are bound by the obligation of confidentiality. When data processing is made in a manner that allows the identification of the data subject, the data should be encrypted immediately in order for the subjects to be no longer identifiable. Encrypted personal data shall be used exclusively by individuals bound by the obligation of confidentiality.

Processing of personal data and freedom of expression:

The Commissioner has issued Instruction No. 31, dated 27 December 2012 “On the Determination of the Conditions and Criteria for the Exemption from the relevant Obligations in Personal Data Processing for Journalism, Literature or Artistic Purposes”. The exemptions for these purposes shall be allowed up to the extent that they reconcile the right of personal data protection with the rules governing the right to freedom of expression.

TRANSFER

The international transfer of personal data may be carried out with recipients from states which have an adequate level of personal data protection. The level of personal data protection for a state is established by assessing all circumstances related to the nature, purpose and duration of the processing, the country of origin and final destination, as well as the legal provisions and security standards in force in the recipient state.

Pursuant to the Decision of the Commissioner No. 8, dated 31 October 2016, the following states have an adequate level of data protection:

- European Union member states;
- European Economic Area states;
- Parties to the Convention No. 108 of the Council of Europe “For the Protection of Individuals with regard to Automatic Processing of Personal Data”, as well as its 1981 Protocol, which have approved a special law and set up a supervisory authority that operates in complete independence, providing appropriate legal mechanisms, including handling complaints, investigating and ensuring the transparency of personal data processing;
- States to which personal data may be transferred pursuant to a decision of the European Commission.

International transfer of personal data to a state that does not have an adequate level of personal data protection may be done if:

- it is authorized by international acts ratified by the Republic of Albania which are directly applicable;
- the data subject has given his consent for the international transfer;
- the transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken in addressing a request of the data subject, or the transfer is necessary for the conclusion or performance of a contract between the controller and a third party, in the interest of the data subject;
- it is a legal obligation of the controller;
- it is necessary for protecting vital interests of the data subject;
- it is necessary or constitutes a legal requirement over an important public interest or for exercising and protecting a legal right;
- it is done from a register that is open for consultation and provides information to the general public.

Pursuant to the Data Protection Law, the Commissioner issues instructions in order to allow certain categories of personal data to be transferred to a state that does not have an adequate level of personal data protection. In these cases, the controller is exempted from the authorization request. Accordingly, the Commissioner has issued Instruction No. 41, dated 13 June 2014 “On Allowing some Categories of International Transfers of Personal Data in a Country that does not have an Adequate Level of Personal Data Protection”.

Controllers wishing to transfer personal data to other countries lacking adequate personal data protection may fill in an application form “For the Approval of the Transfer of Personal Data to a State that does not have an Adequate Level of Data Protection, through the Authorization of the Commissioner”.

In 2014, the Commissioner also issued a Manual on the International Transfer of Personal Data, which provides guidelines on the international transfer of personal data.

The exchange of personal data with the diplomatic representations of foreign governments or international institutions in the Republic of Albania shall be considered an international transfer of data.

SECURITY

Data Protection Law introduces the obligation of the data controller or processor to undertake appropriate organizational and technical measures to protect personal data from unlawful or accidental destruction, accidental loss, or from being accessed or disclosed by unauthorized persons, as well as from any kind of unlawful processing.

The controller is under the obligation to document the measures it has undertaken to ensure protection of personal data, in compliance with the law and other legal regulations.

The data controller undertakes the following special security measures:

- defines the functions among the organizational units and the operators for the use of data;
- the use of data shall be done by order of authorized organizational units or operators;
- instructs all operators on their obligations arising from the data protection legal framework;
- prohibits access of unauthorized persons to the working facilities of the data controller or processor;
- data and programs shall be accessed only by authorized persons;
- prohibits access to and use of the filing system by unauthorized persons;
- data processing equipment shall be operated only with an authorization, and every device shall be secured with preventive measures against unauthorized operation;
- records and documents data alteration, rectification, erasure, transfer, etc.

The level of security shall be in compliance with the nature of personal data processing. The Commissioner has established the detailed rules for personal data security by means of Decision No. 6, dated 05 August 2013 “On the Determination of Detailed Rules for the Security of Personal Data”.

The recorded data may only be used in accordance with their collection purpose, unless they are used to guarantee national security or public security, for the prevention or investigation of a criminal offence or prosecution of the author thereof, or of any infringement of ethics of the regulated professions.

The data documentation shall be kept for as long as it is necessary for their collection purpose.

The obligation of confidentiality and integrity of the controllers, processors and any other persons that come to know the content of the processed data while exercising their duty shall survive the termination of their functions. The processed data shall not be disclosed unless provided otherwise by law. Anyone acting under the authority of the controller or the processor shall not process the personal data to which they have access without the authorization of the controller, unless obliged by law.

BREACH NOTIFICATION

Data Protection Law does not provide for a general obligation of the data controller or data processor to notify the Commissioner in case of a personal data breach.

However, pursuant to Instruction No. 47, dated 14 September 2018 “On the Determination of Rules for Maintaining the Security of Personal Data Processed by Large Processing Entities”, which, as mentioned above, applies only to large data processing entities, the DPO shall promptly notify the large data processing entity in writing of any risk of violation of the data subjects’ rights, including in case of the violation of personal data protection legislation.

In the event that, following the notification of the DPO, the large data processing entity fails to take appropriate measures to address the problem in a timely manner, the DPO notifies the Commissioner without delay. Therefore, in case of a breach of data handled by a large data processing entity, resulting from the violation of the data subjects’ rights or from the violation of personal data protection legislation, which has not been addressed effectively, the DPO has the obligation to notify the Commissioner.

It should also be noted that, pursuant to an opinion of the Commissioner on the protection of personal data on the websites of public and private controllers, data subjects have the right to be notified by the data controller if their personal data have been compromised (data has been lost or stolen, or their online privacy is likely to be negatively affected). To the best of our understanding, the view expressed by the Commissioner in this opinion merely serves as a guideline and does not have binding effect.

On the other hand, Law No. 9918, dated 19 May 2008 “On Electronic Communications in the Republic of Albania”, as amended (“Electronic Communications Law”) (Official Gazette of the Republic of Albania No. 84, dated 10 June 2008) provides for another breach notification procedure.

The Electronic Communications Law defines personal data breach as any breach of security leading to the destruction, loss, alteration or unauthorized distribution, accidental or unlawful, or access to personal data transmitted, stored or processed, in connection with the provision of an electronic communications service available to the public.

Pursuant to article 122 of the Electronic Communications Law, entrepreneurs of public electronic communications networks and services are under the obligation to, individually or when necessary in cooperation with each other, implement technical and organizational measures to ensure the security of the networks and/or services provided by them.

These measures are meant to ensure an adequate level of protection and security of personal data against potential, foreseeable risks. With respect to the personal data of the users, entrepreneurs of public electronic communications networks and services are under the obligation to inform their users about any specific risk, how the risk can be reduced by the users, as well as the possible costs, which must be covered by the user, if the risk that materializes is beyond the measures that the entrepreneur can take.

In addition, in case of a personal data breach, the entrepreneur who provides electronic communications services available to the public promptly notifies the Authority of Electronic and Postal Communications (“AEPC”). When the breach of personal data may adversely affect the personal data and privacy of the subscriber or individual, the entrepreneur shall also promptly notify the said subscriber or individual.

However, if the entrepreneur has proved to the AEPC that it has implemented the necessary technological protection measures and these measures have been applied to the relevant data, then the entrepreneur is not required to notify the subscriber or the individual of the violation of personal data. These technological safeguards ensure that the personal data become illegible to any person who does not have authorized access to the data.


ENFORCEMENT

The Commissioner is the competent authority for the supervision and enforcement of Data Protection Law. The Commissioner has the right to:

- conduct administrative investigations, have access to personal data processing and collect all the necessary information in order to fulfil his supervisory obligations;
- order the blocking, erasure, destruction or suspension of the unlawful processing of personal data;
- give instructions prior to the processing of data and ensure their publication.

In cases of recurring or intentional serious infringement of the Data Protection Law by a controller or processor, the Commissioner acts in compliance with article 39 of Data Protection Law and reports the case publicly or reports it to the Parliament and the Council of Ministers.

Article 39 (1) of Data Protection Law specifies that data processing in violation of the Data Protection Law constitutes an administrative offence and may be subject to administrative fines which vary from 10,000 ALL (approx. 83 EUR) to 1,000,000 ALL (approx. 8,300 EUR), with legal persons being subject to double the amount specified herein.

Data Protection Law also states that the fine is doubled when the following provisions are breached:

- When the data subject has filed a complaint, the controller shall have no right to make any changes to the personal data until a final decision is reached.
- The Commissioner is responsible for authorizing, in special cases, the use of personal data for purposes not designated during the phase of their collection, in compliance with the principles of the Data Protection Law.

The sanctioned subject may appeal the fine in court within the deadlines and according to the procedures that regulate administrative trials.

Fines shall be paid no later than 30 days from their issuing. When the deadline expires, the decision becomes an executive title and is executed in a mandatory manner by the bailiff’s office, upon request of the Commissioner. Fines are paid into the state budget.

In case the offence constitutes a crime, the Commissioner files the relevant criminal charges with the competent law enforcement authorities.

ELECTRONIC MARKETING

Data Protection Law provides that the collection of personal data related to a data subject solely for reasons of direct marketing is allowed only if the data subject has given his explicit consent.

Data Protection Law defines direct marketing as the communication of promotional material, by every means and way, using personal data of legal or natural persons, agencies or other entities, with or without interference.

Moreover, the data subject has the right to demand that the controller not start processing, or in case the processing has started, stop processing personal data related to him for the purposes of direct marketing, and to be informed in advance before personal data are disclosed for the first time for such purpose.

The Commissioner has issued Instruction No. 06, dated 28 May 2010 “On the correct use of SMSs for promotional purposes, advertising, information, direct sales, via mobile phone”. This instruction emphasizes the importance of the prior consent given by the data subject.

In addition, pursuant to article 124 of the Electronic Communications Law, electronic communications service providers may process traffic data for marketing purposes only after prior approval by the subscriber. Subscribers should be informed of the type of traffic data being processed before giving approval for their processing. Subscribers and users have the right to withdraw their approval at any time.


ONLINE PRIVACY

The Data Protection Law does not provide for regulatory measures targeting cookies. Accordingly, the general data protection rules, as provided for by the Data Protection Law, apply to online privacy as well.

Although there are no specific regulatory measures under the data protection regulatory framework, the Commissioner has tried to provide some clarifications on the notion of cookies and on their use, albeit in a minimalist way.

The Commissioner has defined cookies in an online dictionary as some data stored on the computer, which contain specific information. This rudimentary definition is further complemented by a short explanation which states that cookies allow any server to know what pages have been visited recently, just by reading them.

In addition, the Commissioner has issued an opinion (which is slightly dated and, as mentioned above, does not have a binding effect on the data controllers) on the protection of personal data on the websites of public and private controllers. In this opinion the Commissioner reminds the data controllers of their obligations under the Data Protection Law and of the rights of data subjects, which apply to online personal data collection:

- The right to be fully informed and to give their approval if a website (or an application) processes their data;
- The right to keep their online communications secret (including email, the computer’s IP or modem No.);
- The right to be notified if their personal data are compromised (data has been lost or stolen, or their online privacy is likely to be negatively affected);
- The right to request that their personal data be excluded from data processing for direct marketing if they have not given their consent.

Furthermore, in this opinion the Commissioner emphasizes the importance for data controllers to adopt privacy policies, which should include, inter alia:

- The identity of the controller;
- The information collected from the users, specifying the category of personal data;
- Specific policies regarding cookies and other technologies that allow data controllers to gather information on the users of the website, and a notice to the latter about their use.

In addition to the above, it should be noted that the Electronic Communications Law (articles 124-126) introduces rules on the processing of traffic and location data.

Under these rules, electronic communications providers may process traffic data only as long as such data is necessary for the purpose of the transmission of the communication, and thereafter must delete such data or render them anonymous.

Electronic communications service providers must provide in the contract entered into with the user details on the storage, the duration and the manner of processing of the traffic data. The Electronic Communications Law provides that these traffic data can be processed only by the relevant persons who are authorized by the electronic communications service providers, namely those who are responsible for billing or traffic management, customer service, marketing, fraud detection, or the provision of value added services, provided that the processing of traffic data is limited to the scope of their respective activity.

In addition, the Electronic Communications Law provides that the processing of location data can be carried out for the duration of the provision of value added services, and only if the data is rendered anonymous or if the user has granted their prior consent, which consent may be revoked at any time.

Prior to obtaining the consent of the users, the electronic communications service providers must provide information on:

- the type of location data to be processed;
- the purposes and duration of processing;
- the possibility that the location data be shared with third parties, for value-added service purposes.

The location data can be processed only by the relevant persons who are authorized by the electronic communications service providers, namely those who are responsible for the provision of the service, or by third parties which are responsible for the provision of value added services, provided that the processing of traffic data is limited to the scope of their respective activity.

KEY CONTACTS

Tashko Pustina

tashkopustina.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Flonia Tashko
Partner

T +35542389190

flonia.tashko@tashkopustina.com

Alban Shanaj
Senior Associate

T +35542389190

alban.shanaj@tashkopustina.com


ALGERIA

Last modified 22 December 2021

LAW

Law No. 18-07 of 10 June 2018 on protection of natural persons in personal data processing (“Law No. 18-07”).

DEFINITIONS

Definition of Personal Data

Any information, regardless of the medium, relating to an identified or identifiable person, hereinafter referred to as “data subject”, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, genetic, biometric, mental, economic, cultural or social identity.

Definition of Sensitive Personal Data

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership of the data subject or relating to health, including genetic data.

NATIONAL DATA PROTECTION AUTHORITY

Law No. 18-07 establishes an independent administrative authority for the protection of personal data, known as the “national authority”, with its headquarters in Algiers.

The national authority is responsible for ensuring that the processing of personal data is carried out in accordance with the provisions of the law and for ensuring that the use of information and communication technologies does not pose a threat to the rights of individuals, public freedoms and privacy.

However, although Law No. 18-07 provides for the existence of a national authority, it has not yet been set up.

REGISTRATION

Any processing of personal data is subject to prior declaration to or authorisation by the national authority.

The prior declaration, which includes an undertaking that the processing will be carried out in accordance with Law No. 18-07, is filed with the national authority. It may be made by electronic means.

However, as the national authority has not yet been set up, this procedure is not yet applicable.

DATA PROTECTION OFFICERS

The data controller shall implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

COLLECTION & PROCESSING

Personal data may only be processed with the express consent of the data subject. The data subject may withdraw his or her consent at any time.

However, in some cases consent is not required where the processing is necessary.

The person concerned by the collection of their data has a right to information, a right of access, a right of rectification and a right to object to their data being collected.

TRANSFER

The data controller may only transfer personal data to a foreign State with the authorisation of the national authority in accordance with Law No. 18-07 and if that State ensures an adequate level of protection of the privacy and fundamental rights and freedoms of individuals with regard to the processing of such data.

In any case, it is forbidden to communicate or transfer personal data to a foreign country when such transfer is likely to affect public security or the vital interests of the State.

However, as the national authority has not yet been established, the consent of the data subject is required.

SECURITY

The controller must put in place measures to ensure the integrity and protection of the data.

These measures must ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected.

If the processing is carried out on behalf of the controller, the controller must choose a processor providing sufficient guarantees in respect of the technical and organisational security measures relating to the processing to be carried out and must ensure compliance with those measures.

Transfer of data abroad

The foreign State must ensure an adequate level of protection of the privacy and fundamental rights and freedoms of individuals with regard to data processing.

The adequacy of the level of protection provided by a State is assessed in particular by the security measures applicable there.

BREACH NOTIFICATION

Administrative measures

In case of violations of the provisions of Law No. 18-07 by the controller, administrative measures are taken by the national authority:

- warning;
- formal notice;
- provisional withdrawal for a period not exceeding one year, or definitive withdrawal of the declaration receipt or authorisation;
- a fine.

The national authority may also impose fines on a controller which:

- refuses, without legitimate reason, the rights of information, access, rectification or opposition;
- fails to make the required notifications to the national authority.

Criminal sanctions 

Violation of the provisions of Law No. 18-07 is punishable by imprisonment and/or a fine.

However, as the national authority has not yet been established, the related sanctions are not applicable.

Mandatory breach notification

Where the processing of personal data over electronic communication networks results in the destruction, loss, alteration, disclosure or unauthorised access of such data, the service provider must notify the national authority and the data subject without delay where such a breach may affect the privacy of the data subject.

Failure by a service provider to notify the national authority or the data subject of a personal data breach is punishable by imprisonment and a fine.

ENFORCEMENT

The application of the sanctions listed under the above headings is relatively limited, as the national authority is not yet established.

However, offences committed by the data controller may be subject to criminal prosecution (without the need for action by the national authority).

ELECTRONIC MARKETING

Law No. 18-05 of 10 May 2018 on electronic commerce provides that the e-provider who collects personal data and builds up customer and prospect files must only collect the data necessary to conclude commercial transactions. It must:

- collect the consent of e-consumers prior to the collection of data;
- guarantee the security of information systems and the confidentiality of data;
- comply with the relevant legislative and regulatory provisions.

ONLINE PRIVACY

Not applicable.

KEY CONTACTS

L& P Partners

Benaouda Miloudi
Associate
T +213 (7) 93 99 92 34
bmiloudi@dz-lpp.com

ANGOLA

Last modified 30 December 2021

LAW

Angola regulates data privacy and protection issues under the Data Protection Law (Law no. 22/11, 17 June 2011), the Electronic Communications and Information Society Services Law (Law no. 23/11, 20 June 2011) and the Protection of Information Systems and Networks Law (Law no. 7/17, 16 February 2017).

DEFINITIONS

Definition of personal data

The Data Protection Law defines personal data as any given information, regardless of its nature, including images and sounds, related to a specific or identifiable individual.

An identifiable person is an individual directly or indirectly identified, notably, by reference to his or her identification number or to the combination of specific elements of his or her physical, physiological, mental, economic, cultural or social identity.

Definition of sensitive personal data

The Data Protection Law defines sensitive personal data as personal data related to:

- Philosophical or political beliefs
- Political affiliations or trade union membership
- Religion
- Private life
- Racial or ethnic origin
- Health or sex life (including genetic data)

NATIONAL DATA PROTECTION AUTHORITY

The Data Protection Law establishes the Agência de Proteção de Dados (APD) as Angola’s data protection authority. APD’s Organic Statute was established by Presidential Decree 214/2016 of October 10, and its board currently in office was nominated by Presidential Decree 277/2019 of September 6.

REGISTRATION

As provided by law, entities shall provide prior notice to, or obtain prior authorization from, APD (depending on the type of personal data and purpose of processing) to process personal data. Please note that in the case of authorization, compliance with specific legal conditions is mandatory. APD has authority to exempt certain processing from notification requirements.

Generally, notification and authorization requests should include the following:

- The name and address of the controller and of its representative (if applicable)
- The purposes of the processing
- A description of the data subject categories and the personal data related to those categories
- The recipients, or the categories of recipient, to whom the personal data may be communicated and the respective conditions
- Details of any third party entities responsible for the processing
- The possible combinations of personal data
- The duration of personal data retention
- The process and conditions for data subjects to exercise their rights
- Any predicted transfers of personal data to third countries
- A general description of the security measures adopted (to allow APD to assess whether they are suitable to protect personal data in its processing)

DATA PROTECTION OFFICERS

There is no requirement to appoint a data protection officer.

COLLECTION & PROCESSING

Generally, entities must obtain prior express consent from data subjects and provide prior notice to the APD to lawfully collect and process personal data. However, data subject consent is not required in certain circumstances provided by law.

To lawfully collect and process sensitive personal data, a legal provision must allow for processing and entities must obtain prior authorization from APD (please note that the authorization may only be granted in specific cases provided by law). If sensitive personal data processing results from a legal provision, APD must be provided with notice.

All data processing must follow these general principles: transparency, legality, good faith, proportionality, truthfulness and respect for private life as well as for legal and constitutional guarantees.

It is also mandatory that data processing is limited to the purpose for which the data is collected and that personal data is not held for longer than is necessary for that purpose.

There are specific rules applicable to the processing of personal data related to the following:

- Sensitive data on health and sexual life
- Illicit activities, crimes and administrative offenses
- Solvency and credit data
- Video surveillance and other electronic means of control
- Advertising by email
- Advertising by electronic means (direct marketing)
- Call recording

Specific rules for the processing of personal data within the public sector also apply.

TRANSFER

International transfers of personal data to countries with an adequate level of protection require prior notification to the APD. An adequate level of protection is understood as a level of protection equal to the Angolan Data Protection Law. APD decides which countries ensure an adequate level of protection by issuing an opinion to this respect.

International transfers of personal data to countries that do not ensure an adequate level of protection are subject to prior authorization from the APD, which will only be granted if specific requirements are met. For transfers between companies in the same group, the requirement of an adequate level of protection may be reached through the adoption of harmonized and mandatory internal rules on data protection and privacy.

Please note that the communication of personal data to a recipient, a third party or a subcontracted entity is subject to specific legal conditions and requirements.

SECURITY

Data controllers must implement appropriate technical and organizational measures and adopt adequate security levels to protect personal data from accidental or unlawful total or partial destruction, accidental loss, total or partial alteration, unauthorized disclosure or access (in particular where the processing involves the transmission of data over a network) and against all other unlawful forms of processing.

Such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected, relative to the entity’s facilities and implementation costs. Specific security measures shall be adopted regarding certain types of personal data and purposes (notably, sensitive data, call recording and video surveillance).

Under the Protection of Information Systems and Networks Law, service providers, operators and companies offering information society services must: (i) guarantee the security of any device or set of devices used in the storage, processing, recovery or transmission of computer data on execution of a computer program and (ii) promote the registration of users as well as the implementation of technical measures in order to anticipate, detect and respond to risk situations. The Law requires an accident and incident management plan in case of a computer emergency.

BREACH NOTIFICATION

There is no mandatory breach notification requirement under the Data Protection Law.

However, pursuant to the Electronic Communications and Information Society Services Law, companies offering electronic communications services accessible to the public shall, without undue delay, notify the APD and the Electronic Communications Authority, Instituto Angolano das Comunicações (INACOM), of any breach of security committed with intent or that recklessly leads to destruction, loss, partial or total modification or non-authorized access to personal data transmitted, stored, retained or in any way processed under the offer of electronic communications services.

Companies offering electronic communications services accessible to the public shall also keep an accurate register of data breaches, indicating the concrete facts and consequences of each breach and the measures put in place to repair or prevent the breach.

The same applies under the Protection of Information Systems and Networks Law.

ENFORCEMENT

Data protection

As mentioned above, the competent authority for the enforcement of the Data Protection Law is the APD. However, considering that the APD was recently created, the level of enforcement is not significant at this stage.

Electronic communications

INACOM regulates and monitors compliance with the Electronic Communications and Information Society Services Law, and issues penalties for its violation. Presently, INACOM’s level of enforcement is not yet significant.

ELECTRONIC MARKETING

The dissemination of electronic communications for advertising purposes is generally subject to the prior express consent of its recipient (opt-in) and to prior notification to APD.

Entities may process personal data for electronic marketing purposes without data subject consent in specific circumstances, notably:

- When advertising is addressed to the data subject as representative employee of a corporate person, and
- When advertising communications are sent to an individual with whom the product or service supplier has already concluded a transaction, provided an opportunity to refuse consent was expressly provided to the customer at the time of the transaction at no additional cost.

ONLINE PRIVACY

The Electronic Communications and Information Society Services Law establishes the right of all citizens to enjoy protection against abuse or violations of their rights through the Internet or other electronic means, such as:

- The right to confidentiality of communications and to privacy and non-disclosure of their data
- The right to security of their information by improvement of the quality, reliability and integrity of information systems
- The right to security on the Internet, specifically for minors
- The right not to receive spam
- The right to the protection and safeguarding of their rights as consumers and as users of networks or electronic communications services

In view of the above, entities are generally prohibited from storing any kind of personal data without the prior consent of the user. This does not prevent technical storage or access for the sole purpose of carrying out the transmission of a communication over an e-communication network, or if strictly necessary in order for the provider of an information society service to provide a service expressly requested by the subscriber or user.

Traffic data

The processing of traffic data is allowed when required for billing and payment purposes, but processing is only permitted until the end of the period during which the bill may lawfully be challenged or payment pursued. Traffic data must be eliminated or made anonymous when no longer needed for the transmission of the communication.

The storage of specific information and access to that information is only allowed on the condition that the subscriber or user has provided his or her prior consent. The consent must be based on accurate, clear and comprehensive information, namely about the type of data processed, the purposes and duration of the processing and the availability of data to third parties in order to provide value added services.

Electronic communications operators may store traffic data only to the extent required and for the time necessary to market electronic communications services or provide value added services. Prior express consent is required and such consent may be withdrawn at any time.

Processing should be limited to those employees in charge of:

- Billing or traffic management
- Customer inquiries
- Fraud detection
- Marketing of electronic communications services accessible to the public
- The provision of value added services

Notwithstanding the above, electronic communication operators should keep in an autonomous file all traffic and localization data exclusively for the purpose of:

- Investigation
- Detection, or
- Prosecution of criminal offenses on Information and Communication Technologies (ICT)

Location data

Location data processing is only allowed if the data is made anonymous or to the extent and for the duration necessary for the provision of value added services, provided prior express consent is obtained. In this case, prior complete and accurate information must be provided on the type of data being processed, as well as the purposes and duration of processing and any possibility of disclosure to third parties for the provision of value added services.

Electronic communication operators must ensure that data subjects have the opportunity to withdraw consent, or temporarily refuse the processing of such data for each connection to the network or for each transmission of a communication, at any time. The withdrawal mechanism must be provided through simple means, free of charge to the user. Processing should be limited to those employees in charge of electronic communications services accessible to the public.

KEY CONTACTS

ACDA

Joni Garcia
Associate
ACDA
T +244 926 61 25 25
j.garcia@adca-angola.com

Murillo Costa Sanches
Of Counsel
ACDA
T +244 926 61 25 25
m.sanches@adca-angola.com

ARGENTINA

Last modified 24 January 2022

LAW

Article 43 of the Federal Constitution, third paragraph, provides, in relevant part, that any person may file an action to have access to personal data about such person and to information about the purpose with which they are kept, included in public data registries or banks, or in private data registries or banks, and to request the suppression, correction, confidentiality or updating of the data where inaccurate or discriminatory.

These provisions do not create an express constitutional right to privacy or data protection, but do create the basic framework for the protection of such right, as well as the foundation for the legislation, subsequently enacted, which regulates the details of that protection.

Law 25,326, the Personal Data Protection Law (PDPL), includes the basic personal data rules. It follows international standards, and has been considered as granting adequate protection by the European Commission. Decree 1558 of 2001 includes regulations issued under the PDPL. Further regulations have been issued by the relevant agencies.

DEFINITIONS

Definition of personal data

Personal data is defined as information of any type referring to individuals or legal entities, determined or which may be determined.

Definition of sensitive personal data

Sensitive data includes personal data which reveal racial or ethnic origin, political opinions, religious, philosophical or moral convictions, trade union affiliation and information related to health and sexual activities.

NATIONAL DATA PROTECTION AUTHORITY

Pursuant to Decree 746 of 2017, it is the Agency for Access to Public Information (Agencia de Acceso a la Información Pública).

REGISTRATION

All archives, registries, databases and data banks, whether public or private, having the purpose of supplying information, must be registered with the Registry organized by the national data protection authority. This registration requires the following information, to be provided to the registry:

- The name and domicile of the person responsible for the archive, registry, database or data bank
- The characteristics and purpose of the archive, registry, database or data bank
- The nature of the personal data included or to be included in the archive, registry, database or data bank
- The way in which data are collected and updated
- The destination of the data and the identity of the individuals or legal entities to whom such data may be transferred
- The way in which the recorded information is interrelated
- The means to assure the security of the data, indicating the category of persons with access to the processing of data
- The term during which the data will be preserved
- The way and conditions pursuant to which interested persons may have access to the data referring to such persons, and the procedures to be followed to rectify and update the registered data

DATA PROTECTION OFFICERS

Generally, there is no specific requirement to appoint a data protection officer. Under certain circumstances, in which special security standards apply, it may be necessary to appoint an officer in charge of data security.

COLLECTION & PROCESSING

Personal data collected for purposes of processing must be truthful, adequate, relevant and not excessive in relation to the scope and purpose for which they were obtained. The gathering of data shall not take place by unfair or fraudulent means or in an otherwise illegal manner.

Personal data may not be used for purposes different from or incompatible with those for which the personal data was initially collected. Personal data must be accurate and properly updated when necessary. Totally or partially inaccurate personal data, or those that are incomplete, shall be suppressed and substituted, or completed where relevant, by the person responsible for the archive or database, whenever such person becomes aware of the inaccurate or incomplete character of the information.

Consent from the data subject is required, which must be free, express and informed consent and in writing or in another equivalent form, unless:

- The personal data were obtained from sources open to unrestricted public access
- The personal data were obtained as part of the performance of state duties or in compliance with a legal obligation
- The personal data consist of lists whose data are limited to the name, national identity document number, tax or social security identification, occupation, date of birth and domicile
- The personal data are derived from a contractual, scientific or professional relationship and are necessary for such relationship
- The personal data result from operations conducted by financial entities with their clients or consist in the information such financial entities receive from their clients pursuant to the Financial Entities Law

When authorization for the collection and processing of data is requested, the data subject must be informed about the purpose for which the data will be processed, as well as about the individuals or groups of individuals who will have access to the processed information. In addition, the archive, registry or data bank where the information will be kept must be identified, together with the person responsible for it. The data subject must be informed about the voluntary or compulsory nature of the answers requested from him or her, as well as about the consequences of providing the personal data, of refusing to give such information or of providing untruthful information. The data subject must also be informed about the right to access, rectify and suppress the relevant data.

Special rules apply to sensitive data. No person may be required to disclose sensitive data. Sensitive data may only be collected and processed where necessary, and with consent, as expressly permitted by law, or for statistical or scientific purposes provided the person they refer to may not be identified.

Data related to criminal records may only be processed by the relevant public authorities.

TRANSFER

Transfers and disclosures to third parties

Personal data may only be transferred for legitimate purposes of the transferor and the transferee, and generally with the prior consent of the data subject, who must be informed of the transfer’s purpose and of the transferee’s identity. This consent may be rescinded.

Consent is not required in the case of transfer of data for which consent was not necessary for collection. Also, it is not necessary in the case of transfer of data between state agencies for purposes of performance of their respective activities, or in connection with health-related data if the transfer is necessary for public health or emergency reasons, or for the performance of epidemiological studies, provided the identity of the persons to whom such data refer is protected by means of an adequate dissociation mechanism. In addition, consent is not necessary, for personal data generally, if an adequate dissociation mechanism is used in a way such that the data subjects are not identifiable.

Cross-border transfers

The cross-border transfer of personal data is prohibited to countries or international or supranational organizations which do not provide adequate protection to such data, unless:

- The data subject expressly consents to the transfer
- The transfer is necessary for international judicial cooperation
- The transfer takes place as part of certain exchanges of medical data
- The transfer is a bank or stock exchange transfer, in the context of banking or stock exchange transactions
- The transfer takes place as provided in the context of international treaties to which Argentina is a party
- The transfer has as its purpose the international cooperation between intelligence agencies engaged in combating organized crime, terrorism and drug trafficking

SECURITY

The person responsible for a data archive, or using such archive, must adopt the technical and organizational measures to assure the security and confidentiality of personal data, so as to avoid their adulteration, loss, consultation or non-authorized processing, and to detect the misuse of information. The recording of personal data in archives, registries or data banks that do not comply with the legal requirements on integrity and security is prohibited.

BREACH NOTIFICATION

Not specifically required under data protection law.

Failure to notify a data security breach is not in itself a violation of the data protection regime, but may bear on the effects of the security violation, especially if lack of such notification results in other security breaches or damages. The person responsible for the data must keep records on security breaches, and these records may be requested by the data protection authority.

Breach notification may be mandatory if the data protection authority specifically requests information about data breaches.

ENFORCEMENT

There are several enforcement mechanisms:

- The data protection authority may enforce the legal provisions and regulations on data protection, imposing fines in case of violation.
- Violation of data protection rules may constitute a crime subject to prison terms imposed by criminal courts.
- Court actions may be brought to have access to personal data and to request their correction, suppression, confidentiality or updating.

ELECTRONIC MARKETING

Electronic marketing, to the extent that it may involve processing of personal data, is subject to the general rules applicable to such data, such as valid data subject consent, adequate privacy notices as to use and disclosure of personal data, and data subject rights.

ONLINE PRIVACY

Although there are no detailed regulations on online privacy, the general rules on privacy provided by the Civil and Commercial Code are applicable in this context. Nuisances from unrequested communications may be actionable. Unauthorized collection of personal data will be subject to the general rules applicable to such data.

KEY CONTACTS

Guillermo Cabanellas
Senior Partner
T +5411 41145500
g.cabanellas@dlapiper.ar

ARMENIA

Last modified 21 December 2021

LAW

Personal Data Protection Law of 18.05.2015, number ՀՕ-49-Ն.

DEFINITIONS

Definition of Personal Data

Personal Data is defined as any information related to an individual that allows or may allow directly or indirectly identifying a person.

Definition of Sensitive Personal Data

Special category data is defined as any information related to a person’s:

- race
- nationality or ethnicity
- political views
- religious or philosophical beliefs
- membership in a professional union
- health status, and
- sexual life.

NATIONAL DATA PROTECTION AUTHORITY

Personal Data Protection Agency of the Ministry of Justice of the Republic of Armenia.

REGISTRATION

Registration is voluntary unless otherwise specified by the authorised body.

DATA PROTECTION OFFICERS

No requirement to appoint a data protection officer.

COLLECTION & PROCESSING

By and large, the entities must obtain prior express consent from data subjects to lawfully collect and process personal data. The consent is not necessary in the cases directly provided by the legislation or if the data is being collected from public sources.

The data subject may give his or her consent in person or through the representative, where the power of attorney specifically provides for such a power.

The data subject’s consent shall be considered to be given and the processor shall have the right to process, where:

personal data are indicated in a document addressed to the processor and signed by the data subject, except for the cases when the document, by its content, is an objection against processing of personal data;

the processor has obtained data on the basis of an agreement concluded with the data subject and uses it for the purposes of operations prescribed by that agreement;

the data subject, voluntarily, for use purposes, verbally transfers information on his or her personal data to the processor.

Personal data may be processed without the data subject’s consent, where the processing of data is directly provided for by law.

The processor of personal data or the authorised person, for obtaining the data subject’s written consent, shall notify the data subject of the intention to process the data.

The data subject shall give his or her consent in writing or electronically, validated by electronic digital signature; in case of an oral consent, by means of such reliable operations as will clearly attest the consent of the data subject to the use of the personal data.

Specific regulations apply to persons with incapacity or limited capacity and to minors under the age of 16.

Specific regulations apply to biometric personal data.

TRANSFER

Transfer to third parties shall mean an operation aimed at transferring personal data to a certain scope of persons or to the public at large, or at familiarising them with such data, including disclosure of personal data through the mass media, posting in information communication networks or otherwise making personal data available to another person.

The processor may transfer personal data to third parties or grant access to data without the personal data subject’s consent, where it is provided for by law and has an adequate level of protection.

The processor may transfer special category personal data to third parties or grant access to data without the personal data subject’s consent, where:

the data processor is considered as a processor of special category personal data prescribed by law or an interstate agreement, the transfer of such information is directly provided for by law and has an adequate level of protection;

in exceptional cases provided for by law special category personal data may be transferred for protecting life, health or freedom of the data subject.

Personal data may be transferred to another country with the data subject’s consent or where the transfer of data stems from the purposes of processing personal data and/or is necessary for the implementation of these purposes.

Personal data may be transferred to another state without the permission of the authorised body, where the given state ensures an adequate level of protection of personal data.

SECURITY

The processor has an obligation to destroy or block personal data that are not necessary for achieving the legitimate purpose.

In the course of processing personal data the processor shall be obliged to use encryption keys to ensure the protection of information systems containing personal data against accidental loss, unauthorised access to the information system, unlawful use, recording, destruction, alteration, blocking, copying and dissemination of personal data, and other interference.

The processor is obliged to prevent access to the technologies used for processing personal data by persons not having a right thereto, and to ensure that the lawful user of these systems accesses only the data subject to processing by him or her and the data which are allowed to be used.

The requirements for ensuring security of processing of personal data in information systems, the requirements for tangible media of biometric personal data and technologies for storage of these personal data out of information systems shall be prescribed by the decision of the government of the Republic of Armenia. In case another body exercising control is prescribed by law, this body, within the scope of powers reserved to it by law, may prescribe higher requirements than provided above.

Use and storage of biometric personal data out of information systems may be carried out only through such tangible media, application of such technologies or forms, which ensure the protection of these data from unauthorised access, unlawful use, destruction, alteration, blocking, copying, dissemination of the personal data, etc.

Processors of personal data or other persons provided for by this law shall be obliged to maintain confidentiality both in the course of performing official or employment duties concerning the processing of personal data and after completing thereof.

BREACH NOTIFICATION

In case unlawful operations performed upon personal data are revealed, the processor shall be obliged to eliminate the committed violations immediately, but not later than within three working days. In case it is impossible to eliminate the violations, the processor shall be obliged to immediately destroy the personal data.

The processor shall be obliged to inform the data subject or his or her representative of the elimination of violations or the destruction of personal data within three working days, and, where the request is received from the authorised body for the protection of personal data, also this body.

Mandatory breach notification

In case of outflow of personal data from electronic systems the processor shall be obliged to immediately publish an announcement thereon, at the same time reporting the outflow to the Police of the Republic of Armenia and to the authorised body for the protection of personal data.

ENFORCEMENT

The authorised body for the protection of personal data is entitled to:

check, on its initiative or on the basis of an appropriate application, the compliance of the processing of personal data with the requirements of this Law;

apply administrative sanctions prescribed by law in the case of violation of the requirements of this Law;

require blocking, suspending or terminating the processing of personal data violating the requirements of this Law;

require from the processor rectification, modification, blocking or destruction of personal data where grounds provided for by this Law exist;

prohibit completely or partially the processing of personal data as a result of examination of the notification of the processor on processing personal data;

keep a register of processors of personal data;

recognise electronic systems for processing of personal data of legal persons as having an adequate level of protection and include them in the register;

check the devices and documents, including the existing data and computer software used for processing data;

apply to court in cases provided for by law;

exercise other powers prescribed by law;

maintain the confidentiality of personal data entrusted or known to it in the course of its activities;

ensure the protection of rights of the data subject;

consider applications of natural persons regarding the processing of personal data and deliver decisions within the scope of its powers;

submit, once a year, a public report on the current situation in the field of personal data protection and on the activities of the previous year;

conduct research and provide advice on processing data on the basis of applications or inquiries of processors, or inform on best practices on processing of personal data;

report to law enforcement bodies where doubts arise with regard to violations of a criminal law nature in the course of its activities.

ELECTRONIC MARKETING

There is no regulation. However, it is advisable to obtain user consent, such as through appropriate disclaimers.

ONLINE PRIVACY

There is no regulation on cookies and location data. However, it is advisable to obtain user consent, such as through appropriate disclaimers.

KEY CONTACTS

LEGELATA Law Firm

legelata.am/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Arthur Buduryan
Partner

LEGELATA Law Firm

T +37495993696

arthur.buduryan@legelata.am

Artyom Poghosyan
Associate

LEGELATA Law Firm

T +37495992636

artyom.poghosyan@legelata.am


ARUBA

Last modified 21 December 2021

LAW

National Ordinance Person Registration (Landsverordening persoonsregistratie, National Gazette 2011, Consolidated text no. 37) (“National Ordinance Person Registration”);

General Data Protection Regulation (the “GDPR”) – a regulation of the European Union which became effective on May 25, 2018 – may have implications for a data controller / data processor, as the extra-territorial reach of the GDPR is not only relevant to businesses established in the European Union but also to international businesses established in Aruba which offer goods or services to individuals in the European Union or monitor their behaviour in the European Union.

DEFINITIONS

Definition of Personal Data

National Ordinance Person Registration 

According to the Explanatory Memorandum on the National Ordinance Person Registration the term personal data has a broad meaning. This does not only concern data that can identify a person, but concerns any data that can be associated with a particular person; it is foreseeable that under certain circumstances data can be traced to one person through systematic comparison and lengthy investigations. Personally identifiable confidential data is therefore not limited to home address, email address, telephone number, membership number and/or identity number.

GDPR 

Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Definition of Sensitive Personal Data

National Ordinance Person Registration 

Religion or belief, race, political opinion, sexuality, as well as personal data of a medical, psychological or disciplinary nature, and personal data concerning trade union membership.

GDPR 

Data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.


NATIONAL DATA PROTECTION AUTHORITY

National Ordinance Person Registration 

Public prosecutor. 

GDPR 

An independent public authority established by a Member State pursuant to article 51 of the GDPR (Article 4(21), GDPR). The authority is responsible for monitoring the application of the GDPR in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the EU.

REGISTRATION

National Ordinance Person Registration 

No registration required. 

GDPR 

Article 30 GDPR requires companies to keep an internal electronic registry, which contains the information of all personal data processing activities carried out by the company.

DATA PROTECTION OFFICERS

National Ordinance Person Registration 

Pursuant to article 8 of the National Ordinance Person Registration, the data controller shall execute appropriate technical and organizational measures to secure personal data against loss or violation, and against unauthorized access, change or transmission thereof.

Besides the measures above, the National Ordinance Person Registration does not contain any clauses on appointing a mandatory data protection officer.

GDPR 

The appointment of a data protection officer under the GDPR is only mandatory in three situations:

When the organisation is a public authority or body;

If the core activities require regular and systematic monitoring of data subjects on a large scale; or

If the core activities involve large scale processing of special categories of personal data and data relating to criminal convictions.

COLLECTION & PROCESSING

National Ordinance Person Registration 

Collection: a natural or legal person, public authority, agency or other body which has control over a person registration.

Processor: a natural or legal person, public authority, agency or other body which has all or part of the equipment in its possession with which a person registration is kept of which it is not the holder.

GDPR 

Collection: a natural or legal person, public authority, agency or other body that collects personal data and uses it for certain purposes, like a website that markets to users based on their online behaviour.

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Processors act on behalf of the relevant controller and under their authority.

TRANSFER

National Ordinance Person Registration 

By means of article 9 of the National Ordinance Person Registration, recorded data will only be made available to third parties in accordance with the purpose of the register and if obligated by law or done with the consent of the registered persons.

GDPR 

The GDPR restricts transfers of personal data outside the European Economic Area, or outside the protection of the GDPR, unless the rights of the individuals in respect of their personal data are protected in another way, or one of a limited number of exceptions applies.

SECURITY

National Ordinance Person Registration 

Pursuant to article 8 of the National Ordinance Person Registration, the data controller shall execute appropriate technical and organizational measures to secure personal data against loss or violation, and against unauthorized access, change or transmission thereof.

GDPR 

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (article 32 GDPR).

BREACH NOTIFICATION

National Ordinance Person Registration 

Contains no specific clauses. 

GDPR 

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with article 55 GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

ENFORCEMENT

National Ordinance Person Registration 

Pursuant to article 20 of the National Ordinance Person Registration, an individual violating the provisions of the National Ordinance Person Registration can be punished with a maximum fine of Afl. 10,000 (USD 5,586.59).

GDPR 

The GDPR holds a variety of potential penalties for businesses. 

For example, article 77 of GDPR states that:

“Every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.”

Additionally, article 79 of the Regulation states that “such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence.”

Penalties 

Compensation to Data Subjects. One penalty that may be imposed is compensation to, as stated in article 82 of the Regulation, “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation” for the damage they’ve suffered.

Fines 

Article 83 of GDPR specifies a number of different fines that may vary based on the nature of the infraction, its severity, and the level of cooperation that “data processors” (i.e. you) provide to the “supervisory authority.” Less severe infringements may incur administrative fines of up to 10,000,000 Euros or 2% of your total worldwide annual turnover for the preceding year (whichever is greater), while more severe infractions may double these fines (20,000,000 Euros or 4% of annual turnover).

Individual Member States of the EU may have additional fines and penalties that may be applied as well. However, these additional penalties are not specifically listed in the text of the Regulation since they’re up to the individual EU nations to set: the only guidelines in article 84 of GDPR are that “Such penalties shall be effective, proportionate and dissuasive” and that “Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018.”

ELECTRONIC MARKETING

National Ordinance Person Registration 

N/A 

GDPR

Under article 22 GDPR organizations cannot send marketing emails without active, specific consent.

Companies can only send email marketing to individuals if:

The individual has specifically consented.

They are an existing customer who previously bought a similar service or product and were given a simple way to opt out.

ONLINE PRIVACY

National Ordinance Person Registration

Contains no specific clauses. 

GDPR 

Cookies, insofar as they are used to identify users, qualify as personal data and are therefore subject to the GDPR. Companies do have a right to process their users’ data as long as they receive consent or if they have a legitimate interest.

As to location data, the GDPR will apply if the data collector collects the location data from the device and if it can be used to identify a person.

If the data is anonymized such that it cannot be linked to a person, then the GDPR will not apply. However, if the location data is processed with other data related to a user, the device or the user’s behavior, or is used in a manner to single out individuals from others, then it will be “personal data” and fall within the scope of the GDPR even if traditional identifiers such as name, address etc. are not known.

KEY CONTACTS

HBN Law & Tax

hbnlawtax.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Maarten Willems
Senior Associate

HBN Law & Tax

T +297 588 6060

maarten.willems@hbnlawtax.com

Misha Bemer
Partner

HBN Law & Tax

T +297 588 6060

misha.bemer@hbnlawtax.com


AUSTRALIA

Last modified 23 December 2021

LAW

Australia regulates data privacy and protection through a mix of federal, state and territory laws. The federal Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (“APPs”) contained in the Privacy Act apply to private sector entities (including body corporates, partnerships, trusts and unincorporated associations) with an annual turnover of at least AU$3 million, and all Commonwealth Government and Australian Capital Territory Government agencies.

The Privacy Act regulates the handling of personal information by relevant entities and, under the Privacy Act, the Privacy Commissioner has authority to conduct investigations, including own motion investigations, to enforce the Privacy Act and seek civil penalties for serious and egregious breaches or for repeated breaches of the APPs where an entity has failed to implement remedial efforts.

Most States and Territories in Australia (except Western Australia and South Australia) have their own data protection legislation applicable to relevant State or Territory government agencies, and private businesses that interact with State and Territory government agencies. These Acts include:

Information Privacy Act 2014 (Australian Capital Territory)

Information Act 2002 (Northern Territory)

Privacy and Personal Information Protection Act 1998 (New South Wales)

Information Privacy Act 2009 (Queensland)

Personal Information Protection Act 2004 (Tasmania), and

Privacy and Data Protection Act 2014 (Victoria)

Additionally, there are other parts of State, Territory and federal legislation that relate to data protection. For example, the following all impact privacy and data protection for specific types of data or activities: the Telecommunications Act 1997 (Cth), the Criminal Code Act 1995 (Cth), the National Health Act 1953 (Cth), the Health Records and Information Privacy Act 2002 (NSW), the Health Records Act 2001 (Vic) and the Workplace Surveillance Act 2005 (NSW).

Specific regulators have also expressed an expectation that regulated entities should have specified data protection practices in place. For example, the Australian Prudential and Regulatory Authority (“APRA”), which regulates financial services institutions, requires regulated entities to comply with Prudential Standards, including Prudential Standard CPS 234 Information Security (CPS 234), and the Australian Securities and Investment Commission regulates corporations more generally.

Other important privacy and data protection laws


Assistance and Access Act

The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (“AA Act”) provides law enforcement agencies with access to encrypted data for serious crime investigation and imposes obligations on “Designated Communications Providers”. However, the AA Act may inadvertently have a much broader remit with limited judicial oversight, and has been the subject of much criticism from local and global technology firms which have stated the legislation has the potential to significantly impact security / encryption solutions in Australia.

The AA Act allows various agencies to do any of the following:

Issue a “technical assistance notice”, which requires a communications provider to give assistance that is reasonable, proportionate, practicable and technically feasible

Issue a “technical capability notice”, which requires a communications provider to build new capabilities to assist the agency. The Attorney-General must consult with the communications provider prior to issuing the notice, and must be satisfied that the notice is reasonable, proportionate, practicable and technically feasible

Make “technical assistance requests”, to give foreign and domestic communications providers and device manufacturers a legal basis to provide voluntary assistance to various Australian intelligence organizations and interception agencies relating to issues of national interest, national security and law enforcement

Organizations will need to ensure customer terms and conditions deal carefully with the matter of legal compliance and any commitments made to customers generally.

Consumer Data Right

The Commonwealth Government is in the implementation phases of the Consumer Data Right (“CDR”) following a number of policy reviews including the Productivity Commission’s “Data Availability and Use” report and the “Review into Open Banking in Australia”.

The CDR allows a consumer to obtain certain data held about that consumer by a third party and require data to be given to accredited third parties for certain purposes. By requiring businesses to provide public access to information on specified products they have on offer, it is intended that consumers’ ability to compare and switch between products and services will be improved, as well as encouraging competition between service providers, which could lead to better prices for customers and more innovative products and services. In this way, the CDR provides a mechanism for accessing a broader range of information within designated sectors than is provided for by APP 12 in the Privacy Act, given it applies not only to data about individual consumers but also to business consumers and related products.

The CDR rules have been implemented in respect of the banking sector in Australia. The energy sector is the next to be added to the CDR, with the telecommunications sector currently scheduled to follow. Other sectors across the economy will be added to the CDR over time.

The CDR regime addresses competition, consumer, privacy and confidentiality issues. As such, it is regulated by the Australian Competition and Consumer Commission as well as the Office of the Australian Information Commissioner.

DEFINITIONS

Definition of personal data 

Personal data (referred to as ‘personal information’ in Australia) means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in material form or not.

The Privacy Act currently contains an exemption for “employee records”, such that any records containing personal information which an employer makes in connection with a current or former employment relationship are exempt from the Privacy Act. However there are some further carve outs to this (for example, the exemption does not apply to contractors or unsuccessful applicants), and it is widely anticipated that the employee records exemption will be removed from the Privacy Act as a result of the ongoing review of the Privacy Act (see Enforcement).


Definition of sensitive personal data

Sensitive personal data (referred to as ‘sensitive information’ in Australia) means information or an opinion about:

Racial or ethnic origin

Political opinions

Membership of a political association

Religious beliefs or affiliations

Philosophical beliefs

Membership of a professional or trade association

Membership of a trade union

Sexual orientation or practices

Criminal record that is also personal information

Health information about an individual

Genetic information about an individual that is not otherwise health information

Biometric information that is to be used for the purpose of automated biometric identification or verification

Biometric templates

NATIONAL DATA PROTECTION AUTHORITY

The Privacy Commissioner, under the Office of the Australian Information Commissioner (“OAIC”), is the national data protection regulator responsible for Privacy Act oversight.

175 Pitt Street Sydney NSW 2000

T 1300 363 992

F +61 2 9284 9666

REGISTRATION

There is no registration requirement in Australia for data controllers or data processing activities. Under the Privacy Act, organizations are not required to notify the Privacy Commissioner of any processing of personal information.

DATA PROTECTION OFFICERS

Organizations are not required to appoint a data protection officer. However, the Privacy Commissioner has issued guidance recommending that organizations appoint a data protection officer as good practice.

COLLECTION & PROCESSING

Organizations may not collect personal information unless the information is reasonably necessary for one or more of their business functions or activities.

Under the Privacy Act, organizations must take reasonable steps to ensure that personal information collected is accurate and up-to-date.


At or before the time organizations collect personal information, or as soon as practicable afterwards, they must take reasonable steps to provide individuals with notice of:

The Organization’s identity and contact information

Why it is collecting (or how it will use the) information about the individual

The entities or types of entities to which it might give the personal information

Any law requiring the collection of personal information

The main consequences (if any) for the individual if all or part of the information is not provided

The fact that the organization’s privacy policy contains information about how the individual may access and seek correction of their personal information, how they may make a complaint about a breach of the APPs and how the organization will deal with such complaint

Whether the organization is likely to disclose their personal information to overseas recipients and, if so, the countries in which such recipients are likely to be located

Organizations should comply with these notification requirements by preparing a “collection statement” or “privacy notice” for each significant collection of personal information, and providing this to individuals prior to collecting their personal information.

This notification requirement applies in addition to the requirement for organisations to maintain a broader privacy policy, which details the general personal information handling processes of the organisation. APP 1 lists the information which is required to be included in a privacy policy.

In practice, a major Privacy Act compliance issue often arises because organizations fail to recognize that the mandatory notice requirements outlined above also apply to any personal information collected from a third party. Organizations must provide individuals with the required notice on receipt of personal information from a third party, even though they did not collect the personal information directly from the individual. Unlike Europe, Australian privacy law does not distinguish between ‘data processors’ and ‘data controllers.’

Organizations must not use or disclose personal information about an individual unless one or more of the following applies:

The personal information was collected for that purpose (the primary purpose) or a different (secondary) purpose which

is related to (and, in the case of sensitive information, directly related to) the primary purpose of collection and the

individual would reasonably expect the organization to use or disclose the information for that secondary purpose.

The individual consents.

The information is not sensitive information and disclosure is for direct marketing and it is impracticable to seek the

individual’s consent and (among other things) the individual is told that they can opt out of receiving marketing from the

organization.

A ‘permitted general situation’ or ‘permitted health situation’ exists; for example, the entity has reason to suspect that

unlawful activity relating to the entity’s functions has been engaged in, or there is a serious threat to the health and safety

of an individual or the public.

It is required or authorized by law or on behalf of an enforcement agency.

In the case of use and disclosure for the purpose of direct marketing, organizations are required to ensure that:

Each direct marketing communication provides a simple means by which the individual can opt out

The individual has not previously requested to opt out of receiving direct marketing communications

The above direct marketing requirements apply to all forms of direct marketing. Additionally, specific requirements for commercial electronic messaging are outlined in Electronic Marketing (https://www.dlapiperdataprotection.com/countries/australia/electronic-marketing.html).


The Privacy Act affords additional protections when processing involves sensitive information. Organizations are prohibited from

collecting sensitive information from an individual unless certain limited requirements are met, including one or more of the

following:

The individual has consented to the collection and the collection of the sensitive information is reasonably necessary for

one or more of the entity’s functions or activities.

Collection is required or authorized by law or a court/tribunal order.

A ‘permitted general situation’ or ‘permitted health situation’ exists (for example, where the information is required to

establish or defend a legal or equitable claim or there is a serious threat to the life or health of the individual or the

public).

The entity is an enforcement body and the collection is reasonably necessary for that entity’s functions or activities.

The entity is a nonprofit organization and the information relates to the activities of the organization and solely to the

members of the organization (or to individuals who have regular contact with the organization relating to its activities).

Organizations must provide individuals with access to their personal information held by the organization upon an individual’s

request. Additionally, individuals have a right to correct inaccurate, out-of-date, and irrelevant personal information held by an

organization. Under certain circumstances, the organization may limit the extent to which it provides an individual with access or

correction rights, including in emergency situations, specified business imperatives, and law enforcement or other public interests.

Further, organizations must provide individuals with the option to not identify themselves, or use a pseudonym, when dealing with

the organization, unless it is impractical to do so or the organization is required or authorized by law to deal with identified

individuals.

TRANSFER

Unless certain limited exemptions under the Privacy Act apply, personal information may only be disclosed to an organization

outside of Australia where the entity has taken reasonable steps to ensure that the overseas recipient does not breach the APPs

(other than APP 1) in relation to the personal information. The disclosing / transferring entity will generally remain liable for any

act(s) done or omissions by that overseas recipient that would, if done by the disclosing organization in Australia, constitute a

breach of the APPs. However, this provision will not apply where any of the following apply:

The organization reasonably believes that the recipient of the information is subject to a law or binding scheme which

effectively provides for a level of protection that is at least substantially similar to the Privacy Act, including as to access to

mechanisms by the individual to take action to enforce the protections of that law or binding scheme. There can be no

reliance on contractual provisions requiring the overseas entity to comply with the APPs to avoid ongoing liability

(although the use of appropriate contractual provisions is a step towards ensuring compliance with the ‘reasonable steps’

requirement).

The individual consents to the transfer. However, under the Privacy Act the organization must, prior to receiving consent,

expressly inform the individual that if he or she consents to the overseas disclosure of the information the organization

will not be required to take reasonable steps to ensure the overseas recipient does not breach the APPs.

A ‘permitted general situation’ applies.

The disclosure is required or authorized by law or a court/tribunal order.

SECURITY

An organization must have appropriate security measures in place (ie, ‘take reasonable steps’) to protect any personal information it retains from misuse and loss and from unauthorized access, modification or disclosure. The Privacy Commissioner has issued detailed guidance on what it considers to be reasonable steps in the context of security of personal information, which we recommend be reviewed and implemented. Depending on the organization, and how and by which government agency it is regulated, specific requirements or expectations may also exist (as noted above) with which organizations should be familiar. An organization must also take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for the purpose(s) for which it was collected.

BREACH NOTIFICATION

Entities with obligations to comply with the Privacy Act must comply with the mandatory data breach notification regime under

the Privacy Act.

The mandatory data breach notification includes data breaches that relate to:

Personal information

Credit reporting information

Credit eligibility information

Tax file numbers

In summary, the regime requires organizations to notify the OAIC and affected individuals of “eligible data breaches” (in

accordance with the required contents of a notice). Where it is not practicable to notify the affected individuals individually, an

organization that has suffered an eligible data breach must make a public statement on its website containing certain information as

required under the Privacy Act, and take reasonable steps to publicise the contents of the statement.

An “eligible data breach” occurs when all of the following conditions are satisfied in relation to personal information, credit reporting information, credit eligibility information or tax file information:

There is unauthorized access to, or unauthorized disclosure of, or loss of the information

A reasonable person would conclude that the access, disclosure or loss would be likely to result in serious harm to any of the individuals to which the information relates

Prevention of the risk of serious harm through remedial action has not been successful

While “serious” harm is not defined in the legislation, the OAIC has released guidance on how serious harm may be interpreted and assessed by organizations. There are a number of key criteria to examine when determining if “serious” harm is likely to result from a breach, which should be assessed holistically and take into account: the kinds of information, sensitivity, security measures protecting the information, the nature of the harm (ie, physical, psychological, emotional, financial or reputational harm) and the kind(s) of person(s) who may obtain the information.

The regime also imposes obligations on organizations to assess within 30 calendar days whether an eligible data breach has

occurred where the organization suspects (on reasonable grounds) that an eligible data breach has occurred, but that suspicion

does not amount to reasonable grounds to believe that an eligible data breach has occurred.

There are various exceptions to the requirement to notify affected individuals and/or the OAIC of a data breach notification

including in instances where law enforcement related activities are being carried out or where there is a written declaration by the

Privacy Commissioner.

The introduction of the regime has resulted in many organizations requiring detailed contractual obligations with third party suppliers in relation to cybersecurity and the protection of personal information of their customers / clients. Complementing this regime, the OAIC has also released several guidance notes relating to the regime which include topics such as the security of personal information and, whilst these are not legally binding, they are considered industry best practice.

Further, organizations may have additional obligations to notify other regulators of data breaches in certain circumstances, including under the Prudential Standard CPS 234 Information Security (“CPS 234”), which aims to strengthen APRA-regulated entities’ resilience against information security incidents (including cyberattacks), and their ability to respond swiftly and effectively in the event of a breach. CPS 234 applies to all APRA-regulated entities who, among other things, are required to notify APRA within 72 hours “after becoming aware” of an information security incident and no later than 10 business days after “it becomes aware of a material information security control weakness which the entity expects it will not be able to remediate in a timely manner”.

ENFORCEMENT

The Privacy Commissioner is responsible for the enforcement of the Privacy Act and will investigate an act or practice if the act or

practice may be an interference with the privacy of an individual and a complaint about the act or practice has been made.

Generally, the Privacy Commissioner prefers mediated outcomes between the complainant and the relevant organization.

Importantly, where the Privacy Commissioner undertakes an investigation of a complaint which is not settled, it is required to

ensure that the results of that investigation are publicly available. Currently, this is undertaken by disclosure through the OAIC

website of the entire investigation report.

The Privacy Commissioner may also investigate any “interferences with the privacy of an individual” (ie, any breaches of the APPs)

on its own initiative (ie, where no complaint has been made) and the same remedies as below are available.

After investigating a complaint, the Privacy Commissioner may dismiss the complaint or find the complaint substantiated and make

declarations that the organization rectify its conduct or that the organization redress any loss or damage suffered by the

complainant (which can include non-pecuniary loss such as awards for stress and/or humiliation). Furthermore, fines of up to

AU$440,000 for an individual and AU$2.2 million for corporations may be requested by the Privacy Commissioner and imposed

by the Courts for serious or repeated interferences with the privacy of individuals.

Following the release of the Australian Competition and Consumer Commission’s Digital Platforms Inquiry report in December

2019, the Australian Government accepted the need for proposed reforms to the Privacy Act. A draft bill has been published

which would increase penalties under the Privacy Act to the greater of: AU$ 10 million, three times the value of the benefit

obtained through the misconduct, or 10% of annual turnover (as well as introducing the framework for a binding online privacy

code for social media and certain other online platforms including data brokerage services and platforms with more than 2,500,000

end users in Australia (excluding customer loyalty schemes). If these changes proceed, they would bring penalties for corporations

in line with those already in force under the Competition and Consumer Act 2010 (Cth) for breaches of the Australian Consumer

Law. As well as the current proposed changes, a broader review of the Privacy Act is currently being undertaken by the Australian Government, in accordance with the published terms of reference.

ELECTRONIC MARKETING

The sending of electronic marketing (referred to as ‘commercial electronic messages’ in Australia) is regulated under the Spam Act 2003 (Cth) (“Spam Act”) and enforced by the Australian Communications and Media Authority.

Under the Spam Act, a commercial electronic message (which includes emails and SMS’s sent for marketing purposes) must not be

sent without the prior opt-in consent of the recipient.

In addition, each electronic message (which the recipient has consented to receive) must identify the sender and contain a

functional unsubscribe facility to enable the recipient to opt out of receiving future electronic marketing. Requests to unsubscribe

must be processed within 5 business days.

A failure to comply with the Spam Act (including failing to unsubscribe a recipient that uses the unsubscribe facility) may have costly consequences, with repeat offenders facing penalties of up to AU$2.1 million per day.

ONLINE PRIVACY

There are no laws or regulations in Australia specifically relating to online privacy, beyond the application of the Privacy Act, the Spam Act and State and Territory privacy laws relating to online / e-privacy, and other specific laws regarding the collection of location and traffic data etc. In particular, there are no specific legal requirements regarding the use of cookies (or any similar technologies). If the cookies or other similar technologies collect personal information of a user, the organization must comply with the Privacy Act in respect of collection, use, disclosure and storage of such personal information. App developers must also ensure that the collection of customers’ personal information complies with the Privacy Act, and the Privacy Commissioner has released detailed guidance on this.

KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Nicholas Boyle
Partner

T +61 2 9286 8479

nicholas.boyle@dlapiper.com


AUSTRIA

Last modified 21 February 2022

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A ‘Regulation’ (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States.

However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their

own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among

the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a

wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related to “the offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or “the monitoring of their behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

In Austria, the laws concerning the implementation of the GDPR have been adopted gradually. In summer 2017, the existing Data Protection Act 2000 (Datenschutzgesetz 2000) was amended by the Data Protection Amendment Act 2018 (Datenschutz-Anpassungsgesetz 2018), which constituted the first implementation of various regulations related to the GDPR and was intended to enter into force simultaneously with the GDPR. The ‘Data Protection Act’ (Datenschutzgesetz, DSG) has considerably amended the Data Protection Act 2000. In addition to the GDPR, it is now the central piece of legislation in Austria regulating data privacy.

The Privacy Deregulation Act 2018 (Datenschutz-Deregulierungs-Gesetz 2018) further amended the DSG. The DSG, as amended by the Privacy Deregulation Act 2018, came into force on May 25, 2018 and is now the applicable regulation in Austria. The DSG also includes the implementation of Directive (EU) 2016/680.

In addition to the DSG, further amendments to other statutory laws were adopted in order to implement the GDPR (mostly to adapt to the terminology of the GDPR). These amendments were included in the General Data Protection Adjustment Act (Materien-Datenschutz-Anpassungsgesetz 2018) and the research-sector specific Data Protection Adjustment Act – Science and Research (Datenschutz-Anpassungsgesetz 2018 – Wissenschaft und Forschung – WFDSAG 2018). Further amendments in other laws have been made by the Second General Data Protection Adjustment Act, which was passed in June 2018 and applies retroactively. Finally, ordinances were also passed regulating respectively the cases where a data privacy impact assessment is obligatory (the Obligatory DPIA Ordinance – DSFA-V) and the exemptions from the obligation to conduct a data privacy impact assessment (the DPIA Exemptions Ordinance – DSFA-AV).

DEFINITIONS

“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for “identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly referred to in Recital 30, with IP addresses, cookies and RFID tags listed as examples.

The GDPR creates more restrictive rules for the processing of “special categories” (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The GDPR concerns the “processing” of personal data. Processing has a broad meaning, and includes any set of operations

performed on data, including mere storage, hosting, consultation or deletion.

Personal data may be processed by either a “controller” or a “processor”. The controller is the decision maker, the person who “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to former legislation, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

The DSG does not include any additional definitions or derogations to the GDPR. However, Section 1 DSG, which

provides a constitutional (human) right to data privacy, does not use the definition of “data subject” of the GDPR, but

rather uses the term “everyone” which is currently interpreted to include legal entities and other organizations too.

Consequently, the constitutional (human) right to data privacy, as well as some basic data subject rights, as regulated in

Section 1 DSG, also apply to legal entities and other organizations.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is conducted by data protection regulators, known as supervisory authorities (for example, the CNIL in

France or the ICO in the UK). The European Data Protection Board (successor of the so-called Article 29 Working Party) is

comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing

guidelines to encourage consistent interpretation of the Regulation.

The GDPR establishes the concept of “lead supervisory authority”. Where there is cross-border processing of personal data (ie, processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called “lead supervisory authority” (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and a supervisory

authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects

only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.


The Austrian Data Protection Authority (Österreichische Datenschutzbehörde) can be contacted as follows:

Österreichische Datenschutzbehörde

Barichgasse 40-42, 1030 Vienna

Austria / Europe

Phone number: +43 1 52 152-0

E-Mail: dsb@dsb.gv.at

If possible, the Austrian Data Protection Authority prefers to communicate via email.

REGISTRATION

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general

notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of

personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases

following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or

processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory

authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by

rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain

comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data

processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable

operational undertaking.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if one of the following conditions is met:

it is a public authority;

its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or

its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities

(Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger

corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

to inform and advise on compliance with GDPR and other Union and Member State data protection laws;

to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities,

awareness raising and training staff;

to advise and monitor data protection impact assessments where requested; and


to cooperate and act as point of contact with the supervisory authority.

The DSG contains in its Section 5 some additional regulation in respect to the rights and obligations of the DPO.

Thereunder, the DPO and all persons working for the DPO are obliged to retain confidentiality regarding the identity of

the persons that have approached the data protection officer as well as regarding all the circumstances that could reveal

the identity of such persons.

Under certain circumstances, the DPO and their assistant personnel have the right to refuse testimony regarding the data

obtained in their capacity as data protection officer, if a person employed in a position subject to the data protection

officer’s supervision is entitled to such right and to the extent that person has exercised such right. All files and other

documents of the data protection officer which are subject to this statutory right to remain silent in the aforementioned

extent cannot be lawfully seized.

Further regulations in Section 5 concern the DPOs of public organizations.

COLLECTION & PROCESSING

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under

these principles, personal data must be (Article 5):

processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with

those purposes (the “purpose limitation principle”);

adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);

accurate and where necessary kept up-to-date (the “accuracy principle”);

kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which

the data are processed (the “storage limitation principle”); and

processed in a manner that ensures appropriate security of the personal data, using appropriate technical and

organizational measures (the “integrity and confidentiality principle”).

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”). Accountability is a core principle of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance, potentially for years after a particular decision regarding processing of personal data. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate

basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are

(Article 6(1)):

with the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be capable of being withdrawn at any time);

where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of

the data subject prior to entering into a contract;

where necessary to comply with a legal obligation (of the EU) to which the controller is subject;

where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited

to ‘life or death’ scenarios, such as medical emergencies);

where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority

vested in the controller; or


where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a

balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms

of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in

effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an

Article 6 basis):

with the explicit consent of the data subject;

where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and

social protection law or a collective agreement;

where necessary to protect the vital interests of the data subject or another natural person who is physically or legally

incapable of giving consent;

in limited circumstances by certain not-for-profit bodies;

where processing relates to the personal data which are manifestly made public by the data subject;

where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in

their legal capacity;

where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to

the aim pursued and with appropriate safeguards;

where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical

diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;

where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border

threats to health or ensuring high standards of health care and of medical products and devices; or

where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical

purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce national legislation regarding processing of genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an

official public authority, or specifically authorized by national legislation (Article 10).

Section 4 Para 3 DSG regulates the processing of data regarding actions punishable under criminal or administrative law,

criminal convictions or suspected criminal actions.

Processing must (i) be based on an explicit legal authorization or obligation to process such data or (ii) be justified by a

statutory duty of care or legitimate interests pursuant to Article 6 (1) lit f GDPR, and be carried out in a manner ensuring

to protect the data subjects interests set out in the GDPR and the DSG.

For example, legitimate interest may be established in recruitment processes for trustworthy personnel.

Processing for a Secondary Purpose

Increasingly, organisations wish to ‘re-purpose’ personal data – ie, use data collected for one purpose for a new purpose which was

not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of

purpose limitation; to ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the

controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were

initially collected (Article 6(4)). These include:


any link between the original purpose and the new purpose

the context in which the data have been collected

the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are

processed (with the inference being that if they are it will be much harder to form the view that a new purpose is

compatible)

the possible consequences of the new processing for the data subjects

the existence of appropriate safeguards, which may include encryption or pseudonymization.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new

purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and

proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her

data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily

accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using

clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

the identity and contact details of the controller;

the data protection officer’s contact details (if there is one);

both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate

interests for processing;

the recipients or categories of recipients of the personal data;

details of international transfers;

the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;

the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object

to processing and data portability;

where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;

the consequences of failing to provide data necessary to enter into a contract;

the existence of any automated decision making and profiling and the consequences for the data subject; and

in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that

further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable,

while others only apply in quite limited circumstances. Controllers must provide information on action taken in response to

requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two

months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information

about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.


Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s

highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results

relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the

search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the

data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise

of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the

accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of

the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to

processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or

have transmitted to another controller all personal data concerning him or her in a structured, commonly used and

machine-readable format (eg, commonly used file formats recognised by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where

processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they

demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at

any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly

affects him or her” is only permitted where:

a. necessary for entering into or performing a contract;

b. authorized by EU or Member State law; or

c. the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain

human intervention, to contest the decision, and to express his or her point of view.

The Austrian DSG imposes further obligations upon controllers and processors. Pursuant to Section 6, all employees,

agents or contractors of a controller or a processor who have access to personal data must be contractually obliged to

transfer personal data only after receiving an adequate and documented instruction by their employer (confidentiality

obligation). All employees, agents or contractors of a controller or a processor must be subject to confidentiality

undertakings or professional or statutory obligations of confidentiality. Measures must be taken to ensure that all

employees, agents or contractors of a controller or a processor are bound by the aforementioned undertakings and/or

obligations of confidentiality even after the termination of their respective contract, regardless of the cause or form

thereof.


http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631


CCTV, or rather more broadly processing of images made in public or private spaces, including related sound recordings,

are subject to further regulation and requirements pursuant to Sections 12 and 13 DSG. These provisions impose

limitations on the lawfulness of such processing as compared to Art 6 GDPR, as processing of image data is only

permissible in the following cases:

processing is necessary in order to protect the vital interests of the data subject

the data subject has given their consent

the processing is required or permitted by specific statutory law, or

the interests of the data controller override the interests of the data subjects in the specific case, and the

processing is proportionate

Overriding legitimate interests are assumed by the law in some cases listed as examples, such as preventive protection of

property or persons on private properties or publicly accessible spaces controlled by the data controller.

The capturing of images / CCTV is always prohibited in the following cases:

processing of images capturing persons in their personal area of life without their express consent

processing of CCTV images for the purpose of employee monitoring

the automated comparison of personal data obtained by means of capturing images / CCTV without explicit

consent and for the creation of personality profiles with other personal data, or

the evaluation of personal data obtained by means of image capturing on the basis of special categories of personal

data (Art. 9 GDPR) as a selection criterion

In early 2020, the Austrian Data Protection Authority published a non-binding opinion, referring to two decisions of

the Federal Administrative Court, and stating that Sections 12 and 13 DSG are not in line with the GDPR and shall

therefore no longer be applied. The Authority shall assess CCTV data processing operations exclusively on the basis of the GDPR.

However, the contents of the Sections 12 and 13 DSG are still practically used as criteria for assessment of the lawfulness

of the processing.

Other additional regulations for processing of data include:

regulation relating to processing for archiving purposes in the public interest, scientific or historical research

purposes or statistical purposes (Section 7), which allows processing of such data if they are publicly accessible,

have been collected lawfully for other research purposes or other lawful purposes, or are pseudonymized; other

data may only be processed to the extent there are specific statutory regulations, the data subjects have given

their consent or the Data Protection Authority has approved the processing

further regulation regarding the processing of data for purposes pursuant to Art 89(1) GDPR, most notably for

research purposes, included in the Act on Research Organisation (Forschungsorganisationsgesetz – FOG); this

regulation includes provisions which lessen to some extent the requirements for processing of special categories

of data, including in particular the concept of “broad consent”, and limit the rights of data subjects in this respect

regulation relating to the processing of addresses for informing or sending questionnaires to data subjects (Section

8), which in principle requires consent for such processing, but also provides some derogations

regulation regarding data processing in cases of catastrophes (Section 10)

TRANSFER

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and

Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides

for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).

Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions),

Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand.


Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor

and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of

appropriate safeguards includes among others binding corporate rules and standard contractual clauses. The GDPR has removed

the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of

standard contractual clauses from supervisory authorities.

The GDPR also includes a list of context specific derogations, permitting transfers to third countries where: 

a. explicit informed consent has been obtained;

b. the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;

c. the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject

between the controller and another natural or legal person;

d. the transfer is necessary for important reasons of public interest;

e. the transfer is necessary for the establishment, exercise or defense of legal claims;

f. the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or

g. the transfer is made from a register which according to EU or Member State law is intended to provide information to the

public, subject to certain conditions.

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the

purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data

subject; notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized

or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in

force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is

no other legal basis for transfer will infringe the GDPR.

SECURITY

Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate,

context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and

organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account

of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’

approach is therefore the antithesis of this requirement.

However the GDPR does require controllers and processors to consider the following when assessing what might constitute

adequate security:

a. The pseudonymization and encryption of personal data

b. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services

c. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical

incident, and

d. A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for

ensuring the security of the processing

Section 13 DSG imposes further obligations on Controllers in regard to CCTV and / or processing of captured images

pursuant to Section 12 DSG. The controller needs to secure the access to the CCTV / captured images in a way that

makes any access and / or subsequent alteration of captured images by an unauthorized third party impossible.

BREACH NOTIFICATION


The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority,

and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as

any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal

data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours

after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and

freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is

also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, they are required to notify the controller without undue delay upon

becoming aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals

and records concerned, the name of the organization’s data protection officer or other contact, the likely consequences of the

breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory

authority) and permit audits of the record by the supervisory authority.

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million

(whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of

an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that

‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European

Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. The Treaty does not

define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of

each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. Under EU

case-law regarding competition, there is also precedent for regulators to impose joint and several liability on parent companies for

fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called “look

through” liability. It is not yet clear whether this will translate directly to GDPR enforcement.

Fines are split into two broad categories. 

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of

the preceding year, whichever is higher, apply to infringement of:

the basic principles for processing including conditions for consent;

data subjects’ rights;

international transfer restrictions;

any obligations imposed by Member State law for special cases such as processing employee data; and

certain orders of a supervisory authority.

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide

turnover of the preceding year, whichever is the higher, apply to infringement of:

obligations of controllers and processors, including security and data breach notification obligations;

obligations of certification bodies; and

obligations of a monitoring body.

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective,


proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy broad investigative and corrective powers (Article 58) including the power to undertake on-site

data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR provides for specific provision for individuals to bring private claims against controllers and processors:

any person who has suffered “material or non-material damage” because of a breach of the GDPR has the right to receive

compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that

individuals will be able to claim compensation for distress even where they are not able to prove financial loss. These

claims can be made at any competent court.

Data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf

(Article 80).

Furthermore, individuals may lodge a complaint to a supervisory authority (Article 77).

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against

a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

In Austria, the Austrian Data Protection Authority is responsible for the enforcement of the GDPR. Pursuant to Section

11 DSG, the Austrian Data Protection Authority is obliged to impose administrative fines pursuant to the Article 83

GDPR in an adequate way. The Authority should in particular also apply the measures pursuant to Art 58 GDPR in case of

first time breaches, in particular the possibility to issue warnings instead of imposing fines.

The fines under the GDPR are imposed under Austrian administrative criminal law. The Austrian administrative criminal

law in general does not allow authorities to impose fines against a legal entity, but provides only for the liability of natural

persons; in cases where violations are committed by a legal entity, the liable persons are either statutory representatives

(directors) or persons appointed as responsible persons for adherence with specific administrative laws. However, the

DSG provides a possibility to impose fines against legal entities, in the following cases:

A violation of GDPR or DSG is committed by a natural person who has power (1) to represent the legal entity or

to make decisions on behalf of the legal entity; or (2) has supervisory powers in the legal entity and has

committed this offence either alone or as a part of an organ of the legal entity (eg, management board)

An employee of the legal entity violates the provisions of GDPR or DSG and the violation was possible due to

insufficient supervision or control by a natural person that has power to (1) represent the legal entity;

(2) or to make decisions on the behalf of the legal entity; or (3) has supervisory powers in the legal entity,

provided the violation is not subject to criminal law.

The Authority may impose fines against a legal entity or a responsible natural person, as appropriate. If the fine is imposed

against a legal entity, the Authority is required to identify a particular natural person whose violations are to be attributed

to said entity; the responsible natural person may not be fined for the same breach.

Public bodies cannot be fined for violations of GDPR or DSG.


ELECTRONIC MARKETING

The GDPR applies to most electronic marketing activities, as these will involve use of personal data (eg, an email address which

includes the recipient’s name). The most relevant legal bases for electronic marketing will be consent, or the legitimate interests of

the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict

standards for consent under the GDPR apply, and marketing consent forms will need to incorporate clearly worded opt-in

mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms

and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic

marketing) at any time (Article 21(3)).

Directive 2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State, provides for specific rules on

electronic marketing (including circumstances in which consent must be obtained). The ePrivacy Directive is yet to be replaced by

a Regulation. However, it is currently uncertain when this is going to happen. In the meantime, Article 94 makes it clear that

references to the repealed Directive 95/46/EC will be replaced with references to the GDPR. As such, references to the Directive

95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR standard for consent.

The GDPR or DSG do not specifically address (electronic) marketing, however, the use of personal data for marketing purposes is

clearly within their scope. It is arguable that the processing of personal data of the existing customers within the scope of the

business is permissible for marketing purposes, and this has become common practice in Austria. For persons who are not yet

customers, the consent of the data subjects is generally required.

Electronic marketing is also regulated by the Austrian Telecommunications Act (Telekommunikationsgesetz 2021, ‘TKG’). Pursuant

to the TKG the sending of electronic messages without prior consent of the recipient is unlawful, if the sending is for direct

marketing purposes. No consent is required if the data has been obtained in the course of the sale of goods or provision of

services, occurs for the same or similar goods or services, the recipient is able to decline easily and with no costs for the use of

his or her personal data and the recipient has not previously declared, by requesting to be entered on to the relevant list

(maintained by the Austrian Regulatory Authority for Broadcasting and Telecommunications (RTR)), that they do not want to be

contacted.

The GDPR implementation Acts do not provide any amendments or derogations in respect of electronic marketing.

However, electronic marketing was and still is separately regulated in Austria in the Telecommunications Act

(Telekommunikationsgesetz 2021, TKG), Section 174, which implements the ePrivacy Directive.

Pursuant to the TKG the sending of electronic messages without prior consent of the recipient is unlawful insofar as the

message is sent for direct marketing purposes. Explicit consent is not required where (1) the data have been obtained in

the context of the sale of goods or provision of services; (2) the electronic marketing concerns same or similar goods or

services of the sender; (3), the recipient is able to decline easily and with no costs for the use of his or her personal data

for electronic marketing, both when the data are collected as well as with each message received (‘opt-out’), and the

recipient has not previously declared, by requesting to be entered on to the relevant lists (the “Robinson lists”, maintained

by the Austrian Regulatory Authority for Broadcasting and Telecommunications (RTR) and the Austrian Chamber of

Commerce (WKO)), that he or she does not want to be contacted.

ONLINE PRIVACY

Online privacy is specifically regulated by the TKG.

Traffic data

Traffic Data held by communications services providers (CSPs) must be erased or anonymized when it is no longer necessary for


the purpose of the transmission of a communication. However, Traffic Data can be retained for purposes of invoicing the services.

In such a case, if the invoice has been paid and no appeal has been lodged with the CSP within three months the Traffic Data must

be erased or anonymized.

Location data

Location Data may only be processed for emergency services and with consent of the user. Even in case of consent, the user must

be able to prohibit the processing by simple means, free of charge and for a certain time period.

Cookie compliance

The relevant section of the TKG stipulates that a user must give informed consent for the storage of personal data, which includes a cookie. The user has to be aware of the fact that consent for the storage or processing of personal data is given, as well as the details of the data to be stored or processed, and has to agree actively. Therefore, obtaining consent via some form of pop-up or click-through agreement seems advisable. Consent by way of browser settings, a pre-selected checkbox, etc. is probably not sufficient in this respect.

If for technical reasons the short-term storage of content data is necessary, such data must be deleted immediately thereafter.

Online privacy is still specifically regulated by the TKG, and the GDPR implementation acts have introduced only minor amendments thereto. There are no regulations regarding online privacy in the DSG itself.

Media privilege

In an effort to balance freedom of speech and freedom of information, publishers as well as owners and employees of media outlets are granted privileges regarding the processing of data for journalistic purposes (Section 9 DSG). Certain Chapters of the GDPR are not applicable to such processing, specifically:

Chapter II (Principles);
Chapter III (Rights of the data subject);
Chapter IV (Controller and Processor);
Chapter V (Transfers of personal data to third countries or international organizations);
Chapter VI (Independent supervisory authorities);
Chapter VII (Cooperation and consistency); and
Chapter IX (Provisions relating to specific processing situations).

The same exceptions (with the slight difference that Article 5 of Chapter II remains applicable) are stipulated if data is processed for scientific, artistic or literary purposes.


KEY CONTACTS

Sabine Fehringer
Partner
T +43 1 531 78 1460
sabine.fehringer@dlapiper.com

Stefan Panic
Counsel
T +43 531 78 1034
stefan.panic@dlapiper.com

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.


AZERBAIJAN

Last modified 15 February 2022

LAW

Law on Personal Information dated 11 May 2010.

DEFINITIONS

Definition of Personal Data

Any information allowing a person to be identified, directly or indirectly, is considered personal data.

Definition of Sensitive Personal Data

Personal data of the special category includes information relating to the race or nationality of an individual, his/her family life, religion and belief, health or conviction.

NATIONAL DATA PROTECTION AUTHORITY

The major regulator/enforcement authority (DPA) is the Ministry of Digital Development and Transport.

In addition, the other designated state authorities which are vested with powers to enforce applicable data protection/privacy laws, within the scope of their competences, include the Ministry of Internal Affairs, the Ministry of Justice, the State Security Service, and the Special State Protection Service.

REGISTRATION

Information systems of personal data must be registered with the DPA. There are also certain exemptions from this registration requirement.

DATA PROTECTION OFFICERS

The DPA, through its officers, may demand the elimination of violations of statutory requirements by legal entities and individuals, and may also take the necessary actions to hold accountable persons who breached the statutory requirements regarding the collection, processing and protection of personal data.

COLLECTION & PROCESSING

Collection and processing of personal data can be carried out either with the prior consent of a data subject or when the data is of the open category (i.e. non-confidential).

TRANSFER


Transfer of personal data can be performed with the prior written consent of a data subject, unless the data is of the open category.

SECURITY

An adequate level of protection of personal data should be provided by the owners or operators of personal data.

BREACH NOTIFICATION

There is no specific requirement as to notification of the DPA by the owner or operator of personal data about a breach.

ENFORCEMENT

If the rights of a data subject are breached as a result of the illegal collection and processing of personal data, inadequate protection of such data, or non-compliance with the statutory requirements, the data subject may claim compensation for material and moral damages sustained by him/her through the local court.

ELECTRONIC MARKETING

No consent of a recipient is required for e-mail marketing, provided that service providers establish a registration system for persons who wish to opt out from receiving marketing materials, and comply with that system.

ONLINE PRIVACY

There are no rules directly regulating the use of cookies in Azerbaijani legislation. However, if cookies contain any personal data, the Azerbaijani data protection rules will apply to the use of such cookies.

If a data subject cannot be identified based on location data alone, such data is unlikely to be deemed personal data and so falls outside the scope of the personal data protection requirements.

KEY CONTACTS

MGB Law Offices
https://mgb-law.com/

Ismail Askerov
Senior Partner
MGB Law Offices
T +99412 493 6669
ismail.askerov@mgb-law.com

Lala Hasanova
Senior Associate
MGB Law Offices
T +99412 493 6669
lala.hasanova@mgb-law.com

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.


BAHAMAS

Last modified 22 December 2021

LAW

Data Protection (Privacy of Personal Information) Act (“DPA”).

DEFINITIONS

Definition of Personal Data

Section 2 DPA defines ‘personal data’ as data relating to a living individual who can be identified either from the data or from the data in conjunction with other information in the possession of the data controller.

Definition of Sensitive Personal Data

‘Sensitive personal data’ is further defined in Section 2 DPA as personal data relating to: racial origin; political opinions or religious or other beliefs; physical or mental health (other than any such data reasonably kept by them in relation to the physical or mental health of their employees in the ordinary course of personnel administration and not used or disclosed for any other person); trade union involvement or activities; sexual life; or criminal convictions, the commission or alleged commission of any offence, or any proceedings for any offence committed, the disposal of such proceedings or the sentence of any court in such proceedings.

It should be noted that although sensitive personal data (‘SPD’) is distinguished from personal data under DPA in its specificity of certain categories of data, SPD does not otherwise receive any special treatment compared to general personal data. While DPA provides that the relevant Minister responsible for data protection may create regulations that would provide safeguards for such data under the Act, such a regulation has never materialized.

NATIONAL DATA PROTECTION AUTHORITY

Section 14 DPA establishes a Data Protection Commissioner (‘DPC’), a corporation sole, that is tasked with the enforcement of the provisions of DPA. The DPC operates from the Office of the Data Protection Commissioner, which would be the Bahamian equivalent of a national data protection authority as seen in other jurisdictions.

REGISTRATION

There is no obligation under DPA to register with the Office of the Data Protection Commissioner as a data controller (or data processor).

DATA PROTECTION OFFICERS

There is no statutory duty to appoint a Data Protection Officer under DPA.

COLLECTION & PROCESSING


DPA in The Bahamas has only limited extraterritorial effect (as it concerns data controllers). Per Section 4(1) of DPA, the Act only applies to: data controllers established in The Bahamas (where the data is processed in the context of the local establishment); and data controllers established outside The Bahamas that use equipment in The Bahamas for processing data (other than for transit through The Bahamas).

In the above context, an ‘established’ data controller can be any of the following (in accordance with Section 4(3) of DPA): an individual ordinarily resident in The Bahamas; a body incorporated or registered under Bahamian law; a partnership or other unincorporated association formed under Bahamian law; and any person that does not fall into any of the foregoing categories but maintains an office, branch or agency in The Bahamas through which they carry on a business activity or regular practice. It can be seen, therefore, that a nexus to The Bahamas of the kind described above must be established for DPA to apply outside the jurisdiction.

Data controllers are defined in Section 2 DPA as a person who, alone or with others, determines the purposes for which and the manner in which any personal data are, or are to be, processed. Data controllers owe a statutory duty of care to data subjects pursuant to Section 12(1) as regards the collection by them of personal data or information intended for inclusion in such data, or their dealing with such data. Further, Section 12(2) provides that data controllers must use contractual or other legal means to provide a ‘comparable’ level of protection from any third party to whom they disclose information for the purpose of data processing.

Data controllers, under Section 6(1), must abide by several core duties as they relate to the collection, processing, keeping, use and disclosure of data subjects’ data, namely, to ensure that:

The data or information constituting the data has been collected by means which are lawful and fair in the circumstances of the case (e.g., data subjects should not be deceived or misled as to the purpose(s) for which the data is being processed or collected, and the use of such data should not cause damage or distress to the data subject);
The data is accurate and kept up to date where necessary (except in the case of data back-up);
The data is kept only for one or more specified or lawful purpose(s);
The data is not used or disclosed in a manner which is incompatible with that/those purpose(s);
The data collected is adequate, relevant and not excessive in relation to that purpose or purposes;
The data is not kept for a period longer than necessary for the purpose(s) for which it was collected (except in cases where personal data needs to be kept for historical, statistical or research purposes);
There are appropriate security measures in place to prevent unauthorised access to, or alteration, disclosure or destruction of data and against its accidental loss or destruction.

TRANSFER

Section 17 DPA speaks to the international transfer of data. Under Section 17(1) the DPC may prohibit the transfer of personal data from The Bahamas to a place outside The Bahamas in cases where there is a failure to provide protection, either by contract or otherwise, equivalent to that provided under DPA, subject to certain exceptions. In arriving at a determination to prohibit the international transfer of data, the DPC must consider whether such a transfer would cause damage or distress to any person and consider the desirability of the transfer. Pursuant to Section 17(8), however, Section 17 does not apply to data required or authorized to be transferred under another enactment; data whose transfer is required by any convention or other instrument imposing an international obligation on The Bahamas; or otherwise, data that a data subject has consented to having transferred.

SECURITY

As mentioned previously, Section 6(1)(d) provides that data controllers must ensure that appropriate security measures are taken against unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction. In practice, appropriate security measures typically mean ‘industry-standard’ measures (particularly for institutions that store SPD, e.g. law firms, hospitals, banks, insurance companies, etc.).

BREACH NOTIFICATION


There is no breach notification obligation under the provisions of DPA.

ENFORCEMENT

The DPC of The Bahamas is largely responsible for the enforcement of data protection in the jurisdiction. Section 15(1) states that the DPC may investigate, or cause to be investigated, whether any of the provisions of DPA have been contravened by a data controller or a data processor in relation to an individual when an individual has complained of a contravention of any DPA provisions or where the DPC may otherwise be of the opinion that a contravention may have occurred. Enforcement measures the DPC can utilize include enforcement notices (Section 16 DPA), prohibition notices (Section 17 DPA), information notices (Section 18 DPA), and in rare instances bringing and prosecuting summary offences under DPA (Section 28 DPA).

Aside from its statutory functions, the DPC is also tasked with educating the public about data protection issues and trends and providing assistance in data breach remediation.

In accordance with Section 29(1) DPA, a person guilty of an offence under DPA is liable on summary conviction to a fine not exceeding $2,000.00 Bahamian Dollars, or on conviction on information to a fine not exceeding $100,000.00 Bahamian Dollars. Further, Section 29(2) provides that where a person is convicted of a DPA offence, the court may also order that any data material which appears to the court to be connected with the commission of the offence be forfeited or destroyed and any (relevant) data be erased.

ELECTRONIC MARKETING

Data subjects have the right to prohibit processing for the purposes of direct marketing by way of Section 11 DPA. Though DPA provides that ‘direct marketing’ includes direct mailing, it also applies by extension to electronic marketing and newsletters. In order to prohibit such processing a data subject may make a written request to the data controller to cease using any data that has been kept for the purpose of direct marketing. The data controller then has no more than forty days to either erase or cease using the said data and to notify the data subject in writing accordingly.

ONLINE PRIVACY

Outside of the current provisions of DPA and legislation governing law enforcement access to one’s computing devices and encrypted data (e.g. the Interception of Communications Act, Computer Misuse Act, National Crime Intelligence Agency Act etc.), online privacy is largely unregulated and there are no specific laws aimed at the use of cookies or the collection of location data.

Under the Electronic Communications and Transactions Act (‘ECTA’), however, Section 20 provides for an online intermediary procedure for ‘dealing with unlawful, defamatory, etc. information’. An intermediary is defined under Section 2 ECTA as, in the context of an electronic communication, a person (including a host on behalf of another person) who sends, receives or stores, either temporarily or permanently, that electronic communication or provides related services with respect to that electronic communication. Section 20(1) states that where an intermediary has actual knowledge that information in an electronic communication gives rise to civil or criminal liability, then as soon as possible the intermediary should remove the information from any information processing system within the intermediary’s control, cease to provide or offer services in respect of that information, and notify the police of any relevant facts and of the identity of the person to whom the intermediary was supplying services in respect of the information, if the identity of that person is known to the intermediary. Similarly, Section 20(2) states that if an intermediary is aware of facts or circumstances from which the likelihood of civil or criminal liability in respect of the information in an electronic communication ought reasonably to have been known, it should, as soon as practicable, follow any relevant procedure set out in any code of conduct that may be applicable to the intermediary under the Act or notify the police and the relevant Minister responsible for electronic communications. The Minister may then direct the intermediary to remove the electronic communication from any information processing system within the control of the intermediary and cease to provide services to the person to whom the intermediary was supplying services in respect of that electronic communication. It can be argued that these provisions give intermediaries (e.g. telecommunications providers) facilitating communications between end users broad powers to cease services or effectively censor electronic communications they deem objectionable, on the grounds that civil or criminal liability could likely arise, without any liability arising for the intermediary provided the action is taken in good faith.


KEY CONTACTS

GrahamThompson
grahamthompson.com/

Sean G. McWeeney Jr.
Associate
GrahamThompson
T +1 (242) 322-4130
sgm@gtclaw.com

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.


BAHRAIN

Last modified 7 December 2021

LAW

Bahrain enacted Law No. 30 of 2018 with respect to Personal Data Protection (“PDPL”) on July 12, 2018. The PDPL is the main data protection regulation in Bahrain. The PDPL came into force on August 1, 2019, and supersedes any law with contradictory provisions.

DEFINITIONS

Definition of personal data

Personal data is defined under the PDPL as any information of any form related to an identifiable individual, or an individual who can be identified, directly or indirectly, particularly through their personal identification number, or one or more of their physical, physiological, intellectual, cultural or economic characteristics or social identity.

Definition of sensitive personal data

Sensitive personal data is a subset of personal data. It is personal data which reveals, directly or indirectly, the individual’s race, ethnicity, political or philosophical views, religious beliefs, union affiliation, criminal record or any data related to their health or sexual life. Sensitive personal data requires more rigorous treatment by data controllers.

NATIONAL DATA PROTECTION AUTHORITY

Under the PDPL, the Personal Data Protection Authority (“Authority”) will have power to investigate violations of the PDPL on its own initiative, at the request of the responsible minister, or in response to a complaint.

The Authority can issue orders to stop violations, including issuing emergency orders and fines. Civil compensation is also allowed for any individual who has incurred damage arising from the processing of their personal data by the data controller, or from a violation of the provisions of the PDPL by a business’s data protection officer. Finally, the most concerning feature of the PDPL for businesses is that it carries criminal penalties for violations of certain provisions.

Decree No. 78 of 2019 (the “Decree”) was enacted to determine the administrative authority that will assume the mandated functions and powers of the Authority. This Decree came into force on 29 September 2019.

Article I of the aforementioned Decree appoints the Ministry of Justice, Islamic Affairs and Endowments (the “Ministry”) as the Authority for the protection of personal data in accordance with the provisions of the PDPL, on a temporary basis pending the financial allocation of the Authority in the general budget of Bahrain and the issuance of a decree forming the Board of Directors pursuant to Article 39 of the PDPL.

The Minister of the Ministry will assume the functions and powers prescribed to the Board of Directors of the Authority and the Chairman of the Board of Directors, in accordance with the provisions of the PDPL. The Undersecretary of the Ministry will


assume the same functions and powers as the Executive Chairman.

REGISTRATION

The Authority must create a register of data protection officers. To be accredited as a data protection officer, an individual must be registered in that register.

DATA PROTECTION OFFICERS

Data controllers may voluntarily appoint a data protection officer. The Authority’s Board of Directors may also issue a decision requiring specific categories of data controllers to appoint data protection officers. However, in all instances, the data controller must notify the Authority of such an appointment within three days of its occurrence.

A data protection officer must help the data controller in exercising its rights and fulfilling its obligations prescribed under the PDPL. The data protection officer also has a number of other roles, including liaising with the Authority, verifying that personal data is processed in accordance with the PDPL, notifying the Authority of any violations of the PDPL that the data protection officer becomes aware of, and maintaining a register of the processing operations that the data controller must notify the Authority about.


COLLECTION & PROCESSING

Processing is defined under the PDPL as any operation or set of operations carried out on personal data by automated or non-automated means, such as collecting, recording, organizing, classifying in groups, storing, modifying, amending, retrieving, using or revealing such data by broadcasting, publishing, transmitting, making them available to others, integrating, blocking, deleting or destroying them.

Processing of personal data can only occur with the consent of the data subject, unless the processing is necessary:

to implement a contract to which the data subject is a party;
to take steps at the request of the data subject to conclude a contract;
to implement an obligation required by law, contrary to a contractual obligation, or an order from a competent court;
to protect the vital interests of the data subject; or
to exercise the legitimate interests of the data controller or any third party to whom the data is disclosed, unless this conflicts with the fundamental rights and freedoms of the data subject.

Processing of sensitive personal data is also prohibited without the consent of the data subject, except when the processing:

is required by the data controller to carry out their obligations;
is necessary for the protection of the data subject;
relates to data that has been made available to the public by the data subject;
is necessary to exercise any of the procedures of claims of legal rights or the defence thereof;
is necessary for the purposes of preventive medicine, medical diagnosis, provision of healthcare, treatment or management of healthcare services;
is carried out within the activities of associations, unions and other non-profit organisations;
is carried out by a competent public entity; or
relates to race or ethnicity, if necessary to ascertain equal opportunities or treatment of the society’s individuals.

Data controllers are prohibited from processing the following personal data types without the prior written authorization of the Authority:

automatic processing of sensitive personal data of data subjects who cannot provide consent;


automatic processing of biometric data;
automatic processing of genetic data (unless such processing was provided by physicians and specialists at a licensed medical establishment and is necessary for purposes of preventative medicine or diagnostic medicine, or purposes to provide treatment or healthcare);
automatic processing of personal data files that are in the possession of two or more data controllers that are processing personal data for different purposes; or
processing that consists of visual recording to be used for monitoring purposes.

TRANSFER

Transfers of personal data out of Bahrain are prohibited unless the transfer is made to a country or region that provides sufficient protection to personal data. Those countries need to be listed by the Authority and published in the Official Gazette.

Data controllers can also transfer personal data to countries that are not determined to have sufficient protection of personal data where:

the transfer occurs pursuant to a permission issued by the Authority on a case-by-case basis, if it deems that the data will be sufficiently protected;
the data subject has consented to that transfer;
the data to be transferred has been extracted from a register that was created in accordance with the PDPL for the purpose of providing information to the public, regardless of whether viewing of this register is available to everyone or limited to the parties concerned in accordance with specific terms and conditions (in this instance, the terms and conditions prescribed for viewing the register must be satisfied before that information is viewed); or
the transfer is necessary for any of the following:
    to implement a contract between the data subject and the data controller, or to undertake preceding steps at the data subject’s request for the purpose of concluding a contract;
    to implement or conclude a contract between the data controller and a third party for the benefit of the data subject;
    to protect the data subject’s vital interests;
    to implement an obligation imposed by the PDPL (even if this is contrary to a contractual obligation), or to implement an order issued by a competent court, the public prosecution, the investigating judge or the military prosecution; or
    to prepare, execute or defend a legal claim.

SECURITY

The PDPL requires that data controllers apply technical and organizational measures capable of protecting the data against unintentional or unauthorized destruction, accidental loss, unauthorized alteration, disclosure or access, or any other form of processing.

The PDPL requires that the Authority’s Board of Directors issue a decision specifying the terms and conditions that the technical and organizational measures must satisfy. The decision may impose special security requirements on specific activities when processing personal data.

Data controllers must also use data processors who will provide sufficient guarantees about applying the technical and organizational measures that must be adhered to when processing the data. Data controllers must also take reasonable steps to verify that data processors comply with these measures.

BREACH NOTIFICATION

The PDPL contains a general requirement on the data protection officer to notify the Authority of any breach of the PDPL of which the data protection officer becomes aware.

Mandatory breach notification


Under the PDPL, there is no mandatory data breach notification provision requiring data controllers to notify the Authority or the data subject in the event that there is a breach of personal data held by the data controller.

ENFORCEMENT

The Authority can issue orders to stop violations, including emergency orders and fines. Civil compensation is also allowed for any individual who has incurred damage arising from the processing of their personal data by the data controller, or arising from the data protection officer’s violation of the PDPL. Appeals can be made against decisions of the Authority.

The PDPL also carries a range of criminal penalties and administrative fines for violating certain provisions.

Criminal penalties of imprisonment of not more than one year and / or a fine of between BHD 1,000 and BHD 20,000 can be issued against any individual who:

processes sensitive personal data in violation of the PDPL;
transfers personal data outside Bahrain to a country or region in violation of the PDPL;
processes personal data without notifying the Authority;
fails to notify the Authority of any change made to the data of which they have notified the Authority;
processes certain personal data without prior authorization from the Authority;
submits to the Authority or the data subject false or misleading data contrary to what is established in the records, data or documents available at their disposal;
withholds from the Authority any data, information, records or documents which they should provide to the Authority or enable it to review in order to perform its missions specified under the PDPL;
hinders or suspends the work of the Authority’s inspectors or any investigation which the Authority is going to make; and / or
discloses any data or information which they are allowed to have access to due to their job, or which they used for their own benefit or for the benefit of others, unreasonably and in violation of the provisions of the PDPL.

ELECTRONIC MARKETING

Under the PDPL, data controllers must notify the data subject, when data is collected directly or indirectly, whether the data will be used for direct marketing purposes. Notice is important because it alerts data subjects to their right to object to any direct marketing relating to their personal data.

ONLINE PRIVACY

There is no specific online privacy regulation in Bahrain.


KEY CONTACTS

Mohamed Toorani
Legal Director – Head of Bahrain Office
T +973 1 755 0896
mohamed.toorani@dlapiper.com

Lulwa Alzain
Associate
T +973 1 755 0891
lulwa.alzain@dlapiper.com

Jenan Banahi
Associate
T +973 1755 0897
jenan.banahi@dlapiper.com

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.


BANGLADESH

Last modified 11 January 2022

LAW

Digital Security Act 2018 (“DSA 2018”).

DEFINITIONS

Definition of personal data

Section 26 of the DSA defines the term “identity information” as “any external, biological or physical information or any other information which singly or jointly can identify a person or a system, such as name, photograph, address, date of birth, mother’s name, father’s name, signature, national identity card, birth and death registration number, finger print, passport number, bank account number, driving license, e-TIN number [Tax identification Number], electronic or digital signature, username, credit or debit card number, voice print, retina image, iris image, DNA profile, security related question or any other identification which are available for advance technology”.

Definition of sensitive personal data

The DSA 2018 does not define the term “Sensitive Personal Data” or any similar or equivalent term.

NATIONAL DATA PROTECTION AUTHORITY

Digital Security Agency.

REGISTRATION

No requirements.

DATA PROTECTION OFFICERS

No requirements.

COLLECTION & PROCESSING

There are no statutes that expressly allow the collection and processing of identification information.

The DSA 2018 came into force in full on 8 October 2018. Section 26 of the DSA 2018 has been drafted in very wide terms. The contents of this provision would appear to provide, inter alia, that if anyone, without lawful authority, collects, sells, keeps possession of, supplies or uses identification information of another person, it would constitute an offence (see Note 1 below). The punishment for a first-time offender would be imprisonment for a term not exceeding five years or a fine not exceeding Taka 5,00,000 (approx. US$ 5,950 as at 19 January 2021), or both. The punishment for second-time or repeat offenders would be imprisonment for a term not exceeding 10 years or a fine not exceeding Taka 10,00,000 (approx. US$ 11,900 as at 19 January 2021), or both.


Please note that the DSA 2018 does not contain any exceptions to the Section 26 requirement. However, identification information may be, among other things, collected and stored by a person if he has lawful authority. The term “lawful authority” has not been defined in the DSA 2018. Due to the very recent enactment of this legislation, the Government of Bangladesh has not yet issued any clarification as to what would constitute ‘lawful use’ and has provided no guidance on what would satisfy the ‘lawful authority’ requirement. It is for these reasons (among others) that the legislation has been widely criticised.

In our opinion, a person will be deemed to have lawful authority if they are authorized by statute or contract to collect and store

such identification information.

Note 1. Please note that this is an unofficial English translation of the wording of the provision in question.

TRANSFER

Bangladesh does not specifically regulate data transfers within Bangladesh or from Bangladesh to outside of Bangladesh. In our

opinion, transfers would be permitted provided consent of the data subject is obtained.

While there are no general restrictions on transfer of data outside Bangladesh, please note that there are certain industry specific

restrictions that are discussed below.

Banks 

Section 12 of the Bank Companies Act, 1991 has imposed a restriction upon bank companies with regard to the removal of documents and records outside Bangladesh without the prior permission of Bangladesh Bank (i.e. the central bank of Bangladesh).

The requirement for obtaining prior written permission from Bangladesh Bank is upon the transferor, i.e. the bank company.

Banks must also maintain confidentiality in banking transactions.

Telecommunication companies 

The Bangladesh Telecommunication Regulatory Commission (“Commission”) is the authority responsible for regulating telecommunications companies (“telcos”) in Bangladesh and for issuing licenses to telcos for providing mobile phone services.

The license granted to the telcos contains a provision regarding subscriber confidentiality. The confidentiality requirement applies to “all information provided by the subscriber”. As such, telcos will be prohibited from sharing any subscriber information (with entities or persons located inside or outside Bangladesh) that does not come within the exemptions listed above. Furthermore, in our opinion, subscribers would not have the option of giving consent to the telcos to share their data; instead, such sharing will require approval from the Commission.

SECURITY

There are no data security requirements.

BREACH NOTIFICATION

There is no requirement to report data breaches to any individual or regulatory body.

ENFORCEMENT

There is no enforcement mechanism. Appropriate relief may be sought through courts of law having jurisdiction in the matter.

ELECTRONIC MARKETING

There is no regulation on electronic marketing.


ONLINE PRIVACY

There is no regulation on cookies and location data. However, it is advisable to obtain user consent, such as through appropriate

disclaimers.

KEY CONTACTS

Dr. Kamal Hossain and Associates

www.khossain.com/

Dr. Sharif Bhuiyan
Partner and Deputy Head of Chambers – International and Commercial Practice

Dr. Kamal Hossain and Associates

T +88 02 9552946

sbhuiyan@khossain.com

Najeeb Huda
Associate

Dr. Kamal Hossain and Associates

T +88 02 9552946

nhuda@khossain.com

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.


BARBADOS

Last modified 10 January 2022

LAW

The Data Protection Act (the “Act”) was passed on August 12, 2019, and came into force in March 2021. The purpose of the Act is to regulate the collection, keeping, processing, use and dissemination of personal data and to protect the privacy of individuals in relation to their personal data.

DEFINITIONS

Definition of Personal Data

“Personal data” means data which relates to an individual who can be identified:

from that data; or

from that data together with other information which is in the possession of or is likely to come into the possession of

the data controller.

Definition of Sensitive Personal Data

“Sensitive personal data” means personal data consisting of information on a data subject’s:

racial or ethnic origin;

political opinions;

religious beliefs or other beliefs of a similar nature;

membership of a political body;

membership of a trade union;

genetic data;

biometric data;

sexual orientation or sexual life;

financial record or position;

criminal record; or

proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the

sentence of any court of competent jurisdiction in such proceedings.

NATIONAL DATA PROTECTION AUTHORITY

A Data Protection Commissioner (the “Commissioner”) is responsible for the general administration of the Act.

REGISTRATION

A data controller must be registered in the Register of Data Controllers. 


A data processor must be registered in the Register of Data Processors.

DATA PROTECTION OFFICERS

The data controller and the data processor must designate a data privacy officer where:

the processing is carried out by a public authority or body, except for a court of competent jurisdiction acting in their

judicial capacity;

the core activities of the data controller or the data processor consist of processing operations which, by virtue of their

nature, their scope and their purposes, require regular and systematic monitoring of data subjects on a large scale; or

the core activities of the data controller or the data processor consist of processing on a large scale of sensitive personal

data.

The data privacy officer must be designated on the basis of professional qualities and, in particular, expert knowledge of data

protection law and practices and the ability to fulfil the duties and functions as set out under the Act.

COLLECTION & PROCESSING

Where personal data relating to a data subject is collected from the data subject, the data controller must, at the time when

personal data is obtained, provide the data subject with the following:

the identity and the contact details of the data controller and, where applicable, of the data controller’s representative;

the contact details of the data privacy officer, where applicable;

Processing is lawful only where:

the data subject has given consent to the processing of his personal data for one or more specific purposes; or 

the processing is necessary

for the performance of a contract to which the data subject is a party;

for the taking of steps at the request of the data subject with a view to entering into a contract;

for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed

by contract;

in order to protect the vital interests of the data subject;

for the administration of justice;

for the exercise of any functions of either House of Parliament;

for the exercise of any functions conferred on any person by or under any enactment;

for the exercise of any functions of a public authority;

for the purposes of legitimate interests pursued by the data controller or by the third party to whom the data is

disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights

and freedoms or legitimate interests of the data subject; or

processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third

party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data

subject which require protection of personal data, in particular where the data subject is a child.

TRANSFER

Transfer of personal data is unlawful unless certain conditions are satisfied. Where the data subject has given their consent to the

transfer of their personal data, the restrictions on the transfer of the data do not apply. The Act also sets out various other

exemptions for the restrictions where transfer of the personal data is necessary e.g. for the performance of a contract between

the data subject and the data controller, reasons of substantial public interest, for the purpose of obtaining legal advice, etc. 

Personal data obtained must not be transferred to a country or territory outside Barbados unless that country or territory

provides for (a) an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of

personal data and (b) appropriate safeguards on condition that the rights of the data subject are enforceable and there are


available, effective legal remedies for data subjects. 

The circumstances for determining an adequate level of protection, as well as the methods for providing appropriate safeguards, including the development of binding corporate rules, must be submitted to the Commissioner for authorisation.

The “binding corporate rules” must specify (but are not limited to) the following:

the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity

and of each of its members;

the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the

type of data subjects affected and the identification of the third country or countries in question;

their legally binding nature, both in and outside of Barbados.

SECURITY

The data controller and the data processor must implement appropriate technical and organisational measures to ensure a level of

security appropriate to the risk.

BREACH NOTIFICATION

In certain circumstances, a data controller is required to report to the Commissioner data breaches which have affected a data

subject.

Mandatory breach notification

Where there is a personal data breach the data controller must without undue delay and, where feasible, not later than 72 hours

after having become  aware of it, notify the personal data breach to the Commissioner, unless the personal data breach is unlikely

to result in a risk to the rights and freedoms of an individual. 

Where a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the data controller must

communicate the personal data breach to the data subject without undue delay and, where feasible, not later than 72 hours after

having become aware of it.

ENFORCEMENT

Where the Commissioner is satisfied that a data controller or a data processor has contravened or is contravening the Act, the Commissioner may serve an “enforcement notice” on him.

In deciding whether to serve an enforcement notice, the Commissioner must consider whether the contravention has caused or is

likely to cause any person damage or distress.

ELECTRONIC MARKETING

There are no specific laws in respect of these matters.

ONLINE PRIVACY

There are no specific laws in respect of these matters.


KEY CONTACTS

Chancery Chambers

chancerychambers.com/

Angela R Robinson
Senior Associate

Chancery Chambers

T +246 431 0070

arobinson@chancerychambers.com

Giles A M Carmichael
Partner

Chancery Chambers

T +246 431 0070

gcarmichael@chancerychambers.com

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.


BELARUS

Last modified 21 February 2022

LAW

The fundamental legal act regulating personal data protection in Belarus is the Law on Personal Data Protection of 7 May 2021

No. 99-Z which entered into force on 15 November 2021 (Data Protection Law). It is the first Belarusian legal act intended

specifically for regulation of personal data protection issues.

It is also worth taking into consideration the acts implemented within the framework of the Eurasian Economic Union (EEU), e.g. the Protocol on Information and Communication Technologies and Informational Interaction within the Eurasian Economic Union, Annex 3 to the Treaty on the Eurasian Economic Union of 29 May 2014. Following the Decision of the Supreme Eurasian Economic Council of 11 October 2017, the EEU member states are planning to develop an initiative for the conclusion of an Agreement on Data Circulation within the Union (including on personal data protection). The initiative is one of the measures aimed at implementing the Main Directions for Implementation of the Digital Agenda of the Eurasian Economic Union until 2025.

DEFINITIONS

Definition of personal data

Data Protection Law defines “personal data” as any information relating to an identified or identifiable natural person.

In turn, an “individual who can be identified” means an individual who can be directly or indirectly determined, in particular through the surname, proper name, patronymic, date of birth or identification number, or through one or more characteristic features of her/his physical, psychological, mental, economic, cultural or social identity.

The Law also defines “special personal data”, “biometric personal data”, “genetic personal data” and “publicly available personal

data”.

Definition of sensitive personal data

Data Protection Law defines “special personal data” which include information about race, nationality, political, religious and other

convictions, health and sexual activity; criminal conviction records; biometric and genetic personal data.

“Biometric personal data” means information describing the physiological and biological characteristics of a person, which is used

for her/his unique identification (fingerprints, palms, iris, characteristics of the face and its image, etc.), while “genetic personal

data” is defined as information related to the inherited or acquired genetic characteristics of a person, which contain unique data

on her/his physiology or health and can be identified, in particular, during the study of her/his biological sample.


NATIONAL DATA PROTECTION AUTHORITY

The National Personal Data Protection Centre (NPDPC) is the competent authority for the protection of personal data subjects’

rights. The main tasks of the NPDPC are taking measures to protect the rights of personal data subjects in the processing of their

personal data and organising training on personal data protection issues.

In accordance with these tasks NPDPC performs the following functions:

controls the processing of personal data by operators (authorised persons);

considers complaints of personal data subjects regarding the processing of personal data;

determines the list of foreign countries having an adequate level of protection of data subjects’ rights;

issues permits for cross-border transfer of personal data, if the level of protection of personal data subjects’ rights in a

foreign country is not adequate, as well as establishes the procedure for issuing such permits;

makes proposals on the improvement of the personal data legislation, participates in the drafting of legal acts on personal

data;

provides explanations on the application of personal data legislation, carries out other explanatory work on personal data

legislation;

determines the cases in which it is not necessary to notify NPDPC of the breach of personal data protection systems;

establishes the classification of information resources (systems) containing personal data in order to determine the

technical and cryptographic protection requirements for personal data;

participates in the work of international organisations on personal data protection issues;

cooperates with authorities (organisations) for protection of rights of personal data subjects in foreign countries;

publishes annually, by 15 March, a report on its activities in the mass media;

implements educational programs of additional education for adults in accordance with the legislation on education;

exercises other authority established by the personal data legislation.

Contact information of NPDPC

Build. 24-3, K.Zetkin str., Minsk, 220036

T: + 375 17 367 07 90

e-mail: info@cpd.by

REGISTRATION

From 1 January 2024 operators will be obliged to enter information about information resources (systems) containing personal data into the Register of Personal Data Operators and to keep the relevant information up to date. The types of information resources (systems) about which information is to be entered into the Register, as well as the list of information to be included therein, are to be determined by the Operational and Analytical Centre under the President of the Republic of Belarus (OAC) by 1 August 2022.

State information systems must be registered under a separate procedure regardless of whether any personal data are processed in them. Under Belarusian legislation, state information systems are information systems created and / or acquired at the expense of state or local budgets or state off-budget funds, or by state legal entities. Registration is performed by an organisation specially authorised by the Ministry, SERUE “Institute of Application Software Systems”. One of the conditions for state registration of an information system is the registration of all information resources included in that information system. Privately owned information systems may be registered under this procedure voluntarily.

According to the Edict of the President of the Republic of Belarus of 16 April 2013 No. 196 On Certain Measures for Improvement of Information Protection (Information Protection Decree), organisations owning information systems intended for the processing of personal data are obliged to notify the OAC of the conditions of technical information protection of such systems.


DATA PROTECTION OFFICERS

Data Protection Law obliges operators to designate a structural unit or person responsible for the internal control of personal data processing. This must be an internal unit or employees of the organisation, i.e. it is not possible to outsource the control functions. The legislation does not impose mandatory requirements on the person responsible for internal control; consequently, the operator appoints such a person or structural unit at its discretion.

Persons responsible for the internal control of personal data processing shall complete training on issues related to personal data

protection at least once every five years. Depending on the type of organisation, the training may be organised at NPDPC or

other educational organisations. In addition, the operators shall annually by 15 November provide NPDPC with information on

the number of persons who shall complete training at NPDPC.

Moreover, a legal entity, including a state body, that processes personal data must create an information protection system to secure the information in the information systems used for processing such data. As part of creating such a system, the entity should establish a special department or appoint an employee responsible for taking the required technical and cryptographic information protection measures. According to the amendments to the Information Protection Decree, the employees of such a department (or the responsible employee) are required to have a higher education in the field of information protection (security), or other higher or professional-technical education, and to undergo training on technical and cryptographic information protection.

If for some reason the respective departments / employees cannot take such measures themselves, a specialised organisation licensed to perform technical and / or cryptographic information protection activities may be engaged.

COLLECTION & PROCESSING

Data Protection Law contains a wide range of legal bases for personal data processing:

data subject’s consent;

if the processing is required for:

administrative or criminal proceedings, operational-search activities;

administration of justice and the enforcement of court orders and other enforcement documents;

performing monitoring activities (supervision) in accordance with the legislation;

implementation of legislation on national security, on combating corruption, on preventing money laundering,

financing of terrorist activities and financing weapons of mass destruction proliferation;

the implementation of legislation on elections and referendum;

state social insurance purposes;

formalising employment relationships, in the process of employment activities;

notarial activities;

Belarusian citizenship issues;

assignment and payment of pensions, benefits;

the organisation and carrying out of national statistical observations;

scientific and other research purposes, on condition that the personal data are depersonalised;

accounting, calculation, charging of fees for housing and utility services, other services, taxes;

processing is based on a contract, that is concluded (being concluded) with data subject, and for the purpose of

performing actions stipulated by this contract;

if personal data are specified in a document addressed to the operator and signed by the data subject;

processing is essential for the performance of certain journalist’s activities;

processing is required to protect the subject’s life, health or other interests if obtaining of consent is not possible;

if personal data were previously disseminated;

in order to fulfil the duties/powers stipulated in legislation;

in other cases expressly provided in legislation.


Data Protection Law provides a different list of legal bases for the processing of special personal data and for the cross-border transfer of personal data to states that do not ensure proper protection of data subjects’ rights.

The consent of the data subject can be obtained in writing, in the form of an electronic document or in another electronic form (e.g. via a tick-box on the website or SMS / email verification). The operator must be able to prove, if required, that it has obtained proper consent for personal data processing.

Before obtaining consent, the operator shall provide the subject of personal data with the following information:

name (full name) and location (address of residence) of the operator;

purpose of personal data processing;

list of personal data to be processed;

consent validity term;

information about the persons authorised by operator to process personal data (if those are engaged);

the actions to be performed on the personal data;

a general description of the processing methods;

other relevant information.

In addition, apart from other necessary information, the subject shall be informed of his/her rights, the mechanism for exercising

them, the consequences of giving and withdrawing consent.

The operator may collect the surname, first name and middle name of the data subject, date of birth and identification number (or, if there is none, the number of the ID document) only if this is required for the purposes of processing. Such information must be provided by the data subject at the time he/she gives consent.

Collection and processing of personal data must be carried out only once certain legal, organisational and technical measures for personal data protection have been implemented. The organisational measures may include establishing a special entry regime for the premises used for collection and processing, designating the employees who may have access to such premises and data, and differentiating access levels to the respective information. The technical measures may include the use of cryptography, technical means and other possible measures of control over information protection.

TRANSFER

The general rule is that cross-border transfer is prohibited unless the foreign state provides an appropriate level of protection of personal data subjects’ rights. NPDPC has established the list of foreign states that ensure an appropriate level of protection. The list includes foreign states that are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, adopted in Strasbourg on 28 January 1981.

However, there are certain exceptions under which transfer to jurisdictions without an appropriate level of protection is allowed, for example with the consent of the personal data subject after informing him/her of the possible risks, or under an individual permit for cross-border transfer issued by NPDPC.

SECURITY

The owners of the information systems should take appropriate technical, legal and organizational measures to secure personal

data processed in their information systems. The key technical measure is creation of the information protection system to secure

the information system of an entity intended for processing of personal data. The information protection system shall be attested

according to the procedure established by the OAC.

BREACH NOTIFICATION

Data Protection Law establishes an obligation to notify National Personal Data Protection Center on breach of systems used for


personal data protection immediately, and in any case not later than three days after discovery, in writing or in the form of an electronic document. Exceptions to this requirement are cases where a breach of the security systems has not resulted in the unlawful dissemination or provision of personal data, or in the modification, blocking or deletion of personal data without the possibility of restoring access to it.

Certain additional requirements on the notification of the OAC are set for specific cases of information protection system

breaches or periodical reporting as required by Belarus law. The respective requirements are set forth in the Regulations on the

procedure for submitting information about information security events, the state of technical and cryptographic protection of

information to the OAC, as approved by the Order of the OAC of 2 February 2020 No. 66.

ENFORCEMENT

According to Data Protection Law, NPDPC supervises the processing of personal data by operators and authorised persons. In

the case of a breach of personal data legislation, NPDPC has the right to issue a demand to eliminate the detected violations

and/or to terminate personal data processing in the information resource (system). Term for elimination and/or termination is set

by the NPDPC, but shall not be longer than six months.

Violation of personal data protection legislation may result in civil, criminal and administrative liability. If the violation has led to

moral damages, the violator may be required by the court to reimburse such damages.

Since 1 March 2021 the Administrative Offences Code of Republic of Belarus stipulates specific sanctions for personal data

processing violations, including: 

intentional illegal collection, processing, storage or transfer of personal data of an individual, or violation of his/her rights related to the processing of personal data, may result in a fine of up to 50 base units; intentional distribution – up to 200 base units (as of 1 January 2022 one base unit equals BYN 32, approx. EUR 11);

non-compliance with the requirements on implementation of data protection measures may result in a fine ranging from 20 to 50 base units for legal entities.

The Criminal Code of Republic of Belarus envisages criminal liability for the following breaches:

unlawful collection or provision of information relating to the private life and (or) personal data of another person without his/her consent: depending on the circumstances (such as the volume of data or the gravity of the offence), a person could be sentenced to community work, a criminal fine, arrest, or restriction or deprivation of liberty for up to two years; for unlawful distribution, restriction or deprivation of liberty for up to three years together with a criminal fine. Higher liability may apply if the offence relates to victims performing public functions;

failure to comply with measures to ensure the protection of personal data by a person who processes personal data, where this has inadvertently resulted in their dissemination and caused serious consequences: a person could be sentenced to a criminal fine, deprivation of the right to occupy certain positions or perform certain activities, corrective work for up to one year, arrest, restriction of liberty for up to two years or deprivation of liberty for up to one year.

ELECTRONIC MARKETING

Electronic marketing is subject to the rules established by the Law on Advertising of 10 May 2007 No. 225-Z (Advertising Law) and the Law on Mass Media of 17 July 2008 No. 427-Z (Mass Media Law).

According to the general rule of the Advertising Law, it is not allowed to use in advertising the names, pseudonyms, images or statements of citizens of the Republic of Belarus without their consent or the consent of their legal representatives.

Distribution of advertisements by telecommunication means (e.g. telephone, telex, facsimile, mobile telephone communications, email) may be performed only with the consent of the respective subscriber or addressee. Such consent can be given as a text document, including a document in electronic form. The consent can also form part of an agreement for telecom services. In this case the subscriber or addressee must be informed about his/her right to demand that the placement (distribution) of advertisements to him/her be stopped, which must be specifically confirmed by the subscriber (addressee).

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Belarus 100 | | | www.dlapiperdataprotection.com

The advertisement distributor is obliged to stop advertising to the subscriber or addressee immediately upon his/her demand, within one working day of receiving the demand.

Individuals whose rights have been violated as a result of the creation and/or distribution of an advertisement are entitled to protect their rights in court proceedings.

According to the Mass Media Law, information about a person’s personal life, or audio or video recordings and photos of a person, may as a general rule be distributed in mass media only with the consent of such person or his/her authorised representative. As an exception, distribution in the media of information messages and/or materials prepared using audio or video recording, filming or photography of an individual without his/her consent is allowed only if measures are taken against the possible identification of this individual by unauthorized persons, and provided that the dissemination of these information messages or materials does not violate the constitutional rights and freedoms of the individual and is necessary to protect public interests (except in criminal investigations or court proceedings).

ONLINE PRIVACY

Belarusian law does not specifically regulate online privacy. General requirements on personal data protection apply.

Certain specific online privacy requirements may be established under legislation. For example, the personal data of a person who is a domain name administrator can be disclosed in the online WHOIS service of the Belarusian domain zone only with the consent of such person. However, consent is not required if the domain name was registered in the name of an individual entrepreneur.

KEY CONTACTS

Sorainen

www.sorainen.com/


Kirill Laptev
Partner

Sorainen

T +375 17 306 2102

kirill.laptev@sorainen.com

Pavel Lashuk
Associate

Sorainen

T +375 17 306 2102

pavel.lashuk@sorainen.com


BELGIUM

Last modified 30 December 2021

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A ‘Regulation’ (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related “to the offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or “the monitoring of their behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

The GDPR has been integrated in Belgium through a few new laws. The ‘Data Protection Act’ of July 30, 2018 provides for the implementation of some of the GDPR provisions open to further definition, derogation or additional requirements. It also includes the transposition of Directive 2016/680 regarding the processing of personal data in the criminal justice chain and the establishment of a Control body on police information (called ‘COC’). Additionally, it regulates the authorities outside the scope of EU law (including intelligence and security services).[1]

The Belgian Data Protection Authority, the successor of the Belgian Privacy Commission, was established by the Belgian Federal Chamber of Representatives by the Act of December 3, 2017 (‘DPA Act’).[2] Several other laws have also been adapted to align them with the GDPR (e.g. the Video Surveillance Act).

The competent Secretary of State has announced that legislative proposals for a reform of Belgian data protection law (i.e. both the Data Protection Act and the DPA Act) would be introduced before the Federal parliament in the course of 2022. According to public statements made by the Secretary of State, this reform would inter alia address the functioning of the Data Protection Authority and strengthen cooperation of the Data Protection Authority with other regulators.


1. See Data Protection Act, http://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=nl&la=N&cn=2018073046&table_name=wet

2. See DPA Act, http://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=nl&la=N&table_name=wet&cn=2017120311

DEFINITIONS

“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for “identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of “special categories” (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The GDPR is concerned with the “processing” of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a “controller” or a “processor”. The controller is the decision maker, the person who “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

The Data Protection Act builds on the definitions contained in the GDPR and further clarifies some notions, such as the notion of ‘public authority’.[1] It further adds the definitions of a ‘trusted third party’, ‘disclosure of personal data’ and ‘distribution of personal data’ in the context of the research and statistical purposes exception. The Data Protection Act also clarifies certain concepts such as ‘processing in the substantial public interest’[2] and ‘processing for journalistic purposes’,[3] and introduces new concepts such as ‘a joint database’.[4]

1. Art. 5 Data Protection Act.

2. Art. 8 para. 1 Data Protection Act.

3. Art. 24 para. 1 Data Protection Act.

4. Art. 48 Data Protection Act.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) comprises delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of “lead supervisory authority”. Where there is cross-border processing of personal data (ie, processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called “lead supervisory authority” (Article 56(1)).


However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

The DPA Act establishes the Data Protection Authority as the successor of the Privacy Commission, which was established under the old data protection legislation. The Data Protection Authority has the competences set out in the GDPR whenever that competence has not been explicitly assigned to another body.

The Data Protection Act appoints three more regulatory authorities at the federal level (COC,[1] Committee I[2] and Committee P[3]) with varying data protection related competences next to the general Data Protection Authority. In addition, there are also regional supervisory authorities which have been entrusted mainly with the supervision of the public authorities of the regions.

The composition of the Data Protection Authority has proven controversial due to the involvement of some members in government bodies. The European Commission has warned Belgium that it would start an infringement procedure before the EU Court of Justice if the problems regarding the Data Protection Authority’s independence were not resolved. Therefore, a legislative proposal was introduced before the Federal parliament at the end of 2021 to amend the DPA Act by partially reforming the rules on the composition of the Data Protection Authority.[4]

1. Art. 231 Data Protection Act.

2. Art. 72 para. 2, 7° Data Protection Act.

3. Art. 26, 7°, c) Data Protection Act.

4. Legislative proposal of 26 November 2021, amending the Act of 3 December 2017 establishing the Data Protection Authority, in order to modify the composition of the centre of expertise so that the independence of its members can be guaranteed (Doc. No. 55-2347/001), www.lachambre.be/flwb/pdf/55/2347/55K2347001

REGISTRATION

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (e.g. processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.

The registration of processing activities through a notification has been abolished. However, in the public sector, the Data Protection Act obliges the controller of processing activities in the context of police services to publish a protocol detailing the transfer to a public authority or private body based on public interest and compliance with legal obligations.[1]


1. Art. 20 Data Protection Act.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

it is a public authority;

its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or

its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

to inform and advise on compliance with GDPR and other Union and Member State data protection laws;

to monitor compliance with the law and with the internal policies of the organization, including assigning responsibilities, awareness raising and training staff;

to advise and monitor data protection impact assessments where requested; and

to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

In addition to the GDPR, the Data Protection Act requires the appointment of a DPO depending on the impact of the processing activity, namely if it may entail a high risk as referred to in Article 35 of the GDPR when (i) a private law body processes personal data on behalf of a federal public authority or a federal public authority transfers personal data to this private law body in the context of police services[1] or (ii) the processing falls under the exception necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.[2] Some public authorities regulated by the Data Protection Act are also required to appoint a DPO.[3]

The Data Protection Authority has addressed the GDPR requirements for the appointment of DPOs and the exercise of their tasks in several cases, including in relation to the position of the DPO and its independence, the obligation to directly report to the highest management level and the requirement that a DPO must have “expert knowledge”.

1. Art. 21 Data Protection Act.

2. Art. 190 Data Protection Act.

3. The Center for Missing and Sexually Exploited Children (Child Focus), Art. 8 para. 3 Data Protection Act; competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, implementing Directive 2016/680, Art. 63 et seq Data Protection Act; intelligence and security services, Art. 91 Data Protection Act; bodies for security clearances, certificates and recommendations, Art. 124 Data Protection Act; Coordination Unit for Threat Assessment, Art. 157 Data Protection Act.

COLLECTION & PROCESSING

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the “purpose limitation principle”);

adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);

accurate and where necessary kept up-to-date (the “accuracy principle”);

kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the “storage limitation principle”); and

processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the “integrity and confidentiality principle”).

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

with the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be capable of being withdrawn at any time);

where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;

where necessary to comply with a legal obligation (of the EU) to which the controller is subject;

where necessary to protect the vital interests of the data subject or another person (generally recognised as being limited to ‘life or death’ scenarios, such as medical emergencies);

where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or

where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

with the explicit consent of the data subject;

where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;

where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;

in limited circumstances by certain not-for-profit bodies;

where processing relates to personal data which are manifestly made public by the data subject;

where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;

where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;

where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment, or the management of health or social care systems and services;

where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or

where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorised by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organisations wish to ‘re-purpose’ personal data – i.e. use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the controller must consider to ascertain whether the new processing is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

any link between the original purpose and the new purpose;

the context in which the data have been collected;

the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible);

the possible consequences of the new processing for the data subjects; and

the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, i.e. the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained:

the identity and contact details of the controller;

the data protection officer’s contact details (if there is one);

both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;

the recipients or categories of recipients of the personal data;

details of international transfers;

the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;

the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;

where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;

the consequences of failing to provide data necessary to enter into a contract;

the existence of any automated decision making and profiling and the consequences for the data subject; and

in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject; or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (e.g. commonly used file formats recognised by mainstream software applications, such as .xls).


Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time.

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly affects him or her” is only permitted where:

a. necessary for entering into or performing a contract;

b. authorized by EU or Member State law; or

c. the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

The Data Protection Act adds only specificities to the general processing requirements. The age for consent of children for the purposes of article 8.1 GDPR is 13 years [1]. When processing genetic, biometric and health data, a controller needs to indicate who has access to these personal data, keep a list of the categories of people who have access to these data, keep this list at the disposal of the DPA, and ensure that these people are bound by a legal, statutory or contractual obligation of confidentiality [2]. The Data Protection Authority has adopted specific guidelines regarding the processing of biometric data [3].

The Data Protection Act also provides a list of legal bases for processing data relating to criminal convictions and offences and requires an access management list and confidentiality duties (as described here above) for processing such data [4].

Data subject rights

The Data Protection Act provides further exceptions to data subject’s rights, including the right to be informed when personal data is received from authorities under special regimes or when personal data is disclosed to these bodies [5][6].

With respect to the special regimes addressed in the Data Protection Act, the Data Protection Act also sets out the corresponding data subject rights (which are often more limited than those included in the GDPR) [7].

The Data Protection Act clarifies that data subject rights, including the right to information in judicial proceedings/decisions, will be accommodated in accordance with the Judicial Code, the Code on Criminal proceedings and any specific laws related to criminal law procedure [8].

1. Art. 7 Data Protection Act.

2. Art. 9 Data Protection Act.

3. Data Protection Authority, Recommendation on the processing of biometric data (No. 1-2021, 1 December 2021).

4. Art. 10 Data Protection Act.

5. Art. 11, Art. 13 and Art. 14 Data Protection Act.

6. Art. 12 Data Protection Act.

7. Art. 36 et seq, Art. 79, Art. 105 (9), Art. 113, Art. 145, Art. 173 Data Protection Act.



8. Art. 16 Data Protection Act.

TRANSFER

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and

Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides

for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).

Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions),

Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor

and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of

appropriate safeguards includes amongst others binding corporate rules, standard contractual clauses, and the EU – U.S. Privacy

Shield Framework. The GDPR has removed the need which existed in some Member States under the previous law to notify and

in some cases seek prior approval of standard contractual clauses from supervisory authorities.

The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:

a. explicit informed consent has been obtained;

b. the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;

c. the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;

d. the transfer is necessary for important reasons of public interest;

e. the transfer is necessary for the establishment, exercise or defence of legal claims;

f. the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or

g. the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the

purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data

subject; notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognised

or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in

force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is

no other legal basis for transfer will infringe the GDPR.

No general additional requirements relating to transfers are introduced by the Data Protection Act. The Data Protection Act only regulates the transfer of personal data under the special regimes, which in certain cases provides for less leeway for transfers [1].

1. Art. 66-70, Art. 93-94, Art. 126-127, Art. 159-160 Data Protection Act.

SECURITY

Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate,


context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and

organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account

of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’

approach is therefore the antithesis of this requirement.

However the GDPR does require controllers and processors to consider the following when assessing what might constitute

adequate security:

the pseudonymization and encryption of personal data;

the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical

incident; and

a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for

ensuring the security of the processing.

The Data Protection Act inserts no general additional requirements in relation to security measures. In the context of archiving, scientific or historical research purposes or statistical purposes, the Data Protection Act sets out specific rules including anonymization or pseudonymization requirements [1].

Security measures are also detailed for each special regime but resemble the GDPR [2].

1. Art. 198 et seq Data Protection Act.

2. Intelligence and security services Art. 88-89 Data Protection Act, Bodies for security clearances, certificates and

recommendations Art. 121-122 Data Protection Act, Coordination Unit for Threat Assessment Art. 154-155 Data Protection Act,

Passenger Information Unit Art. 179-180 Data Protection Act.

BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority,

and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours

after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and

freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming

aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals

and records concerned, the name of the organisation’s data protection officer or other contact, the likely consequences of the

breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory

authority) and permit audits of the record by the supervisory authority.

No general additional requirements are inserted in the Data Protection Act relating to data breaches. 


Data breach obligations are also detailed for each special regime, but they resemble those contained in the GDPR.

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million

(whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of

an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that

‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European

Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the

Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the

specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same

undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be

scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent

for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some

circumstances (broadly where there is participation or control), so-called “look through” liability. Again, it remains to be seen

whether there will be a direct read-across of this principle into GDPR enforcement.

Fines are split into two broad categories. 

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of

the preceding year, whichever is higher, apply to infringement of:

the basic principles for processing including conditions for consent;

data subjects’ rights;

international transfer restrictions;

any obligations imposed by Member State law for special cases such as processing employee data; and

certain orders of a supervisory authority.

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide

turnover of the preceding year, whichever is the higher, apply to infringement of:

obligations of controllers and processors, including security and data breach notification obligations;

obligations of certification bodies; and

obligations of a monitoring body.

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective,

proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site

data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to

receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means


that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.

data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf

(Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77). 

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against

a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

In addition to the GDPR, the Data Protection Act introduces a specific procedure for actions for injunctions that can be initiated by the data subject or by the Data Protection Authority (DPA) [1]. These claims should be brought before the President of the Court of First Instance except when the personal data is processed in criminal investigations or procedures [2]. There is no single court territorially competent to hear these claims [3].

The Data Protection Act also contains a legal basis that allows a body, organisation or non-profit organisation to represent the data subject upon its request when it:

was founded in accordance with Belgian law

has legal personality

has statutory objectives of public interest

has been active in the area of the protection of personal data for at least 3 years [4]

The DPA can impose administrative fines under article 83 of the GDPR [5], but public authorities, their agents and authorised representatives are exempted insofar as they are not offering goods or services on the market [6]. A supervisory authority can exercise the corrective measures set out in article 58.2 GDPR but, with regard to public authorities, only over the categories enumerated in the Data Protection Act [7].

Depending on the infringement and the infringer, the controller, processor, competent public authority or their agent can be subjected to criminal sanctions, such as criminal fines between 800 EUR and 160.000 EUR and a publication of the judgement [8].

The DPA consists of 6 different Committees. The Inspection Committee of the DPA enjoys investigation powers, such as to identify persons, interview persons, conduct written interrogations, conduct on-site investigations, consult information systems and copy the data they contain, consult information electronically, seize or seal goods or computer systems and demand the identification of the subscriber or the normal user of an electronic communication service or of the electronic means of communication used [9]. Additionally, the inspector-general and the inspectors of the inspection committee may order the temporary suspension, restriction or freezing of the data processing activities that are the subject of an investigation if this is necessary to avoid a serious, immediate and difficult to repair disadvantage [10]. They can also request further information [11].

The Litigation Chamber can inter alia follow up on a complaint but also propose a settlement, formulate warnings and reprimands, order compliance with data subjects’ requests to exercise their rights, order the suspension of cross-border data flows and can also impose periodic penalty payments and/or administrative fines [12].

Specific provisions according to Art. 85 to 87 and Art. 89 GDPR

The legislator has made use of the opportunity offered by the GDPR to provide exemptions or derogations from

certain obligations when the processing is carried out for journalistic purposes and the purposes of academic, artistic or

literary expression. For those purposes, the Data Protection Act exempts the controller not only from respecting certain

data subjects’ rights under the GDPR but also some obligations of the controller (e.g. notification in case of breaches,

transfer requirements, etc) and the investigative powers of the DPA [13].


The Data Protection Act also introduces two regimes for the derogations relating to the processing for archiving, scientific or historical research purposes or statistical purposes:

general safeguards requiring among others register, information [14], contractual [15] and security requirements, or

compliance with a code of conduct [16]

The Data Protection Act does not include other derogations relating to employment.

1. Art. 211 par. 3 Data Protection Act.

2. Art. 209 Data Protection Act.

3. Art. 209 par. 2 Data Protection Act.

4. Art. 220 par. 2 Data Protection Act.

5. Art. 101 DPA Act.

6. Art. 221 par. 2 Data Protection Act.

7. Art. 221 par. 1 Data Protection Act.

8. Art. 222 et seq Data Protection Act.

9. Art. 66 DPA Act.

10. Art. 70 DPA Act.

11. Art. 76 DPA Act.

12. Art. 95 DPA Act.

13. Art. 24 Data Protection Act.

14. Art. 193 Data Protection Act.

15. Art. 194 Data Protection Act.

16. Art. 187 Data Protection Act.

ELECTRONIC MARKETING

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (e.g. an email address

which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate

interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic

marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive

2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced

by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its

draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime,

GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR.

As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR

standard for consent.

The Data Protection Act applies to most electronic marketing activities, as there is likely to be processing of personal data

involved (e.g. an email address is likely to be ‘personal data’ for the purposes of the Data Protection Act). The Data

Protection Act does not contain additional rules to the GDPR for the use of personal data for the purposes of electronic

marketing. 


However, specific rules are set out in the Belgian e-commerce legislation (Book XII of the Code of Economic Law)

regarding opt-in requirements: 

These rules apply to all ‘electronic messages’, such as emails and text messages (Short Message Systems or SMS).

Other types of electronic communication such as instant messaging and chat may also fall within the scope of

these rules depending on the specific context. This covers not only clear promotional messages, but also

newsletters and similar communications. Indeed, any form of communication intended to directly or indirectly

promote goods, services, the image of a company, organisation or person which/who exercises a commercial,

industrial or workmanship activity or regulated profession falls within the scope of these rules.

As a general principle, the prior, free, specific and informed consent of the recipient of the message must be

obtained (‘opt-in principle’).

Two exceptions apply to the opt-in principle. No prior, free, specific and informed consent is to be obtained if:

the electronic marketing message is sent to existing customers of the service provider, or

the electronic message is sent to legal persons (e.g. to a general email address such as

info@company.com). 

These exceptions are subject to compliance with strict conditions. 

Furthermore, all electronic messages must contain a clear reference to the recipient’s right to opt out, including

means to exercise this right electronically.

Neither the Data Protection Act nor the DPA Act include specific provisions on electronic marketing.

The Data Protection Authority has adopted specific guidelines regarding direct marketing [1].

1. Data Protection Authority, Recommendation on the processing of personal data for direct marketing purposes (No. 1-2020, 17

January 2020).

ONLINE PRIVACY

Cookies

Article 5 (3) of the E-Privacy Directive has been implemented into Belgian Law by means of an amendment to article 129 of the

Belgian Electronic Communication Act.

The use and storage of cookies and similar technologies requires:

the provision of clear and comprehensive information, and

consent of the website user.

Consent is not required for cookies that are:

used for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or

strictly necessary for the provision of a service requested by the user.


Neither the Data Protection Act nor the DPA Act include specific provisions on cookies. 

The DPA has recently provided useful additional guidance related to topics such as cookie walls, social media plugins and the

validity of consent through browser settings.  

Download DLA Piper’s Guide on Cookies: https://www.dlapiper.com/en/uk/insights/publications/2020/11/european-law-on-cookies/

Location data

As location data are personal data, the processing of these data must comply with the general rules stipulated by the GDPR, the

Data Protection Act and, depending on the context, article 129 of the Belgian Electronic Communication Act. Neither the Data

Protection Act nor the DPA Act include specific provisions on location data. 

In addition, article 123 of the Belgian Electronic Communication Act stipulates that mobile network operators may process

location data of a subscriber or an end user only to the extent that the location data has been anonymised, or if the processing is

carried out in the framework of the provision of a service regarding traffic or location data.

The processing of location data in the framework of a service regarding traffic or location data is subject to strict conditions set

forth in article 123.

Traffic data

As traffic data constitute personal data, the processing of traffic data must comply with the general rules stipulated by the GDPR,

the Data Protection Act and, depending on the context, article 129 of the Belgian Electronic Communication Act. Neither the

Data Protection Act nor the DPA Act include specific provisions on traffic data. 

However, in accordance with article 122 of the Belgian Electronic Communication Act, mobile network operators are required to

delete or anonymise traffic data of their users and subscribers as soon as such data is no longer necessary for the transmission of

the communication (subject to compliance with cooperation obligations with certain authorities). 

Subject to compliance with specific information obligations and subject to specific restrictions, operators may process

certain traffic data for the purposes of: 

invoicing and interconnection payments

marketing of the operator’s own electronic communication services or services with traffic or location data (subject to

the subscriber’s or end user’s prior consent), and

fraud detection

KEY CONTACTS

Kristof De Vulder
Partner

T +32 (0) 2 500 15 20

kristof.devulder@dlapiper.com

Heidi Waem
Counsel

T +32 2500 1614

heidi.waem@dlapiper.com


DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.


BENIN

Last modified 10 January 2022

LAW

The data protection regime in Benin is governed by two pieces of legislation, namely the Law No. 2017-20 of April 20, 2018 on the digital code and the Law No. 2009-09 of May 22, 2009 dealing with the Protection of Personally Identifiable Information.

The Law on the digital code deals with the collection, treatment, transmission, storage, and use of personal data by a person, the

state, local authorities, and legal persons, as well as automated processing and non-automated processing of personal data

contained in files, or any processing of data for public security, defence, research, prosecution of criminal offenses, or the security

and essential interests of the state. 

By contrast, the Law on the Protection of Personally Identifiable Information relates to the digital processing of personally

identifiable information in digital files or manuals, as well as personal identification mechanisms based on nominative, personal, and

biometric information processed alongside a national ID number.

DEFINITIONS

Definition of Personal Data

Personal data is defined as any information relating to an identified or identifiable natural person. The definition makes a direct reference to sound and image (Article 1 of the Digital Code).

Definition of Sensitive Personal Data

Pursuant to Article 1 of the Digital Code, the following personal data is considered ‘sensitive’ and is subject to specific processing

conditions: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs; trade union

membership; genetic data; and health-related data; data concerning a person’s sex life or sexual orientation, prosecution to

criminal and administrative penalties.

NATIONAL DATA PROTECTION AUTHORITY

The APDP (the Beninese data protection authority) is the regulator for data in the Republic of Benin. It is an independent administrative body with legal personality that ensures the application of the provisions of the Digital Code and the right to privacy.

The APDP’s powers and responsibilities include:

raising public awareness of the risks, rules, and rights surrounding the processing of personal data;

authorising or denying requests for processing;

receiving and investigating complaints about the misuse of personal data;

conducting necessary inspections regarding personal data processing, and obtaining all information and documents needed;


informing data controllers of alleged violations of the law and issuing mandatory measures for remedying these violations;

imposing administrative sanctions on data controllers in the case of noncompliance;

informing the public prosecutor of offenses committed under the law;

keeping a public register of personal data processing operations;

issuing public opinions on the state of data protection law;

proposing amendments to simplify and improve data protection legislation, where necessary; and

cooperating with international data protection authorities to share information and assistance, as well as participating in

international negotiations.

Data controllers are required to file an annual report with the APDP concerning compliance with the processing.

REGISTRATION

There is no country-wide system of registration in the Republic of Benin. However, the law imposes an obligation of notification and requires the controller to keep a register of processing activities carried out under its responsibility.

Pursuant to Article 405 of the Digital Code, automated or non-automated processing carried out by public or private bodies and

involving personal data must, prior to their implementation, be the subject of a prior declaration to the Authority or be entered in

a register kept by the person designated for that purpose by the controller. 

All processing of personal data is subject to a reporting obligation to the Authority, except for the exemptions provided for in

Book V of the Digital Code (see Articles 408, 410, 411, and 417 of the Digital Code). 

In terms of Article 435 of the Digital Code, each controller and, where applicable, the controller’s representative shall keep a

register of the processing activities carried out under their responsibility. 

This register shall include all of the following information:

the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative

and the data protection officer;

the purposes of the processing;

a description of the categories of data subjects and categories of personal data;

the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third

countries or international organisations;

where applicable, transfers of personal data to a third country or to an international organisation, including the

identification of that third country or international organisation;

the time limits for the deletion of the different categories of data;

a general description of technical and organisational security measures. 

Each processor and, where applicable, the processor’s representative shall also maintain a record of all categories of processing

activities performed on behalf of the controller including: 

the name and contact details of the sub-processor(s) and of each controller on whose behalf the processor is acting and,

where applicable, the names and contact details of the controller’s or processor’s representative and of the data

protection officer;

the categories of processing carried out on behalf of each controller;

where applicable, transfers of personal data to a third country or to an international organisation, including the

identification of that third country or international organisation and, in the case of transfers, the documents attesting to

the existence of appropriate safeguards;

a general description of the technical and organisational security measures. 

The above-mentioned records must be in written form, including electronic form. 

The controller or processor and, if applicable, their representative shall make the register available to the Authority upon

request. 

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Benin 119 | | | www.dlapiperdataprotection.com

The obligation to keep a register does not apply to small and medium-sized enterprises except in the following cases:

if the processing they carry out is likely to involve a risk to the rights and freedoms of the data subjects;

if it is not occasional, or if it concerns in particular the special categories of data referred to in Article 394(1) of the Digital Code, or personal data relating to criminal convictions and offences.

DATA PROTECTION OFFICERS

According to the Article 430 of the Digital Code, a Data Protection Officer (DPO) must be appointed when the data controller is

a state-owned organisation or when the activities of the data controller or data processor involve monitoring individuals or

processing of sensitive data on a large scale. 

Outside these cases the Digital Code does not impose a strict duty to appoint a DPO; however, organisations that do appoint one are exempt from notifying the APDP of their data processing (Article 408 of the Digital Code).

COLLECTION & PROCESSING

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under

these principles, personal data must be (Article 383):

processed lawfully, fairly and transparently;

collected for specific, explicit, and legitimate purposes and not subsequently processed in a manner inconsistent with

those purposes;

adequate, relevant and not excessive in relation to the purposes for which they are collected and processed;

accurate and, if necessary, updated. All reasonable steps must be taken to ensure that inaccurate or incomplete data is

erased or corrected;

kept in a form that allows the identification of data subjects for a period not exceeding that necessary to achieve the

purposes for which they are collected or for which they are processed;

processed in a manner that ensures appropriate security of personal data.

Notwithstanding the above, the overriding principle governing the processing of personal data in Benin is the prior consent of the data subject (see Article 6 of the Data Protection Law and Article 389 of the Digital Code).

There are some exceptions to this principle. The prior consent of a data subject is not required when processing the data is meant

to:

comply with a legal obligation to which the controller is subject

perform a task in the public interest or a task falling within the exercise of public authority, which is entrusted to the

controller or the third party to whom the data are shared

perform a contract to which the data subject is a party or perform pre-contractual measures taken at the request of the

data subject

protect fundamental interests or rights

perform certain activities in the framework of journalism, research or artistic or literary expression in compliance with

the ethical rules of these professions 

When the processing is entrusted to a subcontractor, the controller or, where appropriate, his representative in the Republic of

Benin, must:

choose a subcontractor providing sufficient guarantees with regard to the technical and organisational security measures relating to the processing

conclude a contract with the processor either in writing or via electronic means

define among other things the responsibility of the processor with regard to the data controller and their incumbent

obligations in the privacy and security of the data 


Under the applicable data protection law in Benin, individuals possess the following rights:

right to obtain all their personal data in a clear format, as well as any available information as to their origin;

right to withdraw consent for personal data processing at any time;

the right to object, for lawful reasons, to the processing of their personal data;

right to oppose the processing of their personal data for marketing purposes;

right to rectify or erase personal data when it is deemed inaccurate or incomplete;

right to not be subject to decisions made on the sole basis of an automated processing that would produce significant risks

or harm;

right to be forgotten, or to have information made public about themselves deleted from records; and

right to obtain damages from data controllers when a breach occurs that causes material or non-material damage to a person.

Right to be informed

Data controllers must provide data subjects with information describing, among other things:

the processing activities, such as data category;

the purpose of processing;

data recipients;

the existence of profiling activities; and

the identity and contact details of the data controller, and the data subject's rights.

Right to access

Any natural person whose personal data is processed may request from the controller the information needed to know and contest the processing of their personal data, communication in intelligible form of the personal data concerning them, and any available information as to the origin of that data.

Right to rectification

Any natural person may require the data controller to correct, complete, update, block or delete, as the case may be and as soon as possible, personal data concerning them which is inaccurate, incomplete, ambiguous, out of date or irrelevant, or whose collection, use, disclosure or retention is prohibited. To exercise the right of rectification or deletion, the interested party sends a dated and signed request, by post or electronically, to the controller or their representative.

Within 45 days of receiving such a request, the controller must confirm the rectifications or erasures made to the data subject, and must also notify them to any persons to whom the inaccurate, incomplete, equivocal, outdated or irrelevant data (or data whose collection, use, communication or storage is prohibited) had previously been communicated.

Right to erasure

See section above. 

Right to object/opt-out

Any natural person has the right to object, at any time and for legitimate reasons, to the processing of personal data concerning them. The data subject also has the right to be informed before data concerning them is communicated for the first time to third parties, or used on behalf of third parties, for prospecting purposes (in particular commercial, charitable or political), and to be expressly offered the right to oppose, free of charge, such communication or use.

Right to data portability

Data subjects have the right to receive the personal data concerning them that they have provided to a controller in a structured, commonly used and machine-readable format, and have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, when:

the processing is based on consent or on a contract; and

the processing is carried out using automated processes. 

When the data subject exercises the right to data portability under the first paragraph, they have the right to have the personal data transmitted directly from one controller to another, where this is technically feasible.

This right does not apply to processing necessary for the performance of a task in the public interest or in the exercise of public authority vested in the controller. The right referred to in the first paragraph must not adversely affect the rights and freedoms of third parties.

TRANSFER

A personal data processor may transfer data to a foreign country if the receiving country ensures an adequate level of protection

for the privacy and human rights and freedoms of the persons concerned. 

The level of protection will be assessed according to: 

the data protection laws of the recipient country;

the safety measures; and

the characteristics of the processing (purpose, duration, nature, origin and destination of the processed data).

Where the recipient country is not deemed to provide adequate protection, the APDP may nonetheless authorise the transfer if it is accompanied by protective measures such as contractual clauses or binding internal rules.

Certain data, such as biometric data, health data, data relating to serious offences and data regarding crime, are considered to present specific risks to the rights and freedoms of individuals. Transfers of such data require approval under Article 41 of the Law on the Protection of Personally Identifiable Information.

SECURITY

The Law on the Digital Code adopts a proportionate, context-specific approach to security. 

Article 426 of this Law states that in order to guarantee the security of personal data, the controller and/or its processor must

implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction

or accidental loss, alteration, unauthorised disclosure or access, interception, in particular where the processing involves the

transmission of data over a network, and against all other forms of unlawful processing. 

These measures must ensure an appropriate level of security, taking into account, on the one hand, the state of the art and the costs of implementing the measures and, on the other hand, the nature of the data to be protected and the potential risks.

It is also the responsibility of the data controller, his representative and the sub-processor to ensure compliance with these

security measures. 

The Law on the Digital Code does require controllers and processors to consider the following when assessing what might

constitute adequate security: 

the pseudonymization and encryption of personal data;

the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical

incident; and

a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

No specific requirements other than those set forth in the Law.

BREACH NOTIFICATION

A data controller must notify the Commissioner of the APDP of any breach to the security safeguards of personal data, without

delay (Article 427 of The Law on the Digital Code). 

The notification must, at a minimum:

describe the nature of the security breach that affected personal data including, if possible, the categories and approximate

number of individuals affected by the breach and the categories and approximate number of personal data records

affected;

provide the name and contact information of the Data Protection Officer or other point of contact from whom additional

information can be obtained;

describe the likely consequences of the security breach;

describe the steps taken or proposed to be taken by the controller to remedy the security breach, including, if applicable,

steps to mitigate any adverse consequences.

ENFORCEMENT

Not applicable.

ELECTRONIC MARKETING

Benin's data protection legislation applies to most electronic marketing activities, as these will involve some use of personal data (eg, an email address which includes the recipient's name).

The general rule for electronic marketing is that it requires the express consent of the recipient (see Article 245 of the Law No.

2017-20 of April 20, 2018 on the digital code in the Republic of Benin). 

Even when a marketer has the consent of a data subject, that consent can be withdrawn by the data subject under Article 334 of

the Law No. 2017-20 of April 20, 2018 on the digital code in the Republic of Benin. 

The data subject has the right to object at any time to the use of his/her personal data for such marketing. 

This right to object must be explicitly brought to the attention of the data controller. 

However, the data controller may not respond favorably to a request to exercise the right to object if it demonstrates the

existence of legitimate reasons justifying the processing, which override the interests, fundamental rights and freedoms of the data

subject.

ONLINE PRIVACY

Not applicable.


KEY CONTACTS

Geni & Kebe

www.dlapiperafrica.com/senegal

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization's level of data protection maturity.

Dr. Sangare Mouhamoud
Associate

Geni & Kebe

T +2250779107541

m.sangare@gsklaw.sn

Dr. Francky Lukanda
Senior Associate

Geni & Kebe

T +2250584344660

f.lukanda@gsklaw.sn


BERMUDA

Last modified 24 January 2022

LAW

The Bermuda legislature passed a comprehensive legislative framework that specifically addresses issues of data protection in the

form of the Personal Information Protection Act 2016 (PIPA). The principal provisions of PIPA are not yet in force but are

expected to come into force in 2022.

Apart from PIPA, Bermuda law recognizes a duty of confidentiality in certain circumstances under the common law.

DEFINITIONS

Definition of use

PIPA applies to the “use” of personal information, and defines “use” as carrying out any operation on personal information,

including collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting,

disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it.

Definition of personal data

PIPA provides for a definition of “personal information” as meaning “any information about an identified or identifiable individual”.

At common law, information is generally to be regarded as ‘confidential’ if it has a necessary quality of confidentiality and has been

communicated or has become known in such circumstances as give rise to a reasonable expectation of confidence; for example if

obtained in connection with certain professional relationships, if obtained by improper means, or if received from another party

who is subject to a duty of confidentiality.

Definition of sensitive personal data

PIPA provides for a definition of “sensitive personal information” as meaning “any personal information relating to an individual’s

place of origin, race, colour, national or ethnic origin, sex, sexual orientation, sexual life, marital status, physical or mental

disability, physical or mental health, family status, religious beliefs, political opinions, trade union membership, biometric

information or genetic information”. 

NATIONAL DATA PROTECTION AUTHORITY

Alexander White, a US lawyer, has been appointed Privacy Commissioner with effect from 20 January 2020. He will be responsible

for setting up the Privacy Commissioner’s Office, hiring and training staff, undertaking investigations, providing reports and

developing public awareness of the rights of individuals and the obligations of organisations under PIPA.

REGISTRATION


There is no system of registration and none provided for in PIPA.

DATA PROTECTION OFFICERS

There is currently no requirement to appoint a data protection officer. Once PIPA is fully in force, organisations covered by the

legislation will be required to appoint a “privacy officer” for the purposes of compliance with PIPA.

COLLECTION & PROCESSING

Once fully in force, PIPA will regulate the collection and processing of personal information and will apply to any individual, entity

or public authority collecting, storing and using personal information in Bermuda either electronically or as part of a structured

filing system. The use to which sensitive personal information can be put by an organisation is much more restrictive.

The common law, which will continue to apply in parallel with PIPA, will in certain cases consider it a breach of confidence to

misuse or threaten to misuse confidential information.  The concept of ‘misuse’ is a broad one, but will often include any

unauthorised disclosure, examination, copying or taking of confidential information.  The precise scope of the term however will

depend largely on the specific circumstances, including the relevant relationship and the nature of the information.

TRANSFER

Once fully in force, PIPA will regulate the transfer of personal information to an overseas third party. The legislation provides that

the Privacy Commissioner can designate jurisdictions as providing comparable protection to Bermuda law. In other cases, the

organisation subject to PIPA will be required to employ contractual mechanisms, corporate codes of conduct or other means to

ensure that the overseas third party provides comparable protection for the personal information.

SECURITY

Once fully in force, PIPA will make provision for the implementation of proportional security safeguards against risk including loss,

unauthorised access, destruction, use, modification or disclosure. In addition, a person who misuses or divulges confidential

information (deliberately or otherwise) may be liable at common law. 

BREACH NOTIFICATION

Once fully in force, PIPA will require notification of a breach of security leading to the loss or unlawful destruction or

unauthorised disclosure of, or access to, personal information which is likely to adversely affect an individual to (a) the individual

concerned; and (b) the Privacy Commissioner. 

The notice to the Commissioner must describe the nature of the breach, its likely consequences for the individual concerned, and

the measures the organisation is taking to address the breach.

ENFORCEMENT

Once fully in force, PIPA will make provision for investigations and inquiries by the Privacy Commissioner and for a range of

remedial orders that may be imposed by the Commissioner. It also provides for a claim for compensation for financial loss or

emotional distress for failure to comply with the legislation (subject to a reasonable care defence). In addition, PIPA makes

provision for criminal offences and penalties (including imprisonment) for misuse of personal information. In addition, a breach of

the common law duty of confidentiality may give rise to a claim for, among other things, damages and/or an injunction.  These

remedies are to be sought through, and enforced by, the Bermuda courts.

An individual convicted of an offence under PIPA will be liable to a fine of up to BMD 25,000 and/or to imprisonment for up to

two years. An organisation convicted of an offence under PIPA will be liable to a fine of up to BMD 250,000. Proceedings can be

brought against company directors and other officers in a personal capacity.

ELECTRONIC MARKETING

The Electronic Transactions Act 1999 provided that the Minister responsible for electronic commerce had the power to issue a standard to apply to intermediaries or e-commerce service providers, and such a standard was issued by the Minister on 5 May 2000 and came into force on 3 July 2000 (Standard). The definition of "e-commerce service provider" is "a person who uses

electronic means in providing goods, services or information” while an “intermediary” (with respect to an electronic record)

means “a person who, on behalf of another person, sends, receives or stores that electronic record or provides other services

with respect to that electronic record”. The Standard set out certain “Safe Harbour Guidelines” which included certain privacy

requirements and the prohibition on the sale or transfer of personal data or business records of customers to another person for

the purposes of sending bulk, unsolicited electronic records.  

ONLINE PRIVACY

Once fully in force, PIPA will make special provision based on parental consent for certain uses of personal information about a

child under the age of 14. Subject to this, there are no specific restrictions addressing online privacy of confidential information

beyond those generally applicable to the use of confidential information.

KEY CONTACTS

Carey Olsen

www.careyolsen.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization's level of data protection maturity.

Michael Hanson
Managing Partner

Carey Olsen

T +1 441 542 4501

michael.hanson@careyolsen.com

Keith Robinson
Partner

Carey Olsen

T +1 441 542 4502

keith.robinson@careyolsen.com


BOLIVIA

Last modified 24 January 2022

LAW

The Bill of Personal Data Protection; and

the Political Constitution of the Plurinational State of Bolivia, Article 130.

Any natural or legal person who believes that they are being unduly or illegally prevented from knowing, objecting to, or obtaining the deletion or rectification of data recorded by any physical, electronic, magnetic or computer means in public or private files or databases, or whose fundamental right to personal or family privacy, or to their own image, honour and reputation, is affected by such data, may file a Private Protection Action.

DEFINITIONS

Definition of personal data 

Any information about an identified or identifiable natural person, expressed as numbers, letters, graphics, photographs, alphanumeric symbols, sounds or any other type of data. A person is considered identified when their identity can be determined directly or indirectly, provided this does not require disproportionate time or effort.

Definition of sensitive personal data 

Data that refers to the intimate sphere of the individual, or whose inappropriate use can cause discrimination of any type or high

risk to the particular individual.

NATIONAL DATA PROTECTION AUTHORITY

The Personal Data Authority is the Agency for Electronic Government and Information and Communication Technologies (AGETIC).

REGISTRATION

The Bill of Personal Data Protection does not establish a registration requirement in a prescriptive manner; however, it does establish that personal data can only be processed with the consent of its owner, unless processing is by court order issued for reasons of public interest. It is not yet established whether entities or persons interested in the personal data of a third party must request authorization from the Personal Data Protection Authority.

DATA PROTECTION OFFICERS

The President of the Personal Data Authority is the principal officer and has an Executive Council with three members:

the General Director of the Agency for Electronic Government and Information and Communication Technologies (AGETIC); and

two designated members from the Executive Council.

The Executive Council of the Personal Data Protection Authority will be assisted by a Consultative Council of six members:

a person with human rights experience;

a judicial organ representative;

an electoral organ representative;

a Public Ministry representative;

an academic area representative; and

a private sector representative.

COLLECTION & PROCESSING

Under the legitimation principle, the person responsible for processing may only process personal data when the owner grants consent for one or more specific purposes, when necessary to comply with a court order, for the defence or recognition of the rights of the holder/owner before a public authority, to protect the vital interests of the holder/owner or of another natural person, or for other legitimate and informed reasons.

TRANSFER

Nothing in the Bill of Personal Data Protection is established concerning transfer.

SECURITY

The person responsible for the personal data bank must adopt technical, organizational and legal measures that guarantee its security and prevent the alteration, loss, unauthorized processing or unauthorized access of the data.

The requirements and conditions that personal data banks must meet regarding security are established by the National Authority

for the Protection of Personal Data, except for the existence of special provisions contained in other laws. 

The processing of personal data in data banks that do not meet the requirements and security conditions is prohibited.

BREACH NOTIFICATION

When the person in charge becomes aware of a personal data security breach at any stage of the processing, understood as any damage, loss, alteration, destruction, access and, in general, any illegal or unauthorized use of personal data, even if accidental, they must immediately notify the control authority and the affected owners.

The foregoing does not apply when the person in charge can demonstrate, in accordance with the principle of proactive responsibility, that the security breach in question could not have taken place, or that it does not represent a risk to the rights and freedoms of the owners involved.

The notification made by the person responsible to the affected owners will be written in a clear and simple language. 

The notification should contain at least the following information:

the nature of the incident;

the Personal data compromised;

corrective actions carried out immediately;

recommendations to the holder about the measures that can help protect their interests; and

the means available to the holder to obtain more information. 

The person responsible shall document any breach of the security of the data that occurs at any stage of the processing, identifying, among other things, the date on which it was discovered, the cause of the breach, the related facts, its effects and the corrective measures implemented, both immediately and definitively. This documentation must be made available to the supervisory authority.

The Regulation on the Right to Protection of Personal Data addresses the effects of security breach notifications made by the person in charge to the Control Authority, including the procedures, form and conditions of the Authority's intervention to safeguard the interests, rights and freedoms of the affected owners.

There is no mandatory breach notification requirement under the Data Protection Law.

ENFORCEMENT

The competent authority for the enforcement of the Data Protection Law is the Personal Data Authority, the Agency for Electronic Government and Information and Communication Technologies (AGETIC). However, since this Authority has not yet been created, enforcement may in future be distributed to other state organs.

ELECTRONIC MARKETING

There is nothing legally established in Bolivia concerning electronic marketing.

ONLINE PRIVACY

There is nothing established about online privacy, or cookies, or location data.

KEY CONTACTS

Guevara & Gutierrez

gg-lex.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization's level of data protection maturity.

Marcos Mercado Delgadillo
Guevara & Gutierrez

mmercado@gg-lex.com

Jorge Luis Inchauste Comboni
Guevara & Gutierrez

jinchauste@gg-lex.com


BONAIRE, SINT EUSTATIUS AND SABA

Last modified 7 January 2022

LAW

Personal Data Protection Act BES (Wet bescherming persoonsgegevens BES); and

General Data Protection Regulation (the "GDPR"), a regulation of the European Union which became effective on May 25, 2018.

DEFINITIONS

Definition of Personal Data

Personal Data Protection Act BES 

Article 1 paragraph 2 of the Personal Data Protection Act BES stipulates personal data as any data concerning an identified or

identifiable natural person. 

GDPR 

Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one

who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number,

location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic,

cultural or social identity of that natural person.

Definition of Sensitive Personal Data

Personal Data Protection Act BES 

A person’s religion or belief, race, political views, health, sexual life as well as personal data concerning membership of a trade

union. 

GDPR 

Data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic

data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.

NATIONAL DATA PROTECTION AUTHORITY

Personal Data Protection Act BES 

The Personal Data Protection Committee as referred to in article 44 of Personal Data Protection Act BES. 

GDPR 

An independent public authority established by a Member state pursuant to article 51 of the GDPR (Article 4(21), GDPR). The

authority is responsible for monitoring the application of the GDPR in order to protect the fundamental rights and freedoms of

natural persons in relation to processing and to facilitate the free flow of personal data within the EU.

REGISTRATION

Personal Data Protection Act BES 

No registration required. 


GDPR

Article 30 GDPR requires controllers and processors to keep an internal record, in writing (including electronic form), of all personal data processing activities carried out by the organisation.

DATA PROTECTION OFFICERS

Personal Data Protection Act BES 

Pursuant to article 13 of the Personal Data Protection Act BES, the responsible party shall implement appropriate technical and organizational measures to secure personal data against loss or any form of unlawful processing. These measures shall guarantee an appropriate level of security, taking account of the state of the art and the costs of implementation, in view of the risks associated with the processing and the nature of the data to be protected. The measures shall also be aimed in part at preventing the unnecessary collection and further processing of personal data.

Besides the measures above, the Personal Data Protection Act BES does not contain any clauses on any type of registration, filings

of documents to any public agency or having a mandatory data protection officer in place. 

GDPR 

The appointment of a data protection officer under the GDPR is only mandatory in three situations:

When the organisation is a public authority or body;

If the core activities require regular and systematic monitoring of data subjects on a large scale; or

If the core activities involve large scale processing of special categories of personal data and data relating to criminal

convictions.

COLLECTION & PROCESSING

Personal Data Protection Act BES 

Collecting and processing: any act or set of acts relating to personal data, including in any case the collection, recording, organization, storage, updating, modification, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, bringing together, as well as data blocking, erasure or destruction of data.

GDPR 

Collection: a natural or legal person, public authority, agency or other body that collects personal data and uses it for certain purposes, like a website that markets to users based on their online behaviour.

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Processors act on behalf of the relevant controller and under their authority.

TRANSFER

Personal Data Protection Act BES 

Article 42 of Personal Data Protection Act BES stipulates that personal data that are subject to processing or that are intended to be processed after their transfer may only be transferred to a country outside the European Union if, without prejudice to compliance with the law, that country guarantees an adequate level of protection.

GDPR 

The GDPR restricts transfers of personal data outside the European Economic Area, or the protection of the GDPR, unless the rights of the individuals in respect of their personal data are protected in another way, or one of a limited number of exceptions applies.


SECURITY

Personal Data Protection Act BES 

Pursuant to article 13 of the Personal Data Protection Act BES the responsible party shall execute appropriate technical and

organizational measures to secure personal data against loss or any form of unlawful processing. These measures shall guarantee

an appropriate level of security, taking account of the technical state of the art and the costs of execution, in view of the risks

associated with that processing and the nature of the data to be protected. The measures shall be aimed partly at preventing

unnecessary gathering and further processing of personal data. 

GDPR 

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as

well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor

shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (article 32

GDPR).

BREACH NOTIFICATION

Personal Data Protection Act BES 

Contains no specific clauses. 

GDPR 

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after

having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with article 55

GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. 

Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

ENFORCEMENT

Personal Data Protection Act BES 

Pursuant to the Personal Data Protection Act BES the committee is authorized to impose an order under administrative coercion

to enforce the obligations laid down by or pursuant to the Personal Data Protection Act BES. 

GDPR 

The GDPR holds a variety of potential penalties for businesses. 

For example, article 77 of GDPR states that: 

“Every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her

habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data

relating him or her infringes this Regulation.” 

Additionally, article 79 of the Regulation states that “such proceedings may be brought before the courts of the Member State where the

 data subject has his or her habitual residence.”

Penalties 

Compensation to Data Subjects. One penalty that may be imposed is compensation to, as stated in article 82 of the Regulation, “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation” for the damage they’ve suffered.


Fines 

Article 83 of GDPR specifies a number of different fines that may vary based on the nature of the infraction, its severity, and the level of cooperation that “data processors” (i.e. you) provide to the “supervisory authority.” Less severe infringements may incur administrative fines of up to 10,000,000 Euros or 2% of your total worldwide annual turnover for the preceding year (whichever is greater), while more severe infractions may double these fines (20,000,000 Euros or 4% of annual turnover).

Individual Member States of the EU may have additional fines and penalties that may be applied as well. However, these additional penalties are not specifically listed in the text of the Regulation since they’re up to the individual EU nations to set; the only guidelines in article 84 of GDPR are that “Such penalties shall be effective, proportionate and dissuasive” and that “Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018.”

ELECTRONIC MARKETING

Personal Data Protection Act BES

N/A. 

GDPR

Under article 22 GDPR organizations cannot send marketing emails without active, specific consent.

Companies can only send email marketing to individuals if:

The individual has specifically consented.

They are an existing customer who previously bought a similar service or product and were given a simple way to opt out.

ONLINE PRIVACY

Personal Data Protection Act BES

Contains no specific clauses. 

GDPR 

Cookies, insofar as they are used to identify users, qualify as personal data and are therefore subject to the GDPR. Companies do

have a right to process their users’ data as long as they receive consent or if they have a legitimate interest. 

For location data, the GDPR will apply if the data collector collects the location data from the device and if it can be used to identify a person.

If the data is anonymized such that it cannot be linked to a person, then the GDPR will not apply. However, if the location data is

processed with other data related to a user, the device or the user’s behavior, or is used in a manner to single out individuals from

others, then it will be “personal data” and fall within the scope of the GDPR even if traditional identifiers such as name, address

etc. are not known.


KEY CONTACTS

HBN Law & Tax

hbnlawtax.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Maarten Willems
Senior Associate

HBN Law & Tax

T +297 588 6060

maarten.willems@hbnlawtax.com

Misha Bemer
Partner

HBN Law & Tax

T +297 588 6060

misha.bemer@hbnlawtax.com


BOSNIA AND HERZEGOVINA

Last modified 12 January 2021

LAW

The Law on Protection of Personal Data (‘Official Gazette of BIH’, nos. 49/06, 76/11 and 89/11) (DP Law) is the governing law

regulating data protection issues in Bosnia and Herzegovina (BiH). The DP Law came into force on July 4, 2006 and was amended

on October 3, 2011.

Due to the deficiencies of the DP Law and its non-alignment with the GDPR, in 2018 the competent authorities initiated the procedure for adoption of a new GDPR-compliant data protection law in BiH. According to publicly available information, the draft of the new data protection law (Draft Data Protection Law) was forwarded to the BiH Ministry of Civil Affairs, and the adoption procedure before the BiH Parliament should have been initiated. However, due to the complex political situation as well as the Covid-19 pandemic, the Draft Data Protection Law has not been adopted to date. We nevertheless expect the Draft Data Protection Law to be adopted in its current text within 2021.

DEFINITIONS

Definition of personal data

The DP Law defines personal data as any information relating to an identified or identifiable natural person. Data subjects are

natural persons whose identity can be determined or identified, directly or indirectly, in particular by reference to a personal

identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social

identity.

Definition of sensitive personal data

The DP Law defines sensitive personal data as any data relating to any of the following:

Racial, national or ethnic origin

Political opinion, party affiliation, or trade union affiliation

Religious, philosophical or other belief

Health

Genetic code

Sexual life

Criminal convictions

Biometric data


Definitions of sensitive personal data stipulated by Draft Data Protection Law correspond to the definitions prescribed by GDPR.

NATIONAL DATA PROTECTION AUTHORITY

The Personal Data Protection Agency (DPA) is the national data protection authority in BiH. The DPA is seated in

Dubrovačka 6

Sarajevo

www.azlp.gov.ba

The DPA remains the national data protection authority under Draft Data Protection Law.

REGISTRATION

Each data controller (defined as a person or legal entity which processes personal data) must provide the DPA with specific

information on the database containing personal data (“Database”) established and maintained by the controller. The DPA

maintains a publicly available register of data controllers and Databases.

The Database’s registration includes two phases:

First, the controller must register as a data controller (this registration as a controller is to be performed only once).

Second, the controller must report the Database’s establishment, which has to be done within 14 days.

Registration of the Database is made by submitting the application in the prescribed form to the DPA. The DPA form includes

information regarding:

Data controller 

Name

Address of its registered seat

The Database itself

Processing purpose

Legal ground for its establishment

Identification of exact processing activities

Types of processed data

Categories of data subjects, and

Transfer of data abroad

If there is a subsequent change in the registered data, for example changing initial processing activities, the change needs to be

reported to the DPA within 14 days from the date the change occurred.

Unlike the DP Law, the Draft Data Protection Law foresees the obligation of data controllers and data processors to keep records of their data processing activities in the same way as the GDPR; however, it does not oblige data controllers to register their data processing activities/databases with the Agency.

DATA PROTECTION OFFICERS

There is no statutory obligation that the entity which processes personal data has a data protection officer. The Rules on the


Manner of Keeping and Special Measures of Personal Data Technical Protection (Official Gazette of BiH no. 67/09) (Rules)

stipulate that a controller can have an administrator of the Database. Such administrator is a natural person authorized and

responsible for managing the Database and ensuring privacy and protection of personal data processing, in particular regarding

implementation of security measures, storage and protection of data.

Unlike the DP Law, the Draft Data Protection Law foresees the obligation of the data controller and processor to ensure the proper and timely involvement of the data protection officer in all issues related to the protection of personal data. The position and tasks of the data protection officer envisaged by the Draft Data Protection Law correspond to those prescribed by the GDPR.

COLLECTION & PROCESSING

Collection and processing of personal data is permissible if carried out pursuant to the data subject’s consent and in compliance

with the basic principles of personal data protection.

The form of the data subject’s consent depends on the type of personal data collected and processed. While the collection and

processing of sensitive personal data requires explicit written consent from the data subject, the consent for the collection and

processing of personal data falling within a category of general personal data does not have to be in writing. However, at the

request of the competent authority, the controller has to be able to prove, at any time, the existence of a data subject’s consent

for processing of both personal and sensitive personal data. Therefore, having a written consent for collection of any personal data

is advisable. When required, written consent must contain at minimum elements prescribed by the DP law.

Apart from the consent, there are also other conditions which must be met for the collection and processing to be regarded as

legitimate, including:

Processing must be done in a fair and lawful way

The type and scope of processed data must be proportionate to the respective purpose

Other principles regarding the legitimate reasons for personal data processing

The DP Law provides an exception when a data subject’s personal data may be processed without the data subject’s consent. This

is the case where the processing is necessary for the fulfillment of a data controller’s statutory obligations or for preparation or

realization of an agreement concluded between a data controller and a data subject (Exceptional Cases). These conditions are

considered the basic principles of personal data protection and are applicable to each case of personal data processing.

The legal grounds as well as the data processing requirements envisaged by the Draft Data Protection Law fully correspond to

those envisaged by the GDPR.

TRANSFER

Under the transfer rules set out in the DP Law, processed personal data may be transferred to countries where an adequate level

of personal data protection is ensured. In that regard, preferential status is given to the member states of the Council of Europe

Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention”), as members of

the Convention ensure an adequate level of personal data protection.

Personal data transfer to countries that do not provide for an adequate level of personal data protection is allowed in certain

cases stipulated by the DP Law, for example:

When the data subject consented to the transfer and was made aware of possible consequences of such transfer

When it is required for the purpose of fulfilling the contract or legal claim

When it is required for the protection of public interest

In addition, the DPA may exceptionally approve the transfer to a country that does not ensure an adequate level of personal data protection if the controller in the country where the data is to be transferred can provide for sufficient guarantees in regard to


the protection of privacy and fundamental rights and freedoms of the data subject.

The Draft Data Protection Law prescribes a set of mechanisms based on which a legitimate transfer of data out of BiH is possible.

This means that the Draft Data Protection Law tends, the same as the GDPR, to enable legitimate transfer of personal data

whenever there are some safeguards that transferred data will be processed in line with the law.

Aforementioned means the following:

It should firstly be checked whether a particular country to which the data is to be transferred is regarded as a country

with an adequate data protection system (“Adequate Country”)

If a country to which the data is to be transferred from BiH is the Adequate Country or if there is a data transfer related

international treaty entered into between BiH and that country, a transfer is possible without any approval of the Agency

(“Transfer Approval”)

On the other hand, if a country to which the data is to be transferred is not the Adequate Country, a transfer is still

possible without the Transfer Approval if the adequate data protection measures are undertaken (e.g., if appropriate

standard contractual clauses have been entered into between a data exporter and a data importer) (“Adequate

Safeguards”)

However, even if there are no Adequate Safeguards, there is still a possibility for transferring the data without the

Transfer Approval. Such possibility exists in so-called special situations, explicitly prescribed by the Draft Data Protection

Law, the same as under the GDPR (e.g., a data subject has consented to a particular transfer, a transfer is necessary for

the realization of an agreement between a data subject and data controller, etc.)

Finally, even if none of the aforementioned special situations is applicable, a data transfer is still allowed without the

Transfer Approval if certain conditions (linked to a data controller’s legitimate interest) explicitly prescribed by the Draft

Data Protection Law are cumulatively fulfilled.

SECURITY

The DP Law requires data controllers and processors to:

Take care of data security and to undertake all technical and organizational measures

Undertake measures against unauthorized or accidental access to personal data, their alteration, destruction or loss,

unauthorized transfer, other forms of illegal data processing, as well as measures against misuse of personal data

Adopt a personal data security plan (“Security Plan”) which specifies technical and organizational measures for the security

of personal data

As provided by the Rules (as defined in the section “Data Protection Officers”), the Security Plan includes the categories of

processed data and the list of instruments for protection of the data to ensure confidentiality, integrity, availability, authenticity,

possibility of revision and transparency of the personal data.

The Rules prescribe that the controller is required to undertake more stringent technical and organizational measures when

processing sensitive personal data. Such measures aim at enabling recognition of each authorized access to the information system,

operation with the data during the controller’s regular working hours and cryptographic protection of the data transmission via

telecommunications systems with appropriate software and technical measures.

The Rules also closely regulate the manner of personal data keeping and personal data protection in automatic processing.

Security measures envisaged by Draft Data Protection Law correspond to the measures prescribed by GDPR.

BREACH NOTIFICATION


The DP Law does not impose a data security breach notification duty on the controller. However, the Rules do impose a duty on the Database’s administrator, processor and performer to inform the controller of any attempt at unauthorized access to the information system for the Database’s management.

However, the regulations issued by the Communication Regulatory Agency (RAK) should be considered. The Regulation on Carrying out the Activities of the Publicly Available Electronic Communication Networks (‘Official Gazette of BiH’ no. 66/12) (Regulation A) stipulates that the operator of publicly available electronic communication networks (Operator) is required to inform RAK about its activities, operations and other applicable information required for RAK’s regulatory competences. Since RAK’s Regulation on Conditions for Providing the Telecommunications Services and Relation with End Users (‘Official Gazette of BiH’ no. 28/13) (Regulation B) prescribes the Operator’s obligation to undertake such methods as will protect the privacy of users and others, in a manner that will ensure the integrity and confidentiality of data, it can be concluded that the Operator is required to notify RAK of any breach of security and integrity of public telecommunication services that resulted in a violation of the protection of personal data or the privacy of the respective services’ users.

When it comes to the notification duty towards the users, Regulation B obliges the Operator to inform the users adequately (e.g., in the user agreement, in its terms and conditions or in the appropriate technical way) about the possibility of privacy or telecommunication facilities violations.

Pursuant to the Draft Data Protection Law, in case of a personal data breach the controller is obliged to report it without undue delay and, where feasible, not later than 72 hours after having become aware of it, which fully corresponds to the obligation prescribed by the GDPR.

ENFORCEMENT

The DPA enforces the DP Law. The DPA is authorized and obliged to monitor implementation of the DP Law, both ex officio and upon a third-party complaint. If the DPA finds that a particular person or entity processing personal data acted in violation of data processing rules, it may request that the controller discontinue such processing and order specific measures to be carried out without delay.

When acting upon the complaints, the DPA may also issue a decision by which it can order blocking, erasing or destroying of data,

adjustment or amendment of data, temporary or permanent ban of processing, issue warning or reprimand to the controller. The

decision of the DPA may not be appealed; however, a party may initiate administrative dispute before the Court of BiH.

The DPA can initiate a misdemeanor proceeding against the respective data controller before the competent court, depending on

the gravity of the particular misconduct and the data controller’s behavior with respect to the same. The offenses and sanctions

are explicitly prescribed by the DP Law, which includes monetary fines for a controller in the amount between €2,550 and

€51,100, as well as for the controller’s authorized representative in the amount between €100 and €7,700.

The Draft Data Protection Law, although still not as strict as the GDPR, foresees fines which are significantly higher than the ones

foreseen by the Current Data Protection Law. Specifically, the Draft Data Protection Law introduces fines in the amount of up to

BAM 200,000 (approx. EUR 100,000) or 4% of the total worldwide annual turnover of the preceding financial year (whichever is

higher).

Breach of personal data protection regulations represents a criminal offense of unauthorized collection of personal data under all criminal codes applicable in BiH (Criminal Code of BiH, Criminal Code of the Republic of Srpska, Criminal Code of the Federation of BiH and Crimes Code of Brčko Distrikt). Prescribed sanctions are monetary fines (in an amount to be determined by the court) or imprisonment of up to six (6) months (Criminal Code of BiH; Criminal Code of the Federation of BiH; Criminal Code of the Brčko Distrikt) or up to one (1) year (Criminal Code of the Republic of Srpska).

ELECTRONIC MARKETING

Although electronic marketing is not governed by the DP Law, the respective law regulates protection of personal data used in

direct marketing. In that regard, the controller is not allowed to disclose personal data to a third party without the data subject’s

consent. However, when that is necessary for the protection of the controller’s rights and interests and when it is not in

contradiction with the data subject’s right to the protection of personal privacy and personal life, the personal data may be used

for direct marketing purposes without consent. The DPA is of the opinion that previous provision could be used only in explicit


cases, when the controller is offering products or services to a regular client in order to limit possible future damages for which it could be held responsible.

Under Regulation B, the Operator is prohibited from using user personal data for purposes of its business or other promotions,

unless it obtains explicit consent from the user to whom such data relates.

ONLINE PRIVACY

The general data protection rules, as introduced by the DP Law, are relevant for online privacy as well, as there are no specific

regulations that explicitly govern online privacy. This includes obligation to act in accordance with the basic principles of personal

data protection set out in the DP Law as well as acting on the basis of the data subject’s informative consent.


KEY CONTACTS

Karanovic & Nikolic

www.karanovic-nikolic.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Nihad Sijercic
Attorney-at-law in cooperation with Karanovic & Nikolic

T +387 33 844 000

nihad.sijercic@karanovicpartners.com

Amina Dugum
Attorney-at-law in cooperation with Karanovic & Nikolic

T +387 33 844 000

amina.djugum@karanovicpartners.com


BOTSWANA

Last modified 10 December 2021

LAW

The Data Protection Act – Act No. 32 of 2018 (“the DPA”) is an Act which was assented to by Parliament on the 3rd of August 2018 and came into effect on the 15th of October 2021.

The DPA regulates the protection of personal data and ensures that the privacy of individuals in relation to their personal data is maintained.

DEFINITIONS

Definition of personal data 

Under the DPA, personal data means information relating to an identified or identifiable individual, from which the individual can be identified directly or indirectly, in particular by reference to an identification number, or to one or more factors specific to the individual’s physical, physiological, mental, economic, cultural or social identity.

Definition of sensitive personal data 

Sensitive Personal Data is defined to mean personal data which reveals a data subject’s: 

racial or ethnic origin;

political opinions;

religious beliefs or philosophical beliefs;

membership of a trade union;

physical or mental health or condition;

sexual life;

affiliation; or

personal financial information,

and includes: 

any commission or alleged commission by him or her of any offence;

any proceedings for any offence committed or alleged to have been committed by him or her, the disposal of such

proceedings, or the sentence of any Court in such proceedings; and

genetic data, biometric data and the personal data of minors.

NATIONAL DATA PROTECTION AUTHORITY

A body known as the Information and Data Protection Commission (“the Commission”) as established under the DPA is yet to be

formed and will be the designated body tasked with data protection and ensuring the effective application of, and compliance with


the DPA, and in particular, the right to protection of personal data, access rectification, objection and cancellation of such data. 

REGISTRATION

The Commission will be responsible for creating and maintaining a public register of all data controllers. There is, however, no

prescribed method of registration. 

A data controller is a person who alone or jointly with others determines the purpose and means by which personal data is to be processed, regardless of whether such data is processed by that person or by an agent on that person’s behalf. Additionally, a data controller may engage a data processor, being a person who processes data on behalf of the data controller.

In terms of the DPA, data controllers are required to notify the Commissioner of the Commission (“the Commissioner”) before

carrying out any wholly or partially automated processing operation or set of such operations which are intended to serve a single

purpose or serve several related purposes. Notification is not required where a data protection representative has been

appointed.

The notification should include the following details: 

The name and address of the data controller and of its representative;

The purpose of the processing;

A description of the data subjects and of the personal data relating to the data subject;

The recipients to whom personal data can be disclosed to;

Proposed transfers of personal data to a third country; and

A general description to allow the Commission to assess the appropriateness of the security measures.

The requirement for notification does not apply to operations which have the sole purpose of keeping a register that is intended

to provide information to the public by virtue of any law, and for which the register is open for public inspection. In addition, the

notification will not be required where a data controller has appointed a data protection representative.

Data controllers are further required to immediately notify the Commissioner of any breach to the technical or organizational

security safeguards for processing of personal data.

The Commission will have the authority to grant an exemption for notification.

DATA PROTECTION OFFICERS

A data controller has the option to appoint a data protection representative who holds the requisite qualifications, their role being to independently ensure that personal data is processed in a correct and lawful manner, and in accordance with good practice.

The data protection representative is responsible for keeping a list of the processing carried out, and the list should be immediately accessible to any person applying for access. Upon identifying any inadequacies, the data protection representative should bring such inadequacies to the attention of the data controller and assist in ensuring that the data subject’s rights under the DPA are protected.

Where a data protection representative has been appointed, the notification to the Commissioner regarding wholly or partially automated processing operations is not required.

If a data protection representative has reason to suspect that the data controller is contravening the rules applicable to the processing of personal data, and if rectification is not implemented as soon as practicable after the contravention is pointed out, the data protection representative must then notify the Commissioner.

The appointment and removal of a data protection representative must be notified to the Commissioner.

COLLECTION & PROCESSING

Processing means any operation or set of operations which is taken in regard to personal data, whether or not it occurs by automatic means, and includes the collection, recording, organization, storage, alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment or combination, blocking, erasure or destruction of such data.

Processing personal data

Prior to undertaking the processing of personal data, data controllers are generally required to obtain written consent from the data subjects. Consent is not required in instances authorised by any written law. In addition, a data subject who has given consent for the processing of personal data may at any time, in writing, revoke the consent for legitimate, reasonable and compelling reasons at that particular time.

As an alternative to written consent, personal data may also be processed where the processing is necessary for:

the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject entering into a contract;

compliance with a legal obligation to which the data controller is subject;

protecting the vital interests of the data subject;

performing an activity that is carried out in the public interest or in the exercise of an official authorisation vested in the data controller, or in a third party to whom the data is disclosed; or

a purpose that concerns a legitimate interest of the data controller, or of a third party to whom personal data is provided, except where such interest is overridden by the interest in protecting the fundamental rights and freedoms of the data subject and, in particular, the right to privacy.

Where personal data is processed for historical, statistical or scientific purposes, the data controller must ensure that appropriate security safeguards are in place where the personal data may be kept for a period longer than necessary having regard to the purpose for which it is processed, or where the personal data kept is not used for any decision concerning the data subject.

In the event that processing is for direct marketing, the data controller must, at no cost, inform the data subject of the right to oppose the processing. Processing for such purposes will be prohibited where the data subject has given a notice of objection to the processing of the personal data. A data controller who processes the data despite the objection made by the data subject commits an offence which is punishable by a fine not exceeding BWP500 000 or imprisonment for a term not exceeding nine years, or both.

Processing sensitive personal data

Processing sensitive personal data is heavily restricted, and requires the data controller to ensure that appropriate security safeguards have been adopted. Processing of sensitive personal data is generally prohibited save where:

the processing is specifically provided for under the DPA;

the data subject has given consent in writing;

the data subject has made the data public;

the processing is necessary for national security, for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment, or where the processing is authorised by any other written law for any reason of substantial interest to the public; or

the processing is necessary to protect the vital interest of a data subject and another person in a case where consent cannot be given by or on behalf of the data subject, the data controller cannot reasonably be expected to obtain consent, or the consent by or on behalf of the data subject has been unreasonably withheld.

Bodies or entities which have political, philosophical, religious or trade union objects are allowed to process sensitive personal data relating to the political, philosophical, religious or trade union objects concerning the members of that body or entity, or any other person with whom the body or entity regularly exchanges information. Such processing by an entity or body is allowed if it is done in the course of its legitimate activities and with appropriate guarantees. It should also be noted that this sensitive personal data may be provided to a third party only where the data subject has given written consent.


Furthermore, processing of sensitive personal data for health or medical purposes is allowed where the processing is done by a health professional and is necessary for preventative medicine as well as the protection of public health, medical diagnosis, health care or the management of health and hospital care services.

Processing sensitive personal data is also allowed where it is for research, scientific and statistics purposes, so long as the processing is compatible with specified, explicitly stated and legitimate purposes. In the case of research and scientific purposes, the Commissioner must have approved the processing on the advice of a committee responsible for research and scientific ethics, whilst in the case of statistics, the processing must be necessary for the purposes provided under the Statistics Act (Cap 17:01).

There is a general prohibition against processing genetic and biometric data for what it reveals or contains. The prohibition does not apply where such data is processed in accordance with the general requirements for processing sensitive personal data as outlined above. Where genetic and biometric data is processed for medicinal purposes and the consent of the data subject has been granted, the processing must only be effected where a unique patient identification number is given to the data subject. This patient number must be different from any other identification number possessed by the data subject.

Sensitive personal data may also be processed for legal purposes where it is necessary in connection with any legal proceedings (including prospective proceedings), for the purposes of obtaining legal advice, for establishing, exercising or defending legal rights, or for the administration of justice.

With respect to a data subject’s identity card number, processing in the absence of the data subject’s consent is only allowed where the processing is clearly justifiable having regard to the purpose of the processing, the importance of a secure identification, or any valid reason as may be prescribed.

During the processing operation where personal data is obtained directly from the data subject, data controllers and data processors are required to furnish the data subject with the following information:

The identity and habitual residence or principal place of business;

The purpose of the processing;

The existence of the right to object to the intended processing, if the processing is for purposes of direct marketing;

Any other additional information if it will ensure fair processing, which may include the recipient or category of recipients, whether the reply to any question posed is obligatory or voluntary and the possible consequences of failure to reply, as well as the existence of the right to access, rectify or delete the data concerning the data subject; or

Any other information necessary for the specific nature of the processing, to guarantee fair processing in respect of the data subject.

A person who has access to personal data and is acting under the authorisation of the data controller or the data processor must process personal data only as instructed and without prejudice to any duty or restriction imposed by law. A contravention of this amounts to an offence which is punishable by a fine not exceeding BWP20 000 or imprisonment for a term not exceeding three years, or both.

Where personal data is processed without the required authorisation, such processing amounts to an offence which is punishable by a fine not exceeding BWP100 000 or imprisonment for a term not exceeding three years, or both.

It is mandatory to safeguard the security of personal data by taking appropriate technical and organisational security measures necessary to protect the personal data from negligent or unauthorised destruction, negligent loss or alteration, unauthorised access and any other unauthorised processing of personal data.

When taking appropriate technical and organisational security measures necessary to protect the personal data, the person doing so must ensure an appropriate level of security by taking into account:

technological developments in the processing of personal data, and the costs of implementing the security measures; and

the nature of the personal data to be protected and the potential risks involved.

Additionally, when outsourcing the processing of personal data, the data processor chosen must be one who gives sufficient guarantees regarding the technical and organisational security measures in place for the processing to be done. The data controller or processor who outsources must ensure that the said measures are complied with.

TRANSFER

The transfer of personal data from Botswana to another country is prohibited save for transborder transfers to countries that have been designated by the Minister through an Order published in the Government Gazette.

Transborder transfers of personal data require prior authorisation to be granted by the Commissioner, so as to assess and ensure that adequate levels of protection are provided by the country receiving the personal data. The assessment is made in light of all the circumstances surrounding the data transfer operation, and particular consideration is given to:

the nature of the data;

the purpose and duration of the proposed processing operation;

the country of origin and the country of final destination;

the rule of law, both general and sectoral, in force in the third country in question; and

the professional rules and security safeguards which are complied with in that country.

Notwithstanding the above, transborder transfers to countries which do not offer an adequate level of protection are allowed where the data subject consents to the proposed transfer, or where the transfer is:

necessary for the performance of a contract between the data subject and the data controller, or the implementation of pre-contractual measures taken in response to the data subject’s request;

necessary for the performance or conclusion of a contract in the interests of the data subject between the data controller and a third party;

necessary for the public interest, or for the establishment, exercise or defence of a legal claim;

necessary to protect the vital interests of the data subject; or

made from a register that is intended to provide the public with information and is open to public inspection.

Regardless of the above-mentioned restrictions, transborder flow of personal data to a country without adequate levels of protection may be authorised where the data controller provides adequate safeguards, which may be by means of appropriate contractual provisions, with respect to the protection of the privacy and fundamental rights and freedoms of individuals.

SECURITY

Data controllers are required to take appropriate technical and organisational security measures necessary to protect personal data from negligent or unauthorised destruction, negligent loss, as well as unauthorised access, alteration and processing of personal data.

The measures are influenced by technological developments in the processing of personal data and the costs of implementing the security measures, as well as the nature of the personal data and the potential risks involved.

Failure to implement the security safeguards amounts to an offence and will render the data controller liable to a fine not exceeding BWP100 000 or imprisonment for a term not exceeding three years, or both.

BREACH NOTIFICATION

Data controllers and data processors are required to immediately notify the Commissioner of any breach of the security safeguards of personal data. A failure to do so amounts to an offence punishable by a fine not exceeding BWP100 000 or imprisonment for a term not exceeding three years, or both.

ENFORCEMENT

As mentioned earlier, the Commission is the competent authority that will be tasked with the protection of personal data through effective application of and compliance with the DPA. However, since the Commission is yet to be formed, there is currently no enforcement.


ELECTRONIC MARKETING

Marketing by means of electronic communication is governed by the Electronic Communications and Transactions Act – Act No 14 of 2014 (“ECTA”).

An originator who carries out marketing by means of electronic communication must provide the addressee with the originator’s identity and contact details (including the place of business, e-mail addresses and telefax number), a valid and operational opt-out facility from receiving similar communications in future, and, additionally, the identifying particulars of the source from which the originator obtained the addressee’s personal information.

In terms of the ECTA, unsolicited commercial communication must only be sent where the opt-in requirement has been met, and this includes:

the addressee’s email address and other personal information was collected by the originator of the message in the course of a sale or negotiations for a sale;

the marketing relates to similar products or services;

when the personal information and address was collected by the originator, the originator offered the addressee the opportunity to opt out, free of charge except for the cost of transmission, and the addressee declined to opt out; and

the opportunity to opt out is provided with every subsequent message.

Failure to provide the addressee with an optional opt-out facility is an offence which is punishable by a fine not exceeding BWP10 000, or imprisonment for a term not exceeding five years, or both. Furthermore, an originator who persists in sending unsolicited commercial communications to an addressee who has opted out from receiving such through the originator’s opt-out facility commits an offence and is liable to a fine not exceeding BWP50 000, or imprisonment for a term not exceeding eight years, or both.

Also noteworthy is the DPA requirement that, where personal data is processed for direct marketing purposes, the data controller must, at no cost, inform the data subject of the right to oppose the processing. Processing for such purposes will be prohibited where the data subject has given a notice of objection to the processing of the personal data. A data controller who processes the data despite the objection made by the data subject commits an offence which is punishable by a fine not exceeding BWP500 000 or imprisonment for a term not exceeding nine years, or both.

ONLINE PRIVACY

There is currently no specific online privacy legislation and no provision in the DPA and the ECTA regarding such.

KEY CONTACTS

Minchin & Kelly (Botswana)

Isaac Ntombela
Partner

Minchin & Kelly (Botswana)

T +267 391 2734

intombela@minchinkelly.bw

Namie Modiri
Associate

Minchin & Kelly (Botswana)

T +267 391 2734

nmodiri@minchinkelly.bw


DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

BRAZIL

Last modified 24 January 2022

LAW

After several discussions and postponements, the Brazilian General Data Protection Law (LGPD), Federal Law no. 13,709/2018, entered into force on September 18, 2020. The LGPD is Brazil’s first comprehensive data protection regulation, and it broadly aligns with the EU General Data Protection Regulation (GDPR).

Although the law has been in force since 2020, the penalties provided by the LGPD only became enforceable on August 1, 2021. However, public authorities (such as consumer protection bodies and public prosecutors) and data subjects could enforce their rights under the LGPD as of September 18, 2020.

Before the enactment of the LGPD, data privacy regulation in Brazil consisted of various provisions spread across Brazilian legislation. For example, Federal Law no. 12,965/2014 and its regulating Decree no. 8,771/16 (together, the Brazilian Internet Act) imposed requirements regarding security and the processing of personal data and other obligations on service providers, networks, and application providers, and provided rights for Internet users.

The following laws also contain general provisions and principles applicable to data protection:

The Federal Constitution;

The Brazilian Civil Code; and

Laws and regulations that address certain types of relationships (e.g., the Consumer Protection Code [1] and employment laws), regulated sectors (e.g., financial institutions, the health industry, or telecommunications), and particular professional activities (e.g., medicine and law).

Additionally, there are laws that regulate the processing and safeguarding of documents and information handled by governmental entities and public bodies.

The LGPD applies to any processing operation carried out by a natural person or a legal entity (of public or private law), irrespective of (1) the means used for the processing, (2) the country in which its headquarters are located, or (3) the country where the data are located, provided that:

The processing operation is carried out in Brazil;

The purpose of the processing activity is to offer or provide goods or services to, or to process the data of, individuals located in Brazil; or

The personal data was collected in Brazil.

On the other hand, the law does not apply to the processing of personal data that is:

Carried out by a natural person exclusively for private and non-economic purposes;

Performed for journalistic, artistic, or academic purposes;

Carried out for purposes of public safety, national security and defense, or activities of investigation and prosecution of criminal offenses (which will be the subject of a specific law);

Originated outside the Brazilian territory and are not the object of communication; or

Shared data use with Brazilian processing agents, or the object of international transfer of data with another country that is not the country of origin, provided that the country of origin offers a level of personal data protection adequate to that established in the Brazilian law.

In addition, on October 20, 2021, the Brazilian Senate unanimously approved the Proposed Amendment to the Constitution (“PEC”) no. 17/2019, which aims to include in the Federal Constitution the protection of personal data, including in digital media, as a fundamental right, and to refer privately to the Union (federal government) the responsibility to legislate on this subject. However, this amendment will only be valid when the National Congress enacts the PEC, which is still pending.

[1] Due to a broad interpretation established in case law, practically every Internet user is considered a ‘consumer’ for the purposes of consumer protection.

DEFINITIONS

Definition of personal data

The LGPD defines personal data as any information related to an identified or identifiable natural person.

Anonymized data is not considered personal data, except when the process of anonymization has been reversed or if it can be reversed by applying reasonable efforts.

Definition of sensitive personal data

The LGPD defines sensitive personal data as any personal data concerning:

Racial or ethnic origin

Religious belief

Political opinion

Trade union

Religious, philosophical or political organization membership

Health or sex life

Genetic or biometric data

NATIONAL DATA PROTECTION AUTHORITY

The LGPD established the National Data Protection Authority (ANPD). The ANPD is part of the federal public administration (pertaining to the Presidency of the Republic), and is given technical and decision-making autonomy with jurisdiction over the Brazilian territory. The ANPD is headquartered in the Federal District. The legal nature of the ANPD is transitory and may be amended by the Public Authority into an entity of the indirect federal public administration, subject to a special autarchic regime and linked to the Presidency of the Republic, within two (2) years of its regimental structure coming into force.

The ANPD is now in operation. Its structuring process started on August 27, 2020, with the publication of Decree No. 10,474/2020, which approved and regulated the regulatory structure of the ANPD, its board of commissioned positions and nominated trust functions. On November 6, 2020, this Decree entered into force with the appointment of the Director-President and the members of the Board of Directors of the ANPD, after having been approved by the plenary of the Federal Senate. On March 9, 2021, the ANPD’s Internal Regulations were published, establishing the competencies and organization of the National Authority.

The ANPD is composed of:

A Board of Directors

A National Council for Personal Data and Privacy Protection (Council)

Bodies of direct and immediate assistance to the Board of Directors (General Secretariat, General Coordination of Administration, General Coordination of Institutional and International Relations)

An Internal Affairs Office (inspection body)

An ombudsman

Its own legal advisory body, and

Administrative and specialized units for the enforcement of the LGPD (i.e., General Coordination of Standardization; General Coordination of Supervision; and General Coordination of Technology and Research)

The ANPD has the authority to issue sanctions for violations of the LGPD. This sanctioning authority came into force on August 1, 2021. In August 2021, the President of the Republic appointed representatives of the National Council for Personal Data and Privacy Protection (Council). The Council contributes to the performance of the ANPD, which has the authority to, among other things:

Oversee the protection of personal data

Issue regulations and procedures related to personal data protection

Deliberate, at an administrative level, upon the interpretation of the LGPD and matters omitted in its wording

Supervise and apply sanctions in the event of data processing performed in violation of the legislation

Implement simplified mechanisms for recording complaints about the processing of personal data in violation of the LGPD

In addition, the ANPD Council is responsible for, among other functions:

Proposing strategic guidelines and providing input for the creation of the National Policy for the Protection of Personal Data and the operation of the ANPD

Suggesting actions to be carried out by the ANPD

Preparing studies and conducting public debates and hearings about the protection of personal data

Since the ANPD started its operations, several actions have already been implemented to protect personal data, including:

Publishing guidance on reporting a security incident involving personal data, and its assessment, to the ANPD

Explaining the availability of a claim by the data subject against a controller

Providing educational materials on data protection, such as (1) guidelines for defining personal data processing agents and the DPO, (2) how consumers should protect their personal data, and (3) information security for small processing agents.

However, there are still several provisions of the LGPD requiring further regulation and interpretation by the ANPD, which stakeholders should monitor for future compliance.

REGISTRATION

There is currently no requirement to register with the National Data Protection Authority under Brazilian law.

DATA PROTECTION OFFICERS

The LGPD creates the position of Chief of Data Processing, which is the data protection officer (DPO) in charge of data processing operations. The DPO is responsible for the following:

Accepting complaints and communications from data subjects and the National Authority

Providing guidance to employees about good practices and carrying out other duties as determined by the controller or set forth in complementary rules

The LGPD gives the National Data Protection Authority the power to further establish supplementary rules concerning the definition and the duties of the DPO, including scenarios in which the appointment of such a person may be waived, according to the nature and the size of the entity or the volume of data processing operations.

Currently, and until the ANPD provides more detailed instructions on the subject, it is assumed that every company (public or private) should appoint a DPO. This general obligation extends to all types of activities and volumes of data processing subject to the LGPD (as set out in the “Guidance on Processing Agents and DPO” published by the ANPD in May 2021). In any case, all companies should monitor this space for future guidance.

On August 30, 2021, the ANPD issued a Public Consultation related to a Resolution with special rules on the application of the LGPD to small businesses, startups, and innovative companies. This Resolution includes exemptions and flexibilities, such as the exemption of these companies from appointing a DPO. However, this is still a draft Resolution and needs to be further confirmed and published.

There is no prohibition against companies using an external DPO or against DPOs performing the same function for more than one company simultaneously. Likewise, the LGPD does not distinguish whether the DPO must be an individual or a legal entity.

Due to the absence of legal or regulatory requirements, there is no need to communicate or record the identity and contact information of the DPO with the ANPD.

COLLECTION & PROCESSING

Under the LGPD, collection and processing is referred to as “data treatment”, and defined as all operations carried out with personal data, such as: collection, production, reception, classification, utilization, access, reproduction, transmission, distribution, processing, filing, storage, elimination, evaluation, control, modification, communication, transfer, diffusion, or extraction.

The processing of personal data may only be carried out based on one of the following legal bases:

With data subject consent

To comply with a legal or regulatory obligation by the controller

By the public administration, for the processing and shared use of data which are necessary for the execution of public policies provided in laws or regulations or contracts, agreements or similar instruments

For carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data

For the execution of a contract or preliminary procedures related to a contract to which the data subject is a party

For the regular exercise of rights in judicial, administrative or arbitration procedures

As necessary for the protection of life or physical safety of the data subject or a third party

For the protection of health, exclusively, in a procedure carried out by health professionals, health services or sanitary authorities

To fulfill the legitimate interests of the controller or a third party, except where the fundamental rights and freedoms of the data subject prevail, and

For the protection of credit

Notwithstanding the above, personal data processing must be carried out in good faith and based on the following principles: purpose, suitability, necessity, free access, quality of the data, transparency, security, prevention, non-discrimination, and accountability.

As for the processing of sensitive personal data, the processing can only occur when the data subject or their legal representative consents specifically and in a highlighted manner, for specific purposes; or, without consent, in the following situations:

As necessary for the controller’s compliance with a legal or regulatory obligation

Shared data processed as necessary for the execution of public policies provided in laws or regulations by the public administration

For carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data

For the regular exercise of rights, including in a contract or in a judicial, administrative or arbitration procedure

Where necessary for the protection of life or physical safety of the data subject or a third party

The protection of health, exclusively, in a procedure performed by health professionals, health services or sanitary authorities, or

To prevent fraud and protect the safety of the data subject

The controller and operator must keep records of the data processing operations they carry out, especially when the processing is based on a legitimate interest.

In this sense, the ANPD may determine that the controller must prepare an Impact Report on the Protection of Personal Data, including sensitive data, referring to its data processing operations, pursuant to regulations and subject to commercial and industrial secrecy. The report must contain at least a description of the types of data collected, the methodology used for collection and for ensuring the security of the information, and the analysis of the controller regarding the adopted measures, safeguards and mechanisms of risk mitigation.

On August 30, 2021, the ANPD issued a Public Consultation related to a Resolution with special rules on the application of the LGPD to small businesses, startups, and innovative companies. This Resolution includes exemptions and flexibilities, such as the exemption of these companies from maintaining records of data processing activities and flexibility in conducting Data Protection Impact Assessments (“DPIA”). However, this is still a draft Resolution, which still needs to be confirmed and published.

TRANSFER

The transfer of personal data to other jurisdictions is allowed only subject to compliance with the requirements of the LGPD. Prior specific and informed consent is needed for such transfer, unless:

The transfer is to countries or international organizations with an adequate level of protection of personal data

There are adequate guarantees of compliance with the principles and rights of data subjects provided by the LGPD, in the form of:

Specific contractual clauses for a given transfer

Standard contractual clauses

Global corporate norms, or

Regularly issued stamps, certificates and codes of conduct

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Brazil 153 | | | www.dlapiperdataprotection.com

The transfer is necessary for international legal cooperation between public intelligence, investigative and prosecutorial agencies

The transfer is necessary to protect the life or physical safety of the data subject or a third party

The ANPD has provided authorization

The transfer is subject to a commitment undertaken through international cooperation

The transfer is necessary for the execution of a public policy or legal attribution of public service

The transfer is necessary for compliance with a legal or regulatory obligation, execution of a contract or preliminary procedures related to a contract, or the regular exercise of rights in judicial, administrative or arbitration procedures

SECURITY

Controllers and processors must adopt technical and administrative security measures designed to protect personal data from:

Unauthorized accesses, and

Accidental or unlawful situations of:

Destruction

Loss

Alteration

Communication, or

Any improper or unlawful processing

The LGPD grants the ANPD authority to establish minimum technical standards for companies to implement.

On 4 October 2021, the ANPD launched information security guidelines aimed at small data processing agents (such as microenterprises, small businesses, and startups) to assist them with good practices in implementing technical and administrative information security measures for the protection of personal data. The guidelines also contain a checklist to facilitate the visualization of suggestions, such as awareness and training programs, agreements management, access controls, data storage guidelines, and vulnerability management.

The Brazilian Internet Act further establishes that service providers, networks and applications providers should keep access records (such as IP addresses and logins) confidential and in a secured and controlled environment. Guidelines issued under the Internet Act set out appropriate security controls, including:

Strict control on data access by defining the responsibilities of persons who will have the possibility of access, and exclusive access privileges for certain users

Provision of authentication mechanisms for records access, using, for example, dual authentication systems to ensure individualization of the person responsible for handling the records

Creation of a detailed inventory of access to connection records and access to applications, containing the time, duration, the identity of the employee or the responsible person for the access designated by the company, and the accessed file

Use of records management techniques that ensure the inviolability of data, such as encryption or equivalent protective measures

BREACH NOTIFICATION

The controller must report to the ANPD and the data subject within a reasonable timeframe if the breach is likely to result in risk or harm to data subjects. The LGPD itself does not set a specific deadline for notifying the ANPD in the event of security incidents. However, according to guidance published by the National Authority on February 22, 2021, the communication must be made within two (2) working days, counted from the date of receiving knowledge of the incident.

In addition, according to this guideline, the company or person responsible for the data must internally assess the incident and ascertain the nature, category, and number of data subjects affected. The National Authority must also be communicated in the event of relevant risk or damage to data subjects, using a form available on the ANPD’s page.

The notice must contain, at least, the following:


Description of the nature of the affected personal data

Information regarding the data subjects involved

Indication of the security measures used

The risks generated by the incident

The reasons for a delay in communication (if any)

The measures that were or will be adopted

Additionally, the ANPD must verify the seriousness of the incident and may, if necessary to safeguard the data subject’s rights, order the controller to adopt measures, such as the broad disclosure of the event in communications media, as well as measures to reverse or mitigate the effects of the incident.

On August 30, 2021, the ANPD issued a Public Consultation related to a Resolution with special rules on the application of the LGPD to small businesses, startups, and innovative companies. The Resolution includes exemptions and flexibilities, such as the exemption or flexibility in the communication of security incidents, as well as the flexibility regarding deadlines for responding to data subjects’ requests, for communicating severe security incidents to the ANPD and affected data subjects, and for responding to ANPD’s requests. However, this is still a draft Resolution, which must be confirmed and published further.

ENFORCEMENT

The LGPD provides for penalties in case of violations of its provisions. Data processing agents that commit infractions can be subject to administrative sanctions, in a gradual, single or cumulative manner, including a fine, simple or daily, of up to 2% of the revenues of a private legal entity, group or conglomerate in Brazil, up to a total maximum of R$50 million per infraction.

Other sanctions can include:

Warning

Publicizing of the violation

Blocking the personal data to which the infraction refers to until its regularization

Deletion of the personal data to which the infraction refers

Partial suspension of the database operation to which the infringement refers for a maximum period of six (6) months, extendable for the same period, until the processing activity is corrected by the controller;

Suspension of the personal data processing activity to which the infringement refers for a maximum period of six (6) months, extendable for the same period;

Partial or total prohibition of activities related to data processing.

Although the LGPD became effective September 18, 2020, the penalties provided by the law were only enforceable from August 1, 2021. In addition, the ANPD is now in operation and, on October 29, 2021, published the Regulation of the Inspection Process and the Sanctioning Administrative Process, which establishes the procedures applicable to ANPD’s inspection process and the rules to be observed during the administrative sanctioning process. However, so far, the ANPD still has not imposed sanctions regarding violations of the LGPD, so its level of enforcement activity is still uncertain.

Public authorities (such as consumer protection bodies and public prosecutors) are already monitoring data protection matters and applying penalties based on the LGPD obligations and other applicable laws. Additionally, data subjects may file lawsuits if any of the rights provided by the LGPD are violated. Under the law, a controller or processor that causes material, moral, individual, or collective damage to others is liable to individuals for such damages, including through a class action.

Exceptions to the obligation to remedy a violation exist only if:

The agent (i.e., the controller or the processor) did not carry out the data processing

There was no violation of the data protection legislation in the processing, or

The damage arises due to exclusive fault of the data subject or a third party


ELECTRONIC MARKETING

Brazil has no specific law regulating electronic marketing communications. However, it is important to point out that, according to the LGPD, all processing of consumers’ personal data (which includes the collection, storage, and sending of marketing communications) can only occur upon the appropriate legal basis for such purpose. Under this scenario, two available legal bases could be used, depending on the analysis of the concrete case: (1) the data subject’s consent, or (2) the controller’s legitimate interest.

Despite the lack of a specific statute, general provisions on privacy and intimacy rights, as well as consumer protection rights, also apply to electronic marketing. Therefore, the sender should immediately cease sending any electronic marketing if the consumer so requests (i.e., offering an opt-out option to electronic marketing).

ONLINE PRIVACY

The Brazilian Internet Act has several provisions concerning the storage, use, disclosure, and other processing of data collected on the Internet. The established rights of privacy, intimacy, and consumer rights apply equally to electronic media, such as mobile devices and the Internet. Violations of these rights may also be subject to civil enforcement.

Furthermore, as explained in prior sections, identifiable data are also encompassed under the scope of protection of the LGPD. Thus, if cookies and location data are associated with a natural person, their collection should also observe the same obligations provided by the Brazilian data protection law. However, the obligation does not apply to anonymized data, which is not considered personal data under the LGPD unless the process of anonymization has been reversed or can be reversed using reasonable efforts.

That said, a proper legal basis is needed when using cookies and similar technologies that involve the processing of a user’s personal data (e.g., where the information is linked or linkable to a particular user, IP address, device, or other particular identifier). Under this scenario, two available legal bases could be used, depending on the analysis of the concrete case: the data subject’s consent or the controller’s legitimate interest (in the case of essential cookies, for example).

KEY CONTACTS

Campos Mello Advogados

www.camposmello.adv.br/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Paula Mena Barreto
Partner

Campos Mello Advogados

T +55 21 3262 3028

paula.menabarreto@cmalaw.com

Manoela Quintas Esteves
Associate

Campos Mello Advogados

T +55 21 3262 3042

manoela.esteves@cmalaw.com


BRITISH VIRGIN ISLANDS

Last modified 24 January 2022

LAW

The British Virgin Islands’ Data Protection Act, 2021 (DPA) came into force on 9 July 2021.

The DPA is the primary legislation and the first legislative framework of its kind in the British Virgin Islands to govern how public and private bodies may process personal data. The law strives to promote transparency and accountability, bringing the British Virgin Islands in line with the UK and EU data protection standards.

DEFINITIONS

Definition of personal data

Personal data means any information in respect of commercial transactions which: (i) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose; (ii) is recorded with the intention that it should wholly or partly be processed by means of such equipment; or (iii) is recorded as part of a relevant filing system or with the intention, and in each case, that it should form part of a relevant filing system, that relates directly or indirectly to a data subject, who is identified or identifiable from that information, or from that or other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject.

Definition of sensitive personal data

Sensitive personal data means any personal data about a data subject’s:

physical or mental health;

sexual orientation;

political opinions;

religious beliefs or other beliefs of a similar nature;

criminal convictions, the commission or alleged commission of, an offence; or

any other personal data that may be prescribed as such under the DPA, from time to time.

Other key definitions

commercial transactions means any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking, and insurance

data processor, in relation to personal data, means a person who processes data on behalf of a data controller but does not include an employee of the data controller

data subject means a natural person, whether living or deceased


data controller means a person who, either alone or jointly, or in common with other persons, processes any personal data, or has control over, or authorises the processing of any personal data, but does not include a data processor

processing, in relation to personal data, means collecting, recording, holding, or storing the personal data or carrying out any operation or set of operations on the personal data, including the: (i) organisation, adaptation, or alteration of personal data; (ii) retrieval, consultation or use of personal data; (iii) disclosure of personal data by transmission, transfer, dissemination or otherwise making available; or (iv) alignment, combination, correction, erasure or destruction of personal data, and

NATIONAL DATA PROTECTION AUTHORITY

The supervisory authority under the DPA is the Office of the Information Commissioner.

Given the recent enactment of the DPA, the Office of the Information Commissioner has not yet been staffed.

REGISTRATION

There is currently no requirement for a data controller or a data processor to notify the Information Commissioner of their role or complete any registration.

DATA PROTECTION OFFICERS

There is no requirement under the DPA for a data protection officer to be appointed.

COLLECTION & PROCESSING

Data controllers are responsible for compliance with certain privacy and data protection principles applicable to the personal data they process. Data controllers are also responsible for ensuring that the principles are complied with where personal data is processed on the data controller’s behalf (e.g., by its vendors).

Under these principles:

a data controller shall not process personal data (other than sensitive personal data) without the express consent of the data subject, or transfer personal data outside of the British Virgin Islands without proof of adequate data protection safeguards or consent from the data subject, unless either of the Exceptions defined under the heading “Transfer” exists (the “General Principle”)

a data controller must inform a data subject of: (a) the purposes for processing; (b) information as to the source of the personal data; (c) the rights to request access to and correction of the personal data; (d) how to contact the data controller; (e) the class of third parties to whom the personal data will be disclosed; and (f) whether the data subject is obligated to supply the personal data, and if so, the consequences of not supplying same (the “Notice and Choice Principle”)

no personal data shall be disclosed without the consent of the data subject for any purposes other than the purpose for which the personal data was to be disclosed at the time of collection or to any party other than a third party of the class of third parties noted above (the “Disclosure Principle”)

a data controller must take practical steps to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration, or destruction by having regard to (a) the nature of the personal data and the harm that would result from any loss, misuse, etc.; (b) the place or location where the personal data is stored; (c) any security measures incorporated into any storage equipment; (d) the measures taken for ensuring the reliability, integrity, and competence of personnel having access to the personal data; and (e) the measures taken for ensuring the secure transfer of the personal data (the “Security Principle”)

personal data shall not be kept longer than is necessary for the fulfillment of the purpose of processing, and data controllers must take all reasonable steps to ensure that personal data is destroyed or permanently deleted if no longer required for the purpose for which it was to be processed (the “Retention Principle”)

a data controller shall take reasonable steps to ensure that personal data is accurate, complete, not misleading, and kept current (the “Data Integrity Principle”), and

data subjects shall be given access to their personal data and be able to request corrections where the personal data is inaccurate, incomplete, misleading, or not current (the “Access Principle”)


TRANSFER

As set out under the General Principle, transfers of personal data by a data controller or a data processor to countries or territories outside the British Virgin Islands are only permitted where that country or territory ensures an adequate level of protection of data protection safeguards in relation to the processing of personal data. This transfer restriction endeavors to ensure that the level of protection provided by the DPA is not circumvented by transferring personal data abroad.

The DPA also includes the following exceptions where the General Principle will not apply to a transfer:

if the data subject has consented to the transfer (where consent must be freely given, specific, informed, and unambiguous and must be capable of being withdrawn at any time)

where the transfer is necessary for the performance of a contract between the data subject and the data controller, or the taking of steps at the request of the data subject with a view to the data subject entering into a contract with the data controller

the transfer is necessary for the conclusion of a contract between the data controller and a person other than the data subject, being a contract that is entered into at the request of the data subject, or is in the interests of the data subject, or for the performance of such a contract;

the transfer is necessary for reasons of substantial public interest

the transfer is for a lawful purpose directly related to an activity of the data controller, is necessary for, or directly related to, that purpose, and the personal data is adequate but not excessive in relation to that purpose

the transfer is necessary in order to protect the vital interests of the data subject

the transfer is necessary for the administration of justice, or

the transfer is required for the exercise of any functions conferred on a person by law.

SECURITY

While the DPA does not specify any technical standards for data controllers to implement, the DPA requires a data controller, when processing personal data, to take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access, or disclosure, alteration or destruction (together, ‘Security Breach’) by having regard to the following matters:

the nature of the personal data and the harm that would result from a Security Breach

the place or location where the personal data is stored

any security measures incorporated into any equipment in which the personal data is stored

the measures taken for ensuring the reliability, integrity, and competence of personnel having access to the personal data, and

the measures taken for ensuring the secure transfer of the personal data

The DPA also requires, where a data processor carries out the processing of personal data on behalf of the data controller, the data controller (for the purpose of protecting the personal data from Security Breach) to ensure that the data processor:

provides sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

takes reasonable steps to ensure compliance with the above measures

BREACH NOTIFICATION

The DPA does not require data controllers to notify the Information Commissioner or the data subjects of personal data breaches.

However, notice requirements apply to data controllers that receive enforcement notices from the Information Commissioner. The DPA requires a public or private body to, as soon as practicable, and in any event within 30 days of complying with an enforcement notice from the Information Commissioner: (i) notify the data subject(s) concerned; and (ii) notify any person to whom the personal data was disclosed within the twelve months preceding the date of service of the enforcement notice (as determined by the Information Commissioner).

ENFORCEMENT

A breach of the DPA constitutes a criminal offence. Upon conviction, violators may be subject to a fine of up to US$100,000, imprisonment of up to five years, or both. A body corporate is punishable on conviction to a fine of up to US$500,000.

The Information Commissioner has broad investigative and corrective powers under the DPA, including the power to request and obtain information from parties subject to the law and to issue orders to carry out specific remediation activities.

The DPA provides for a private right of action where data subjects suffer damage or distress due to a breach of the DPA by a public or private body.

In addition, the DPA explicitly provides for personal liability in respect of offences committed by a body corporate where the offence is proven to have been committed with the consent or connivance of, or to be attributable to neglect on the part of, any director, secretary, or similar officer, or any person purporting to act in such capacity. Where the affairs of a body corporate are managed by its members, this personal liability also applies to the acts and defaults of a member in connection with the member’s function of management.

ELECTRONIC MARKETING

The DPA applies to “direct marketing”, which is the communication, by whatever means, of any advertising or marketing material that is directed to particular individuals and therefore includes electronic marketing.

Prior express consent is not required for the purposes of direct marketing. However, a data subject has an unconditional right to require the data controller to stop, or not to commence, the processing of any of their personal data for the purposes of direct marketing (i.e., an “opt-out” right).

ONLINE PRIVACY

There are no specific restrictions on online privacy in the DPA. However, the provisions of the DPA apply where a private body is a website operator that collects personal data.

KEY CONTACTS

Carey Olsen

www.careyolsen.com

Clinton Hempel
Partner

Carey Olsen

T +27 76 412 6091

clinton.hempel@careyolsen.com

Jude Hodge
Counsel

Carey Olsen

T +1 284 394 4034

jude.hodge@careyolsen.com


DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.


BRUNEI

Last modified 17 December 2021

LAW

At present there are no statutory or common law obligations that protect the privacy of information from which an individual can be directly or indirectly identified, save in respect of the banker-customer relationship, where banks are under a legal duty to keep customer information confidential.

However, with the publication of the Public Consultation Paper on Personal Data Protection for the Private Sector in Brunei Darussalam by the Authority for Info-communications Technology Industry of Brunei Darussalam on 20 May 2021 (“Public Consultation Paper”), it is anticipated that the Personal Data Protection Order (“PDPO”) will be enacted and come into force in the near future. Based on the Public Consultation Paper, which sets out in general terms the data protection framework under the PDPO, it is anticipated that the PDPO will introduce obligations on the part of private sector organizations with respect to collection, use, disclosure or other processing of individuals’ personal data and the rights of individuals in relation to the processing of their personal data.

DEFINITIONS

Definition of personal data

At present there is no legal definition.

It is anticipated that under the PDPO “personal data” will refer to data, whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which the organization has or is likely to have access.

Definition of sensitive personal data

At present there is no legal definition.

It is anticipated that the PDPO will not make a distinction between sensitive and non-sensitive personal data or define a category of “sensitive personal data”.

NATIONAL DATA PROTECTION AUTHORITY

At present nil.

It is anticipated that the PDPO will establish a national data protection authority referred to as the Responsible Authority.

REGISTRATION

At present no legal requirement.


It is anticipated that the PDPO will not have any registration requirements.

DATA PROTECTION OFFICERS

At present no legal requirement.

It is anticipated that the PDPO will require an organization to appoint a data protection officer who shall be responsible for ensuring that the organization complies with the PDPO and develops and implements policies and practices that are necessary to meet its obligations under the PDPO, including a process to receive complaints.

COLLECTION & PROCESSING

At present not a regulated activity.

Under the PDPO framework set out in the Public Consultation Paper, organizations may collect, use or disclose personal data about an individual for purposes that a reasonable person would consider appropriate in the circumstances.

It is anticipated that under the PDPO organizations may collect, use or disclose personal data where –

they have the prior consent of the individual; or

it is otherwise required or authorized by law; or

an exception in the PDPO applies.

Where consent is required, it is anticipated that the PDPO will not specifically prescribe the manner in which consent may be given and that the PDPO will recognize that consent may be explicit or implicit through an individual’s actions or inactions, depending on the circumstances, thereby allowing organizations flexibility as to how they obtain consent. That said, it is anticipated that the PDPO would require organizations to look to express consent as the first port of call and only rely on deemed consent or the exceptions to consent if obtaining consent is impractical or if they have otherwise failed to obtain express consent.

It is anticipated that under the PDPO consent must be validly obtained and consent would not be valid where:

consent is obtained as a condition of providing a product or service and such consent is beyond what is reasonable to provide the product or service to the individual; the principle being that organizations should not collect more personal data than is reasonable and necessary; and

where false or misleading information was provided in order to obtain or attempt to obtain the individual’s consent for collecting, using or disclosing his personal data.

As part of obtaining valid consent, it is anticipated that the PDPO will require organizations to provide the individual with information on:

the purposes for the collection, use or disclosure of his personal data, on or before collecting the personal data; and

any other purpose for the use or disclosure of personal data that has not been notified to the individual, before such use or disclosure of personal data.

Further, it is anticipated that fresh consent would be required where personal data collected is to be used for a different purpose from the one to which the individual originally consented.

TRANSFER

At present not a regulated activity.

It is anticipated that under the PDPO, an organization shall not transfer personal data to a country outside Brunei Darussalam except in accordance with requirements prescribed under the PDPO to ensure that the transferred personal data will be accorded a standard of protection that is comparable to that under the PDPO. It is not anticipated that such requirements prescribed by the PDPO will be as stringent and prescriptive as in other jurisdictions, for example the EU, and it is anticipated that the PDPO will place the onus on organizations to ensure that appropriate measures are taken to protect personal data transferred out of Brunei Darussalam through the imposition of contractual obligations or otherwise.

SECURITY

At present not a regulated activity save in relation to a “Financial Institution” – see Mandatory Breach Notification.

It is anticipated that under the PDPO, an organization must protect personal data in its possession or under its control by making reasonable security arrangements to prevent:

unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks; and

the loss of any storage medium or device on which personal data is stored.

It is anticipated that under the PDPO data intermediaries will also be subject to the same obligation to protect personal data in their possession.

It is anticipated that the PDPO will provide for a reasonable standard for such security measures, taking into account factors such as the nature and sensitivity of the data, the form in which personal data is stored and the impact to the individual if the personal data is subject to unauthorized access, disclosure or other risks. But it is not anticipated that the PDPO will stipulate specific security measures to be adopted and implemented by organizations and data intermediaries.

BREACH NOTIFICATION

Mandatory Breach Notification

At present no legal requirement save in relation to a “Financial Institution” (i.e. banks, insurance companies, moneylenders, pawnbrokers, moneychangers and securities service providers licensed in Brunei Darussalam).

It is anticipated that under the PDPO, organizations are required to, as soon as practicable, but in any case no later than 3 calendar days after the assessment, notify the Responsible Authority of a data breach that:

results in, or is likely to result in, significant harm to the individuals to whom any personal data affected by a data breach relates; or

is, or is likely to be, of a significant scale.

Organizations are also anticipated to be required to notify the affected individuals on or after notifying the Responsible Authority if the data breach results in, or is likely to result in, significant harm to an affected individual.

Further, it is anticipated that unreasonable delays in reporting breaches that cannot be justified will be considered a breach of the data breach notification obligation.

Where a data breach is discovered by a data intermediary, it is anticipated that under the PDPO, the data intermediary will be under a duty to notify the organization or the Responsible Authority of the data breach.

A Financial Institution is obliged to report to the Brunei Darussalam Central Bank, no later than 2 hours after confirmation, all instances of cyber intrusion, disruption, malfunction, error or cybersecurity issues on a Financial Institution’s system, server, network or end-point which have a severe or widespread impact on the operations and service delivery or have a material impact on the Financial Institution.

ENFORCEMENT

At present no enforcement authority.

It is anticipated that under the PDPO the Responsible Authority will administer and enforce the PDPO and will have the powers to do any of the following:

issue directions to organizations to:

stop collecting, using or disclosing personal data in contravention of the PDPO;

destroy personal data collected in contravention of the PDPO; or

provide access to or correct personal data.

impose a financial penalty of up to BND1 million or 10% of the annual turnover of an organization for negligent or intentional breach of the PDPO.

ELECTRONIC MARKETING

No legal requirement to have privacy policies.

ONLINE PRIVACY

No legal requirement to have privacy policies.

KEY CONTACTS

Abraham, Davidson & CO.

www.adcobrunei.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Linus Tan
Associate

Abraham, Davidson & CO.

T +673 2242840

linus_tan@adcobrunei.com

Elaiza Hanum Merican
Associate

Abraham, Davidson & CO.

T +673 2242840

elaiza@adcobrunei.com


BULGARIA

Last modified 22 December 2021

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A ‘Regulation’ (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related “to the offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or “the monitoring of their behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

Bulgaria implemented the EU Data Protection Directive 95/46/EC with the Personal Data Protection Act (In Bulgarian: Закон за защита на личните данни), promulgated in the State Gazette No. 1 of January 4, 2002, as amended periodically (Act). The Act came into force on January 1, 2002.

In view of the entry into force of Regulation (EU) 2016/679 (General Data Protection Regulation – ‘GDPR’), the Personal Data Protection Act was amended by a law for amendment and supplementation which was promulgated in the State Gazette No. 17 of February 26, 2019.

The Personal Data Protection Act as amended (hereinafter referred to as the ‘Personal Data Protection Act’) serves a twofold purpose – it effectively implements the GDPR into national legislation and also transposes Directive (EU) 2016/680 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.

The Personal Data Protection Act complements the GDPR by providing regulation to matters in the field of personal data processing that have not been explicitly covered by the GDPR, or where the GDPR has left room for the exercise of legislative discretion. As the regulation has direct effect and is applicable in all EU member-states without the need of adopting a designated legislative act, the Bulgarian legislator has adopted the approach of directly referring to and implementing the GDPR without repeating the core provisions of the regulation in the Personal Data Protection Act.

Under the Personal Data Protection Act the role of supervising authority is shared between the Commission for Personal Data Protection and the Inspectorate to the Supreme Judicial Council, the latter having competence only with regard to data processing by courts, prosecution offices and criminal investigative bodies in their capacity as judicial authorities. The Personal Data Protection Act further regulates the legal remedies in cases of violation of personal data law, the accreditation and certification in the field of personal data protection, the administrative liability and the administrative measures in cases of violations of its provisions.

DEFINITIONS

“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for “identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of “special categories” (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The GDPR is concerned with the “processing” of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a “controller” or a “processor”. The controller is the decision maker, the person who “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

Definition of personal data

The definition of personal data set forth before by the Personal Data Protection Act was repealed following the implementation of the GDPR and it explicitly refers to the definition of personal data under art. 4 of the GDPR (§1 of the Supplementary provisions of the Personal Data Protection Act).

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Definition of sensitive personal data

The Personal Data Protection Act refers explicitly to the definitions under the GDPR, which apply following its direct effect in all EU member states.

NATIONAL DATA PROTECTION AUTHORITY


Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the Cnil in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of “lead supervisory authority”. Where there is cross-border processing of personal data (ie, processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called “lead supervisory authority” (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

The Bulgarian data protection authority (DPA) is the Personal Data Protection Commission (In Bulgarian: Комисия за защита на личните данни, the ‘Commission’).

2 Professor Tsvetan Lazarov, Sofia 1592

Bulgaria

kzld@cpdp.bg

www.cpdp.bg

REGISTRATION

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.

The requirement for registration of data controllers before the Commission for Personal Data Protection was repealed with the implementation of the GDPR.

Pursuant to the Personal Data Protection Act, the Commission for Personal Data Protection maintains the following public registers:

register of data controllers and data processors who have appointed data protection officers, containing the name of the data controller/data processor, the name of the appointed data protection officer and its contact details;

register of the accredited certifying bodies under art. 14, containing information on the name and the contact details of the certifying body and on the period of validity of its accreditation;

register of codes of conduct, which includes the name of the code, the name of the editor and the relevant certification body, information about the sector concerned and its content.

The Commission shall also maintain (a) an internal register of established breaches of the GDPR and the Personal Data Protection Act, (b) a register of the measures taken in accordance with art. 58, para 2 of the GDPR, and (c) a register of the personal data destroyed on a monthly basis by providers of public electronic communication networks and / or services in accordance with art. 251g of the Electronic Communications Act. These registers, however, are not public.

In accordance with the Rules of Procedure of the Commission for Personal Data Protection and its Administration, the above-mentioned registers are held in electronic format and should be updated regularly.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

it is a public authority;

its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or

its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

to inform and advise on compliance with GDPR and other Union and Member State data protection laws;

to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;

to advise and monitor data protection impact assessments where requested; and

to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

The Personal Data Protection Act does not set an explicit requirement to appoint a data protection officer, thus the general requirement pursuant to the GDPR applies. Pursuant to the Personal Data Protection Act, data controllers are obliged to communicate the personal details and contact details of the DPO, as well as any subsequent replacements, before the Commission for Personal Data Protection, and will also have to publish their contact details. An approved notification form, which was recently updated by the Commission for Personal Data Protection, is available at the following website (only in Bulgarian language): https://www.cpdp.bg/userfiles/file/Documents_2020/UVEDOMLENIE_DLZD-KZLD

COLLECTION & PROCESSING

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the “purpose limitation principle”);

adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);

accurate and where necessary kept up-to-date (the “accuracy principle”);

kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the “storage limitation principle”); and

processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the “integrity and confidentiality principle”).

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

with the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be capable of being withdrawn at any time);

where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;

where necessary to comply with a legal obligation (of the EU) to which the controller is subject;

where necessary to protect the vital interests of the data subject or another person (generally recognised as being limited to ‘life or death’ scenarios, such as medical emergencies);

where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or

where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

with the explicit consent of the data subject;

where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;

where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;

in limited circumstances by certain not-for-profit bodies;

where processing relates to the personal data which are manifestly made public by the data subject;

where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;

where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;

where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment or the management of health or social care systems and services;

where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or

where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to ‘re-purpose’ personal data – ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

any link between the original purpose and the new purpose;

the context in which the data have been collected;

the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible);

the possible consequences of the new processing for the data subjects;

the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained:

the identity and contact details of the controller;

the data protection officer’s contact details (if there is one);

both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;

the recipients or categories of recipients of the personal data;

details of international transfers;

the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;

the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;

where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;

the consequences of failing to provide data necessary to enter into a contract;

the existence of any automated decision making and profiling and the consequences for the data subject; and

in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12, http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xls).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time.

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly affects him or her” is only permitted where:

a. necessary for entering into or performing a contract;

b. authorized by EU or Member State law; or

c. the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

The Personal Data Protection Act does not repeat the core provisions of the GDPR relating to collection and processing

of personal data in its body. However, following the direct effect of the GDPR in all EU member states, the provisions of

the regulation in this respect shall be applied in all cases of data collection and processing.. The Personal Data Protection

Act explicitly previews that in case the data subject provides his / her personal data to a data controller or a data

processor in breach of Art. 6, para (1) (legal grounds for processing) and Art. 5 (principles for data processing) GDPR, the

data controller / data processor should have to immediately return the data or delete / destroy the data within one month

of becoming aware of the breach (art. 25a of the Personal Data Protection Act).

The Personal Data Protection Act also introduces additional rules relating to specific data processing situations:

Conditions applicable to child’s consent in relation to information society services – The Personal Data Protection Act introduces a lower age of the data subject, under which the consent of a parent or a guardian would be required for the lawful processing of personal data of a child in cases of direct provision of information society services. Under the Personal Data Protection Act, if the data subject is under 14 years old, consent by a parent exercising the parental rights or by the guardian of the data subject is required for the lawful processing of the data.

Processing of personal identification number – Under the Personal Data Protection Act, public access to the personal identification number / personal identification number of a foreigner (‘PIN/PINF’) shall be granted only if required by law. Data controllers providing electronic services should undertake appropriate technical and organizational measures to prevent the PIN/PINF from being the sole identifier for the use of their services.

Processing and freedom of expression and information – Where personal data is processed for the exercise of freedom of expression and information, including for journalistic purposes and for the purposes of academic, artistic or literary expression, the data controller should assess the lawfulness of such processing in each particular case. The Personal Data Protection Act sets a number of assessment criteria to be used by data controllers/processors in the assessment of the lawfulness of processing, such as the type of the personal data processed, the impact of the public disclosure on the privacy of the data subject and his/her reputation, etc. However, the Bulgarian Constitutional Court (Decision Nr. 8 dated November 15, 2019) declared the assessment criteria set forth by the Personal Data Protection Act to be unconstitutional. More particularly, the criteria were found to be unclear, thereby creating unpredictability and legal uncertainty and disproportionally restricting the freedom of expression and information. Based on this decision, the above-mentioned criteria no longer apply. The balancing test between the freedom of expression and the right to information on the one hand and the protection of personal data on the other shall be made on a case-by-case basis, taking into consideration the specific circumstances and interests at stake. Further guidance in this respect was provided in a recent decision of the Supreme Administrative Court (Decision Nr. 11636 dated November 16, 2021), which clarified how the balance between these competing rights shall be assessed in each individual case.

Processing in the context of employment – The Personal Data Protection Act explicitly regulates certain matters related to personal data processing in the context of an employment relationship. Employers may take a copy of an employee’s identification documents, driving license or residence document only if required by law. In addition, according to a statement by the Commission for Personal Data Protection, information on the criminal background of employees can also be processed by employers only if explicitly provided for by law. Other legal grounds, such as consent or legitimate interest, cannot be applied for the processing of criminal records information. Most recently, the Commission for Personal Data Protection has adopted several opinions concerning the processing of employee health data by employers in the context of Covid-19; in particular, the latter provide that employers:

cannot request information from a remote-working employee on whether he/she (or any of his/her family members) has tested positive for Covid-19; such information can only be disclosed voluntarily by the employee;

may provide anonymized information to their employees about established Covid-19 cases in the company (i.e. without revealing the identity of the infected employee(s));

can order/organize Covid-19 group testing of employees, without processing or having access to the test results – since the latter contain sensitive health data, they can only be processed by competent health authorities;

may process only aggregated data on the vaccination status of employees, gathered voluntarily and on an anonymous basis by the appointed Labour Medicine Office (a third-party service provider in the field of occupational medicine that each employer shall appoint) for the purposes of risk assessment of the health and safety conditions at the workplace.

Employers should adopt rules and procedures for:

the use of a breach reporting system;

restrictions on the use of internal company resources;

the introduction of systems for access control, working time and labor discipline.

These rules and procedures shall contain information on the scope, obligations and methods with respect to their application. The Personal Data Protection Act recognizes that the business purpose of the employer and the nature of the related work processes shall have to be taken into account upon the adoption of the rules and procedures. The rules and procedures will have to be brought to the attention of the employees.

Employers shall further have to determine a retention period for the personal data collected during the recruitment process, which however may not be longer than six months, unless the candidate has consented to a longer period. Where the employer has, for recruitment purposes, requested original or notarized copies of documents certifying the physical and mental fitness of the applicant, the required degree, or the length of service in the previous positions occupied, the employer should return the submitted documents within six months of the conclusion of the recruitment procedure unless otherwise provided by specific law.

Personal data processing by way of large-scale surveillance of publicly accessible areas – Under the Personal Data Protection Act, data controllers and data processors shall adopt internal rules for the processing of personal data through systematic large-scale surveillance of publicly accessible areas, including via video surveillance. These rules should put in place appropriate technical and organizational measures to ensure the protection of data subjects’ rights and freedoms. The Personal Data Protection Act provides a definition for ‘large-scale’: a systematic monitoring and / or processing of personal data of an unlimited number of data subjects. The rules for personal data processing through large-scale surveillance of publicly accessible areas shall define the legal grounds and objectives for the introduction of a monitoring system, the location, scope and means of monitoring / surveillance, retention periods for the information records and their deletion, the right of review by the persons being subject to surveillance, the means of informing the public about the monitoring carried out, as well as the restrictions on granting access to such information to third parties. The minimum requirements for data controllers / data processors with respect to the aforementioned obligations shall be published on the website of the Commission for Personal Data Protection.

Processing of personal data of deceased persons – The Personal Data Protection Act stipulates that, when processing the personal data of deceased persons, data controllers shall have to take appropriate measures to prevent the rights and freedoms of others and the public interest from being adversely affected. In such cases, the data controller may retain the data only if there is a legal basis therefor. In addition, data controllers shall provide upon request access to the personal data of a deceased person, including a copy thereof, to his / her heirs or other persons with a legal interest.

TRANSFER

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)). Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, Korea, the United Kingdom, Eastern Republic of Uruguay and New Zealand.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The appropriate safeguards include, among others, binding corporate rules and standard contractual clauses. The EU – US Privacy Shield Framework was invalidated by the European Court of Justice with the so-called Schrems II Decision, thus it can no longer be used by data controllers and processors as a mechanism for cross-border data transfers from the EU to the US. On 4 June 2021 the European Commission adopted a new set of standard contractual clauses for transfers outside the EU/EEA. Data controllers and processors have until 27 December 2022 to renegotiate their existing data processing agreements based on the old set of standard contractual clauses in order to reflect the new clauses adopted by the European Commission.

The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.

The GDPR also includes a list of context-specific derogations, permitting transfers to third countries where:

a. explicit informed consent has been obtained;

b. the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;

c. the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;

d. the transfer is necessary for important reasons of public interest;

e. the transfer is necessary for the establishment, exercise or defence of legal claims;

f. the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or

g. the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognised or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.

The Personal Data Protection Act does not derogate from the provisions of the GDPR regarding data transfer and does not introduce any additional rules or requirements in this respect. Following the direct effect of the GDPR in all EU member states, the provisions of the regulation relating to this matter shall be applied in all cases of data transfer.

SECURITY

Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’ approach is therefore the antithesis of this requirement.

However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:

a. the pseudonymization and encryption of personal data;

b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

The Personal Data Protection Act does not derogate from the provisions of the GDPR regarding security of personal data and does not introduce any additional rules or requirements in this respect.

BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals and records concerned, the name of the organisation’s data protection officer or other contact, the likely consequences of the breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory authority) and permit audits of the record by the supervisory authority.

The Personal Data Protection Act does not derogate from the provisions of the GDPR regarding data breach notification and does not introduce any additional rules or requirements in this respect. Following the direct effect of the GDPR in all EU member states, the provisions of the regulation relating to this matter shall be observed. The Commission for Personal Data Protection has recently adopted a template of data breach notification, which controllers may use. The template is available online (https://www.cpdp.bg/userfiles/file/Documents_2021/UVEDOMLENIE%20po%20chl_%2033%20GDPR) in Bulgarian language only.

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that ‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinized carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on their subsidiaries in some circumstances (broadly where there is participation or control), so-called “look through” liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.

Fines are split into two broad categories.

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:

the basic principles for processing including conditions for consent;

data subjects’ rights;

international transfer restrictions;

any obligations imposed by Member State law for special cases such as processing employee data; and

certain orders of a supervisory authority.

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:

obligations of controllers and processors, including security and data breach notification obligations;

obligations of certification bodies; and

obligations of a monitoring body.

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.

data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

The functions of supervision and control of the compliance with the GDPR in Bulgaria are shared between the Commission for Personal Data Protection and the Inspectorate to the Supreme Judicial Council, the latter having competence only with regard to data processing by courts, prosecution offices and criminal investigative bodies in their capacity as judicial authorities.

The competences of the Commission are further defined by reference to art. 57 and 58 of the GDPR. Apart from performing the powers under the GDPR, the Commission is also entitled to:

analyze and carry out overall supervision and ensure compliance with the GDPR, the Personal Data Protection Act and the legislative acts in the area of personal data protection;

issue secondary legislation in the area of personal data protection;

ensure the implementation of the decisions of the European Commission on the protection of personal data and the implementation of binding decisions of the European Data Protection Supervisor;

participate in international cooperation between data protection authorities and international organizations on personal data protection issues;

participate in the negotiation and conclusion of bilateral or multilateral agreements on matters within its competence;

organize, coordinate and conduct training in the field of personal data protection;

issue administrative acts related to its authority in the cases provided for by law;

adopt criteria for the accreditation of certification bodies;

bring proceedings before the court for breach of the GDPR;

issue mandatory instructions, give instructions and recommendations regarding the protection of personal data;

impose coercive administrative measures.

The internal Rules of Procedure of the Commission further clarify its tasks, procedures and rules for the work of its administration, as well as the rules for the proceedings before the Commission.

The Personal Data Protection Act does not derogate from the provisions of the GDPR regarding administrative sanctions, but directly refers to the amounts of fines and pecuniary sanctions set out by the GDPR and the respective criteria for their determination. The Personal Data Protection Act specifies that all sanctions shall be imposed in the BGN equivalent of the EUR amounts set by the GDPR.

For other violations under the Personal Data Protection Act the data controller / data processor shall be subject to a fine or a pecuniary sanction of up to BGN 5000.

The Commission’s decisions are subject to appeal before the Administrative Court Sofia within 14 days of receipt. Decisions of the Administrative Court are subject to appeal before the Supreme Administrative Court, whose decisions are final.

In case of a violation of his / her rights under the GDPR and the Personal Data Protection Act, every data subject is entitled to refer the matter to the Commission for Personal Data Protection within one year of becoming aware of the breach, but no later than five years from the breach taking place. In addition, data subjects shall be entitled to appeal the actions and acts of the data controller / data processor directly before the administrative courts or the Supreme Administrative Court, except where there are pending proceedings before the Commission for the same matter or where a decision regarding the same breach has been appealed and there is not yet a court decision in force. The transfer or distribution of computer or system passwords which results in the illegitimate disclosure of personal data constitutes a crime under the Bulgarian Criminal Code (promulgated in the State Gazette No. 26 of April 2, 1968, as amended periodically) and the penalty for such a crime includes imprisonment for up to three years.

ELECTRONIC MARKETING

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (eg, an email address which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive 2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime, GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR. As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR standard for consent.

The Personal Data Protection Act does not introduce any rules relating specifically to e-marketing. As the legal grounds for processing of personal data under the GDPR are also applicable in the area of e-marketing, the explicit consent of the data subject is likely to be the most suitable ground for the purposes of e-marketing. In certain cases, such processing may also be justified by legitimate interest – according to Recital 47 of the GDPR, direct marketing could be based on legitimate interest, to the extent that: (i) it is targeted only to existing customers; and (ii) the customers can reasonably expect to receive direct e-marketing communications. Still, the possibility to rely on legitimate interest for the purposes of e-marketing would need to be assessed on a case-by-case basis.

In addition, although the provision of the Personal Data Protection Act regulating the right of the data subject to object to any data processing for the purposes of direct marketing has been repealed and the Act does not explicitly refer to the respective provision of the GDPR, following the direct effect of the regulation, data subjects shall still be entitled to object before the data controller or the data processor to their personal data being processed for the purposes of e-marketing.

The Bulgarian Electronic Communications Act explicitly requires, when it comes to direct marketing to natural persons, the opt-in mechanism to be mandatorily applied. After the natural person’s consent is provided, the person shall always be given the opportunity to opt out from the direct marketing network and refuse his / her personal data to be further processed for such purposes.

ONLINE PRIVACY

Directive 2002/58 (E-Privacy Directive) is transposed into the Bulgarian Electronic Commerce Act. In 2011 the intention of the legislator was to introduce the amendments to Art. 5(3) under Directive 2009/136. However, the final adopted text still replicates the old wording from before Directive 2009/136. The amendment itself was widely interpreted as implementing the text of Directive 2009/136 without, however, introducing the updated text.

Currently, instead of requiring the user’s consent, the relevant text in the Electronic Commerce Act states that users should be provided with clear and comprehensive information in accordance with Art. 13 of the GDPR and they must be given the opportunity to refuse the storage of or access to such information (i.e. an opt-out regime).

KEY CONTACTS

Wolf Theiss
www.wolftheiss.com/

Anna Rizova
Partner
Wolf Theiss
T +359 2 8613703
anna.rizova@wolftheiss.com

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

BURKINA FASO

Last modified 10 January 2022

LAW

The data protection regime in Burkina Faso is governed by the following laws and regulations:

Law No. 001-2021 of March 30, 2021 on the protection of persons with regard to the processing of personal data;

Law 010-2004/AN on the protection of personal data;

Decree No. 2007-283/PRES/PM/MPDH of 18 May 2007 regarding the organisation and functioning of the Commission de l’Informatique et des Libertés;

Decree No. 2007-757/PRES/PM/MPDH/MEF appointing the members of the Commission de l’Informatique et des Libertés; and

Order No. 2008/001/CIL fixing the internal regulations of the Commission de l’Informatique et des Libertés.

Burkina Faso has also adopted, on 22 November 2013, the Marrakech resolution issued by the French-speaking association of data protection authorities relating to the procedure for the supervision of transfers of personal data in the French-speaking world by means of binding corporate rules.

DEFINITIONS

Definition of Personal Data

Any information that allows, in any form whatsoever, directly or indirectly, the identification of natural persons, in particular by reference to an identification number or to several characteristics specific to their physical, psychological, mental, economic, cultural or social identity (Article 5 of the Law).

Definition of Sensitive Personal Data

Any personal data relating to the data subject’s health or that reveal racial or ethnic origins, political, philosophical or religious opinions, union membership, morals, investigation and prosecution of offenders, criminal or administrative penalties, related security measures or other measures of a similar nature (Article 5 of the Law).

NATIONAL DATA PROTECTION AUTHORITY

The Burkina Faso’s data protection authority is the Commission de l’Informatique et des Libertés (‘ ‘). CIL

The CIL draws its membership from various segments of society. It is charged with:

making individual or regulatory decisions in cases provided for under the law

assisting with data processing inspections and obtaining all information and documents needed for its mission

issuing model rules to ensure security; and where appropriate, prescribing safety measures including the destruction of

information

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Burkina Faso 181 | | | www.dlapiperdataprotection.com

issuing enforcement notices to data controllers and sharing with the prosecutor’s office the offenses of which the body is

aware

ensuring that the implementation of the rights of access and rectification indicated in the acts and declarations does not

impede the free exercise of this law

receiving complaints and petitions

keeping abreast of the latest technological developments and of their effects on the right to the protection of privacy, the

exercise of freedoms, and the functioning of democratic institutions

advising individuals and organisations that use automated processing, or who carry out tests or experiments likely to lead

to such processing

responding to requests for public opinion

proposing legislation or regulations to the Government to adapt the protection of freedoms to technological evolution

REGISTRATION

There is no country-wide system of registration in Burkina Faso. However, the law imposes an obligation of notification and annual

reporting to the national data protection authority. These annual reports describe the activity of those responsible for personal

data during the year concerned.

DATA PROTECTION OFFICERS

We have not identified any obligation to appoint a data protection officer (‘DPO’) or any other equivalent role in the law.

COLLECTION & PROCESSING

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. These

include:

consent and legitimacy: unless otherwise provided by law, data controllers are obligated to obtain consent from the

data subject

purpose: personal data can only be collected and processed for a specific and legitimate purpose

proportionality and relevance: personal data must only be processed in a relevant and necessary manner regarding

the purpose and objectives of the processing

lawfulness and fairness: data controllers must collect and process data in a fair, lawful, and not fraudulent manner

data retention: a specified period of time should be determined in advance depending on the purpose of processing to

ensure that personal data is not stored indefinitely.

security and confidentiality: all responsible persons for processing personal data must not only ensure the security of

data or files to prevent their destruction, or alteration; but also prevent unauthorised access to personal data contained in

a file or intended to form part of the files

preliminary formalities: unless an exception or exemption is provided by law, all data controllers must, depending on the

nature of the processing, notify the CIL, seek its opinion, or obtain its approval.

Except where provided otherwise by the law, any processing of personal data shall be carried out with the express consent of the

data subject(s). 

The processing of personal data can legally be carried out without the consent of the data subject(s), when it is necessary for:

the performance of a contract to which the data subject is a party; or

pre-contractual measures taken at the request of the data subject;

compliance with a legal obligation to which the controller is subject and when the processing is essential to protect the life

of the data subject or that of a third party;

the purposes of preventive medicine, medical diagnosis, the administration of care or treatment, or the management of

health services, provided that it is carried out by a member of a health profession or by another person who, by reason of

his/her duties, is bound by professional secrecy;

the establishment of an offence or a right, or the exercise or defence of a right in a court of law, and when the said

processing relates to data made public by the data subject.

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information

about how the data have been used by the controller. They may require inaccurate or incomplete personal data to be corrected

or completed without undue delay.

Data subjects may request erasure of their personal data. They have the right to object to processing carried out on the legal basis

of the legitimate interests of the data controller or where processing is in the public interest. Controllers must then suspend

processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the

rights of the data subject.

Unless an authorisation is required, the law provides that controllers should notify all processing to the CIL. The following are

exempt from the notification requirement to CIL:

temporary copies that are made as part of the technical activities of transmission and provision of access to a digital

network for the purpose of automatic intermediate and transitory storage of data for the sole purpose of allowing other

recipients of the service the best possible access to the information;

processing carried out by a natural person for the exercise of exclusively personal or domestic activities;

disclosed to third parties and not used to support actions or decisions against an individual;

automated processing of personal data for the purpose of research in the field of health;

automated processing of personal data carried out on behalf of the State, a public institution, a local authority or a legal

person under private law managing a public service. 

With respect to day-to-day processing of data which do not infringe on privacy or freedoms, the Law provides that the CIL

establishes and publishes ‘simplified norms,’ which shall include certain information, including:

the date of the declaration;

the full name and address or the name and headquarters of the person making the request and the person who has the

power to decide on the creation of the data processing (data controller) or, if he or she resides abroad, his or her

representative in Burkina Faso;

the characteristics, purpose and, if applicable, the name of the data processing operation;

the department or departments responsible for carrying out the processing;

the department to which the right of access is to be exercised and the measures taken to facilitate the exercise of this

right

the categories of persons who, by reason of their functions or for the needs of the service, have direct access to the

information recorded;

the personal information processed, its origin and the length of time it is kept, as well as the recipients or categories of

recipients authorized to receive this information;

the reconciliation, interconnection or any other form of linking of this information as well as its transfer to third parties;

the measures taken to ensure the security of data and information processing and the guarantee of secrets protected by

law;

if the data processing is intended for the dispatch of personal data between the territory of Burkina Faso and abroad in

any form whatsoever, including when it is the object of operations partially carried out on the territory of Burkina Faso

from operations previously carried out outside Burkina Faso. 

When processing complies with a simplified norm issued by the CIL, no authorisation or notification is required; only a

‘simplified declaration of conformity’ to the said norm is required. The simplified declaration of conformity shall be sent to the

CIL. Unless otherwise decided by the CIL, a receipt is issued without delay after the simplified declaration of conformity has been

sent to the CIL. From receipt of this receipt, the applicant can start carrying out the processing.

Except in cases where they are to be authorised by law, automated processing of personal data carried out on behalf of the State,

or on behalf of any public institution, local authority, or on behalf of a private legal person operating a public service, must be

authorised by decree after the CIL’s approval. In the case of a negative opinion by the CIL, an appeal can be lodged to the

Administrative Supreme Court (Conseil d’Etat).


TRANSFER

The provisions of the Law pertaining to international transfers are broadly drafted. 

According to said provisions, international transfers cannot be made without the respect of the following conditions:

obtaining the authorisation of the CIL;

signing with the contracting party a data confidentiality clause and a data reversibility clause, in order to facilitate the

complete migration of the data at the end of the contract;

implementing technical and organisational security measures.

Additionally, the transfer can only be made to a foreign country or an international organisation if the beneficiary country or

international organisation ensures an adequate level of protection equal to the one ensured in Burkina Faso (Article 42 of the

law). 

As a signatory to the Marrakech Resolution of 22 November 2013, Burkina Faso recognises the application of the French-speaking

RCE, which consist of a code of conduct by which a group of companies defines its internal policy on the transfer of personal data.

The RCE are based on and designed after the model of the European Commission’s binding corporate rules (‘BCR’).

In practice, the RCE mechanism concerns the authorities of the AFAPDP member countries that have adopted the cooperation

protocol and the resolution on the framework for data transfers in the French-speaking area. This concerns at least the

following 13 countries: Albania, Andorra, Belgium, Benin, Burkina Faso, France, Gabon, Luxembourg, Mauritius, Morocco, Senegal,

Switzerland and Tunisia.

The RCE cover intra-group transfers of personal data carried out by a company established in an AFAPDP member country, to

other companies of the group, whether the latter are located in an AFAPDP member country or not.

SECURITY

The personal data Act is not prescriptive about specific technical standards or measures.

However, Article 24 states that the data controller shall take all necessary measures, in view of the nature of the data and the

architecture of the processing, in particular to prevent the data from being distorted, damaged, lost, stolen or accessed by

unauthorised parties.

BREACH NOTIFICATION

Not applicable.

Mandatory breach notification

We have not identified, in the law, any general obligation to notify the data subject in the case of a security breach. However,

Article 21 of the law provides that in the event where ‘information has been transmitted by mistake to a third party, its

rectification or cancellation shall be notified to that third party, unless an exemption is granted by the control authority’ (i.e. the

CIL).

ENFORCEMENT

As of 14 December 2021, we have not identified any notable enforcement decision issued by the CIL pertaining to the law.

ELECTRONIC MARKETING

The personal data Act will apply to most electronic marketing activities, as these will involve some use of personal data (eg, an

email address which includes the recipient’s name). 

The general rule for electronic marketing is that it requires the express consent of the recipient (see Article 49 of Law No.

045-2009/AN of November 10, 2009 regulating electronic services and transactions in Burkina Faso and Article 14 of the personal

data Act).

Even when a marketer has the consent of a data subject, that consent can be withdrawn by the data subject under Article 20 of

the Personal Data Act.

The data subject has the right to object at any time to the use of his/her personal data for such marketing. 

This right to object must be explicitly brought to the attention of the data controller. 

However, the data controller may not respond favourably to a request to exercise the right to object if it demonstrates the

existence of legitimate reasons justifying the processing, which override the interests, fundamental rights and freedoms of the data

subject.

ONLINE PRIVACY

The Law does not provide any specific rules governing cookies and location data.

However, pursuant to Article 10 of the Law, the data controller must implement all appropriate technical and organisational measures to

preserve the security and confidentiality of the data, including protecting the data against accidental or unlawful destruction,

accidental loss, alteration, distribution or access by unauthorised persons.

KEY CONTACTS

Geni & Kebe

www.dlapiperafrica.com/senegal

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Dr. Sangare Mouhamoud
Associate

Geni & Kebe

T +2250779107541

m.sangare@gsklaw.sn

Dr. Francky Lukanda
Senior Associate

Geni & Kebe

T +2250584344660

f.lukanda@gsklaw.sn


BURUNDI

Last modified 28 January 2019

LAW

Burundi does not have a law that specifically regulates personal data protection. However, several laws and regulations currently in

force contain data protection provisions or impose confidentiality obligations on specific types of personal information. For

example, employment, banking, telecommunications and health sector laws impose some data protection requirements. Such

provisions generally require covered entities to maintain the confidentiality of personal information.

Under Law n° 1/012 of May 30, 2018 on the Code of Health Care and Health Services Provision in Burundi, healthcare

institutions are required to maintain the confidentiality of patient information, unless confidentiality is waived in cases

provided for by law.

Law No. 1/17 of August 22, 2017 governing banking activities: Article 133 imposes confidentiality obligations on customer

and account information. This article provides that any person who contributes to the operation, control or supervision

of a banking institution is bound to professional secrecy. Violations are enforced under penal code provisions without

prejudice to disciplinary proceedings.

Several Ministerial Orders applicable to the telecommunications sector have been adopted to protect the privacy of and

restrict access to and interception of the contents of communications (Legislative Decree No. 100/153 of June 17, 2013

on the Regulation of the Control and Taxation System for International Telephone Communications entering Burundi;

Decree-Law No. 100/112 of April 5, 2012 on the Reorganization and Operation of the Telecommunications Regulatory

and Control Agency ‘ARCT’; Ministerial Ordinance No. 730/1056 of November 7, 2007 on the interconnection of

telecommunications networks and services opened to the public).

DEFINITIONS

Definition of personal data

Not specifically defined. 

Definition of sensitive personal data

Not specifically defined.

NATIONAL DATA PROTECTION AUTHORITY

There is no national data protection authority in Burundi.

REGISTRATION


There is no requirement to register databases.

DATA PROTECTION OFFICERS

There is no requirement to appoint a data protection officer.

COLLECTION & PROCESSING

Most sector specific laws and regulations that impose confidentiality and data protection requirements apply to covered entities

under the law or regulation, and require such entities to maintain the confidentiality of personal information during processing.

TRANSFER

No geographic transfer restrictions apply in Burundi. Certain sector specific provisions require companies to obtain consent prior

to third party transfers of personal information. Notably, under Article 16 of Law n ° 1/012 of May 30, 2018 on the Code of

Health Care and Health Services Provision in Burundi, “every patient has the right to decide on the use of the medical information

concerning him and the conditions under which they may be transmitted to third parties.”

SECURITY

There are no specific data security requirements in Burundi.

BREACH NOTIFICATION

There are no breach notification requirements in Burundi.

ENFORCEMENT

The relevant sector specific agency or regulator is generally authorized to enforce violations of confidentiality requirements.

ELECTRONIC MARKETING

There are no specific electronic marketing requirements in Burundi.

ONLINE PRIVACY

There are no specific online privacy requirements in Burundi.

KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Claver Nigarura
Managing Partner

Rubeya & Co-Advocates

T +257 22 24 89 10

claver@rubeya.bi


CAMBODIA

Last modified 17 December 2021

LAW

Cambodia has not yet enacted any comprehensive data protection legislation.

The most recent update to the country’s data protection landscape has come in the form of the E-Commerce Law, which contains

provisions for the protection of consumer data that has been gathered over the course of electronic communications. The

E-Commerce Law is thereby restricted in scope to virtual and/or digital data protection.

Other matters pertaining to data protection typically fall under the right to privacy, which is protected in broad terms under the

Constitution of the Kingdom of Cambodia 2010, the Civil Code of Cambodia 2007, and the Criminal Code of the Kingdom of

Cambodia 2009.

DEFINITIONS

Definition of Personal Data

Cambodian law does not specifically define the term “personal data,” or discuss what specific information constitutes personal

data.

The E-commerce Law defines the term “data” as “a group of numbers, characters, symbols, messages, images, sounds, videos,

information or electronic programs that are prepared in a form suitable for use in a database or an electronic system”.

Due to the absence of a definition of “personal data”, it remains plausible that any data of a data subject may be viewed by the

regulatory and enforcement authorities as personal data of that data subject. Therefore, conventional data, such as full names,

national identification numbers, passport numbers, photographs, video, images, phone numbers, personal email addresses,

biometric data, IP addresses, and other network identifiers, etc., may arguably constitute personal data.

Definition of Sensitive Personal Data

There is no express definition of what constitutes sensitive personal data. That said, based on laws applicable to persons and

entities in other sectors (such as doctors and banks), the types of data below are generally considered to be of a more sensitive

nature, and thus should be handled with more stringent data protection mechanisms:

medical data

financial data

personal data of children, and

personal identifiers (e.g., national identification cards and passport details).

As there is no clear limit as to the scope of what may be considered sensitive data, any data of a data subject should be prudently

treated as sensitive data to the greatest extent possible.


NATIONAL DATA PROTECTION AUTHORITY

Since Cambodia does not have any dedicated laws on data protection, there are no regulatory or enforcement authorities that are

specifically tasked with handling, overseeing or implementing personal data protection matters in Cambodia.

That said, the following governmental bodies may have substantial powers over data protection matters:

the Ministry of Commerce (“MOC”)

the Ministry of Post and Telecommunications (“MPTC”), and

the Ministry of Interior (“MOI”).

REGISTRATION

Since Cambodia does not have any dedicated laws on data protection, there are no specific registration requirements for data

protection. However, “Electronic Commerce Service Providers” and “Intermediaries” (in an e-commerce context), who would

likely store, process and transfer the data of the data subjects, must register with the MOC and MPTC.

Under the E-Commerce Law, “Electronic Commerce Service Providers” are defined as persons who use electronic means to

supply goods and/or services, except insurance institutions, and an “Intermediary” is broadly defined as a person who provides

services of sending, receiving, transmitting or storing, either on a temporary or permanent basis, electronic communications, or

other services relating to electronic communications, including persons who represent the originators; persons providing means of

seeking any data in an electronic system; persons providing online marketing and online commercial services; and other persons as

specified under the E-Commerce Law.

DATA PROTECTION OFFICERS

Since Cambodia does not have any dedicated laws on data protection, there are no specific requirements in Cambodia to appoint

data protection officers who are specifically tasked with handling, overseeing or implementing data protection matters in

Cambodia.

COLLECTION & PROCESSING

As Cambodia has not enacted any dedicated or comprehensive data protection laws, there are no laws or regulations in Cambodia

that explicitly and specifically discuss the concept of collection and processing of data.

Based on Cambodia’s existing legal framework for data privacy, seven data protection obligations are either implied or explicitly

imposed. Those obligations are discussed below.

1. Consent Obligation: Obtain consent from the individual before collecting, using, or disclosing his/her personal data for a

purpose. Organizations should allow an individual who previously gave consent to withdraw his/her consent.

2. Purpose Limitation Obligation: Collect, use, or disclose personal data about an individual only for purposes that are

reasonable and that have been disclosed/notified to the individual concerned.

3. Disclosure/Notification Obligation: Disclose to or notify the individual of the purpose(s) for which the organization

intends to collect, use or disclose the individual’s personal data on or before such collection, use or disclosure of the

personal data. The purposes notified must be reasonable.

4. Correction Obligation: Correct any incorrect or inaccurate personal data of a data subject that is in the possession or

under the control of the organization upon request of the data subject.

5. Access Obligation: Allow data subjects to access their personal data in the possession or under the control of an

organization for correcting the information under the Correction Obligation.

6. Protection Obligation: Protect personal data in its possession or under its control by taking necessary measures to

prevent loss, unauthorized access, use, alteration, leak, disclosure, or otherwise.

7. Retention Obligation: Retain all personal data that is in its system, and that may give rise to civil and criminal liability.

TRANSFER


While Cambodian law does not explicitly prohibit an organization from transferring data, it implies a disclosure/notification

obligation under its existing legal framework for data protection. Personal data can only be collected, used, or disclosed for

purposes that the individual understands and has given consent to at the time of giving initial consent or a new consent. Such

purposes must be disclosed or notified to data subjects in a reasonable manner based on the circumstances.

Where the use and disclosure of the personal data is for a purpose different from that for which it was initially collected, it is

necessary to notify the individual of the new purpose and obtain a new consent unless:

the new purpose is within the scope of the original consent, or

implied consent can be established.

Implied consent refers to any act that is generally recognized as consent under applicable trade practices. However, it is

recommended that a new consent that is express and written be obtained once service providers use or disclose personal data for

a purpose different from that for which it was collected.

When a service provider is seeking consent from the data subject, the service provider must disclose or notify the data subjects of

the purpose(s) for which it intends to collect, use or disclose the data subjects’ personal data before such collection, use or

disclosure of the personal data. Cambodia’s laws related to data protection do not prescribe how an organization should notify

individuals. Organizations must determine what would be the most appropriate form of notification. The form of the

disclosure/notification to obtain each data subject’s consent should be as close to a formal contract as possible. Moreover,

requirements such as clicking on the consent button, typing a full legal name for the signature, and/or scrolling through all terms of

the disclosure/notification should be implemented. Furthermore, disclosures/notifications to the individuals regarding the purpose

of the collection, use, and disclosure of personal data must not be too vague or broad in scope; an appropriate level of specificity

should be provided.

Therefore, where the organization will be disclosing or transferring personal data to third parties, the organization should notify

the individuals of such disclosure or transfer. Any consent provided by the individual without first being disclosed or notified of the

purposes would not be valid.

SECURITY

Article 32 of the E-Commerce Law directly addresses matters of data protection in the course of electronic communication.

Service providers that electronically store consumers’ private information must take all reasonable security measures to avoid

loss, modification, leakage, and/or unauthorized disclosure of all consumer data. The E-Commerce Law notes, however, that

disclosures are allowable with the consent of authorities, or with the consent of the individual whose data is being disclosed. The

E-Commerce Law does not provide specific guidelines as to how or what mechanisms are required. Any measures may be used as

long as they reasonably protect the data from loss, or from unauthorized or unlawful access, use, alteration, or

disclosure.

The E-Commerce Law also prohibits any encryption of data that may be used as evidence for any accusation or offence. This

obligation potentially allows governmental authorities to order the decryption of data implicated in an investigation.

The E-Commerce Law also makes a blanket prohibition on certain forms of cybercrime, including interference with any electronic

system for the purpose of accessing, downloading, copying, extracting, leaking, deleting, or otherwise modifying any stored data in

bad faith or without authorized permission.

Where a service provider falls outside the scope of the E-Commerce Law, the obligations under the laws of general application

that require the consent of data subjects when collecting, using, disclosing, and processing data imply that the service provider

still needs to protect the data from any unauthorized acts.

BREACH NOTIFICATION

There is no breach notification requirement under Cambodian law.


ENFORCEMENT

Since there are no regulatory or enforcement authorities that are specifically tasked with handling, overseeing or implementing

personal data protection matters in Cambodia, the enforcement of the data protection would generally fall under the auspice of

authorities across various sectors:

the Ministry of Commerce

the Ministry of Post and Telecommunications, and

the Ministry of Interior.

ELECTRONIC MARKETING

Since Cambodia does not have any dedicated laws on data protection, there are no special requirements when obtaining consent

for marketing purposes. The E-commerce Law suggests that it is not necessary to obtain consent from the individual to send

marketing communications as long as each marketing communication has clear and straightforward opt-out instructions and the

individual has not previously exercised his/her opt-out right. Electronic marketing in Cambodia is subject to the general laws

relating to digital marketing issues including:

Law on Consumer Protection, which prohibits “unfair practices” in relation to consumer transactions. Unfair practices

include unfair sales; bait advertising; unfair solicitation sales; demanding or accepting payments without intention to supply

goods or services per the purchase order; making a false claim or representation of some business activity; coercion by

force and mental threats; pyramid schemes; selling goods bearing a false trade description; and any other unfair practices.

Law Concerning Marks, Tradenames and Acts of Unfair Competition, which is relevant to comparative advertising. The following

acts are considered acts of unfair competition: all acts that create confusion with the establishment, the goods, or the

industrial, commercial or service activities of a competitor; false allegations in the course of trade of such a nature as to

discredit the establishment, the goods, or the industrial, commercial or service activities of a competitor; and indications

or allegations of the use of marks which, in the course of trade, mislead the public as to the nature, manufacturing

process, characteristics, suitability for their purpose, or quantity of the goods.

Telecommunications Law, prohibiting all activities against the principles of fair, free, equal, and effective competition.

Other regulations on the Management of Advertisement on Website, Social Network, Mass Media and Mobile Phone

Operators.

ONLINE PRIVACY

As mentioned under Transfer, personal data can only be collected, used, or disclosed for purposes that the individual understands

and has given consent to at the time of giving initial consent or a new consent. Such purposes must be disclosed or notified to data

subjects in a reasonable manner based on the circumstances. That said, any personal data, including location data, can only be

collected and shared online through website cookies after the organization obtains consent from the data subject.

For obtaining consent from the data subject, please refer to the Transfer section.


KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Jay Cohen
Partner and Director of Cambodian Office

Tilleke & Gibbins (Cambodia) Ltd

T (+855) 17 87 57 238

jay.c@tilleke.com

Sochanmalisphoung Vannavuth
Associate

Tilleke & Gibbins (Cambodia) Ltd

T (+855) 10 61 65 91

sochanmalisphoung.v@tilleke.com


CANADA

Last modified 24 January 2022

LAW

In Canada there are 28 federal, provincial and territorial privacy statutes (excluding statutory torts, privacy requirements under other legislation, federal anti-spam legislation, criminal code provisions etc.) that govern the protection of personal information in the private, public and health sectors. Although each statute varies in scope, substantive requirements, remedies and enforcement provisions, they all set out a comprehensive regime for the collection, use and disclosure of personal information.

The summary below focuses on Canada’s private sector privacy statutes:

Personal Information Protection and Electronic Documents Act (‘PIPEDA’)

Personal Information Protection Act (Alberta) (‘PIPA Alberta’)

Personal Information Protection Act (British Columbia) (‘PIPA BC’)

An Act Respecting the Protection of Personal Information in the Private Sector (‘Quebec Privacy Act’)

(collectively, ‘Canadian Privacy Statutes’)

We expect PIPEDA to be significantly amended or replaced by a new federal statute sometime during this session of Parliament (before October 2025). In the previous session of Parliament, the federal government introduced Bill C-11, which would have replaced PIPEDA with the Consumer Privacy Protection Act (‘CPPA’). The CPPA made it to second reading, but died on the order paper when the 2021 Federal Election was called. The CPPA would have provided additional rights to data subjects (e.g. portability of data), expanded the requirements for valid data subject consent, and set out new monetary penalties of up to 5% of annual global revenue. Bill C-11 faced significant debate, but we expect a new version of the bill to be introduced at some point during this session of Parliament as the Federal Government seeks to align Canadian privacy law with that of California and the European Union.

PIPEDA applies to all of the following:

Consumer and employee personal information practices of organizations that are deemed to be a ‘federal work, undertaking or business’ (e.g. banks, telecommunications companies, airlines, railways, and other interprovincial undertakings)

Organizations that collect, use and disclose personal information in the course of a commercial activity which takes place within a province, unless the province has enacted ‘substantially similar’ legislation (PIPA BC, PIPA Alberta and the Quebec Privacy Act have been deemed ‘substantially similar’)

Interprovincial and international collection, use and disclosure of personal information in connection with commercial activity

PIPA BC, PIPA Alberta and the Quebec Privacy Act apply to both consumer and employee personal information practices of organizations within BC, Alberta and Quebec, respectively, that are not otherwise governed by PIPEDA.

The province of Quebec recently enacted a major reform of its privacy legislation with the adoption of Bill 64. Bill 64 received Royal Assent on September 22, 2021, and its various provisions will be coming into force gradually between 2022 and 2024. With Bill 64’s changes, Quebec now has a modern legal framework for privacy that resembles the European GDPR in several key areas.

DEFINITIONS

Definition of personal data

‘Personal information’ includes any information about an identifiable individual (business contact information is expressly “carved out” of the definition of ‘personal information’ in some Canadian privacy statutes).

The Quebec Privacy Act, as modified by Bill 64, has broadened the definition of “personal information” to include any information that allows an individual to be identified indirectly as well as directly.

Definition of sensitive personal data

Not specifically defined in Canadian Privacy Statutes, except for the Quebec Privacy Act.

The Quebec Privacy Act, as modified by Bill 64, defines “sensitive personal information” as any information that, by virtue of its nature (e.g. biometric or medical), or because of the context in which it is used or communicated, warrants a high expectation of privacy. The Quebec Privacy Act has stricter consent requirements in certain situations for the use and communication of personal information qualified as sensitive.

Definition of anonymized information

The Quebec Privacy Act, as modified by Bill 64, defines “de-personalized information” as any information which no longer allows the concerned individual to be identified directly.

Definition of biometric information

The Quebec CAI defines “biometric information” as information measured from a person’s unique physical, behavioural or biological characteristics.

NATIONAL DATA PROTECTION AUTHORITY


REGISTRATION

There is no general registration requirement under Canadian Privacy Statutes.

Some registration requirements exist under Quebec privacy laws:

Personal information agents, defined as “any person who, on a commercial basis, personally or through a representative, establishes files on other persons and prepares and communicates to third parties credit reports”, must be registered with the CAI

Databases of biometric information must be disclosed to and registered with the CAI

DATA PROTECTION OFFICERS

PIPEDA, PIPA Alberta, and PIPA BC expressly require organizations to appoint an individual responsible for compliance with the obligations under the respective statutes.

Starting September 22, 2023, the Quebec Privacy Act, as modified by Bill 64, will require organizations to appoint a person responsible for the protection of personal information, who is in charge of ensuring compliance with privacy laws within the organization. By default, the person with the highest authority within the organization will be the person responsible for the protection of personal information; however, this function can be delegated to any person, including a person outside of the organization.

This person’s responsibilities are broadly defined in the law and include:

Approval of the organization’s privacy policy and practices

Mandatory privacy assessments

Responding to and reporting security breaches, and

Responding to and enacting access and rectification rights

The contact information of the person responsible for the protection of personal information must be published online on the website of the organization.

COLLECTION & PROCESSING

Canadian Privacy Statutes set out the overriding obligation that organizations only collect, use and disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

Subject to certain limited exceptions prescribed in the Acts, consent is required for the collection, use and disclosure of personal information. Depending on the sensitivity of the personal information, consent may be opt-in or opt-out. Under the Quebec Privacy Act, consent must be “manifest, free, and enlightened”, and implicit or opt-out consent is generally not considered valid.

Organizations must limit the collection of personal information to that which is necessary to fulfil the identified purposes and only retain such personal information for as long as necessary to fulfil the purposes for which it was collected.

Each of the Canadian Privacy Statutes has both notice and openness/transparency requirements. With respect to notice, organizations are generally required to identify the purposes for which personal information is collected at or before the time the information is collected. With respect to openness/transparency, Canadian Privacy Statutes generally require organizations to make information about their personal information practices readily available.

All Canadian Privacy Statutes contain obligations on organizations to ensure personal information in their records is accurate and complete, particularly where the information is used to make a decision about the individual to whom the information relates or if the information is likely to be disclosed to another organization.

Each of the Canadian Privacy Statutes also provides individuals with the following:

A right of access to personal information held by an organization, subject to limited exceptions;

A right to correct inaccuracies in/update their personal information records; and

A right to withdraw consent to the use or communication of personal information.

In addition to these rights, the Quebec Privacy Act, as modified by Bill 64, will create a right for individuals to have their personal information deindexed (coming into force September 2023) and to data portability (coming into force September 2024).

Finally, organizations must have policies and practices in place that give effect to the requirements of the legislation, and organizations must ensure that their employees are made aware of and trained with respect to such policies.

TRANSFER

When an organization transfers personal information to a third party service provider (i.e. one who acts on behalf of the transferring organization — although Canadian legislation does not use these terms, the transferring organization would be the “controller” in GDPR parlance, and the service provider would be a “processor”), the transferring organization remains accountable for the protection of that personal information and for ensuring compliance with the applicable legislation, using contractual or other means. In particular, the transferring organization is responsible for ensuring (again, using contractual or other means) that the third party service provider appropriately safeguards the data, and would also be required under the notice and openness/transparency provisions to reference the use of third party service providers in and outside of Canada in its privacy policies and procedures.

These concepts apply whether the party receiving the personal information is inside or outside Canada. Transferring personal information outside of Canada for storage or processing is generally permitted so long as the requirements discussed above are addressed, and the transferring party notifies individuals that their information may be transferred outside of Canada and may be subject to access by foreign governments, courts, law enforcement or regulatory agencies. This notice is typically provided through the transferring party’s privacy policies.

With respect to the use of foreign service providers, PIPA Alberta specifically requires a transferring organization to include the following information in its privacy policies and procedures:

The countries outside Canada in which the collection, use, disclosure or storage is occurring or may occur, and

The purposes for which the third party service provider outside Canada has been authorized to collect, use or disclose personal information for or on behalf of the organization

Under PIPA Alberta, specific notice must also be provided at the time of collection or transfer of the personal information and must specify:

The way in which the individual may obtain access to written information about the organization’s policies and practices with respect to service providers outside Canada, and

The name or position name or title of a person who is able to answer on behalf of the organization the individual’s questions about the collection, use, disclosure or storage of personal information by service providers outside Canada for or on behalf of the organization.

In addition, under the Quebec Privacy Act, an organization must take reasonable steps to ensure that personal information transferred to service providers outside Quebec will not be used for other purposes and will not be communicated to third parties without consent (except under certain exceptions prescribed in the Act). The Quebec Privacy Act also specifically provides that the organization must refuse to transfer personal information outside Quebec where it does not believe that the information will receive such protection.

Starting September 22, 2023, the Quebec Privacy Act, as modified by Bill 64, will require all organizations, before transferring personal information outside of the province of Quebec, to conduct data privacy assessments and enact appropriate contractual safeguards to ensure that the information will benefit from adequate protection in the jurisdiction of transfer. These assessments must take into account the sensitivity of the information, the purposes, the level of protection (contractual or otherwise) and the applicable privacy regime of the jurisdiction of transfer. Quebec has decided not to implement a system of adequacy decisions, and therefore assessments will likely be required prior to any cross-jurisdiction transfer.

SECURITY

Each of the Canadian Privacy Statutes contains safeguarding provisions designed to protect personal information. In essence, these provisions require organizations to take reasonable technical, physical and administrative measures to protect personal information against loss or theft, unauthorized access, disclosure, copying, use, modification or destruction. These laws do not generally mandate specific technical requirements for the safeguarding of personal information.

BREACH NOTIFICATION

Currently, PIPEDA and PIPA Alberta are the only Canadian Privacy Statutes with breach notification requirements. Bill 64 added breach notification requirements to the Quebec Privacy Act, which will come into force on September 22, 2022.

In Alberta, an organization having personal information under its control must, without unreasonable delay, provide notice to the Commissioner of any incident involving the loss of or unauthorized access to or disclosure of personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result.

Notification to the Commissioner must be in writing and include:

A description of the circumstances of the loss or unauthorized access or disclosure

The date or time period during which the loss or unauthorized access or disclosure occurred

A description of the personal information involved in the loss or unauthorized access or disclosure

An assessment of the risk of harm to individuals as a result of the loss or unauthorized access or disclosure

An estimate of the number of individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure

A description of any steps the organization has taken to reduce the risk of harm to individuals

A description of any steps the organization has taken to notify individuals of the loss or unauthorized access or disclosure, and

The name and contact information for a person who can answer, on behalf of the organization, the Commissioner’s questions about the loss or unauthorized access or disclosure

Where an organization suffers a loss of or unauthorized access to or disclosure of personal information as to which the organization is required to provide notice to the Commissioner, the Commissioner may require the organization to notify the individuals to whom there is a real risk of significant harm. This notification must be given directly to the individual (unless specified otherwise by the Commissioner) and include:

A description of the circumstances of the loss or unauthorized access or disclosure

The date on which or time period during which the loss or unauthorized access or disclosure occurred

A description of the personal information involved in the loss or unauthorized access or disclosure

A description of any steps the organization has taken to reduce the risk of harm, and

Contact information for a person who can answer, on behalf of the organization, questions about the loss or unauthorized access or disclosure

The breach notification provisions under PIPEDA are very similar to the breach notification provisions under PIPA Alberta. The main difference is that PIPEDA requires organizations to notify both the affected individuals and the federal regulator if the breach creates a real risk of significant harm to the individuals, whereas PIPA Alberta requires the initial notice only to the regulator, and then to the individuals if the regulator requires it. In practice, many organizations notify affected Albertans regardless of whether the Alberta Commissioner requires it (and the Commissioner typically does require it for most reported breaches in any event).

Further, under PIPEDA, organizations must also keep a record of ALL information security breaches, even those which do not meet the risk threshold of a “real risk of significant harm.”

The new Quebec Privacy Act, as modified by Bill 64, will introduce a number of new obligations in connection with “confidentiality incidents”, which are defined as unauthorized access, use, or communication of personal information, or the loss of such information. These include:

A general obligation to prevent and remedy security incidents

The obligation to notify the CAI and the person affected whenever the incident presents a risk of “serious injury.” Factors to consider when evaluating the risk of serious injury include the sensitivity of the information concerned, the anticipated consequences of the use of the information and the likelihood that the information will be used for harmful purposes, and

The obligation to keep a register of security incidents, with the CAI having extensive audit rights

ENFORCEMENT

Privacy regulatory authorities have an obligation to investigate complaints, as well as the authority to initiate complaints.

Under PIPEDA, a complaint must be investigated by the Commissioner and a report will be prepared that includes the